Array Property Fragment

Transcription

1 Array Property Fragment Max-Ferdinand Gerhard Suffel Saarland University 25th January 2013 Decision Procedures MPI-SWS 1 / 29

2 Application in Deductive Verification 2 / 29

3 Application in Deductive Verification Problem Decide whether a given programm is correct and always terminates. 2 / 29

4 Application in Deductive Verification Problem Decide whether a given programm is correct and always terminates. Approach Use SMT-Solver to proof automatically assertions along basic paths. 2 / 29

5 Application in Deductive Verification Problem Decide whether a given programm is correct and always terminates. Approach Use SMT-Solver to proof automatically assertions along basic paths. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { if(arr [i] >= max ) { max = arr [i]; } } return max ; } 2 / 29

6 Application in Deductive Verification Problem Decide whether a given programm is correct and always terminates. Approach Use SMT-Solver to proof automatically assertions along basic paths. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { } if(arr [i] >= max ) { max = arr [i]; } } return max ; Required Theories T Z T E T A 2 / 29

7 Application in Deductive Verification Problem Decide whether a given programm is correct and always terminates. Approach Use SMT-Solver to proof automatically assertions along basic paths. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { } if(arr [i] >= max ) { max = arr [i]; } } return max ; Required Theories T Z T E T A Now, Theory of Arrays T A and more... 2 / 29

8 Theory of Arrays T A John McCarthy, 1962 Signature Σ A : { [ ],, =} 3 / 29

9 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. 3 / 29

10 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. 3 / 29

11 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. 3 / 29

12 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. Here, a[i] and a i v are functions, and = is a predicate! 3 / 29

13 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. Here, a[i] and a i v are functions, and = is a predicate! Axioms of T A : (reflexivity), (symmetry), and (transitivity) of T E. 3 / 29

14 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. Here, a[i] and a i v are functions, and = is a predicate! Axioms of T A : (reflexivity), (symmetry), and (transitivity) of T E. a, i, j. i = j a[i] = a[j] (array congruence) 3 / 29

15 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. Here, a[i] and a i v are functions, and = is a predicate! Axioms of T A : (reflexivity), (symmetry), and (transitivity) of T E. a, i, j. i = j a[i] = a[j] (array congruence) a, i, j. i = j a i v [j] = v (read-over-write 1) 3 / 29

16 Theory of Arrays T A John McCarthy, 1962 where Signature Σ A : { [ ],, =} a[i] represents the value of array a at position i. a i v represents the modified array a with value v at position i. and = represents equality of array elements not whole arrays. Here, a[i] and a i v are functions, and = is a predicate! Axioms of T A : (reflexivity), (symmetry), and (transitivity) of T E. a, i, j. i = j a[i] = a[j] (array congruence) a, i, j. i = j a i v [j] = v (read-over-write 1) a, i, j. i j a i v [j] = a[j] (read-over-write 2) 3 / 29

17 Can we decide T A -validity? 4 / 29

18 Can we decide T A -validity? Theorem (Undecidability) T A -validity of a general Σ A -formula is undecidable. 4 / 29

19 Can we decide T A -validity? Theorem (Undecidability) T A -validity of a general Σ A -formula is undecidable. Reason: Arrays are similar to uninterpreted functions with modifications. 4 / 29

20 Can we decide T A -validity? Theorem (Undecidability) T A -validity of a general Σ A -formula is undecidable. Reason: Arrays are similar to uninterpreted functions with modifications. Encode arbitrary formula of FOL in T A by viewing functions as multi-dimensional arrays. 4 / 29

21 Can we decide T A -validity? Theorem (Undecidability) T A -validity of a general Σ A -formula is undecidable. Reason: Arrays are similar to uninterpreted functions with modifications. Encode arbitrary formula of FOL in T A by viewing functions as multi-dimensional arrays. FOL is in general undecidable. 4 / 29

22 Can we decide T A -validity? Theorem (Undecidability) T A -validity of a general Σ A -formula is undecidable. Reason: Arrays are similar to uninterpreted functions with modifications. Encode arbitrary formula of FOL in T A by viewing functions as multi-dimensional arrays. FOL is in general undecidable. Theorem (Decidability) T A -satisfiability of a quantifier-free Σ A -formula is decidable. 4 / 29

23 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. 5 / 29

24 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. 5 / 29

25 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. Idea Reduce to T E -satisfiability via application of (read-over-write) axioms. 5 / 29

26 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. Idea Reduce to T E -satisfiability via application of (read-over-write) axioms. If F does not contain any write terms, then view read terms as uninterpreted function terms. 5 / 29

27 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. Idea Reduce to T E -satisfiability via application of (read-over-write) axioms. If F does not contain any write terms, then view read terms as uninterpreted function terms. Otherwise, any write term must occur in the context of a read since arrays themselves cannot be asserted to be equal or not equal. 5 / 29

