We describe the implementation of a system for propertydirected symbol elimination in extensions of a theory T0 with additional function symbols whose properties are axiomatised using a set of clauses. The system performs the symbol elimination in a hierarchical way, relying on existing mechanisms for symbol elimination in T0. Many reasoning problems in mathematics or program verification can be reduced to checking satisfiability of ground formulae w.r.t. a theory (this can be a standard theory, e.g. linear arithmetic, or a complex theory - e.g. the extension of a base theory with additional function symbols axiomatized by a set of formulae, or a combination of theories). More interesting is to go beyond yes/no answers, i.e. to consider problems - in mathematics or verification - in which the properties of certain function symbols are underspecified (these symbols are considered to be parametric) and (weakest) additional conditions need to be derived under which given properties hold. In [13] a method for property-directed symbol elimination in local theory extensions was proposed which can be used for obtaining such constraints on parameters. The goal of this paper is to present the current state of an implementation of this method in the system SEH-PILoT. Structure of the paper: In Section 2.2 we first present the theoretical background and then the implementation details. In Section 3 we discuss in detail an example, then present an overview of a (small) subset of the tests we considered so far.
2.1
Let Π0=(Σ0, Pred) be a signature, and T0 be a “base” theory with signature Π0. We consider extensions T := T0∪K of T0 with new function symbols Σ (extension functions) whose properties are axiomatized using a set K of (universally closed) clauses in the extended signature Π = (Σ0 ∪ Σ, Pred), such that each clause in K contains function symbols in Σ. Let Σpar ⊆ Σ be a set of parameters. Let Σc be an additional set of constants.
Task: Let G be a set of ground Π ∪ Σc clauses. We want to check whether G is satisfiable w.r.t. T0 ∪ K or not and – if it is satisfiable – to generate a weakest universal Π0 ∪ Σpar-formula Γ such that T0 ∪ K ∪ Γ ∪ G is unsatisfiable. Method. For satisfiability checking we use a method for hierarchical reduction to checking satisfiability in the base theory. For symbol elimination (i.e. for determining Γ ) we use a method for hierarchically reducing the problem to a quantifier elimination problem w.r.t. T0. If T0 allows quantifier elimination (i.e. for every formula φ over Π0 there exists a quantifier-free formula φ∗ over Π0 which is equivalent to φ modulo T0) a method for quantifier elimination w.r.t. T0 can be used for this.
In what follows we present situations in which hierarchical reasoning is complete and weakest constraints on parameters can be generated.
Local Theory Extensions. Let Ψ be a closure operator on sets of ground terms. A theory extension T0 ⊆ T0 ∪ K is Ψ -local if it satisfies the condition: (LocfΨ )
For every finite set G of ground ΠC -clauses (for an additional set C of constants) it holds that T0 ∪ K ∪ G |= ⊥ if and only if
T0 ∪ K[ΨK(G)] ∪ G is unsatisfiable.
where, for every set G of ground ΠC -clauses, K[ΨK(G)] is the set of instances
of K in which the terms starting with a function symbol in Σ are in ΨK(G) =
Ψ (est(K, G)), where est(K, G) is the set of ground terms starting with a function
in Σ occurring in G or K.
Ψ -local extensions can be recognized by showing that certain partial models
embed into total ones [
Hierarchical Reasoning. Consider a Ψ -local theory extension T0 ⊆ T0 ∪ K. Condition (LocfΨ ) requires that for every finite set G of ground ΠC clauses: T0 ∪ K∪G |=⊥ if and only if T0∪K[ΨK(G)]∪G |=⊥ . In all clauses in K[ΨK(G)]∪G the function symbols in Σ only have ground terms as arguments, so K[ΨK(G)]∪G can be flattened and purified1 by introducing, in a bottom-up manner, new 1 i.e. the function symbols in Σ are separated from the other symbols. constants ct ∈ C for subterms t=f (c1, . . . , cn) where f ∈Σ and ci are constants, together with definitions ct≈f (c1, . . . , cn) which are all included in a set Def. We thus obtain a set of clauses K0∪G0∪Def, where K0 and G0 do not contain Σ-function symbols and Def contains clauses of the form c≈f (c1, . . . , cn), where f ∈Σ, c, c1, . . . , cn are constants.
Theorem 1 ([
T0 ⊆ T1 = T0 ∪ K1 ⊆ T2 = T0 ∪ K1 ∪ K2 ⊆ · · · ⊆ Tn = T0 ∪ K1 ∪ ... ∪ Kn
in which each theory is a local extension of the preceding one. For a chain of
n local extensions a satisfiability check w.r.t. the last extension can be reduced
(in n steps) to a satisfiability check w.r.t. T0. The only restriction we need to
impose in order to ensure that such a reduction is possible is that at each step
the clauses reduced so far need to be ground. Groundness is assured if each
variable in a clause appears at least once under an extension function. This
iterated instantiation procedure for chains of local theory extensions has been
implemented in H-PILoT [
Theorem 2 ([
Algorithm 1 yields a formula ∀x. ΓT (x) with T0 ∪ ∀x. ΓT (x) ∪ K ∪ G |=⊥ also if
the extension T ⊆ T0 ∪ K is not Ψ -local or T 6= ΨK(G), but in this case there is
no guarantee that ∀x. ΓT (x) is the weakest universal formula with this property.
