Efficiently Reasoning about Programs

Size: px

Start display at page:

Download "Efficiently Reasoning about Programs"

William Armstrong
5 years ago
Views:

1 Efficiently Reasoning about Programs Neil Immerman College of Computer and Information Sciences University of Massachusetts, Amherst Amherst, MA, USA people.cs.umass.edu/ immerman

2 co-r.e. complete Halt co-r.e. Arithmetic Hierarchy FO(N) r.e. complete Halt FO (N) FO (N) Recursive r.e. Primitive Recursive SO[2 no(1) ] EXPTIME QSAT PSPACE complete FO[2 no(1) ] SO[n O(1) ] PSPACE co-np complete SAT co-np SO PTIME Hierarchy SO NP complete SAT SO NP co-np NP FO[n O(1) ] FO(LFP) FO[log O(1) n] Horn- SAT truly P complete P NC FO[log n] feasible AC 1 FO(CFL) FO(TC) FO(DTC) FO(REGULAR) FO(COUNT) FO 2SAT 2COLOR NL comp. L comp. LOGTIME Hierarchy sac 1 NL L NC 1 ThC 0 AC 0

3 Thm. [Turing 1936] Halt undecidable. co-r.e. complete Halt co-r.e. Arithmetic Hierarchy FO(N) r.e. complete Halt FO (N) FO (N) Recursive r.e. Primitive Recursive SO[2 no(1) ] EXPTIME QSAT PSPACE complete FO[2 no(1) ] SO[n O(1) ] PSPACE co-np complete SAT co-np SO PTIME Hierarchy SO NP complete SAT SO NP co-np NP FO[n O(1) ] FO(LFP) FO[log O(1) n] Horn- SAT truly P complete P NC FO[log n] feasible AC 1 FO(CFL) FO(TC) FO(DTC) FO(REGULAR) FO(COUNT) FO 2SAT 2COLOR NL comp. L comp. LOGTIME Hierarchy sac 1 NL L NC 1 ThC 0 AC 0

4 Halt is r.e. complete

5 Halt is r.e. complete w Σ (α(w)) M α Halt

6 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt.

7 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program.

8 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program. Long-Term Societal Goal:

9 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program. Long-Term Societal Goal: Automatic help to produce programs that are

10 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program. Long-Term Societal Goal: Automatic help to produce programs that are certified to safely and faithfully

11 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program. Long-Term Societal Goal: Automatic help to produce programs that are certified to safely and faithfully do what they should do

12 Halt is r.e. complete w Σ (α(w)) M α Halt Any arbitrary search problem can be translated to Halt. Cannot check correctness of arbitrary input program. Long-Term Societal Goal: Automatic help to produce programs that are certified to safely and faithfully do what they should do and not do what they should not do.

13 Thm. [Turing 1936] Halt undecidable. co-r.e. complete Halt co-r.e. Arithmetic Hierarchy FO(N) r.e. complete Halt FO (N) FO (N) Recursive r.e. Primitive Recursive SO[2 no(1) ] EXPTIME QSAT PSPACE complete FO[2 no(1) ] SO[n O(1) ] PSPACE co-np complete SAT co-np SO PTIME Hierarchy SO NP complete SAT SO NP co-np NP FO[n O(1) ] FO(LFP) FO[log O(1) n] Horn- SAT truly P complete P NC FO[log n] feasible AC 1 FO(CFL) FO(TC) FO(DTC) FO(REGULAR) FO(COUNT) FO 2SAT 2COLOR NL comp. L comp. LOGTIME Hierarchy sac 1 NL L NC 1 ThC 0 AC 0

14 Thm. [Turing 1936] Halt undecidable. co-r.e. complete Halt co-r.e. Arithmetic Hierarchy FO(N) r.e. complete Halt FO (N) FO (N) Recursive r.e. Primitive Recursive SO[2 no(1) ] EXPTIME Thm. [Cook 1971] SAT is NP complete. QSAT PSPACE complete FO[2 no(1) ] SO[n O(1) ] PSPACE co-np complete SAT co-np FO[n O(1) ] FO(LFP) SO PTIME Hierarchy SO NP complete SAT SO NP co-np NP Horn- SAT P complete P FO[log O(1) n] truly NC FO[log n] feasible AC 1 FO(CFL) FO(TC) FO(DTC) FO(REGULAR) FO(COUNT) FO 2SAT 2COLOR NL comp. L comp. LOGTIME Hierarchy sac 1 NL L NC 1 ThC 0 AC 0

15 SAT is NP complete.

16 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT

17 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT Arbitrary exponential search problem is translated to SAT.

