CS156: the Calculus of Computation

The Theory of Equality TE

CS156: The Calculus of Σ : =, a, b, c, ..., f , g, h, ..., p, q, r, ... E { } Computation uninterpreted symbols: constants a, b, c,... Zohar Manna • functions f , g, h,... • Winter 2010 predicates p, q, r,... • Example: x = y f (x) = f (y) T -unsatisfiable ∧ 6 E f (x)= f (y) x = y T -satisfiable ∧ 6 E f (f (f (a))) = a f (f (f (f (f (a))))) = a f (a) = a ∧ ∧ 6 TE -unsatisfiable x = g(y, z) f (x)= f (g(y, z)) T -valid Chapter 9: Quantifier-free Equality and Data → E Structures

Page 1 of 48 Page 2 of 48

Axioms of TE Axiom schema 1. x. x = x (reflexivity) 5. for each positive integer n and n-ary predicate symbol p, ∀ 2. x, y. x = y y = x (symmetry) ∀ → n 3. x, y, z. x = y y = z x = z (transitivity) ∀ ∧ → x¯, y¯. xi = yi (p(¯x) p(¯y)) define = to be an equivalence relation. ∀ ! → ↔ i^=1 Axiom schema (predicate) 4. for each positive integer n and n-ary function symbol f , n Thus, for unary p, the axiom is x¯, y¯. xi = yi f (¯x)= f (¯y) ∀ ! → x′, y ′.x′ = y ′ (p(x′) p(y ′)) i^=1 ∀ → ↔ (function) Therefore, For example, for unary f , the axiom is a = b (p(a) p(b)) → ↔ x′, y ′. x′ = y ′ f (x′)= f (y ′) is TE -valid. (x′ a, y ′ b). ∀ → → → Therefore, x = g(y, z) f (x)= f (g(y, z)) → is T -valid. (x x, y g(y, z)). E ′ → ′ → Page 3 of 48 Page 4 of 48 We discuss TE -formulae without predicates Equivalence and Congruence Relations: Basics For example, for Σ -formula E Binary relation R over set S F : p(x) q(x, y) q(y, z) q(x, z) is an equivalence relation if ∧ ∧ → ¬ • ◮ reflexive: s S. sRs; introduce fresh constant and fresh functions fp and fq, and ∀ ∈ • ◮ symmetric: s1, s2 S. s1 R s2 s2 R s1; transform F to ∀ ∈ → ◮ transitive: s , s , s S. s R s s R s s R s . ∀ 1 2 3 ∈ 1 2 ∧ 2 3 → 1 3 G : f (x)= f (x, y)= f (y, z)= f (x, z) = . p • ∧ q • ∧ q • → q 6 • Example: Define the binary relation 2 over the set Z of integers ≡ m n iff (m mod 2) = (n mod 2) ≡2 That is, m, n Z are related iff they are both even or both odd. ∈ is an equivalence relation ≡2 is a congruence relation if in addition • n s, t. s R t f (s) R f (t) . ∀ i i → i^=1 Page 5 of 48 Page 6 of 48

Classes Quotient equivalence equivalence For relation R over set S, The quotient S/R of S by relation R is the congruence congruence equivalence equivalence the class of s S under R is partition of S into classes congruence ∈ congruence def [s]R = s′ S : sRs′ . S/R = [s] : s S . { ∈ } { R ∈ } Example: It satisﬁes total and disjoint conditions. The equivalence class of 3 under 2 over Z is ≡ Example: The quotient Z/ 2 is a partition of Z. The set of [3] 2 = n Z : n is odd . ≡ ≡ { ∈ } equivalence classes

Partitions n Z : n is odd , n Z : n is even A partition P of S is a set of subsets of S that is {{ ∈ } { ∈ }}

◮ total S′ = S Note duality between relations and classes S P ! [′∈ ◮ disjoint S , S P. S = S S S = ∀ 1 2 ∈ 1 6 2 → 1 ∩ 2 ∅ Page 7 of 48 Page 8 of 48 Reﬁnements Closures

