Bradley, Manna. The Calculus of Computation, Springer, 2007
.pdf
178 6 Program Correctness: Strategies
define int e = ?;
@pre
@post wperm(a, a0, e)
int[] BubbleSort(int[] a0) { int[] a := a0;
for
@L1 : −1 ≤ i < |a| wperm(a, a0, e) (int i := |a| − 1; i > 0; i := i − 1) { for
@L2 : 0 ≤ j < i i < |a| wperm(a, a0, e) (int j := 0; j < i; j := j + 1) {
if (a[j] > a[j + 1]) { int t := a[j];
a[j] := a[j + 1]; a[j + 1] := t;
}
}
}
return a;
}
Fig. 6.10. BubbleSort with annotations for weak permutation
define int e = ?; |
|
|
@pre |
|
|
@post»( |
i. 0 ≤ i < |rv | rv [i] = e) |
|
↔ ( i. 0 |
≤ i < |a0| a0[i] = e) ( i. 0 ≤ i < |b0| b0[i] = e)– |
|
int[] union(int[] a0, int[] b0) { int[] u := new int[|a0| + |b0|]; int j := 0;
for @
(int i = 0; i < |a0|; i := i + 1) { u[j] := a0[i];
j := j + 1;
}
for @
(int i = 0; i < |b0|; i := i + 1) { u[j] := b0[i];
j := j + 1;
}
return u;
}
Fig. 6.11. Function union of the linear set implementation
|
|
|
Exercises |
179 |
define int e = ?; |
|
|
|
|
@pre sorted(a0, 0, |a0| − 1) |
sorted(b0, 0, |b0| − 1) |
|
3 |
|
@post2 |
( i. 0 ≤ i < |a0| a0[i] = e) ( i. 0 ≤ i < |b0| b0[i] = e) |
|||
sorted(rv , 0, |rv | − 1) |
– |
|
||
» |
↔ ( i. 0 ≤ i < |rv | rv [i] = e) |
5 |
||
4 |
|
b0) { |
|
|
int[] union(int[] a0, int[] |
|
|
||
int[] u := new int[|a0| + |b0|]; |
|
|
||
int i := 0, j := 0; |
|
|
|
|
for @ |
|
|
|
|
(int k = 0; k < |u|; k := k + 1) { |
|
|
||
if (i ≥ |a0|) { |
|
|
|
|
u[k] := b0[j]; |
|
|
|
|
j := j + 1; |
|
|
|
|
} |
|
|
|
|
else if (j ≥ |b0|) { |
|
|
|
|
u[k] := a0[i]; |
|
|
|
|
i := i + 1; |
|
|
|
|
} |
|
|
|
|
else if (a0[i] ≤ b0[j]) |
{ |
|
|
|
u[k] := a0[i]; |
|
|
|
|
i := i + 1; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
u[k] := b0[j]; |
|
|
|
|
j := j + 1; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
return u; |
|
|
|
|
} |
|
|
|
|
Fig. 6.12. Function union of the sorted set implementation
Part II
Algorithmic Reasoning
It is reasonable to hope that the relationship between computation and mathematical logic will be as fruitful in the next century as that between analysis and physics in the last. The development of this relationship demands a concern for both applications and mathematical elegance.
— John McCarthy
A Basis for a Mathematical Theory of Computation, 1963
Having established in Part I the mathematical foundations for precision in designing and implementing software and hardware systems, we turn in Part
IIto the task of automating some of the required logical reasoning. Chapters 7–10 discuss decision procedures for many of the theories and
fragments of theories introduced in Chapter 3. These decision procedures automate the task of proving the verification conditions of Chapters 5 and 6. Chapter 7 applies the method of quantifier elimination to decide validity in TZ and TQ. Chapters 8 and 9 focus on decision procedures for the quantifierfree fragments of the theories TQ, TE, Tcons, and TA. In Chapter 10, these procedures are combined in the Nelson-Oppen framework to address formulae with symbols of multiple signatures. The treatment of arrays in Chapter 11 looks beyond the quantifier-free fragment, but we show how the combination method of Chapter 10 still applies.
Chapter 12 turns to automating the inductive assertion method of Chapter 5. It presents a methodology for constructing algorithms that learn inductive facts about software. These algorithms reduce the burden on the engineer to provide annotations.