18 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT Arbitrary exponential search problem is translated to SAT. SAT is not feasible in the worst case.

19 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT Arbitrary exponential search problem is translated to SAT. SAT is not feasible in the worst case. Every reasonable search problem can be encoded as an instance of SAT.

20 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT Arbitrary exponential search problem is translated to SAT. SAT is not feasible in the worst case. Every reasonable search problem can be encoded as an instance of SAT. Great progress in design of SAT Solvers.

21 SAT is NP complete. w Σ no(1) (α(w)) ϕ α SAT Arbitrary exponential search problem is translated to SAT. SAT is not feasible in the worst case. Every reasonable search problem can be encoded as an instance of SAT. Great progress in design of SAT Solvers. Fast, general-purpose problem solvers.

22 Verification by Reduction to SAT

23 Verification by Reduction to SAT When and why does this work?

24 Verification by Reduction to SAT When and why does this work? How general and powerful can we make it?

25 Background: Dynamic Complexity Static 1. Read entire input 2. Compute boolean query Q(input) 3. Classic Complexity Classes are static: FO, NC, P, NP,...

26 Background: Dynamic Complexity Static 1. Read entire input 2. Compute boolean query Q(input) 3. Classic Complexity Classes are static: FO, NC, P, NP, What is the fastest way upon reading the entire input, to compute the query?

27 Background: Dynamic Complexity Static 1. Read entire input 2. Compute boolean query Q(input) 3. Classic Complexity Classes are static: FO, NC, P, NP, What is the fastest way upon reading the entire input, to compute the query? Dynamic 1. Long series of Inserts, Deletes, Changes, and, Queries 2. On query, very quickly compute Q(current database) 3. Dynamic Complexity Classes: Dyn-FO, Dyn-NC

28 Background: Dynamic Complexity Static 1. Read entire input 2. Compute boolean query Q(input) 3. Classic Complexity Classes are static: FO, NC, P, NP, What is the fastest way upon reading the entire input, to compute the query? Dynamic 1. Long series of Inserts, Deletes, Changes, and, Queries 2. On query, very quickly compute Q(current database) 3. Dynamic Complexity Classes: Dyn-FO, Dyn-NC 4. What additional information should we maintain? auxiliary data structure

29 Dynamic (Incremental) Applications Databases LaTexing a file Performing a calculation Processing a visual scene Understanding a natural language Verifying a circuit Verifying and compiling a program

30 Dynamic (Incremental) Applications Databases LaTexing a file Performing a calculation Processing a visual scene Understanding a natural language Verifying a circuit Verifying and compiling a program Surviving in the wild

31 Parity Current Database: S Request Auxiliary Data: b

32 Parity Current Database: S Request Auxiliary Data: b ins(3,s)

33 Parity Current Database: S Request Auxiliary Data: b ins(3,s) 1

34 Parity Current Database: S Request Auxiliary Data: b ins(3,s) 1 ins(7,s)

35 Parity Current Database: S Request Auxiliary Data: b ins(3,s) ins(7,s) 0

36 Parity Current Database: S Request Auxiliary Data: b ins(3,s) ins(7,s) 0 del(3,s)

37 Parity Current Database: S Request Auxiliary Data: b ins(3,s) ins(7,s) del(3,s) 1

38 Parity Dyn-FO Current Database: S Request Auxiliary Data: b ins(3,s) ins(7,s) del(3,s) 1 ins(a,s) del(a,s) S (x) S(x) x = a S (x) S(x) x a b (b S(a)) b (b S(a)) ( b S(a)) ( b S(a))

39 Dynamic Examples Parity Does binary string w have an odd number of 1 s? Static: TIME[n], FO[Ω(log n/ log log n)] Dynamic: Dyn-TIME[1], Dyn-FO