28 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. Idea Reduce to T E -satisfiability via application of (read-over-write) axioms. If F does not contain any write terms, then view read terms as uninterpreted function terms. Otherwise, any write term must occur in the context of a read since arrays themselves cannot be asserted to be equal or not equal. Apply (read-over-write) axioms to deconstruct the read-over-writes. 5 / 29

29 Quantifier-free fragment of T A Given quantifier-free conjunctive Σ A -formula F. Problem Decide whether F is T A -satisfiable or not. Idea Reduce to T E -satisfiability via application of (read-over-write) axioms. If F does not contain any write terms, then view read terms as uninterpreted function terms. Otherwise, any write term must occur in the context of a read since arrays themselves cannot be asserted to be equal or not equal. Apply (read-over-write) axioms to deconstruct the read-over-writes. T E -satisfiability on quantifier-free fragment of T E is decidable. 5 / 29

30 Decision Procedure for QFF of T A 6 / 29

31 Decision Procedure for QFF of T A Step 1 For every read-over-write term a i v [j] in F, replace F with: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Repeat until there are no more read-over-write terms. 6 / 29

32 Decision Procedure for QFF of T A Step 1 For every read-over-write term a i v [j] in F, replace F with: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Repeat until there are no more read-over-write terms. Step 2 Associate each array variable a with a fresh function symbol f a. Replace read terms a[i] with f a (i). 6 / 29

33 Decision Procedure for QFF of T A Step 1 For every read-over-write term a i v [j] in F, replace F with: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Repeat until there are no more read-over-write terms. Step 2 Associate each array variable a with a fresh function symbol f a. Replace read terms a[i] with f a (i). Step 3 Decide and return the T E -satisfiability of the resulting formula. (Apply Congruence-closure algorithm on each produced disjunct.) 6 / 29

34 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] 7 / 29

35 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] Step 1 7 / 29

36 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] Step 1 F contains a read-over-write term: a i 1 v 1 i 2 v 2 [j] 7 / 29

37 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] Step 1 F contains a read-over-write term: a i 1 v 1 i 2 v 2 [j] Rewrite it to F 1 F 2 : F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 2 : i 2 j i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 [j] a[j]. 7 / 29

38 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] Step 1 F contains a read-over-write term: a i 1 v 1 i 2 v 2 [j] Rewrite it to F 1 F 2 : F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 2 : i 2 j i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 [j] a[j]. F 2 contains a read-over-write term: a i 1 v 1 [j] 7 / 29

39 Decision Procedure for QFF of T A Example Is this Σ A -formula T A -satisfiable? F : i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 i 2 v 2 [j] a[j] Step 1 F contains a read-over-write term: a i 1 v 1 i 2 v 2 [j] Rewrite it to F 1 F 2 : F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 2 : i 2 j i 1 = j i 1 i 2 a[j] = v 1 a i 1 v 1 [j] a[j]. F 2 contains a read-over-write term: a i 1 v 1 [j] Rewrite it to F 3 F 4 : F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. 7 / 29

40 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 8 / 29

41 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). 8 / 29

42 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). Step 3 8 / 29

43 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). Step 3 F 1 is T E -unsatisfiable since i 2 = j i 1 = j i 1 = i 2 but i 1 i 2. 8 / 29

44 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). Step 3 F 1 is T E -unsatisfiable since i 2 = j i 1 = j i 1 = i 2 but i 1 i 2. F 3 is T E -unsatisfiable since f a (j) = v 1 v 1 f a (j) are contradictory. 8 / 29

45 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). Step 3 F 1 is T E -unsatisfiable since i 2 = j i 1 = j i 1 = i 2 but i 1 i 2. F 3 is T E -unsatisfiable since f a (j) = v 1 v 1 f a (j) are contradictory. F 4 is T E -unsatisfiable since f a (j) f a (j) is contradictory. 8 / 29

46 Decision Procedure for QFF of T A Example (cont ) F 1 : i 2 = j i 1 = j i 1 i 2 a[j] = v 1 v 2 a[j], F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 a[j] = v 1 v 1 a[j], F 4 : i 1 j i 2 j i 1 = j i 1 i 2 a[j] = v 1 a[j] a[j]. Step 2 F 1, F 3, F 4 do not contain any write terms, so replace read terms: F 1 : i 2 = j i 1 = j i 1 i 2 f a (j) = v 1 v 2 f a (j), F 3 : i 1 = j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 v 1 f a (j), F 4 : i 1 j i 2 j i 1 = j i 1 i 2 f a (j) = v 1 f a (j) f a (j). Step 3 F 1 is T E -unsatisfiable since i 2 = j i 1 = j i 1 = i 2 but i 1 i 2. F 3 is T E -unsatisfiable since f a (j) = v 1 v 1 f a (j) are contradictory. F 4 is T E -unsatisfiable since f a (j) f a (j) is contradictory. Hence, F is T A -unsatisfiable! 8 / 29

