Weizmann Institute

Deciding equality formulas by small domain instantiations
O. Shtrichman, The Weizmann Institute
Joint work with A. Pnueli, Y. Rodeh, M. Siegel

Tool chain (diagram):
• DC+C
• Verification Condition Generator
• Code generation
• Abstraction Level ++
• CVT: Auto-decomposition, Abstraction, Range Minimizer
• TLV (verifier)

Uninterpreted functions
From a general formula (with two interpreted binary operators, written ⊕ and ⊗ here):
  u1 = x1 ⊕ y1 ∧ u2 = x2 ⊕ y2 ∧ z = u1 ⊗ u2 → z = (x1 ⊕ y1) ⊗ (x2 ⊕ y2)
To a formula with uninterpreted functions:
  u1 = F(x1, y1) ∧ u2 = F(x2, y2) ∧ z = G(u1, u2) → z = G(F(x1, y1), F(x2, y2))

Ackermann's reduction
From a formula with uninterpreted functions:
  u1 = F(x1, y1) ∧ u2 = F(x2, y2) ∧ z = G(u1, u2) → z = G(F(x1, y1), F(x2, y2))
To a formula in the theory of equality (each application is replaced by a fresh variable: F(x1, y1) by f1, F(x2, y2) by f2, G(u1, u2) by g1, G(f1, f2) by g2; the functional-consistency constraints become an antecedent):
  ((x1 = x2 ∧ y1 = y2 → f1 = f2) ∧ (u1 = f1 ∧ u2 = f2 → g1 = g2)) → ((u1 = f1 ∧ u2 = f2 ∧ z = g1) → z = g2)
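Ackermann's reduction on the slide's formula, as an added example (this is the editor's code, not the slides' or the CVT tool's). Terms and formulas are nested tuples of this example's own design; the only names taken from the slide are the variables, the functions F and G, and the fresh names f1, f2, g1, g2 that the reduction produces. The reducer assigns one fresh variable per distinct application (so the two occurrences of F(x1, y1) share f1) and emits, for every pair of applications of the same function, the constraint "arguments pairwise equal implies results equal".

```python
"""Ackermann's reduction (added example, not the slides' own code).

Terms: a variable name (str) or an application ('app', fname, (args...)).
Formulas: ('=', t, t), ('!=', t, t), ('and', f, f), ('or', f, f), ('imp', f, f).
"""
from itertools import combinations


class Ackermann:
    """Replace every uninterpreted-function application by a fresh variable and
    record the functional-consistency constraints that preserve validity."""

    def __init__(self):
        self.fresh = {}    # (fname, reduced args) -> fresh variable name
        self.apps = {}     # fname -> [(reduced args, fresh var)] in discovery order
        self.counter = {}  # fname -> next index for fresh names

    def term(self, t):
        if isinstance(t, str):
            return t
        _, fname, args = t
        rargs = tuple(self.term(a) for a in args)  # inner applications first
        key = (fname, rargs)
        if key not in self.fresh:                  # same application -> same fresh var
            self.counter[fname] = self.counter.get(fname, 0) + 1
            name = f"{fname.lower()}{self.counter[fname]}"
            self.fresh[key] = name
            self.apps.setdefault(fname, []).append((rargs, name))
        return self.fresh[key]

    def formula(self, f):
        op = f[0]
        if op in ("=", "!="):
            return (op, self.term(f[1]), self.term(f[2]))
        return (op,) + tuple(self.formula(g) for g in f[1:])

    def constraints(self):
        """For each pair of applications of one function: args equal -> results equal."""
        out = []
        for apps in self.apps.values():
            for (a1, v1), (a2, v2) in combinations(apps, 2):
                antecedent = conj([("=", x, y) for x, y in zip(a1, a2)])
                out.append(("imp", antecedent, ("=", v1, v2)))
        return out


def conj(fs):
    """Left-nested conjunction of a non-empty list of formulas."""
    f = fs[0]
    for g in fs[1:]:
        f = ("and", f, g)
    return f


def reduce_formula(phi):
    """The equality-only formula: (consistency constraints) -> phi with applications replaced."""
    red = Ackermann()
    body = red.formula(phi)
    cons = red.constraints()
    return ("imp", conj(cons), body) if cons else body


def show(f):
    """Pretty-printer for the nested-tuple formulas."""
    op = f[0]
    if op in ("=", "!="):
        return f"{f[1]}{'=' if op == '=' else '≠'}{f[2]}"
    sym = {"and": " ∧ ", "or": " ∨ ", "imp": " → "}[op]
    return "(" + sym.join(show(g) for g in f[1:]) + ")"


def app(fname, *args):
    return ("app", fname, args)


# The slide's formula with uninterpreted functions F and G (constructed here as data)
PHI_UF = ("imp",
          conj([("=", "u1", app("F", "x1", "y1")),
                ("=", "u2", app("F", "x2", "y2")),
                ("=", "z", app("G", "u1", "u2"))]),
          ("=", "z", app("G", app("F", "x1", "y1"), app("F", "x2", "y2"))))

if __name__ == "__main__":
    print(show(reduce_formula(PHI_UF)))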

In search for an efficient decision procedure
• A folk theorem: finite instantiations with 1..n.
• Sajid et al. (CAV'98): encode each comparison (x=y) with a Boolean variable e_xy. A special BDD traversing algorithm maintains the lost transitivity.
  • Major improvement compared to finite instantiations with 1..n.
  • The traversing algorithm is worst-case exponential.
  • The number of encoding bits is worst case (n choose 2) (vs. n log n in finite instantiations).
• Bryant et al. (CAV'99): in positive equality formulas, replace each UIF with a unique constant.

Finite instantiations revisited
φ: ((x1=x2 ∧ y1=y2 → f1=f2) ∧ (u1=f1 ∧ u2=f2 → g1=g2)) → ((u1=f1 ∧ u2=f2 ∧ z=g1) → z=g2)
Instead of giving the range [1..11], analyze connectivity. The graph on the 11 variables x1, x2, y1, y2, g1, g2, z, u1, f1, f2, u2 falls into connected components, and each variable gets a range the size of its component:
  x1, y1, x2, y2 : {0-1}
  u1, f1, f2, u2 : {0-3}
  g1, g2, z : {0-2}
The state-space: from 11^11 to ~10^5

Or even better, combine connectivity with the n! upper bound (the i-th variable of a component ranges over {0..i-1}):
  x1, y1, g1, u1 : {0}
  x2, y2, g2, f1 : {0-1}
  f2, z : {0-2}
  u2 : {0-3}
The state-space: from ~10^5 to 576

The range-minimization problem
Given a quantifier-free formula φ with equalities only, find in polynomial time a small domain sufficient to preserve its truth value:
  D: infinite domain; D*: finite domain; D* ⊆ D

Analyzing the formula structure
Assume φ is given in positive form, and contains no constants.
Let At(φ) be the set of all atomic formulas of the form xi = xj or xi ≠ xj appearing in φ.
A subset B = {a1, …, ak} ⊆ At(φ) is consistent if a1 ∧ … ∧ ak is satisfiable; e.g. B = {xi = xj, xi ≠ xj} is inconsistent.
A range allocation R is adequate for At(φ) if every consistent subset B ⊆ At(φ) can be satisfied under R.

Examples:
  φ                                   At(φ)                      R
  (x1=x2) ∧ (x2=x3)                   {(x1=x2), (x2=x3)}         x1, x2, x3 : {0}
  (x1≠x2) ∧ (x2≠x3)                   {(x1≠x2), (x2≠x3)}         x1 : {0}, x2 : {1}, x3 : {2}
  (x1≠x2) ∧ (False ∨ (x1=x2))         {(x1≠x2), (x1=x2)}         x1 : {0}, x2 : {0,1}
  (x1=x2) ∧ (False ∨ (x1≠x2))         {(x1≠x2), (x1=x2)}         x1 : {0}, x2 : {0,1}
The price of a polynomial procedure: At(φ) holds less information than φ.

The atomic sub-formulas of φ
φ: ((x1=x2 ∧ y1=y2 → f1=f2) ∧ (u1=f1 ∧ u2=f2 → g1=g2)) → ((u1=f1 ∧ u2=f2 ∧ z=g1) → z=g2)
Split At(φ) into two sets (validity of φ is checked as satisfiability of its negation in positive form, so the atoms of the antecedent change polarity):
  A= : {(f1=f2), (g1=g2), (u1=f1), (u2=f2), (z=g1)}
  A≠ : {(x1≠x2), (y1≠y2), (u1≠f1), (u2≠f2), (z≠g2)}

A graphical representation
Vertices: x1, x2, y1, y2, g1, g2, z, u1, f1, f2, u2.
Dashed edges (G=, one per atom of A=): f1–f2, g1–g2, u1–f1, u2–f2, z–g1.
Solid edges (G≠, one per atom of A≠): x1–x2, y1–y2, u1–f1, u2–f2, z–g2.
Note:
1. Inconsistent subsets appear as contradictory cycles (a cycle with exactly one solid edge).
2. Some of the vertices are mixed (incident to both a solid and a dashed edge).

The range-allocation algorithm
Step I - pre-processing:
A. Remove all solid edges not belonging to contradictory cycles.
B. Add a single unique value to singleton vertices, and remove them from the graph.
On the example: the solid edges x1–x2 and y1–y2 lie on no contradictory cycle and are removed; x1, x2, y1, y2 become singletons and receive the unique values {0}, {1}, {2}, {3}.

Step II - set construction:
A. For each mixed vertex xi:
   1. Add a unique value ui to R(xi)
   2. Broadcast ui on G=
   3. Remove xi from the graph
B. Add a single unique value to each remaining G= component
On the component {g1, g2, z}:
   1. The mixed vertex g2 gets the unique value 4, which is broadcast on G=: g1 : {4}, g2 : {4}, z : {4}; g2 is removed.
   2. The remaining G= component {g1, z} gets the unique value 5: g1 : {4,5}, g2 : {4}, z : {4,5}.

On the component {u1, f1, f2, u2} (all four vertices are mixed):
   1. u1 gets the unique value 6, broadcast on G= to f1, f2, u2; u1 is removed: u1 : {6}, f1 : {6}, f2 : {6}, u2 : {6}
   2. f2 (still mixed) gets 7, broadcast to f1 and u2; f2 is removed: f1 : {6,7}, f2 : {6,7}, u2 : {6,7}
   3. Step B: the remaining G= components {f1} and {u2} get the unique values 8 and 9: f1 : {6,7,8}, u2 : {6,7,9}
Result: u1 : {6}, f1 : {6,7,8}, f2 : {6,7}, u2 : {6,7,9}

Is the allocated range always adequate?
We have to satisfy every consistent subset B ⊆ At(φ):
» For all x ∈ B, assign the smallest value allocated in step A to a mixed vertex which is G=(B)-connected to x.
» If there isn't any, choose the value given in step B.
(Figure: the example graph with the allocated ranges x1, x2, y1, y2 : {0}, {1}, {2}, {3}; g1 : {4,5}, g2 : {4}, z : {4,5}; u1 : {6}, f1 : {6,7,8}, f2 : {6,7}, u2 : {6,7,9}.)
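Steps I and II of the range-allocation algorithm, run on the slides' formula and followed by a brute-force check of the adequacy claim above, as an added example (the editor's code, not the slides' or the Range Minimizer's implementation). The variable names and the two atom sets A= and A≠ are taken from the slides; the order in which mixed vertices are processed is a parameter, and every other name is this example's own. The brute-force check enumerates all subsets of At(φ), keeps the consistent ones, and searches the allocated ranges for a satisfying assignment; it also computes the connectivity-only allocation from the "Finite instantiations revisited" slide for comparison.

```python
"""Range allocation (Step I + Step II) with a brute-force adequacy check.
Added example, not the slides' own code."""
from itertools import count, product

# Taken from the slides: the 11 variables and At(phi) split into A= and A!=
VARS = ["x1", "x2", "y1", "y2", "g1", "g2", "z", "u1", "f1", "f2", "u2"]
A_EQ = [("f1", "f2"), ("g1", "g2"), ("u1", "f1"), ("u2", "f2"), ("z", "g1")]
A_NEQ = [("x1", "x2"), ("y1", "y2"), ("u1", "f1"), ("u2", "f2"), ("z", "g2")]


def components(vertices, edges):
    """Map each vertex to the frozenset of its connected component (union-find)."""
    parent = {v: v for v in vertices}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = {}
    for v in vertices:
        groups.setdefault(find(v), set()).add(v)
    return {v: frozenset(groups[find(v)]) for v in vertices}


def allocate(variables, a_eq, a_neq, order=None):
    """Return R: variable -> sorted values. `order` decides which mixed vertex goes first."""
    order = list(order or variables)
    fresh = count()                                # unique values 0, 1, 2, ...
    R = {v: set() for v in variables}
    dashed = {tuple(sorted(e)) for e in a_eq}      # G= edges
    solid = {tuple(sorted(e)) for e in a_neq}      # G!= edges
    alive = set(variables)

    def touching(v, edges):
        return {e for e in edges if v in e}

    # Step I.A: a solid edge lies on a contradictory cycle iff its endpoints are
    # joined by a dashed path; every other solid edge is dropped.
    comp = components(variables, dashed)
    solid = {e for e in solid if comp[e[0]] == comp[e[1]]}
    # Step I.B: singleton vertices get one unique value and leave the graph.
    for v in order:
        if not touching(v, dashed) and not touching(v, solid):
            R[v].add(next(fresh))
            alive.discard(v)
    # Step II.A: a mixed vertex gets a unique value, broadcast over its current
    # G= component, then it is removed together with its edges.
    for v in order:
        if v in alive and touching(v, dashed) and touching(v, solid):
            u = next(fresh)
            for w in components(alive, dashed)[v]:
                R[w].add(u)
            alive.discard(v)
            dashed -= touching(v, dashed)
            solid -= touching(v, solid)
    # Step II.B: one unique value per remaining G= component (taken in `order`).
    comp = components(alive, dashed)
    for c in sorted(set(comp.values()), key=lambda c: min(order.index(w) for w in c)):
        u = next(fresh)
        for w in c:
            R[w].add(u)
    return {v: sorted(R[v]) for v in variables}


def connectivity_ranges(variables, a_eq, a_neq):
    """'Finite instantiations revisited': range size = size of the variable's component."""
    comp = components(variables, list(a_eq) + list(a_neq))
    return {v: list(range(len(comp[v]))) for v in variables}


def state_space(R):
    n = 1
    for values in R.values():
        n *= len(values)
    return n


def consistent(eqs, neqs, variables):
    """B is consistent iff no disequality joins two variables its equalities merge."""
    comp = components(variables, eqs)
    return all(comp[a] != comp[b] for a, b in neqs)


def adequate(R, variables, a_eq, a_neq):
    """Brute force: every consistent subset B of At(phi) is satisfiable under R."""
    atoms = [("=", e) for e in a_eq] + [("!=", e) for e in a_neq]
    for mask in range(1, 1 << len(atoms)):
        B = [atoms[i] for i in range(len(atoms)) if mask >> i & 1]
        eqs = [e for op, e in B if op == "="]
        neqs = [e for op, e in B if op == "!="]
        if not consistent(eqs, neqs, variables):
            continue
        used = sorted({v for _, e in B for v in e})
        for values in product(*(R[v] for v in used)):
            asg = dict(zip(used, values))
            if all(asg[a] == asg[b] for a, b in eqs) and all(asg[a] != asg[b] for a, b in neqs):
                break
        else:
            return False   # a consistent B that no assignment from R satisfies
    return True


GOOD_ORDER = ["f1", "f2"] + [v for v in VARS if v not in ("f1", "f2")]  # a vertex cover first

if __name__ == "__main__":
    for label, R in [("basic", allocate(VARS, A_EQ, A_NEQ)),
                     ("cover first", allocate(VARS, A_EQ, A_NEQ, GOOD_ORDER))]:
        print(label, state_space(R), adequate(R, VARS, A_EQ, A_NEQ), R)
    print("connectivity only", state_space(connectivity_ranges(VARS, A_EQ, A_NEQ)))
```

With the variables processed in the listed order the allocation has a state space of 72 and the connectivity-only allocation about 10^5; putting the vertex cover {f1, f2} of the solid edges first brings the state space down to 48, matching the "basic" and "order" entries of the state-space story later in the deck. Both allocations pass the exhaustive adequacy check, while a trivial allocation that gives every variable the single value 0 fails it on the consistent subset {x1 ≠ x2}.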

Order makes a difference
The vertices removed in step A constitute a vertex cover of G≠. We will look for a minimal vertex cover (mvc).
  Bad ordering (u1 first, then f2): u1 : {6}, f1 : {6,7,8}, f2 : {6,7}, u2 : {6,7,9}; state space: 18
  Good ordering (the cover {f1, f2} first): u1 : {6,8}, f1 : {6}, f2 : {6,7}, u2 : {6,7,9}; state space: 12

Order makes a difference
(Figure: G≠ and its quotient G≠/mvc.)

Colors make a difference
When should mvc vertices be assigned different values?
  Good ordering: u1 : {6,8}, f1 : {6}, f2 : {6,7}, u2 : {6,7,9}; state space: 12; unique values: 4
  With coloring: u1 : {6,8}, f1 : {6}, f2 : {6}, u2 : {6,7}; state space: 4; unique values: 3

Colors make a difference
Two mixed vertices are incompatible if there is a path between them with one solid edge.
Coloring the incompatibility graph: (figure on the mixed vertices x, y, z, w)

The final allocation (figure): x1 : {0}, x2 : {1}, y1 : {2}, y2 : {3}; g1 : {4,5}, g2 : {4}, z : {4,5}; u1 : {6,7}, f1 : {6}, f2 : {6}, u2 : {6,8}
A state-space story:
  1..n : 11^11
  1..i : 11!
  connectivity with 1..n : ? (about 10^5)
  connectivity with 1..i : 576
  Range allocation algorithm: basic 72, with ordering 48, with coloring 16

A new upper bound for the state-space
For each connected G= component k: nk = |G=k| (its number of vertices), mk = |mvck|, yk = the number of colors in mvck (yk ≤ mk).
  State-space ≤ ∏k yk! · (yk + 1)^(nk − mk)
The worst case: double cliques, back to n!
• One connected component (nk = n)
• All vertices are mixed
• Worst vertex cover: mk = nk − 1
• Worst coloring: yk = mk
(Figure: a 4 double-clique.)

Before and after, in SMV
Before:
  MODULE main
  VAR
    H_zN1_693_c : 0..31;
    zN1_693_c : 0..31;
    N1_643_c : 0..31;
    T1_c : 0..31;
    T1_644_c : 0..31;
    N1_c : 0..31;
    f_plus1 : 0..31;
    f_plus2 : 0..31;
    f_minus1 : 0..31;
    f_minus2 : 0..31;
    f_minus3 : 0..31;
    f_minus4 : 0..31;
    f_mul1 : 0..31;
    f_mul2 : 0..31;
    f_div1 : 0..31;
    f_div2 : 0..31;
    f_div3 : 0..31;
    f_div4 : 0..31;
    sqrt_1 : 0..31;
    sqrt_2 : 0..31;
    POSM_c : boolean;
    POSM_33_c : boolean;
    H0_99_c : boolean;
After:
  MODULE main
  VAR
    H_zN1_693_c : {33};
    zN1_693_c : {33};
    N1_643_c : {19};
    T1_c : {27};
    T1_644_c : {27,28};
    N1_c : {19};
    f_plus1 : {0,21,22};
    f_plus2 : {21,0};
    f_minus1 : {8,9,10,11};
    f_minus2 : {8,9,10,11};
    f_minus3 : {8,9,10,11};
    f_minus4 : {8,9,10,11};
    f_mul1 : {16};
    f_mul2 : {16};
    f_div1 : {23,24,25};
    f_div2 : {23,24,25};
    f_div3 : {24,23};
    f_div4 : {23};
    sqrt_1 : {29};
    sqrt_2 : {29,30};
    POSM_c : boolean;
    POSM_33_c : boolean;
    H0_99_c : boolean;

Experimental results
• A design of a SNECMA turbine engine with Sildex™ results in a verification condition of about 6000 lines.
• Before: 92% verified in reasonable time. After: 100% verified in reasonable time.
• Some of the formulas had 150 integer variables and more.
The implementation is available at: http://www.wisdom.weizmann.ac.il/~ofers/sat/bench.htm