Decision procedures an algorithmic point of view download
Finding a good variable order is a subject that has been researched extensively and has yielded many PhD theses. It is an NP-complete problem to decide whether a given variable order is optimal [36]. There is a very large body of work on BDDs and their extensions — variable-ordering strategies are only one part of this work.
Another interesting topic is alternatives to Apply. As part of Problem 2. Consider three persons A, B, and C who need to be seated in a row. A does not want to sit in the left chair.
B does not want to sit to the right of C. If so, give an assignment. Problem 2. Show that the two if-then-else expressions below are equivalent:!
Show the implication graph at each decision level. The transition function determines to which states we can move given the current state and input. For example, the automaton in Fig. A CNF formula in which no clause has more than two literals.
Show a polynomial-time algorithm that solves each of the problems above. In other words, in the resulting formula all the clauses are either unary, binary, or have not more than one positive literal. How many additional variables are necessary for the conversion? Hint: you may use the notion of dominators from graph theory.
How can the condition that you suggest be implemented inside a SAT solver? Hint: think of CNF formulas as sets of clauses.
All binary Boolean operators can be expressed as such expressions. Assume that x labels the root nodes of two BDDs f and g, and that we need to compute ite c, f, g. Present pseudocode for constructing a BDD for the ite operator. Describe the data structure that you assume. Explain how your algorithm can be used to replace Apply. Based on [47]. Let f be a function mapping a vector of m Boolean variables to an integer, i. Numerous SAT solvers were developed through the years on the basis of this framework.
The alternative approach of stochastic solvers, which were not discussed in length in this chapter, was led for many years by the GSAT and WalkSat solvers [].
The introduction of Chaff in [] 2. New SAT solvers are introduced every year; readers interested in the latest tools should check the results of the annual SAT competitions. Then, given a problem instance, the run time of each of the n solvers is predicted, and accordingly the solver is chosen for the task. SATzilla [] is a successful algorithm portfolio based on these ideas that won several categories in the competition.
There are many algorithms for minimizing such cores — see, for example, [81, 98, , ]. The description of the main SAT procedure in this chapter was inspired mainly by [, ]. Earlier versions of this problem were more restricted, for example the work of Hooker [96] and of Kim, Whittemore, Marques-Silva, and Sakallah [].
Probably the best-known is related to complexity theory: SAT played a major role in the theoretical breakthrough achieved by Cook in [50], who showed that every NP problem can be reduced to SAT.
By translating problems to CNF we may lose high-level information about the problem, but we can also gain low-level information that is harder to detect in the original representation of the problem. An interesting angle of SAT is that it attracts research by physicists! There is a well-known result showing empirically that randomly generated SAT instances are hardest when the ratio between the numbers of clauses and variables is around 4. Another interesting result is that as the formula grows, the phase transition sharpens, asymptotically reaching a sharp phase transition, i.
There have been several articles about these topics in Science [, ], Nature [] and even The New York Times [].
Binary Decision Diagrams
Binary decision diagrams were introduced by Lee in [], and explored further by Akers [3]. Together they form what we now refer to as reduced ordered BDDs. Numerous extensions of ROBDDs exist in the literature, some of which extend
5 The origin of this interest is in statistical mechanics.
Multiterminal BDDs also discussed in Problem 2. First used on page. In practice, even without this restriction, memory is rarely the bottleneck.
We leave the proof of this claim as an exercise Problem 4. Why should we study both, then? It is more natural and convenient to use equality logic for modeling certain problems
1 The restriction to a single domain (also called a single type or a single sort) is not essential. It is introduced for the sake of simplicity of the presentation.
This information may be lost if the problem is modeled directly in propositional logic. Boolean variables can easily be eliminated from the input formula by replacing each such variable with an equality between two new variables.
The same observation applies to many of the other theories that we consider in this book. Problem 3. Unless otherwise stated, we assume from here on that the input equality formulas do not have constants.
Uninterpreted functions are used for abstracting, or generalizing, theorems. Aside: The Logic Perspective To explain the meaning of uninterpreted functions from the perspective of logic, we have to go back to the notion of a theory, which was explained in Sect. Recall the set of axioms 1.
Only a single additional axiom (an axiom scheme, actually) is necessary in order to extend equality logic to EUF. Uninterpreted predicates are treated in a similar way. Under certain conditions, uninterpreted functions let us reason about systems while ignoring the semantics of some or all functions, assuming they are not necessary for the proof. What does it mean to ignore the semantics of a function? Ignoring the semantics of the function means that an interpretation need not satisfy these axioms in order to satisfy the formula.