7
Quantified Linear Arithmetic
Whilst in [Presburger arithmetic] one can only state rather simple theorems, yet an e cient algorithm. . . is useful in that it can quickly dispose of a host of the simpler formulas. . . , leaving only the more complex to be dealt with by some more general theorem prover or by the human.
— David C. Cooper
Theorem Proving in Arithmetic Without Multiplication, 1972
Recall from Chapter 3 that satisfiability in the theories of linear integer arithmetic TZ and linear rational (or real) arithmetic TQ is decidable. This chapter explores a common method of deciding satisfiability of arbitrarily quantified formulae in decidable theories in the context of TZ and TQ.
A quantifier elimination procedure is an algorithm that constructs from a given formula an equivalent quantifier-free formula. When the given formula does not have any free variables, the atoms of the resulting formula are applications of predicates to constant terms such as 3 < 5. If the truth value of these constant terms is decidable, a quantifier elimination procedure provides a basis for a satisfiability decidable procedure. When the given formula contains free variables, the resulting quantifier-free formula contains a subset of these free variables.
Section 7.1 presents the method of quantifier elimination in an abstract context. Sections 7.2 and 7.3 then present quantifier elimination methods for the theory of integers TZ and the theory of rationals TQ, respectively. The complexity results of Section 7.4 suggest that these algorithms are near-optimal in time complexity, although quantifier-elimination methods are, in general, computationally expensive.
Sections 7.2.4 and 7.2.5 discuss optimizations for the integer case that are particularly e ective when the given formula has only existential quantifiers or only universal quantifiers. With these optimizations, the quantifier elimination method for TZ is our main decision procedure for the quantifier-free fragment
184 7 Quantified Linear Arithmetic
of TZ . However, the case for TQ is di erent: Chapter 8 presents a special decision procedure for the quantifier-free fragment of TQ.
7.1 Quantifier Elimination
7.1.1 Quantifier Elimination
Quantifier elimination (QE) is the main technique that underlies the algorithms of this chapter. As the name suggests, the idea is to eliminate quantifiers of a formula F until only a quantifier-free formula G that is equivalent to F remains.
Formally, a theory T admits quantifier elimination if there is an algorithm that, given Σ-formula F , returns a quantifier-free Σ-formula G that is T -equivalent to F . Then T is decidable if satisfiability in the quantifier-free fragment of T is decidable.
Example 7.1. Consider the ΣQ-formula
F : x. 2x = y ,
which expresses the set of rationals y that can be halved. Intuitively, all rationals can be halved, so a quantifier-free TQ-equivalent formula is
G : ,
which expresses the set of all rationals. Also, G states that F is valid. |
|
Example 7.2. Consider the ΣZ -formula
F : x. 2x = y ,
which expresses the set of integers y that can be halved (to produce another integer). Intuitively, only even integers can be halved. Can you think of a quantifier-free TZ -equivalent formula to F ? In fact, no such formula exists. Later, we introduce an augmented theory of integers that contains a countably infinite number of divisibility predicates. For example, in this extended theory, an equivalent formula to F is
G : 2 | y ,
which expresses the set of even integers: integers that are divisible by 2.
7.2 Quantifier Elimination over Integers |
185 |
7.1.2 A Simplification
In developing a QE algorithm for theory T , we need only consider formulae of the form x. F for quantifier-free formula F . For given arbitrary formula G, choose the innermost quantified formula x. H or x. H. In the latter case, rewrite x. H as ¬( x. ¬H) and focus on the subformula x. ¬H inside the negation.
In both the existential and universal cases, we now have a formula of the form x. F to which we apply the QE algorithm to find T -equivalent and quantifier-free formula H′. In the existential case, replace x. H in G with H′. In the universal case, replace x. H in G with ¬H′.
Example 7.3. Consider the Σ-formula
G1 : x. y. z. F1[x, y, z] ,
and assume that T admits quantifier elimination. The innermost quantified formula is z. F1[x, y, z]. Applying the QE algorithm for T to this subformula returns F2[x, y]:
G2 : x. y. F2[x, y] .
The innermost quantified formula is now y. F2[x, y]; rewriting, we have
G3 : x. ¬( y. ¬F2[x, y]) .
Applying the QE algorithm to the existential subformula y. ¬F2[x, y] produces F3[x]. We now have
G4 : x. ¬F3[x] .
