Solvers: Equality and Arrays Lecture 4 2012

Solvers: Equality and Arrays

Lecture 4 2012

Nikolaj Bjørner Microsoft ResearchDTU Winter course January 5th 2012

PlanThe theory of Un-interpreted functions

The Theory of Arrays

Key Takeaways:

Theory of equality, un-interpreted functions and arrays

Saturation-based decision proceduresA common patternConnections with algorithms used in program analysis

Inference rule formulationDatalog formulation

A reduction approach to decision proceduresThe theory of array reduces to theory of equalities/functions

Deciding Equality

E - The theory of equalityReflexivity: t = t

Symmetry: t = s s = t

Transitivity: t = s s= u t = u

Congruence: t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)

E – the (infinite) conjunction of these axioms

Congruence Closure

E-satisfiability can be decided with a simple algorithm known as congruence closure.

Congruence closure creates a finite quotient for DC(E + L).

E – Equality axiomsL – Literals: extra equalities in input

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a b c d e s t

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a b c d e s t

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

c d e s ta,b

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

c d e s ta,b

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

d e s ta,b,c

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

d e s ta,b,c

d,e

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

s ta,b,c

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

s ta,b,c d,e

a,b,c,s

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

td,e

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

td,ea,b,c,s

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b,c,s d,e,t

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b,c,s d,e,t

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b,c,s d,e,t

Unsatisfiable

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e

a,b,c,s d,e,t

Model construction

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e

a,b,c,s d,e,t

Model construction|M| = {1 ,2} (universe, aka domain)

1 2

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e

a,b,c,s d,e,t

Model construction|M| = {1 ,2} (universe, aka domain)

M(a) = 1 (assignment)

1 2

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e

a,b,c,s d,e,t

Model construction|M| = {1 ,2} (universe, aka domain)

M(a) = 1 (assignment)

1 2

Alternative notation:aM = 1

Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e

a,b,c,s d,e,t

Model construction|M| = {1 ,2} (universe, aka domain)

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

1 2

Deciding Equality:Termination, Soundness, Completeness

Termination: easySoundness

Invariant: all constants in a “ball” are known to be equal.The “ball” merge operation is justified by:

Transitivity and Symmetry rules.Completeness

We can build a model if an inconsistency was not detected.Proof template (by contradiction):

Build a candidate model.Assume a literal was not satisfied.Find contradiction.

Deciding Equality:Termination, Soundness, Completeness

CompletenessWe can build a model if an inconsistency was not detected.Instantiating the template for our procedure:

Assume some literal c = d is not satisfied by our model.That is, M(c) ≠ M(d).This is impossible, c and d must be in the same “ball”.

c,d,…i

M(c) = M(d) = i

Deciding Equality:Termination, Soundness, Completeness

CompletenessWe can build a model if an inconsistency was not detected.Instantiating the template for our procedure:

Assume some literal c ≠ d is not satisfied by our model.That is, M(c) = M(d).Key property: we only check the disequalities after we processed all equalities.This is impossible, c and d must be in the different “balls”

c,… M(c) = i

M(d) = j

i

d,…j

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))v1 g(d)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))v1 g(d)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)v1 g(d), v2 g(e)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)v1 g(d), v2 g(e)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 f(b, v2)v1 g(d), v2 g(e), v3 f(a, v1)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 f(b, v2)v1 g(d), v2 g(e), v3 f(a, v1)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

First Step: “Naming” subterms

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a,b,c,s d,e,t v1 v2 v3 v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

d = e implies g(d) = g(e)

a,b,c,s d,e,t v1 v2 v3 v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

d = e implies v1 = v2

a,b,c,s d,e,t v1 v2 v3 v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

d = e implies v1 = v2

a,b,c,s d,e,t v1,v2 v3 v4

We say:v1 and v2 are congruent.

