Thesis Proposal - PowerPoint PPT Presentation

Title: Thesis Proposal
Slides: 62
Provided by: shuv4

Transcript and Presenter's Notes

1
Part 1 Positive Equality for Uninterpreted
functions in Eager Encoding
2
Eliminating Function applications
  • Two applications of an uninterpreted function f
    in a formula
  • f(x1) and f(x2)

3
Positive Equality Optimization
  • Goal
  • Replace as many of the vfi variables with
    constant values
  • Exploit the positive structure of the formula
  • Overall Benefit
  • The function-free formula has a smaller number of
    integer variables
  • Reduces the number of interpretations to check
    for validity

4
Eliminating Function applications
  • Two applications of an uninterpreted function f
    in a formula
  • f(x1) and f(x2)

Favors positive equality analysis
5
EUF
  • Logic of Equality with Uninterpreted Functions
  • Terms
  • ITE(F, T1, T2) If-then-else
  • f(T1, …, Tk) Function application
  • Formulas
  • ¬F, F1 ∧ F2, F1 ∨ F2 Boolean connectives
  • T1 = T2 Equation
  • p(T1, …, Tk) Predicate application
  • Special Cases
  • v Domain variable (order-0 function)
  • a Propositional variable (order-0 predicate)

6
EUF and small-model property
  • Small Model Property for Validity [Ackermann 54]
  • Suffices to consider a domain with k values
  • k is the number of distinct function application
    terms in the formula
  • Number of cases (interpretations) to check: k!

7
Positive Equality for EUF
[Bryant, German, Velev CAV99]
  • Classify formulas, terms, functions into
  • Positive (p)
  • General (g)
  • Positive (p) formulas
  • Negated even no. of times
  • Do not control ITE
  • Positive (p) terms
  • Never appear in a g-formula equation
  • Positive (p) function symbols
  • All applications are p-terms

8
Maximally Diverse Interpretations
  • An interpretation I is maximally diverse if
  • For any p-function symbol f
  • I⟦f(T1)⟧ = I⟦f(T2)⟧ iff I⟦T1⟧ = I⟦T2⟧
  • I⟦f(T)⟧ ≠ I⟦g(U)⟧, for any other function
    symbol g
  • where f(T1), f(T2), g(U) are terms in the
    formula

Terms          Equal?
x = y          Potentially
g(x) = g(y)    Only if x = y
g(x) = y       No
9
Maximally Diverse Interpretations
  • An interpretation I is maximally diverse if
  • For any p-function symbol f
  • I⟦f(T1)⟧ = I⟦f(T2)⟧ iff I⟦T1⟧ = I⟦T2⟧
  • I⟦f(T1)⟧ ≠ I⟦g(U)⟧, for any other function
    symbol g
  • where f(T1), f(T2), g(U) are terms in the
    formula
  • Property
  • Formula valid if and only if true under all
    maximally diverse interpretations

10
Justification of Maximal Diversity Property
  • For a formula F
  • For any interpretation I, there is a maximally
    diverse interpretation J, such that J⟦F⟧ ⇒ I⟦F⟧

11
Exploiting Positive Equality
  • Property
  • P-function symbol f
  • Introduce variables vf1, …, vfn during
    elimination
  • Consider only diverse interpretations for
    variables vf1, …, vfn
  • vfi ≠ v for any other variable v
  • Example
  • Assuming vf1 ≠ vf2

(Figure: elimination of the two applications f(x1) and f(x2))
12
Summary Positive equality optimization
  • Eliminate function applications
  • Introduce vf1, …, vfn while eliminating function
    symbol f
  • For a p-function symbol f
  • Replace vf1, …, vfn with distinct constants
  • The only variables in the function-free formula
    are the vfi variables for g function symbols
  • m = number of g-function applications

13
Positive Equality for EUF
General (g) functions: x, y
Positive functions: f, g
  • Property
  • Number of interpretations to consider: m!
  • m = number of g-function applications

Formula: ¬(x = y) ∨ (f(g(x)) = f(g(y)))
(Figure: term graph of the formula)
14
Positive Equality for EUF
General (g) functions: x, y
Positive functions: f, g
  • Property
  • Number of interpretations to consider: m!
  • m = number of g-function applications

m = 2
¬(x = y) ∨ (f(g(x)) = f(g(y)))
Search Space reduced from 6! to 2!
15
Application of positive equality
  • Pipelined processor verification
  • [Bryant, German and Velev CAV99], [Velev and Bryant
    DAC00], …
  • Observation: most uninterpreted functions which
    appear in the pipeline data-path are p-functions
  • E.g. ALU, incrementer for PC, …
  • Other infinite-state system verification
  • [Bryant, Lahiri, Seshia CAV02]
  • Improves efficiency in benchmarks from
    cache-coherence verification, out-of-order
    processors, software benchmarks

16
Impact of Positive Equality
Positive equality can be exploited to improve
performance
[Bryant, Lahiri, Seshia CAV02]
17
Ackermann's encoding and positive equality
  • Two applications of an uninterpreted function f
    in a formula
  • f(x1) and f(x2)
  • Can't assign distinct values to vf1, vf2 for
    p-function symbol f
  • Ignores the case when x1 = x2

18
Limitation of positive equality analysis
Positive functions:
General functions: x, f
  • Limitation of previous approach
  • Not robust
  • Entire analysis fails even when a single
    application is negative

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula)
19
Robust Positive Equality Analysis
Positive functions:
General functions: x, f
  • Look at each application instead of function
    symbols
  • Finer granularity for exploiting positive
    equality
  • [Lahiri, Bryant, Goel, Talupur TACAS04]

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula)
20
Robust Positive Equality Analysis
  • Goal
  • If a variable vfi is a result of eliminating a
    p-term, then try to assign it a distinct constant
  • Question
  • Can we always assign the vfi variables for any
    p-term a distinct value?
  • Not always
  • Can we compute the set of p-terms that maximizes
    the number of vfi variables that can be assigned
    distinct values?
  • In general, NP-complete

21
Outline
  • Robust positive equality
  • Robust maximal diversity theorem
  • Exploiting robust positive equality
  • Obstacles
  • Solutions
  • Results
  • Related work

22
Robust Maximal Diversity
  • For an interpretation I
  • A p-term f(T) is called g-arg-distinct if
    there is no g-term f(U) such that I⟦T⟧ = I⟦U⟧.
  • An interpretation I is robust maximally diverse
    if
  • For every g-arg-distinct p-term f(T1),
  • I⟦f(T1)⟧ = I⟦f(T2)⟧ iff I⟦T1⟧ = I⟦T2⟧
  • I⟦f(T)⟧ ≠ I⟦g(U)⟧, for any other function
    symbol g
  • where f(T1), f(T2), g(U) are terms in the
    formula

23
Example
I: {x, f²(x), f⁴(x)}, {f(x), f³(x)}  (terms grouped by equal value under I)
  • For an interpretation I
  • A p-term f(T) is called g-arg-distinct if
    there is no g-term f(U) such that
  • I⟦T⟧ = I⟦U⟧.
  • An interpretation I is robust maximally diverse
    if
  • For every g-arg-distinct p-term f(T1),
  • I⟦f(T1)⟧ = I⟦f(T2)⟧ iff I⟦T1⟧ = I⟦T2⟧
  • I⟦f(T)⟧ ≠ I⟦g(U)⟧, for any other function
    symbol g
  • where f(T1), f(T2), g(U) are terms in the
    formula

Non robust-maximally diverse interpretation
Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula, with one f node labelled P-term and one labelled G-term)
24
Robust Maximal Diversity Theorem
  • Theorem
  • Formula valid if and only if true under all
    robust maximally diverse interpretations
  • Generalization of positive equality
  • Any robust-maximally diverse interpretation is a
    maximally diverse interpretation
  • The subset inclusion can be proper
  • Consequence
  • Fewer interpretations to consider to check
    validity

25
Exploiting Robust Positive Equality
  • Function applications f(x1), …, f(xn)
  • Introduce variables vf1, …, vfn during elimination
  • Value of vfi = value of f(xi)
  • when xi does not equal x1, …, xi-1
  • i.e. when f(xi) is g-arg-distinct
  • By the robust maximal diversity theorem
  • Assign a distinct constant to vfi, when i > l

26
What we need
  • Eliminate the g-terms as early as possible
  • Constrained by the sub-expression ordering
  • e.g. f(x) has to be eliminated before
    eliminating f(f (x))
  • Need the best topological order
  • Respects the sub-expression orderings
  • Maximizes the number of vf variables that can be
    assigned distinct constant value
  • Need to define this objective function precisely

27
Function elimination and topological order
  • Requires a topological order on the terms
  • Respects the sub-expression order
  • Eliminate functions from sub-terms first
  • Example order
  • x, f(x), f²(x), f³(x), f⁴(x)
  • Only order for this example

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula)
28
Function elimination and topological order
  • vf variables for every p-term can't be assigned
    distinct values
  • P-terms that are subterms of a g-term with the
    same function.
  • Example order
  • x, f(x), f²(x), f³(x), f⁴(x)
  • Only order for this example

Formula: ¬(f(f(x)) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula; f(x) always precedes the g-term f²(x))
29
Topological ordering and the p-terms
  • Topological order <
  • Pos<(f)
  • Set of p-terms of f which do not precede any
    g-terms of f in <
  • Pos< = ∪f Pos<(f)

30
Topological ordering Example 1
  • Topological order <
  • Pos<(f)
  • Set of p-terms of f which do not precede any
    g-terms of f in <
  • Pos< = ∪f Pos<(f)

  • Example
  • x < f(x) < f²(x) < f³(x) < f⁴(x)
  • Pos< = {f²(x), f³(x), f⁴(x)}

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula)
31
Topological ordering
  • Property
  • The vfi variables which result when eliminating
    terms in Pos< can be assigned distinct constant
    values
  • Goal
  • Find the topological order < that maximizes
    the size of Pos<
  • Topological order <
  • Pos<(f)
  • Set of p-terms of f which do not precede any
    g-terms of f in <
  • Pos< = ∪f Pos<(f)

32
Finding the best topological ordering
  • With multiple non-zero arity function symbols
  • Best order may not be best for each symbol
  • Example
  • 3 topological orders on terms
  • x < g(x) < f(g(x)) < f(x) < g(f(x))
  • x < f(x) < g(f(x)) < g(x) < f(g(x))
  • x < g(x) < f(x) < g(f(x)) < f(g(x))

33
Obtaining best topological order
  • Complexity
  • NP-complete
  • Polynomial when only 1 non-zero arity function
    symbol
  • Reduction from the maximum independent set
    problem
  • Greedy heuristic to find a good order
  • Assign higher priorities to p-terms of functions
    with greater number of potential terms in Pos<
  • Finds the optimal order for most of the examples
    we have seen so far.

34
Sample Results
  • Implemented in UCLID decision procedure
  • With zChaff SAT-solver
  • Code Validation Benchmarks
  • [Pnueli, Rodeh, Strichman, Siegel CAV99]

35
Observations
  • Robust positive equality improves efficiency
  • Useful in practice
  • Small overhead (5%) over positive equality
    analysis
  • Efficient implementation can further reduce this
    overhead
  • Seldom affects total time when translation time
    to SAT is a small fraction of the overall time

36
Related work
  • [Pnueli, Rodeh, Strichman and Siegel CAV99]
  • Removes function applications by Ackermann's
    reduction
  • Range allocation for the resultant formula
  • Assigns smaller ranges for g-terms
  • [Rodeh and Strichman CAV01]
  • Uses Bryant, German and Velev's function
    elimination method + range allocation
  • Has similarities and differences with our work

37
Conclusions
  • Positive Equality
  • Simplifies function-free formula by reducing the
    number of variables in the formula
  • Robust Positive Equality
  • Generalization of positive equality
  • Improves applicability for more general
    benchmarks
  • Can be extended for CLU logic
  • T1 < T2 + c [BLS02], [Lahiri MS Thesis]
  • Can we generalize it for linear arithmetic + EUF?

38
Questions
39
Decision Procedure Benchmarking
  • Compared against Stanford Validity Checker (SVC)
  • and its successor CVC (which uses Chaff)
  • Decides CLU + real linear arith. + bit-vector
    arith.
  • UCLID uses Chaff for Boolean SAT
  • UCLID time = translation time + Chaff time

40
Impact of Positive Equality
Positive equality can be exploited to improve
performance
41
Exploiting Positive Equality
  • Property
  • P-function symbol f
  • Introduce variables vf1, …, vfn during
    elimination
  • Consider only diverse interpretations for
    variables vf1, …, vfn
  • vfi ≠ v for any other variable v
  • Example
  • Assuming vf1 ≠ vf2

42
Compare Ackermann's Method
  • Replacing Application
  • Introduce new domain variable
  • Enforce functional consistency by global
    constraints
  • Unclear how to generate diverse interpretations

43
Decision Procedures in Verification
  • Work-horse for many automated verification
    methodologies
  • Processor and Protocol verification
  • Pipelined processor verification
  • [Burch and Dill CAV94], [Bryant, German and Velev
    CAV99], …
  • Out-of-order processor and cache coherence
    verification
  • [Lahiri, Seshia and Bryant FMCAD02], [Bryant, Lahiri
    and Seshia CAV02]
  • Predicate abstraction
  • Software verification
  • SLAM (MSR), BLAST (Berkeley), MAGIC (CMU), …
  • Protocol verification
  • [Das, Dill and Park CAV99], …

44
Decision Procedures for quantifier-free fragment
of first-order logic
  • Principal theories
  • Logic of equality with uninterpreted functions
  • f(x) = f(g(y))
  • Linear arithmetic
  • Difference-bound logic subset (T1 < T2 + c)
  • Full linear arithmetic
  • Arrays
  • read and write operations
  • Tools
  • SVC/CVC from Stanford (FMCAD96, CAV02, CAV04)
  • UCLID from CMU (CAV02, CAV04)
  • ICS from SRI (CAV 01)
  • Simplify/Verifun from HP (CAV 03)
  • Zapato from Microsoft (CAV 04)

45
Revisiting Positive Equality
Shuvendu K. Lahiri, Randal E. Bryant, Amit Goel, Muralidhar Talupur
Carnegie Mellon University
46
Conclusions
  • Generalization of Bryant et al.'s positive
    equality analysis
  • Subsumes original positive equality
  • Exploiting robust positive equality in a decision
    procedure
  • Problems and heuristics
  • Future Work
  • Integrate smaller range-allocation for the
    g-terms
  • [Pnueli et al. CAV99], [Talupur et al. CAV04]

47
Positive Equality for EUF
General (g) functions: x, y
Positive functions: f, g
  • Split the set of terms into
  • p-terms
  • Function applications of p-functions
  • g-terms
  • Function applications of g-functions

Formula: ¬(x = y) ∨ (f(g(x)) = f(g(y)))
(Figure: term graph of the formula)
48
Definition
  • P-term
  • Term which never appears in equations that are
    g-formulas
  • G-term
  • Term which appears at least once in an equation
    that is a g-formula

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula, with its p-terms and g-terms labelled)
49
Eliminating Function Applications
  • [Bryant, German and Velev CAV99]
  • Replacing Application
  • Introduce new domain variable
  • Nested ITE structure maintains functional
    consistency

50
Robust maximally diverse interpretations
I: x ↦ 0, f(0) ↦ 1, f(1) ↦ 0, …
  • P-term h(T1, …, Tn)
  • If args. do not equal the args. of any g-term
    h(U1, …, Un), then
  • Can only equal other h application terms with
    equal arguments
  • Property
  • Formula valid if and only if true under all
    robust maximally diverse interpretations

Non robust-maximally diverse interpretation
Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula, with one f node labelled P-term and one labelled G-term)
51
Heuristic for obtaining topological order
  • Potentially positive terms for a function f
  • The p-terms of f that are not sub-terms of any
    g-term of f
  • Steps
  • Sort the function symbols by the number of
    potentially positive terms
  • For each function f in sorted order
  • Put all the g-terms of f (and their subterms) in
    the topological order
  • Put all the remaining p-terms in the topological
    order

52
Heuristic for obtaining topological order
  • Potentially positive terms for a function f
  • The p-terms of f that are not sub-terms of any
    g-term of f
  • Steps
  • Sort the function symbols by the number of
    potentially positive terms
  • For each function f in sorted order
  • Put all the g-terms of f (and their subterms) in
    the topological order
  • Put all the remaining p-terms in the topological
    order
  • Sort the functions
  • f, g, x
  • Put the g-terms for f
  • x < g(x) < f(g(x))
  • Put the g-terms for g
  • f(x) < f(f(x)) < g(f(f(x)))
  • Put the g-terms for x
  • Already present

Formula: ¬(f(g(x)) = g(f(f(x))))
(Figure: term graph of the formula)
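The Pos< definition from the topological-ordering slides and the greedy heuristic walked through on this slide, as an added worked example in Python (not code from the slides or from UCLID). Terms are nested tuples, the p-term/g-term classification is given as input rather than derived from formula polarity, and the term list is assumed to be exactly the terms of ¬(f(g(x)) = g(f(f(x)))):

```python
# Added example (not from the slides): Pos< for a given topological order, plus the
# slides' greedy ordering heuristic, on a term DAG whose g-terms are given as input.
# Terms are nested tuples: ('x',) is the variable x, ('f', ('x',)) is f(x).

def sym(t):
    """Function symbol at the root of term t (variables are order-0 symbols)."""
    return t[0]

def subterms(t):
    """All subterms of t including t itself, innermost first (a sub-expression order)."""
    out = []
    for arg in t[1:]:
        for s in subterms(arg):
            if s not in out:
                out.append(s)
    out.append(t)
    return out

def pos_lt(order, gterms):
    """Pos< = union over f of the p-terms of f that precede no g-term of f in `order`."""
    pos = set()
    for i, t in enumerate(order):
        if t in gterms:
            continue
        if not any(u in gterms and sym(u) == sym(t) for u in order[i + 1:]):
            pos.add(t)
    return pos

def potentially_positive(f, terms, gterms):
    """P-terms of f that are not sub-terms of any g-term of f (slide definition)."""
    g_subs = {s for g in gterms if sym(g) == f for s in subterms(g)}
    return [t for t in terms if sym(t) == f and t not in gterms and t not in g_subs]

def greedy_order(terms, gterms):
    """Greedy heuristic from the slides: sort symbols by number of potentially positive
    terms; for each symbol place its g-terms (with subterms); then the remaining p-terms."""
    symbols = sorted(sorted({sym(t) for t in terms}),
                     key=lambda f: -len(potentially_positive(f, terms, gterms)))
    order = []
    def place(t):
        for s in subterms(t):      # subterms first keeps the sub-expression order
            if s not in order:
                order.append(s)
    for f in symbols:
        for g in gterms:
            if sym(g) == f:
                place(g)
    for t in terms:                # remaining p-terms come after every g-term
        place(t)
    return order

# Constructed input: the slide's formula ¬(f(g(x)) = g(f(f(x)))), whose g-terms are
# the two sides of the negated equation, f(g(x)) and g(f(f(x))).
X = ('x',)
FX, FFX, GX = ('f', X), ('f', ('f', X)), ('g', X)
F_GX, G_FFX = ('f', GX), ('g', FFX)
TERMS = [X, FX, FFX, GX, F_GX, G_FFX]
GTERMS = [F_GX, G_FFX]

if __name__ == "__main__":
    order = greedy_order(TERMS, GTERMS)
    print(order)                  # x < g(x) < f(g(x)) < f(x) < f(f(x)) < g(f(f(x)))
    print(pos_lt(order, GTERMS))  # {x, f(x), f(f(x))}: three vf variables become constants
```

The same `pos_lt` reproduces the earlier slides' examples: with g-terms x and f(x) the only order on x, f(x), …, f⁴(x) gives Pos< = {f²(x), f³(x), f⁴(x)}, and with g-terms x and f²(x) it gives {f³(x), f⁴(x)}.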
53
Definitions
I: x ↦ 0, f(0) ↦ 1, f(1) ↦ 0, …
  • Interpretation I
  • Assigns a value to all the functions appearing in
    a formula
  • I(f) = function associated with the symbol f
  • Evaluation
  • I⟦e⟧ evaluates e w.r.t. the interpretation I
  • Defined inductively on the structure of e

Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula annotated with the value of each node under I: 0/1 for terms, true/false for formulas)
54
Topological ordering Example 2
  • Topological order <
  • T<(f)
  • Set of p-terms of f which do not precede any
    g-terms of f in <
  • T< = ∪f T<(f)

  • Example
  • x < f(x) < f²(x) < f³(x) < f⁴(x)
  • T< = {f³(x), f⁴(x)}

Formula: ¬(f(f(x)) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula; f(x) always precedes the g-term f²(x))
55
Results
  • Implemented in UCLID decision procedure
  • With zChaff SAT-solver
  • Code Validation Benchmarks
  • [Pnueli, Rodeh, Strichman, Siegel CAV99]

T = union of the sets of potentially positive
terms for each function
56
Topological ordering Example 2
  • Topological order <
  • Pos<(f)
  • Set of p-terms of f which do not precede any
    g-terms of f in <
  • Pos< = ∪f Pos<(f)

  • Example
  • x < f(x) < f²(x) < f³(x) < f⁴(x)
  • Pos< = {f³(x), f⁴(x)}

Formula: ¬(f(f(x)) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula; f(x) always precedes the g-term f²(x))
57
Finding the best topological ordering
  • With multiple non-zero arity function symbols
  • Best order may not be best for each symbol
  • Example
  • 3 topological orders on terms
  • x < g(x) < f(g(x)) < f(x) < g(f(x))
  • x < f(x) < g(f(x)) < g(x) < f(g(x))
  • x < g(x) < f(x) < g(f(x)) < f(g(x))

Formula: ¬(f(g(x)) = g(f(x)))
(Figure: term graph of the formula; Pos< under the three orders above is {x, f(x)}, {x, g(x)} and {x} respectively)
58
Relevant papers
  • Exploiting positive equality in a logic of
    equality with uninterpreted functions
  • [Bryant, German and Velev, CAV99]
  • Revisiting Positive Equality
  • [Lahiri, Bryant, Goel and Talupur, TACAS04]
  • Generalization of positive equality

59
Maximally Diverse Interpretations
  • P-Function Symbols
  • Equal results only for equal arguments
  • Doesn't equal application of any other function
    symbol
  • G-Function Symbols
  • Potentially yield equal results for unequal
    arguments
  • Property
  • Formula valid if and only if true under all
    maximally diverse interpretations

Terms          Equal?
x = y          Potentially
g(x) = g(y)    Only if x = y
g(x) = y       No
60
Robust maximally diverse interpretations
  • For every p-term h(T1, …, Tn)
  • If args. do not equal the args. of any g-term
    h(U1, …, Un), then
  • Can only equal other h application terms with
    equal arguments
  • Property
  • Formula valid if and only if true under all
    robust maximally diverse interpretations

61
Robust maximally diverse interpretations
I: {x, f²(x)}, {f(x), f³(x)}  (terms grouped by equal value under I)
  • P-term h(T1, …, Tn)
  • If args. do not equal the args. of any g-term
    h(U1, …, Un), then
  • Can only equal other h application terms with
    equal arguments
  • Property
  • Formula valid if and only if true under all
    robust maximally diverse interpretations

Non robust-maximally diverse interpretation
Formula: ¬(f(x) = x) ∨ (f(f(f(f(x)))) = f(f(f(x))))
(Figure: term graph of the formula, with one f node labelled P-term and one labelled G-term)