Finite Quanti fi cation in Hierarchic Theorem Proving Peter - PowerPoint PPT Presentation

Finite Quanti fi cation in Hierarchic Theorem Proving Peter Baumgartner Uwe Waldmann Joshua Bax

Overall Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Foreground Speci fi cation (FG) Axioms: Lists, Arrays De fi nitions: Length, isSorted ? ⊨ Conjecture extends Background Speci fi cation (BG) - Linear integer arithmetic Main issue Quanti fi ers: complete theorem proving is theoretically impossible Problem: incompleteness: “no refutation” ⇒ “countersatis fi able” 2 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Calculi for Hierarchic Reasoning SMT : DPLL(T) + instantiation heuristics (CVC4, Z3,...) � Model evolution with LIA constraints [B Tinelli 2008, 2011] � Sequent calculus [Rümmer 2008] � Theory instantiation [Korovin 2006] � LASCA [Korovin Voronkov 2007] � Hierarchic superposition 
 [Bachmair Ganzinger Waldmann 1994, Althaus Weidenbach Kruglov 
 2009, Weidenbach Kruglov 2012, B Waldmann 2013] � This work Recover completeness for fi nitely quanti fi ed fragment Can be used on top of hierarchic superposition and SMT 3 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Hierarchic Speci fi cations Background (BG) speci fi cation consists of Sorts, e.g. { int } Operators, e.g. { 0, 1, -1, 2, -2, ..., -, +, >, ≥ } Parameters e.g. { m , n, α } Models, e.g. linear integer arithmetic Foreground (FG) speci fi cation extends BG speci fi cation by New sorts, e.g. { array } New operators, e.g. { read: array × int ↦ int, write: array × int × int ↦ array, a: array } First-order clauses, e.g. array axiom Finite saturation { read(write( a , i , x ), i ) ≈ x, by superposition read(write( a , i , x ), j ) ≈ read( a , j ) ∨ i ≈ j } 4 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Hierarchic Speci fi cations Array axioms from above read(write( a , i , x ), i ) ≈ x (1) read(write( a , i , x ), j ) ≈ read( a , j ) ∨ i ≈ j (2) � Additional clauses read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] (3) // Array a is sorted in the range [1..1000] 1 ≤ m ∧ m < 1000 (4) (5) read(a, m) < read(a, m+1) Can’t we directly � use superposition? Contributions of this paper A general method for model computation on top of HSP/SMT, e.g. a ↦ … … 5 5 5 5 6 6 6 6 … … 1 2 3 50 51 998 999 1000 m 5 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Hierarchic Speci fi cations Models of hierarchic speci fi cations Must satisfy the FG clauses, and must leave the interpretation of the BG sorts and operators unchanged ( conservative extension ): - distinct BG elements may not be identi fi ed ( no confusion ), and - no new elements may be added to BG sorts ( no junk ) � Hierarchic superposition calculus (HSP) Extension of the superposition calculus for hierarchic speci fi cations Calls BG-solver to decide BG-unsatis fi ability of BG clauses Complete under assumptions: su ffi cient completeness , compactness The clause set (1)-(5) is not su ffi ciently complete � Finite saturation does not mean “satis fi able (wrt hierarchic interpretations)” 6 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Su ffi cient Completeness Su ffi cient Completeness In every model of the FG clauses, every ground FG term that has a BG 
 sort must be equal to some BG term Example read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] 
 � (3) � (5) read(a, m) < read(a, m+1) is not su ffi ciently complete, admits junk: Domain: { 0, -1, 1, -2, 2, …, NaN } Interpret: read(a, i ) ↦ NaN (NaN < NaN) ↦ true (NaN ≤ NaN) ↦ true Consequence Finite saturation of (1) - (5) under HSP does not mean anything Next goal : recover su ffi cient completeness for fi nitely quanti fi ed clauses 7 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Finitely Quanti fi ed Clauses De fi nition � A clause C is fi nitely quanti fi ed if for every BG variable x occurring 
 under a BG sorted FG operator, C contains a domain declaration of 
 the form x ∉ [l..u], where l and u are concrete integers. � Examples � read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] 
 (3) (5) read(a, m) < read(a, m+1) f( i +1, f(j, 2) + 1) > α + y ∨ y > 0 ∨ i ∉ [1..1000] ∨ j ∉ [10..100] (Rationale: using “large” domains is useful enough in practice) Observation: only fi nitely many ground instances wrt BG sorted FG terms 8 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Su ffi cient Completeness for Finitely Quanti fi ed Clauses read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] (3) Alternative 1 Force mapping of relevant read-terms to integers by adding unit clauses read(a, 1) ≈ 3 read(a, 2) ≈ 5 … read(a, 999) ≈ 4 read(a, 1000) ≈ 7 � Properties Recovers su ffi cient completeness Soundness and completeness by exhaustive search through mappings Practically useless 9 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Su ffi cient Completeness for Finitely Quanti fi ed Clauses read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] (3) Alternative 2 Force mapping of relevant read-terms to integers by adding unit clauses read(a, 1) ≈ α 1 read(a, 2) ≈ α 2 … read(a, 999) ≈ α 999 read(a, 1000) ≈ α 1000 where α i is a fresh parameter � Properties Recovers su ffi cient completeness Supplants outer loop by BG constraint satisfaction problem Still practically useless 10 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Su ffi cient Completeness for Finitely Quanti fi ed Clauses read(a, i ) ≤ read(a, j ) ∨ ¬( i < j) ∨ i ∉ [1..1000] ∨ j ∉ [1..1000] (3) Alternative 3 (taken) Add unit clauses to express default interpretation with exceptions read(a, i ) ≈ α 0 ∨ i ∉ [1..1000]\{50, 60} read(a, 50) ≈ α 50 read(a, 60) ≈ α 60 where α i is a fresh parameter � Properties Recovers su ffi cient completeness Basis for procedure in paper - Start with a default interpretation read(a, i ) ≈ α 0 ∨ i ∉ [1..1000] - Modify by adding exceptions like 50, 60 in a con fl ict-driven way 
 until model found or unsatis fi able Next: idea of this method 11 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Our Method - First Round Given clause set N[ ∆ x ], where ∆ x = [1..1000] f( x ) ≉ x ∨ x ∉ [1..1000] (1) f(5) ≈ 8 (2) f(8) ≈ 5 (3) � Current set of exceptions Π x ⊆ ∆ x Initially Π x = {} � Finite Domain Transformation M = FD(N[ ∆ x ], Π x ) f( x ) ≈ α 0 ∨ x ∉ [1..1000] default interpretation for f( x ) in (1) (f) (1f) α 0 ≉ x ∨ x ∉ [1..1000] (f) applied to (1) f(5) ≈ 8 (2) f(8) ≈ 5 (3) � Now use HSP to check satis fi ability 12 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Our Method - First Round Finite Domain Transformation M = FD(N[ ∆ x ], Π x ) f( x ) ≈ α 0 ∨ x ∉ [1..1000] (f) (1f) α 0 ≉ x ∨ x ∉ [1..1000] f(5) ≈ 8 (2) f(8) ≈ 5 (3) M is unsatis fi able, take { f(5) ≈ α 0 , f(8) ≈ α 0 , (2), (3) }, HSP detects this Maximal sub-domain Γ x = [1..7] ⊆ ∆ x recovers satis fi ability ( α 0 ↦ 8) � f( x ) ≈ α 0 ∨ x ∉ [1..7] f( x ) ≈ α 0 ∨ x ∉ [1..8] (f) (f) � α 0 ≉ x ∨ x ∉ [1..7] α 0 ≉ x ∨ x ∉ [1..8] (1f) (1f) � (2) f(5) ≈ 8 (2) f(5) ≈ 8 � (3) f(8) ≈ 5 (3) f(8) ≈ 5 � Satis fi able Unsatis fi able � Sub-domain [1..7] and critical point 8 can be found by binary search Repair with 8 as next exception 13 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

