istituto di analisi dei sistemi ed informaticaistituto di analisi dei sistemi ed informatica...
Post on 11-Apr-2020
3 Views
Preview:
TRANSCRIPT
ISTITUTO DI ANALISI DEI SISTEMI ED INFORMATICA
CONSIGLIO NAZIONALE DELLE RICERCHE
E. De Angelis, F. Fioravanti,
A. Pettorossi, M. Proietti
AUTOMATED VERIFICATION OF
RELATIONAL PROGRAM PROPERTIES
R. 7 2015
Emanuele De Angelis – DEC, University “G. d’Annunzio”, Pescara, Italy, and Istituto di
Analisi dei Sistemi ed Informatica “Antonio Ruberti” del CNR, Via dei Taurini 15, I-00185
Roma, Italy. Email : deangelis@sci.unich.it.
URL: http://www.sci.unich.it/~deangelis.
Fabio Fioravanti – DEC, University “G. d’Annunzio”, Pescara, Italy, and Istituto di Analisi
dei Sistemi ed Informatica “Antonio Ruberti” del CNR, Via dei Taurini 15, I-00185 Roma,
Italy. Email : fioravanti@sci.unich.it. URL: http://www.sci.unich.it/~fioravan.
Alberto Pettorossi – DICII, University “Tor Vergata”, Roma, Italy, and Istituto di Analisi
dei Sistemi ed Informatica “Antonio Ruberti” del CNR, Via dei Taurini 15, I-00185 Roma,
Italy. Email : adp@iasi.cnr.it. URL : http://www.iasi.cnr.it/~adp.
Maurizio Proietti – Istituto di Analisi dei Sistemi ed Informatica “Antonio Ruberti” del
CNR, Via dei Taurini 19, I-00185 Roma, Italy. Email : maurizio.proietti@iasi.cnr.it.
URL : http://www.iasi.cnr.it/~proietti.
ISSN: 1128–3378
Collana dei Rapporti dell’Istituto di Analisi dei Sistemi ed Informatica “Antonio Ruberti”,
CNR, via dei Taurini 19, 00185 ROMA, Italy
tel. ++39-0649931
fax ++39-0649937106
email: iasi@iasi.cnr.it
URL: http://www.iasi.cnr.it
Automated Verification
of Relational Program Properties
Emanuele De Angelis1, Fabio Fioravanti1,Alberto Pettorossi2, and Maurizio Proietti3
1 DEC, University ‘G. D’Annunzio’, Pescara, Italy{emanuele.deangelis,fabio.fioravanti}@unich.it
2 DICII, University of Rome Tor Vergata, Rome, Italypettorossi@disp.uniroma2.it
3 IASI-CNR, Rome, Italymaurizio.proietti@iasi.cnr.it
Abstract. We present a method for verifying relational program prop-erties, that is, properties that relate the input and the output of twoprograms. Our verification method is parametric with respect to thedefinition of the semantics of the programming language in which theprograms are written. That definition consists of a set Int of constrainedHorn clauses (CHC) that encode the interpreter of the programminglanguage. Then, given the programs and the relational property we wantto verify, we generate, by using Int, a set of constrained Horn clauseswhose satisfiability is equivalent to the validity of the property. Unfortu-nately, state-of-the-art solvers for CHC have severe limitations in provingthe satisfiability, or the unsatisfiability, of such sets of clauses. We pro-pose some transformation techniques that increase the power of CHCsolvers when verifying relational properties. We show that these trans-formations, based on unfolding and folding rules, preserve satisfiability.Through an experimental evaluation we show that in many cases CHCsolvers are able to prove the (un)satisfiability of sets of clauses obtainedby applying the transformations we propose, whereas the same solversare unable to perform those proofs when given as input the original setsof constrained Horn clauses.
1 Introduction
During the process of software development it is often the case that severalversions of the same program are produced. This is due to the fact that theprogrammer, for instance, may want to replace an old program fragment by anew one with the objective of improving efficiency, or adding a new feature, orsimplifying the program structure. In these cases, in order to prove the correct-ness of the whole program, it may be desirable to consider relational propertiesof those program fragments, that is, properties that relate the semantics of theold fragments to the semantics of the new fragments. A particular example ofa relational property is program equivalence, but many other relations may beconsidered (see [5,29] for other significant examples).
It has been noted that proving relational properties between two structurallysimilar program versions is often easier than directly proving the desired cor-rectness properties for the new program version [5,21,29]. Moreover, in order toautomate the proof of such properties, it may be convenient to follow a trans-formational approach so as to use the already available methods and tools forproving correctness properties of individual programs. For instance, in [5,29] theauthors propose program composition techniques such that, in order to provethat a given relation between program P1 and P2 holds, it is sufficient to showthat suitable pre- and post-conditions for the composition of P1 and P2 hold. Thevalidity of these pre and postconditions is then checked by using state-of-the-artverification tools such as Why [22] and Boogie [4]. A different transformationalapproach is followed by [21]. The authors of [21] introduce a set of proof rules forprogram equivalence, and from these rules they generate verification conditionsin the form of constrained Horn clauses (CHC) which is a logical formalism re-cently suggested for program verification (see [7] for a survey of the techniqueswhich use CHC). The satisfiability of the verification conditions, which guaran-tees that the relational property holds, can be checked by using CHC solvers suchas Eldarica [25] and Z3 [18] (obviously, no complete solver may exist becausemost properties of interest, including equivalence, are in general undecidable).
Unfortunately, all the above mentioned approaches enable only a partial reuseof the available verification techniques, because one has to develop specific trans-formation rules for each programming language and each proof system in use.
In this paper we propose a method to achieve a higher parametericity withrespect to the programming language and the class of relational properties oneconsiders by pushing further the transformational approach.
As a first step of our method, we formalize a relational property betweentwo programs as a set of CHC. This is done by using the interpreter for thegiven programming language written in clausal form as indicated in [17,31]. Inparticular, the properties of the data domain in use, such as the integers and theinteger arrays, are formalized in the constraint theory of the CHC.
Now, it is very often the case that this first step is not sufficient to allow state-of-the-art CHC solvers to verify the properties of interest. Indeed, the strategiesfor checking satisfiability employed by those solvers deal with the sets of clausesencoding the semantics of each of the two programs in an independent way,thereby failing to exploit the structural similarities of the given programs. Inthis paper, instead of looking for a new, smarter strategy for satisfiability check-ing, we propose some transformation techniques for CHC that compose togetherin a suitable way the clauses relative to the two programs, so as to better exposetheir similarities of structure. This transformational approach has the advantagethat we can use existing techniques for CHC satisfiability as a final step of theverification process. This approach has been proved to be effective in practice asindicated in Section 5.
The main contributions of the paper are the following.
(1) We present a method for encoding as a set of CHC a large class of rela-tional properties of programs written in a simple imperative language. The only
4
language-specific element of our method is that we use a CHC interpreter as aformal definition of the semantics of the programming language.(2) We propose an automatic transformation technique for CHC, called predi-cate pairing, which combines together the clauses representing the semantics ofeach program with the objective of increasing the effectiveness of the subsequentapplication of a CHC solver. We prove that predicate pairing guarantees equisat-isfiability between the initial and the final sets of clauses. The proof is based onthe fact that this transformation can be expressed as a sequence of applicationsof the unfolding and folding rules [20,33].(3) We report on an experimental evaluation performed by a proof-of-conceptimplementation of our transformation technique by using the VeriMAP sys-tem [15]. The satisfiability of the transformed CHC is then verified by using thesolvers Eldarica [25], MathSAT [11], and Z3 [18]. Our experiments show thatthe transformation is effective on a number of small, but nontrivial examples.Moreover, our method is competitive with respect to some special purpose toolsfor checking equivalence [21].