47 Decision Procedure for QFF of T A Actually, the algorithm suffers from an exponential blowup in Step 1: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom 9 / 29

48 Decision Procedure for QFF of T A Actually, the algorithm suffers from an exponential blowup in Step 1: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Idea Avoid it by introducing a fresh variable x aijv : F {a i v [j] x aijv } ((i = j x aijv = v) (i j x aijv = a[j])) 9 / 29

49 Decision Procedure for QFF of T A Actually, the algorithm suffers from an exponential blowup in Step 1: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Idea Avoid it by introducing a fresh variable x aijv : F {a i v [j] x aijv } ((i = j x aijv = v) (i j x aijv = a[j])) But, this is not in the quantifier-free conjunctive fragment of T E. 9 / 29

50 Decision Procedure for QFF of T A Actually, the algorithm suffers from an exponential blowup in Step 1: (i = j F {a i v [j] v}) (i j F {a i v [j] a[j]}) }{{}}{{} (read-over-write 1) axiom (read-over-write 2) axiom Idea Avoid it by introducing a fresh variable x aijv : F {a i v [j] x aijv } ((i = j x aijv = v) (i j x aijv = a[j])) But, this is not in the quantifier-free conjunctive fragment of T E. Theorem (Complexity) T A -satisfiability of a quantifier-free conjunctive Σ A -formula is NP-complete. 9 / 29

51 Is this fragment of T A expressive enough? 10 / 29

52 Is this fragment of T A expressive enough? Is F T A -valid? F : a[i] = e a i e = a 10 / 29

53 Is this fragment of T A expressive enough? F : a[i] = e a i e = a Is F T A -valid? No, since equality between arrays is undefined! 10 / 29

54 Is this fragment of T A expressive enough? F : a[i] = e a i e = a Is F T A -valid? No, since equality between arrays is undefined! F : a[i] = e j. a i e [j] = a[j] Is F T A -valid? 10 / 29

55 Is this fragment of T A expressive enough? F : a[i] = e a i e = a Is F T A -valid? No, since equality between arrays is undefined! F : a[i] = e j. a i e [j] = a[j] Is F T A -valid? Yes, but F is not a quantifier-free Σ A -formula! 10 / 29

56 Is this fragment of T A expressive enough? F : a[i] = e a i e = a Is F T A -valid? No, since equality between arrays is undefined! F : a[i] = e j. a i e [j] = a[j] Is F T A -valid? Yes, but F is not a quantifier-free Σ A -formula! Extensional Theory of Arrays T A = (Levitt et al. 2001) Define equality between arrays as a further axiom for T A : a, b. ( i. a[i] = b[i]) a = b (extensionality) 10 / 29

57 Is this fragment of T A expressive enough? F : a[i] = e a i e = a Is F T A -valid? No, since equality between arrays is undefined! F : a[i] = e j. a i e [j] = a[j] Is F T A -valid? Yes, but F is not a quantifier-free Σ A -formula! Extensional Theory of Arrays T A = (Levitt et al. 2001) Define equality between arrays as a further axiom for T A : a, b. ( i. a[i] = b[i]) a = b Theorem (Decidability) (extensionality) T A = -satisfiability of a quantifier-free Σ= A -formula is decidable. 10 / 29

58 Array Property Fragment of T A Aaron R. Bradley and Zohar Manna, / 29

59 Array Property Fragment of T A Aaron R. Bradley and Zohar Manna, 2007 An array property is a Σ A -formula with a list of variables i: i. F [i] G[i] 11 / 29

60 Array Property Fragment of T A Aaron R. Bradley and Zohar Manna, 2007 An array property is a Σ A -formula with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom var iguard iguard iguard iguard atom var = var evar var var evar evar uvar where uvar i, and evar is any constant or unquantified variable. 11 / 29

61 Array Property Fragment of T A Aaron R. Bradley and Zohar Manna, 2007 An array property is a Σ A -formula with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom var iguard iguard iguard iguard atom var = var evar var var evar evar uvar where uvar i, and evar is any constant or unquantified variable. value constraint G[i]: Each i i occurs only in a read a[i] where a is an array term. Nested reads are not allowed: a[b[i]] 11 / 29

62 Array Property Fragment of T A Aaron R. Bradley and Zohar Manna, 2007 An array property is a Σ A -formula with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom var iguard iguard iguard iguard atom var = var evar var var evar evar uvar where uvar i, and evar is any constant or unquantified variable. value constraint G[i]: Each i i occurs only in a read a[i] where a is an array term. Nested reads are not allowed: a[b[i]] Array Property Fragment of T A : Boolean combination of quantifier-free Σ A -formulas and array properties. 11 / 29

