The Calculus of Computation: Decision Procedures with Applications to Verification
by Aaron Bradley and Zohar Manna, Springer 2007

11. Arrays

(2) Array Property Fragment of T_A

Decidable fragment of T_A that includes ∀ quantifiers: Boolean combinations of quantifier-free T_A-formulae and array properties.

Array property: Σ_A-formula of the form

  ∀i. F[i] → G[i],

where i is a list of variables.

◮ index guard F[i]:

  iguard → iguard ∧ iguard | iguard ∨ iguard | atom
  atom   → var = var | evar ≠ var | var ≠ evar | ⊤
  var    → evar | uvar

  where uvar is any universally quantified index variable, and evar is any constant or unquantified variable.

◮ value constraint G[i]: a universally quantified index can occur in a value constraint G[i] only in a read a[i], where a is an array term. The read cannot be nested; for example, a[b[i]] is not allowed.

Example: Σ_A-formulae

  F : ∀i. i ≠ a[k] → a[i] = a[k]

The antecedent is not a legal index guard since a[k] is not a variable (neither a uvar nor an evar); however, by simple manipulation

  F' : v = a[k] ∧ ∀i. i ≠ v → a[i] = a[k]

Here, i ≠ v is a legal index guard, and a[i] = a[k] is a legal value constraint. F and F' are equisatisfiable.

However, no manipulation works for

  G : ∀i. i ≠ a[i] → a[i] = a[k].

Thus, G is not in the array property fragment.

Remark: The array property fragment allows expressing equality between arrays (extensionality): two arrays are equal precisely when their corresponding elements are equal.

For a given formula

  F : ··· ∧ a = b ∧ ···

with array terms a and b, rewrite F as

  F' : ··· ∧ (∀i. ⊤ → a[i] = b[i]) ∧ ··· .

F and F' are equisatisfiable.

Decision Procedure for Array Property Fragment

The idea of the decision procedure for the array property fragment is to reduce universal quantification to finite conjunction. That is, it constructs a finite set of index terms s.t. examining only these positions of the arrays is sufficient.

Example: Consider

  F : a⟨i ⊳ v⟩ = a ∧ a[i] ≠ v,

which expands to

  F' : ∀j. a⟨i ⊳ v⟩[j] = a[j] ∧ a[i] ≠ v.

Intuitively, to determine that F' is T_A-unsatisfiable requires merely examining index i:

  F'' : ⋀_{j ∈ {i}} a⟨i ⊳ v⟩[j] = a[j] ∧ a[i] ≠ v,

or simply

  a⟨i ⊳ v⟩[i] = a[i] ∧ a[i] ≠ v.

Simplifying, v = a[i] ∧ a[i] ≠ v, it is clear that this formula, and thus F, is T_A-unsatisfiable.

The Algorithm

Given array property formula F, decide its T_A-satisfiability by the following steps:

Step 1
Put F in NNF.

Step 2
Apply the following rule exhaustively to remove writes:

  F[a⟨i ⊳ v⟩]
  ───────────────────────────────────────────────  for fresh a'   (write)
  F[a'] ∧ a'[i] = v ∧ (∀j. j ≠ i → a[j] = a'[j])

After an application of the rule, the resulting formula contains at least one fewer write term than the given formula.

Step 3
Apply the following rule exhaustively to remove existential quantification:

  F[∃i. G[i]]
  ───────────  for fresh j   (exists)
  F[G[j]]

Existential quantification can arise during Step 1 if the given formula has a negated array property.

Steps 4-6 accomplish the reduction of universal quantification to finite conjunction. Main idea: select a set of symbolic index terms on which to instantiate all universal quantifiers. The set is sufficient for correctness.

Step 4
From the output F_3 of Step 3, construct the index set I:

  I = {λ}
      ∪ {t : ·[t] ∈ F_3 such that t is not a universally quantified variable}
      ∪ {t : t occurs as an evar in the parsing of index guards}

This index set is the finite set of indices that need to be examined. It includes

◮ all terms t that occur in some read a[t] anywhere in F (unless t is a universally quantified variable);
◮ all terms t (constant or unquantified variable) that are compared to a universally quantified variable in some index guard;
◮ λ, a fresh constant that represents all other index positions that are not explicitly in I.

Step 5 (Key step)
Apply the following rule exhaustively to remove universal quantification:

  H[∀i. F[i] → G[i]]
  ─────────────────────────────   (forall)
  H[⋀_{i ∈ I^n} F[i] → G[i]]

where n is the size of the list of quantified variables i.

Step 6
From the output F_5 of Step 5, construct

  F_6 : F_5 ∧ ⋀_{i ∈ I \ {λ}} λ ≠ i.

The new conjuncts assert that the variable λ introduced in Step 4 is indeed unique.

Step 7
Decide the T_A-satisfiability of F_6 using the decision procedure for the quantifier-free fragment.

Example: Consider the array property formula

  F : a⟨ℓ ⊳ v⟩[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ (∀i. i ≠ ℓ → a[i] = b[i])

whose last conjunct is the array property. The index guard is i ≠ ℓ and the value constraint is a[i] = b[i]. F is already in NNF. By Step 2, rewrite F as

  F_2 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ (∀i. i ≠ ℓ → a[i] = b[i])
        ∧ a'[ℓ] = v ∧ (∀j. j ≠ ℓ → a[j] = a'[j])

F_2 does not contain any existential quantifiers. Its index set is

  I = {λ} ∪ {k} ∪ {ℓ} = {λ, k, ℓ}.

Thus, by Step 5, replace universal quantification:

  F_5 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ ⋀_{i ∈ I} (i ≠ ℓ → a[i] = b[i])
        ∧ a'[ℓ] = v ∧ ⋀_{j ∈ I} (j ≠ ℓ → a[j] = a'[j])

Step 6 distinguishes λ from the other members of I:

  F_6 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ ⋀_{i ∈ I} (i ≠ ℓ → a[i] = b[i])
        ∧ a'[ℓ] = v ∧ ⋀_{j ∈ I} (j ≠ ℓ → a[j] = a'[j])
        ∧ λ ≠ k ∧ λ ≠ ℓ

Expanding the conjunctions over I produces

  F'_5 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
         ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k]) ∧ (ℓ ≠ ℓ → a[ℓ] = b[ℓ])
         ∧ a'[ℓ] = v
         ∧ (λ ≠ ℓ → a[λ] = a'[λ]) ∧ (k ≠ ℓ → a[k] = a'[k]) ∧ (ℓ ≠ ℓ → a[ℓ] = a'[ℓ])

Simplifying (the conjuncts guarded by ℓ ≠ ℓ are trivially true) produces

  F''_5 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
          ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k])
          ∧ a'[ℓ] = v
          ∧ (λ ≠ ℓ → a[λ] = a'[λ]) ∧ (k ≠ ℓ → a[k] = a'[k])

With the Step 6 conjuncts this gives

  F'_6 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
         ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k])
         ∧ a'[ℓ] = v
         ∧ (λ ≠ ℓ → a[λ] = a'[λ]) ∧ (k ≠ ℓ → a[k] = a'[k])
         ∧ λ ≠ k ∧ λ ≠ ℓ

Simplifying (λ ≠ ℓ discharges the guards on λ),

  F'_6 : a'[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
         ∧ a[λ] = b[λ] ∧ (k ≠ ℓ → a[k] = b[k])
         ∧ a'[ℓ] = v
         ∧ a[λ] = a'[λ] ∧ (k ≠ ℓ → a[k] = a'[k])
         ∧ λ ≠ k ∧ λ ≠ ℓ

There are two cases to consider.

◮ If k = ℓ, then a'[ℓ] = v and a'[k] = b[k] imply b[k] = v, yet b[k] ≠ v.
◮ If k ≠ ℓ, then a[k] = v and a[k] = b[k] imply b[k] = v, but again b[k] ≠ v.

Hence, F'_6 is T_A-unsatisfiable, indicating that F is T_A-unsatisfiable.
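Steps 4 to 6 of the procedure, run on the page's F_2, as an added Python example (not code from the book). Formulas are nested tuples ('eq', t, u), ('neq', t, u), ('imp', F, G), ('and', F1, ..., Fn) and ('forall', (i, ...), ('imp', guard, value)); terms are variable names or reads ('rd', array, index). The tuple encoding, the constant LAM for λ, and the names a1 for a' and l for ℓ are my own assumptions.

```python
from itertools import product
LAM = 'lambda'   # the fresh constant λ of Step 4: all index positions not named in I

def subst(f, m):  # replace free variables per mapping m, respecting quantifier scope
    if isinstance(f, str):
        return m.get(f, f)
    if f[0] == 'forall':
        inner = {k: v for k, v in m.items() if k not in f[1]}
        return ('forall', f[1], subst(f[2], inner))
    return (f[0],) + tuple(subst(x, m) for x in f[1:])

def free_vars(f, bound):  # variables of f that are not universally bound (evars)
    if isinstance(f, str):
        return set() if f in bound else {f}
    return set().union(*(free_vars(x, bound) for x in f[1:]))

def index_set(f, bound=frozenset()):
    """Step 4: read indices that are not uvars, plus evars of index guards."""
    if isinstance(f, str):
        return set()
    if f[0] == 'rd':  # a[t]: t is an index term unless it is a uvar
        return ({f[2]} - bound) | index_set(f[2], bound)
    if f[0] == 'forall':  # body is ('imp', guard, value)
        b = bound | frozenset(f[1])
        return free_vars(f[2][1], b) | index_set(f[2][2], b)
    return set().union(*(index_set(x, bound) for x in f[1:]))

def instantiate(f, I):
    """Step 5: ∀i. F[i] → G[i] becomes the conjunction over all i in I^n."""
    if isinstance(f, str):
        return f
    if f[0] == 'forall':
        insts = [subst(f[2], dict(zip(f[1], v)))
                 for v in product(sorted(I, key=str), repeat=len(f[1]))]
        return ('and',) + tuple(instantiate(g, I) for g in insts)
    return (f[0],) + tuple(instantiate(x, I) for x in f[1:])

def reduce_quantifiers(f3):
    """Steps 4-6: from F_3 produce the index set I and quantifier-free F_6."""
    I = {LAM} | index_set(f3)
    f5 = instantiate(f3, I)
    distinct = tuple(('neq', LAM, t) for t in sorted(I - {LAM}, key=str))  # Step 6
    return I, ('and', f5) + distinct

# The page's F_2; a1 is the fresh array a' that Step 2 introduced for the write.
F2 = ('and', ('eq', ('rd', 'a1', 'k'), ('rd', 'b', 'k')), ('neq', ('rd', 'b', 'k'), 'v'),
      ('eq', ('rd', 'a', 'k'), 'v'),
      ('forall', ('i',), ('imp', ('neq', 'i', 'l'), ('eq', ('rd', 'a', 'i'), ('rd', 'b', 'i')))),
      ('eq', ('rd', 'a1', 'l'), 'v'),
      ('forall', ('j',), ('imp', ('neq', 'j', 'l'), ('eq', ('rd', 'a', 'j'), ('rd', 'a1', 'j')))))
```

`reduce_quantifiers(F2)` returns I = {λ, k, ℓ} and a quantifier-free F_6 whose last two conjuncts are λ ≠ k and λ ≠ ℓ; the instantiation generalizes to index guards over several quantified variables (I^n).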

(3) Theory of Integer-Indexed Arrays T_Z^A

≤ enables reasoning about subarrays and properties such as "subarray is sorted" or "subarray is partitioned".

signature of T_Z^A: Σ_Z^A = Σ_A ∪ Σ_Z
axioms of T_Z^A: both the axioms of T_A and the axioms of T_Z

Array property: Σ_Z^A-formula of the form

  ∀i. F[i] → G[i],

where i is a list of integer variables.

◮ F[i] index guard:

  iguard → iguard ∧ iguard | iguard ∨ iguard | atom
  atom   → expr ≤ expr | expr = expr
  expr   → uvar | pexpr
  pexpr  → pexpr'
  pexpr' → Z | Z · evar | pexpr' + pexpr'

  where uvar is any universally quantified integer variable, and evar is any existentially quantified or free integer variable.

◮ G[i] value constraint: any occurrence of a quantified index variable i must be as a read into an array, a[i], for array term a. Array reads may not be nested; e.g., a[b[i]] is not allowed.

The array property fragment of T_Z^A consists of formulae that are Boolean combinations of quantifier-free Σ_Z^A-formulae and array properties.

A Decision Procedure

The idea again is to reduce universal quantification to finite conjunction. Given F from the array property fragment of T_Z^A, decide its T_Z^A-satisfiability as follows:

Step 1
Put F in NNF.

Step 2
Apply the following rule exhaustively to remove writes:

  F[a⟨i ⊳ e⟩]
  ───────────────────────────────────────────────  for fresh a'   (write)
  F[a'] ∧ a'[i] = e ∧ (∀j. j ≠ i → a[j] = a'[j])

To meet the syntactic requirements on an index guard, rewrite the third conjunct as

  ∀j. j ≤ i − 1 ∨ i + 1 ≤ j → a[j] = a'[j].

Step 3
Apply the following rule exhaustively to remove existential quantification:

  F[∃i. G[i]]
  ───────────  for fresh j   (exists)
  F[G[j]]

Existential quantification can arise during Step 1 if the given formula has a negated array property.

Step 4
From the output of Step 3, F_3, construct the index set I:

  I = {t : ·[t] ∈ F_3 such that t is not a universally quantified variable}
      ∪ {t : t occurs as a pexpr in the parsing of index guards}

If I = ∅, then let I = {0}. The index set contains all relevant symbolic indices that occur in F_3.