Two binary relations R1 and R2 over set S. Given binary relation R over S. R is a refinement of R , R R , if The equivalence closure RE of R is the equivalence relation s.t. 1 2 1 ≺ 2 E E ◮ R refines R , i.e. R R ; s1, s2 S. s1R1s2 s1R2s2 . ≺ ∀ ∈ → ◮ for all other equivalence relations R′ s.t. R R′, E E ≺ R refines R . either R′ = R or R R′ 1 2 ≺ That is, RE is the “smallest” equivalence relation that “covers” R. Examples: Example: If S = a, b, c, d and R = aRb, bRc, dRd , then ◮ For S = a, b , { } { } { } aRE b, bRE c, dRE d since R RE ; R1 : aR1b R2 : aR2b, bR2b • ⊆ { } { } aRE a, bRE b, cRE c by reflexivity; Then R1 R2 • ≺ bRE a, cRE b by symmetry; ◮ For set Z • aRE c by transitivity; R1 : xR1y : x mod 2 = y mod 2 • { } cRE a by symmetry. R2 : xR2y : x mod 4 = y mod 4 • { } Then R R . 2 ≺ 1 Similarly, the congruence closure RC of R is the “smallest” congruence relation that “covers” R.

Page 9 of 48 Page 10 of 48

TE -satisfiability and Congruence Classes I TE -satisfiability and Congruence Classes II Given Σ -formula F Definition: For ΣE -formula E

F : s1 = t1 sm = tm sm+1 = tm+1 sn = tn F : s1 = t1 sm = tm sm+1 = tm+1 sn = tn ∧ ··· ∧ ∧ 6 ∧ ··· ∧ 6 ∧ ··· ∧ ∧ 6 ∧ ··· ∧ 6 with subterm set SF , F is TE -satisfiable iff there exists a the subterm set S of F is the set that contains precisely F congruence relation over S such that the subterms of F . ∼ F ◮ for each i 1,..., m , si ti ; Example: The subterm set of ∈ { } ∼ ◮ for each i m + 1,..., n , s t . ∈ { } i 6∼ i F : f (a, b)= a f (f (a, b), b) = a ∧ 6 Such congruence relation defines TE -interpretation I : (DI , αI ) ∼ of F . D consists of S / elements, one for each congruence is I | F ∼| S = a, b, f (a, b), f (f (a, b), b) . class of SF under . F { } ∼ Note: we consider only quantifier-free conjunctive Σ -formulae. Instead of writing I = F for this T -interpretation, we abbreviate E | E Convert non-conjunctive formula F to DNF F , where each = F i i ∼ | disjunct Fi is a conjunction of =, =. Check each disjunct Fi . F is 6 W The goal of the algorithm is to construct the congruence relation TE -satisfiable iff at least one disjunct Fi is TE -satisfiable. over SF , or to prove that no congruence relation exists. Page 11 of 48 Page 12 of 48 Congruence Closure Algorithm Congruence Closure Algorithm (Details)

F : s1 = t1 sm = tm sm+1 = tm+1 sn = tn Initially, begin with the ﬁnest congruence relation given by the ∧ ··· ∧ ∧ 6 ∧ ··· ∧ 6 ∼0 generate congruence closure search for contradiction partition s : s S . | {z } | {z } {{ } ∈ F } Decide if F is TE -satisﬁable. That is, let each term over SF be its own congruence class. The algorithm performs the following steps: Then, for each i 1,..., m , impose s = t by merging the ∈ { } i i 1. Construct the congruence closure of congruence classes ∼