63 Array Property Fragment of T A Examples 12 / 29

64 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. 12 / 29

65 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. 12 / 29

66 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. i. i }{{} = i a k v [i] = b[i]. 12 / 29

67 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. i. i }{{} = i a k v [i] = b[i]. Illegal: i. i a[k] a[i] = a[k]. 12 / 29

68 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. i. i }{{} = i a k v [i] = b[i]. Illegal: i. i a[k] a[i] = a[k]. Rewrite as: v = a[k] i. i v a[i] = a[k]. 12 / 29

69 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. i. i }{{} = i a k v [i] = b[i]. Illegal: i. i a[k] a[i] = a[k]. Rewrite as: v = a[k] i. i v a[i] = a[k]. i. i a[i] a[i] = a[k]. 12 / 29

70 Array Property Fragment of T A Examples Legal: i. i j a j v [i] = w. i. i c a[i] = v with constant c. i. i }{{} = i a k v [i] = b[i]. Illegal: i. i a[k] a[i] = a[k]. Rewrite as: v = a[k] i. i v a[i] = a[k]. i. i a[i] a[i] = a[k]. i, j. i j a[i] = a[j]. 12 / 29

71 Array Property Fragment of T A and Extensionality 13 / 29

72 Array Property Fragment of T A and Extensionality Remark (Extensionality): Two arrays are equal precisely when their corresponding elements are equal. 13 / 29

73 Array Property Fragment of T A and Extensionality Remark (Extensionality): Two arrays are equal precisely when their corresponding elements are equal. For given formula: F : a = b with array terms a and b, rewrite F as: F : ( i. a[i] = b[i]) }{{} Array property F and F are equisatisfiable and F is in array property fragment of T A! 13 / 29

74 Array Property Fragment of T A and Extensionality Remark (Extensionality): Two arrays are equal precisely when their corresponding elements are equal. For given formula: F : a = b with array terms a and b, rewrite F as: F : ( i. a[i] = b[i]) }{{} Array property F and F are equisatisfiable and F is in array property fragment of T A! The array property fragment of T A incorporates T = A. 13 / 29

75 Array Property Fragment of T A Given Σ A -formula F of the array property fragment of T A. 14 / 29

76 Array Property Fragment of T A Given Σ A -formula F of the array property fragment of T A. Problem Decide whether F is T A -satisfiable or not. 14 / 29

77 Array Property Fragment of T A Given Σ A -formula F of the array property fragment of T A. Problem Decide whether F is T A -satisfiable or not. Idea Use quantifier instantiation, which is similar to quantifier elimination. 14 / 29

78 Array Property Fragment of T A Given Σ A -formula F of the array property fragment of T A. Problem Decide whether F is T A -satisfiable or not. Idea Use quantifier instantiation, which is similar to quantifier elimination. Replace universal quantification: by finite conjunction: i.f [i] F [t 1 ] F [t n ] We call t 1,..., t n the index terms which depend on the formula F. 14 / 29

79 Array Property Fragment of T A Given Σ A -formula F of the array property fragment of T A. Problem Decide whether F is T A -satisfiable or not. Idea Use quantifier instantiation, which is similar to quantifier elimination. Replace universal quantification: by finite conjunction: i.f [i] F [t 1 ] F [t n ] We call t 1,..., t n the index terms which depend on the formula F. Find index terms s.t. examination is sufficient to decide satisfiability. 14 / 29

80 Decision Procedure for Array Property Fragment of T A 15 / 29

81 Decision Procedure for Array Property Fragment of T A Step 1 Put F in NNF. 15 / 29

82 Decision Procedure for Array Property Fragment of T A Step 1 Put F in NNF. Step 2 Apply the following rule exhaustively to remove writes: F [a i v ] F [a ] a [i] = v ( j. j i a[j] = a [j]) for fresh a After each application, the formula contains at least one write term fewer. 15 / 29

83 Decision Procedure for Array Property Fragment of T A Step 1 Put F in NNF. Step 2 Apply the following rule exhaustively to remove writes: F [a i v ] F [a ] a [i] = v ( j. j i a[j] = a [j]) for fresh a After each application, the formula contains at least one write term fewer. Step 3 Apply the following rule exhaustively to remove existential quantification: F [ i. G[i]] F [G[j]] for fresh j Existential quantification can arise during Step 1 if the given formula has a negated array property. 15 / 29

84 Decision Procedure for Array Property Fragment of T A Step 4 From the output F 3 of Step 3, construct the index set I: I {λ} := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an evar in the parsing of index guards} 16 / 29

85 Decision Procedure for Array Property Fragment of T A Step 4 From the output F 3 of Step 3, construct the index set I: I {λ} := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an evar in the parsing of index guards} The finite index set I contains: All terms t that occur in some read a[t] anywhere in F (unless it is a universally quantified variable). 16 / 29