Our Method - Second Round Given clause set N[ ∆ x ] f( x ) ≉ x ∨ x ∉ [1..1000] (1) f(5) ≈ 8 (2) f(8) ≈ 5 (3) � Current set of exception points Π x ⊆ ∆ x Π x = {8} � Finite Domain Transformation M = FD(N[ ∆ x ], Π x ) f( x ) ≈ α 0 ∨ x ∉ [1..1000]\{8} default interpretation for f( x ) in (1) (f) (f8) f(8) ≈ α 8 f at exception point 8 (1f) α 0 ≉ x ∨ x ∉ [1..1000]\{8} (f) applied to (1) (1f8) α 8 ≉ 8 (f8) applied to (1) f(5) ≈ 8 (2) Satis fi able with α 0 ↦ 8, α 8 ↦ 5 . Done f(8) ≈ 5 (3) 14 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving

General Method: checkSAT/ fi nd algorithm checkSAT ( N [ ∆ x ]) 1 // returns ”satisfiable” or ”unsatisfiable” 2 var Π x := ; x // The current set of exceptions 3 while true { 4 let M = FD ( N , Π x ) 5 Tacitly assume these if M is satisfiable return ”satisfiable” 6 checks are e ff ective if M [ ; x ] is unsatisfiable return ”unsatisfiable” 7 let ( x , d ) = find ( M ) 8 Π x := Π x [ x 7! Π x [ { d } ] 9 } 10 Line 7 example, Π x = {8} M M[ ∅ x ] f( x ) ≈ α 0 ∨ x ∉ ∆ x \{8} f(5) ≈ 8 f( x ) > x ∨ x ∉ ∆ x (1) FD f(8) ≈ α 8 f(8) ≈ 5 f(5) ≈ 8 (2) α 0 > x ∨ x ∉ ∆ x \{8} f(8) ≈ 5 (3) α 8 > 8 15 Baumgartner/Bax/Waldmann Finite Quanti fi cation in Hierarchic Theorem Proving