Reasoning about Arrays Aaron R. Bradley CU Boulder
  max := a[l];
  for (i := l+1; i <= u; i++)
    if (a[i] > max) max := a[i];

Establish postcondition: ∀ j. l ≤ j ≤ u → a[j] ≤ max
Loop invariant: ∀ j. l ≤ j < i → a[j] ≤ max
Also establish postcondition: ∀ j. a[j] = a₀[j]  (the array itself is not modified)
  for (i := 0; i < length(sets); i++)
    u := union(u, sets[i]);

Given postcondition of union(u, v): rv = u ∪ v
Establish postcondition: ∀ j. 0 ≤ j ≤ |sets| → sets[j] ⊆ u
Loop invariant: ∀ j. 0 ≤ j < i → sets[j] ⊆ u
Loop invariant: ∀ j. 0 ≤ j < i → sets[j] ⊆ u
Translation (sets modelled as Boolean-valued arrays): ∀ j. 0 ≤ j < i → ∀ e. sets[j][e] → u[e]
Sets
• e ∈ s:       s[e]
• s ⊆ t:       ∀ e. s[e] → t[e]
• s ⊂ t:       (∀ e. s[e] → t[e]) ∧ (∃ e₁. ¬s[e₁] ∧ t[e₁])
• s = t ∩ u:   ∀ e. s[e] ↔ t[e] ∧ u[e]
• s = t̄ (complement of t):   ∀ e. s[e] ↔ ¬t[e]
Multisets (bags)
• C(s, e) (count of e in s):   s[e]
• s = t ⊎ u:   ∀ e. s[e] = t[e] + u[e]
• . . .
  assert(v >= 0);
  ht := put(ht, k, v);

Precondition: ∀ j ∈ keys(ht). get(ht, j) ≥ 0
Establish postcondition: ∀ j ∈ keys(ht). get(ht, j) ≥ 0
Verification condition:
  (∀ j ∈ keys(ht). get(ht, j) ≥ 0) ∧ v ≥ 0 ∧ h′ = put(ht, k, v) → (∀ j ∈ keys(h′). get(h′, j) ≥ 0)
Flat data structures
• Integer-indexed arrays
• Collections: sets, multisets (bags)
• Hashtables
Model and reason about them as arrays (uninterpreted functions).
First-Order Theory T: (Σ, A)
• Signature Σ: non-logical symbols (a, b, +, <, . . .)
• Axioms A: formulae interpreting the symbols
T-Interpretation I: (D, α)
• Domain D: set of objects
• Assignment α: assigns Σ-symbols to domain elements, functions, predicates
• for each F ∈ A, I ⊨ F
Σ-formula F is T-valid iff for every T-interpretation I, I ⊨ F.
F is T-valid iff ¬F is T-unsatisfiable.
Decision Problem for T: decide if Σ-formula F is T-valid.
T is the set of T-valid Σ-formulae.
T_A: First-Order Theory of Arrays
Signature Σ_A: { a[i], a⟨i ◁ v⟩, = }
Axioms:
• Equality axioms
• Infinite domain axiom schema: for all n > 0,
    ∀ i₁, . . . , iₙ. ∃ j. ⋀_{k=1}^{n} j ≠ iₖ
• Read-over-write:
    ∀ a, i, j, v. i = j → a⟨i ◁ v⟩[j] = v
    ∀ a, i, j, v. i ≠ j → a⟨i ◁ v⟩[j] = a[j]
T_A^Z: First-Order Theory of Integer-Indexed Arrays
Signature Σ_A^Z: Σ_A ∪ Σ_Z = { a[i], a⟨i ◁ v⟩, =, 0, 1, +, ≥ }
Axioms:
• Axioms of integer arithmetic
• Equality axioms
• Read-over-write:
    ∀ a, i, j, v. i = j → a⟨i ◁ v⟩[j] = v
    ∀ a, i, j, v. i ≠ j → a⟨i ◁ v⟩[j] = a[j]
Fragment of T: subset of T given by a syntactic restriction.
Example: "quantifier-free" fragment (QFF) of T_A.
Is
    a[i] = e₁ ∧ e₁ ≠ e₂ → a⟨i ◁ e₂⟩[i] ≠ a[i]
T_A-valid? Alternately, is
    a[i] = e₁ ∧ e₁ ≠ e₂ ∧ a⟨i ◁ e₂⟩[i] = a[i]
T_A-unsatisfiable?
Nelson-Oppen Combination Method
Given:
• Theories T₁, . . . , Tₖ that share only = (and are stably infinite)
• Decision procedures P₁, . . . , Pₖ
• Quantifier-free (Σ₁ ∪ · · · ∪ Σₖ)-formula F
Decide if F is (T₁ ∪ · · · ∪ Tₖ)-satisfiable using P₁, . . . , Pₖ.
Think about arrays in the context of Nelson-Oppen.
History
• 1962: John McCarthy formalizes arrays as the first-order theory T_A.
• 1969: James King describes and implements a DP for the QFF of T_A.
• 1979: Nelson & Oppen describe the combination method for QF theories sharing =.
• 1980s: Suzuki, Jefferson; Jaffar; Mateti describe DPs for the QFF of theories of arrays with predicates for sorted, partitioned, etc.
• 1997: Levitt describes a DP for the QFF of the extensional theory of arrays in his thesis.
• 2001: Stump, Barrett, Dill, Levitt describe a DP for the QFF of the extensional theory of arrays.
• 2006: Bradley, Manna, Sipma describe a DP for the array property fragment of T_A, T_A^Z.
• Other recent references:
  – Sofronie-Stokkermans et al.: local theory extensions
  – Ghilardi, Nicolini, Ranise, Zucchelli
  – Iosif, Habermehl, Vojnar: use flat counter automata
  – Fontaine: combinations with the Bernays-Schönfinkel-Ramsey class
Array Property Fragment of T_A
Array property: ∀ i. F[i] → G[a[i]]
• F: index guard
    iguard := iguard ∧ iguard | iguard ∨ iguard | atom
    atom   := var = var | evar ≠ var | var ≠ evar | ⊤
    var    := evar | uvar
  (evar: existentially quantified or free variable; uvar: universally quantified variable)
• G: value constraint; i only appears in a[i] (possibly within nested array properties)
Array property fragment: Boolean combination of array properties and QF formulae.
Array Property Fragment of T_A ∪ T: same definition when T is a Nelson-Oppen theory.
Decision Procedure
Given: array property formula F
1. F₁: push negations to atoms
2. F₂: eliminate writes
    G[a⟨i ◁ v⟩]  ⇒  G[a′] ∧ a′[i] = v ∧ (∀ j. j ≠ i → a[j] = a′[j])
3. Construct index set I: { t : t is a symbolic index } ∪ { κ }
4. F₄: κ is unique
    F₂ ∧ ⋀_{t ∈ I \ {κ}} κ ≠ t
5. F₅: instantiate quantifiers
    H[∀ i. G[i]]  ⇒  H[⋀_{t ∈ I} G[t]]
6. F₅ is QF. Decide satisfiability using the Nelson-Oppen DP.
Example: extensional theory (Stump et al., 2001)
    a = b⟨i ◁ v⟩ ∧ a[i] ≠ v
In the array property fragment:
    (∀ j. a[j] = b⟨i ◁ v⟩[j]) ∧ a[i] ≠ v
Eliminate write:
    (∀ j. a[j] = b′[j]) ∧ a[i] ≠ v ∧ b′[i] = v ∧ (∀ j. j ≠ i → b′[j] = b[j])
Index set I: { i, κ }
QF formula:
    a[i] = b′[i] ∧ a[κ] = b′[κ] ∧ a[i] ≠ v ∧ b′[i] = v ∧ (i ≠ i → b′[i] = b[i]) ∧ (κ ≠ i → b′[κ] = b[κ]) ∧ κ ≠ i
Simplified:
    a[i] = b′[i] ∧ a[κ] = b′[κ] ∧ a[i] ≠ v ∧ b′[i] = v ∧ b′[κ] = b[κ] ∧ κ ≠ i
(Unsatisfiable: a[i] = b′[i] = v contradicts a[i] ≠ v, so the original formula is valid.)
Why κ?
    (∀ i. a[i] > 0) ∧ (∀ i. a[i] < 0)
Without κ the index set would be empty and instantiation would discard both conjuncts, although the formula is unsatisfiable. But κ requires an infinite domain for indices. Recall the axiom schema: for all n > 0,
    ∀ i₁, . . . , iₙ. ∃ j. ⋀_{k=1}^{n} j ≠ iₖ
Correctness
• Sound? It's just quantifier elimination (except for κ).
• Complete? Assume I ⊨ F₅. Construct J such that J ⊨ F.
    proj(t) = i   if α_I[t] = vᵢ for some i ∈ I
    proj(t) = κ   otherwise
[Diagram: F[proj(i)] → G[a[proj(i)]] (top row) related by steps (1), (2) and ? to F[i] → G[a[i]] (bottom row), under K ⊨]
Array Property Fragment of T_A^Z
Array property: ∀ i. F[i] → G[a[i]]
• F: index guard
    iguard := iguard ∧ iguard | iguard ∨ iguard | atom
    atom   := expr ≤ expr | expr = expr
    expr   := uvar | pexpr
    pexpr  := pexpr′
    pexpr′ := Z | Z · evar | pexpr′ + pexpr′
• G: value constraint; i only appears in a[i] (possibly within nested array properties)
Array property fragment: Boolean combination of array properties and QF formulae.
Decision Procedure
Given: array property formula F
1. F₁: push negations to atoms
2. F₂: eliminate writes
    G[a⟨i ◁ v⟩]  ⇒  G[a′] ∧ a′[i] = v ∧ (∀ j. j ≤ i − 1 ∨ i + 1 ≤ j → a[j] = a′[j])
3. Construct index set I: { t : t is a symbolic index } ({ 0 } if empty)
4. F₄: instantiate quantifiers
    H[∀ i. G[i]]  ⇒  H[⋀_{t ∈ I} G[t]]
5. F₄ is QF. Decide satisfiability using the Nelson-Oppen DP.
Example
    sorted(a, ℓ, u): ∀ i, j. ℓ ≤ i ≤ j ≤ u → a[i] ≤ a[j]
Is
    sorted(a⟨0 ◁ 0⟩⟨5 ◁ 1⟩, 0, 5) ∧ sorted(a⟨0 ◁ 10⟩⟨5 ◁ 11⟩, 0, 5)
(T_A^Z ∪ T_Z)-satisfiable?
[Figure: the two arrays at indices 0..5, (0, w, x, y, z, 1) and (10, w, x, y, z, 11), sharing the cells w, x, y, z]
Example
    sorted(a⟨0 ◁ 0⟩⟨5 ◁ 1⟩, 0, 5) ∧ sorted(a⟨0 ◁ 10⟩⟨5 ◁ 11⟩, 0, 5)
Index set: { −1, 0, 1, 4, 5, 6 }
• { 0, 5 } from 0 ≤ i ≤ j ≤ 5
• { −1, 1 } from ·⟨0 ◁ ·⟩
• { 4, 6 } from ·⟨5 ◁ ·⟩
Contradiction: 0 ≤ a[1] ≤ 1 ∧ 10 ≤ a[1] ≤ 11
Need 1 or 4 in the index set.
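Added example (not from the slides): a Python sketch of steps 3 and 4 of the T_A^Z procedure applied to the sorted example above, computing the index set from the guard constants and write indices, instantiating sorted(·, 0, 5) over it, and then checking the numeric bounds that land on each symbolic cell. The function names, the tuple encoding of arrays, and the use of simple bounds propagation instead of a full Nelson-Oppen DP are my assumptions; the final check is sound for "unsat" but is not a complete decision procedure.

```python
# Added example: steps 3-4 of the T_A^Z procedure on the sorted(...) example.
# An array a<e1 ◁ v1>...<en ◁ vn> is encoded as (base name, [(e1, v1), ...]);
# bounds propagation stands in for the Nelson-Oppen DP (my simplification).
from itertools import combinations_with_replacement

def index_set(guard_consts, write_indices):
    # Symbolic indices: guard constants plus e-1 and e+1 for each write index e
    # (write elimination turns j != e into j <= e-1 or e+1 <= j).
    idx = set(guard_consts)
    for e in write_indices:
        idx.update({e - 1, e + 1})
    return idx or {0}                       # {0} if the set would be empty

def read(base, writes, t):
    # Read-over-write: the last write to t wins, else the symbolic cell base[t].
    for e, v in reversed(writes):
        if e == t:
            return v
    return (base, t)

def instantiate_sorted(base, writes, lo, hi, idx):
    # sorted(a, lo, hi) = forall i, j. lo <= i <= j <= hi -> a[i] <= a[j],
    # with i, j ranging over the finite index set only.
    for i, j in combinations_with_replacement(sorted(idx), 2):
        if lo <= i <= j <= hi:
            yield read(base, writes, i), read(base, writes, j)

def decide(props, idx):
    # props: one (base, writes, lo, hi) per sorted(...) conjunct. Collect numeric
    # lower/upper bounds per symbolic cell; cell-vs-cell constraints are ignored,
    # so "unsat" is sound but the other answer is not a proof of satisfiability.
    lower, upper = {}, {}
    for base, writes, lo, hi in props:
        for x, y in instantiate_sorted(base, writes, lo, hi, idx):
            if isinstance(x, int) and isinstance(y, int):
                if x > y:
                    return "unsat"
            elif isinstance(x, int):                # constant <= cell y
                lower[y] = max(lower.get(y, x), x)
            elif isinstance(y, int):                # cell x <= constant
                upper[x] = min(upper.get(x, y), y)
    for cell in lower.keys() & upper.keys():
        if lower[cell] > upper[cell]:
            return "unsat"
    return "no contradiction found"

# The slide's formula: sorted(a<0◁0><5◁1>, 0, 5) ∧ sorted(a<0◁10><5◁11>, 0, 5)
PROPS = [("a", [(0, 0), (5, 1)], 0, 5), ("a", [(0, 10), (5, 11)], 0, 5)]
FULL = index_set({0, 5}, {0, 5})               # {-1, 0, 1, 4, 5, 6}
```

Running decide(PROPS, {0, 5}) finds no contradiction because every instantiated read hits a written constant, while any index set containing 1 or 4 exposes the conflicting bounds on a[1] or a[4].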
Complexity
Quantifier elimination is in NEXP for Nelson-Oppen theories:
1. |I| is linear in the size of F, so quantifier instantiation is linear-time.
2. NP DPs are applied to a QF formula at most exponentially larger than F.
3. Exponential in the largest stack of universal quantifiers.
Fixing the stack height ("extensional", "sorting" fragments) gives an NP procedure.
Complexity
NEXP-hard even for uninterpreted domain and range.
• Bernays-Schönfinkel-Ramsey (BSR) class: ∃*∀*, only predicates
• Deciding satisfiability is NEXP-complete
• Reduction:
    ∃ x. F[x]  ⇒  ∃ x. d(x) ∧ F[x]
    ∀ x. F[x]  ⇒  ∀ x. d(x) → F[x]
Why d? Only infinite T_A-interpretations, but possibly finite BSR-interpretations.
Thanks to De Moura, Bjørner, Kuncak for mentioning BSR.
Undecidable Extensions
• Extra quantifier alternation
• Nested reads under ∀ i: a[a[i]]
• No separation: ∀ i. F[a[i], i]
• Arithmetic: a[i + 1] when i is universal
• Strict comparison: i < j when i, j are universal
• Permutation predicate
Reduce from the undecidability of Diophantine equations: p(x₁, . . . , xₙ) = 0 (over nonnegative x)
"Walk":
• Begin at the origin.
• At each step, increment one xᵢ.
• End at a solution.
A walk exists iff p(x) = 0 has a solution.