86 Decision Procedure for Array Property Fragment of T A Step 4 From the output F 3 of Step 3, construct the index set I: I {λ} := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an evar in the parsing of index guards} The finite index set I contains: All terms t that occur in some read a[t] anywhere in F (unless it is a universally quantified variable). All terms t (constant or unquantified variable) that are compared to a universally quantified variable in some index guard. 16 / 29

87 Decision Procedure for Array Property Fragment of T A Step 4 From the output F 3 of Step 3, construct the index set I: I {λ} := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an evar in the parsing of index guards} The finite index set I contains: All terms t that occur in some read a[t] anywhere in F (unless it is a universally quantified variable). All terms t (constant or unquantified variable) that are compared to a universally quantified variable in some index guard. λ is a fresh constant that represents all other index positions that are not explicitly in I. 16 / 29

88 Decision Procedure for Array Property Fragment of T A Step 5 Apply the following rule exhaustively to remove universal quantification: H[ i. F [i] G[i]] [ ] H (F [i] G[i]) i I n where n is the number of quantified variables i. 17 / 29

89 Decision Procedure for Array Property Fragment of T A Step 5 Apply the following rule exhaustively to remove universal quantification: H[ i. F [i] G[i]] [ ] H (F [i] G[i]) i I n where n is the number of quantified variables i. Step 6 From the output F 5 of Step 5, construct: F 6 : F 5 i I\{λ} λ i The new conjuncts assert that the variable λ of Step 4 is indeed unique. 17 / 29

90 Decision Procedure for Array Property Fragment of T A Step 5 Apply the following rule exhaustively to remove universal quantification: H[ i. F [i] G[i]] [ ] H (F [i] G[i]) i I n where n is the number of quantified variables i. Step 6 From the output F 5 of Step 5, construct: F 6 : F 5 i I\{λ} λ i The new conjuncts assert that the variable λ of Step 4 is indeed unique. Step 7 Decide the T A -satisfiability of F 6 using the decision procedure for the quantifier-free fragment of T A. 17 / 29

91 Decision Procedure for Array Property Fragment of T A Example Is this Σ A -formula T A -valid? F := ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i]) 18 / 29

92 Decision Procedure for Array Property Fragment of T A Example Is this Σ A -formula T A -valid? F := ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i]) Hence, check T A -satisfiability of: (( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i])) 18 / 29

93 Decision Procedure for Array Property Fragment of T A Example Is this Σ A -formula T A -valid? F := ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i]) Hence, check T A -satisfiability of: (( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i])) Step 1: NNF F 1 : ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] b[i]) 18 / 29

94 Decision Procedure for Array Property Fragment of T A Example Is this Σ A -formula T A -valid? F := ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i]) Hence, check T A -satisfiability of: (( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i])) Step 1: NNF F 1 : ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] b[i]) Step 2: Remove writes F 2 : ( i. i k a[i] = b[i]) b[k] = v ( i. a [i] b[i]) a [k] = v ( i. i k a [i] = a[i]) 18 / 29

95 Decision Procedure for Array Property Fragment of T A Example Is this Σ A -formula T A -valid? F := ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i]) Hence, check T A -satisfiability of: (( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] = b[i])) Step 1: NNF F 1 : ( i. i k a[i] = b[i]) b[k] = v ( i. a k v [i] b[i]) Step 2: Remove writes F 2 : ( i. i k a[i] = b[i]) b[k] = v ( i. a [i] b[i]) a [k] = v ( i. i k a [i] = a[i]) Step 3: Remove existential quantifiers F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) 18 / 29

96 Decision Procedure for Array Property Fragment of T A Example (cont ) F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) Step 4: Compute index set I := {λ, k, j} 19 / 29

97 Decision Procedure for Array Property Fragment of T A Example (cont ) F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) Step 4: Compute index set I := {λ, k, j} Step 5+6: Remove universal quantifiers F 6 : (λ k a[λ] = b[λ]) (k k a[k] = b[k]) (j k a[j] = b[j]) b[k] = v a [j] b[j] a [k] = v (λ k a [λ] = a[λ]) (k k a [k] = a[k]) (j k a [j] = a[j]) λ k λ j 19 / 29

98 Decision Procedure for Array Property Fragment of T A Example (cont ) F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) Step 4: Compute index set I := {λ, k, j} Step 5+6: Remove universal quantifiers F 6 : (λ k a[λ] = b[λ]) (k k a[k] = b[k]) (j k a[j] = b[j]) b[k] = v a [j] b[j] a [k] = v (λ k a [λ] = a[λ]) (k k a [k] = a[k]) (j k a [j] = a[j]) λ k λ j Step 7: Case distinction on j = k reveals: j = k: a [j] = v and b[j] = v but a [j] b[j], thus contraction. 19 / 29

