Bradley, Manna. The Calculus of Computation, Springer, 2007
.pdf
11.2 Integer-Indexed Arrays |
301 |
•Universal properties F [x] in TA T , where F [x] is a Σ-formula:
i. F [a[i]]
•Bounded universal properties F [x] in TAZ T , where F [x] is a Σ-formula:
i. ℓ ≤ i ≤ u → F [a[i]]
•Bounded and unbounded sorted arrays sorted(a, ℓ, u) in TAZ TZ or TAZ TQ :
i, j. ℓ ≤ i ≤ j ≤ u → a[i] ≤ a[j]
•Partitioned arrays partitioned(a, ℓ1, u1, ℓ2, u2) in TAZ TZ or TAZ TQ:
i, j, ℓ1 ≤ i ≤ u1 < ℓ2 ≤ j ≤ u2 → a[i] ≤ a[j]
The last two predicates are necessary for reasoning about sorting algorithms, while the first four forms of properties are useful in general. For example, bounded equality is essential for summarizing the e ects of a function on an array — in particular, what parts of the array are unchanged.
11.2.2 Decision Procedure
As in Section 11.1, the idea of the decision procedure is to reduce universal quantification to finite conjunction. Given F from the array property fragment of TAZ, decide its TAZ-satisfiability as follows:
Step 1
Put F in NNF.
Step 2
Apply the following rule exhaustively to remove writes:
′ |
] |
|
′ |
[i] = e |
F [ahi ei] |
′ |
[j]) |
for fresh a′ |
(write) |
F [a |
a |
( j. j 6= i → |
a[j] = a |
|
|
To meet the syntactic requirements on an index guard, rewrite the third conjunct as
j. j ≤ i − 1 i + 1 ≤ j → a[j] = a′[j] .
Step 3
Apply the following rule exhaustively to remove existential quantification:
F [ i. G[i]] |
for fresh j (exists) |
F [G[j]] |
|
Existential quantification can arise during Step 1 if the given formula has a negated array property.
302 11 Arrays
Step 4
From the output of Step 3, F3, construct the index set I:
{t : ·[t] F3 such that t is not a universally quantified variable} I = {t : t occurs as a pexpr in the parsing of index guards}
If I = , then let I = {0}. The index set contains all relevant symbolic indices that occur in F3.
Step 5
Apply the following rule exhaustively to remove universal quantification:
H |
H[ i. F [i] → G[i]] |
|
(forall) |
|
|
F [i] → G[i] |
|
||
|
|
^ |
|
|
i In
n is the size of the block of universal quantifiers over i.
Step 6
F5 is quantifier-free. Decide the (TA TZ )-satisfiability of the resulting formula.
Suppose array elements are interpreted in some theory T with signature Σ. For deciding the (TAZ T )-satisfiability of an array property (ΣAZ Σ)- formula, use a combination decision procedure for the quantifier-free fragment of TA TZ T in Step 6. Thus, this procedure is a decision procedure precisely when the quantifier-free fragment of TA TZ T is decidable. Chapter 10 discusses deciding satisfiability in combinations of quantifier-free fragments of theories.
Example 11.10. Consider the following ΣAZ -formula:
F: ( i. ℓ ≤ i ≤ u → a[i] = b[i])
¬( i. ℓ ≤ i ≤ u + 1 → ahu + 1 b[u + 1]i[i] = b[i]) .
In NNF, we have
F1 : ( i. ℓ ≤ i ≤ u → a[i] = b[i])
( i. ℓ ≤ i ≤ u + 1 ahu + 1 b[u + 1]i[i] 6= b[i]) .
Step 2 produces
F2 : ( i. ℓ ≤ i ≤ u → a[i] = b[i])
( i. ℓ ≤ i ≤ u + 1 a′[i] 6= b[i])
a′[u + 1] = b[u + 1]
( j. j ≤ u + 1 − 1 u + 1 + 1 ≤ j → a[j] = a′[j]) .
11.2 Integer-Indexed Arrays |
303 |
Step 3 removes the existential quantifier by introducing a fresh constant k:
F3 : ( i. ℓ ≤ i ≤ u → a[i] = b[i])
ℓ ≤ k ≤ u + 1 a′[k] 6=b[k]
a′[u + 1] = b[u + 1]
( j. j ≤ u + 1 − 1 u + 1 + 1 ≤ j → a[j] = a′[j]) .
