Post on 19-Dec-2015
transcript
Weizmann Institute
Deciding equality formulas by small domain instantiations
O. Shtrichman
The Weizmann Institute
Joint work with
A.Pnueli, Y.Rodeh, M.Siegel
[Diagram: the tool chain. Boxes labelled DC+C, Verification Condition Generator, Code generation, Abstraction Level ++, CVT, Auto-decomposition, Abstraction, Range Minimizer, TLV (verifier).]
Uninterpreted functions

From a general formula (the same shape, with interpreted operations in place of F and G) to a formula with uninterpreted functions:

  u1 = F(x1,y1) ∧ u2 = F(x2,y2) ∧ z = G(u1,u2) → z = G(F(x1,y1), F(x2,y2))
Ackermann's reduction

From a formula with uninterpreted functions:

  u1 = F(x1,y1) ∧ u2 = F(x2,y2) ∧ z = G(u1,u2) → z = G(F(x1,y1), F(x2,y2))

to a formula in the theory of equality, with f1, f2 standing for F(x1,y1), F(x2,y2) and g1, g2 for G(u1,u2), G(f1,f2):

  ((x1 = x2 ∧ y1 = y2) → f1 = f2) ∧ ((u1 = f1 ∧ u2 = f2) → g1 = g2) → ((u1 = f1 ∧ u2 = f2 ∧ z = g1) → z = g2)
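Ackermann's reduction carried out mechanically on the slide's formula, as an added example (not code from the talk or from the CVT tool). The term encoding (strings for variables, tuples for function applications and connectives), the ASCII connectives in the printer and the fresh-name scheme f1, f2, g1, g2 are choices made here to match the slide's naming:

```python
# Added example (not from the talk or its tool): Ackermann's reduction on the
# slide's formula.  Terms are plain Python data: a variable is a str, an
# application of an uninterpreted function is a tuple (name, arg1, ..., argn).
# Formulas are tuples ('eq', t1, t2), ('and', f, g), ('or', f, g), ('imp', f, g)
# and ('not', f).
from itertools import combinations

def ackermann(formula):
    """Replace every function application by a fresh variable.

    Returns (constraints, flat): `flat` is the formula over variables only and
    `constraints` lists one functional-consistency implication for every pair
    of applications of the same function symbol.  Fresh names are the
    lower-cased function symbol plus a running index (F -> f1, f2; G -> g1, g2)."""
    fresh = {}      # (name, flattened args...) -> fresh variable
    counters = {}   # function symbol -> fresh variables issued so far

    def flatten(term):
        if isinstance(term, str):                 # a variable stays as it is
            return term
        name, *args = term
        args = tuple(flatten(a) for a in args)   # nested applications first
        key = (name,) + args
        if key not in fresh:
            counters[name] = counters.get(name, 0) + 1
            fresh[key] = f"{name.lower()}{counters[name]}"
        return fresh[key]

    def walk(f):
        if f[0] == 'eq':
            return ('eq', flatten(f[1]), flatten(f[2]))
        return (f[0],) + tuple(walk(g) for g in f[1:])

    flat = walk(formula)
    constraints = []
    for (a, va), (b, vb) in combinations(list(fresh.items()), 2):
        if a[0] != b[0]:                          # different function symbols
            continue
        # same function: equal arguments must give equal results
        premise = conjoin([('eq', x, y) for x, y in zip(a[1:], b[1:])])
        constraints.append(('imp', premise, ('eq', va, vb)))
    return constraints, flat

def conjoin(formulas):
    """Left-nested conjunction of a non-empty list of formulas."""
    acc = formulas[0]
    for f in formulas[1:]:
        acc = ('and', acc, f)
    return acc

def reduce_to_equality(formula):
    """Ackermann's reduction: (functional consistency) -> (flattened formula)."""
    constraints, flat = ackermann(formula)
    return ('imp', conjoin(constraints), flat) if constraints else flat

def show(f):
    """Render a formula as text (ASCII connectives: &, |, ->, ~)."""
    op = f[0]
    if op == 'eq':
        return f"{f[1]}={f[2]}"
    if op == 'not':
        return "~" + show(f[1])
    sym = {'and': ' & ', 'or': ' | ', 'imp': ' -> '}[op]
    return "(" + show(f[1]) + sym + show(f[2]) + ")"

# The slide's formula:  u1=F(x1,y1) & u2=F(x2,y2) & z=G(u1,u2)  ->  z=G(F(x1,y1),F(x2,y2))
F1, F2 = ('F', 'x1', 'y1'), ('F', 'x2', 'y2')
PHI = ('imp',
       ('and', ('and', ('eq', 'u1', F1), ('eq', 'u2', F2)),
               ('eq', 'z', ('G', 'u1', 'u2'))),
       ('eq', 'z', ('G', F1, F2)))

if __name__ == "__main__":
    print(show(reduce_to_equality(PHI)))
```

Running it prints the equality formula of the slide: the two functional-consistency implications (one for the pair of F applications, one for the pair of G applications) as the antecedent, and the flattened formula as the consequent.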
In search for an efficient decision procedure

A folk theorem: finite instantiations with 1..n.

Sajid et al. (CAV '98): encode each comparison (x=y) with a boolean variable e_xy. A special BDD traversing algorithm maintains the lost transitivity.
  • Major improvement compared to finite instantiations with 1..n.
  • The traversing algorithm is worst-case exponential.
  • The number of encoding bits is worst case C(n,2) (vs. n log n in finite instantiations).

Bryant et al. (CAV '99): in positive equality formulas, replace each UIF with a unique constant.
Finite Instantiations revisited

Instead of giving the range [1..11], analyze connectivity:

  [Figure: the equality graph of the formula above, vertices x1 x2 y1 y2 g1 g2 / z u1 f1 f2 u2]

  x1, y1, x2, y2 : {0-1}    u1, f1, f2, u2 : {0-3}    g1, g2, z : {0-2}

The state-space: from 11^11 to ~10^5.
Or even better:

  [Figure: the same graph, vertices x1 x2 y1 y2 g1 g2 / z u1 f1 f2 u2]

  x1, y1, g1, u1 : {0}    x2, y2, g2, f1 : {0-1}    u2 : {0-3}    f2, z : {0-2}

An upper bound: state-space n!

The state-space: from ~10^5 to 576.
The Range-Minimization Problem

Given a quantifier-free formula φ with equalities only, find in polynomial time a small domain sufficient to preserve its truth value:

  D : infinite domain    D* : finite domain    D* ⊂ D
Analyzing the formula structure

Assume φ is given in positive form, and contains no constants.

Let At(φ) be the set of all atomic formulas of the form xi = xj or xi ≠ xj appearing in φ.

A subset B = {φ1, …, φk} ⊆ At(φ) is consistent if φ1 ∧ … ∧ φk is satisfiable; e.g. B = {xi = xj, xi ≠ xj} is inconsistent.

A Range Allocation R is adequate for At(φ) if every consistent subset B ⊆ At(φ) can be satisfied under R.
Examples:

  φ                             At(φ)                  R
  (x1=x2) (x2=x3)               {(x1=x2),(x2=x3)}      x1, x2, x3 : {0}
  (x1≠x2) (x2≠x3)               {(x1≠x2),(x2≠x3)}      x1 : {0}, x2 : {1}, x3 : {2}
  (x1≠x2) ( False (x1=x2))      {(x1≠x2),(x1=x2)}      x1 : {0}, x2 : {0,1}
  (x1=x2) ( False (x1≠x2))      {(x1≠x2),(x1=x2)}      x1 : {0}, x2 : {0,1}

The price of a polynomial procedure: At(φ) holds less information than φ.
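The adequacy definition above, checked by brute force on the four rows of the table, as an added example that is not part of the talk. The atom triples, the `consistent`/`satisfiable_under`/`adequate` helpers and the row constants are constructed here. The check enumerates every subset of At(φ) and every assignment over the finite domain, so it is exponential; the range allocation algorithm exists precisely to produce an adequate R without this enumeration.

```python
# Added example (not from the talk): check a range allocation R for adequacy
# against At(phi) by brute force.  An atom is (x, y, True) for x=y and
# (x, y, False) for x!=y; R maps each variable to its finite set of values.
from itertools import combinations, product

def consistent(atoms):
    """B is consistent iff the conjunction of its atoms is satisfiable over an
    infinite domain: merge the equalities (union-find) and check that no
    disequality joins two variables of the same class."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]      # path halving
            v = parent[v]
        return v

    for x, y, eq in atoms:
        if eq:
            parent[find(x)] = find(y)
    return all(find(x) != find(y) for x, y, eq in atoms if not eq)

def satisfiable_under(atoms, ranges):
    """Is there an assignment drawing each variable from ranges[var] that makes
    every atom true?  Exhaustive over the (small) finite domain."""
    variables = sorted(ranges)
    for values in product(*(sorted(ranges[v]) for v in variables)):
        env = dict(zip(variables, values))
        if all((env[x] == env[y]) == eq for x, y, eq in atoms):
            return True
    return False

def adequate(atoms, ranges):
    """R is adequate for At(phi) iff every consistent B subset of At(phi) is
    satisfiable under R.  Returns None when adequate, otherwise the first
    consistent subset that cannot be satisfied (the witness of inadequacy)."""
    atoms = list(atoms)
    for k in range(1, len(atoms) + 1):
        for subset in combinations(atoms, k):
            if consistent(subset) and not satisfiable_under(subset, ranges):
                return subset
    return None

def state_space(ranges):
    """Size of the finite state space induced by R (product of range sizes)."""
    size = 1
    for values in ranges.values():
        size *= len(values)
    return size

# The four rows of the slide's table, as constructed inputs.
ROW1 = [('x1', 'x2', True), ('x2', 'x3', True)]
ROW2 = [('x1', 'x2', False), ('x2', 'x3', False)]
ROW3 = [('x1', 'x2', False), ('x1', 'x2', True)]     # rows 3 and 4 share At(phi)
R1 = {'x1': {0}, 'x2': {0}, 'x3': {0}}
R2 = {'x1': {0}, 'x2': {1}, 'x3': {2}}
R3 = {'x1': {0}, 'x2': {0, 1}}

if __name__ == "__main__":
    for name, atoms, R in (("row 1", ROW1, R1), ("row 2", ROW2, R2), ("rows 3/4", ROW3, R3)):
        print(name, "adequate:", adequate(atoms, R) is None, "state space:", state_space(R))
    # Shrinking x2's range in row 3 loses the disequality: x1 != x2 becomes unsatisfiable.
    print("row 3 with x2:{0} ->", adequate(ROW3, {'x1': {0}, 'x2': {0}}))
```

Two observations the table alone does not show: in row 2, x1 and x3 are never compared, so x3 : {0} is already adequate (the connectivity analysis of the next slides exploits exactly this); and shrinking x2 to {0} in row 3 is caught with the singleton {x1 ≠ x2} as the witness.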
The atomic sub-formulas of φ

  ((x1 = x2 ∧ y1 = y2) → f1 = f2) ∧ ((u1 = f1 ∧ u2 = f2) → g1 = g2) → ((u1 = f1 ∧ u2 = f2 ∧ z = g1) → z = g2)

Split At(φ) into two sets:

  A≠ : {(x1≠x2), (y1≠y2), (u1≠f1), (u2≠f2), (z≠g2)}
  A= : {(f1=f2), (g1=g2), (u1=f1), (u2=f2), (z=g1)}
A graphical representation

  [Figure: vertices x1 x2 y1 y2 g1 g2 / z u1 f1 f2 u2; the pairs of A= are drawn as dashed edges and the pairs of A≠ as solid edges]

  A≠ : {(x1≠x2), (y1≠y2), (u1≠f1), (u2≠f2), (z≠g2)}
  A= : {(f1=f2), (g1=g2), (u1=f1), (u2=f2), (z=g1)}

Note:
  1. Inconsistent subsets appear as contradictory cycles.
  2. Some of the vertices are mixed.
The Range-Allocation Algorithm

Step I - pre-processing:
  A. Remove all solid edges not belonging to contradictory cycles.
  B. Add a single unique value to singleton vertices, and remove them from the graph.

  [Figure: the graph after pre-processing; x1, x2, y1, y2 have become singletons and receive the values {0}, {1}, {2}, {3}]
Step II - Set construction:
  A. For each mixed vertex xi:
     1. Add a unique value ui to R(xi)
     2. Broadcast ui on G=
     3. Remove xi from the graph
  B. Add a unique value to each remaining G= component

  [Figure: Step II on the component g1, g2, z. 1. The mixed vertex g2 receives the unique value 4, which is broadcast: g1, g2, z : {4}; g2 is removed. 2. The remaining component g1, z receives the unique value 5. Result: g2 : {4}, g1 : {4,5}, z : {4,5}.]
  [Figure: Step II on the component u1, f1, f2, u2. 1. u1 receives the unique value 6, broadcast to u1, f1, f2, u2 : {6}; u1 is removed. 2. f2 receives the unique value 7, broadcast to f1, f2, u2 : {6,7}; f2 is removed. 3. The remaining vertices f1 and u2 are now separate G= components and each receives its own unique value (8 and 9). Result: u1 : {6}, f2 : {6,7}, f1 and u2 : {6,7} plus their own value.]
Is the allocated range always adequate?

We have to satisfy every consistent subset B:
  » For all x ∈ B, assign the smallest value allocated in step A to a mixed vertex which is G=(B)-connected to x.
  » If there isn't any, choose the value given in step B.

  [Figure: the complete allocation. x1, x2, y1, y2 : {0}, {1}, {2}, {3}; g2 : {4}, g1, z : {4,5}; u1 : {6}, f2 : {6,7}, f1 and u2 : {6,7} plus their own value 8 or 9.]
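The pre-processing and set-construction steps above, implemented as an added example (not the authors' range minimizer) and run on the slide's own A= and A≠ sets. The `order` parameter, the value numbering and the per-component processing are assumptions made here; `order` exists so that different choices of mixed vertex can be compared, which is what the next slides do.

```python
# Added example (not the authors' implementation): the two-step range
# allocation from the slides, run on the slide's own A= / A!= sets.  Pairs in
# eq_atoms are the dashed edges (G=), pairs in neq_atoms the solid edges.
from collections import defaultdict
from itertools import count

def components(vertices, edges):
    """Connected components of an undirected graph; edges are 2-element frozensets."""
    adj = defaultdict(set)
    for e in edges:
        a, b = tuple(e)
        adj[a].add(b)
        adj[b].add(a)
    comps, seen = [], set()
    for v in sorted(vertices):
        if v in seen:
            continue
        comp, stack = set(), [v]
        while stack:
            u = stack.pop()
            if u not in comp:
                comp.add(u)
                stack.extend(adj[u] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def range_allocation(variables, eq_atoms, neq_atoms, order=()):
    """Return {variable: set of values}.

    `order` names mixed vertices to process first when several are available;
    everything else is chosen deterministically (smallest name), so the same
    input always gives the same allocation."""
    fresh = count()                                   # supplier of unique values
    variables = set(variables)
    dashed = {frozenset(p) for p in eq_atoms}
    solid = {frozenset(p) for p in neq_atoms}
    R = {v: set() for v in variables}

    # Step I.A: a solid edge survives only if its endpoints are G=-connected,
    # i.e. only if it closes a contradictory cycle (exactly one solid edge).
    eq_comps = components(variables, dashed)
    solid = {e for e in solid if any(e <= c for c in eq_comps)}

    # Step I.B: vertices left without any edge get a single unique value.
    touched = set().union(*dashed, *solid)
    for v in sorted(variables - touched):
        R[v].add(next(fresh))

    # Step II, component by component (as the slides present it).
    for comp in eq_comps:
        if len(comp) == 1:
            continue                                  # handled in step I.B
        live = set(comp)
        d = {e for e in dashed if e <= comp}
        s = {e for e in solid if e <= comp}
        # II.A: while a mixed vertex (dashed and solid edge) exists, give it a
        # unique value, broadcast that value over its G= component, remove it.
        while True:
            mixed = set().union(*d) & set().union(*s)
            if not mixed:
                break
            x = next((v for v in order if v in mixed), min(mixed))
            val = next(fresh)
            for c in components(live, d):
                if x in c:
                    for v in c:
                        R[v].add(val)
            live.discard(x)
            d = {e for e in d if x not in e}
            s = {e for e in s if x not in e}
        # II.B: one unique value per remaining G= component.
        for c in components(live, d):
            val = next(fresh)
            for v in c:
                R[v].add(val)
    return R

def state_space(R):
    """Product of the range sizes: the number of assignments left to explore."""
    size = 1
    for values in R.values():
        size *= len(values)
    return size

# The slide's example (constructed from its A!= and A= sets).
VARS = ['x1', 'x2', 'y1', 'y2', 'u1', 'f1', 'u2', 'f2', 'z', 'g1', 'g2']
A_EQ = [('f1', 'f2'), ('g1', 'g2'), ('u1', 'f1'), ('u2', 'f2'), ('z', 'g1')]
A_NEQ = [('x1', 'x2'), ('y1', 'y2'), ('u1', 'f1'), ('u2', 'f2'), ('z', 'g2')]

if __name__ == "__main__":
    for label, order in (("bad order", ('g2', 'u1', 'f2')), ("good order", ('g2', 'f1', 'f2'))):
        R = range_allocation(VARS, A_EQ, A_NEQ, order)
        print(label, state_space(R), {v: sorted(R[v]) for v in VARS})
```

Pre-processing removes x1≠x2 and y1≠y2 (neither closes a contradictory cycle) and leaves two components, g1-g2-z and u1-f1-f2-u2. Processing u1 then f2 in the second component reproduces the 18 assignments of the trace above; processing f1 then f2 gives 12. With the singletons contributing 1 and the g1, g2, z component contributing 4, the whole formula ends up with 72 or 48 assignments depending on that choice.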
Order makes a difference

The vertices removed in step A constitute a Vertex Cover of G. We will look for a Minimal Vertex Cover (mvc).

  Bad ordering:   {6} {6,7} {6,7,8} {6,7,9}     State space: 18
  Good ordering:  {6,8} {6} {6,7} {6,7,9}       State space: 12
Order makes a difference

  [Figure: the graph G and G/mvc]
Colors make a difference

When should mvc vertices be assigned different values?

  Unique values:    {6,8} {6} {6,7} {6,7,9}     State space: 12
  ~ Unique values:  {6,8} {6} {6} {6,8}         State space: 4
Colors make a difference

Two mixed vertices are incompatible if there is a path between them with one solid edge.

Coloring the incompatibility graph:

  [Figure: mixed vertices x, y, z, w and their incompatibility graph]
  [Figure: the final allocation. x1, x2, y1, y2 : {0}, {1}, {2}, {3}; g2 : {4}, g1, z : {4,5}; u1, f1, f2, u2 : {6,7} {6} {6} {6,8}]

A state-space story:

  1..n                      11^11
  1..i                      11!
  connectivity              ? , 576
  range allocation algo.    basic 72, order 48, color 16
A new upper bound for the state-space

For each connected G= component k:
  nk = |G=_k|
  mk = |mvc_k|
  yk = the number of colors in mvc_k (yk ≤ mk)

  State space ≤ Π_k  yk! · (yk + 1)^(nk − mk) · yk^(mk − yk)

The worst case: double cliques, back to n!
  • One connected component (nk = n)
  • All vertices are mixed
  • Worst vertex-cover: mk = nk − 1
  • Worst coloring: yk = mk

  [Figure: a 4 double-clique]
Before and after, in SMV

Before:

  MODULE main
  VAR
    H_zN1_693_c : 0..31;
    zN1_693_c : 0..31;
    N1_643_c : 0..31;
    T1_c : 0..31;
    T1_644_c : 0..31;
    N1_c : 0..31;
    f_plus1 : 0..31;
    f_plus2 : 0..31;
    f_minus1 : 0..31;
    f_minus2 : 0..31;
    f_minus3 : 0..31;
    f_minus4 : 0..31;
    f_mul1 : 0..31;
    f_mul2 : 0..31;
    f_div1 : 0..31;
    f_div2 : 0..31;
    f_div3 : 0..31;
    f_div4 : 0..31;
    sqrt_1 : 0..31;
    sqrt_2 : 0..31;
    POSM_c : boolean;
    POSM_33_c : boolean;
    H0_99_c : boolean;

After:

  MODULE main
  VAR
    H_zN1_693_c : {33};
    zN1_693_c : {33};
    N1_643_c : {19};
    T1_c : {27};
    T1_644_c : {27,28};
    N1_c : {19};
    f_plus1 : {0,21,22};
    f_plus2 : {21,0};
    f_minus1 : {8,9,10,11};
    f_minus2 : {8,9,10,11};
    f_minus3 : {8,9,10,11};
    f_minus4 : {8,9,10,11};
    f_mul1 : {16};
    f_mul2 : {16};
    f_div1 : {23,24,25};
    f_div2 : {23,24,25};
    f_div3 : {24,23};
    f_div4 : {23};
    sqrt_1 : {29};
    sqrt_2 : {29,30};
    POSM_c : boolean;
    POSM_33_c : boolean;
    H0_99_c : boolean;
Experimental Results

• A design of a SNECMA turbine engine with Sildex™ results in a verification condition of about 6000 lines.
• Before: 92% verified in reasonable time. After: 100% verified in reasonable time.
• Some of the formulas had 150 integer variables and more.

The implementation is available at: http://www.wisdom.weizmann.ac.il/~ofers/sat/bench.htm