99 Decision Procedure for Array Property Fragment of T A Example (cont ) F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) Step 4: Compute index set I := {λ, k, j} Step 5+6: Remove universal quantifiers F 6 : (λ k a[λ] = b[λ]) (k k a[k] = b[k]) (j k a[j] = b[j]) b[k] = v a [j] b[j] a [k] = v (λ k a [λ] = a[λ]) (k k a [k] = a[k]) (j k a [j] = a[j]) λ k λ j Step 7: Case distinction on j = k reveals: j = k: a [j] = v and b[j] = v but a [j] b[j], thus contraction. j k: b[j] = a[j] and a [j] = a[j] but b[j] a [j], thus contraction. 19 / 29

100 Decision Procedure for Array Property Fragment of T A Example (cont ) F 3 : ( i. i k a[i] = b[i]) b[k] = v a [j] b[j] a [k] = v ( i. i k a [i] = a[i]) Step 4: Compute index set I := {λ, k, j} Step 5+6: Remove universal quantifiers F 6 : (λ k a[λ] = b[λ]) (k k a[k] = b[k]) (j k a[j] = b[j]) b[k] = v a [j] b[j] a [k] = v (λ k a [λ] = a[λ]) (k k a [k] = a[k]) (j k a [j] = a[j]) λ k λ j Step 7: Case distinction on j = k reveals: j = k: a [j] = v and b[j] = v but a [j] b[j], thus contraction. j k: b[j] = a[j] and a [j] = a[j] but b[j] a [j], thus contraction. Hence, F is T A -valid! 19 / 29

101 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. 20 / 29

102 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. 20 / 29

103 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. Assume I = F 6 and index set I. Construct J such that J = F : 20 / 29

104 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. Assume I = F 6 and index set I. Construct J such that J = F : If α I [i] = v i for i I and α I [λ] = v λ then 20 / 29

105 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. Assume I = F 6 and index set I. Construct J such that J = F : If α I [i] = v i for i I and α I [λ] = v λ then proj I (t) = { i if αi [t] = v i for some i I λ otherwise 20 / 29

106 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. Assume I = F 6 and index set I. Construct J such that J = F : If α I [i] = v i for i I and α I [λ] = v λ then proj I (t) = { i if αi [t] = v i for some i I λ otherwise Extend proj I to vectors of variables. 20 / 29

107 Decision Procedure for Array Property Fragment of T A Theorem (Sound & Complete) Let F be a Σ A -formula of the array property fragment of T A. The output of F 6 by the algorithm is T A -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Step 6 does not affect the satisfiability of F 6, as λ is a fresh constant. Assume I = F 6 and index set I. Construct J such that J = F : If α I [i] = v i for i I and α I [λ] = v λ then proj I (t) = { i if αi [t] = v i for some i I λ otherwise Extend proj I to vectors of variables. Define J like I except for arrays, i.e., a[i] = a[proj I (i)]. 20 / 29

108 Decision Procedure for Array Property Fragment of T A This even works, when we extend T A with an arbitrary theory T with signature Σ for the array elements! 21 / 29

109 Decision Procedure for Array Property Fragment of T A This even works, when we extend T A with an arbitrary theory T with signature Σ for the array elements! Theorem (Sound & Complete) Let F be a (Σ A Σ)-formula of the array property fragment of (T A T ). The output of F 6 by the algorithm is (T A T )-equisatisfiable to F. 21 / 29

110 Decision Procedure for Array Property Fragment of T A This even works, when we extend T A with an arbitrary theory T with signature Σ for the array elements! Theorem (Sound & Complete) Let F be a (Σ A Σ)-formula of the array property fragment of (T A T ). The output of F 6 by the algorithm is (T A T )-equisatisfiable to F. Theorem (Complexity) Suppose T -satisfiability is in NP. For sub-fragments of the array property fragment of (T A T ) in which formula have bounded-size blocks of quantifiers, (T A T )-satisfiability is NP-complete. 21 / 29

111 Is this fragment of T A expressive enough? 22 / 29

112 Is this fragment of T A expressive enough? No, we considered only arrays with uninterpreted indices but software engineers usually think of arrays as integer-indexed cells in memory! 22 / 29

113 Is this fragment of T A expressive enough? No, we considered only arrays with uninterpreted indices but software engineers usually think of arrays as integer-indexed cells in memory! Containment, the array a contains element e at some index between l and u: i. l i u a[i] = e 22 / 29

114 Is this fragment of T A expressive enough? No, we considered only arrays with uninterpreted indices but software engineers usually think of arrays as integer-indexed cells in memory! Containment, the array a contains element e at some index between l and u: i. l i u a[i] = e Sortedness, the array a is sorted between index l and index u: i, j. l i j u a[i] a[j] 22 / 29