Simplifying, we have
F3′ : ( i. ℓ ≤ i ≤ u → a[i] = b[i])
ℓ ≤ k ≤ u + 1 a′[k] 6=b[k]
a′[u + 1] = b[u + 1]
( j. j ≤ u u + 2 ≤ j → a[j] = a′[j]) .
The index set is thus
I = {k, u + 1} {ℓ, u, u + 2} ,
which includes the read terms k and u + 1 and the terms ℓ, u, and u + 2 that occur as pexprs in the index guards. Step 5 rewrites universal quantification to finite conjunction over this set:
^
F5 : |
(ℓ ≤ i ≤ u → a[i] = b[i]) |
|
|
i I |
′≤ k ≤ u + 1 a′[k] 6=b[k] |
|
ℓ |
|
|
a [u + 1] = b[u + 1] |
|
|
|
^ |
|
(j ≤ u u + 2 ≤ j → a[j] = a′[j]) . |
|
|
j |
I |
Expanding the conjunctions according to the index set I and simplifying according to trivially true or false antecedents (ℓ ≤ u + 1 ≤ u simplifies to , while u ≤ u u + 2 ≤ u simplifies to ) produces:
F5′ : (ℓ ≤ k ≤ u → a[k] = b[k])
(ℓ ≤ u → a[ℓ] = b[ℓ] a[u] = b[u])
ℓ ≤ k ≤ u + 1 a′[k] 6=b[k]
a′[u + 1] = b[u + 1]
(k ≤ u u + 2 ≤ k → a[k] = a′[k])(ℓ ≤ u u + 2 ≤ ℓ → a[ℓ] = a′[ℓ])a[u] = a′[u] a[u + 2] = a′[u + 2] .
(TA TZ)-satisfiability of this quantifier-free (ΣA ΣZ )-formula can be decided using the techniques of Chapter 10. But let us finish the example. F5′ is (TA TZ)-unsatisfiable. In particular, note that by the third conjunct k is restricted such that ℓ ≤ k ≤ u + 1; that the first conjunct asserts that for most of this
range (k [ℓ, u′]), a[k] = b[k]; that′ the third-to-last conjunct asserts that for |
|||
k ≤ u, a[k] = a [k], contradicting′ |
a [k] 6=b[k]′ by the fourth′ |
conjunct; and that |
|
even if k = u + 1, a [k] 6=b[k] = b[u + 1] = a [uZ+ 1] = a [k] by the fourth and |
|||
fifth conjuncts, a contradiction. Hence, F is TA -unsatisfiable. |
|
||
304 11 Arrays
Theorem 11.11 (Sound & Complete). Consider (ΣAZ Σ)-formula F from the array property fragment of TAZ T . The output F5 of Step 5 is (TAZ T )- equisatisfiable to F .
The proof proceeds using the same strategy as in the proof of Theorem 11.7. The main di erence is that the projection function projI is defined so that it maps an index to its nearest neighbor in the index set. For a given interpretation I, define a projection function projI : ΣA-terms → I that maps ΣAZ-terms to terms of the index set I. Let projI (t) = i I be such that either
• αI [i] ≤ αI [t] ( j I. αI [j] ≤ αI [t] → αI [j] ≤ αI [i])
•or αI [t] < αI [i] ( j I. αI [i] ≤ αI [j]).
That is, i is the index set term that is t’s nearest neighbor under I, with preference for left neighbors. Extend projI to vectors of variables:
projI (i) = (projI (i1), . . . , projI (in)) .
Using this projection function, the remainder of the proof closely follows the proof of Theorem 11.7. Exercise 11.4 asks the reader to finish the proof.
11.3 Hashtables
Hashtables are a common data structure in modern programs. In this section, we describe a theory for hashtables TH and provide a reduction of the hashtable property fragment of ΣH-formulae into the array property fragment of TA.
The signature of TH is the following:
ΣH : {get(·, ·), put(·, ·, ·), remove(·, ·), · keys(·), =} ,
where
•put(h, k, v) is the hashtable that is modified from h by mapping key k to value v.
•remove(h, k) is the hashtable that is modified from h by unmapping the key k.
• get(h, k) is the value mapped by key k, which is undetermined if h does not map k to any value.