A similar result holds for chains of local theory extensions.
2 H-PILoT allows the user to specify a chain of extensions by tagging the extension
functions with their place in the chain (e.g., if f occurs in K3 but not in K1 ∪ K2 it
is declared as level 3).
Algorithm 1 Symbol elimination in theory extensions [
Set T of ground ΠC -terms Output: ∀y. ΓT (y) (universal Π0 ∪ Σpar-formula) Step 1 Purify K[T ] ∪ G as described in Theorem 1 (with set of extension symbols Σ1).
Let K0 ∪ G0 ∪ Con0 be the set of Π0C -clauses obtained this way.
Step 2 Let G1 = K0 ∪ G0 ∪ Con0. Among the constants in G1, we identify (i) the constants cf , f ∈ Σpar, where cf is a constant parameter or cf is introduced by a definition cf ≈ f (c1, . . . , ck) in the hierarchical reasoning method, (ii) all constants cp occurring as arguments of functions in Σpar in such definitions. Replace all the other constants c with existentially quantified variables x (i.e. replace G1(cp, cf , c) with ∃x. G1(cp, cf , x)).
Step 3 Construct a formula Γ1(cp, cf ) equivalent to ∃x. G1(cp, cf , x) w.r.t. T0 using a method for quantifier elimination in T0 and let Γ2(cp, cf ) be ¬Γ1(cp, cf ). Step 4 Replace (i) each constant cf introduced by definition cf ≈ f (c1, . . . , ck) with the term f (c1, . . . , ck) and (ii) cp with universally quantified variables y in Γ2(cp, cf ). The formula obtained this way is ∀y. ΓT (y).
Theorem 3 ([
T0 ⊆ T0 ∪ K1 ⊆ T0 ∪ K1 ∪ K2 ⊆ . . . ⊆ T0 ∪ K1 ∪ K2 ∪ · · · ∪ Kn where every extension in the chain satisfies condition (Compf ), Ki are all flat and linear, and in all Ki all variables occur below the extension terms on level i.
Let G be a set of ground clauses, and let G1 be the result of the hierarchical reduction of satisfiability of G to a satisfiability test w.r.t. T0. Let T = T (G) be the set of all instances used in the chain of hierarchical reductions and let ∀y. ΓT (G)(y) be the formula obtained by applying Steps 2–4 of Alg. 1 to G1. Then ∀y. ΓT (G)(y) is entailed by every conjunction Γ of clauses with the property that T0 ∪ Γ ∪ K1 ∪ · · · ∪ Kn ∪ G is unsatisfiable (i.e. it is the weakest such constraint). 2.2
Hierarchical reasoning: H-PILoT. The method for hierarchical reasoning in
local theory extensions described before was implemented in the system H-PILoT
[
Main Algorithm. SEH-PILoT follows the steps of Algorithm 1.
Step 1: SEH-PILoT uses H-PILoT (with
option -redlog) for the hierarchical reduction to
a problem in the base theory. H-PILoT
computes the necessary instances K[TG], where TG
is the set of ground terms necessary for
instantiation (cf. Thm.3), generates the formula
K0 ∪ G0 ∪ Con0 and writes it in a file which can
be used as input for Redlog [
Step 2: Taking into account the function symbols to be eliminated, the constants are classified as required in Step 2 of Alg. 1 and the Redlog file is changed accordingly such that only those symbols that do not correspond to a parameter or argument of a parameter are considered to be existentially quantified.
Step 3: SEH-PILoT uses Redlog to eliminate the existentially quantified symbols and afterwards to negate the resulting formula.