s = t ,..., s = t [si ] i 1 and [ti ] i 1 { 1 1 m m} ∼ − ∼ − to form a new congruence relation . over the subterm set SF . Then ∼i To accomplish this merging, = s1 = t1 sm = tm . ◮ form the union of [si ] i 1 and [ti ] i 1 ∼ | ∧ ··· ∧ ∼ − ∼ − ◮ propagate any new congruences that arise within this union. 2. If for any i m + 1,..., n , si ti , return unsatisfiable. ∈ { } ∼ The new relation is a congruence relation in which s t . 3. Otherwise, = F , so return satisfiable. ∼i i ∼ i ∼| How do we actually construct the congruence closure in Step 1? Page 13 of 48 Page 14 of 48 Congruence Closure Algorithm: Example 1 I Congruence Closure Algorithm: Example 1 II This partition represents the congruence closure of S . Given ΣE -formula F Is it the case that F : f (a, b)= a f (f (a, b), b) = a ∧ 6 a, f (a, b), f (f (a, b), b) , b = F ? {{ } { }} | Construct initial partition by letting each member of the subterm No, as f (f (a, b), b) a but F asserts that f (f (a, b), b) = a. set SF be its own class: ∼ 6 1. a , b , f (a, b) , f (f (a, b), b) Hence, F is TE -unsatisfiable. {{ } { } { } { }} According to the first literal f (a, b)= a, merge f (a, b) and a { } { } to form partition 2. a, f (a, b) , b , f (f (a, b), b) {{ } { } { }} According to the (function) congruence axiom, f (a, b) a, b b implies f (f (a, b), b) f (a, b) , ∼ ∼ ∼ resulting in the new partition 3. a, f (a, b), f (f (a, b), b) , b {{ } { }} Page 15 of 48 Page 16 of 48 Congruence Closure Algorithm: Example 2 I Congruence Closure Algorithm: Example 2 II Example: Given ΣE -formula 3. a, f 3(a) , f (a), f 4(a) , f 2(a), f 5(a) . {{ } { } { }} F : f (f (f (a))) = a f (f (f (f (f (a))))) = a f (a) = a From the second literal, f 5(a)= a, merge ∧ ∧ 6 From the subterm set SF , the initial partition is f 2(a), f 5(a) and a, f 3(a) 1. a , f (a) , f 2(a) , f 3(a) , f 4(a) , f 5(a) { } { } {{ } { } { } { } { } { }} to form the partition where, for example, f 3(a) abbreviates f (f (f (a))). 4. a, f 2(a), f 3(a), f 5(a) , f (a), f 4(a) . According to the literal f 3(a)= a, merge {{ } { }} Propagating the congruence f 3(a) and a . { } { } f 3(a) f 2(a) f (f 3(a)) f (f 2(a)) i.e. f 4(a) f 3(a) From the union, ∼ ⇒ ∼ ∼ 2. a, f 3(a) , f (a) , f 2(a) , f 4(a) , f 5(a) yields the partition {{ } { } { } { } { }} 5. a, f (a), f 2(a), f 3(a), f 4(a), f 5(a) , deduce the following congruence propagations: {{ }} f 3(a) a f (f 3(a)) f (a) i.e. f 4(a) f (a) which represents the congruence closure in which all of SF are ∼ ⇒ ∼ ∼ and equal. Now, f 4(a) f (a) f (f 4(a)) f (f (a)) i.e. f 5(a) f 2(a) a, f (a), f 2(a), f 3(a), f 4(a), f 5(a) = F ? ∼ ⇒ ∼ ∼ {{ }} | Thus, the final partition for this iteration is the following: No, as f (a) a, but F asserts that f (a) = a. Hence, F is 3 4 2 5 ∼ 6 3. a, f (a) , f (a), f (a) , f (a), f (a) . TE -unsatisfiable. {{ } { } { }} Page 17 of 48 Page 18 of 48 Congruence Closure Algorithm: Example 3 Implementation of Algorithm

Given ΣE -formula Directed Acyclic Graph (DAG)

For ΣE -formula F , graph-based data structure for representing the F : f (x)= f (y) x = y . ∧ 6 subterms of SF (and congruence relation between them).

The subterm set SF induces the following initial partition: 1. x , y , f (x) , f (y) . {{ } { } { } { }} 1: f f (f (a, b), b) Then f (x)= f (y) indicates to merge f (x) and f (y) . { } { } 2: f f (a, b) The union f (x), f (y) does not yield any new congruences, so the { } final partition is 3: a 4: b a b 2. x , y , f (x), f (y) . {{ } { } { }} Efficient way for computing the congruence closure. Does x , y , f (x), f (y) = F ? {{ } { } { }} | Yes, as x y, agreeing with x = y. Hence, F is T -satisfiable. 6∼ 6 E Page 19 of 48 Page 20 of 48 Summary of idea DAG representation