The paper is organized as follows. We start off by presenting in Section 2a simple introductory example. Then, in Section 3 we present the translationof a relational property between two programs into constrained Horn clauses.In Section 4 we present the various transformation techniques and we provethat they preserve satisfiability (and unsatisfiability). The implementation ofthe verification method and its experimental evaluation is reported in Section 5.Finally, in Section 6, we discuss the related work.
2 An Introductory Example
In this section we present an example to illustrate the main ideas developed inthis paper. Let us consider the two programs of Fig. 1.
void sum_upto() {z1=f(x1);
}int f(int n1){
int r1;if (n1 <= 0) {
r1 = 0;} else {
r1 = f(n1 - 1) + n1;}return r1;
}
void prod() {z2 = g(x2,y2);
}int g(int n2, int m2){
int r2;r2=0;while (n2 > 0) {
r2 += m2;n2--;
}return r2;
}
Relational property Leq: {x1=x2, x2≤y2} sum_upto ∼ prod {z1≤z2}
Fig. 1. The programs sum_upto and prod, and the relational property to be proved.
Program sum_upto computes the sum of the first x1 non-negative integer num-bers and program prod computes the product of x2 by y2 by summing up x2times the value of y2. Thus, we have the following property Leq: if x1=x2 andx2≤ y2, then the two programs return the values z1 and z2, respectively, suchthat z1≤ z2. By using the method we will present in Section 3 (and the CHC
5
specialization of Section 4.1), the property Leq relating the computations of thetwo programs is translated into the set of constrained Horn clauses listed inFig. 2, written in the syntax of Constraint Logic Programming (CLP) [26].
1. false ← X1=X2, X2≤Y 2, Z1′ >Z2′, su(X1, Z1′), p(X2, Y 2, Z2′)2. su(X1, Z1′)← f(X1, Z, X1, R, N1, Z1′)3. f(X, Z, N, R, N, 0)← N≤04. f(X, Z, N, R, N, Z1)← N≥1, N1=N−1, Z1=R2+N, f(X, Z, N1, R1, N2, R2)5. p(X2, Y 2, Z2′)← g(X2, Y 2, Z, X2, Y 2, 0, N, P, Z2′)6. g(X, Y, Z, N, P, R, N, P, R)← N≤07. g(X, Y, Z, N, P, R, N2, P 2, R2)← N≥1, N1=N−1, R1=P +R,
g(X, Y, Z, N1, P, R1, N2, P 2, R2)
Fig. 2. Translation into constrained Horn clauses of the relational property Leq.
Clause 1 specifies the relational property Leq, where primed logical variablesrefer to the final values of the corresponding imperative variables. In particular,note that the constraint Z1′ > Z2′ is the negation of the property we wantto prove. Clauses 2–4 and 5–7 encode the input-ouput relations computed byprograms sum_upto and prod, respectively. The relational property Leq holds iffclauses 1–7 are satisfiable.
Unfortunately, state-of-the-art solvers for constrained Horn clauses with lin-ear integer arithmetic (such as Eldarica [25], MathSAT [11], and Z3 [18])are unable to prove the satisfiability of clauses 1–7. This is due to the fact thatthose solvers reason on the predicate su and p separately, and hence, to provethat clause 1 is satisfiable (that is, its premise is unsatisfiable), they should dis-cover quadratic relations among variables (in our case, Z1′ = X1×(X1−1)/2and Z2′ =X2×Y 2), and these relations cannot be expressed by linear arithmeticconstraints.
In order to deal with this limitation one could extend constrained Hornclauses with solvers for the theory of non-linear integer arithmetic constraints [8].However, this extension has to cope with the additional problem that the satis-fiability problem for non-linear constraints is undecidable [30].
In this paper we propose an approach based on suitable transformations ofthe clauses that encode the property Leq into an equisatisfiable set of clauses,which, as shown in the sequel, are hopefully easier to solve. In our example, theclauses of Fig. 2 are transformed into the ones shown in Fig. 3.
false ← X1≤Y 2, Z1′ >Z2′, fg(X1,Z,X1,R, N1, Z1′, Y 2, Z, 0, N2, P 2, Z2′)fg(X, Z, N, R, N, 0, Y 2, V, Z2, N, P 2, Z2)← N≤0fg(X, Z, N, R, N, Z1, Y 2, V, W, N2, P 2, Z2)←
N≥1, N1=N−1, Z1=R2+N, M =Y 2+W,fg(X, Z, N1, R1, S, R2, Y 2, V, M, N2, P 2, Z2)
Fig. 3. Transformed clauses derived from the clauses 1–7 in Fig. 2.
6
The predicate fg(X, Z, N, R, N1, Z1, Y 2, V, W, N2, P 2, Z2) is equivalent tothe conjunction f(X, Z, N, R, N1, Z1), g(X, Y 2, V, N, Y 2, W, N2, P 2, Z2). The ef-fect of this transformation is that it is possible to infer linear relations amonga subset of the variables occurring in the conjunctions of predicates, withouthaving to use in an explicit way their non-linear relations with other variables.In particular, one can infer that fg(X1, Z, X1, R, N1, Z1′, Y 2, Z, 0, N2, P 2, Z2′)enforces the constraint (X1 > Y 2) ∨ (Z1′≤Z2′), and hence the satisfiability ofthe first clause of Fig. 3, without having to derive quadratic relations. Indeed,after this transformation MathSAT (and, after further transformation, also El-
darica and Z3) is able to prove the satisfiability of the clauses of Fig. 3, whichimplies the validity of the relational property Leq.
3 Specifying Relational Properties in CHC
In this section we introduce the notion of a relational property relative to twoprograms written in a simple imperative language and we show how a relationalproperty can be translated into constrained Horn clauses.
3.1 Relational properties
We consider a C-like programming language manipulating integers and inte-ger arrays via assignments, function calls, conditionals, while loops, and goto’s.A program is a sequence of labeled commands (or commands, for short), andin each program there is a unique halt command that, when executed, causesprogram termination.
The semantics of our language is defined by a binary transition relation,denoted by =⇒, between configurations. Each configuration is a pair ⟨⟨ℓ :c, δ⟩⟩ ofa labeled command ℓ : c and an environment δ. An environment δ is a functionthat maps every variable identifier x of a set V of identifiers to its value v in theintegers (for integer variables) or in the set of the finite sequences of integers(for array variables). Given an environment δ, dom(δ) denotes its domain. Thedefinition of the relation =⇒ corresponds to the multistep operational semantics,that is: (i) the semantics of each command, other than a function call, is definedby a pair of the form ⟨⟨ℓ :c, δ⟩⟩ =⇒ ⟨⟨ℓ′ :c′, δ′⟩⟩, and (ii) the semantics of a functioncall is recursively defined in terms of the reflexive, transitive closure =⇒∗.
In particular, the semantics of an assignment is:
(R1) ⟨⟨ℓ :x=e, δ⟩⟩ =⇒ ⟨⟨at(nextlab(ℓ)), update(δ, x, !e" δ)⟩⟩
where: (i) at(ℓ) denotes the command whose label is ℓ, (ii) nextlab(ℓ) denotes thelabel of the command which is immediately after the command with label ℓ, (iii)update(δ, x, v) denotes the environment δ′ that is equal to the environment δ,except that δ′(x) = v, and (iv) !e" δ is the value of the expression e in theenvironment δ.
