The Simplify Theorem Prover

Greg Nelson, Dave Detlefs and Jim Saxe

Mooly Sagiv

Bibliography

• Nelson & OppenSimplification by Cooperating Decision ProceduresTOPLAS 1980

• Tinelli & ZarbaCombining non-stably infinite theoriesJournal of Automated Reasoning, 2006

• Simplify: A Theorem Prover for Program CheckingDavid Detlefs, Greg Nelson, James B. SaxeJACM 2005

• Verifun: An Explicating Theorem Prover for Quantified FormulasCormac Flanagan, Rajeev Joshi, James B. Saxe

HPL-2004-199• Zap: Automated Theorem Proving for Software Analysis

Thomas Ball, Shuvendu K. Lahiri, Madanlal MusuvathiMSR Technical Report 2005

The Simplify Theorem Prover

• Proof by Refutation

• Incomplete & Sometimes diverges

• Supports– Full first order logic

• Skolemization• Incomplete treatment of universal quantifications

– Special theories• EUF• Theory of arrays• Relational Linear Algebra (The Simplex)

– Incomplete treatment multiplication• Partial orders

– Combination of theories– New axioms

• Very successful: used as the engine in many checkers:– ESC/Modula3, ESC/Java, SLAM, ...

Outline

• Search strategy (propositional)

• [Specialized theories]– EUF– Arrays– Simplex

• Combining theories

• Handling quantifiers

• Recent systems– Verifun– ZAP

Simplify search strategy

• Somewhat naive

• Top down guessing of truth values with backtracking

• Finds implied truth values

• “Lazy” conversion to CNFUse “Proxies”

• Scored clauses

• Goal oriented

Example

a=b

f(a) f(b) b=c

f(a) f(c)

Inconsistency detected by the EUF procedure so backtrack

Example

a=b

f(a) f(b) b=c

f(a) f(c)

Inconsistent with EUF

Report UNSAT

Combining Decision Procedures

• Programming languages combine different features– Arithmetic– Data types– Arrays– …

• Is there a way to compose decision procedures of different theories?

• Given two decidable logics is there a way to combine the logics into a decidable logic?

Cooperating Decision Procedures Nelson & Oppen • Quantifier free

• Proof be refutation

• Separate the conjunct into separate conjunctsA Bsuch that– A and B use different theories– Only constants are shared

• If either A or B is UNSAT report UNSAT

• When A and B are SAT propagate equalities between A and B and repeat

Example Theories

x, y: CAR(CONS(x, y)) = x

x, y: CDR(CONS(x, y)) = y

x: ATOM(x) CONS(CAR(x), CDR(x)) = x

x, y: ATOM(CONS(x, y))

LIST

x, y: x = y f (x) = f(y)EUF

x: x+0 =0

x: x +-x = 0 0 1

x, y, z: (x+y)+z = x + (y+z) 0 1

x, y:x+y = y +x

x: xx

x, y: xy y x

x, y: xyy x x=y

x, y: xyy z xz

x, y,z: xy x+z y+z

R

A Simple Example

xy

yx+g1

g2=g3-g4

g5=0

x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0)

P(g2)=true

P(g5)=false

g3=h(x)

g4=h(y)

g1=CAR(CONS(g5, x))

Non-Convexity

• If one of the theories is UNSAT the original formulas is UNSAT (Soundness)

• But the original formula may be UNSAT and yet no single equality suffices to prove UNSAT

• Happens for theories which imply non-convex equalities T F c1 = c2 c3 = c4 without T F c1 = c2

or T F c3 = c4

• Performs a case split

Example for Case Split

SELECT(UPDATE(v, I, e), j) = x SELECT(v, j)=y x>e x>y

Equality Propagation Procedure

1. Assign conjunctions to FL and FF s.t.,• FF contains only F-literals • FL contains only L-literals• FL FF is satisfiable iff F is satisfiable

2. If either FL or FF is UNSAT report UNSAT

3. If either FL or FF entails equality not entailed by other add this equality and go to step 2

4. If either FL or FF entails u1=v2 u2=v2 … uk=vk without entailing any equality alone then apply the procedure recursively to the k-formulas FL FF vi = uiIf any of these formulas is SAT return SAT

5. Return UNSAT

Notes

• Only equalities are propagated

• Requires that the theories can find all consequent equalities

• Completeness is non-obvious

• The original paper also performs simplification

Convexity

• A formula F is non-convex F entails u1=v2 u2=v2 … uk=vk without entailing any equality alone– Otherwise it is convex