f (a, b)= a f (f (a, b), b) = a type node = ∧ 6 { 1: f 1: f 1: f id : id node’s unique identiﬁcation number fn : string 2: f 2: f 2: f constant or function name args : id list 3: a 4: b 3: a 4: b 3: a 4: b list of function arguments Initial DAG f (a, b)= a f (a, b) a, b b ⇒ ∼ ∼ ⇒ mutable find : id merge f (a, b) a f (f (a, b), b) f (a, b) the representative of the congruence class ∼ merge f (f (a, b), b) mutable ccpar : id set f (a, b) if the node is the representative for its explicit equation by congruence congruence class, then its ccpar (congruence closure parents) are all find f (f (a, b), b)= a = find a parents of nodes in its congruence class Unsatisﬁable f (f (a, b), b) = a ⇒ } 6 ) Page 21 of 48 Page 22 of 48

DAG Representation of node 2 DAG Representation of node 3

type node = type node = { { id : id ... 2 id : id ... 3 fn : string ... f fn : string ... a args : id list ... [3, 4] args : id list ... [] mutable find : id ... 3 mutable find : id ... 3 mutable ccpar : id set ... mutable ccpar : id set ... 1, 2 ∅ { } } } 1: f 1: f

2: f 2: f

3: a 4: b 3: a 4: b

Page 23 of 48 Page 24 of 48 The Implementation I The Implementation II find function union function returns the representative of node’s congruence class let union i1 i2 = let rec find i = let n1 = node (find i1) in let n = node i in let n2 = node (find i2) in if n.find = i then i else find n.find n .find n .find; 1 ← 2 n .ccpar n .ccpar n .ccpar; 1: f 2 ← 1 ∪ 2 n .ccpar 1 ← ∅ 2: f n2 is the representative of the union class

3: a 4: b

Example: find 2 = 3 find 3 = 3 3 is the representative of 2, 3 . { } Page 25 of 48 Page 26 of 48 The Implementation III The Implementation IV Example ccpar function Returns parents of all nodes in i’s congruence class 1: f let ccpar i = 2: f (node (find i)).ccpar

3: a 4: b congruent predicate Test whether i1 and i2 are congruent

union 1 2 n1 = 1 n2 = 3 let congruent i1 i2 = 1.find 3 ← let n1 = node i1 in 3.ccpar 1, 2 ← { } let n2 = node i2 in 1.ccpar ← ∅ n1.fn = n2.fn n .args = n .args ∧| 1 | | 2 | i 1,..., n .args . find n .args[i]= find n .args[i] ∧ ∀ ∈ { | 1 |} 1 2 Page 27 of 48 Page 28 of 48 The Implementation V The Implementation VI Example: merge function

1: f let rec merge i1 i2 =

if find i1 = find i2 then begin 2: f 6 let Pi1 = ccpar i1 in

let Pi2 = ccpar i2 in 3: a 4: b union i1 i2;

Are 1 and 2 congruent? foreach t1 Pi , t2 Pi do ∈ 1 ∈ 2 fn ﬁelds —both f if find t = find t congruent t t 1 6 2 ∧ 1 2 # of arguments — same then merge t1 t2 left arguments f (a, b) and a — both congruent to 3 done right arguments b and b — both 4 (congruent) end

Therefore 1 and 2 are congruent. Pi1 and Pi2 store the values of ccpar i1 and ccpar i2 (before the union).

Page 29 of 48 Page 30 of 48

Decision Procedure: TE -satisﬁability Example 1: TE -Satisﬁability

Given ΣE -formula f (a, b)= a f (f (a, b), b) = a ∧ 6 F : s1 = t1 sm = tm sm+1 = tm+1 sn = tn , ∧ ··· ∧ ∧ 6 ∧ ··· ∧ 6 (1) 1: f (2) 1: f (3) 1: f with subterm set SF , perform the following steps: 1. Construct the initial DAG for the subterm set SF . 2: f 2: f 2: f 2. For i 1,..., m , merge s t . ∈ { } i i 3. If find s = find t for some i m + 1,..., n , return 3: a 4: b 3: a 4: b 3: a 4: b i i ∈ { } unsatisfiable. merge 2 3 merge 1 2 Initial DAG 4. Otherwise (if find si = find ti for all i m + 1,..., n ) P = 6 ∈ { } P2 = 1 1 return satisfiable. { } {} P = 2 P2 = 1, 2 3 { } { } union 2 3 union 1 2 congruent 1 2 find f (f (a, b), b)= a = find a Unsatisfiable ⇒