The semantics of a call to the function f is:
(R2) ⟨⟨ℓ :x=f(e1, . . . , ek), δ⟩⟩ =⇒ ⟨⟨at(nextlab(ℓ)), update(δ′, x, !e" δ′)⟩⟩
if ⟨⟨at(firstlab(f)), δ⟩⟩ =⇒∗ ⟨⟨ℓr : return e, δ′⟩⟩
7
where: (i) firstlab(f) denotes the label of the first command in the definitionof the function f , and (ii) δ is the environment δ extended by the bindings forthe formal parameters, say x1, . . . , xk, and the local variables, say y1, . . . , yh, off (we assume that the identifiers xi’s and yi’s do not occur in dom(δ)). Thus,we have that δ = δ ∪ {x1 )→ !e1" δ, . . . , xk )→ !ek" δ, y1 )→ v1, . . . , yh )→ vh}, forarbitrary values v1, . . . , vh. We refer to [17] for a more detailed presentation ofthe multistep semantics.
A program P terminates for an initial environment δ and computes the finalenvironment η, denoted ⟨P, δ⟩ ⇓ η, iff ⟨⟨ℓ0 :c, δ⟩⟩ =⇒∗ ⟨⟨ℓh :halt, η⟩⟩, where ℓ0 :c isthe first labeled command of P . ⟨⟨ℓ0 :c, δ⟩⟩ and ⟨⟨ℓh :halt, η⟩⟩ are called the initialconfiguration and the final configuration, respectively.
Now, we can formally define a relational property as follows. Let P1 and P2 betwo programs with global variables in V1 and V2, respectively, with V1∩V2 = ∅.Let ϕ and ψ be two first order formulas with variables in V1∪V2. Then, by usingthe notation of [5], a relational property is specified by the 4-tuple {ϕ} P1∼P2 {ψ}.For instance, the relational property Leq presented in Section 2 is specified by:{x1=x2, x2≤y2} sum_upto ∼ prod {z1≤z2}.
We say that {ϕ} P1 ∼ P2 {ψ} is valid iff the following holds: if the inputs of P1
and P2 satisfy the pre-relation ϕ and the programs P1 and P2 both terminate,then upon termination the outputs of P1 and P2 satisfy the post-relation ψ. Thevalidity of a relational property is formalized by Definition 1 below, where givena formula α and an environment δ, by α [δ] we denote the formula α where everyfree occurrence of a variable has been replaced by its values in δ.
Definition 1. A relational property {ϕ} P1 ∼ P2 {ψ} is said to be valid, denoted|= {ϕ} P1 ∼ P2 {ψ}, iff for all environments δ1 and δ2 with dom(δ1)⊆V1 anddom(δ2)⊆V2, the following holds:
if |= ϕ [δ1∪ δ2] and ⟨P1, δ1⟩ ⇓ η1 and ⟨P2, δ2⟩ ⇓ η2, then |= ψ [η1∪ η2].
3.2 Formal Semantics of the Imperative Language in CHC
In order to translate a relational program property into constrained Horn clauses,first we need to specify the operational semantics of our C-like language by aset of constrained Horn clauses. We follow the approach presented in [17] whichnow we briefly recall.
The transition relation =⇒ between configurations and its reflexive, transitiveclosure =⇒∗ are specified by the binary predicates tr and reach, respectively. Weonly show the formalization of the semantic rules R1 and R2 above, consistingof the following clauses D1 and D2, respectively. For the other rules of themultistep operational semantics we refer to [17].
(D1) tr(cf (cmd(L, asgn(X, expr(E))), Env), cf (cmd(L1, C), Env1))←eval(E, Env, V ), update(Env, X, V, Env1), nextlab(L, L1), at(L1, C)
(D2) tr(cf (cmd(L, asgn(X, call(F, Es))), Env), cf (cmd(L2, C2), Env2))←fun_env(Es, Env, F, FEnv), firstlab(F, FL), at(FL, C),reach(cf (cmd(FL, C), FEnv), cf (cmd(LR, return(E)), Env1)),eval(E, Env1, V ), update(Env1, X, V, Env2), nextlab(L, L2), at(L2, C2)
8
The predicate reach is recursively defined by the following two clauses:
reach(C, C)reach(C, C2)← tr(C, C1), reach(C1, C2)
Configurations are represented by using terms of the form cf (cmd(L, C), Env),where: (i) L and C encode the label and the command, respectively, (ii) Envencodes the environment. The term asgn(X, expr(E)) encodes the assignmentof the value of the expression E to the variable X . The predicate eval(E, Env, V )holds iff V is the value of the expression E in the environment Env. The termcall(F, Es) encodes the call of the function F with the list Es of the actual pa-rameters. The predicate fun_env(Es, Env, F, FEnv) computes from Es and Envthe list Vs of the values of the actual parameters of the function F and buildsthe new initial environment FEnv for executing the body of F . In FEnv the localvariables of F are all bound to arbitrary values. The other terms and predicatesoccurring in clauses D1 and D2 have the obvious meaning which can be derivedfrom the above explanation of the semantic rules R1 and R2.
Given a program Prog, represented as a set of at(L, C) facts, its input/outputrelation is represented by a predicate prog defined as follows:
prog(X, X ′)← initConf (C, X), reach(C, C′), finalConf (C′, X ′)
where initConf (C, X) and finalConf (C′, X ′) hold iff the tuples X and X ′ arethe values of the global variables of Prog in the initial and final configurations Cand C′, respectively.
3.3 Translating Relational Properties into CHC
Let us consider a relational property {ϕ} P1 ∼ P2 {ψ}. We assume that ϕand ψ are quantifier-free formulas of the theory A of linear integer arithmeticand integer arrays [9]. A quantifier free formula of A is also called a constraint.
More complex theories of constraints may be used for defining relationalproperties. For instance, one may consider theories with nested quantifiers [2].Our approach is, to a large extent, parametric with respect to those theories. In-deed, the transformation rules on which it is based only require that satisfiabilityand entailment of constraints be decidable (see Section 4).
The validity of a relational property is translated into a set of constrainedHorn clauses, that is, implications of the form: A0 ← c, A1, . . . , An, where (i)A0 is either an atomic formula (or atom) or false, (ii) c is a constraint, and(iii) A1, . . . , An is a possibly empty conjunction of atoms. A set S of clauses isA-satisfiable or, simply, satisfiable iff A ∪ S is satisfiable.
The relational property of the form {ϕ} P1 ∼ P2 {ψ} is translated into thefollowing clause:
(Prop) false ← pre(X, Y ), p1(X, X ′), p2(Y, Y ′), neg_post(X ′, Y ′)
where: (i) X and Y are the disjoint tuples of global variables of P1 and P2,respectively (in the translation we use capital letters for variable identifiers);(ii) X ′ and Y ′ are primed versions of X and Y , respectively;(iii) pre(X, Y ) is ϕ;
9
(iv) the predicates p1(X, X ′) and p2(Y, Y ′) are defined by a set of clauses derivedfrom P1 and P2, respectively, by using a formalization of the the operationalsemantics of the programming language, as explained in Section 3.2; and(v) neg_post(X ′, Y ′) is ¬ψ, with all variables replaced by their primed versions.
Note that we can always eliminate negation from the atoms pre(X, Y ) andneg_post(X ′, Y ′) by pushing negation inward and transforming negated equal-ities into disjunctions of inequalities. Moreover, we can eliminate disjunctionfrom constraints and replace clause Prop by a set of clauses with false in thehead. Although these transformations are not strictly needed by the techniquesdescribed in the rest of the paper, they may be helpful for the constraint solvingtools we use when automating our verification method.
Let RP be a relational property and TRP be the set of constrained Hornclauses generated by the translation process described above, then TRP is correctin the following sense.
Theorem 1 (Correctness of the CHC Translation). RP is valid iff TRP
is satisfiable.
The proof of this theorem directly follows from the fact that the predicatereach is a correct formalization of the semantics of the programming language.