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b, v1 = v2 implies f(a, v1) = f(b, v2)

a,b,c,s d,e,t v1,v2 v3 v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b, v1 = v2 implies v3 = v4

a,b,c,s d,e,t v1,v2 v3 v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b, v1 = v2 implies v3 = v4

a,b,c,s d,e,t v1,v2 v3,v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a,b,c,s d,e,t v1,v2 v3,v4

Unsatisfiable

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a,b,c,s d,e,t v1,v2 v3,v4

Changing the problem

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a,b,c,s d,e,t v1,v2 v3,v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a,b,c,s d,e,t v1,v2 v3,v4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

a,b,c,s d,e,t v1,v2 v3,v4

1 2 3 4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

a,b,c,s d,e,t v1,v2 v3,v4

1 2 3 4

Missing:Interpretation for f and g.

Deciding Equality + (uninterpreted) Functions

Building the interpretation for function symbols

M(g) is a mapping from |M| to |M|Defined as:

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)Is M(g) well-defined?

Deciding Equality + (uninterpreted) Functions

Building the interpretation for function symbols

M(g) is a mapping from |M| to |M|Defined as:

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)Is M(g) well-defined?

Problem: we may have v g(a) and w g(b) s.t.M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)So, is M(g)(1) = 2 or M(g)(1) = 3?

Deciding Equality + (uninterpreted) Functions

Building the interpretation for function symbols

M(g) is a mapping from |M| to |M|Defined as:

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)Is M(g) well-defined?

Problem: we may have v g(a) and w g(b) s.t.M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)So, is M(g)(1) = 2 or M(g)(1) = 3?

This is impossible because of the congruence rule!a and b are in the same “ball”, then so are v and w

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

a,b,c,s d,e,t v1,v2 v3,v4

1 2 3 4

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

M(g) = {2 →3}

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

M(g) = {2 →3}

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

M(g) = {2 →3, else →1}

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise

Deciding Equality + (uninterpreted) Functions

a = b, b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}

M(a) = M(b) = M(c) = M(s) = 1

M(d) = M(e) = M(t) = 2

M(v1) = M(v2) = 3

M(v3) = M(v4) = 4

M(g) = {2 →3, else →1}M(f) = { (1 ,3) →4, else →1}

M(g)(i) = j if there is v g(a) s.t.M(a) = i

M(v) = j

= k, otherwise

Deciding Equality + (uninterpreted) Functions

What about predicates?

p(a, b), p(c, b)

Deciding Equality + (uninterpreted) Functions

What about predicates?

p(a, b), p(c, b)

fp(a, b) = T, fp (c, b) ≠ T

E-satisfiability - examplef(f(a)) = a, a f(a)

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Conguruence Closure GraphRecall congruence rule:

Congruence:

t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence Closure Graph

Congruence closure graphLet G = (V,E) be a directed graph such that for each vertex v in G, the successors (children) of v are ordered.Let C be any equivalence relation on V.The congruence closure C* of C is the finest equivalence relation on V,

that contains C : v C w then v C* w Closed: If

children(v) = v1 ..vn

children(w) = w1 ..wn Then v C* w v1 C* w1 … vn C* wn

Congruence closure graphFrom literals L to a congruence graph.

For each subterm t in L create a vertex vt

For each function symbol f create vertex vf

If t = f(t1, …, tn), let children(vt) = vf, vt1, …, vtn

From literals L to an initial equivalence CInitially C = { { v } | v V }For each equality t = s L:

Merge equivalence classes for vt and vs

Computing congruence closureFrom the definition, we can read off that Congruence

closure is the least fixed-point of the operator CongClos:

CongClos(C* )(v,w) =

v C w or let v1 .. vn = children(v)

let w1 ..wn = children(w) in CongClos(C*

)(v1, w1) .. CongClos(C*

)(vn, wn)

Computing Congruence closure

Fixed-point characterization suggests (dynamic programming) algorithm:

Maintain root vertex for each equivalence class.Maintain sig(nature) of each vertex:

sig(vf(t1,..,tn)) = root(vf ), root(vt1).. root(vtn) Initialize C* Cwhile v,w V s.t. v C* w, but sig(v) = sig(w):

C* C* with classes for v, w merged

Computing Congruence closure

A more efficient implementation of congruence closureUse union-find for maintaining rootsMaintain use (a list) for set of parent vertices.Set todo = {}def merge(v, w):

C* C* with classes for v, w merged foreach vp use(v), wp use(w):

add vp, wp to todo foreach asserted equality (v,w): merge(v,w)while some v, w todo : remove v, w from todo if v C* w, but sig(v) = sig(w) then merge(v,w)

Using congruence closureBack to the main problem.