Page 31 of 48 Page 32 of 48 Given ΣE -formula Example 2: TE -Satisﬁability F : f (a, b)= a f (f (a, b), b) = a . ∧ 6 f (f (f (a))) = a f (f (f (f (f (a))))) = a f (a) = a The subterm set is ∧ ∧ 6 S = a, b, f (a, b), f (f (a, b), b) , 5: f 4: f 3: f 2: f 1: f 0: a (1) F { } resulting in the initial partition Initial DAG (1) a , b , f (a, b) , f (f (a, b), b) {{ } { } { } { }} in which each term is its own congruence class. Fig (1). Final partition (Fig (3)) (2) a, f (a, b), f (f (a, b), b) , b 5: f 4: f 3: f 2: f 1: f 0: a (2) {{ } { }} Note: dash edge merge dictated by equalities in F f (f (f (a))) = a merge 30: P = 4 P = 1 union 3 0 dotted edge deduced merge ⇒ 3 { } 0 { } merge 41: P4 = 5 P1 = 2 union 4 1 Does ⇒ { } { } merge 52: P = P = 3 union 5 2 a, f (a, b), f (f (a, b), b) , b = F ? ⇒ 5 {} 2 { } {{ } { }} | No, as f (f (a, b), b) a, but F asserts that f (f (a, b), b) = a. ∼ 6 Hence, F is TE -unsatisﬁable. Page 33 of 48 Page 34 of 48

Example 2: TE -Satisfiability Given ΣE -formula f (f (f (a))) = a f (f (f (f (f (a))))) = a f (a) = a ∧ ∧ 6 F : f (f (f (a))) = a f (f (f (f (f (a))))) = a f (a) = a , ∧ ∧ 6 which induces the initial partition 5: f 4: f 3: f 2: f 1: f 0: a (2) 1. a , f (a) , f 2(a) , f 3(a) , f 4(a) , f 5(a) . {{ } { } { } { } { } { }} The equality f 3(a)= a induces the partition 2. a, f 3(a) , f (a), f 4(a) , f 2(a), f 5(a) . {{ } { } { }} The equality f 5(a)= a induces the partition 3. a, f (a), f 2(a), f 3(a), f 4(a), f 5(a) . 5: f 4: f 3: f 2: f 1: f 0: a (3) {{ }} Now, does f (f (f (f (f (a))))) = a merge 50: P = 3 P = 1, 4 a, f (a), f 2(a), f 3(a), f 4(a), f 5(a) = F ? ⇒ 5 { } 0 { } {{ }} | union 5 0 No, as f (a) a, but F asserts that f (a) = a. Hence, F is merge 31: STOP.Why? ∼ 6 ⇒ TE -unsatisfiable. union 3 1 find f (a)= f (a)= find a Unsatisfiable ⇒ Page 35 of 48 Page 36 of 48 Theorem (Sound and Complete) Recursive Data Structures

Quantifier-free conjunctive ΣE -formula F is TE -satisfiable iff the Quantifier-free Theory of Lists Tcons congruence closure algorithm returns satisfiable. Σ : cons, car, cdr, atom, = cons { } constructor cons : cons(x, y) list constructed by • appending y to x left projector car : car(cons(x, y)) = x • right projector cdr : cdr(cons(x, y)) = y • atom : unary predicate •