40 Dynamic Examples Parity Does binary string w have an odd number of 1 s? Static: TIME[n], FO[Ω(log n/ log log n)] Dynamic: Dyn-TIME[1], Dyn-FO REACH u Is t reachable from s in undirected graph G? Static: not in FO, requires FO[Ω(log n/ log log n)] Dynamic: in Dyn-FO [Patnaik, I]

41 Dynamic Examples Parity Does binary string w have an odd number of 1 s? Static: TIME[n], FO[Ω(log n/ log log n)] Dynamic: Dyn-TIME[1], Dyn-FO REACH u Is t reachable from s in undirected graph G? Static: not in FO, requires FO[Ω(log n/ log log n)] Dynamic: in Dyn-FO [Patnaik, I] connectivity, minimum spanning trees, k-edge connectivity,... in Dyn-FO

42 Fact: [Dong & Su] REACH(acyclic) DynFO u v x y a b

43 Fact: [Dong & Su] REACH(acyclic) DynFO ins(a, b, E) : P (x, y) P(x, y) (P(x, a) P(b, y)) u v x y a b

44 Fact: [Dong & Su] REACH(acyclic) DynFO ins(a, b, E) : P (x, y) P(x, y) (P(x, a) P(b, y)) u v x y a b del(a, b, E): P (x, y) P(x, y) [ (P(x, a) P(b, y)) ( uv) ( P(x, u) E(u, v) P(v, y) P(u, a) P(v, a) (a u b v) )]

45 Reachability Problems REACH = { G G directed, s G t } NL REACH d = { G G directed, outdegree 1 s G t } L REACH u = { G G undirected, s G t } L REACH a = { G G alternating, s G t } P

46 Facts about dynamic REACHABILITY Problems: REACH(acyclic) Dyn-FO [DS] REACH d Dyn-QF [H] REACH u Dyn-FO [PI] REACH Dyn-FO(COUNT) [H] PAD(REACH a ) Dyn-FO [PI]

47 Exciting New Result Thm. REACH Dyn-FO [Samir Datta, Raghav Kulkarni, Anish Mukherjee, Thomas Schwentick, Thomas Zeume] REACH Matrix Rank Dyn-FO

48 Thm. 1 [Hesse] REACH d (acyclic) Dyn-FO proof: Maintain E, E, D (outdegree = 1). ins(a, b, E): (ignore if outdegree or acyclicity violated) E (x, y) E(x, y) (x = a y = b) D (x) D(x) x = a E (x, y) E (x, y) (E (x, a) E (b, y))

49 Thm. 1 [Hesse] REACH d (acyclic) Dyn-FO proof: Maintain E, E, D (outdegree = 1). ins(a, b, E): (ignore if outdegree or acyclicity violated) E (x, y) E(x, y) (x = a y = b) D (x) D(x) x = a E (x, y) E (x, y) (E (x, a) E (b, y)) del(a, b, E): E (x, y) E(x, y) (x a y b) D (x) D(x) x a E (x, y) E (x, y) (E (x, a) E(a, b) E (b, y))

50 Dynamic Reasoning Reasoning About reachability can we get to y from x by following a sequence of pointers n x 1 x 0 n x 2 x 3 n n y 1 y 3 x 4 n n n x y 2 y

51 Dynamic Reasoning Reasoning About reachability can we get to y from x by following a sequence of pointers is crucial for understanding programs and proving that they meet their specifications. n x 1 x 0 n x 2 x 3 n n y 1 y 3 x 4 n n n x y 2 y n

52 In general, reasoning about reachability is undecidable. Can express tilings and thus runs of Turing Machines.

53 In general, reasoning about reachability is undecidable. Can express tilings and thus runs of Turing Machines. Even worse, can express finite path and thus finite and thus standard natural numbers. Thus satisfiablity of FO(TC) is as hard as the Arithmetic Hierarchy [Avron].

54 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields.

55 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y.

56 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y. Use predicate symbol, n, but not n.

57 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y. Use predicate symbol, n, but not n. The following axioms assure that n is the reflexive transitive closure of some acyclic, functional n.