115 Is this fragment of T A expressive enough? No, we considered only arrays with uninterpreted indices but software engineers usually think of arrays as integer-indexed cells in memory! Containment, the array a contains element e at some index between l and u: i. l i u a[i] = e Sortedness, the array a is sorted between index l and index u: i, j. l i j u a[i] a[j] Partitioning, the array elements between l 1 and u 1 are smaller than all elements between l 2 and u 2 : i, j. l 1 i u 1 l 2 j u 2 a[i] a[j] 22 / 29

116 Is this fragment of T A expressive enough? No, we considered only arrays with uninterpreted indices but software engineers usually think of arrays as integer-indexed cells in memory! Containment, the array a contains element e at some index between l and u: i. l i u a[i] = e Sortedness, the array a is sorted between index l and index u: i, j. l i j u a[i] a[j] Partitioning, the array elements between l 1 and u 1 are smaller than all elements between l 2 and u 2 : i, j. l 1 i u 1 l 2 j u 2 a[i] a[j] Theory of Integer-Indexed Arrays T Z A (Bradley, Manna, Sipma 2006) 22 / 29

117 Array Property Fragment of T Z A Now, array properties are (Σ A Σ Z )-formulas with a list of variables i: i. F [i] G[i] 23 / 29

118 Array Property Fragment of T Z A Now, array properties are (Σ A Σ Z )-formulas with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom iguard iguard iguard iguard atom expr expr expr = expr expr uvar pexpr pexpr pexpr pexpr Z Z evar pexpr + pexpr where uvar i, and evar is any existential quantified or free integer variable. 23 / 29

119 Array Property Fragment of T Z A Now, array properties are (Σ A Σ Z )-formulas with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom iguard iguard iguard iguard atom expr expr expr = expr expr uvar pexpr pexpr pexpr pexpr Z Z evar pexpr + pexpr where uvar i, and evar is any existential quantified or free integer variable. value constraint G[i]: like in the array property fragment of T A. 23 / 29

120 Array Property Fragment of T Z A Now, array properties are (Σ A Σ Z )-formulas with a list of variables i: index guard F [i]: i. F [i] G[i] iguard atom iguard iguard iguard iguard atom expr expr expr = expr expr uvar pexpr pexpr pexpr pexpr Z Z evar pexpr + pexpr where uvar i, and evar is any existential quantified or free integer variable. value constraint G[i]: like in the array property fragment of T A. Array Property Fragment of T Z A : Boolean combination of quantifier-free (Σ A Σ Z )-formulas and array properties. 23 / 29

121 Decision Procedure for Array Property Fragment of T Z A 24 / 29

122 Decision Procedure for Array Property Fragment of T Z A Step 1 Put F in NNF. 24 / 29

123 Decision Procedure for Array Property Fragment of T Z A Step 1 Put F in NNF. Step 2 Apply the following rule exhaustively to remove writes: F [a i v ] F [a ] a [i] = v ( j. j i a[j] = a [j]) for fresh a Rewrite index guard to match syntactic requierements: j.j i 1 i + 1 j a[j] = a [j] 24 / 29

124 Decision Procedure for Array Property Fragment of T Z A Step 1 Put F in NNF. Step 2 Apply the following rule exhaustively to remove writes: F [a i v ] F [a ] a [i] = v ( j. j i a[j] = a [j]) for fresh a Rewrite index guard to match syntactic requierements: j.j i 1 i + 1 j a[j] = a [j] Step 3 Apply the following rule exhaustively to remove existential quantification: F [ i. G[i]] F [G[j]] for fresh j 24 / 29

125 Decision Procedure for Array Property Fragment of T Z A Step 4 From the output F 3 of step 3, construct the index set I: I := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an pexpr in the parsing of index guards} If I =, then let I := {0}. 25 / 29

126 Decision Procedure for Array Property Fragment of T Z A Step 4 From the output F 3 of step 3, construct the index set I: I := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an pexpr in the parsing of index guards} If I =, then let I := {0}. The index set contains all relevant symbolic indices that occur in F / 29

127 Decision Procedure for Array Property Fragment of T Z A Step 4 From the output F 3 of step 3, construct the index set I: I := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an pexpr in the parsing of index guards} If I =, then let I := {0}. The index set contains all relevant symbolic indices that occur in F 3. Step 5 Apply the following rule exhaustively to remove universal quantification: H[ i. F [i] G[i]] [ ] H (F [i] G[i]) i I n where n is the number of quantified variables i. 25 / 29

128 Decision Procedure for Array Property Fragment of T Z A Step 4 From the output F 3 of step 3, construct the index set I: I := {t : [t] F 3 such that t is not a universally quantified variable} {t : t occurs as an pexpr in the parsing of index guards} If I =, then let I := {0}. The index set contains all relevant symbolic indices that occur in F 3. Step 5 Apply the following rule exhaustively to remove universal quantification: H[ i. F [i] G[i]] [ ] H (F [i] G[i]) i I n where n is the number of quantified variables i. Step 6 Decide the T Z A -satisfiability of F 5 using the decision procedure for the quantifier-free fragment of T Z A. 25 / 29