• A theory is convex

• Convex theories– EUF– Relational linear algebra

• Non-convex theories– Theory of arrays– Theory of reals under multiplications

xy =0z=0 R x=z y=z– Theory of integers under + and

Hints about Completeness• The residues of formula

– The strongest Boolean combinations of equalities between constants entailed by the formula

x=f(a)y=f(b) a=b x=y

x+y-a-b>0 (x=ay=b) (x=by=a)

x=STORE(v, u, e)[j] i=j x=e

x=STORE(v, u, e)[j]

y=v[j]

if i=j then x=e else x=y

Lemma 4: If A and B are formulas whose only common parameters are constant symbols then RES(AB) = RES(A)RES(B)

The residues in the simple example

xy

yx+g1

g2=g3-g4

g5=0

g1=g5x=y

g5=g2g3=g4

x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0)

P(g2)=true

P(g5)=false

g3=h(x)

g4=h(y)

g2g5

x=y g3=g4

g1=CAR(CONS(g5, x))

g1=g5

Handling Quantifiers

• The problem becomes undecidable

• Complete procedures exist and implemented (e.g., SPASS next week)

• Simplify employs incomplete heuristics– Instantiate universal quantifiers with relevant terms– Can be tuned by the user

Instantiating universal quantifiers

• Suppose that 8 x1, …, xn . P is known to hold– For example, because it is an axiom– Or because it is added to the environment during a

backtracking

• We want to find substitutions giving values to x1, …,xn such that (P) will be useful in the proof

General idea in matching

• Pick a term t from P called a trigger (sometimes pattern)

• Instantiate P with a substitution if (t) is a term that the prover is likely to require information about

• Separately implemented for different theories

• Intuition:– Since P contains the term t, (P) will contain the term (t), and

so it provides information about (t)– This is likely to be useful, since the prover wants information

about (t)

Matching in the E-graph

• The Congruence Graph is called E-graph

• Match triggers into equivalence classes

• For every occurrence of the trigger in the E-graph assert the corresponding instance– Adds terms and equalities

Example

• Assume 8 x,y: car(cons(x,y)) = x

• Prove cons(a, b) = cons(c, d)) a=c

• First trigger “car(cons(x,y)”

• Second trigger “cons(x,y)”

Choosing a trigger

• Heuristically important

• Liberal (small) triggers– Too many terms– Sometimes infinite loops

• Conservative (large) triggers– May fail to prove the theorem

• The user can provide– Candidate triggers– Candidate untriggers

Triggers as sets of terms

• Sometimes single trigger is not enoughs, t, x: member(x, s) subset(s, t) member(x,t)

• Use sets of terms as triggers {member(x, s), subset(s, t)}

Matching in the E-graph (example)

• Assume 8 x:f(x) = x [trigger f(x)] 8 x:g(g(x) = x [trigger g(g(x))]

• Prove g(f(g(a))) = a

Matching Loops

• Repeated applications of matching

• Example x: P(f(x), f(g(x)) [Trigger f(x)]

• Can be sometimes avoided by:– Check if the body of the quantifier contains a larger

instance of the term– Alternate matching and decisions– User input

Limitations of matching

• Matching loops

• Not goal oriented

• Limitations of the theories(x: P(x+1)) P(1+a)

Simplify experience

• Handles large formulas

• Robust

• In many cases complete enough

• Fully automatic for simple program verification– Cleanness

• Incompleteness in programs– Deep properties– Shape of dynamically allocated structures

• But slow on Boolean combinations

Verifun : A Theorem Prover UsingLazy Proof Explication• Rajeev Joshi Cormac Flanagan, Jim Saxe and Xinming Ou

• Key ideas:– use SAT solvers to find candidate truth assignments to atomic formulae– have theory modules produce compact “proofs” that are added to the

SAT problem to reject all truth assignments containing the “same” inconsistency

• Requires – proof explicating theory modules

• Uses Simplify Theories extended with Explication and matching

• Implemented in Java (~10,500 lines) and in C (~800 lines)

Zap: Automated Theorem Proving for Software Analysis

• Thomas Ball, Shuvendu Lahiri, Madanlal Musuvati (MSR)

• Use a SAT algorithm for the search procedure

• Use Nelson&Oppen to combine theories

• Develop new decision procedures

• Use quantifier matching

• Add features for program analysis

Conclusion

• Handling specialized theories yields significant improvements– Efficiency– Termination– Predictability

• Combination procedures are useful

• But resolution based theorem provers can still br superior in several cases