Step 4: The constants contained in the formula
obtained by Step 3 are replaced back with the
terms they represent and the constants
occurring as arguments are replaced by universally
quantified variables. Fig. 1. SEH-PILoT structure
Finally SEH-PILoT translates the generated
constraints from the syntax of Redlog back to the syntax of H-PILoT such that
they can easily be used for verification or an iterative approach of constraint
generation. Since Redlog is not very efficient in simplifying formulae, SLFQ can
be used, which allows Redlog to use the possibilities of simplification offered by
QEPCAD B [
We illustrate the way SEH-PILoT works on the following example4. Consider a discrete water level controller in which the inflow varies during the evolution of the system, and can be modeled by a function inflow : R → R, where inflow(t) is the inflow at time step t. If the water level becomes greater than an alarm level Lalarm (positioned below the overflow level Loverflow) a valve is opened and a fixed quantity of water (outflow) is left out. Otherwise, the valve remains closed. Assume that the formula Init(L) := L<Loverflow describes the initial states. Then L ≤ Loverflow is an inductive invariant iff the following formulae are unsatisfiable w.r.t. the extension of the theory of real numbers with a function inflow: (1) ∃L. (L < Loverflow ∧ L > Loverflow); (2) ∃L, L0, t, t0. (L≤Loverflow∧L>Lalarm∧L0≈L+inflow(t)−outflow∧t0≈t+1∧L0>Loverflow); (3) ∃L, L0, t, t0. (L≤Loverflow ∧ L≤Lalarm ∧ L0≈L+inflow(t) ∧ t0≈t+1 ∧ L0>Loverflow). We want to obtain conditions on the parameters (inflow, outflow, Lalarm, Loverflow) under which L < Loverflow is an inductive invariant. (1) is clearly unsatisfiable. SEH-PILoT (with assumptions Lalarm < Loverflow, ∀x. inflow(x) > 0) generated weakest universal conditions under which (2) resp. (3) are unsatisfiable. Consider e.g. (2). The problem is described in the H-PILoT syntax as follows: B a s e f u n c t i o n s :={(+ ,2) , ( − ,2) , ( ∗ , 2 ) } E x t e n s i o n f u n c t i o n s :={( inflow , 1 , 1)} R e l a t i o n s :={(<=, 2 ) , (<, 2 ) , (>=, 2 ) , (>, 2)} Clauses := l <= l o v e r f l o w ; l > lalarm ; l p = ( l+i n f l o w ( t ))− outflow ; tp = t+ 1 ; Query:= l p > l o v e r f l o w ; It can be checked that the extension R ⊆ R∪K of R with a function symbol inflow satisfying the axiom K = ∀x.(inflow(x) > 0) defines a local theory extension. When using SEH-PILoT the user has to specify the name of the H-PILoT file (in this case inv2.loc), the symbols to be eliminated (l, lp and tp) and any additional constraints on the parameters (lalarm<loverflow and ∀x.(inflow(x)>0)). This is done in the command line: sehpilot inv2.loc -e l lp tp -a ’lalarm<loverflow’ ’inflow(?)>0’ --stats If called with the additional constraints added to the command line (example “Water tank, -a” in Table 1) SEH-PILoT generates the right instances. Alternatively, the clause ∀x.(inflow(x) > 0) can be added to the Clauses in the inv2.loc-file (example “Water tank, no -a” in Table 1). In both cases H-PILoT performs the hierarchical reduction described in Theorem 1 for G being the conjunction of the ground formulae in Clauses, Query and in the additional assumptions if option -a is used, by determining the set T = est(G) = {inflow(t)} of terms in G starting with an extension function, considering the instances of K containing this term, K[T ] = {inflow(t) > 0} and introducing a constant e1 for inflow(t), and generates the Redlog file: 4 This example as well as several additional examples can be found under https: //userpages.uni-koblenz.de/~sofronie/sehpilot/. l o a d p a c k a g e r e d l o g ; r l s e t OFSF ; o f f r l v e r b o s e ; on r l n z d e n ; o f f nat ; v a r s := { lalarm , e 1 , l , lp , outflow , l o v e r f l o w , t , tp } ; formula := ( l p > l o v e r f l o w and l > l a l a r m and l <= l o v e r f l o w and tp = t + 1 and l p = ( l + e1 ) − o u t f l o w ) ; query := ( r l q e ex ( vars , formula ) ) ; end ; universally and obtains the weakest constraint: SEH-PILoT classifies the constants and updates the Redlog file by simplifying the input and changing vars to the set of symbols to be eliminated l, lp, tp, eliminates these variables, negates the result and simplifies5 the resulting formula and obtains e1 − outflow ≤ 0. It then replaces e1 with inflow(t), quantifies t (Γ1) (Γ2) ∀t. (inflow(t) ≤ outflow) ∀t. (lalarm + inflow(t) ≤ loverflow) for (3). for which (2) becomes unsatisfiable. A similar procedure yields the constraint Test runs for SEH-PILoT. We analyzed examples from mathematics, verification and wireless network theory. We used H-PILoT for testing satisfiability of the formulae; if the formulae were satisfiable SEH-PILoT was used for symbol elimination and generating constraints on the parameters. The table below provides some data on the size of the problems we analyzed and the time H-PILoT needed for hierarchical reduction and SEH-PILoT for symbol elimination. # clauses time H-PILoT # atoms # atoms time QE # atoms # atoms Time
input (s) (1) (2) (ms) (3) (4) (s)
Name
Mathematics
Case distinction
Example 5.6 in [
Example 4 in [