4 Transforming Specifications of Relational Properties
The reduction of the validity problem, that is, the problem of testing whether ornot {ϕ} P1 ∼ P2 {ψ} is valid, to the problem of verifying the satisfiability of a setTRP of constrained Horn clauses allows us to apply reasoning techniques that areindependent of the specific programming language in which programs P1 and P2
are written. In particular, we can try to solve the satisfiability problem for TRP byapplying one of the available solvers for constrained Horn clauses. Unfortunately,as shown by the example in Section 2, it may be the case that these solvers failto prove satisfiability (or unsatisfiability). In Section 5 the reader will find anexperimental evidence of this limitation. However, a very significant advantageof having reduced the validity problem to a CHC satisfiability problem is thatwe can now transform the set TRP by applying any satisfiability preservingalgorithm, before submitting the new, transformed satisfiability problem to aCHC solver.
In this section we present some transformations of constrained Horn clausesthat have the objective of increasing the effectiveness of the subsequent usesof CHC solvers. These transformations, called transformation strategies, are:(1) CHC specialization, and (2) predicate pairing.
These strategies are variants of techniques developed in the area of logicprogramming for improving the efficiency of program execution [19,32]. We willshow that these techniques are very effective for the class of verification prob-lems we are considering here, and actually, they are more general and effectivethan other ad-hoc techniques developed for proving special cases of relationalproperties, such as program equivalence [21].
10
The above CHC Specialization and Predicate Pairing strategies are realizedas sequences of applications of some elementary transformation rules, collectivelycalled unfold/fold rules, proposed in the field of CLP [20].
Now we present the version of those rules we need in our context here. Thoserules allow us to derive from an old set Cls of constrained Horn clauses a newset TransfCls of constrained Horn clauses.
Definition Rule. We introduce a definition clause D of the form newp(X)← c, G,where newp is a new predicate symbol, X is a tuple of variables occurringin {c, G}, c is a constraint, and G is a non-empty conjunction of atoms. Wederive the set of clauses TransfCls = Cls ∪ {D}. We denote by Defs the set ofall definition clauses introduced in a sequence of application of the unfold/foldrules.
Unfolding Rule. Given a clause C in Cls of the form H ← c, L, A, R, where H iseither false or an atom, A is an atom, c is a constraint, and L and R are (possiblyempty) conjunctions of atoms, let us consider the set {Ki ← ci, Bi | i = 1, . . . , m}made out of the (renamed apart) clauses of Cls such that, for i=1, . . . , m, A isunifiable with Ki via the most general unifier ϑi and A |= ∃X.(c, ci)ϑi whereX is the tuple of variables in (c, ci)ϑi. By unfolding C w.r.t. A using Cls, wederive the set of clauses TransfCls = (Cls− {C})∪U(C), where the set U(C) is{(H ← c, ci, L, Bi, R)ϑi | i = 1, . . . , m}.
Folding Rule. Given a clause E of the form: H ← e, L, Q, R and a clause D inDefs of the form K ← d, G such that: (i) for some substitution ϑ, Q = Gϑ, and(ii) A |= ∀X. (e→ dϑ) holds, where X is the tuple of variables in e→ dϑ, thenby folding E using D we derive the set of clauses TransfCls = (Cls − {E}) ∪{H ← e, L, Kϑ, R}.
By using the results in [20], which ensure that the transformation rules pre-serve the least model of a set of constrained Horn clauses, if any, we get thefollowing result.
Theorem 2 (Soundness of the Unfold/Fold Rules). Suppose that from aset Cls of constrained Horn clauses we derive a new set TransfCls of clausesby a sequence of applications of the unfold/fold rules, where every definitionclause used for folding is unfolded during that sequence. Then Cls is satisfiableiff TransfCls is satisfiable.
4.1 CHC Specialization
Specialization is a transformation technique that has been proposed in variousprogramming contexts to take advantage of static information to simplify andcustomize programs [27]. In the field of program verification it has been shownthat the specialization of constrained Horn clauses can be very useful to simplifyclauses before checking their satisfiability [13,28].
We will use CHC specialization to simplify our initial set of clauses TRP.In particular, starting from clause Prop of Section 3.3, we introduce two newpredicates p1sp and p2sp, defined by the clauses:
(S1) p1sp(V, V ′)← p1(X, X ′) (S2) p2sp(W, W ′)← p2(Y, Y ′)
11
where V, V ′, W, W ′ are the sub-tuples of X, X ′, Y, Y ′, respectively, which occurin pre(X, Y ) or neg_post(X ′, Y ′). Then, by applying the folding rule, we canreplace p1 and p2 in clause Prop, by p1sp and p2sp, thereby obtaining:
(Propsp) false ← pre(V, W ), p1sp(V, V ′), p2sp(W, W ′), neg_post(W, W ′)
Now, by applying the specialization strategy of [13] starting from the set ofclauses (TRP − {Prop})∪ {Propsp, S1, S2}, we derive specialized versions of theclauses that define the semantics of programs P1 and P2. In particular, in thoseclauses there are reference to neither the predicate reach, nor the predicate tr,nor the terms encoding configurations.
For instance, let us consider again our example of Section 2. The translationof the relational property Leq: {x1 = x2, x2 ≤ y2} sum_upto ∼ prod {z1 ≤ z2}is as follows:
false ← X1=X2, X2≤Y 2, Z1′ >Z2′,sum_upto(X1, Z1, X1′, Z1′), prod(X2, Y 2, Z2, X2′, Y 2′, Z2′)
where predicates sum_upto and prod are defined in terms of the predicate reachas shown in Section 3.2. By specialization we get clauses 1–7 of Fig. 2, where suand p are the specialized versions of sum_upto and prod , respectively.
CHC specialization is performed by applying the unfold/fold rules, and henceby Theorem 2 the following property holds.
Theorem 3. Let Tsp be derived from TRP by specialization. Then TRP is satis-fiable iff Tsp is satisfiable.
4.2 Predicate Pairing
The core of our verification method is the predicate pairing transformation strat-egy (see Fig. 4), which composes pairs of predicates q and r into one new predi-cate t equivalent to their conjunction. As suggested by the example of Section 2,this transformation may ease the discovery of relations between variables oc-curring in the two original predicates, and thus it may ease the satisfiabilitytest.
Let us see the predicate pairing strategy in action by considering again theexample of Section 2.
First Iteration of the while loop.Unfolding: The strategy starts off by unfolding su(X1, Z1′) and p(X2, Y 2, Z2′)in clause 1 of Fig. 2, hence deriving the following new clause:
8. false ← X≤Y 2, Z1>Z2,f(X1, Z, X1, R, N1, Z1′), g(X1, Y 2, Z, X, Y 2, 0, N2, P 2, Z2′)
Definition & Folding: A new atom with predicate fg is introduced for replac-ing the conjunction of the atoms with predicates f and g in the premise ofclause 8:
9. fg(X1, Z, N, R, N1, Z1′, Y 2, V, W, N2, P 2, Z2′)←f(X1, Z, N, R, N1, Z1′), g(X1, Y 2, V, N, Y 2, W, N2, P 2, Z2′)
12
Input: A set Q ∪R ∪ {C} of clauses where: (i) C is of the form false ← c, q(X), r(Y ),(ii) q and r occur in Q and R, respectively, and (iii) no predicate occurs in both Qand R.Output: A set TransfCls of clauses.