The only thing it needs to satisfy is an axiom stating that the uninterpreted function, like any function, is consistent, i. This is the requirement of functional consistency (also called functional congruence): Functional consistency: Instances of the same function return the same value if given equal arguments.
There are many cases in which the formula of interest is valid regardless of the interpretation of a function. Assume that we have a method for checking the validity of an EUF formula. Relying on this assumption, the basic scheme for using uninterpreted functions is the following: 1. The transformation in step 2 comes at a price, of course, as it loses information. As mentioned earlier, it causes the procedure to be incomplete, even if the original formula belongs to a decidable logic.
When there exists a decision procedure for the input formula but it is too computationally hard to solve, one can design a procedure in which uninterpreted functions are gradually substituted back to their interpreted versions. We shall discuss this option further in Sect. Two C functions.
In the present case, however, equivalence can be decided. The derivation of these relations from these two programs can be done as follows: 1.
Unroll the for loop. Replace the left-hand side variable in each assignment with a new auxiliary variable. Wherever a variable is read (referred to in an expression), replace it with the auxiliary variable that replaced it in the last place where it was assigned.
Conjoin all program statements. See also Example 1. Two formulas corresponding to the programs a and b in Fig. The motivation in this case is computational: deciding formulas with multiplication over, for example, bit variables is notoriously hard.
Replacing the multiplication symbol with uninterpreted functions can solve the problem. Similarly, if we also had addition, we could replace all of its instances with another uninterpreted function, say F. Instead of validating 3. Other examples of the use of uninterpreted functions are presented in Sect. Instead, we rely on the strongest property that is common to all functions, namely functional consistency.
The situation is more complicated when considering functions in programming languages 3. Therefore, the set of states reachable by the two programs can be represented and searched. The former is somewhat more intuitive to understand, but also imposes certain restrictions on the decision procedures that can be used to solve it, unlike the latter.
In the discussion that follows, for the sake of simplicity, we make several assumptions regarding the input formula: it has a single uninterpreted function, with a single argument, and no two instances of this function have the same argument. The generalization of the reductions is rather straightforward, as the examples later on demonstrate. Example 3.
Functional consistency is guaranteed in that case only if we consider all the data that the function may read including global variables, static variables, and data read from the environment as argument of the function, and provided that the program is single-threaded. Assign indices to the uninterpreted-function instances from subexpressions outwards. Denote by Fi the instance of F that is given the index i, and by arg Fi its single argument.
Recall our main example. We left it in Fig. This example also demonstrates how to generalize the reduction to functions with several arguments: only if all arguments of a pair of function instances are the same (pairwise), the return value of the function is forced to be the same. Our example has four instances of the uninterpreted function G, G out0 a, in , G out1 a, in , G in, in , and G G in, in , in , which we number in this order.
On the basis of 3. This is interesting. However, this is not the same as the above equation. So what has happened here? The reader may observe that most of these constraints are in fact redundant. The validity of the formula depends on G out0 a, in being equal to G in, in , and G out1 a, in being equal to G G in, in , in. In practice, such observations are important because the quadratic growth in the number of functional-consistency constraints may become a bottleneck.
More details of this technique can be found in []. Finally, we consider the case in which there is more than one function symbol. We leave this and other extensions as an exercise Problem 3. The generalization of Algorithm 3. Let us return to our main example of this chapter, the problem of proving the equivalence of programs a and b in Fig. We continue from Fig. Recall their origin: the function instances are G out0 a, in , G out1 a, in , G in, in and G G in, in , in , which we number in this order.
If there are multiple uninterpreted-function symbols, the reduction is applied to each of them separately, as demonstrated in the following example, in which we consider the formula of Example 3. It has implications for the decision procedure that one can use when solving the resulting formula.
We discuss this point further in Sect. This is not surprising, as we clearly lose information by replacing concrete, interpreted functions with uninterpreted functions. Further, suppose that we 3. Since in Algorithms 3. One may add, of course, additional constraints that capture more information about the original function — commutativity, in the case of the example above.
In other words, by adding these constraints we make them partially interpreted functions, as we model some of their properties. For the multiplication function, for example, we can add a constraint that if one of the arguments is equal to 0, then so is the result.