E-satisfiability t1 = t2 t3 = t4 t5 t6

Form graph using {t1, t2, t3 , t4 , t5 , t6 }Initialize C from equalitiesCompute C* from CCheck that vt5 C* vt6

Congruence closure algorithmSoundness: C* just simulates axioms of E.

Completeness: From C* build model M.fM(v1, …, vn) = root(v),

if there is a v, such that sig(v) = fM,v1, …, vn fM(v1, …, vn) = *

otherwiseThen all axioms in E are true in M.All equalities in L are true in M.

DPLL(E)Congruence closure just checks satisfiability of conjunction of literals.

How does this fit together with Boolean search DPLL?

DPLL builds partial model M incrementallyUse M to build C*

After every Decision or Propagate, orWhen F is propositionally satisfied by M.

Check that disequalities are satisfied.

E - conflictsRecall Conflict:

Conflict M || F M || F || C if CF, M ⊨T C

A version more useful for theories:

Conflict M || F M || F || C if C M, ⊨T C

E - conflictsExample

M = fff(a) = a, g(b) = c, fffff(a)= a, a f(a) C = fff(a) = a, fffff(a)=a, a f(a)⊨E fff(a) a fffff(a) a a = f(a)

Use C as a conflict clause.

E - conflictsHow can one mine M for E-conflicts?

ConvexityThe theory E is convex.

Convexity: Let L be a set of equalities and disequalitiesIf L ⊨E s1 = t1 … sn = tn Then for some i: L ⊨E si = ti (proof: use soundess and completeness of Congruence Closure).

A consequence:To check satisfiability it suffices to check each disequality in isolation.

Inference rules, Abstract decision procdures, and Datalog Consider Datalog formulation: Rule formulation:

Eq(x,x) .Eq(x,y) :- Eq(y,x).Eq(x,y) :- Eq(x,z), Eq(z,y) .Eq(u,v) :- Eq(x,y), F(x,u), F(y,v) .

F(a,f(a)) . F(b, f(b)) . Eq(a,b) .?- Eq(f(a),f(b)) .

Congruence closure algorithm is “just” an efficient way of computing closure of Eq(_,_).

𝑥∼𝑦𝑦∼𝑥

𝑥∼𝑦 𝑦∼𝑧𝑥∼𝑧

𝑥∼𝑦𝑢≡ 𝑓 (𝑥 ) ,𝑣≡ 𝑓 ( 𝑦 )𝑢∼𝑣

𝑥∼𝑥

Arrays

Why use abstract arrays?def swap(a, i, j): tmp = a[i]; a[i] = a[j]; a[j] = tmp;

new(a)[i] = a[j]new(a)[j] = a[i]k i, k j a[k] = new(a)[k]

def swap(a, i, j): tmp = a[i]; a = write(a,i,a[j]); a= write(a,j,tmp);

def swap(a, i, j): tmp = a[i]; a1= write(a,i,a[j]); a2= write(a1,j,tmp); new(a) = a2

new(a) = let tmp = a[i] a1= write(a,i,a[j]); a2= write(a1,j,tmp); in a2

new(a) = write(write(a,i,a[j]),j,a[i])

new(a)[j] = write(write(a,i,a[j]),j,a[i])[j] = a[i]

new(a)[i] = write(write(a,i,a[j]),j,a[i])[i] = if i = j then a[i] else write(a,i,a[j])[i] =if i = j then a[i] else a[j] =a[j]

Theory of arraysFunctions: F = { read, write }Predicates: P = { = }Convention a[i] means: read(a,i)

Non-extensional arrays TA: a, i, v . write(a,i,v)[i] = va, i, j, v . i j write(a,i,v)[j] = a[j]

Extensional arrays: TEA = TA + a, b. ((i. a[i] = b[i]) a = b)

Array examples

( , , ) [ ] [ ]b write a i v i j b j a j

( , , )( , , )

[ ] [ ]

b write a i vc write a j ww b j v c i b c

Array examples( , , ) [ ] [ ]b write a i v i j b j a j

( , , ) [ ] [ ]b write a i v i j b j a j

Is valid

Is unsat

( , , ) [ ] [ ]( ( , , )[ ] [ ])b write a i v i j b j a ji j write a i v j a j

Is unsat(arrayaxiom)

