weizmann institute deciding equality formulas by small domain instantiations o. shtrichman the...

Weizmann Institute

Deciding equality formulasby small domain instantiations

O. Shtrichman

The Weizmann Institute

Joint work with

A.Pnueli, Y.Rodeh, M.Siegel

Weizmann Institute

DC+C

Verification Condition Generator

Code generation

Abstraction Level ++

CVT

Auto-decomposition

Abstraction

Range Minimizer

TLV (verifier)

Weizmann Institute

u x y u x y z u u

z x y x y1 1 1 2 2 2 1 2

1 1 2 2

( ) ( )

u F x y u F x y z G u u

z G F x y F x y1 1 1 2 2 2 1 2

1 1 2 2

( , ) ( , ) ( , )

( ( , ), ( , ))

To a formula with uninterpreted functions

Uninterpreted functions

From a general formula:

Weizmann Institute

u F x y u F x y z G u u

z G F x y F x y1 1 1 2 2 2 1 2

1 1 2 2

( , ) ( , ) ( , )

( ( , ), ( , ))

2

12211

212211

212121

gz

gzfufu

ggfufu

ffyyxx

From a formula with uninterpreted functions:

To a formula in the theory of equality

Ackerman’s reduction

Weizmann Institute

Sajid et al (CAV 98’) : encode each comparison (x=y) with a boolean variable exy. A special BDD traversing algorithm maintains the lost transitivity. • Major improvement comparing to finite instantiations with 1..n.• The traversing algorithm is worst case exponential. • The number of encoding bits is worst case (Vs. n logn in finite instantiations).

Bryant et al (CAV 99’) : in positive equality formulas, replaceeach UIF with a unique constant.

n2FHGIKJ

A folk theorem: Finite Instantiations with 1..n.

In search for an efficient decision procedure

Weizmann Institute

Instead of giving the range [1..11], analyze connectivity:

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

x1, y1, x2, y2 :{0-1} u1, f1, f2, u2 : {0-3} g1, g2, z: {0-2}

The state-space: from 1111 to ~105

2

12211

212211

212121

gz

gzfufu

ggfufu

ffyyxx

Finite Instantiations revisited

Weizmann Institute

Or even better:

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

x1, y1, g1 , u1 : {0}

{0} {0-1}

An Upper-bound: State-space n!

x2, y2 , g2 , f1 : {0-1}

u2 : {0-3} f2, z : {0-2}

The state-space: from ~105 to 576

Weizmann Institute

The Range-Minimization Problem

Given a quantifier-free formula with equalities only, find in

polynomial time a small domain sufficient to preserve its truth

value:

D : Infinite domainD*: finite domain

D* D

Weizmann Institute

Analyzing the formula structure

Assume is given in positive form, and contains no constants.

Let At() be the set of all atomic formulas of the form xi=xj

or xi xj appearing in .

A subset B = {1,…,k} At() is consistent, if 1 ^... ^k

is satisfiable; e.g. B = (xi= xj ^ xi xj) is inconsistent.

A Range Allocation R is adequate for At(), if every consistent subset B At() can be satisfied under R.

Weizmann Institute

Examples:

At() R

(x1=x2) (x2=x3) {(x1=x2),(x2=x3)} x1,x2,x3 {0}

(x1x2) (x2

x3) {(x1x2),(x2

x3)} x1 {0}

x2 {1}

x3 {2}

(x1x2) ( False (x1=x2)) {(x1

x2),(x1=x2)} x1 {0}

x2 {0,1}

(x1=x2) ( False (x1x2)) {(x1

x2),(x1=x2)} x1 {0}

x2 {0,1}

The price of a polynomial procedure: At() holds less information than .

Weizmann Institute

Split At() into two sets:

:

)}(),(),(),(),({ 221 212121zgfufuyyxx

)}(),(),(),(),{( 121121 212zgfufuggff

A :

A= :

zg

zgfufu

ggfufu

ffyyxx

2

121

121

21

)(

)(

21

221

2121

The atomic sub-formulas of

Weizmann Institute

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

A graphical representation

)}(),(),(),(),({ 221 212121zgfufuyyxx

)}(),(),(),(),{( 121121 212zgfufuggff

A :

A= :

Note: 1. Inconsistent subsets, appear as contradictory cycles2. Some of the vertices are mixed

Weizmann Institute

The Range-Allocation Algorithm

A. Remove all solid edges not belonging to contradictory cycles.

B. Add a single unique value to singleton vertices, and remove them from the graph.

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

{0} {1} {3}{2}

Step I - pre-processing:

Weizmann Institute

Step II - Set construction:

A. For each mixed vertex xi:

1. Add a unique value ui to R(xi)2. Broadcast ui on G

3. Remove xi from the graph

B. Add a unique value to each remaining G= component

g1 g2

z

{4}{4}

{4}

g1

z

{4, }

{4, }

g1 g2

z

{4}

{4, }

{4, }

1. 2.