Generally, the more abstract the formula is, the easier it is, computationally, to solve it. On the other hand, the more abstract the formula is, the fewer correct facts about its original version can be proven. The right abstraction level for a given formula can be found by a trial-and-error process. The correctness of this step is implied by 3. The optional step that follows step 4 is not necessary for the soundness of the algorithm, but only for its performance.
Plenty of room for creativity is left when one is implementing such an algorithm: which constraints to add in step 5? When to resort to the original interpreted functions? How to implement step 4? An instance of such a procedure is described, for the case of bit-vector arithmetic, in Sect. Such rules are the basis of rewriting systems [64, 99], which are used in several branches of mathematics and mathematical logic.
Theorem provers that are based on rewriting systems such as ACL2 [] use hundreds of such rules. Many of these rules can be used in the context of the partially interpreted functions that were studied in Sect.
Rewriting systems, as a formalism, have the same power as a Turing machine. Such implementations require the design of a strategy for applying the rules, and a mechanism based on pattern matching for detecting the set of applicable rules at each step. Return to step 2. Occasionally it happens that properties are correct regardless of the semantics of a certain function, and functional consistency is all that is needed for the proof.
In such cases, replacing the function with an uninterpreted function can simplify the proof. In the chip design industry, proving equivalence between two versions of a hardware circuit is a standard procedure.
Another application is translation validation, a process of proving the semantic equivalence of the input and output of a compiler.
Indeed, we end this chapter with a detailed description of these two problem domains. In both applications, it is expected that every function on one side of the equation can be mapped to a similar function on the other side.
In such cases, replacing all functions with an uninterpreted version and using one of the reductions that we saw in Sects.
The computation is split into phases, called pipeline stages. This allows one to speed up the computation by making use of concurrent computation, as is done in an assembly line in a factory. The clock frequency of a circuit is limited by the length of the longest path between latches i. Figure 3. For the sake of simplicity, we assume that they each impose the same delay. The circuit applies function F to the inputs in, and stores the result in latch L1. A multiplexer is a circuit that selects between two inputs according to the value of a Boolean signal.
In this case, this selection signal is computed by a function C. Showing the correctness of a transformation of a pipelined circuit using uninterpreted functions. After the transformation, the circuit has a shorter longest path between stages, and thus can be operated at a higher clock frequency Observe that the second stage contains two functions, G and K, where the output of G is used as an input for K.
Suppose that this is the longest path within the circuit. We now aim to transform the circuit in order to make it work faster. This can be done in this case by moving the gates represented by K down into the third stage. Observe also that only one of the values in L3 and L4 is used, as the multiplexer selects one of them depending on C.
We can therefore remove one of the latches by introducing a second multiplexer in the second stage. The circuit after these changes is shown in Fig. We can show that the transformations are correct by proving that for all inputs, the conjunction of the above equalities implies 3.
Unlike the hardware example, we start from interpreted functions and replace them with uninterpreted functions. Namely, if the two arguments of the original terms are equal, then the terms should be equal. For the purpose of demonstrating the use of uninterpreted functions, whether we use an implication or an equivalence is immaterial. Suppose that we are attempting to perform translation validation for a compiler that does not perform heavy arithmetic optimizations.
In such a case, the scheme above will probably succeed. Prove that given an equality logic formula, Algorithm 3. Extend Algorithm 3. Suppose that in Algorithm 3. Symbol Refers to. With the exception of Sect. As an alternative, Shostak proposed in a method for handling uninterpreted functions directly. The version of the algorithm that is presented here assumes that the uninterpreted functions have a single argument. The extension to the general case is left as an exercise Problem 4.
Build congruence-closed equivalence classes. All other variables form singleton equivalence classes. Repeat until there are no more classes to be merged. Repeat until there are no more such instances. Variants of Algorithm 4. This can work well as long as there are not too many cases to consider.
This problem arises with all the theories that we study in this book. There are two main approaches. A second approach is based on a full reduction to propositional logic, and is the subject of the rest of this chapter.
We assume from here on that uninterpreted functions have already been eliminated, i. Recall that we are also assuming that the formula is given to us in NNF and without constants. It is possible, of course, that an equality may appear in the equality literals set and its negation in the disequality literals set. Example 4. We may write simply GE for an equality graph when the formula it corresponds to is clear from the context. Graphically, equality literals are represented as dashed edges and disequality literals as solid edges, as illustrated in Fig.