•k keys(h) is true i h maps the key k.
k keys(h) is merely convenient notation for a binary predicate. However, we will exploit this notation in the following useful operations:
•Key sets keys(h) can be unioned (k1 k2), intersected (k1 ∩ k2), and complemented (k).
•The predicate init(h) is true i h does not map any key.
Each is definable using the basic signature. The axioms of TH are the following:
|
|
|
11.3 Hashtables |
305 |
• |
x. x = x |
|
(reflexivity) |
|
• |
x, y. x = y → y = x |
(symmetry) |
||
• |
x, y, z. x = y |
y = z → x = z |
(transitivity) |
|
• |
h, j, k. j = k |
→ get(h, j) = get(h, k) |
(hashtable congruence) |
|
• |
h, j, k, v. j = k → get(put(h, k, v), j) = v |
(read-over-put 1) |
||
• |
|
|
||
h, k, v. j keys(h). j 6= k → get(put(h, k, v), j) = get(h, j) |
|
|||
|
|
|
(read-over-put 2) |
|
•h, k. j keys(h). j 6= k → get(remove(h, k), j) = get(h, j)
• |
h, k, v. k keys(put(h, k, v)) |
(read-over-remove) |
(keys-put) |
||
• |
h, k. k 6 keys(remove(h, k)) |
(keys-remove) |
Notice the similarity between the first six axioms of TH and those of TA. Key sets complicate the (read-over-put 2) axiom compared to the (read-over-write 2) axiom, while keys sets and key removal require three additional axioms. In particular, reading a hashtable with an unmapped key is undefined.
11.3.1 Hashtable Property Fragment
A hashtable property has the form
k. F [k] → G[k] ,
where F [k] is the key guard, and G[k] is the value constraint. Key guards are defined exactly as index guards of the array property fragment of TA: they are positive Boolean combinations of equalities between universally quantified keys; and equalities and disequalities between universally quantified keys k and other key terms. Value constraints can use universally quantified keys k in hashtable reads get(h, k) and in key set membership checks. Finally, a hashtable property does not contain any init literals.
ΣH-formulae that are Boolean combinations of quantifier-free ΣH-formulae and hashtable properties comprise the hashtable property fragment of TH.
Example 11.12. Consider the following hashtable property formula:
F : k keys(h). get(h, k) ≥ 0 .
Its key guard is trivial, while its value constraint is
k keys(h) → get(h, k) ≥ 0 .
Suppose that F annotates locations L1 and L2 in the following basic path:
@L1 : F assume v ≥ 0; put(h, s, v); @L2 : F
306 11 Arrays
We want to prove that if F holds at L1, then it holds at L2. The resulting verification condition is
|
|
→ |
( k keys(put(h, s, v)). get(put(h, s, v), k) ≥ 0) |
|
h, s, v. |
( |
k |
keys(h). get(h, k) ≥ 0) v ≥ 0 |
. |
The key set keys(h) provides a mechanism for reasoning about the incremental modification of hashtables.
Example 11.13. To express equality between key sets, keys(h1) = keys(h2), in TH, write
k. k keys(h1) ↔ k keys(h2) .
To express equality between hashtables, h1 = h2, write
keys(h1) = keys(h2) k keys(h1). get(h1, k) = get(h2, k) .
11.3.2 Decision Procedure
Given F from the hashtable property fragment of TH, the decision procedure reduces its TH-satisfiability to TA-satisfiability of a formula in the array property fragment. The main idea of the reduction is to represent hashtables h of F by two arrays in the ΣA-formula: an array h for the elements and an array keysh that indicates if a key maps to an element. In particular, keysh[k] = ◦ indicates that k is not mapped by h, while keysh[k] 6=◦ (keysh[k] = •) indicates that h does map h to a value given by h[k].
Step 1
Construct F • =6 ◦, for fresh constants • and ◦.
Step 2
Rewrite F1 according to the following set of rules:
|
= |
′ |
] |
|
h |
′ |
= h′hk vi keysh′ = keyshhk •i |
F [put(h, k, v)] |
F [h′ |
|
|||||
F [remove(h, k)] |
= |
F [h |
] |
|
h = h hk h[k]i keysh′ = keyshhk ◦i |
||
for fresh variable h′. In the second rule, h = h′hk h[k]i expresses that position k of h′ is undetermined since the mapping from k is being removed. Recall that equality a = b between arrays is defined by i. a[i] = b[i].