58 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y. Use predicate symbol, n, but not n. The following axioms assure that n is the reflexive transitive closure of some acyclic, functional n. acyclic xy (n (x, y) n (y, x) x = y)

59 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y. Use predicate symbol, n, but not n. The following axioms assure that n is the reflexive transitive closure of some acyclic, functional n. acyclic xy (n (x, y) n (y, x) x = y) transitive xyz (n (x, y) n (y, z) n (x, z))

60 Itzhaky, Banerjee, Immerman, Aleks Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV For now, restrict to acyclic fields. n(x, y) means that x points to y. Use predicate symbol, n, but not n. The following axioms assure that n is the reflexive transitive closure of some acyclic, functional n. acyclic xy (n (x, y) n (y, x) x = y) transitive xyz (n (x, y) n (y, z) n (x, z)) linear xyz (n (x, y) n (x, z) n (y, z) n (z, y))

61 Effectively-Propositional Reasoning about Reachability in Linked Data Structures Assume acyclic, transitive and linear axioms, as integrity constraints.

62 Effectively-Propositional Reasoning about Reachability in Linked Data Structures Assume acyclic, transitive and linear axioms, as integrity constraints. Automatically transform a program manipulating linked lists to an correctness condition.

63 Effectively-Propositional Reasoning about Reachability in Linked Data Structures Assume acyclic, transitive and linear axioms, as integrity constraints. Automatically transform a program manipulating linked lists to an correctness condition. Using Hesse s dynqf algorithm for REACH d, these formulas are closed under weakest precondition.

64 Effectively-Propositional Reasoning about Reachability in Linked Data Structures Assume acyclic, transitive and linear axioms, as integrity constraints. Automatically transform a program manipulating linked lists to an correctness condition. Using Hesse s dynqf algorithm for REACH d, these formulas are closed under weakest precondition. The negation of the correctness condition is, thus equi-satisfiable with a propositional formula (EPR).

65 Effectively-Propositional Reasoning about Reachability in Linked Data Structures Assume acyclic, transitive and linear axioms, as integrity constraints. Automatically transform a program manipulating linked lists to an correctness condition. Using Hesse s dynqf algorithm for REACH d, these formulas are closed under weakest precondition. The negation of the correctness condition is, thus equi-satisfiable with a propositional formula (EPR). Use a SAT solver to automatically prove correctness or find counter-example runs, typically in only a few seconds.

66 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete).

67 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols.

68 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k

69 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k ϕ = x 1... x s y 1... y t (α(x, t, c))

70 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k ϕ = x 1... x s y 1... y t (α(x, t, c)) small model: ϕ FO-SAT iff has model size k + s.

71 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k ϕ = x 1... x s y 1... y t (α(x, t, c)) small model: ϕ FO-SAT iff has model size k + s. EPR-SAT Σ p 2 (2nd level polynomial-time hierarchy)

72 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k ϕ = x 1... x s y 1... y t (α(x, t, c)) small model: ϕ FO-SAT iff has model size k + s. EPR-SAT Σ p 2 (2nd level polynomial-time hierarchy) If t is fixed, then reducible to SAT.

73 Effectively-Propositional Reasoning (EPR) FO-SAT is undecidable (co-r.e. complete). EPR: formulas; no function symbols. constant symbols: c 1,..., c k ϕ = x 1... x s y 1... y t (α(x, t, c)) small model: ϕ FO-SAT iff has model size k + s. EPR-SAT Σ p 2 (2nd level polynomial-time hierarchy) If t is fixed, then reducible to SAT. Z3 seems to do very well for us on EPR-SAT.

75 Thm. 2 [Hesse] Reachability of functional graphs is in DynQF. proof idea: If adding an edge, e, would create a cycle, then we maintain relation p the path relation without the edge completing the cycle as well as E, E and D. Surprisingly this can all be maintained via quantifier-free formulas, without remembering which edges we are leaving out in computing p.

76 Thm. 2 [Hesse] Reachability of functional graphs is in DynQF. proof idea: If adding an edge, e, would create a cycle, then we maintain relation p the path relation without the edge completing the cycle as well as E, E and D. Surprisingly this can all be maintained via quantifier-free formulas, without remembering which edges we are leaving out in computing p. Using Thm. 2, the above methodology has been extended to cyclic deterministic graphs. Itzhaky, Banerjee, Immerman, Nanevski, Sagiv, Effectively-Propositional Reasoning About Reachability in Linked Data Structures CAV Itzhaky, Banerjee, Immerman, Lahav, Nanevski, Sagiv, Modular Reasoning about Heap Paths via Effectively Propositional Formulas, POPL 2014

77 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite.

