Reasoning in Complex Theories and Applications Viorica - - PowerPoint PPT Presentation



SLIDE 1

Reasoning in Complex Theories and Applications

Viorica Sofronie-Stokkermans
Max-Planck-Institut für Informatik, Saarbrücken, Germany

Tutorial KI 2008, September 23, 2008

SLIDE 2

Motivation

Long-term goal of research in computer science:

  • use computers as 'intelligent assistants' in e.g. mathematics, engineering (and other fields)

Main problem:

  • complex description of problems to be solved
    → complex systems, complex encoding

SLIDE 3

Examples of application domains

MATHEMATICS
  Theories: numbers, polynomials, functions over numeric domains, algebras
  Tasks: construct proofs, check proofs

Example: Lipschitz functions

  R ∪ (L^f_{c,λ1}) ∪ (L^g_{c,λ2}) ⊨ (L^{f+g}_{c,(λ1+λ2)})

  (L^f_{c,λ1})            ∀x |f(x) − f(c)| ≤ λ1 · |x − c|
  (L^g_{c,λ2})            ∀x |g(x) − g(c)| ≤ λ2 · |x − c|
  (L^{f+g}_{c,(λ1+λ2)})   ∀x |f(x) + g(x) − f(c) − g(c)| ≤ (λ1 + λ2) · |x − c|

Similar:
  • free functions; (piecewise) monotone functions
  • functions defined according to a partition of their domain of definition, ...

SLIDE 4

Examples of application domains

MATHEMATICS
  Theories: numbers, polynomials, functions over numeric domains, algebras
  Tasks: construct proofs, check proofs

VERIFICATION
  Theories: numbers, data types, functions over numeric domains
  Tasks: programs: correctness, termination; reactive and hybrid systems: safety / liveness

Infinite state systems (software, real time, hybrid)
  • simulation/testing cannot guarantee absence of errors
    → need symbolic methods

Solution:
  • Build a 'formal model' of the system;
  • Prove that properties are 'consequences of the model'


SLIDE 6

Examples of application domains: VERIFICATION

Example: Does BubbleSort return a sorted array?

  int[] BubbleSort(int[] a) {
    int i, j, t;
    for (i := |a| − 1; i > 0; i := i − 1) {
      for (j := 0; j < i; j := j + 1) {
        if (a[j] > a[j + 1]) { t := a[j]; a[j] := a[j + 1]; a[j + 1] := t };
      }
    }
    return a
  }

Generate verification conditions and prove that they are valid.

Predicates:
  • sorted(a, l, u):                  ∀i, j (l ≤ i ≤ j ≤ u → a[i] ≤ a[j])
  • partitioned(a, l1, u1, l2, u2):   ∀i, j (l1 ≤ i ≤ u1 ≤ l2 ≤ j ≤ u2 → a[i] ≤ a[j])
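Added example (not code from the tutorial): the two predicates above implemented in Python and checked at run time as loop invariants of the slide's BubbleSort. The invariants themselves are my assumption of what the verification conditions would have to establish; the slides list only the predicates.

```python
"""Runtime check of the BubbleSort verification predicates from the slides.

sorted_between and partitioned implement sorted(a, l, u) and
partitioned(a, l1, u1, l2, u2) as defined on the slide. The loop invariants
asserted inside bubble_sort are an assumption of this example (the slides do
not state them); a verifier would have to prove them from the code.
"""
from typing import List


def sorted_between(a: List[int], l: int, u: int) -> bool:
    """sorted(a, l, u): for all i, j with l <= i <= j <= u, a[i] <= a[j].

    An empty range (u < l) satisfies the predicate vacuously.
    """
    return all(a[i] <= a[j] for i in range(l, u + 1) for j in range(i, u + 1))


def partitioned(a: List[int], l1: int, u1: int, l2: int, u2: int) -> bool:
    """partitioned(a, l1, u1, l2, u2):
    for all i, j with l1 <= i <= u1 <= l2 <= j <= u2, a[i] <= a[j].

    If u1 > l2 no pair (i, j) satisfies the antecedent, so the predicate holds.
    """
    if u1 > l2:
        return True
    return all(a[i] <= a[j] for i in range(l1, u1 + 1) for j in range(l2, u2 + 1))


def bubble_sort(a: List[int]) -> List[int]:
    """The slide's BubbleSort, sorting in place, with the (assumed) loop
    invariants checked at every iteration; a violation raises AssertionError."""
    n = len(a)
    i = n - 1
    while i > 0:
        # Outer invariant (assumed): the suffix a[i+1..n-1] is already sorted and
        # every element of a[0..i] is <= every element of that suffix.
        assert sorted_between(a, i + 1, n - 1)
        assert partitioned(a, 0, i, i + 1, n - 1)
        j = 0
        while j < i:
            # Inner invariant (assumed): a[j] is a maximum of a[0..j], i.e. the
            # largest element of the prefix has been bubbled up to position j.
            assert partitioned(a, 0, j, j, j)
            if a[j] > a[j + 1]:
                a[j], a[j + 1] = a[j + 1], a[j]
            j += 1
        i -= 1
    # Postcondition the verification conditions are meant to establish.
    assert sorted_between(a, 0, n - 1)
    return a


def invariants_hold_on(inputs: List[List[int]]) -> bool:
    """Run bubble_sort on each input; False if any invariant or the
    postcondition fails or the result is not the sorted input."""
    try:
        for xs in inputs:
            if bubble_sort(list(xs)) != sorted(xs):
                return False
    except AssertionError:
        return False
    return True


# Constructed sample inputs, including the empty and singleton edge cases.
SAMPLES = [[], [7], [3, 1, 2], [5, 4, 3, 2, 1], [2, 2, 1, 2], [0, -1, 9, -3, 4]]
```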

SLIDE 7

Examples of application domains: VERIFICATION

Example: Controllers (safety)

  [Figure: water tank with a valve (0/1), current level L, thresholds L_alarm and L_overflow, inflow and outflow.
   Control automaton with guards L < L_alarm and L > L_alarm, updates L := in(out(L)) and L := in(L), and valve := 0 / valve := 1;
   in, out : R → R]

  [Figure: RBC: braking + reaction distance; pos, pos′ : Z → R]


SLIDE 10

Examples of application domains

MATHEMATICS
  Theories: numbers, polynomials, functions over numeric domains, algebras
  Tasks: construct proofs, check proofs

VERIFICATION
  Theories: numbers, data types, functions over numeric domains
  Tasks: safety / liveness, correctness, termination (programs, reactive/hybrid systems)

DATA BASES
  Theories: first-order logic, Datalog, ..., numbers, functions
  Tasks: test consistency, answer queries, limit search

Complex theories; complex systems (MAS, reactive systems with embedded software, databases)

Method:
  • encode problems as logical formulae
  • test entailment / satisfiability / validity

SLIDE 11

Problems and goals

  − 1st-order logic is undecidable: cannot build an 'all-purpose' program
  + often fragments of theories occurring in applications are decidable

  − theories do not occur alone: need to consider combinations of theories
  + often provers for the component theories can be combined efficiently

Important: Identify theories (and extensions/combinations thereof) which are decidable (with low complexity) and relevant in applications.

SLIDE 12

Overview

We plan to make a survey of recent developments in the field and provide several examples.

Plan of the tutorial:
  • Reasoning in standard theories
  • Reasoning in theory extensions
  • Reasoning in combinations of theories

Important: identify decidable/tractable fragments

SLIDE 13

Reasoning about standard datatypes

  • Numbers
    − natural numbers, integers, reals, rationals
  • Data structures
    − theories of lists
    − theory of acyclic lists
    − theory of arrays
    − theories of sets, multisets
  • Algebraic theories
    − (total/partial) orderings
    − lattices, semilattices
    − distributive lattices
    − Boolean algebras
    − groups, rings, fields, ...

SLIDE 14

Reasoning in theory extensions

  • Numbers
    − integers, reals, rationals
  • Data structures
    − theories of lists of integers, reals, ...
    − theory of acyclic lists of integers, reals, ...
    − theory of arrays of integers, reals, ...
    − theories of sets of integers, reals, ...
    + functions (free, recursively defined), e.g. length, card
  • Algebraic theories
    − (total/partial) orderings with monotone functions
    − lattices, semilattices with operators
    − distributive lattices with operators
    − Boolean algebras with operators
    − fields with operators

SLIDE 15

Modularity

Modular (i.e. black-box) composition of decision procedures is highly desirable, for saving time and resources.


SLIDE 17

Idea

Hierarchic Reasoning
  T0: Σ0-theory; T1: Σ1-theory with T0 ⊆ T1, Σ0 ⊂ Σ1
  Example: T0 = R (the reals); T1 = R extended with f : R → R monotone
  Can we use a prover for T0 as a black box to prove theorems in T1?

Modular Reasoning
  T0: Σ0-theory; Ti: Σi-theory with T0 ⊆ Ti, Σ0 ⊆ Σi (i = 1, 2)
  Example: lists(R) ∪ arrays(R)
  Can we use provers for T1, T2 as black boxes to prove theorems in T1 ∪ T2?
  Which information needs to be exchanged between the provers?

SLIDE 18

Structure

  • Reasoning in standard theories
    − Preliminaries: Logic, theories, models
    − Decidable logical theories and theory fragments
    − Tractability
  • Reasoning in combinations of theories
    − disjoint signature
    − non-disjoint signature
  • Theory extensions
  • Applications


SLIDE 20

Reminder: Signature

A signature Σ = (Ω, Pred) fixes an alphabet of non-logical symbols, where
  • Ω is a set of function symbols f with arity n ≥ 0, written f/n,
  • Pred is a set of predicate symbols p with arity m ≥ 0, written p/m.

If n = 0 then f is also called a constant (symbol). If m = 0 then p is also called a propositional variable.

Example 1: Σ1 = ({f/2, g/1, c/0}, {P/2})
Example 2: Σ2 = ({+/2, s/1, 0/0}, {≤/2})

SLIDE 21

Reminder: Variables

Predicate logic admits the formulation of abstract, schematic assertions. (Object) variables are the technical tool for schematization. We assume that X is a given countably infinite set of symbols which we use for (the denotation of) variables.

SLIDE 22

Terms

Terms over Σ (Σ-terms) are formed according to these syntactic rules:

  s, t, u, v ::= x ,                 x ∈ X       (variable)
               | f(s1, ..., sn) ,    f/n ∈ Ω     (functional term)

By TΣ(X) we denote the set of Σ-terms (over X). A term not containing any variable is called a ground term.

Example 1: Σ1 = ({f/2, g/1, c/0}, {P/2})
  Terms: f(g(x), y), g(f(x, c)), c
Example 2: Σ2 = ({+/2, s/1, 0/0}, {≤/2})
  Terms: x + s(y), s(0 + s(z))

SLIDE 23

Reminder: Atoms

Atoms (atomic formulas) over Σ are formed according to this syntax:

  A, B ::= p(s1, ..., sm) ,   p/m ∈ Pred     (atomic formula)
         ⟨ | (s ≈ t)                         (equation) ⟩

Whenever we admit equations as atomic formulas we are in the realm of first-order logic with equality.

Example 1: Σ1 = ({f/2, g/1, c/0}, {P/2})
  Atoms: P(f(g(x), y), g(f(x, c))), P(c, c)
Example 2: Σ2 = ({+/2, s/1, 0/0}, {≤/2})
  Atoms: x + s(y) ≤ s(0 + s(z)), s(0) ≤ 0

SLIDE 24

Reminder: Literals and clauses

Literals:
  L ::= A      (positive literal)
      | ¬A     (negative literal)

Clauses:
  C, D ::= ⊥                       (empty clause)
         | L1 ∨ ... ∨ Lk, k ≥ 1    (non-empty clause)

SLIDE 25

Reminder: General First-Order Formulas

FΣ(X) is the set of first-order formulas over Σ, defined as follows:

  F, G, H ::= ⊥          (falsum)
            | ⊤          (verum)
            | A          (atomic formula)
            | ¬F         (negation)
            | (F ∧ G)    (conjunction)
            | (F ∨ G)    (disjunction)
            | (F → G)    (implication)
            | (F ↔ G)    (equivalence)
            | ∀x F       (universal quantification)
            | ∃x F       (existential quantification)

SLIDE 26

Conventions

In what follows we will use the following conventions:

  • constants (0-ary function symbols) are denoted a, b, c, d, ...
  • function symbols with arity ≥ 1 are denoted
    − f, g, h, ... if the formulae are interpreted into arbitrary algebras
    − +, −, s, ... if the intended interpretation is into numerical domains
  • predicate symbols with arity 0 are denoted p, q, r, s, ...
  • predicate symbols with arity ≥ 1 are denoted
    − P, Q, R, ... if the formulae are interpreted into arbitrary algebras
    − ≤, ≥, <, > if the intended interpretation is into numerical domains
  • variables are denoted x, y, z, ...


SLIDE 29

Reminder: Σ-algebras, valuations

Σ-algebra: A = (A, {fA : A^{a(f)} → A}_{f∈Ω}, {PA ⊆ A^{a(P)}}_{P∈Pred})

Valuation in a Σ-algebra A = (A, {fA}_{f∈Ω}, {PA}_{P∈Pred}): β : X → A, which extends in a canonical way to terms.

Example 1: Σ1 = ({f/2, g/1, c/0}, {P/2})
  A1 = ({a, b}, {fA, gA, cA}, {PA})
  fA : A² → A,   fA(a, a) = fA(a, b) = a, fA(b, a) = fA(b, b) = b
  gA : A → A,    gA(a) = b, gA(b) = a
  cA = a ∈ A
  PA ⊆ A²,       PA = {(b, a)}
  Valuation in A1: β : X → {a, b} with β(x) = a, β(y) = b
  (A1, β)(f(g(x), y)) = fA(gA(β(x)), β(y)) = fA(gA(a), b) = fA(b, b) = b

Example 2: Σ2 = ({+/2, s/1, 0/0}, {≤/2})
  A2 = (Z, {+, s, 0}, {≤})
  Valuation in A2: β : X → Z with β(x) = 4, β(y) = 5
  (A2, β)(+(s(x), y)) = s(β(x)) + β(y) = s(4) + 5 = 5 + 5 = 10

SLIDE 30

Reminder: Σ-algebras, valuations

Σ-algebra: A = (A, {fA : A^{a(f)} → A}_{f∈Ω}, {PA ⊆ A^{a(P)}}_{P∈Pred})

Valuation in a Σ-algebra A = (A, {fA}_{f∈Ω}, {PA}_{P∈Pred}): β : X → A, which extends in a canonical way to formulae.

Example 1: A1 = ({a, b}, {fA, gA, cA}, {PA})
  PA ⊆ A²,       PA = {(b, a)}
  fA : A² → A,   fA(a, a) = fA(a, b) = a, fA(b, a) = fA(b, b) = b
  gA : A → A,    gA(a) = b, gA(b) = a
  cA = a ∈ A
  β : X → {a, b} with β(x) = a, β(y) = b

  (A1, β)(∀x P(f(g(x), x), c))
    = min{ (A1, β[x→d])(P(f(g(x), x), c)) | d ∈ {a, b} }
    = min{ PA(fA(gA(a), a), cA), PA(fA(gA(b), b), cA) }
    = min{ PA(fA(b, a), a), PA(fA(a, b), a) }
    = min(1, 0) = 0

  (A1, β)(∃x P(f(g(x), x), c))
    = max{ (A1, β[x→d])(P(f(g(x), x), c)) | d ∈ {a, b} }
    = max{ PA(fA(gA(a), a), cA), PA(fA(gA(b), b), cA) }
    = max{ PA(fA(b, a), a), PA(fA(a, b), a) }
    = max(1, 0) = 1
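Added example, not code from the tutorial: Example 1 of the preceding slides (A1, β, the term f(g(x), y) and the two quantified formulas) evaluated in Python with the min/max semantics for ∀/∃, plus the term of Example 2. The tuple encoding of terms and formulas and the names Algebra, eval_term, eval_formula and models are my own.

```python
"""Evaluation of Σ-terms and first-order formulas in a Σ-algebra, following the
valuation semantics of the slides: β : X → A extends to terms, and ∀ / ∃ are
evaluated as min / max over the carrier (so quantifiers need a finite carrier).
"""
from typing import Any, Callable, Dict, Iterable, Optional, Set, Tuple

Term = Any       # a variable name (str) or a tuple (f, t1, ..., tn); a constant c is (c,)
Formula = Any    # ("P", name, t1, ..., tn) | ("eq", s, t) | ("not", F) | ("and", F, G)
                 # | ("or", F, G) | ("imp", F, G) | ("forall", x, F) | ("exists", x, F)


class Algebra:
    """Σ-algebra A = (A, {f_A}, {P_A}): carrier, function table, predicate table.
    carrier=None marks an infinite carrier: terms can be evaluated, quantifiers cannot."""

    def __init__(self, carrier: Optional[Iterable[Any]],
                 funcs: Dict[str, Callable[..., Any]],
                 preds: Dict[str, Set[Tuple[Any, ...]]]) -> None:
        self.carrier = None if carrier is None else list(carrier)
        self.funcs = funcs
        self.preds = preds


def eval_term(alg: Algebra, beta: Dict[str, Any], t: Term) -> Any:
    """(A, β)(t): a variable is looked up in β; f(t1, ..., tn) becomes f_A((A, β)(t1), ...)."""
    if isinstance(t, str):
        return beta[t]
    f, *args = t
    return alg.funcs[f](*(eval_term(alg, beta, s) for s in args))


def eval_formula(alg: Algebra, beta: Dict[str, Any], F: Formula) -> int:
    """(A, β)(F) ∈ {0, 1}; ∀x G is min over β[x→d], ∃x G is max over β[x→d], d ∈ A."""
    kind = F[0]
    if kind == "P":
        _, name, *args = F
        return int(tuple(eval_term(alg, beta, s) for s in args) in alg.preds[name])
    if kind == "eq":
        return int(eval_term(alg, beta, F[1]) == eval_term(alg, beta, F[2]))
    if kind == "not":
        return 1 - eval_formula(alg, beta, F[1])
    if kind == "and":
        return min(eval_formula(alg, beta, F[1]), eval_formula(alg, beta, F[2]))
    if kind == "or":
        return max(eval_formula(alg, beta, F[1]), eval_formula(alg, beta, F[2]))
    if kind == "imp":
        return max(1 - eval_formula(alg, beta, F[1]), eval_formula(alg, beta, F[2]))
    if kind in ("forall", "exists"):
        if alg.carrier is None:
            raise ValueError("quantifiers are evaluated by enumerating a finite carrier")
        _, x, G = F
        values = [eval_formula(alg, {**beta, x: d}, G) for d in alg.carrier]   # β[x→d]
        return min(values) if kind == "forall" else max(values)
    raise ValueError(f"unknown formula constructor {kind!r}")


def models(alg: Algebra, F: Formula) -> bool:
    """A ⊨ F for a closed formula F: no free variables, so an empty valuation suffices."""
    return eval_formula(alg, {}, F) == 1


# Example 1 of the slides: Σ1 = ({f/2, g/1, c/0}, {P/2}), A1 = ({a, b}, {f_A, g_A, c_A}, {P_A})
A1 = Algebra(
    carrier=["a", "b"],
    funcs={
        "f": lambda x, y: x,                      # f_A(a,a) = f_A(a,b) = a, f_A(b,a) = f_A(b,b) = b
        "g": lambda x: "b" if x == "a" else "a",  # g_A(a) = b, g_A(b) = a
        "c": lambda: "a",                         # c_A = a
    },
    preds={"P": {("b", "a")}},                    # P_A = {(b, a)}
)
BETA1 = {"x": "a", "y": "b"}                      # β(x) = a, β(y) = b

T1 = ("f", ("g", "x"), "y")                               # f(g(x), y)
BODY = ("P", "P", ("f", ("g", "x"), "x"), ("c",))         # P(f(g(x), x), c)
ALL_X = ("forall", "x", BODY)                             # ∀x P(f(g(x), x), c)
SOME_X = ("exists", "x", BODY)                            # ∃x P(f(g(x), x), c)

# Example 2 of the slides: Σ2 = ({+/2, s/1, 0/0}, {≤/2}), A2 = (Z, {+, s, 0}, {≤});
# Z is not enumerable, and ≤ is omitted since an infinite relation cannot be tabulated.
A2 = Algebra(carrier=None,
             funcs={"+": lambda x, y: x + y, "s": lambda x: x + 1, "0": lambda: 0},
             preds={})


def slide_values() -> Tuple[Any, int, int, int]:
    """The values computed on the slides: b, 0, 1 and 10."""
    return (eval_term(A1, BETA1, T1),
            eval_formula(A1, BETA1, ALL_X),
            eval_formula(A1, BETA1, SOME_X),
            eval_term(A2, {"x": 4, "y": 5}, ("+", ("s", "x"), "y")))
```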


SLIDE 32

Reminder: Satisfiability, Validity, Entailment

  (A, β) ⊨ F   iff (A, β)(F) = 1
  A ⊨ F        iff (A, β)(F) = 1 for all β : X → A

Validity: F is valid iff ⊨ F iff (A, β)(F) = 1 for all A and all β : X → A
Satisfiability: F is satisfiable iff (A, β)(F) = 1 for some A and β : X → A
Note: F valid iff ¬F is unsatisfiable

Entailment:
  F ⊨ G iff (∀A ∀β : X → A: if (A, β) ⊨ F then (A, β) ⊨ G).
  N ⊨ G iff (∀A ∀β : X → A: if (A, β) ⊨ F for all F ∈ N then (A, β) ⊨ G).
Note: F ⊨ G iff F ∧ ¬G unsatisfiable iff F ∧ ¬G ⊨ ⊥

Validity/Satisfiability/Entailment are undecidable in first-order logic.

In applications, when testing validity/satisfiability/entailment we want to test it w.r.t. a specific class of models (e.g. only those satisfying a set of axioms) ... associated with the theory corresponding to the application.

SLIDE 33

Logical theories

Syntactic view: axiomatized by a set F of (closed) first-order Σ-formulae.
  The models of F: Mod(F) = {A ∈ Σ-alg | A ⊨ G for all G in F}

Semantic view: given a class M of Σ-algebras,
  the first-order theory of M: Th(M) = {G ∈ FΣ(X) closed | M ⊨ G}

Th(Mod(F)), the set of formulae true in all models of F, represents exactly the set of consequences of F.

  F ⊆ Th(Mod(F))   (typically strict)
  M ⊆ Mod(Th(M))   (typically strict)

SLIDE 34

Examples

  1. Groups. Σ = ({e/0, ∗/2, i/1}, ∅)
     F = (group axioms):
       ∀x, y, z  x ∗ (y ∗ z) ≈ (x ∗ y) ∗ z
       ∀x        x ∗ i(x) ≈ e ∧ i(x) ∗ x ≈ e
       ∀x        x ∗ e ≈ x ∧ e ∗ x ≈ x
     Mod(F): the class of all groups; F ⊂ Th(Mod(F))

  2. Linear integer arithmetic. Σ = ({0/0, s/1, +/2}, {≤/2})
     Z+ = (Z, 0, s, +, ≤), the standard interpretation of integers.
     {Z+} ⊂ Mod(Th(Z+))

SLIDE 35

Examples

  3. Uninterpreted function symbols. Σ = (Ω, Pred)
     M = Σ-alg: the class of all Σ-structures.
     The theory of uninterpreted function symbols is Th(Σ-alg), the family of all first-order formulae which are true in all Σ-algebras.

  4. Lists. Σ = ({car/1, cdr/1, cons/2}, ∅)
     F = {
       car(cons(x, y)) ≈ x
       cdr(cons(x, y)) ≈ y
       cons(car(x), cdr(x)) ≈ x
     }
     Mod(F): the class of all models of F
     ThLists = Th(Mod(F)): the theory of lists (axiomatized by F)

SLIDE 36

Decidable theories

Let Σ = (Ω, Pred) be a signature.

M: class of Σ-algebras. T = Th(M) is decidable iff there is an algorithm which, for every closed first-order formula φ, can decide (after a finite number of steps) whether φ is in T or not.

F: class of (closed) first-order formulae. The theory T = Th(Mod(F)) is decidable iff there is an algorithm which, for every closed first-order formula φ, can decide (in finite time) whether F ⊨ φ or not.

SLIDE 37

Examples

Undecidable theories

  • Peano arithmetic, axiomatized by:
      ∀x ¬(x + 1 ≈ 0)                                   (zero)
      ∀x ∀y (x + 1 ≈ y + 1 → x ≈ y)                     (successor)
      F[0] ∧ (∀x (F[x] → F[x + 1])) → ∀x F[x]           (induction)
      ∀x (x + 0 ≈ x)                                    (plus zero)
      ∀x, y (x + (y + 1) ≈ (x + y) + 1)                 (plus successor)
      ∀x, y (x ∗ 0 ≈ 0)                                 (times zero)
      ∀x, y (x ∗ (y + 1) ≈ x ∗ y + x)                   (times successor)
    3 ∗ y + 5 > 2 ∗ y is expressed as ∃z (z ≉ 0 ∧ 3 ∗ y + 5 ≈ 2 ∗ y + z)
    Intended interpretation: (N, {0, 1, +, ∗}, {≈, ≤}) (does not capture true arithmetic, by Gödel's incompleteness theorem)
  • Th((Z, {0, 1, +, ∗}, {≤}))
  • Th(Σ-alg)


SLIDE 39

Examples

In order to obtain decidability results:
  • Restrict the signature
  • Enrich axioms
  • Look at certain fragments

Decidable theories
  • Presburger arithmetic, decidable in 3EXPTIME [Presburger'29]
    Signature: ({0, 1, +}, {≈, ≤}) (no ∗)
    Axioms: { (zero), (successor), (induction), (plus zero), (plus successor) }
  • Th(Z+), where Z+ = (Z, 0, s, +, ≤) is the standard interpretation of integers.

SLIDE 40

Examples

Decidable theories (continued)
  • The theory of real numbers (with addition and multiplication) is decidable in 2EXPTIME [Tarski'30]


SLIDE 42

Problems

T: first-order theory in signature Σ; L: class of (closed) Σ-formulae.
Given φ in L, is it the case that T ⊨ φ?

Common restrictions on L, the name of the resulting problem (for Pred = ∅), and the fragment {φ ∈ L | T ⊨ φ}:

  L = {∀x A(x) | A atomic}                        word problem
  L = {∀x (A1 ∧ ... ∧ An → B) | Ai, B atomic}      uniform word problem         Th∀,Horn
  L = {∀x C(x) | C(x) clause}                     clausal validity problem     Th∀,cl
  L = {∀x φ(x) | φ(x) unquantified}               universal validity problem   Th∀
  L = {∃x A1 ∧ ... ∧ An | Ai atomic}              unification problem          Th∃
  L = {∀x ∃y A1 ∧ ... ∧ An | Ai atomic}           unification with constants   Th∀∃

SLIDE 43

T-validity

T: first-order theory in signature Σ; L: class of (closed) Σ-formulae. Common restrictions on L (Pred = ∅), with the fragment {φ ∈ L | T ⊨ φ}:

  L = {∀x (A1 ∧ ... ∧ An → B) | Ai, B atomic}      uniform word problem         Th∀,Horn
  L = {∀x C(x) | C(x) clause}                     clausal validity problem     Th∀,cl
  L = {∀x φ(x) | φ(x) unquantified}               universal validity problem   Th∀

Remarks:
  • T-validity for Th∀,cl is decidable iff T-validity for Th∀ is decidable
  • For convex theories: T-validity for Th∀,Horn is decidable iff T-validity for Th∀,cl is decidable.

SLIDE 44

Convex theories

Definition. A first-order Σ-theory T is Σ0-convex (Σ0 ⊆ Σ) iff whenever

  T ⊨ ⋀_{i=1}^{n} Ai → ⋁_{j=1}^{m} Bj,

where A1, ..., An are Σ-atoms and B1, ..., Bm are Σ0-atoms, there exists k ∈ {1, ..., m} such that

  T ⊨ ⋀_{i=1}^{n} Ai → Bk.

Examples: LI(Q) – theory of rational numbers with linear arithmetic:
  1. LI(Q) is convex with respect to equality atoms, i.e.
     if LI(Q) ⊨ ⋀_i Ai → ⋁_j tj ≈ t′j then LI(Q) ⊨ ⋀_{i=1}^{n} Ai → tk ≈ t′k for some k.
  2. LI(Q) is not convex with respect to inequality atoms:
     LI(Q) ⊨ x ≤ y ∨ y ≤ x but Q ⊭ x ≤ y and Q ⊭ y ≤ x.
  3. Theories axiomatized by sets of Horn clauses are convex.
  4. Any theory T such that Mod(T) is closed under products is convex.

SLIDE 45

T-validity vs. T-satisfiability

T-validity:
  Let T be a first-order theory in signature Σ, and L a class of (closed) Σ-formulae.
  Given φ in L, is it the case that T ⊨ φ?

Remark: T ⊨ φ iff T ∪ ¬φ is unsatisfiable.

Every T-validity problem has a dual T-satisfiability problem:

T-satisfiability:
  Let T be a first-order theory in signature Σ, L a class of (closed) Σ-formulae, and ¬L = {¬φ | φ ∈ L}.
  Given ψ in ¬L, is it the case that T ∪ ψ is satisfiable?


SLIDE 47

T-validity vs. T-satisfiability

Common restrictions on L / ¬L:

  L                                              ¬L
  {∀x A(x) | A atomic}                           {∃x ¬A(x) | A atomic}
  {∀x (A1 ∧ ... ∧ An → B) | Ai, B atomic}        {∃x (A1 ∧ ... ∧ An ∧ ¬B) | Ai, B atomic}
  {∀x ⋁ Li | Li literals}                        {∃x ⋀ L′i | L′i literals}
  {∀x φ(x) | φ(x) unquantified}                  {∃x φ′(x) | φ′(x) unquantified}
  validity problem for universal formulae        ground satisfiability problem

In what follows we will focus on the problem of checking the satisfiability of conjunctions of ground literals.


SLIDE 50

SMT tools

SAT problems
  Given: conjunction φ of propositional clauses
  Task: check if φ is satisfiable
  Method: DPLL
    • deterministic choices first: unit resolution, pure literal assignment
    • case distinction (splitting)
    • heuristics: selection criteria for splitting, backtracking, conflict-driven learning

SMT problems
  Given: conjunction φ of clauses
  Task: check if φ ⊨T ⊥
  Method: DPLL(T)
    • Boolean assignment found using DPLL ... and checked for T-satisfiability
    • the assignment can be partial, and checked before splitting
    • usual heuristics are used: non-chronological backtracking, learning

Systems implementing such specialized satisfiability problems: Yices, Barcelogic Tools, CVC lite, haRVey, Math-SAT, ... are called (S)atisfiability (M)odulo (T)heory solvers.
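Added illustration of the DPLL(T) loop sketched above; this is not the code of any of the solvers named. DPLL with unit propagation and splitting hands every partial assignment to a theory solver before the next split; the theory is my simplification, equality/disequality between constants decided with a union-find, and all inputs are constructed.

```python
"""A miniature DPLL(T): DPLL over the Boolean structure of a clause set, with the
theory solver consulted on each (partial) assignment before splitting.
Theory: equalities x = y and disequalities x ≠ y between constants (union-find).
"""
from typing import Dict, List, Optional, Tuple

Atom = Tuple[str, str]          # ("x", "y") stands for the equation x = y (pair kept sorted)
Lit = Tuple[Atom, bool]         # (atom, True) is x = y, (atom, False) is x ≠ y
Clause = List[Lit]
Assignment = Dict[Atom, bool]


def eq(a: str, b: str) -> Atom:
    """Normalise so that x = y and y = x are the same atom."""
    return (a, b) if a <= b else (b, a)


def t_consistent(assign: Assignment) -> bool:
    """Theory solver. Merge constants related by equalities assigned True; the
    (possibly partial) assignment is consistent iff no disequality assigned
    False relates two constants that ended up in the same class."""
    parent: Dict[str, str] = {}

    def find(c: str) -> str:
        parent.setdefault(c, c)
        while parent[c] != c:
            parent[c] = parent[parent[c]]   # path halving
            c = parent[c]
        return c

    for (a, b), value in assign.items():
        if value:
            parent[find(a)] = find(b)
    return all(find(a) != find(b) for (a, b), value in assign.items() if not value)


def unit_propagate(clauses: List[Clause], assign: Assignment) -> bool:
    """Deterministic step: assign every unit clause until a fixpoint. Returns
    False if some clause has become empty (all of its literals falsified)."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            open_lits, satisfied = [], False
            for atom, pol in clause:
                if atom in assign:
                    if assign[atom] == pol:
                        satisfied = True
                        break
                else:
                    open_lits.append((atom, pol))
            if satisfied:
                continue
            if not open_lits:
                return False
            if len(open_lits) == 1:
                atom, pol = open_lits[0]
                assign[atom] = pol
                changed = True
    return True


def dpll_t(clauses: List[Clause], assign: Optional[Assignment] = None) -> Optional[Assignment]:
    """A T-consistent assignment satisfying all clauses, or None (i.e. φ ⊨T ⊥)."""
    assign = dict(assign or {})
    if not unit_propagate(clauses, assign):
        return None
    if not t_consistent(assign):      # partial assignment checked before splitting
        return None
    free = sorted({atom for clause in clauses for atom, _ in clause} - set(assign))
    if not free:
        return assign
    atom = free[0]                    # simplest selection heuristic: first unassigned atom
    for value in (True, False):       # case distinction; chronological backtracking on failure
        result = dpll_t(clauses, {**assign, atom: value})
        if result is not None:
            return result
    return None


def satisfies(clauses: List[Clause], assign: Assignment) -> bool:
    """Check a returned assignment: every clause has a true literal and T agrees."""
    return (all(any(assign.get(atom) == pol for atom, pol in clause) for clause in clauses)
            and t_consistent(assign))


# Constructed inputs. Both are propositionally satisfiable; only PHI_SAT is T-satisfiable.
#   PHI_UNSAT: x = y, (y = z ∨ y = w), x ≠ z, x ≠ w     -- every branch merges x with z or w
#   PHI_SAT:   (x = y ∨ y = z), x ≠ z, (x = y ∨ x = z)  -- satisfied by x = y with z apart
PHI_UNSAT: List[Clause] = [[(eq("x", "y"), True)],
                           [(eq("y", "z"), True), (eq("y", "w"), True)],
                           [(eq("x", "z"), False)],
                           [(eq("x", "w"), False)]]
PHI_SAT: List[Clause] = [[(eq("x", "y"), True), (eq("y", "z"), True)],
                         [(eq("x", "z"), False)],
                         [(eq("x", "y"), True), (eq("x", "z"), True)]]
```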

SLIDE 51

T-satisfiability vs. Constraint Solving

The field of constraint solving also deals with satisfiability problems. But be careful:
  • in constraint solving one is interested in whether a formula is satisfiable in a given, fixed model of T.
  • in T-satisfiability one is interested in whether a formula is satisfiable in any model of T at all.

SLIDE 52

Useful theories

Many examples of theories in which ground satisfiability is decidable:
  • the empty theory (no axioms), UIF(Σ)
  • linear (rational or integer) arithmetic
  • theories axiomatizing common datatypes (lists, arrays)
  • algebraic counterparts of modal logics (Boolean algebras with operators)

SLIDE 53

Useful theories

Example 1: McCarthy's theory of arrays.
  Sorts: a (arrays), i (index) and e (elements)
  Functions: write : a × i × e → a, read : a × i → e
  Axioms:
    read(write(a, i, e), i) = e
    i ≠ j → read(write(a, i, e), j) = read(a, j)
    a = b ↔ ∀i (read(a, i) = read(b, i))

  • the full first-order theory of arrays is undecidable
  • the ground satisfiability problem is decidable (in NP)

SLIDE 54

Useful theories

Example 2: The theory of acyclic lists
  Axioms:
    car(cons(x, y)) = x
    cdr(cons(x, y)) = y
    cons(car(x), cdr(x)) = x
    t(x) ≠ x, for every term t(x) containing only cons (acyclicity)

  • the full first-order theory is decidable (but non-elementary)
  • the ground satisfiability problem is decidable (in PTIME)


SLIDE 56

Tractability

Main issue: Reduce the search space.
Here:
  • Datalog
  • Locality

SLIDE 58

Example 1: Deductive Databases

Deductive database. Example: reachability in graphs.

Inference rules:
  S(x)
  ────
  R(x)

  R(x)   E(x, y)
  ──────────────
       R(y)

Facts: S(a), E(a, c), E(c, d), E(d, c), E(b, c)
Query: R(d)

  [Figure: graph with nodes a, b, c, d and edges a → c, c → d, d → c, b → c; S marks the start node a]

Derivation, adding one derived fact per step:
  S(a), E(a, c), E(c, d), E(d, c), E(b, c)
  ..., R(a)               (from S(a))
  ..., R(a), R(c)         (from R(a), E(a, c))
  ..., R(a), R(c), R(d)   (from R(c), E(c, d))


SLIDE 64

Example 1: Deductive Databases

Deductive database → Datalog (Horn clauses, no function symbols)

Inference rules:  S(x) → R(x),  R(x) ∧ E(x, y) → R(y)          (set K of Horn clauses)
Facts:            S(a), E(a, c), E(c, d), E(d, c), E(b, c)      (set F of ground atoms)
Query:            R(d)                                          (ground atom G)

  F ⊨K G  iff  K ∪ F ⊨ G  iff  K ∪ F ∪ ¬G ⊨ ⊥

Example derivation:
  S(a),  S(x) → R(x)                       gives R(a)
  R(a),  E(a, c),  R(x) ∧ E(x, y) → R(y)    gives R(c)
  R(c),  E(c, d),  R(x) ∧ E(x, y) → R(y)    gives R(d)

Necessary: only instances of the rules containing ground terms in Facts, Query.

SLIDE 65

Example 2: A theory of doubly-linked lists

Reasoning about doubly-linked lists, cf. also [Necula, McPeak 2005]

Axioms:
  ∀p (p ≠ null ∧ p.next ≠ null → p.next.prev = p)
  ∀p (p ≠ null ∧ p.prev ≠ null → p.prev.next = p)

  ∧ c ≠ null ∧ c.next ≠ null ∧ d ≠ null ∧ d.next ≠ null ∧ c.next = d.next ∧ c ≠ d   ⊨ ⊥

SLIDE 66

Example 2: A theory of doubly-linked lists

Reasoning about doubly-linked lists, cf. also [Necula, McPeak 2005]

Instances of the first axiom for the ground terms c, c.next, d, d.next:
  (c ≠ null ∧ c.next ≠ null → c.next.prev = c)
  (c.next ≠ null ∧ c.next.next ≠ null → c.next.next.prev = c.next)
  (d ≠ null ∧ d.next ≠ null → d.next.prev = d)
  (d.next ≠ null ∧ d.next.next ≠ null → d.next.next.prev = d.next)

  ∧ c ≠ null ∧ c.next ≠ null ∧ d ≠ null ∧ d.next ≠ null ∧ c.next = d.next ∧ c ≠ d   ⊨ ⊥


SLIDE 69

Local Reasoning

K set of Horn clauses; K is local if, for ground Horn clauses C,
  K ⊨ C  iff  K[C] ⊨ C
(⇐ holds always; ⇒ is locality; K[C] denotes the instances of K in which the variables are replaced by ground subterms of C.)

Local theories [Givan, McAllester'92] capture PTIME.

Many examples (also for the equational case):
  • theory of free function symbols
  • theory of successor / predecessor:
      s(x) = y → p(y) = x
      p(y) = x → s(x) = y
      s(x) = s(y) → x = y
  • theory of lists with cons, car, cdr
  • a theory of lattices [Skolem 1920]

SLIDE 70

Locality, tractability

K set of Horn clauses; K is local if, for ground Horn clauses C, K ⊨ C iff K[C] ⊨ C.

  Saturation  ⟹  K local theory  ⟹  Horn theory of K in PTIME
  [McAllester et al.'92,'93] [Basin, Ganzinger'96]

SLIDE 71

Locality, tractability, embeddability

K set of Horn clauses; K is local if, for ground Horn clauses C,
  K ⊨ C  iff  K[C] ⊨ C      (⇐ always; ⇒ locality)

Locality means: K[C] ∧ ¬C has a model ⇒ K ∪ ¬C has a model.

  [Figure: a model over the subterms of C embeds (↪) into a model over all terms]

SLIDE 72

Locality, tractability, embeddability

K set of Horn clauses; K is local if, for ground Horn clauses C, K ⊨ C iff K[C] ⊨ C.

  Saturation  ⟹  K local theory
  K local theory:
    • Emb(K) (embeddability of partial models)
    • Horn theory of K in PTIME
  [Skolem'20] [Evans'53, Burris'95] [McAllester et al.'92,'93] [Basin, Ganzinger'96] [Ganzinger'01]
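One added example (not code from the tutorial) serving the Datalog slides 58–64 and the locality slides 67–72: the reachability program evaluated by forward chaining, and the same query decided via the finite set K[C] of rule instances over the ground terms of F and G (here: the constants, since Datalog has no function symbols), followed by unit propagation on ground Horn clauses. The function names and the tuple encoding are my own.

```python
"""Datalog reachability in two ways: (1) forward chaining to the least model;
(2) locality: K ∪ F ⊨ G iff K[C] ∪ F ⊨ G, where K[C] is the finite set of rule
instances over the constants of F and G, decided by ground unit propagation.
"""
from itertools import product
from typing import Dict, Iterator, List, Optional, Set, Tuple

Atom = Tuple[str, ...]                   # ("E", "a", "c") is E(a, c); ("R", "X") has variable X
Rule = Tuple[Atom, Tuple[Atom, ...]]     # (head, body): body atoms → head
Subst = Dict[str, str]


def is_var(t: str) -> bool:
    return t[:1].isupper()               # convention here: variables X, Y; constants a, b, c, d


def apply(atom: Atom, s: Subst) -> Atom:
    return (atom[0],) + tuple(s.get(t, t) for t in atom[1:])


def match(pattern: Atom, fact: Atom, s: Subst) -> Optional[Subst]:
    """Extend s so that pattern·s = fact, or return None if impossible."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    s = dict(s)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if s.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return s


def matches(body: Tuple[Atom, ...], model: Set[Atom], s: Subst) -> Iterator[Subst]:
    """All substitutions making every body atom a member of model."""
    if not body:
        yield s
        return
    for fact in model:
        s2 = match(body[0], fact, s)
        if s2 is not None:
            yield from matches(body[1:], model, s2)


def least_model(rules: List[Rule], facts: Set[Atom]) -> Set[Atom]:
    """Naive forward chaining: fire every rule until nothing new is derived."""
    model = set(facts)
    while True:
        new = {apply(head, s) for head, body in rules for s in matches(body, model, {})} - model
        if not new:
            return model
        model |= new


def entails(rules: List[Rule], facts: Set[Atom], query: Atom) -> bool:
    """F ⊨K G iff G is in the least model of K ∪ F."""
    return query in least_model(rules, facts)


def local_instances(rules: List[Rule], constants: Set[str]) -> Set[Rule]:
    """K[C]: the ground instances of the rules whose terms are the given constants."""
    out: Set[Rule] = set()
    for head, body in rules:
        variables = sorted({t for atom in (head,) + body for t in atom[1:] if is_var(t)})
        for values in product(sorted(constants), repeat=len(variables)):
            s = dict(zip(variables, values))
            out.add((apply(head, s), tuple(apply(b, s) for b in body)))
    return out


def ground_entails(ground_rules: Set[Rule], facts: Set[Atom], query: Atom) -> bool:
    """Unit propagation on ground Horn clauses: K[C] ∪ F ⊨ G iff G gets derived."""
    derived = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in ground_rules:
            if head not in derived and all(b in derived for b in body):
                derived.add(head)
                changed = True
    return query in derived


# The slides' example: K, F and G = R(d); the constants of F and G are a, b, c, d.
K: List[Rule] = [(("R", "X"), (("S", "X"),)),
                 (("R", "Y"), (("R", "X"), ("E", "X", "Y")))]
F: Set[Atom] = {("S", "a"), ("E", "a", "c"), ("E", "c", "d"), ("E", "d", "c"), ("E", "b", "c")}
G: Atom = ("R", "d")
CONSTANTS = {t for atom in F | {G} for t in atom[1:]}
```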

SLIDE 73

Structure

  • Reasoning in standard theories
    − Preliminaries: Logic, theories, models
    − Decidable logical theories and theory fragments
    − Tractability
  • Reasoning in combinations of theories
    − disjoint signature
    − non-disjoint signature
  • Theory extensions
  • Applications

SLIDE 74

Reasoning in combinations of theories

Here: L = {∀x C(x) | C(x) clause}

We focus on the following (equivalent) problems:
  • T-validity of clauses
  • T-satisfiability of (existentially quantified) conjunctions of literals
where T is a combination of theories.

SLIDE 75

Problems

The combined decidability problem. For i = 1, 2:
  • let Ti be a first-order theory in signature Σi
  • assume the Ti-validity problem for universal formulae is decidable
Let T1 ⊕ T2 be a combination of T1 and T2.
Question: Is the T1 ⊕ T2-validity problem for universal formulae decidable?

SLIDE 76

Problems

The combined decidability problem. For i = 1, 2:
  • let Ti be a first-order theory in signature Σi
  • assume the Ti ground satisfiability problem is decidable
Let T1 ⊕ T2 be a combination of T1 and T2.
Question: Is the T1 ⊕ T2 ground satisfiability problem decidable?

SLIDE 77

Goal: Modularity

Modular Reasoning
  T0: Σ0-theory; Ti: Σi-theory with T0 ⊆ Ti, Σ0 ⊆ Σi (i = 1, 2)
  Example: lists(R) ∪ arrays(R)
  Can we use provers for T1, T2 as black boxes to prove theorems in T1 ∪ T2?
  Which information needs to be exchanged between the provers?

SLIDE 78-80

The combined decidability problem

Main issue: how is T1 ⊕ T2 defined? Here: put together the axioms.

Syntactic view:  T1 + T2 = T1 ∪ T2 ⊆ F_{Σ1 ∪ Σ2}(X)
  Mod(T1 ∪ T2) = { A ∈ (Σ1 ∪ Σ2)-alg | A ⊨ G for all G in T1 ∪ T2 }
  where Σ1 ∪ Σ2 = (Ω1, Pred1) ∪ (Ω2, Pred2) = (Ω1 ∪ Ω2, Pred1 ∪ Pred2)

Semantic view: let Mi = Mod(Ti), i = 1, 2
  M1 + M2 = { A ∈ (Σ1 ∪ Σ2)-alg | A|Σi ∈ Mi for i = 1, 2 }

The two views agree:  A ∈ Mod(T1 ∪ T2)  iff  A ∈ M1 + M2

SLIDE 81

Combinations of theories

  • Definition. A theory is consistent if it has at least one model.

Question: Is the union of two consistent theories always consistent?
Answer: No (not even when the two theories have disjoint signatures).
Example: Σ1 = (Ω1, ∅), Σ2 = ({c/0, d/0}, ∅) with c, d ∉ Ω1
  T1 = { ∃x, y, z (x ≉ y ∧ x ≉ z ∧ y ≉ z) }      A ∈ Mod(T1) iff |A| ≥ 3
  T2 = { ∀x (x ≈ c ∨ x ≈ d) }                     B ∈ Mod(T2) iff |B| ≤ 2
Hence T1 ∪ T2 has no model.

SLIDE 82-83

Combinations of theories

For i = 1, 2:
  • let Ti be a first-order theory in signature Σi
  • such that the ground satisfiability problem for Ti is decidable
Question: Is the ground satisfiability problem for T1 ∪ T2 decidable?
In general: No (restrictions are needed for an affirmative answer).

Theorem [Bonacina, Ghilardi et al., IJCAR 2006]. There are theories T1, T2 with disjoint signatures and decidable ground satisfiability problems such that ground satisfiability in T1 ∪ T2 is undecidable.
Idea: for a suitable T1 it is undecidable whether a constraint Γ1 is satisfiable in an infinite model of T1. If T2 has only infinite models, then the ground satisfiability problem for T1 ∪ T2 requires exactly that.

SLIDE 84

Combination of theories over disjoint signatures

The Nelson-Oppen procedure
Given: T1, T2 first-order theories with signatures Σ1, Σ2; assume Σ1 ∩ Σ2 = ∅ (they share only ≈)
       Pi: decision procedure for satisfiability of ground formulae w.r.t. Ti (i = 1, 2)
       φ: quantifier-free formula over Σ1 ∪ Σ2
Task: check whether φ is satisfiable w.r.t. T1 ∪ T2
Note: it suffices to handle conjunctive quantifier-free formulae: φ → DNF(φ), and DNF(φ) is satisfiable in T iff one of its disjuncts is satisfiable in T.

SLIDE 85-86

Example

[Nelson & Oppen, 1979]
Theories:
  R  theory of rationals       ΣR = {≤, +, −, 0, 1}                         (plus ≈)
  L  theory of lists           ΣL = {car, cdr, cons}                        (plus ≈)
  E  theory of equality (UIF)  Σ: free function and predicate symbols       (plus ≈)
Problems:
  1. R ∪ L ∪ E ⊨ ∀x, y (x ≤ y ∧ y ≤ x + car(cons(0, x)) ∧ P(h(x) − h(y)) → P(0)) ?
  2. Is the conjunction
       c ≤ d ∧ d ≤ c + car(cons(0, c)) ∧ P(h(c) − h(d)) ∧ ¬P(0)
     satisfiable in R ∪ L ∪ E?
(Problem 1 has answer "yes" iff Problem 2 has answer "no": the conjunction is the negation of the universal formula with x, y replaced by the fresh constants c, d.)

SLIDE 87

An Example

            R                                 L                                    E
Σ           {≤, +, −, 0, 1}                   {car, cdr, cons}                     F ∪ P (free function and predicate symbols)
Axioms      x + 0 ≈ x                         car(cons(x, y)) ≈ x                  (only the equality axioms)
(univ.      x − x ≈ 0                         cdr(cons(x, y)) ≈ y
quantif.)   + is associative, commutative     at(x) ∨ cons(car(x), cdr(x)) ≈ x
            ≤ is reflexive, transitive,       ¬at(cons(x, y))
              antisymmetric
            x ≤ y ∨ y ≤ x
            x ≤ y → x + z ≤ y + z

Is the conjunction  c ≤ d ∧ d ≤ c + car(cons(0, c)) ∧ P(h(c) − h(d)) ∧ ¬P(0)  satisfiable in R ∪ L ∪ E?

SLIDE 88

Step 1: Purification

Given: φ, a conjunctive quantifier-free formula over Σ1 ∪ Σ2
Task: find φ1, φ2 such that φi is a pure Σi-formula and φ1 ∧ φ2 is equisatisfiable with φ

Rewrite rules (u, v fresh constants; f and g belong to different signatures; t = f(t1, ..., tn) is a subterm whose head symbol is alien to the symbol above it):
  f(s1, ..., sn) ≈ g(t1, ..., tm)   →   u ≈ f(s1, ..., sn) ∧ u ≈ g(t1, ..., tm)
  f(s1, ..., sn) ≉ g(t1, ..., tm)   →   u ≈ f(s1, ..., sn) ∧ v ≈ g(t1, ..., tm) ∧ u ≉ v
  (¬)P(..., si, ...)                →   (¬)P(..., u, ...) ∧ u ≈ si            (si headed by a symbol alien to P)
  (¬)P(..., si[t], ...)             →   (¬)P(..., si[t ↦ u], ...) ∧ u ≈ t      (t alien inside si)
Termination: obvious (each step removes one alien occurrence).
Correctness: φ1 ∧ φ2 and φ are satisfiable in exactly the same models of T1 ∪ T2 (interpreting each fresh constant as the term it abbreviates).

SLIDE 89-94

Step 1: Purification

c ≤ d ∧ d ≤ c + car(cons(0, c)) ∧ P(h(c) − h(d)) ∧ ¬P(0)

Abbreviate the alien subterms by fresh constants (the underbraces on the slides):
  c1 := car(cons(0, c))    c2 := h(c) − h(d)    c3 := h(c)    c4 := h(d)    c5 := 0

Result: three pure conjunctions

  R                   L                           E
  c ≤ d               c1 ≈ car(cons(c5, c))       P(c2)
  d ≤ c + c1                                      ¬P(c5)
  c2 ≈ c3 − c4                                    c3 ≈ h(c)
  c5 ≈ 0                                          c4 ≈ h(d)

  satisfiable         satisfiable                 satisfiable

Each part is satisfiable in its own theory; the inconsistency only shows once the parts exchange information (Step 2).

SLIDE 95-99

Step 2: Propagation

Deduce and propagate equalities between shared constants that are entailed by a component:

  R                   L                           E
  c ≤ d               c1 ≈ car(cons(c5, c))       P(c2)
  d ≤ c + c1                                      ¬P(c5)
  c2 ≈ c3 − c4                                    c3 ≈ h(c)
  c5 ≈ 0                                          c4 ≈ h(d)

  1. L deduces c1 ≈ c5 (axiom car(cons(x, y)) ≈ x) and sends it to R.
  2. R now has c ≤ d, d ≤ c + c1, c1 ≈ c5, c5 ≈ 0, hence d ≤ c; it deduces c ≈ d and sends it to E.
  3. E deduces c3 ≈ c4 from c ≈ d (congruence: h(c) ≈ h(d)) and sends it to R.
  4. R deduces c2 ≈ c5 from c2 ≈ c3 − c4, c3 ≈ c4 and c5 ≈ 0 (c2 ≈ 0 ≈ c5) and sends it to E.
  5. E: P(c2) ∧ ¬P(c5) ∧ c2 ≈ c5 is unsatisfiable (⊥), so the input conjunction is unsatisfiable in R ∪ L ∪ E.

SLIDE 100-101

The Nelson-Oppen algorithm

φ: conjunction of literals
Step 1. Purification: T1 ∪ T2 ∪ φ → (T1 ∪ φ1) ∪ (T2 ∪ φ2), where φi is a pure Σi-formula and φ1 ∧ φ2 is equisatisfiable with φ.
  (not problematic; requires linear time)
Step 2. Propagation: the decision procedures for ground satisfiability in T1 and T2 fairly exchange information concerning entailed unsatisfiability of constraints in the shared signature, i.e. clauses over the shared variables, until an inconsistency is detected or a saturation state is reached.
  (not problematic; termination guaranteed)

Sound: if an inconsistency is detected, the input is unsatisfiable.
Complete: only under additional assumptions.

SLIDE 102-103

Implementation

φ: conjunction of literals
Step 1. Purification: T1 ∪ T2 ∪ φ → (T1 ∪ φ1) ∪ (T2 ∪ φ2), where φi is a pure Σi-formula and φ1 ∧ φ2 is equisatisfiable with φ.
Step 2. Propagation: the decision procedures for ground satisfiability in T1 and T2 fairly exchange information concerning entailed unsatisfiability of constraints in the shared signature, i.e. clauses over the shared variables, until an inconsistency is detected or a saturation state is reached.

How to implement propagation?
  • Guessing: guess a maximal set of literals over the shared variables; check it for Ti ∪ φi consistency (i = 1, 2).
  • Backtracking: identify a disjunction of equalities between shared variables entailed by Ti ∪ φi; case-split by adding one of these equalities to φ1 and φ2. Repeat as long as possible.

SLIDE 104-105

Implementation of propagation

Guessing variant: guess a maximal set of literals over the shared variables; check it for Ti ∪ φi consistency.
Advantage: whenever constraints are represented as Boolean combinations of atoms, one may combine the heuristics of SMT solvers with specific features of the theories to be combined to produce the right arrangement efficiently.

Backtracking variant: identify a disjunction of equalities between shared variables entailed by Ti ∪ φi; case-split by adding one of these equalities to φ1 and φ2. Repeat as long as possible.
Advantages:
  • it works in the non-disjoint case as well
  • it can be made deterministic for combinations of convex theories

SLIDE 106-109

Complexity

Main sources of complexity:
  (i) transformation of the formula into DNF
  (ii) propagation
      (a) deciding whether a disjunction of equalities between shared variables is entailed
      (b) investigating the different branches corresponding to such disjunctions

T is convex iff for every conjunction of literals φ:  φ ⊨_T ⋁_i xi ≈ yi  implies  φ ⊨_T xj ≈ yj for some j.
→ for convex theories there is no branching in (ii)(b).

Theorem. Let T1 and T2 be convex and stably infinite, Σ1 ∩ Σ2 = ∅. If satisfiability of conjunctions of literals in Ti is in PTIME (i = 1, 2), then satisfiability of conjunctions of literals in T1 ∪ T2 is in PTIME.

In general (non-convex theories): non-deterministic procedure (guess the arrangement of the shared variables).
Theorem. Let T1 and T2 be stably infinite (not necessarily convex), Σ1 ∩ Σ2 = ∅. If satisfiability of conjunctions of literals in Ti is in NP (i = 1, 2), then satisfiability of conjunctions of literals in T1 ∪ T2 is in NP.

SLIDE 110-111

Completeness

Example (disjoint signatures, yet the procedure is incomplete):

  E1                                E2
  f(g(x), g(y)) ≈ x                 k(x) ≈ k(x)
  f(g(x), h(y)) ≈ y
  non-trivial                       non-trivial

Constraint: g(c) ≈ h(c) ∧ k(c) ≈ c
  g(c) ≈ h(c) is satisfiable in E1;  k(c) ≈ c is satisfiable in E2;
  no equations between shared variables are entailed, so Nelson-Oppen answers "satisfiable".

But: a model A of E1 satisfies g(c) ≈ h(c) iff there is e ∈ A with g(e) = h(e). Then for all a ∈ A:
  a = f_A(g(a), g(e)) = f_A(g(a), h(e)) = e,
i.e. A has exactly one element. Since the models of E2 are non-trivial (more than one element), g(c) ≈ h(c) ∧ k(c) ≈ c is unsatisfiable in E1 ∪ E2.

SLIDE 112

Completeness

Another example:
  T1: theory admitting only models of cardinality at most 2
  T2: theory admitting models of any cardinality
  f1 ∈ Σ1, f2 ∈ Σ2 such that Ti ⊭ ∀x, y fi(x) ≈ fi(y)  (fi is not forced to be constant)
  φ  = f1(c1) ≉ f1(c2) ∧ f2(c1) ≉ f2(c3) ∧ f2(c2) ≉ f2(c3)
  φ1 = f1(c1) ≉ f1(c2)                          (T1-satisfiable, e.g. in a 2-element model)
  φ2 = f2(c1) ≉ f2(c3) ∧ f2(c2) ≉ f2(c3)        (T2-satisfiable)
Neither part entails an equality between shared constants, so the Nelson-Oppen procedure returns "satisfiable".
But  T1 ∪ T2 ⊨ ∀x, y, z (f1(x) ≉ f1(y) ∧ f2(x) ≉ f2(z) ∧ f2(y) ≉ f2(z) → (x ≉ y ∧ x ≉ z ∧ y ≉ z)),
and three pairwise distinct elements do not fit into a model of T1, so φ is unsatisfiable in T1 ∪ T2.

SLIDE 113

Completeness

Cause of incompleteness: there exist formulae that are satisfiable only in finite models of bounded cardinality.
Solution: consider stably infinite theories.
T is stably infinite iff for every quantifier-free formula φ:  φ is satisfiable in T  iff  φ is satisfiable in an infinite model of T.
Note: this restriction is not mentioned in [Nelson, Oppen 1979]; it was introduced by Oppen in 1980.

SLIDE 114

Completeness

Guessing version: C = set of constants shared by φ1, φ2; R = equivalence relation associated with a partition of C.
  ar(C, R) = ⋀_{R(c,d)} c ≈ d  ∧  ⋀_{¬R(c,d)} c ≉ d        (the "arrangement" of C induced by R)

  • Lemma. Assume there exists a partition of C such that φi ∧ ar(C, R) is Ti-satisfiable for i = 1, 2. Then φ1 ∧ φ2 is T1 ∪ T2-satisfiable.

Idea of proof: let Ai ∈ Mod(Ti) with Ai ⊨ φi ∧ ar(C, R). Then c^A1 = d^A1 iff c^A2 = d^A2, so the map i : {c^A1 | c ∈ C} → {c^A2 | c ∈ C}, i(c^A1) = c^A2, is well defined and a bijection. Stable infiniteness: we can assume w.l.o.g. that A1 and A2 are infinite of the same cardinality. Let h : A1 → A2 be a bijection with h(c^A1) = c^A2; use h to transfer the Σ1-structure of A1 onto A2, which yields a model of T1 ∪ T2 satisfying φ1 ∧ φ2.

  • Theorem. If T1, T2 are both stably infinite and the shared signature is empty (apart from ≈), then the Nelson-Oppen procedure transfers decidability of ground satisfiability from T1, T2 to T1 ∪ T2.
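The reasoning the E component performs in both variants of Step 2, as an added example (not code from the tutorial): a congruence-closure procedure over ground terms with free function and predicate symbols. It reproduces the propagation steps of slides 95-99 (after receiving c ≈ d it entails c3 ≈ c4; after also receiving c2 ≈ c5 it detects ⊥ because P(c2) and ¬P(c5) collapse) and the guessing version of this slide (enumerate all partitions of the shared constants, build ar(C, R), keep the arrangements consistent with φ_E). The tuple encoding of terms, the encoding of a predicate atom P(t) as the equation P(t) ≈ true / ≈ false, and the choice of which constants count as shared are this example's own conventions.

```python
# Congruence closure over ground terms with free function and predicate
# symbols: the E component of Nelson-Oppen propagation and of the guessing
# version's check "φ_E ∧ ar(C, R) consistent?".  Added example, not code from
# the tutorial; the term encoding is this example's own convention.
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

Term = Tuple                           # ("h", ("c",)) is h(c); a 1-tuple ("c",) is a constant
TRUE, FALSE = ("true",), ("false",)    # P(t) is encoded as P(t) = TRUE, ¬P(t) as P(t) = FALSE


def pred(p: str, *args: Term, positive: bool = True):
    return ("=", (p,) + args, TRUE if positive else FALSE)


class CongruenceClosure:
    def __init__(self):
        self.parent: Dict[Term, Term] = {}      # union-find over all registered terms
        self.diseqs: List[Tuple[Term, Term]] = []

    def _register(self, t: Term) -> None:
        if t not in self.parent:
            self.parent[t] = t
            for a in t[1:]:
                self._register(a)

    def find(self, t: Term) -> Term:
        self._register(t)
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s: Term, t: Term) -> None:
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt

    def add(self, lit) -> None:
        kind, s, t = lit                        # ("=", s, t) or ("!=", s, t)
        if kind == "=":
            self.union(s, t)
        else:
            self.find(s); self.find(t)
            self.diseqs.append((s, t))

    def close(self) -> None:
        """Merge congruent applications f(s1..sn), f(t1..tn) with si ≈ ti until
        nothing changes (naive fixpoint, adequate for these problem sizes)."""
        changed = True
        while changed:
            changed = False
            apps = [t for t in self.parent if len(t) > 1]
            for s, t in combinations(apps, 2):
                if (s[0] == t[0] and len(s) == len(t) and self.find(s) != self.find(t)
                        and all(self.find(a) == self.find(b) for a, b in zip(s[1:], t[1:]))):
                    self.union(s, t)
                    changed = True

    def consistent(self) -> bool:
        self.close()
        if self.find(TRUE) == self.find(FALSE):
            return False                        # some P(t) forced both true and false
        return all(self.find(s) != self.find(t) for s, t in self.diseqs)

    def entailed_equalities(self, shared: Iterable[str]) -> Set[Tuple[str, str]]:
        """Equalities between shared constants that follow from the literals."""
        self.close()
        return {(a, b) for a, b in combinations(sorted(shared), 2)
                if self.find((a,)) == self.find((b,))}


# E component of the slides' example after purification (constructed input).
E_PART = [pred("P", ("c2",)), pred("P", ("c5",), positive=False),
          ("=", ("c3",), ("h", ("c",))), ("=", ("c4",), ("h", ("d",)))]


def e_component(received_equalities=()) -> CongruenceClosure:
    """E's state after receiving equalities between shared constants from R or L."""
    cc = CongruenceClosure()
    for lit in E_PART:
        cc.add(lit)
    for a, b in received_equalities:
        cc.add(("=", (a,), (b,)))
    return cc


def partitions(items: List[str]):
    """All set partitions of `items`; each partition is a list of blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for p in partitions(rest):
        for i in range(len(p)):
            yield p[:i] + [[first] + p[i]] + p[i + 1:]
        yield [[first]] + p


def arrangement(blocks):
    """ar(C, R): c ≈ d for c, d in the same block, c ≉ d otherwise."""
    lits = [("=", (a,), (b,)) for blk in blocks for a, b in combinations(blk, 2)]
    lits += [("!=", (a,), (b,)) for b1, b2 in combinations(blocks, 2) for a in b1 for b in b2]
    return lits


def consistent_arrangements(shared: List[str]):
    """Guessing version, E side: the partitions of the shared constants whose
    arrangement is consistent with φ_E (survivors still need the R and L checks)."""
    found = []
    for blocks in partitions(sorted(shared)):
        cc = e_component()
        for lit in arrangement(blocks):
            cc.add(lit)
        if cc.consistent():
            found.append(blocks)
    return found
```

With the six constants c, d, c2, c3, c4, c5 there are 203 partitions; exactly those with c2 and c5 in different blocks and with c3, c4 together whenever c, d are together survive the E check, which is the blow-up the convexity result on slides 107-108 avoids.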

SLIDE 115-116

Extensions of the Nelson-Oppen procedure

  • relax the stable infiniteness requirement
  • relax the requirement that the theories have disjoint signatures
Main idea: find situations in which Ti-models of φi (i = 1, 2) can be "amalgamated" into a T1 ∪ T2-model of φ1 ∧ φ2.

[Tinelli, Zarba ’03]: one theory is "shiny" (for each satisfiable constraint one can compute a finite k such that the theory has models of the constraint of every cardinality λ ≥ k).
[Ghilardi ’04]: model-theoretic conditions. Presented in what follows.

SLIDE 117

Theories with non-disjoint signatures

T1: theory with signature Σ1; T2: theory with signature Σ2. The common subsignature Σ0 = Σ1 ∩ Σ2 is not assumed to be empty.
Question: Under which conditions can the Nelson-Oppen combination scheme be used in this situation and provide a decision procedure?

SLIDE 118-121

Theories with non-disjoint signatures

Step 1: Purification: can be done as in the disjoint case.
Step 2: Propagation: need to ensure that only finitely many formulae over the shared signature Σ0 need to be propagated.

The simplest way of avoiding non-termination in Step 2 is to make the following assumptions (cf. [Ghilardi ’04]):
  A1: T1 and T2 contain a Σ0-theory T0 which is locally finite, i.e. for any finite set X of variables only finitely many Σ0-terms with variables in X exist (up to T0-equivalence).
  A2: Representative terms for the equivalence classes are computable.
Implementation: propagation can still be implemented by
  – guessing (guess a maximal set of representative Σ0-literals over the shared constants), or
  – backtracking (case-split on disjunctions of Σ0-literals over the shared constants that are entailed by the purified formulae without any single disjunct being entailed).

Soundness: clear (as in the disjoint case).
Completeness: need to impose additional conditions on the theories.

SLIDE 122-124

Theories with non-disjoint signatures

Main idea in the completeness proof for the Nelson-Oppen procedure: given Ti-models Ai of φi, construct a T1 ∪ T2-model A of φ1 ∧ φ2. Stable infiniteness guarantees that this is possible.

Observations [Ghilardi ’04]:
  – the condition that Ti is stably infinite means: every model of Ti embeds into an infinite model;
  – the theory of an infinite model (of pure equality) is the model completion T0* of the theory T0 of equality.

→ Generalization. We make the following assumptions:
  A3: T0 is universal and has a model completion T0*.
  A4: Every model of Ti embeds into a model of Ti ∪ T0*, for i = 1, 2.

Model completion T0* of T0:
  1. every model of T0 embeds into a model of T0*;
  2. T0* admits quantifier elimination (equivalently: for every M ∈ Mod(T0), T0* ∪ Δ(M) is a complete theory, where Δ(M) is the diagram of M).

SLIDE 125-128

Theories with non-disjoint signatures

  A1: T1 and T2 contain a locally finite Σ0-theory T0 (for any finite set X of variables only finitely many Σ0-terms with variables in X exist, up to T0-equivalence).
  A2: Representative terms for the equivalence classes are computable.
  A3: T0 is universal and has a model completion T0*.
  A4: Every model of Ti embeds into a model of Ti ∪ T0*, for i = 1, 2.

Theorem [Ghilardi ’04]. Under assumptions A1–A4 on the theories T1 and T2, the Nelson-Oppen procedure transfers decidability of ground satisfiability from T1, T2 to T1 ∪ T2.

Proof:
  • All steps of the algorithm are satisfiability preserving → soundness.
  • A1, A2 ensure termination of propagation.
  • Completeness: information exchange → saturation; there exist Ti-models Ai of the saturated φi sharing a common Σ0-substructure A (generated by the shared constants).
      A4: A ↪ Ai ↪ Ai* ∈ Mod(Ti ∪ T0*)
      A3: T0 is universal → A ∈ Mod(T0), and T0* ∪ Δ(A) is a complete theory.
      Robinson's joint consistency theorem: Δe(A1*) ∪ Δe(A2*) is consistent (Δe = elementary diagram), so A1* and A2* amalgamate over A into a model of T1 ∪ T2 satisfying φ1 ∧ φ2.
      [Picture on the slide: A1* ← A → A2*]

SLIDE 129

Examples

The Nelson-Oppen style procedure presented above yields a decision procedure for the ground satisfiability problem w.r.t. T1 ∪ T2 for:

Example: Ti = Th(BAO(Σi)) (Boolean algebras with operators in Σi, i = 1, 2), Σ1 ∩ Σ2 = ∅.
  T0: the theory of Boolean algebras (satisfies A1, A2).
  A3: the model completion T0* of the theory of Boolean algebras is the theory of atomless Boolean algebras.
  A4: every Boolean algebra with operators in Σi embeds into an atomless Boolean algebra with operators in Σi.
Applications:
  • combinations of modal logics, e.g. for reasoning about knowledge and belief in multi-agent systems
  • combinations of description logics

SLIDE 130

Examples

The Nelson-Oppen style procedure presented above yields a decision procedure for the ground satisfiability problem w.r.t. T1 ∪ T2 for:

Example: T1 = LI(Q), linear arithmetic over the rationals; T2 = the theory of total orders with a strictly monotone function f (ground satisfiability decidable). T1 and T2 share T0 = the theory of total orders.
  A1 and A2: obvious.
  A3: T0 is universal; its model completion T0* is the theory of dense total orders (without endpoints).
  A4: T0* ⊆ T1 (the order on Q is dense); every model of T2 embeds into a dense total order with a strictly monotone f.

Question: similar results for (Presburger arithmetic ∪ monotone functions)? For combinations of theories sharing the theory of real numbers?

SLIDE 131

Structure

  • Reasoning in standard theories
      Preliminaries: logic, theories, models
      Decidable logical theories and theory fragments
      Tractability
  • Reasoning in combinations of theories
      disjoint signatures
      non-disjoint signatures
  • Theory extensions
  • Applications

SLIDE 132

Example: Strict monotonicity

R ∪ Z ∪ Mon(f) ∪ G ⊨ ⊥,   where  G = (a < b ∧ f(a) = f(b) + 1)   and   Mon(f) = ∀i, j (i < j → f(i) < f(j))

Problems:
  • a prover for R ∪ Z does not know about f
  • a prover for first-order logic may have problems with the reals and the integers
  • SMT provers may have problems with the universal quantifiers

Our goal:
  reduce search: consider only certain instances Mon(f)[G] of the axiom, without loss of completeness
  hierarchical/modular reasoning: reduce to checking satisfiability of a set of constraints over R ∪ Z

SLIDE 133

Local theory extensions

Our solution: local theory extensions [Ganzinger, VS, Waldmann ’04; VS ’05]
K set of equational clauses; T0 theory; T1 = T0 ∪ K
(Loc) T0 ⊆ T1 is local if, for all ground clauses G:  T0 ∪ K ∪ G ⊨ ⊥  iff  T0 ∪ K[G] ∪ G has no (partial) model,
where K[G] is the set of instances of K in which the extension terms are ground terms occurring in K or G.
Various notions of locality, depending on the instances to be considered, e.g. stable locality [Ganzinger ’01, VS ’05], order locality [Basin, Ganzinger ’96]; new generalizations of locality: [Ihlemann, Jacobs, VS ’08].

SLIDE 134-138

Example: Strict monotonicity

R ∪ Z ∪ Mon(f) ∪ G ⊨ ⊥,   G = (a < b ∧ f(a) = f(b) + 1)

Split the problem:
  Base theory (R ∪ Z)          Extension
  a < b                        Mon(f): ∀i, j (i < j → f(i) < f(j))
  f(a) = f(b) + 1

The extension is local → replace the axiom by its ground instances Mon(f)[G] (i, j ranging over the arguments a, b of f in G):
  Base theory (R ∪ Z)          Extension
  a < b                        a < b → f(a) < f(b)
  f(a) = f(b) + 1              b < a → f(b) < f(a)
Solution 1: hand R ∪ Z ∪ Mon(f)[G] ∪ G to an SMT solver for R ∪ Z ∪ UIF (f uninterpreted).

Solution 2: hierarchical reasoning.
Add the instances of the congruence axiom for f:
  a = b → f(a) = f(b)
Replace the f-terms by new constants (a1 for f(a), b1 for f(b)) and add definitions for the new constants:
  Base theory (R ∪ Z)          Definitions          Instances (now ground, over R ∪ Z)
  a < b                        a1 = f(a)            a < b → a1 < b1
  a1 = b1 + 1                  b1 = f(b)            b < a → b1 < a1
                                                    a = b → a1 = b1
The base-theory problem  a < b ∧ a1 = b1 + 1 ∧ (a < b → a1 < b1) ∧ (b < a → b1 < a1) ∧ (a = b → a1 = b1)  is unsatisfiable in R ∪ Z (a < b forces a1 < b1, contradicting a1 = b1 + 1), hence so is the original problem.

SLIDE 139

Reasoning in local theory extensions

Locality:  T0 ∪ K ∪ G ⊨ ⊥  iff  T0 ∪ K[G] ∪ G ⊨ ⊥
Problem: decide whether T0 ∪ K[G] ∪ G ⊨ ⊥
Solution 1: use SMT(T0 + UIF): possible only if K[G] is ground.
Solution 2: hierarchic reasoning [VS ’05]: reduce to satisfiability in T0; applicable in general → parameterized complexity.
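The hierarchical reduction of slides 134-139 for the monotonicity extension, as an added example (it is not the tutorial's tool): collect the f-terms of G, instantiate Mon(f) and the congruence axiom on their arguments (this is Mon(f)[G] for this extension), replace every f-term by a fresh constant, and emit the ground base-theory problem as SMT-LIB 2 text that any solver for R ∪ Z can check. The tuple encoding of terms, the sort assignment (f-arguments Int, f-values Real, as for pos : Z → R in the ETCS example) and the constant names k1, k2, ... are this example's own conventions.

```python
# Hierarchical reduction for the local extension R ∪ Z ⊆ R ∪ Z ∪ Mon(f):
# instantiate the monotonicity (and congruence) axioms on the f-terms of G,
# replace f-terms by fresh constants, emit the ground problem as SMT-LIB 2.
# Added example, not the tutorial's tool; encoding, sorts and constant names
# k1, k2, ... are this example's own conventions.
from itertools import combinations, permutations
from typing import Dict, List, Tuple

Term = Tuple          # ("f", ("a",)) is f(a); ("<", s, t) is an atom; a 1-tuple is a constant
EXT_FUN = "f"         # the extension function symbol


def subterms(t: Term):
    yield t
    for a in t[1:]:
        yield from subterms(a)


def ext_terms(clauses: List[Term]) -> List[Term]:
    """The distinct f-terms occurring in G, in order of first occurrence."""
    seen: List[Term] = []
    for c in clauses:
        for s in subterms(c):
            if len(s) > 1 and s[0] == EXT_FUN and s not in seen:
                seen.append(s)
    return seen


def instances(fterms: List[Term]) -> List[Term]:
    """Mon(f)[G] (strict monotonicity) plus the congruence instances for f."""
    args = [t[1] for t in fterms]
    inst = [("=>", ("<", i, j), ("<", (EXT_FUN, i), (EXT_FUN, j)))
            for i, j in permutations(args, 2)]
    inst += [("=>", ("=", i, j), ("=", (EXT_FUN, i), (EXT_FUN, j)))
             for i, j in combinations(args, 2)]
    return inst


def flatten(t: Term, names: Dict[Term, str]) -> Term:
    """Replace every f-term by its fresh constant."""
    if t in names:
        return (names[t],)
    return (t[0],) + tuple(flatten(a, names) for a in t[1:])


def to_smt(t: Term) -> str:
    return t[0] if len(t) == 1 else "(" + " ".join([t[0]] + [to_smt(a) for a in t[1:]]) + ")"


def hierarchical_reduction(G: List[Term], base_consts: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """SMT-LIB 2 lines of the base-theory problem, plus the definitions
    (fresh constant -> f-term) that were introduced."""
    fterms = ext_terms(G)
    names = {t: f"k{i}" for i, t in enumerate(fterms, start=1)}
    ground = [flatten(c, names) for c in G + instances(fterms)]
    lines = ["(set-logic QF_LIRA)"]
    lines += [f"(declare-const {c} {sort})" for c, sort in base_consts.items()]
    lines += [f"(declare-const {k} Real) ; {k} = {to_smt(t)}" for t, k in names.items()]
    lines += [f"(assert {to_smt(c)})" for c in ground]
    lines.append("(check-sat)")
    return lines, {k: to_smt(t) for t, k in names.items()}


# The slides' G (constructed input):  a < b  ∧  f(a) = f(b) + 1
G_EXAMPLE = [("<", ("a",), ("b",)),
             ("=", ("f", ("a",)), ("+", ("f", ("b",)), ("1",)))]

if __name__ == "__main__":
    print("\n".join(hierarchical_reduction(G_EXAMPLE, {"a": "Int", "b": "Int"})[0]))
```

For the slides' G the emitted script declares a, b : Int and k1 = f(a), k2 = f(b) : Real and asserts a < b, k1 = k2 + 1 and the three instances a < b → k1 < k2, b < a → k2 < k1, a = b → k1 = k2; a solver reports unsat, as the slide argues by hand. Numerals are copied verbatim, so the Int literal 1 next to a Real constant relies on the solver's implicit coercion (z3 accepts it; a stricter front end may want 1.0). With n distinct f-terms the reduction produces n(n−1) monotonicity and n(n−1)/2 congruence instances, which is the parameterized complexity mentioned on slide 139.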

SLIDE 140-141

Recognizing local theory extensions

Problem: determine whether a theory extension is local.
Our solutions:
  1. Semantic method: embeddability of partial models into total models
       T1 is a local extension of T0  ⇔  Emb(T0, T1)
       [Ganzinger, VS, Waldmann ’04; VS ’05] [VS, Ihlemann ’07]
  2. Proof-theoretic method: test saturation under ordered resolution
       [Basin, Ganzinger ’96, ’01]: test locality; generate a local presentation if possible
       [VS ’07]: theory extensions

Results: extensions with new functions +
  • definitions                                              [VS ’05, ’06]
  • (piecewise) boundedness/monotonicity                     [VS, Ihlemann ’07]
  • injectivity, strict monotonicity (additional assumptions) [Jacobs, VS ’07]
  • Lipschitz conditions/continuity/derivability             [VS ’08]
  • theories of data structures                              [Ihlemann, Jacobs, VS ’08]

SLIDE 142

Further examples

Consequence [VS, Jacobs, Ihlemann ’08]
  • The notion of locality allows us to uniformly explain existing results, e.g.
      – local pointer structures [McPeak, Necula 2005]
      – theory of arrays [Bradley, Manna, Sipma ’06]
  • The notion of locality allows us to generate/recognize in a systematic way a large class of local theory extensions related to data structures, including proper extensions of the theories above. Examples:
      – insertion/deletion in pointer structures
      – updates of arrays, properties of arrays

SLIDE 143

Combinations of complex theories

Given: a (possibly non-disjoint) combination of theories. Example: lists(R) ∪ arrays(R)
Problem: Are combinations of local extensions of a theory T0 again local?
Answer [VS ’07]: very often (under very mild conditions on the component theories and on the shared theory).

SLIDE 144

Structure

  • Reasoning in standard theories
      Preliminaries: logic, theories, models
      Decidable logical theories and theory fragments
      Tractability
  • Reasoning in combinations of theories
      disjoint signatures
      non-disjoint signatures
  • Theory extensions
  • Applications

SLIDE 145

Applications

  • Example 1: theorem proving in mathematics
  • Example 2: ETCS case study (AVACS)
  • Example 3: verification: list insertion

Main feature: we do not restrict ourselves to proof tasks.
  • consider problems with parameters
  • the hierarchical reduction to proof tasks in the base theory can be used
      – (together with QE) for obtaining constraints on the parameters which guarantee (un)satisfiability
      – for model building

SLIDE 146

Example: Mathematics

Given: f, g : R → R satisfying the Lipschitz conditions (L^λ1_f), (L^λ2_g):
  (L^λ1_f)  ∀x, y (|f(x) − f(y)| ≤ λ1|x − y|)
  (L^λ2_g)  ∀x, y (|g(x) − g(y)| ≤ λ2|x − y|)
Task: determine whether f + g satisfies a Lipschitz condition and, if so, with which constant λ, i.e. determine under which conditions the following holds:
  R ∪ L^λ1_f ∪ L^λ2_g ⊨ ∀x, y (|f(x) + g(x) − (f(y) + g(y))| ≤ λ|x − y|)        (L^λ_{f+g})

slide-147
SLIDE 147

Example: Mathematics

The following are equivalent: (1) R∪Lλ1

f ∪Lλ2 g

| = A x, y(|f (x) + g(x) − (f (y) + g(y))|≤λ|x − y|) (2) R ∪ Lλ1

f ∪Lλ2 g

∧ |f (c) + g(c) − (f (d) + g(d))| ≤ λ|c − d| | {z }

G

| =⊥ (3) R ∪ (Lλ1

f ∪Lλ2 g )[G] ∧ |f (c) + g(c) − (f (d) + g(d))| ≤ λ|c − d|

| {z }

G

| =⊥ (4) R ∪ G ′ | =⊥

Def G ′ f (c) = c1 f (d) = d1 Lλ1

f

[G]0 : |c1 − d1| ≤ λ1|c − d| g(c) = c2 g(d) = d2 Lλ1

f

[G]0 : |c2 − d2| ≤ λ2|c − d| G : |c1 + d1 − c2 − d2| ≤ λ|c − d|

147

slide-148
SLIDE 148

Example: Mathematics

The following are equivalent (if λ1 > 0, λ2 > 0): (1) R∪Lλ1

f ∪Lλ2 g

| = A x, y(|f (x) + g(x) − (f (y) + g(y))|≤λ|x − y|) (4) R ∪ G ′ | =⊥

Def G ′ f (c) = c1 f (d) = d1 Lλ1

f

[G]0 : |c1 − d1| ≤ λ1|c − d| g(c) = c2 g(d) = d2 Lλ2

g [G]0 : |c2 − d2| ≤ λ2|c − d|

G0 : |c1 + d1 − c2 − d2| ≤ λ|c − d|

(5) E c, d, c1, d1, c2, d2(Lλ1

f [G]0 ∧ Lλ2 g [G]0 ∧ G0) is false

(6) λ > 0 ∧ λ1 > 0 ∧ λ2 > 0 ∧ ((λ−λ1+λ2<0 ∧ λ1−λ2≥0)∨

(λ+λ1−λ2<0 ∧ λ1−λ2<0) ∨ (λ+λ1−λ2<0 ∧ λ1−λ2≤0)∨ λ−λ2 < 0 ∨ λ−λ1 < 0 ∨ (λ−λ1−λ2 < 0 ∧ λ1+λ2≥0)) is false

(obtained after QE) (7) λ ≥ λ1+λ2 (obtained after simplification)

148

slide-149
SLIDE 149

Example: Mathematics

The following are equivalent (if λ1 ≥ 0, λ2 ≥ 0):

(1) R ∪ L^{λ1}_f ∪ L^{λ2}_g ⊨ ∀ x, y (|f(x) + g(x) − (f(y) + g(y))| ≤ λ|x − y|)

(4) R ∪ G′ ⊨ ⊥

Def. G′:
    f(c) = c1,  f(d) = d1      L^{λ1}_f[G]_0 : |c1 − d1| ≤ λ1|c − d|
    g(c) = c2,  g(d) = d2      L^{λ2}_g[G]_0 : |c2 − d2| ≤ λ2|c − d|
                               G_0 : |c1 + c2 − d1 − d2| > λ|c − d|

(5) ∃ c, d, c1, d1, c2, d2 (L^{λ1}_f[G]_0 ∧ L^{λ2}_g[G]_0 ∧ G_0) is false

(6) λ > 0 ∧ λ1 > 0 ∧ λ2 > 0 ∧ ((λ−λ1+λ2 < 0 ∧ λ1−λ2 ≥ 0) ∨ (λ+λ1−λ2 < 0 ∧ λ1−λ2 < 0) ∨ (λ+λ1−λ2 < 0 ∧ λ1−λ2 ≤ 0) ∨ λ−λ2 < 0 ∨ λ−λ1 < 0 ∨ (λ−λ1−λ2 < 0 ∧ λ1+λ2 ≥ 0)) is false
    (obtained after QE)

(7) λ ≥ λ1 + λ2   (obtained after simplification)

Consequence: If λ1 ≥ 0, λ2 ≥ 0 we have:  R ∪ L^{λ1}_f ∪ L^{λ2}_g ⊨ L^{λ}_{f+g}  iff  λ ≥ λ1 + λ2

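Added derivation (not on the slides) of why the existential in (5) is false exactly when λ ≥ λ1 + λ2, assuming λ1, λ2 ≥ 0 as on this slide; it carries out by hand what the quantifier elimination in (6) and the simplification in (7) compute.

$$
\begin{aligned}
&\text{Suppose } \lambda \ge \lambda_1 + \lambda_2 \text{ and } L^{\lambda_1}_f[G]_0 \wedge L^{\lambda_2}_g[G]_0 \text{ hold. By the triangle inequality}\\
&\qquad |c_1 + c_2 - d_1 - d_2| \;\le\; |c_1 - d_1| + |c_2 - d_2| \;\le\; \lambda_1|c-d| + \lambda_2|c-d| \;\le\; \lambda|c-d|,\\
&\text{so } G_0 \text{, i.e. } |c_1 + c_2 - d_1 - d_2| > \lambda|c-d|, \text{ cannot hold: the conjunction in (5) is unsatisfiable.}\\[4pt]
&\text{Conversely, if } \lambda < \lambda_1 + \lambda_2, \text{ take } c = 1,\ d = 0,\ c_1 = \lambda_1,\ d_1 = 0,\ c_2 = \lambda_2,\ d_2 = 0. \text{ Then}\\
&\qquad |c_1 - d_1| = \lambda_1 \le \lambda_1 \cdot |c-d|,\qquad |c_2 - d_2| = \lambda_2 \le \lambda_2 \cdot |c-d|,\qquad |c_1 + c_2 - d_1 - d_2| = \lambda_1 + \lambda_2 > \lambda \cdot |c-d|,\\
&\text{so the conjunction in (5) is satisfiable (the witness is } f(x) = \lambda_1 x,\ g(x) = \lambda_2 x \text{ on } \{0, 1\}).\\[4pt]
&\text{Hence (5) is false} \iff \lambda \ge \lambda_1 + \lambda_2, \text{ which is (7).}
\end{aligned}
$$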

SLIDE 150

Verification

Modeling/Formalization: from system specifications to complex theories

  • Automated reasoning
    − full theory
    − abstraction of theory
  • Interpolation
    − use interpolants for refining abstraction
  • Tasks: invariant checking / BMC, model checking, abstraction/refinement

SLIDE 151

Examples: Verification

S specification → Σ_S signature of S; 𝒯_S theory of S; T_S transition system: Init(x); Update(x, x′)
Given: Safe(x) formula (e.g. safety property)

  • Invariant checking

(1) ⊨_{𝒯_S} Init(x) → Safe(x)                      (Safe holds in the initial state)
(2) ⊨_{𝒯_S} Safe(x) ∧ Update(x, x′) → Safe(x′)     (Safe holds before ⇒ holds after update)

  • Bounded model checking (BMC):

Check whether, for a fixed k, unsafe states are reachable in at most k steps, i.e. for all 0 ≤ j ≤ k:
    Init(x_0) ∧ Update_1(x_0, x_1) ∧ ··· ∧ Update_n(x_{j−1}, x_j) ∧ ¬Safe(x_j) ⊨_{𝒯_S} ⊥

SLIDE 152

Example: ETCS Case Study (AVACS project)

Simplified version of ETCS Case Study [Jacobs,VS’06, Faber,Jacobs,VS’07]

  • Number of trains: n ≥ 0                                        (Z)
  • Minimum and maximum speed of trains: 0 ≤ min < max              (R)
  • Minimum secure distance: l_alarm > 0                            (R)
  • Time between updates: ∆t > 0                                    (R)
  • Train positions before and after update: pos(i), pos′(i) : Z → R

SLIDE 153

Example: ETCS Case Study (AVACS project)

Simplified version of ETCS Case Study [Jacobs,VS’06, Faber,Jacobs,VS’07]

Update(pos, pos′) :

  • ∀ i (i = 0 → pos(i) + ∆t·min ≤ pos′(i) ≤ pos(i) + ∆t·max)
  • ∀ i (0 < i < n ∧ pos(i − 1) > 0 ∧ pos(i − 1) − pos(i) ≥ l_alarm → pos(i) + ∆t·min ≤ pos′(i) ≤ pos(i) + ∆t·max)
  • ...

SLIDE 154

Example: ETCS Case Study (AVACS project)

Safety property: No collisions
    Safe(pos) : ∀ i, j (i < j → pos(i) > pos(j))

Inductive invariant:
    Init(pos) ⇒ Safe(pos)
    Safe(pos) ∧ Update(pos, pos′) ∧ ¬Safe(pos′) ⊨_{𝒯_S} ⊥
where 𝒯_S is the extension of the (disjoint) combination R ∪ Z with two functions pos, pos′ : Z → R.

Problem: Satisfiability test for quantified formulae in a complex theory
Tests: standard SMT systems (e.g. Yices) often answer “unknown” for satisfiable formulae
Idea: use chains of local theory extensions [Jacobs,VS 2006]

SLIDE 155

Example: ETCS Case Study (AVACS project)

T2 = T1 ∪ Update(pos, pos′)       T2 ∪ ¬Safe(pos′) ⊨ ⊥          (G = ¬Safe(pos′))
          ⇓
T1 = T0 ∪ Safe(pos)               T1 ∪ G′(pos) ⊨ ⊥
          ⇓
T0 = R ∪ Z                        T0 ∪ G′′ ⊨ ⊥, i.e. Φ(c, c_{pos′}, d_{pos}, n, l_alarm, min, max, ∆t) ⊨ ⊥

Method 1: SAT checking / counterexample generation
Method 2: SMT(T0) + Redlog: SAT / quantifier elimination → relationships between the parameters which guarantee safety → system design, optimization, ...

SLIDE 156

Example: List insertion

Initially the list is sorted:  p.next ≠ null → p.prio ≥ p.next.prio
New node c with c.prio = x, c.next = null

for all p ≠ c do
  if p.prio ≤ x then
      if First(p) then c.next′ = p, First′(c), ¬First′(p) endif;
      p.next′ = p.next
  p.prio > x then case
      p.next = null                         then p.next′ := c, c.next′ = null
      p.next ≠ null ∧ p.next.prio > x       then p.next′ = p.next
      p.next ≠ null ∧ p.next.prio ≤ x       then p.next′ = c, c.next′ = p.next

Verification task: After insertion the list remains sorted


SLIDE 160

Example: List insertion

Initially the list is sorted:  ∀ p (p.next ≠ null → p.prio ≥ p.next.prio)

Update(next, next′):
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) ≤ x ∧ First(p) → next′(c) = p ∧ First′(c))
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) ≤ x ∧ First(p) → next′(p) = next(p) ∧ ¬First′(p))
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) ≤ x ∧ ¬First(p) → next′(p) = next(p))
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) > x ∧ next(p) = null → next′(p) = c)
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) > x ∧ next(p) = null → next′(c) = null)
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) > x ∧ next(p) ≠ null ∧ prio(next(p)) > x → next′(p) = next(p))
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) > x ∧ next(p) ≠ null ∧ prio(next(p)) ≤ x → next′(p) = c)
  ∀ p (p ≠ null ∧ p ≠ c ∧ prio(p) > x ∧ next(p) ≠ null ∧ prio(next(p)) ≤ x → next′(c) = next(p))

To check:
  Sorted(next, prio) ∧ Update(next, next′) ∧ p0.next′ ≠ null ∧ ¬(p0.prio ≥ p0.next′.prio) ⊨ ⊥
The extension with Update(next, next′) can be proved to be local.

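The update relation and the Sorted invariant above, executed on concrete finite list models, as an added example (not from the tutorial): insert applies the case analysis of the slides, and check_inductive_step is a bounded version of the proof obligation Sorted ∧ Update ∧ ¬Sorted′ ⊨ ⊥ that enumerates every sorted list over a small priority domain instead of proving it symbolically. The dictionary encoding of next/prio/First, the node names and the priority domain are constructed here, and lists are assumed non-empty.

```python
from itertools import combinations_with_replacement

def insert(next_, prio, first, c, x):
    """Update(next, next') from the slides for the new node c with prio x.
    next_ maps each node to its successor (None = null); first marks the
    First node. Returns (next', First', prio') as plain dicts."""
    n2, f2, pr = dict(next_), {**first, c: False}, {**prio, c: x}
    n2[c] = None                       # c.next = null before the update
    for p in next_:                    # for all p != c
        if pr[p] <= x:
            if first[p]:               # c becomes the new First node
                n2[c], f2[c], f2[p] = p, True, False
            n2[p] = next_[p]
        else:                          # prio(p) > x: three cases on next(p)
            q = next_[p]
            if q is None:
                n2[p], n2[c] = c, None
            elif pr[q] > x:
                n2[p] = q
            else:                      # prio(next(p)) <= x: c goes after p
                n2[p], n2[c] = c, q
    return n2, f2, pr

def is_sorted(next_, prio):
    """Sorted(next, prio): for all p, next(p) != null -> prio(p) >= prio(next(p))."""
    return all(q is None or prio[p] >= prio[q] for p, q in next_.items())

def chain(next_, first):
    """Walk the list from its First node and return the node sequence."""
    (p,) = [n for n, is_first in first.items() if is_first]
    seq = []
    while p is not None:
        seq.append(p)
        p = next_[p]
    return seq

def check_inductive_step(max_len=4, values=(0, 1, 2)):
    """Bounded check of Sorted(next, prio) ∧ Update(next, next') ∧ ¬Sorted(next')
    ⊨ ⊥ over every sorted list of length <= max_len with priorities from
    `values` and every inserted x. Returns the first counterexample
    (prios, x, next') or None if none exists within the bound."""
    for n in range(1, max_len + 1):
        for prios in combinations_with_replacement(sorted(values, reverse=True), n):
            nodes = [f"p{i}" for i in range(n)]       # p0 is First; prios non-increasing
            next_ = {nodes[i]: (nodes[i + 1] if i + 1 < n else None) for i in range(n)}
            prio = dict(zip(nodes, prios))
            first = {p: p == nodes[0] for p in nodes}
            for x in values:
                n2, f2, pr = insert(next_, prio, first, "c", x)
                # the new chain must be sorted and still reach every node exactly once
                if not is_sorted(n2, pr) or sorted(chain(n2, f2)) != sorted(nodes + ["c"]):
                    return prios, x, n2
    return None
```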
SLIDE 161

Example: List insertion

To show:
T2 = T1 ∪ Update(next, next′)     T2 ∪ ¬Sorted(next′) ⊨ ⊥     (G = ¬Sorted(next′))
T1 = T0 ∪ Sorted(next)
T0 = (Lists, next)

SLIDE 162

Example: List insertion

To show:
T2 = T1 ∪ Update(next, next′)     T2 ∪ ¬Sorted(next′) ⊨ ⊥     (G = ¬Sorted(next′))
    Locality:                     T1 ∪ Update(next, next′)[G] ∪ G ⊨ ⊥
    Hierarchical reasoning:       the ground set Update(next, next′)[G] ∪ G is reduced to G′ over T1
T1 = T0 ∪ Sorted(next)            T1 ∪ G′(next) ⊨ ⊥
T0 = (Lists, next)

SLIDE 163

Example: List insertion

To show:
T2 = T1 ∪ Update(next, next′)     T2 ∪ ¬Sorted(next′) ⊨ ⊥     (G = ¬Sorted(next′))
          ⇓
T1 = T0 ∪ Sorted(next)            T1 ∪ G′(next) ⊨ ⊥
          ⇓
T0 = (Lists, next)                T0 ∪ G′′ ⊨ ⊥

SLIDE 164

Verification

  • Automated reasoning
    − full theory
    − abstraction of theory
  • Interpolation
    − use interpolants for refining abstraction
  • Tasks: invariant checking / BMC, model checking, abstraction/refinement, from system specifications to complex theories

SLIDE 165

Knowledge representation

Combine theories with non-disjoint signatures (model-theoretic approach)

  • Combinations of modal logics
  • Combinations of description logics

Lightweight description logics

  • EL: conjunction C1 ⊓ C2 and existential restrictions ∃ r.C = {x | ∃ y (x R y ∧ y ∈ C)}
    Semantics: semilattices + monotone functions → local extensions

SLIDE 166

Conclusions

  • Reasoning in complex theories
    Focus: Modularity (here: test satisfiability of conjunctions of literals; SMT: satisfiability procedures for conjunctions of ground clauses)
    − Simple theories: decidable fragments
    − Combinations of theories (disjoint/non-disjoint signatures)
    − Theory extensions
  • Applications
    − Mathematics
    − Verification
    − Knowledge representation