11.3 Hashtables |
307 |
Step 3
Rewrite F2 according to the following set of rules:
F [get(h, k)] |
= |
F [h[k]] |
F [k keys(h)] |
= |
F [keysh[k] 6= ◦] |
F [k K1 K2] |
= |
F [k K1 k K2] |
F [k K1 ∩ K2] |
= |
F [k K1 k K2] |
F [k K] |
= |
F [¬(k K)] |
F [init(h)] |
= |
F [ k. ¬(k keys(h))] |
where K, K1, and K2 are constructed from union, disjunction, and complementation of key set membership atoms. The final four rules define auxiliary operations: the right-side of each is expressible in the hashtable property fragment.
Step 4
Decide the TA-satisfiability of F3.
As in Sections 11.1 and 11.2, hashtable values may be interpreted in some theory T with signature Σ. Then the above procedure is a decision procedure precisely when there is a decision procedure for the array property fragment of TA T .
Example 11.14. Consider the following ΣH-formula:
|
|
|
→ |
( k keys(put(h, s, v)). get(put(h, s, v), k) ≥ 0) |
|
G : |
h, s, v. |
( |
k |
keys(h). get(h, k) ≥ 0) v ≥ 0 |
. |
To prove its TH-validity, prove the TH-unsatisfiability of the following: |
|
||||
F : |
( k keys(h). get(h, k) ≥ 0) v ≥ 0 |
|
|||
|
¬( k keys(put(h, s, v)). get(put(h, s, v), k) ≥ 0) . |
|
|||
Step 1 introduces • and ◦:
F1 : F • =6 ◦ .
Step 2 reduces hashtable modifications to arrays:
F2 : ( k keys(h). get(′h, k) ≥ ′0) v ≥ 0 |
|
¬′( k keys(h ). get(h , k) ≥ 0) |
|
|
h = hhs vi keysh′ = keyshhs •i |
|
• =6 ◦ . |
Step 3 completes the reduction:
308 11 Arrays
F3 : ( k. keysh[k] 6=◦ → h[k] ≥ 0) v ≥ 0
¬( k. keysh′ [k] 6=◦ → h′[k] ≥ 0)
( i. h′[i] = hhs vi[i]) ( j. keysh′ [j] = keyshhs •i[j])
• =6 ◦ .
F3 is TA-unsatisfiable. In particular, keysh′ = keyshhs •i and h′ = hhs vi, so that for all keys of h (k such that keysh[k] 6=◦), h′[k] = h[k] ≥ 0. For the one new key s of h′, we know that h′[s] = hhs vi[s] = v ≥ 0. Therefore, no key k of h′ exists at which h[k] < 0, a contradiction. Hence, G is TH-valid.
The decision procedure of Section 11.1 also proves the TA-unsatisfiability of F3.
Theorem 11.15 (Sound & Complete). Consider (ΣH Σ)-formula F from the hashtable property fragment of TH T . The rewriting procedure terminates, and its output F3 of Step 3 is equisatisfiable to F and in the array property fragment of (TA T ).
Proof. Inspection shows that if F is a (ΣH Σ)-formula from the hashtable property fragment, then F3 is a ΣA-formula from the array property fragment.
The rewrite system terminates: the rules of Step 2 and the first two rules of Step 3 remove instances of (ΣH Σ)-literals and (ΣH Σ)-terms without introducing more; and the final four rules of Step 3 clearly terminate with a finite number of applications of the first two rules of Step 3.
We must show that F has a satisfying (TH T )-interpretation precisely when F3 has a satisfying (TA T )-interpretation. Suppose that (TH T )- interpretation I satisfies F . Construct the (TA T )-interpretation J satisfying F3 as follows:
•if h maps k to v in I, set keysh[k] = • in J and h[k] = v;
•otherwise, set keysh[k] = ◦ and h[k] = v for some arbitrary value v.
This J satisfies the conjuncts added in Step 2; also, h[k] is the same value under J as get(h, k) under I, and keysh[k] 6=◦ under J i k keys(h) under I, showing the correctness of the first two rules of Step 3. The remaining rules are auxiliary and reduce to the first two.
Similarly, a (TA T )-interpretation J satisfying F3 corresponds to a (TH T )-interpretation I satisfying F . Construct I as follows:
• if keysh[k] 6=◦ and h[k] = v in J , assert get(h, k) = v and k keys(h) in I;
•otherwise, assert ¬(h keys(h)) in I.
