Decision Procedures for Automating Termination Proofs - PowerPoint PPT Presentation


  1. Decision Procedures for Automating Termination Proofs
     Ruzica Piskac, EPFL; Thomas Wies, IST Austria

  2. Proving Program Termination
     assume x > 0
     while x ≥ 0 do
       y := 1
       while y < x do
         y := 2·y
       end
       x := x − 1
     end
     Ranking function into the natural numbers:
     Construction of global ranking functions is difficult (to automate)!

  3. Automating Termination Proofs
     Proof techniques based on local ranking functions:
     - Size-change principle [Lee, Jones, Ben-Amram 2001]
     - Transition invariants [Podelski, Rybalchenko 2004]
     Idea:
     - decompose program into simpler ones
     - prove each simple program terminating independently
     Use decision procedures for well-founded domains to automate these tasks: Terminator [Cook, Podelski, Rybalchenko 2006]

  4. Proving Program Termination
     assume x > 0
     while x ≥ 0 do
       y := 1
       while y < x do
         y := 2·y
       end
       x := x − 1
     end
     Ranking function into a lexicographically ordered set:
     Decomposition into linear ranking functions is not always possible!
     We need decision procedures for more powerful well-founded orderings.
     This talk: decision procedures for multiset orderings

  5. Counting Leaves in a Tree
     prog CountLeaves(root : Tree) : int =
       var S : Stack[Tree] = root
       var c : int = 0
       do
         y := head(S)
         if leaf(y) then
           S := tail(S)
           c := c + 1
         else
           S := left(y) · right(y) · tail(S)
       until S = ε
       return c
     [Figure: example tree with nodes a, b, c, d, e; stack contents S : a]

  6. Counting Leaves in a Tree
     prog CountLeaves(root : Tree) : int =
       var S : Stack[Tree] = root
       var c : int = 0
       do
         y := head(S)
         if leaf(y) then
           S := tail(S)
           c := c + 1
         else
           S := left(y) · right(y) · tail(S)
       until S = ε
       return c
     [Figure: the same tree after some iterations; stack contents S : e · e · c]
     Ranking function for loop: Consider S as a multiset of trees with subtree ordering.

  7. Multisets
     [Figure: a finite multiset X drawn as elements of the base set with their multiplicities, X = {4, 1, 3, 3, 2, 2, 2}]
     X ranges over finite multisets.
     Operations are defined point-wise:

  8. Multiset Orderings
     Extend ordering ≼ on base set to ordering ≼_m on multisets
     [Figure: two multisets X and Y over the base set {1, ..., 5}, drawn element by element]

  9. Multiset Orderings
     Extend ordering ≼ on base set to ordering ≼_m on multisets
     [Figure: the multisets X and Y as before, with the differences X \ Y and Y \ X highlighted]
     ≼_m well-founded iff ≼ well-founded [Dershowitz, Manna 1979]

  10. Counting Leaves in a Tree
     [Figure: example tree with nodes a, b, c, d, e]
     Termination Condition for Loop (stated with the extension of the subtree relation to multisets): Valid!
     Is satisfiability of multiset ordering constraints decidable?

  11. Main Results
     Let T₀ be a base theory of a preordered set. Examples for T₀:
     − theory of all preordered sets
     − theory of linear integer arithmetic
     − theory of a term algebra (trees) with subterm relation
     1. If T₀ is decidable then so is its multiset extension.
     2. If T₀ is decidable in NP then so is its multiset extension.
     3. Decision procedure is easily implementable using off-the-shelf SMT solvers.

  12. Decision Procedure through an Example
     X′ = (X \ Y) ⊎ Y′ ∧ Y ⊆ X ∧ Y′ ≺_m Y ∧ ¬(X′ ≺_m X)
     Unsatisfiable!
     [Figure: the multisets X, Y, X′, Y′]
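The ordering of slides 8-9, the loop check of slide 10 and the constraint of slide 12, as an added Python example that is not part of the slides: lt_m implements ≺_m through the pointwise condition used in the reduction step, loop_decreases checks that every CountLeaves iteration shrinks the stack multiset under the subtree ordering, and constraint_has_small_model brute-forces the slide-12 constraint over a small linear base order. All function names and the example tree TREE are constructed here, not taken from the talk.

```python
from itertools import product
TREE = (('e', 'e'), ('d', ('e', 'e')))   # constructed example tree (not the slides'), 5 leaves

def lt_m(A, B, le):
    """A <_m B (Dershowitz-Manna) via the pointwise condition of step 2: A != B
    and every a with A(a) > B(a) has some b with B(b) > A(b) and a <= b."""
    elems = set(A) | set(B)
    if all(A.get(e, 0) == B.get(e, 0) for e in elems):
        return False
    return all(any(B.get(b, 0) > A.get(b, 0) and le(a, b) for b in elems)
               for a in elems if A.get(a, 0) > B.get(a, 0))

def subtree(t, u):
    """Reflexive subtree relation t <= u (base preorder of slide 10). Trees are
    nested tuples: a string is a leaf, (left, right) an inner node."""
    return t == u or (isinstance(u, tuple) and (subtree(t, u[0]) or subtree(t, u[1])))

def count_leaves_trace(root):
    """CountLeaves of slides 5-6; also records S as a multiset after each iteration."""
    S, c, trace = [root], 0, []
    while S:                               # until S = empty
        y = S.pop(0)                       # y := head(S); S := tail(S)
        if isinstance(y, str):
            c += 1
        else:
            S = [y[0], y[1]] + S           # S := left(y) . right(y) . tail(S)
        M = {}
        for t in S:
            M[t] = M.get(t, 0) + 1
        trace.append(M)
    return c, trace

def loop_decreases(root):
    """Slide 10: every iteration makes S smaller in the multiset extension of <= on trees."""
    _, trace = count_leaves_trace(root)
    steps = [{root: 1}] + trace
    return all(lt_m(steps[i + 1], steps[i], subtree) for i in range(len(steps) - 1))

def constraint_has_small_model(elems=(0, 1, 2), max_mult=2):
    """Brute-force the slide-12 constraint over a finite linear base order:
    X' = (X minus Y) (+) Y'  and  Y subset X  and  Y' <_m Y  and  not (X' <_m X).
    True iff some X, Y, Y' satisfy it; the slides claim it is unsatisfiable."""
    le = lambda a, b: a <= b
    ms = [dict(zip(elems, m)) for m in product(range(max_mult + 1), repeat=len(elems))]
    for X, Y, Yp in product(ms, repeat=3):
        if all(Y[e] <= X[e] for e in elems):                 # Y subset X
            Xp = {e: max(X[e] - Y[e], 0) + Yp[e] for e in elems}
            if lt_m(Yp, Y, le) and not lt_m(Xp, X, le):
                return True
    return False
```

The brute force only explores multiplicities up to max_mult over three base elements, so it is a sanity check of the claim, not a proof; the slides' decision procedure is what settles it in general.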

  13. Step 1: Flattening
     Introduce fresh variables for all non-variable subterms
     X′ = (X \ Y) ⊎ Y′ ∧ Y ⊆ X ∧ Y′ ≺_m Y ∧ ¬(X′ ≺_m X)
     (1) X′ = X₁ ⊎ Y′ ∧ X₁ = X \ Y ∧ Y ⊆ X ∧ Y′ ≺_m Y ∧ ¬(X′ ≺_m X)

  14. Step 2: Reduction
     Replace multiset operations by their pointwise definitions
     (1) X′ = X₁ ⊎ Y′ ∧ X₁ = X \ Y ∧ Y ⊆ X ∧ Y′ ≺_m Y ∧ ¬(X′ ≺_m X)
     (2) (∀x. X′(x) = X₁(x) + Y′(x))
       ∧ (∀x. X₁(x) = max{X(x) − Y(x), 0})
       ∧ (∀x. Y(x) ≤ X(x))
       ∧ (∃y. Y′(y) ≠ Y(y))
       ∧ (∀y′. Y(y′) < Y′(y′) → ∃y. Y′(y) < Y(y) ∧ y′ ≼ y)
       ∧ ((∀x. X′(x) = X(x)) ∨ (∃x′. X(x′) < X′(x′) ∧ ∀x. X′(x) < X(x) → ¬(x′ ≼ x)))

  15. Step 3: Skolemization
     Skolemize all existential quantifiers, starting from formula (2) of step 2.

  16. Step 3: Skolemization
     (3) (∀x. X′(x) = X₁(x) + Y′(x))
       ∧ (∀x. X₁(x) = max{X(x) − Y(x), 0})
       ∧ (∀x. Y(x) ≤ X(x))
       ∧ Y′(c₁) ≠ Y(c₁)
       ∧ (∀y′. Y(y′) < Y′(y′) → Y′(w(y′)) < Y(w(y′)) ∧ y′ ≼ w(y′))        (w: witness function)
       ∧ ((∀x. X′(x) = X(x)) ∨ (X(c₂) < X′(c₂) ∧ ∀x. X′(x) < X(x) → ¬(c₂ ≼ x)))

  17. Step 4: Strengthening
     Add additional axioms constraining the witness functions
     (4) (∀x. X′(x) = X₁(x) + Y′(x))
       ∧ (∀x. X₁(x) = max{X(x) − Y(x), 0})
       ∧ (∀x. Y(x) ≤ X(x))
       ∧ Y′(c₁) ≠ Y(c₁)
       ∧ (∀y′. Y(y′) < Y′(y′) → Y′(w(y′)) < Y(w(y′)) ∧ y′ ≼ w(y′))
       ∧ ((∀x. X′(x) = X(x)) ∨ (X(c₂) < X′(c₂) ∧ ∀x. X′(x) < X(x) → ¬(c₂ ≼ x)))
       ∧ F(Y, Y′, w)

  18. Step 5: Instantiation
     Instantiate universal quantifiers with ground terms: instantiate with c₁, c₂, w(c₁), w(c₂).
     Ground instances obtained from (4), grouped by the case they belong to:
       Y′(c₁) ≠ Y(c₁) ∧ X′(c₁) = X(c₁) ∧ X′(c₁) = X(c₁) − Y(c₁) + Y′(c₁)
     ∨ X′(c₂) = X(c₂) − Y(c₂) + Y′(c₂) ∧ X(c₂) < X′(c₂) ∧ Y(c₂) ≥ Y′(c₂)
     ∨ X′(w(c₂)) = X(w(c₂)) − Y(w(c₂)) + Y′(w(c₂)) ∧ Y′(w(c₂)) < Y(w(c₂)) ∧ X′(w(c₂)) ≥ X(w(c₂))
     ∨ c₂ ≼ w(c₂) ∧ ¬(c₂ ≼ w(c₂))

  19. Step 5: Instantiation
     Instantiate universal quantifiers with ground terms
     (5) Y′(c₁) ≠ Y(c₁) ∧ X′(c₁) = X(c₁) ∧ X′(c₁) = X(c₁) − Y(c₁) + Y′(c₁)
       ∨ X′(c₂) = X(c₂) − Y(c₂) + Y′(c₂) ∧ X(c₂) < X′(c₂) ∧ Y(c₂) ≥ Y′(c₂)
       ∨ X′(w(c₂)) = X(w(c₂)) − Y(w(c₂)) + Y′(w(c₂)) ∧ Y′(w(c₂)) < Y(w(c₂)) ∧ X′(w(c₂)) ≥ X(w(c₂))
       ∨ c₂ ≼ w(c₂) ∧ ¬(c₂ ≼ w(c₂))

  20. Step 6: Check Satisfiability
     Call decision procedure for base theory + LIA + EUF.
     Each disjunct of (5) is unsatisfiable:
       Y′(c₁) ≠ Y(c₁) ∧ X′(c₁) = X(c₁) ∧ X′(c₁) = X(c₁) − Y(c₁) + Y′(c₁)                  Unsatisfiable!
       X′(c₂) = X(c₂) − Y(c₂) + Y′(c₂) ∧ X(c₂) < X′(c₂) ∧ Y(c₂) ≥ Y′(c₂)                  Unsatisfiable!
       X′(w(c₂)) = X(w(c₂)) − Y(w(c₂)) + Y′(w(c₂)) ∧ Y′(w(c₂)) < Y(w(c₂)) ∧ X′(w(c₂)) ≥ X(w(c₂))   Unsatisfiable!
       c₂ ≼ w(c₂) ∧ ¬(c₂ ≼ w(c₂))                                                         Unsatisfiable!
     Hence the original constraint X′ = (X \ Y) ⊎ Y′ ∧ Y ⊆ X ∧ Y′ ≺_m Y ∧ ¬(X′ ≺_m X) is unsatisfiable!

  21. Completeness of Finite Instantiation
     F: multiset ordering constraint after Skolemization
     Functions representing multisets are sort restricted, but witness functions are not!
     [Figure: finite model of F; a multiset function X maps the base set to ℕ, while the witness function w maps the values of the base-set ground terms of F into the base set]
     Additional axioms bound witness functions!

  22. Axioms for Witness Functions
     [Figure: multisets X and Y with X \ Y and Y \ X; w only maps to max. elements!]
     Axioms are designed specifically to guarantee NP complexity bound.