Finally, applying the QE algorithm one more time to G4 produces a quantifierfree formula G5. G5 is T -equivalent to G1.
7.2 Quantifier Elimination over Integers
We now turn to the theory of integers TZ . Presburger showed this theory to be decidable in 1929. We discuss the QE procedure of Cooper, first described in 1971.
7.2.1 Augmented Theory of Integers
Recall that TZ has the following signature:
ΣZ : {. . . , −2, −1, 0, 1, 2, . . . , −3·, −2·, 2·, 3·, . . . , +, −, =, <} ,
where
186 7 Quantified Linear Arithmetic
•. . . , −2, −1, 0, 1, 2, . . . are constants, intended to be assigned the obvious corresponding values in the intended domain Z;
•. . . , −3·, −2·, 2·, 3·, . . . are unary functions, intended to represent constant coe cients (e.g., 2 · x, abbreviated 2x);
•+ and − are binary functions, intended to represent the obvious corresponding functions over Z;
•= and > are binary predicates, intended to represent the obvious corresponding predicates over Z.
Example 7.2 claims that the ΣZ -formula x. 2x = y does not have a TZ - equivalent quantifier-free formula. The following lemma proves a more general claim.
Lemma 7.4. Consider quantifier-free ΣZ-formula F such that free(F ) = {y}. F represents the set of integers
S : {n Z : F {y 7→n} is TZ -valid} .
Either S ∩ Z+ or Z+ \ S is finite.
Z+ is the set of positive integers; ∩ and \ are set intersection and complement, respectively. The lemma says that every quantifier-free ΣZ -formula with only one free variable represents a set of integers S such that either the subset of positive integers in S has finite cardinality or the set of positive integers not in S has finite cardinality. Exercise 7.1 asks the reader to prove this lemma.
Consider again the case of x. 2x = y, and let S be the set of integers satisfying the formula, namely the even integers. Since both the set of positive even integers S ∩Z+ and the set of positive odd integers Z+ \S are infinite, the set of even integers cannot be represented in TZ by a quantifier-free formula according to the lemma. Therefore, there is no quantifier-free ΣZ -formula that is TZ-equivalent to x. 2x = y, and thus TZ does not admit QE.
To circumvent this problem, we augment the theory TZ with an infinite but countable number of unary divisibility predicates
k | · for k Z+ ;
that is, a predicate exists for each positive integer k. The intended interpretation of k | x is that it holds i k divides x without any remainder. For example,
x > 1 y > 1 2 | x + y
is satisfiable (choose x = 2 and y = 2), but
¬(2 | x) 4 | x
is not satisfiable.
7.2 Quantifier Elimination over Integers |
187 |
c
The augmented theory TZ extends the signature of TZ with these divisibility predicates. Additionally, the predicates are defined by the countable set of axioms
x. k | x ↔ y. x = ky |
(divides) |
||
|
|
c |
|
for k |
|
Z+. The next section shows that TZ |
admits QE. |
7.2.2 Cooper’s Method
In this section, we present the basic form of Cooper’s quantifier elimination method. In the subsequent sections, we examine a set of optimizations.
The algorithm is given a ΣZ-formula x. F [x] as input, where F is quantifier-free but may contain free variables in addition to x. It then proceeds
|
|
-formula that is T |
|
|
|
|
|
|
-equivalent to x. F [x] ac- |
||
to construct a quantifier-free ΣZc |
|
Z |
|
||
cording to the following |
steps. |
|
c |
|
|
c |
|
|
|||
Step 1
c
Put F [x] in NNF. The output x. F1[x] is TZ -equivalent to x. F [x] and is such that F1 is a positive Boolean combination (only and ) of literals.
Step 2
c
Replace literals according to the following TZ -equivalences, applied from left to right:
s = t |
s < t + 1 |
|
¬(s = t) |
s < t |
|
¬(s < t) |
|
t < s + 1 |
t < s + 1 t < s
The output |
x. F |
[x] is TZ |
-equivalent to x. F [x] and contains only literals |
||
of the form |
2 |
c |
|
|
|
s < t , k | t , or ¬(k | t) , |
|||||
where s, t are ΣZ -terms and k Z+. |
|||||
|
|
|
c |
-equivalences to |
|
|
Applying the T |
Z |
|||
Example 7.5.c |
|
|
|
||
¬(x < y) ¬(x = y + 3)
c
produces the TZ-equivalent formula
y < x + 1 (x < y + 3 y + 3 < x) .