Page 37 of 48 Page 38 of 48

Axioms of Tcons Simplifications ◮ reflexivity, symmetry, transitivity ◮ Consider only quantifier-free conjunctive Σcons-formulae. ◮ function (congruence) axioms: Convert non-conjunctive formula to DNF and check each disjunct. x1, x2, y1, y2. x1 = x2 y1 = y2 cons(x1, y1) = cons(x2, y2) ∀ ∧ → ◮ atom(u ) literals are removed: x, y. x = y car(x) = car(y) ¬ i ∀ → 1 2 x, y. x = y cdr(x) = cdr(y) replace atom(ui ) with ui = cons(ui , ui ) ∀ → ¬ by the (construction) axiom. ◮ predicate (congruence) axiom: ◮ Result of a conjunctive Σcons-formula with literals x, y. x = y (atom(x) atom(y)) ∀ → ↔ s = t s = t atom(u) 6 ◮ (A1) x, y. car(cons(x, y)) = x (left projection) ◮ Because of similarity to ΣE , we sometimes combine ∀ Σ Σ . (A2) x, y. cdr(cons(x, y)) = y (right projection) cons ∪ E ∀ (A3) x. atom(x) cons(car(x), cdr(x)) = x (construction) ∀ ¬ → (A4) x, y. atom(cons(x, y)) (atom) ∀ ¬ Page 39 of 48 Page 40 of 48 Algorithm: Tcons-Satisfiability (the idea) Algorithm: Tcons-Satisfiability car cdr 1. Construct the initial DAG for SF F : s = t s = t 1 1 ∧ ··· ∧ m m 2. for each node n with n.fn = cons generate congruence closure ◮ add car(n) and merge car(n) n.args[1] cons | {z } ◮ add cdr(n) and merge cdr(n) n.args[2] s = t s = t by axioms (A1), (A2) ∧ m+1 6 m+1 ∧ ··· ∧ n 6 n 3. for 1 i m, merge s t x y search for contradiction ≤ ≤ i i 4. for m + 1 i n, if find s = find t , return unsatisfiable | {z } ≤ ≤ i i atom(u1) atom(uℓ) 5. for 1 i ℓ, if v. find v = find u v.fn = cons, ∧ ∧ ··· ∧ ≤ ≤ ∃ i ∧ search for contradiction return unsatisfiable 6. Otherwise, return satisfiable where si , ti , and ui are|Tcons-terms {z }

Page 41 of 48 Page 42 of 48 Example Example (cont): Initial DAG

Given (Σcons ΣE )-formula ∪ car f cdr car f cdr car(x) = car(y) cdr(x) = cdr(y) F : ∧ atom(x) atom(y) f (x) = f (y) ∧ ¬ ∧ ¬ ∧ 6 x y where the function symbol f is in ΣE

car(x) = car(y) (1) ∧ car cdr car cdr axioms (A1), (A2) cdr(x) = cdr(y) (2) ∧ F ′ : x = cons(u1, v1) (3) ∧ cons cons y = cons(u , v ) (4) 2 2 ∧ f (x) = f (y) (5) 6 u1 v1 u2 v2 Recall the projection axioms: (A1) x, y. car(cons(x, y)) = x ∀ (A2) x, y. cdr(cons(x, y)) = y ∀

Page 43 of 48 Page 44 of 48 Example (cont): merge Example (cont): Propagation

(1) (2) car f cdr car f cdr car f cdr car f cdr Congruent: explicit equation car(x) car(cons(u1, v1)) x y by congruence x y find car(x) = car(y)

find car(cons(. . .)) = u1 1 : merge car(x) car(y) 3A car (3) cdr car cdr car cdr car 3B cdr 2 : merge cdr(x) cdr(y) Congruent:

cdr(x) cdr(cons(u1, v1)) cons cons 3 : merge x cons(u1, v1) cons cons find cdr(x) = cdr(y)

⇓ find cdr(cons(. . .)) = v1 u1 v1 u2 v2 u1 v1 u2 v2

Page 45 of 48 Page 46 of 48

Example (cont): merge Example (cont): congruence 4D

4 : merge y cons(u2, v2) car f cdr car f cdr ⇓ car f cdr car f cdr Congruent: Congruent: x y car(y) car(cons(u2, v2)) x y cons(u1, v1) cons(u2, v2) find car(y) = u1 car cdr car cdr find car(cons(. . .)) = u2 Congruent: f (x) f (y) (4) car cdr car cdr Congruent: find f (x) = f (y) 5 : cons cons cdr(y) cdr(cons(u , v )) 4C 2 2 cons cons find f (y) = f (y) find cdr(y) = v 1 ⇓ find cdr(cons(. . .)) = v2 F is unsatisﬁable u1 v1 u2 v2 u1 v1 u2 v2 ⇓ 4A 4B

Page 47 of 48 Page 48 of 48