An equality graph. Consider Fig. In this case, both paths are simple. We say that the graph, in this case, contains a contradictory cycle. In an equality graph, a contradictory cycle is a cycle with exactly one disequality edge. Furthermore, since we have assumed that there are no constants in the formula, these are the only topologies that have this property.
Consider, for example, a contradictory cycle with nodes x1 ,. The conjunction 4. All the decision procedures that we consider refer explicitly or implicitly to contradictory cycles.
For most algorithms we can further simplify this definition by considering only simple contradictory cycles. A cycle is simple if it is represented by a path in which none of the vertices is repeated, other than the starting and ending vertices.
Algorithm 4. If any rewriting has occurred in the previous two steps, go to step 2. Consider 4. Figure 4. The equality graph corresponding to Example 4. An equality graph corresponding to 4. Although we leave the formal proof of the correctness of Algorithm 4. This is implied by the monotonicity of NNF formulas see Theorem 1. Only a proof sketch and an example will be given here. The following simple observation can be helpful in this construction: given a satisfying assignment to an equality formula, shifting the values in the assignment uniformly maintains satisfaction because the values of the equality predicates remain the same.
The same observation applies to an assignment of some of the variables, as long as none of the predicates that refer to one of these variables becomes false owing to the new assignment.
Consider, for example, 4. This procedure was originally presented by Bryant and Velev in [39] under the name of the sparse method.
The other direction, however, does not hold. For example, while 4. This is the role of Btrans. The formula Btrans is a conjunction of implications, which are called transitivity constraints.
Each such implication is associated with a cycle in the nonpolar equality graph. For a cycle with n edges, Btrans forbids an assignment false to one of the edges when all the other edges are assigned true. A chord of a cycle is an edge connecting two nonadjacent nodes of the cycle. If a cycle has no chords in a given graph, it is called a chord-free cycle. Bryant and Velev proved the following theorem: Theorem 4. For a formal proof, see [39]. The following example may be helpful for developing an intuition as to why this theorem is correct.
Consider the cycle x3 , x4 , x8 , x7 in one of the two graphs in Fig. It contains the chord x3 , x8 and, hence, is not chord-free. Now assume that we wish to assign true to all edges in this cycle other than x3 , x4. If x3 , x8 is assigned true, then the assignment to the simple chord-free cycle x3 , x4 , x8 contradicts transitivity.
If x3 , x8 is assigned false, then the assignment to the simple chord-free cycle x3 , x7 , x8 contradicts transitivity. The number of simple chord-free cycles in a graph can still be exponential in the number of vertices. Hence, building Btrans such that it directly constrains every such cycle can make the size of this formula exponential in the number of variables.
A chordal graph is an undirected graph in which no cycle of size 4 or more is chord-free. Every graph can be made chordal in a time polynomial in the number of vertices. We use solid edges, but note that these should not be confused with the solid edges in polar equality graphs, where they denote
2 We simply remove all vertices from the graph one by one, each time connecting the neighbors of the eliminated vertex if they were not already connected.
The original graph plus the edges added in this process is a chordal graph. After the graph has been made chordal, it contains four triangles and, hence, Btrans conjoins 12 constraints.
There exists a version of this algorithm that is based on the polar equality graph, and generates a smaller number of transitivity constraints. See Problem 4. Furthermore, in equality logic there is a computable bound on the size of such a model. A domain is adequate for a set of formulas if it is adequate for each formula in the set. Theorem 4. Since all partitions into equivalence classes over n variables are possible in the domain 1,.
This is very encouraging, because it is already better than the worst-case complexity of Algorithm 4. Aside: The Complexity Gap Why is there a complexity gap between domain allocation and the encoding method that we described in Sect. Where is the wasted work in Equality-Logic-to-Propositional-Logic?
The former requires one bit per element in this set, or a total of n bits, while the latter requires only log n bits. The domain 1,. We can do better if we do not insist on a uniform domain allocation, which allocates the same domain to all variables. As argued in the proof of Theorem 4.
Assign i to all the variables in C. Since all the other variables in C have indices higher than i, i domain, and hence this assignment is feasible.
This The adequate domain suggested in Theorem 4. In fact, it is conjectured that n! Let us now consider the case in which the formula contains constants. Assume, without loss of generality, that the constants are c1 4. The proof is left as an exercise Problem 4. The adequate domain suggested in Theorem 4. As stated in Sect. The next few sections are dedicated to an algorithm that reduces the allocated domain further, based on an analysis of the equality graph associated with the input formula.