78 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,...

79 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,... The [CAV13] and [POPL14] papers assume that correct invariants are given for each loop. On-going work to automatically generate and prove loop invariants:

80 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,... The [CAV13] and [POPL14] papers assume that correct invariants are given for each loop. On-going work to automatically generate and prove loop invariants: Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17]

81 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,... The [CAV13] and [POPL14] papers assume that correct invariants are given for each loop. On-going work to automatically generate and prove loop invariants: Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17] Padon, I, Karbyshev, Sagiv, Shoham, Decidability of Inferring Inductive Invariants [POPL16].

82 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,... The [CAV13] and [POPL14] papers assume that correct invariants are given for each loop. On-going work to automatically generate and prove loop invariants: Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17] Padon, I, Karbyshev, Sagiv, Shoham, Decidability of Inferring Inductive Invariants [POPL16]. Padon, McMillan, Panda, Sagiv, Shoham, Ivy: Safety Verification by Interactive Generalization [PLDI16].

83 Extensions Extensions to EPR: we can have functions symbols, as long as we can guarantee the the closure of the function symbols on any finite set remains finite. What data structures can we handle: lists, doubly linked lists, cyclic lists; binary trees,... The [CAV13] and [POPL14] papers assume that correct invariants are given for each loop. On-going work to automatically generate and prove loop invariants: Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17] Padon, I, Karbyshev, Sagiv, Shoham, Decidability of Inferring Inductive Invariants [POPL16]. Padon, McMillan, Panda, Sagiv, Shoham, Ivy: Safety Verification by Interactive Generalization [PLDI16]. Karbyshev, Bjorner, Itzhaky, Rinetzky, Shoham, Property-Directed Inference of Universal Invariants or Proving Their Absence [CAV15].

85 When does this work?

86 When does this work? When doesn t this work?

87 Init Inv; Inv Tr Inv ; Inv Safe

90 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ

91 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology:

92 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology: Skolemize ϕ: ϕ S is universal: ϕ S = x (α(x)); ϕ FO-SAT ϕ S FO-SAT

93 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology: Skolemize ϕ: ϕ S is universal: ϕ S = x (α(x)); ϕ FO-SAT ϕ S FO-SAT grnd(α) def = { α(t) } t H

94 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology: Skolemize ϕ: ϕ S is universal: ϕ S = x (α(x)); ϕ FO-SAT ϕ S FO-SAT grnd(α) def = { α(t) } t H ϕ FO-UNSAT grnd(α) UNSAT

95 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology: Skolemize ϕ: ϕ S is universal: ϕ S = x (α(x)); ϕ FO-SAT ϕ S FO-SAT grnd(α) def = { α(t) } t H ϕ FO-UNSAT grnd(α) UNSAT Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17]

96 Herbrand Thm. ϕ universal ϕ FO-SAT ϕ has Herbrand model, H = ϕ Cor. Complete FO-UNSATmethodology: Skolemize ϕ: ϕ S is universal: ϕ S = x (α(x)); ϕ FO-SAT ϕ S FO-SAT grnd(α) def = { α(t) } t H ϕ FO-UNSAT grnd(α) UNSAT Feldman, Padon, I, Sagiv, Shoham, Bounded Quantifier Instantiation for Checking Inductive Invariants [TACAS17] Can Understand Decidability of Checking FO Inductive Invariants, via bounded depth of nesting of functions in t needed for unsatisfiability.

97 Thank You! Anindya Banerjee, Bill Hesse, Yotam Feldman, Shachar Itzhaky, Aleksandr Karbyshev, Ori Lahav, Aleksandar Nanevski, Oded Padon, Sushant Patnaik, Mooly Sagiv, Sharon Shoham

Reasoning about Reachability at Tom Rep s 60th Birthday Celebration

Reasoning about Reachability at Tom Rep s 60th Birthday Celebration Neil Immerman College of Information and Computer Sciences UMass Amherst people.cs.umass.edu/ immerman/ 1978: Tom 22 Neil 24 @Cornell