129 Decision Procedure for Array Property Fragment of T Z A Theorem (Sound & Complete) Let F be a Σ Z A -formula of the array property fragment of T A Z. The output of F 5 by the algorithm is TA Z -equisatisfiable to F. 26 / 29

130 Decision Procedure for Array Property Fragment of T Z A Theorem (Sound & Complete) Let F be a Σ Z A -formula of the array property fragment of T A Z. The output of F 5 by the algorithm is TA Z -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. 26 / 29

131 Decision Procedure for Array Property Fragment of T Z A Theorem (Sound & Complete) Let F be a Σ Z A -formula of the array property fragment of T A Z. The output of F 5 by the algorithm is TA Z -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Assume I = F 5 and index set I. Construct J such that J = F : 26 / 29

132 Decision Procedure for Array Property Fragment of T Z A Theorem (Sound & Complete) Let F be a Σ Z A -formula of the array property fragment of T A Z. The output of F 5 by the algorithm is TA Z -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Assume I = F 5 and index set I. Construct J such that J = F : iff proj I (t) = i I α I[i] α I[t] ( j I. α I[j] α I[t] α I[j] α I[i]). or α I[t] > α I[i] ( j I. α I[i] α I[j]). 26 / 29

133 Decision Procedure for Array Property Fragment of T Z A Theorem (Sound & Complete) Let F be a Σ Z A -formula of the array property fragment of T A Z. The output of F 5 by the algorithm is TA Z -equisatisfiable to F. Proof (Sketch): Step 5 weakens universal quantification to finite conjunction. Assume I = F 5 and index set I. Construct J such that J = F : iff proj I (t) = i I α I[i] α I[t] ( j I. α I[j] α I[t] α I[j] α I[i]). or α I[t] > α I[i] ( j I. α I[i] α I[j]). Extend proj I to vectors. Define J like I except for arrays, i.e., a[i] = a[proj I (i)]. 26 / 29

134 Decision Procedure for Array Property Fragment of T Z A Assume an arbitrary theory T with signature Σ for the array elements. Theorem (Sound & Complete) Let F be a (Σ Z A Σ)-formula of the array property fragment of (T A Z T ). The output of F 5 by the algorithm is (TA Z T )-equisatisfiable to F. 27 / 29

135 Decision Procedure for Array Property Fragment of T Z A Assume an arbitrary theory T with signature Σ for the array elements. Theorem (Sound & Complete) Let F be a (Σ Z A Σ)-formula of the array property fragment of (T A Z T ). The output of F 5 by the algorithm is (TA Z T )-equisatisfiable to F. Theorem (Complexity) Suppose T -satisfiability is in NP. For sub-fragments of the array property fragment of (TA Z T ) in which formula have bounded-size blocks of quantifiers, (TA Z T )-satisfiability is NP-complete. 27 / 29

136 Conclusion For verification purpose we need support for Theory of Arrays. 28 / 29

137 Conclusion For verification purpose we need support for Theory of Arrays. Succint fragments are decidable and NP-complete. 28 / 29

138 Conclusion For verification purpose we need support for Theory of Arrays. Succint fragments are decidable and NP-complete. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { if(arr [i] >= max ) { max = arr [i]; } } return max ; } 28 / 29

139 Conclusion For verification purpose we need support for Theory of Arrays. Succint fragments are decidable and NP-complete. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { if(arr [i] >= max ) { max = arr [i]; } Required Theories } return max ; T Z T E T A } 28 / 29

140 Conclusion For verification purpose we need support for Theory of Arrays. Succint fragments are decidable and NP-complete. arr > 0 forall ix. ( ix >= 0 && ix < arr -> rv >= arr [ ix ]) int max ( int [] arr ) { int max = arr [0]; forall j. (j < i && j >= 0 -> max >= arr [j]) for ( int i = 1; i < arr ; i = i + 1) { if(arr [i] >= max ) { max = arr [i]; } Required Theories } return max ; T Z T E T A } 28 / 29

141 29 / 29 Bibliography Aaron R. Bradley and Zohar Manna The Calculus of Computation. Springer Berlin Heidelberg, 2007 Aaron R. Bradley, Zohar Manna, and Henny B. Sipma Whats Decidable About Arrays? In VMCAI 06 Proceedings of the 7th International Conference of Verification, Model Checking and Abstract Interpretation, p Aaron Stump, Clark W Barrett, David L. Dill, and Jeremy Levitt A Decision Procedure for an Extensional Theory of Arrays. In LICS 01 Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science, p Jochen Hoenicke Decision Procedures Summer Theory of Arrays Software Engineering, Albert-Ludwigs-University Freiburg