Initialization: InCls := {C}; Defs := ∅; TransfCls := Q ∪R;
while there is a clause C in InCls doUnfolding: From clause C derive a set U(C) of clauses by unfolding C with respect
to every atom occurring in its body using Q ∪R;Rewrite each clause in U(C) to a clause of the form H ← d, A1, . . . , Ak, suchthat, for i = 1, . . . , k, Ai is of the form p(X1, . . . , Xm), where X1, . . . , Xm are, notnecessarily distinct, variables;
Definition & Folding:F (C) := U(C);for every clause E ∈ F (C) of the form H ← d, G1, qi(Vi), G2, ri(Wi), G3 where qi
and ri occur in Q and R, respectively, doif in Defs there is no clause of the form newp(Z)← qi(Vi), ri(Wi), where Z is
the tuple of distinct variables in (Vi, Wi)then add newp(Z)← qi(Vi), ri(Wi) to InCls and to Defs;F (C) := (F (C)− {E}) ∪ {H ← d, G1, newp(Z), G2, G3}
end-for
InCls := InCls− {C}; TransfCls := TransfCls ∪ F(C);end-while
Fig. 4. The predicate pairing transformation strategy.
and that conjunction is folded, hence deriving:
10. false ← X≤Y 2, Z1′ >Z2′, fg(X1, Z, X1, R, N1, Z1′, Y 2, Z, 0, N2, P 2, Z2′)
Second Iteration of the while loop.Unfolding: Now, the atoms with predicate f and g in the premise of the newlyintroduced clause 9 are unfolded, and the following new clauses are derived:
11. fg(X, Z, N, R, N, 0, Y, V, W, N2, Y, Z2)← N≤012. fg(X, Z, N, R, N, Z1, Y 2, V, W, N2, P 2, Z2)←
N≥1, N1=N−1, Z1=R2+N, M =Y 2+W,f(X, Z, N1, R1, S, R2), g(X, Y 2, V, N1, Y 2, M, N2, P 2, Z2)
Definition & Folding: No new predicate is needed, as the conjunction of theatoms with predicate f and g in clause 12 can be folded using clause 9. We get:
13. fg(X, Z, N, R, N, Z1, Y 2, V, W, N2, P 2, Z2)←N≥1, N1=N−1, Z1=R2+N, M =Y 2+W,fg(X, Z, N1, R1, S, R2, Y 2, V, M, N2, P 2, Z2)
Clauses 10, 11, and 13, which are the ones shown in Fig. 3, constitute the finalset of clauses we have derived.
The predicate pairing strategy always terminates because the number of thepossible new predicate definitions is bounded by the number γ of conjunctionsof the form qi(Vi), ri(Wi), where qi occurs in Q and ri occurs in R and, hence,the number of executions of the while loop of the strategy is bounded by γ.
13
Thus, from the fact that the unfold/fold transformation rules preserve satis-fiability (see Theorem 2), we get the following result.
Theorem 4 (Soundness of the predicate pairing strategy). Let the setQ ∪ R ∪ {C} of clauses be the input of the predicate pairing strategy. Then thestrategy terminates and returns a set TransfCls of clauses such that Q∪R∪{C}is satisfiable iff TransfCls is satisfiable.
5 Implementation and Experimental Evaluation
We have implemented the techniques presented in Sections 3 and 4 by using theVeriMAP transformation and verification system [15]. The satisfiability of theconstrained Horn clauses derived by transformation has been checked by usingthe SMT solvers Eldarica [25], MathSAT [11], and Z3 [18].
We have considered 90 problems referring to relational properties of small,yet non-trivial, C-like programs mostly taken from the literature [5,6,21]. Thesources of the problems are available at http://map.uniroma2.it/releq. Theproperties we have considered belong to the following categories. All programsact on integers, except for those in the arr category which act on integer arrays.
The ite (respectively, rec) category consists of equivalence properties be-tween pairs of iterative (respectively, recursive) programs, that is, we have veri-fied that for every pair of programs, the two programs in the pair compute thesame outputs when given the same inputs.
The i-r category consists of equivalence properties between an iterative and arecursive (non-tail recursive) program. For example, we have verified the equiv-alence of iterative and recursive versions of programs computing the greatestcommon divisor of two integers and the n-th triangular number Tn =
!n
i=1i.
The arr category consists of equivalence properties between programs actingon integer arrays.
The leq category consists of inequality properties stating that if the inputsof two programs satisfy some given precondition, then their outputs satisfy aninequality postcondition. For instance, we have verified that for all non-negativeintegers m and n: (i) if n≤m, then Tn≤n×m (see the example of Section 2),and (ii) n2≤n3.
The mon (respectively, inj) category consists of properties stating that pro-grams, under some given preconditions, compute monotonically non-decreasing(respectively, injective) functions. For example, we have verified monotonicityand injectivity of programs computing the Fibonacci numbers, the square of anumber, and the triangular numbers (for non-negative input values).
The fun category consists of properties stating that, under some given pre-conditions, some of the outputs of the given programs are functionally dependenton a proper subset of the inputs.
The results of our experimental evaluation are summarized in Table 1. Allexperiments have been performed on a single core of an Intel Core Duo E73002.66Ghz processor with 4GB of memory running Ubuntu. Timings are in seconds.A time limit of 60 seconds has been set for all problems.
14
Cat n Tr Eld Z3 PP Eld MS Z3 CP+Eld CP+MS CP+Z3ite 21 0.04 7 (5.61) 6 (1.06) 1.23 13 (5.10) 19 (7.39) 6 (1.08) 4 (0.07) 1 (0.10) 15 (2.55)rec 18 0.06 7 (4.16) 8 (3.10) 1.82 7 (5.19) 11 (1.09) 6 (0.94) 7 (0.06) 0 7 (0.08)i-r 4 0.05 0 0 0.58 0 3 (8.16) 0 4 (0.35) 1 (0.08) 4 (0.35)arr 5 0.05 0 1 (0.78) 1.02 1 (4.29) 1 (0.78) 4 (0.81) 1 (5.81) 1 (2.26) 1 (0.75)leq 6 0.03 1 (2.83) 1 (0.77) 0.29 1 (4.76) 6 (2.52) 1 (0.80) 2 (1.74) 0 3 (0.64)mon 18 0.02 4 (4.60) 4 (0.90) 2.78 11 (5.55) 16 (1.61) 8 (0.98) 0 1 (3.12) 6 (0.81)inj 11 0.02 0 0 1.87 0 11 (1.70) 4 (1.10) 7 (1.71) 0 6 (0.63)fun 7 0.02 5 (4.49) 5 (0.80) 3.90 6 (4.77) 7 (1.03) 5 (0.91) 0 0 2 (0.69)Tot 90 0.04 24(4.67) 25(1.61) 1.84 39(5.16) 74(3.30) 34(0.97) 25(0.93) 4(1.39) 44(1.20)
Table 1. Timings are in seconds. The timeout occurs after 60 seconds.
The first two columns (Cat) and (n) report the names of the categories andthe number of problems in each category, respectively. The third column (Tr)reports the average time taken for generating the set of CHC encoding the rela-tional property by applying the method presented in Section 3 (including CHCspecialization).
Columns 4 (Eld) and 5 (Z3 ) report the number of problems that were solvedby applying Eldarica and Z3, respectively, on the CHC encoding of the relationalproperty. Between parentheses we have indicated the average time taken for eachsolved problem. There is no column for MathSAT because it is unable to dealwith clauses containing multiple atoms in their premise.
Column 6 (PP) reports the average time taken for applying the predicatepairing transformation strategy presented in Section 4.2. Predicate pairing ter-minates before the timeout for all problems.
Columns 7 (Eld), 8 (MS), and 9 (Z3 ) report the results obtained by applyingEldarica, MathSAT, and Z3, respectively, on the CHC derived by applying thepredicate pairing strategy. We indicate the number of solved problems and theaverage solving time.