It is not surprising that the best size of adequate domain allocation for the whole set is so high. By paying attention to additional structural similarities of formulas, we can form smaller sets of formulas and obtain much smaller adequate domain allocations. Thus, we should not worry about 4. We should, however, be able to satisfy 4. The answer is that we need only to be able to satisfy consistent subsets of literals, i.
A set e of equality literals is consistent if and only if it does not contain one of the following two patterns: 1. We refer to the values that were added in steps I. C, II. B as the characteristic values of these vertices. Note that every vertex is assigned a single characteristic value.
Vertices that are assigned their characteristic values in steps I. C and II. B are called communally assigned vertices. We assume that new values are assigned in ascending order, so that char xi 4.
For each constant-vertex ci in GE , do: 1. Empty item, for the sake of symmetry with step II. Remove ci and its adjacent edges from the graph. For every singleton vertex xi (a vertex comprising a connected component by itself), add to D xi a new value ui. Remove xi and its adjacent edges from the graph. Value allocation A. While there are mixed vertices in GE do: 1. Choose a mixed vertex xi. Add ui , a new value, to D xi. Applying Algorithm 4.
Application of Algorithm 4. This improvement is the subject of Problem 4. In this case the component z, g1 , g2 is handled as follows: in step I. The edge z, g2 , now no longer part of a contradictory cycle, is then removed in step I. B and a distinct new value is added to each of these variables in step I. A and II. A are iterated a number of times not more than the number of vertices in the graph; step I.
B, II. We begin by describing a procedure which, given the allocation D produced by this algorithm 4. Otherwise, assign to xi its communally assigned value char xi. To see why all vertices are assigned a value by this procedure, observe that every vertex is allocated a characteristic value before it is removed.
This can be an individual characteristic value allocated in steps I. Every vertex xi that has an individual characteristic value can be assigned a value ae xi by R1, because it has at least the empty equality path leading to an individually allocated vertex, namely itself. All other vertices are allocated a communal value that makes them eligible for a value assignment by R2.
Consider the D-sets in Fig. Let us apply the above assignment procedure to a consistent subset e that contains all edges, excluding the two edges between u1 and f1 , the dashed edge between g1 and g2 , and the solid edge between f2 and u2 see Fig. The consistent set of edges e considered in Example 4.
A, and consequently it has the minimal characteristic value. The assignment procedure is feasible i. Since xi and all the vertices on this path were still part of the graph when xj was removed in step II.
A, then char xj was added to D xi according to step II. Thus, the assignment of char xj to xi is feasible. Next, consider the vertices that are assigned a value by R2. Every vertex that was removed in step I. C or II. A is clearly assigned a value by R1. All the other vertices were communally assigned a value in step II. In particular, the vertices that do not have a path to an individually assigned vertex were assigned such a value.
Thus, the two steps of the assignment procedure are feasible. Thus, in both cases they are assigned the same value. The remaining case is when both xi and xj were assigned values by R2. The fact that they were not assigned values in R1 implies that their characteristic values are not individually allocated, but communally allocated. This means that xi and xj were allocated their communal values in the same step, II.
B, of the allocation algorithm, which implies that they had an equality path between them moreover, this path was still part of the graph at the beginning of step II.
According to the loop condition of this step, at the end of this step there are no mixed vertices left, which rules out the possibility that xi , xj was still part of the graph at that stage. Thus, at least one of these vertices was individually assigned a value in step II. By Theorems 4. Domain allocation has the advantage of not changing in particular, not increasing the original formula, unlike the algorithm that we studied in Sect.
Moreover, Algorithm 4. On the other hand, this domain is not adequate for 4. In order to satisfy 4. But the domains allocated in 4. It turns out that not all of the edges that are associated with the functional-consistency constraints are necessary, which, in turn, results in a smaller allocated range. Consider Algorithm 4. What is the complexity of your implementation? What is the complexity of your algorithm?
Here, the authors focus on theories that are expressive enough to model real problems, but are still decidable. Specifically, the book concentrates on decision procedures for first-order theories that are commonly used in automated verification and reasoning, theorem-proving, compiler optimization and operations research.
The techniques described in the book draw from fields such as graph theory and logic, and are routinely used in industry. Then, in separate chapters, they study decision procedures for the following theories.
Each chapter includes a detailed bibliography and exercises.