5

5

5

5

Weizmann Institute

u1 f1 f2 u2

{6} {6} {6} {6}

f1 f2 u2

{6,7} {6,7} {6,7}

u2

{6,7, }

u1 f1 f2 u2

{6} {6,7}

1.

2.

3. f1

{6,7, }

{6,7, } {6,7, }

8

8

9

9

Weizmann Institute

Is the allocated range always adequate?

» For all xB, assign the smallest value allocated in step

A to a mixed vertex which is G(B)=- connected to x.

» If there isn’t any, choose the value given in step B.

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

{3}{2} {4}

{4, }

{4, }

{6} {6,7}{6,7, } {6,7, }

{1}{0}

We have to satisfy every consistent subset B :

5

58 9

Weizmann Institute

Bad ordering:

Good ordering:

18

12

The vertices removed in step A constitutes a Vertex-Cover of G.

We will look for a Minimal Vertex Cover (mvc).

State space:

Order makes a difference

{6} {6,7}{6,7, } {6,7, }8 9

{6, } {6} {6,7} {6,7, }8 9

Weizmann Institute

G

Order makes a difference

G/mvc

Weizmann Institute

Colors make a difference

12

4

{6, } {6} {6} {6, }

{6, } {6} {6,7} {6,7, }State space:Unique

values:

~ Unique values:

When should mvc vertices be assigned different values?

8

8 7

9

Weizmann Institute

Colors make a difference

x y

Two mixed vertices are incompatible, if there is a path between them with one solid edge.

Coloring the incompatibility graph:

z w

yz w

Weizmann Institute

x1 x2 y1 y2 g1 g2

zu1 f1 f2 u2

{3}{2} {4}

{4,5}

{4,5}

{6,7} {6}{6} {6,8}

{1}{0}

A state-space story:

1111 11! 161..n 1..i basic order color

4872 ?576

connectivity

Range allocation algo.

Weizmann Institute

The worst case: double cliques back to n!• One connected component (nk=n)• All vertices are mixed• Worst vertex-cover: mk = nk-1• Worst coloring: yk=mk

A 4 double-clique

State-space k

mnk

ymkk

kkkk yyy )1()!(

A new upper bound for the state-space

For each connected G= component k: nk = |G=| mk= |mvck| yk - the number of colors in mvck (ykmk)

k

Weizmann Institute

MODULE main

VARH_zN1_693_c :0..31;zN1_693_c :0..31;N1_643_c :0..31;T1_c :0..31;T1_644_c :0..31;N1_c :0..31;f_plus1 :0..31;f_plus2 :0..31;f_minus1 :0..31;f_minus2 :0..31;f_minus3 :0..31;f_minus4 :0..31;f_mul1 :0..31;f_mul2 :0..31;f_div1 :0..31;f_div2 :0..31;f_div3 :0..31;f_div4 :0..31;sqrt_1 :0..31;sqrt_2 :0..31;POSM_c :boolean;POSM_33_c :boolean;H0_99_c :boolean;

MODULE main

VARH_zN1_693_c :{33};zN1_693_c :{33};N1_643_c :{19};T1_c :{27};T1_644_c :{27,28};N1_c :{19};f_plus1 :{0,21,22};f_plus2 :{21,0};f_minus1 :{8,9,10,11};f_minus2 :{8,9,10,11};f_minus3 :{8,9,10,11};f_minus4 :{8,9,10,11};f_mul1 :{16};f_mul2 :{16};f_div1 :{23,24,25};f_div2 :{23,24,25};f_div3 :{24,23};f_div4 :{23};sqrt_1 :{29};sqrt_2 :{29,30};POSM_c :boolean;POSM_33_c :boolean;H0_99_c :boolean;

Before and after, in SMV

Weizmann Institute

Experimental Results

• A design of a SNECMA turbine engine with Sildex™ results in a verification condition of about 6000 lines.

• Before : 92% verified in reasonable timeAfter: 100% verified in reasonable time

• Some of the formulas had 150 integer variables and more.

The implementation is available at: http://www.wisdom.weizmann.ac.il/~ofers/sat/bench.htm