( , , )[ ] [ ] ( , , )[ ] [ ]b write a i v i ja j b j write a i v j a j

Is unsat(congruence)

Array examplesIs valid

Is unsat

( , , )( , , )

[ ] [ ]

b write a i vc write a j ww b j v c i b c

( , , )( , , )

[ ] [ ]

b write a i vc write a j ww b j v c i b c

Array examplesIs unsat( , , )

( , , )[ ][ ]

b write a i vc write a j ww b jv c ib c

[ ] ( , , )[ ][ ] ( , , )[ ]

w b j write a i v jv c i write a j w i

( , , )[ ] [ ]i j write a i v j a j Array axiom

Array examplesIs unsat( , , )

( , , )[ ] ( , , )[ ][ ] ( , , )[ ]

( , , )[ ] [ ]( , , )[ ] [ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib ci j write a i v j a ji j write a j w i a i

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ][ ] ( , , )[ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib ci j

i j

Array examplesCase:( , , )

( , , )[ ] ( , , )[ ][ ] ( , , )[ ]

( , , )[ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i v

i j

Array axiom

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ][ ] ( , , )[ ]

( , , )[ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i vw v

i j

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ][ ] ( , , )[ ]

( , , )[ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i vw vb c

i j

Congruence

Array examples – a few steps

Case:( , , )( , , )

[ ] ( , , )[ ][ ] ( , , )[ ]

( , , )[ ] [ ]( , , )[ ] [ ]

b write a i vc write a j ww b j write a i v jv c i write a j w ib cwrite a i v j a jwrite a j w i a i

i j

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib c

i j

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

( . [ ] [ ])

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib ck b k c k b c

i j

Extensionality

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

( . [ ] [ ])

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib c

k b k c k

i j

Extensionality

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

[ ] [ ]

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c k

i j

Skolemize

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

[ ] [ ]( ( , , )[ ] [ ])( ( , , )[ ] [ ])

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c ki k write a i v k b kj k write a j w k c k

i j

Array axiom

Array examplesCase:

( , , )( , , )

[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]

[ ] [ ]( ( , , )[ ] [ ])( ( , , )[ ] [ ])

b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c ki k write a i v k b kj k write a j w k c kyadayadayada

i j

Decision procedures for arraysLet L be literals over F = { read, write }

Find M such that: M ⊨TA L

Basic algorithm, reduce to E: for every sub-term read(a,i), write(b,j,v) in L

i j a = b read(write(b,j,v),i) = read(a,i)read(write(b,j,v),j) = v

Find ME, such thatME ⊨E L AssertedAxioms

Decision procedures for arraysCorrectness of basic algorithm:

ME satisfies array axioms on terms in L.To show that ME can be extended to model for arrays:

From Congurence Closure C* build model:aM = [| *d1 *r1 , *d2 *r2 , *d3 .., else vroot(a) |]Where readM(aM, *di ) = *r1 e.g., *r1 = root(read(root(a),root(i)) under C*

Model satisfies array axioms.For every write(a,i,v) the model satisfies write(a,i,v)[j] = a[j] whenever iM jM (first axiom) and also write(a,i,v)[i] = v (second axiom).vroot(a) was added to make arrays different unless they were forced to be (no extensionality)

Non-extensionalityA non-theorem

a and b need not be equal even if the array axioms hold.

( , , ) [ ]b write a i v a i v a b

Extensional arraysTo enforce:

a, b. ((i. a[i]= b[i]) a = b)

For every pair a, b in L, Add fresh constant iab

Add axiom a b a[iab] b[iab]

Arrays galoreArrays may be more than just read/write.

The constant array:v, i . const(v)[i] = v

Generalized write: a,b,c, i . a[i] = b[i] write(a,b,c)[i] = c[i] a,b,c, i . a[i] b[i] write(a,b,c)[i] = b[i]We now have sets: = const(false), T = const(true), A B = write(,A,B)[i] A B = write(T,A,B)[i]

Ranges:l,u, x . range(l,u)[x] l x u

Arrays galoreClaim: Same kind of reduction to E (and arithmetic) works

Integer ranges, require slightly morerange(l,u)[l-1], range(l,u)[u+1]range(l,u)[l], range(l,u)[u]

Is there a general principle underpinning such extensions?