If a CHC solver is unable to solve a problem after predicate pairing, we applyCHC specialization again with the goal of propagating the constraints occurringin the clauses and discovering invariants by means of the widening and convex-hull operators [13]. In some cases this constraint propagation produces a setof CHC without constrained facts (that is, clauses of the form A ← c), andhence satisfiable. If the other cases, we apply again the solvers on the clausesobtained after constraint propagation. Columns 10 (CP+Eld), 11 (CP+MS),and 12 (CP+Z3 ) report the results obtained by applying constraint propagation,possibly followed by Eldarica, MathSAT, and Z3, respectively, in the cases wherethe predicate pairing and the CHC solvers were unable to deliver an answer. Asusual, we report the number of problems solved and the average solving time.The solving times include the time spent for constraint propagation.
More details about the results of our experimental evaluation are reportedin the Appendix.
The use of the predicate pairing and constraint propagation strategies signif-icantly increases the number of problems that have been solved. In particular,the number of problems that can be solved by Eldarica increases from 24 (see
15
Column 4) to 64 (sum of Columns 7 and 10). Similarly for MathSAT from zeroto 78 (sum of Columns 8 and 11), and for Z3 from 25 (see Column 5) to 78 (sumof Columns 9 and 12). The number of problems that can be solved by using anyof the considered CHC solvers is 86.
We observe that the application of the predicate pairing strategy is veryeffective in increasing the number of solved problems. For instance, it allowsEldarica to solve 15 more problems (see Columns 4 and 7). For problems that canalready be solved without using the pairing strategy the performance overheadis almost always tolerable. However, for three problems out of the 90 we haveconsidered, Z3 is unable to prove the property within the considered time limitafter the application of the pairing strategy (although one of these problems canbe solved after the constraint propagation phase).
Also the application of constraint propagation turns out to be very useful forsolving additional problems. For instance, for Z3 constraint propagation allowsthe solution of additional 44 problems (see Column 12).
It is worth noticing that for the problems in the ite and rec categories ourverification method is competitive with the approach to the proof of programequivalences presented in [21]. However, that approach cannot be directly appliedto problems belonging to the other categories.
6 Related Work
Various logics and methods for reasoning about program relations have been pre-sented in the literature. Their main purpose is the formal, possibly automated,validation of program transformation and program analysis techniques.
A Hoare-like axiomatization of relational reasoning for simple while programshas been proposed in [6], which however does not present any technique forautomating proofs.
A partial automation of relational reasoning has been proposed in [5], whichintroduces a notion of a program product that allows the reduction of a relationalverification problem to a standard program verification problem. The methodrequires human ingenuity to generate program products via ad-hoc refinementsand also to provide suitable invariants to the program verifier. Similarly to [5],the Differential Assertion Checking technique proposed in [29] makes use of thenotion of a program composition to reduce the relative correctness of two pro-grams to a suitable safety property of the composed program.
The idea of using program transformations to help the proof of relationalproperties between higher-order functional programs has been explored in [3].The main difference between the approach in [3] and ours is that, besides thedifference of programming languages, we transform the logical representationof the property to be proved, rather than the two programs under analysis.Our approach allows higher parametericity with respect to the programminglanguage, and also enables us to use very effective tools for CHC solving.
Our notion of the predicate pairing is related to that of the mutual summariespresented in [24]. Mutual summaries relate the summaries of two procedures,and can be used to prove relations between them, including relative termination
16
(which we do not consider in our technique). Similarly to the above mentionedpapers [5,29], this approach requires human ingenuity to generate suitable proofobligations, which can then be discharged by automated theorem provers.
Program equivalence is one of the relational properties that has been exten-sively studied (see [10,12,21,23,34] for some recent work). Indeed, during soft-ware development one may want to modify the program text and prove that itssemantics has not changed (this kind of proofs is sometimes called regression ver-ification). Among the various approaches to prove program equivalence, the onewhich is most related to ours is the one reported in [21], which proposes proofrules for the equivalence of simple imperative programs that are then trans-lated into constrained Horn clauses. The satisfiability of these clauses is thenchecked by state-of-the-art CHC solvers. As already mentioned, our method canbe applied to more general relational properties. Moreover, we need not spe-cial purpose proof rules for equivalence and, instead, we use transformations ofconstrained Horn clauses.
Finally, we want to mention that in the present paper we have used (vari-ants and extensions of) transformation techniques for constrained Horn clausesproposed in previous work in the area of program verification (see, for in-stance, [1,13,14,16,17,28,31]). However, the goal of that previous work was theverification of partial and total correctness of single programs, and not the ver-ification of relations between two programs which has been the objective of ourstudy in this paper.
7 Conclusions
We have presented a method for verifying relational properties of programs writ-ten in a simple imperative language with integer and array variables. The methodconsists in: (i) translating the property to be verified into a set of constrainedHorn clauses, then (ii) transforming these clauses to better exploit the interac-tions between the predicates which represent the computations evoked by theprograms, and finally, (iii) using state-of-the-art constrained Horn clause solversto prove satisfiability.
Although we have considered imperative programs, the only language-specificelement of our method is the constrained Horn clause interpreter that we haveused to represent in clausal form the program semantics and the property tobe verified. Indeed, our method can also be applied to prove relations betweenprograms written in different programming languages. Thus, our approach isbasically independent of the programming language used.
Finally, we think that our approach can be refined and improved by takingadvantage of the progress that in the future could be made in the developmentof techniques and tools for reasoning about constrained Horn clauses.
Acknowledgements
We wish to thank Arie Gurfinkel, Vladimir Klebanov, and the participants inthe VPT workshop at ETAPS 2015 for stimulating conversations.
17
References
1. E. Albert, M. Gómez-Zamalloa, L. Hubert, and G. Puebla. Verification of Javabytecode using analysis and transformation of logic programs. In M. Hanus,ed., Practical Aspects of Declarative Languages, LNCS 4354, pages 124–139.Springer, 2007.
2. F. Alberti, S. Ghilardi, and N. Sharygina. Decision procedures for flat array prop-erties. In TACAS ’14, Grenoble, France, LNCS 8413, pages 15–30. Springer, 2014.
3. K. Asada, R. Sato, and N. Kobayashi. Verifying relational properties of functionalprograms by first-order refinement. In Proc. PEPM ’15, Mumbai, India, pages61–72. ACM, 2015.
4. M. Barnett, B.-Y. E. Chang, R. De Line, B. Jacobs, and K. R. M. Leino. Boogie:A modular reusable verifier for object-oriented programs. In F. de Boer, M. Bon-sangue, S. Graf, and W.-P. de Roever, eds., Formal Methods for Components andObjects, LNCS 4111, pages 364–387. Springer, 2006.
5. G. Barthe, J. M. Crespo, and C. Kunz. Relational verification using productprograms. In FM ’11: Formal Methods, Limerick, Ireland, LNCS 6664, pages 200–214. Springer, 2011.
6. N. Benton. Simple relational correctness proofs for static analyses and programtransformations. In Proc. 31st ACM SIGPLAN-SIGACT, POPL ’04, Venice, Italy,pages 14–25. ACM, 2004.
7. N. Bjørner, A. Gurfinkel, K. L. McMillan, and A. Rybalchenko. Horn clausesolvers for program verification. In L. D. Beklemishev, A. Blass, N. Dershowitz,B. Finkbeiner, and W. Schulte, eds., Fields of Logic and Computation II - Essaysdedicated to Y. Gurevich, LNCS 9300, pages 24–51. Springer, 2015.
8. C. Borralleras, S. Lucas, A. Oliveras, E. Rodríguez-Carbonell, and A. Rubio. SATmodulo linear arithmetic for solving polynomial constraints. J. Autom. Reasoning,48(1):107–131, 2012.
9. A. R. Bradley, Z. Manna, and H. B. Sipma. What’s decidable about arrays? InProc. VMCAI ’06, LNCS 3855, pages 427–442. Springer, 2006.
10. S. Chaki, A. Gurfinkel, and O. Strichman. Regression verification for multi-threaded programs. In V. Kuncak and A. Rybalchenko, eds., VMCAI ’12, Philadel-phia, PA, USA, LNCS 7148, pages 119–135. Springer, 2012.