Again, the correspondence between the two sides of each rule is clear. |
|
11.4 Larger Fragments
Why does this chapter focus on the array property fragments of TA and TAZ? Why not examine more expressive fragments? In fact, the following theorem
11.5 Summary |
309 |
states that extending the array property fragments in natural ways produces fragments for which satisfiability is undecidable.
Theorem 11.16. Consider the following extensions to the array property fragment of TAZ (TA, where appropriate):
•Permit an additional quantifier alternation.
•Permit nested reads (e.g., a1[a2[i]], where i is universally quantified).
•Permit array reads by a universally quantified variable in the index guard.
•Permit general Presburger arithmetic expressions over universally quanti-
fied index variables (even just addition of 1: i + 1) in the index guard or in the value constraint.
•Permit strict comparison < between universally quantified variables.
•Augment the theory with a predicate expressing that one array is a permutation of another.
For each resulting fragment, there exists an element theory T such that satisfiability in the array property fragment of TAZ T (TA T ) is decidable, yet satisfiability in the resulting fragment of TAZ T (TA T ) is undecidable.
Bibliographic Remarks refers the interested reader to texts that contain the proof of this theorem.
11.5 Summary
This chapter presents several decision procedures for reasoning about arraylike data structures with some quantification. It covers:
•The array property fragment of TA, which allows expressing properties of arrays themselves, rather than just their elements. Elements may be interpreted in some theory.
•The array property fragment of TAZ, which allows expressing properties of arrays and subarrays with indices interpreted within TZ.
•Quantifier instantiation as a basis for decision procedures, which allows the direct application of decision procedures for quantifier-free fragments.
•Hashtables. The decision procedure rewrites a ΣH-formula into a ΣA- formula in which each hashtable is represented by two arrays. Reductions of this form extend decision procedures to reason about theories similar to the originally targeted theory.
Reasoning about data structures is crucial for considering the correctness of programs. The decision procedures of Chapter 9 for reasoning about recursive data structures and arrays without quantifiers provide a means of accessing elements of data structures. Additionally, equality in TRDS extends to data structures. The decision procedures for the array property fragments of TA and TAZ facilitate reasoning about whole or segments of arrays, not just individual elements.
310 11 Arrays
Bibliographic Remarks
Theories of arrays have been studied for over four decades. McCarthy proposes the axiomatization based on read-over-write in [58]. James King implemented the decision procedure for the quantifier-free fragment as part of his thesis work [50]. Several authors discuss the quantifier-free fragment of a theory with predicates useful for reasoning about sorting algorithms [57, 43, 89]. Suzuki and Je erson present a permutation predicate in a more restricted fragment [89]. The approximation to reasoning about the weak permutation predicate of Exercise 6.5 captures a similar fragment, though for a weaker form of permutation. Stump, Barrett, Dill, and Levitt describe a decision procedure for the quantifier-free fragment of an extensional theory of arrays [88]. Bradley, Manna, and Sipma [9] and Bradley [6] explore the array property fragment, including the proof of Theorem 11.16, that is the basis for the presentation of this chapter.
Exercises
11.1 (DP for array property fragment of TA). Apply the decision procedure for the array property fragment of TA to the following TA-formulae.
(a) i. ahk ei[i] 6=e
(b) a[k] = b[k] i. a[i] 6=b[i] (c) a[k] 6=b[k] i. a[i] = b[i]
11.2 (DP for array property fragment of TAZ). Apply the decision procedure for the array property fragment of TAZ to the following ΣAZ-formulae.
(a) sorted(a, ℓ, u) a[ℓ] > a[u]
(b) sorted(a, ℓ, u) e ≤ a[ℓ] ¬sorted(ahℓ − 1 ei, ℓ − 1, u)
11.3 (DP for array property fragment of TAZ). Apply the decision procedure for the array property fragment of TAZ to the following ΣAZ-formula:
sorted(ah0 7ih5 9i, 0, 5) sorted(ah0 11ih5 13i, 0, 5) .
11.4( Correctness of procedure for TAZ). Prove Theorem 11.11 using the strategy suggested following the statement of the theorem.
11.5( Arrays with extensionality). Consider the extensional theory of
arrays TA= (see Section 3.6). Describe a decision procedure for the quantifierfree fragment of TA= using the methods of this chapter. Hint : Does the index set require a fresh λ variable? Why or why not?