Arrays galoreConsider a more general formulation. is a conjunction of:

Equalities, disequalities i, j, k . G(i,j,k) F(i,j,k)

Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always eliminate i =j from the guard.

Where F is a general formula with arrays, Restriction: no nested array formulas.

Example: j . if i = j then b[i] = v else b[i] = a[i]Encodes that b = write(a,i,v)

Arrays galore i, j, k . G(i,j,k) F(i,j,k)

Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always eliminate i =j or i = c from the guard.

i, j, k . i = j k c j c’ F(i,j,k) i, k . k c i c F(i,i,k)

Arrays galore i, j, k . G(i,j,k) F(i,j,k)

Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always or from the guard

i, j, k . G(i,j,k) G’(i,j,k) F(i,j,k)

i, j, k . G(i,j,k) F(i,j,k) i, j, k . G’(i,j,k) F(i,j,k)

Arrays galore i, j, k . G(i,j,k) F(i,j,k)

Where G is conjunction of i j, i c

Decision procedure:Collect all c, where a[c] or c = i Instantiate quantifiers by all combinations of such indices.Check for E – satisfiability of ground formula.

Correctness: All quantified formulas are satisfied by C* .

Arrays galore - Arithmetic i, j, k . G(i,j,k) F(i,j,k)

Where G is conjunction of i < j, i < c, i > c

Decision procedure:Collect all c, where a[c], c < i , c > i occurs in formula.For each c, also add c-1, c+1 to collection.Instantiate quantifiers by all combinations of collected indices.Check for ILA + E – satisfiability of ground formula.

Combinatory Array Logic

What else are arrays?Special combinators:

Result: Existential fragment is decidable and in NP by reduction to congruence closure using finite set of instances. ( f belongs to base theory – not arrays)

( , , ) . ( , , [ ])

( ) .

( , ) . ( [ ], [ ])f

write a i v j ite i j v a j

K v j v

map a b j f a j b j

… A different fragment:

Then:

Theory is decidable.

( ) .

( , , ) . ( [ ], [ ], [ ])

( , ) .( [ ] [ ])

.

ite

K v j v

map a b c j ite a j b j c j

map a b j a j b j

I j j

( , , ) ( ( ( ), ), ( ), )itewrite a i v map map K i I K v a

Last combinator for the road…Can I access a default array value?

( )

( ( ))( ( , )) ( ( ), ( ))

( ( , , )) ( )

f

a default

K v vmap a b f a b

write a i v a

Only sound for infinite domains

Let’s use CAL:Simple set and bag operations:

But not cardinality |A|, power-set 2A, …

min

(0)( ){ } ( , ,1){ } ( , , )( , ) [ ][ ]

( , )( , )( , )( , )

( ) ( ( ) 0)( ) ( ( ) )

Bag

Bag

KK falsea write aa write a true

mult a A A aa A A aA B map A BA B map A BA B map A BA B map A B

finite A Afinite A A false

A Basic Decision Procedure

A reduction-based approach

( )?ArraySat T

( ( ) )?Equality ArraySat T Closure

Use saturation rules to reduce arrays to the theory of un-interpreted functions

Extract models for arrays as finite graphs

Array Saturation Rules

a~b – a and b are equal in current contexta≡t – a is a name for the term t

Congruence Closure Rule

Bottlenecks Extensionality axiom is

instantiated on every pair of array variables.

Upwards propagation distributes index over all modifications of same array.

Bottlenecks and Bottleneck:

Extensionality axiom is instantiated on every pair of array variables.

Optimization: Restrict to variables asserted different, or shared.

Bottlenecks and Bottleneck: Upwards

propagation distributes index over all modifications of same array.Optimization: Only use for updates where ancestor has multiple children. Formulas from programs are well-behaved.

The effect on benchmarksThis is where it matters

Saturating for CAL

Saturating K, map,

Saturating K, map, Rules for map are similar as for store.

Optimization of has to be generalized.

Finite domains…