11. A. Cimatti, A. Griggio, B. Schaafsma, and R. Sebastiani. The MathSAT5 SMTSolver. In N. Piterman and S. Smolka, eds., Proc. TACAS ’13, LNCS 7795, pages93–107. Springer, 2013.
12. S. Ciobâcă, D. Lucanu, V. Rusu, and G. Rosu. A language-independent proof sys-tem for mutual program equivalence. In S. Merz and J. Pang, eds., Formal Meth-ods and Software Engineering ICFEM ’14, Luxembourg, Luxembourg, LNCS 8829,pages 75–90. Springer, 2014.
13. E. De Angelis, F. Fioravanti, A. Pettorossi, and M. Proietti. Program verificationvia iterated specialization. Sci. Comput. Program., 95, Part 2:149–175, 2014.
14. E. De Angelis, F. Fioravanti, A. Pettorossi, and M. Proietti. Verifying array pro-grams by transforming verification conditions. In Proc. VMCAI ’14, LNCS 8318,pages 182–202. Springer, 2014.
15. E. De Angelis, F. Fioravanti, A. Pettorossi, and M. Proietti. VeriMAP: A tool forverifying programs through transformations. In Proc. TACAS ’14, LNCS 8413,pages 568–574. Springer, 2014. http://www.map.uniroma2.it/VeriMAP.
16. E. De Angelis, F. Fioravanti, A. Pettorossi, and M. Proietti. Proving correctness ofimperative programs by linearizing constrained Horn clauses. Theory and Practiceof Logic Programming, 15(4-5):635–650, 2015.
18
17. E. De Angelis, F. Fioravanti, A. Pettorossi, and M. Proietti. Semantics-basedgeneration of verification conditions by program specialization. In Proc. Symp. onPrinciples and Practice of Declarative Programming, Siena, Italy, pages 91–102.ACM, 2015.
18. L. M. de Moura and N. Bjørner. Z3: An efficient SMT solver. In Proc. TACAS ’08,LNCS 4963, pages 337–340. Springer, 2008.
19. D. De Schreye, R. Glück, J. Jørgensen, M. Leuschel, B. Martens, and M. H.Sørensen. Conjunctive partial deduction: Foundations, control, algorithms, andexperiments. Journal of Logic Programming, 41(2–3):231–277, 1999.
20. S. Etalle and M. Gabbrielli. Transformations of CLP modules. Theoretical Com-puter Science, 166:101–146, 1996.
21. D. Felsing, S. Grebing, V. Klebanov, P. Rümmer, and M. Ulbrich. Automat-ing regression verification. In I. Crnkovic, M. Chechik, and P. Grünbacher, eds.,ACM/IEEE ASE ’14, Vasteras, Sweden, pages 349–360, 2014.
22. J.-C. Filliâtre and A. Paskevich. Why3 - Where programs meet provers. In Pro-gramming ESOP ’13, LNCS 7792, pages 125–128. Springer, 2013.
23. B. Godlin and O. Strichman. Regression verification: Proving the equivalence ofsimilar programs. Softw. Test., Verif. Reliab., 23(3):241–258, 2013.
24. C. Hawblitzel, M. Kawaguchi, S. K. Lahiri, and H. Rebêlo. Towards modularlycomparing programs using automated theorem provers. In M. P. Bonacina, ed.,Automated Deduction - CADE 24, LNCS 7898, pages 282–299. Springer, 2013.
25. H. Hojjat, F. Konecný, F. Garnier, R. Iosif, V. Kuncak, and P. Rümmer. A verifica-tion toolkit for numerical transition systems. In D. Giannakopoulou and D. Méry,eds., FM ’12: Formal Methods, LNCS 7436, pages 247–251. Springer, 2012.
26. J. Jaffar and M. Maher. Constraint logic programming: A survey. Journal of LogicProgramming, 19/20:503–581, 1994.
27. N. D. Jones, C. K. Gomard, and P. Sestoft. Partial Evaluation and AutomaticProgram Generation. Prentice Hall, 1993.
28. B. Kafle and J. P. Gallagher. Constraint specialisation in Horn clause verification.In Proc. PEPM ’15, Mumbai, India, pages 85–90. ACM, 2015.
29. S. K. Lahiri, K. L. McMillan, R. Sharma, and C. Hawblitzel. Differential assertionchecking. In B. Meyer, L. Baresi, and M. Mezini, eds., ESEC/FSE ’13, SaintPetersburg, Russian Federation, pages 345–355. ACM, 2013.
30. Y. V. Matijasevic. Enumerable sets are diophantine. Doklady Akademii NaukSSSR (in Russian), 191:279–282, 1970.
31. J. C. Peralta, J. P. Gallagher, and H. Saglam. Analysis of imperative programsthrough analysis of constraint logic programs. In G. Levi, ed., Proc. SAS ’98,LNCS 1503, pages 246–261. Springer, 1998.
32. A. Pettorossi and M. Proietti. Transformation of logic programs: Foundations andtechniques. Journal of Logic Programming, 19,20:261–320, 1994.
33. H. Tamaki and T. Sato. Unfold/fold transformation of logic programs. In S.-Å.Tärnlund, ed., Proc. ICLP ’84, pages 127–138, Uppsala, Sweden, 1984. UppsalaUniversity.
34. S. Verdoolaege, G. Janssens, and M. Bruynooghe. Equivalence checking of staticaffine programs using widening to handle recurrences. ACM Trans. Program. Lang.Syst., 34(3):11, 2012.
19
Deta
iled
resu
lts
of
the
ex
peri
men
tal
evalu
ati
on
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
bart
he0.
04T
OT
O1.
65T
O30
.79
TO
0.09
true
N/A
N/A
N/A
0.09
N/A
0.09
bart
he2
0.03
TO
TO
0.54
TO
2.78
TO
0.13
un
know
nT
ON
/A0.
94T
ON
/A1.
07ba
rthe
2-bi
g0.
04T
OT
O1.
43T
O5.
69T
O26
.62
un
know
nT
ON
/A1.
46T
ON
/A28
.08
bart
he2-
big2
0.06
TO
TO
3.92
TO
56.6
8T
O4.
36un
know
nT
ON
/A2.
89T
ON
/A7.
25bu
g15
0.03
3.78
0.81
0.20
2.89
0.75
0.76
0.05
true
N/A
N/A
N/A
N/A
N/A
N/A
digi
ts10
0.07
3.52
TO
2.41
7.17
3.29
0.94
0.77
un
know
nN
/AN
/AN
/AN
/AN
/AN
/Adi
gits
10_
inl
0.09
3.48
0.81
2.42
6.92
1.90
TO
0.14
true
N/A
N/A
N/A
N/A
N/A
0.14
fib0.
04T
OT
O0.
66T
O4.
74T
O0.
11un
know
nT
ON
/A0.
79T
ON
/A0.
90lo
op0.
03T
OT
O0.
463.
594.
43T
O0.
06tr
ue
N/A
N/A
N/A
N/A
N/A
0.06
loop
20.
03T
OT
O0.
483.
571.
57T
O0.
06tr
ue
N/A
N/A
N/A
N/A
N/A
0.06
loop
30.
03T
OT
O0.
333.
351.
00T
O0.
05tr
ue
N/A
N/A
N/A
N/A
N/A
0.05
loop
40.
04T
OT
O0.
55T
O19
.26
TO
0.07
true
N/A
N/A
N/A
0.07
N/A
0.07
loop
50.
02T
OT
O0.
47T
OT
OT
O0.
