11. Arrays by Aaron Bradley Zohar Manna

The Calculus of Computation: Decision Procedures with Applications to Verification
11. Arrays
Aaron Bradley, Zohar Manna
Springer 2007

11-2  (2) Array Property Fragment of T_A

11-3  Array Property Fragment of T_A

Decidable fragment of T_A that includes ∀ quantifiers: Boolean combinations of quantifier-free T_A-formulae and array properties.

Array property: Σ_A-formula of the form

    ∀i. F[i] → G[i],

where i is a list of variables.

◮ index guard F[i]:

    iguard → iguard ∧ iguard | iguard ∨ iguard | atom
    atom   → var = var | evar ≠ var | var ≠ evar | ⊤
    var    → evar | uvar

  where uvar is any universally quantified index variable, and evar is any constant or unquantified variable.

◮ value constraint G[i]: a universally quantified index can occur in a value constraint G[i] only in a read a[i], where a is an array term. The read cannot be nested; for example, a[b[i]] is not allowed.

11-4  Example: Σ_A-formulae

    F : ∀i. i ≠ a[k] → a[i] = a[k]

The antecedent is not a legal index guard since a[k] is not a variable (neither a uvar nor an evar); however, by simple manipulation

    F′ : v = a[k] ∧ ∀i. i ≠ v → a[i] = a[k]

Here, i ≠ v is a legal index guard, and a[i] = a[k] is a legal value constraint. F and F′ are equisatisfiable.

However, no manipulation works for:

    G : ∀i. i ≠ a[i] → a[i] = a[k].

Thus, G is not in the array property fragment.

11-5  Remark: the array property fragment allows expressing equality between arrays (extensionality): two arrays are equal precisely when their corresponding elements are equal. For a given formula

    F : ··· ∧ a = b ∧ ···

with array terms a and b, rewrite F as

    F′ : ··· ∧ (∀i. ⊤ → a[i] = b[i]) ∧ ··· .

F and F′ are equisatisfiable.

11-6  Decision Procedure for Array Property Fragment

The idea of the decision procedure for the array property fragment is to reduce universal quantification to finite conjunction. That is, it constructs a finite set of index terms such that examining only these positions of the arrays is sufficient.

Example: Consider

    F : a⟨i ◁ v⟩ = a ∧ a[i] ≠ v,

which expands to

    F′ : ∀j. a⟨i ◁ v⟩[j] = a[j] ∧ a[i] ≠ v.

Intuitively, to determine that F′ is T_A-unsatisfiable requires merely examining index i:

    F′′ : ⋀_{j ∈ {i}} a⟨i ◁ v⟩[j] = a[j] ∧ a[i] ≠ v,

or simply

    a⟨i ◁ v⟩[i] = a[i] ∧ a[i] ≠ v.

Simplifying,

    v = a[i] ∧ a[i] ≠ v,

it is clear that this formula, and thus F, is T_A-unsatisfiable.

11-7  The Algorithm

Given array property formula F, decide its T_A-satisfiability by the following steps:

Step 1
Put F in NNF.

Step 2
Apply the following rule exhaustively to remove writes:

    F[a⟨i ◁ v⟩]
    ─────────────────────────────────────────────  for fresh a′   (write)
    F[a′] ∧ a′[i] = v ∧ (∀j. j ≠ i → a[j] = a′[j])

After an application of the rule, the resulting formula contains at least one fewer write term than the given formula.

Step 3
Apply the following rule exhaustively to remove existential quantification:

    F[∃i. G[i]]
    ────────────  for fresh j   (exists)
    F[G[j]]

Existential quantification can arise during Step 1 if the given formula has a negated array property.

11-8  Steps 4-6 accomplish the reduction of universal quantification to finite conjunction.

Main idea: select a set of symbolic index terms on which to instantiate all universal quantifiers. The set is sufficient for correctness.

Step 4
From the output F3 of Step 3, construct the index set I:

    I = {λ}
      ∪ {t : ·[t] ∈ F3 such that t is not a universally quantified variable}
      ∪ {t : t occurs as an evar in the parsing of index guards}

This index set is the finite set of indices that need to be examined. It includes

◮ all terms t that occur in some read a[t] anywhere in F (unless t is a universally quantified variable);

◮ all terms t (constant or unquantified variable) that are compared to a universally quantified variable in some index guard;

◮ λ, a fresh constant that represents all other index positions that are not explicitly in I.

11-9  Step 5 (Key step)
Apply the following rule exhaustively to remove universal quantification:

    H[∀i. F[i] → G[i]]
    ───────────────────────────   (forall)
    H[⋀_{i ∈ I^n} F[i] → G[i]]

where n is the size of the list of quantified variables i.

Step 6
From the output F5 of Step 5, construct

    F6 : F5 ∧ ⋀_{i ∈ I∖{λ}} λ ≠ i.

The new conjuncts assert that the variable λ introduced in Step 4 is indeed unique.

Step 7
Decide the T_A-satisfiability of F6 using the decision procedure for the quantifier-free fragment.

11-10  Example: Consider the array property formula

    F : a⟨ℓ ◁ v⟩[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ (∀i. i ≠ ℓ → a[i] = b[i])

The last conjunct is the array property: its index guard is i ≠ ℓ and its value constraint is a[i] = b[i]. F is already in NNF. By Step 2, rewrite F as

    F2 : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ (∀i. i ≠ ℓ → a[i] = b[i])
         ∧ a′[ℓ] = v ∧ (∀j. j ≠ ℓ → a[j] = a′[j])

F2 does not contain any existential quantifiers. Its index set is

    I = {λ} ∪ {k} ∪ {ℓ} = {λ, k, ℓ}.

Thus, by Step 5, replace universal quantification:

    F5 : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v ∧ ⋀_{i ∈ I} (i ≠ ℓ → a[i] = b[i])
         ∧ a′[ℓ] = v ∧ ⋀_{j ∈ I} (j ≠ ℓ → a[j] = a′[j])

11-11  Expanding F5 produces

    F5′ : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
          ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k]) ∧ (ℓ ≠ ℓ → a[ℓ] = b[ℓ])
          ∧ a′[ℓ] = v
          ∧ (λ ≠ ℓ → a[λ] = a′[λ]) ∧ (k ≠ ℓ → a[k] = a′[k]) ∧ (ℓ ≠ ℓ → a[ℓ] = a′[ℓ])

Simplifying produces

    F5′′ : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
           ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k])
           ∧ a′[ℓ] = v
           ∧ (λ ≠ ℓ → a[λ] = a′[λ]) ∧ (k ≠ ℓ → a[k] = a′[k])

11-12  Step 6 distinguishes λ from the other members of I:

    F6 : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
         ∧ (λ ≠ ℓ → a[λ] = b[λ]) ∧ (k ≠ ℓ → a[k] = b[k])
         ∧ a′[ℓ] = v
         ∧ (λ ≠ ℓ → a[λ] = a′[λ]) ∧ (k ≠ ℓ → a[k] = a′[k])
         ∧ λ ≠ k ∧ λ ≠ ℓ

Simplifying,

    F6′ : a′[k] = b[k] ∧ b[k] ≠ v ∧ a[k] = v
          ∧ a[λ] = b[λ] ∧ (k ≠ ℓ → a[k] = b[k])
          ∧ a′[ℓ] = v
          ∧ a[λ] = a′[λ] ∧ (k ≠ ℓ → a[k] = a′[k])
          ∧ λ ≠ k ∧ λ ≠ ℓ

There are two cases to consider.

◮ If k = ℓ, then a′[ℓ] = v and a′[k] = b[k] imply b[k] = v, yet b[k] ≠ v.

◮ If k ≠ ℓ, then a[k] = v and a[k] = b[k] imply b[k] = v, but again b[k] ≠ v.

Hence, F6′ is T_A-unsatisfiable, indicating that F is T_A-unsatisfiable.

11-13  (3) Theory of Integer-Indexed Arrays T_A^Z

≤ enables reasoning about subarrays and properties such as "subarray is sorted" or "subarray is partitioned".

Signature of T_A^Z: Σ_A^Z = Σ_A ∪ Σ_Z.

Axioms of T_A^Z: both the axioms of T_A and those of T_Z.

11-14  Array property: Σ_A^Z-formula of the form

    ∀i. F[i] → G[i]

where i is a list of integer variables.

◮ F[i] index guard:

    iguard → iguard ∧ iguard | iguard ∨ iguard | atom
    atom   → expr ≤ expr | expr = expr
    expr   → uvar | pexpr
    pexpr  → pexpr′
    pexpr′ → Z | Z · evar | pexpr′ + pexpr′

  where uvar is any universally quantified integer variable, and evar is any existentially quantified or free integer variable.

◮ G[i] value constraint: any occurrence of a quantified index variable i must be as a read into an array, a[i], for array term a. Array reads may not be nested; e.g., a[b[i]] is not allowed.

The array property fragment of T_A^Z consists of formulae that are Boolean combinations of quantifier-free Σ_A^Z-formulae and array properties.

11-15  A Decision Procedure

The idea again is to reduce universal quantification to finite conjunction. Given F from the array property fragment of T_A^Z, decide its T_A^Z-satisfiability as follows:

Step 1
Put F in NNF.

Step 2
Apply the following rule exhaustively to remove writes:

    F[a⟨i ◁ e⟩]
    ─────────────────────────────────────────────  for fresh a′   (write)
    F[a′] ∧ a′[i] = e ∧ (∀j. j ≠ i → a[j] = a′[j])

To meet the syntactic requirements on an index guard, rewrite the third conjunct as

    ∀j. j ≤ i − 1 ∨ i + 1 ≤ j → a[j] = a′[j].

11-16  Step 3
Apply the following rule exhaustively to remove existential quantification:

    F[∃i. G[i]]
    ────────────  for fresh j   (exists)
    F[G[j]]

Existential quantification can arise during Step 1 if the given formula has a negated array property.

Step 4
From the output F3 of Step 3, construct the index set I:

    I = {t : ·[t] ∈ F3 such that t is not a universally quantified variable}
      ∪ {t : t occurs as a pexpr in the parsing of index guards}

If I = ∅, then let I = {0}. The index set contains all relevant symbolic indices that occur in F3.

Step 5
Apply the following rule exhaustively to remove universal

Example: Σ_A^Z-formula:
(∀i.
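The core of Steps 2, 4, 5 and 6 of the T_A procedure, run on the slides' example F, as an added Python illustration that is not the authors' code. The tuple encoding of terms, the name lam for λ, the a'0/j0 fresh-name scheme, the single-variable form of ∀ (n = 1) and the requirement that variable names differ from the tags are assumptions; Step 3 is skipped because the input has no negated array property, and Step 7 (the quantifier-free check) is not implemented.

```python
# Added illustration (not the authors' code): Steps 2, 4, 5 and 6 of the T_A procedure on
# tuples: str = variable/constant, ('read', a, i) = a[i], ('write', a, i, v) = a<i <| v>,
# tags 'eq' 'neq' 'and' 'or' 'imp', ('forall', i, guard, body); 'lam' stands for λ.
import itertools
def nodes(x):                                     # every subterm, outermost first
    yield x
    if isinstance(x, tuple):
        for y in x[1:]: yield from nodes(y)
def _subst(x, old, new):                          # replace subterm old by new
    if x == old: return new
    return tuple(_subst(y, old, new) for y in x) if isinstance(x, tuple) else x
def _conj(fs):                                    # left-nested conjunction of fs
    return fs[0] if len(fs) == 1 else ('and', _conj(fs[:-1]), fs[-1])
def remove_writes(f, _fresh=itertools.count()):
    """Step 2: F[a<i<|v>] -> F[a'] ^ a'[i]=v ^ (forall j. j!=i -> a[j]=a'[j])."""
    while (w := next((n for n in nodes(f) if isinstance(n, tuple) and n[0] == 'write'), None)):
        _, a, i, v = w
        k = next(_fresh); a2, j = f"a'{k}", f"j{k}"  # assumed fresh-name scheme
        f = ('and', ('and', _subst(f, w, a2), ('eq', ('read', a2, i), v)),
             ('forall', j, ('neq', j, i), ('eq', ('read', a, j), ('read', a2, j))))
    return f
def _guard_atoms(g):                              # flatten an index guard into its atoms
    return [g] if g[0] in ('eq', 'neq') else _guard_atoms(g[1]) + _guard_atoms(g[2])
def index_set(f, bound=frozenset()):
    """Step 4: λ, read indices that are not uvars, evars compared with uvars in guards."""
    idx = {'lam'}
    if isinstance(f, tuple):
        if f[0] == 'read' and f[2] not in bound: idx.add(f[2])
        if f[0] == 'forall':
            bound = bound | {f[1]}
            idx |= {t for at in _guard_atoms(f[2]) for t in at[1:] if t not in bound}
        for y in f[1:]: idx |= index_set(y, bound)
    return idx
def instantiate(f, I):
    """Step 5: forall i. F[i] -> G[i] becomes the conjunction of F[t] -> G[t], t in I."""
    if isinstance(f, tuple) and f[0] == 'forall':
        _, i, g, b = f
        return _conj([('imp', _subst(g, i, t), _subst(b, i, t)) for t in sorted(I, key=str)])
    return (f[0],) + tuple(instantiate(y, I) for y in f[1:]) if isinstance(f, tuple) else f
def reduce_to_qf(f):                              # Steps 2, 4, 5, 6; Step 7 is not done here
    f2 = remove_writes(f)                         # input assumed in NNF with no existentials
    I = index_set(f2)
    f6 = _conj([instantiate(f2, I)] + [('neq', 'lam', t) for t in sorted(I - {'lam'}, key=str)])
    return I, f6                                  # Step 6 added lam != t for every t in I \ {lam}

# Constructed input, the slides' example: a<l<|v>[k]=b[k] ^ b[k]!=v ^ a[k]=v ^ forall i. i!=l -> a[i]=b[i]
EXAMPLE_F = ('and', ('and', ('and', ('eq', ('read', ('write', 'a', 'l', 'v'), 'k'), ('read', 'b', 'k')),
    ('neq', ('read', 'b', 'k'), 'v')), ('eq', ('read', 'a', 'k'), 'v')),
    ('forall', 'i', ('neq', 'i', 'l'), ('eq', ('read', 'a', 'i'), ('read', 'b', 'i'))))
```

On EXAMPLE_F the index set comes out as {λ, k, ℓ} and each of the two ∀ conjuncts (the original one and the one Step 2 introduces) becomes three implications, matching F5 and F6 on the slides.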