188 7 Quantified Linear Arithmetic
Step 3
Collect terms containing x so that literals have the form
hx < t , t < hx , k | hx + t , or ¬(k | hx + t) ,
where t is a term that does not contain x and h, k Z+. The output is the
c formula x. F3[x], which is TZ-equivalent to x. F [x].
Example 7.6. Collecting terms in
x + x + y < z + 3z + 2y − 4x
c
produces the TZ-equivalent formula
6x < 4z + y .
Step 4
Let
δ′ = lcm{h : h is a coe cient of x in F3[x]} ,
where lcm returns the least common multiple of the set. Multiply atoms in F3[x] by constants so that δ′ is the coe cient of x everywhere:
|
|
′ |
′ |
|
|
|
|
|
′ |
′ |
hx < t |
δ ′x < h′ t |
|
|
|
|
where |
h′h = δ′ |
|||
t < hx |
h′t < δ′ |
x |
′ |
|
|
|
where |
h′h = δ′ |
||
k | hx + t |
|
h k ′| δ x |
′+ h |
t |
′ |
t) |
where |
h′h = δ′ |
||
¬(k | hx + t) |
|
¬(h k | δ x + h |
where |
h h = δ |
|
|||||
Notice the abuse of notation: h′k | · is a di erent (unary) predicate than k | ·. This rewriting results in formula F3′ in which all occurrences of x occur in terms δ′x. Replace δ′x terms with a fresh variable x′ to form F3′′:
F3′′ : F3′{δ′x 7→x′} .
Finally, construct
x′. F3′′[x′] δ′ | x′ . |
|
| |
{z } |
F4 [x′]
The divisibility literal constrains the fresh variable x′ to be divisible by δ′, which exactly captures the values of δ′x.
′ ′ c ′
x . F4[x ] is TZ -equivalent to x. F [x]. Moreover, each literal of F4[x ] that contains x′ has one of the following forms:
(A)x′ < a
(B)b < x′
(C)h | x′ + c
(D)¬(k | x′ + d)
where a, b, c, d are terms that do not contain x, and h, k Z+.
7.2 Quantifier Elimination over Integers |
189 |
Step 5 |
|
Construct the left infinite projection F−∞[x′] from F4[x′] by replacing
(A) literals x′ < a by
and
(B) literals b < x′ by .
The idea is that very small numbers (the left side of the “number line”) satisfy
(A) literals but not (B) literals.
Let |
|
h of (C) literals h x′ + c |
|
δ = lcm k of (D) literals ¬(|k | x′ + d) |
and B be the set of b terms appearing in (B) literals. Construct
|
δ |
δ |
_ |
|
|
F−∞[j] |
|
|
|
F5 : |
|
F4[b + j] . |
|
|
|
j=1 |
j=1 b B |
|
|
5 |
|
c |
|
|
F is quantifier-free and TZ |
-equivalent to |
x. F [x]. |
||
Step 5 is the trickiest part of the procedure, so let us focus on this step. The first major disjunct of F5 contains only divisibility literals. It asserts that an infinite number of small numbers n satisfy F4[n]. For if there exists one number n that satisfies the Boolean combination of divisibility literals in F−∞, then every n − λδ, for λ Z+, also satisfies F−∞.
The second major disjunct asserts that there is a least n Z that satisfies F4[n]. This least n is determined by the b terms of the (B) literals.
More formerly, consider the following periodicity property of the divisibility predicates:
If m | δ, then m | n i m | n + λδ for all λ Z.
In other words, m | · cannot distinguish between the cases m | n and m | n+λδ. Since δ is chosen in Step 5 to be the least common multiple of the integers h and k of the divides predicates, no divides literal in F5 can distinguish between two integers n and n + λδ, for any λ Z.
With this property in mind, consider the first major disjunct of F5 again. If n Z satisfies F [n], then so does n − λδ for λ Z+. Then surely a small enough number exists that satisfies all (A) literals and falsifies all (B) literals of F4, mirroring the construction of F−∞.
For the second major disjunct, suppose that some number n satisfies F4[n]. Decreasing this number continues to satisfy the same (A) literals. It cannot decrease past some value b without changing the truth of some (B) literal.