10tr
ue
N/A
N/A
N/A
0.10
0.10
0.10
nest
ed-w
hile
0.06
TO
TO
2.42
8.93
1.27
TO
0.19
true
N/A
N/A
N/A
N/A
N/A
0.19
sim
ple-
loop
0.02
7.58
0.93
0.13
5.69
1.50
0.99
0.03
true
N/A
N/A
N/A
N/A
N/A
N/A
upco
unt
0.03
TO
TO
0.19
3.24
0.88
TO
0.04
true
N/A
N/A
N/A
N/A
N/A
0.04
whi
le-i
f0.
04T
OT
O0.
874.
031.
20T
O0.
09tr
ue
N/A
N/A
N/A
N/A
N/A
0.09
bart
he-f
ault
y0.
0714
.86
2.29
3.55
9.77
TO
2.21
0.21
un
know
nN
/AT
ON
/AN
/AT
ON
/Alo
op5-
faul
ty0.
022.
760.
750.
453.
170.
870.
770.
08un
know
nN
/AN
/AN
/AN
/AN
/AN
/Ane
sted
-whi
le-f
ault
y0.
053.
300.
792.
364.
001.
040.
830.
19un
know
nN
/AN
/AN
/AN
/AN
/AN
/Ain
vari
anth
oist
ing
0.02
TO
TO
0.29
TO
0.80
TO
0.02
true
N/A
N/A
N/A
0.02
N/A
0.02
To
tal
tim
e0
.86
39
.28
6.3
82
5.7
86
6.3
21
40
.44
6.5
03
3.4
6–
–6
.08
0.2
80
.10
38
.21
#o
fP
ro
ble
ms
21
76
21
13
19
62
11
3–
–4
41
15
Av
era
ge
tim
e0
.04
5.6
11
.06
1.2
35
.10
7.3
91
.08
1.5
9–
–1
.52
0.0
70
.10
2.5
5
Ta
ble
2.
Cat
egor
yit
e.
Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
20
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
add-
horn
0.06
TO
TO
1.14
TO
0.94
TO
0.15
true
N/A
N/A
N/A
0.15
N/A
0.15
coco
me1
0.03
TO
TO
0.27
TO
0.99
TO
0.05
true
N/A
N/A
N/A
0.05
N/A
0.05
inlin
ing
0.04
2.84
TO
0.25
4.00
0.85
TO
0.15
true
N/A
N/A
N/A
N/A
N/A
0.15
limit
10.
02T
OT
O0.
21T
OT
OT
O0.
05un
know
nT
OT
OT
OT
OT
OT
Olim
it1u
nrol
led
0.05
TO
TO
0.19
TO
1.10
TO
0.04
true
N/A
N/A
N/A
0.04
N/A
0.04
limit
20.
03T
OT
O0.
37T
O0.
89T
O0.
02tr
ue
N/A
N/A
N/A
0.02
N/A
0.02
limit
30.
04T
OT
O0.
18T
O0.
82T
O0.
07tr
ue
N/A
N/A
N/A
0.07
N/A
0.07
loop
_re
c0.
06T
O0.
770.
28T
O1.
240.
790.
03tr
ue
N/A
N/A
N/A
0.03
N/A
N/A
tria
ngul
ar0.
03T
OT
O0.
27T
O0.
99T
O0.
07tr
ue
N/A
N/A
N/A
0.07
N/A
0.07
tria
ngul
ar-m
od0.
13T
OT
O4.
71T
OT
OT
O31
.08
un
know
nT
OT
OT
OT
OT
OT
Om
ccar
thy9
10.
043.
630.
760.
313.
52T
OT
ON
/Aun
know
nN
/AT
OT
ON
/AT
OT
Oac
kerm
ann
0.15
TO
TO
9.58
TO
TO
TO
N/A
un
know
nT
OT
OT
OT
OT
OT
Oac
kerm
ann-
faul
ty0.
213.
450.
8310
.66
6.68
TO
1.08
N/A
un
know
nN
/AT
ON
/AN
/AT
ON
/Aad
d-ho
rn-f
ault
y0.
063.
150.
771.
214.
221.
000.
840.
20un
know
nN
/AN
/AN
/AN
/AN
/AN
/Ain
linin
g-fa
ulty
0.03
2.79
0.75
0.26
3.49
0.82
0.78
0.12
un
know
nN
/AN
/AN
/AN
/AN
/AN
/Alim
it1-
faul
ty0.
022.
550.
750.
212.
90T
O0.
750.
10un
know
nN
/AT
ON
/AN
/AT
ON
/Alim
it2-
faul
ty0.
0410
.72
1.03
0.34
11.5
42.
391.
380.
11un
know
nN
/AN
/AN
/AN
/AN
/AN
/Atr
iang
ular
-mod
-fau
lty
0.09
TO
19.1
72.
26T
OT
OT
O19
.96
un
know
nT
OT
OT
OT
OT
OT
OT
ota
lti
me
1.1
32
9.1
32
4.8
33
2.7
03
6.3
51
2.0
35
.62
52
.20
––
–0
.43
–0
.55
#o
fP
ro
ble
ms
18
78
18
71
16
15
8–
––
7–
7
Av
era
ge
tim
e0
.06
4.1
63
.10
1.8
25
.19
1.0
90
.94
3.4
8–
––
0.0
6–
0.0
8
Ta
ble
3.
Cat
egor
yr
ec
.Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
21
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
cub
e_vs
_sq
uare
0.04
TO
TO
0.39
TO
2.60
TO
0.21
un
know
nT
ON
/A0.
77T
ON
/A0.
98sq
uare
n0.
03T
OT
O0.
24T
O1.
24T
O0.
09un
know
n3.
31N
/A0.
783.
40N
/A0.
87su
mod
d_vs
_sq
uare
0.03
2.83
0.77
0.41
4.76
0.89
0.80
0.08
un
know
nN
/AN
/AN
/AN
/AN
/AN
/Asu
m_
vs_
prod
uct
0.02
TO
TO
0.24
TO
3.81
TO
0.13
un
know
nT
ON
/AT
OT
ON
/AT
Osu
m_
vs_
prod
uct2
0.03
TO
TO
0.27
TO
5.50
TO
0.12
un
know
nT
ON
/AT
OT
ON
/AT
Osu
m_
vs_
squa
re0.
02T
OT
O0.
16T
O1.
05T
O0.
07tr
ue
N/A
N/A
N/A
0.07
N/A
0.07
To
tal
tim
e0
.17
2.8
30
.77
1.7
14
.76
15
.09
0.8
00
.70
3.3
1–
1.5
53
.47
–1
.92
#o
fP
ro
ble
ms
61
16
16
16
11
–2
2–
3
Av
era
ge
tim
e0
.03
2.8
30
.77
0.2
94
.76
2.5
20
.80
0.1
23
.31
–0
.78
1.7
4–
0.6
4
Ta
ble
4.
Cat
egor
yle
q.
Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
22
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
gcd
0.12
TO
TO
1.55
TO
15.2
4T
O1.
02tr
ue
N/A
N/A
N/A
1.02
N/A
1.02
sum
VSp
rod(
RE
)0.
03T
OT
O0.
33T
O7.
56T
O0.
15tr
ue
N/A
N/A
N/A
0.15
N/A
0.15
tria
ngul
ar_
nont
ail
0.03
TO
TO
0.23
TO
1.68
TO
0.13
true
N/A
N/A
N/A
0.13
N/A
0.13
tria
ngul
ar_
tail
0.03
TO
TO
0.21
TO
TO
TO
0.08
true
N/A
N/A
N/A
0.08
0.08
0.08
To
tal
tim
e0
.21
––
2.3
2–
24
.48
–1
.38
––
–1
.38
0.0
81
.38
#o
fP
ro
ble
ms
4–
–4
–3
–4
4–
––
41
4
Av
era
ge
tim
e0
.05
––
0.5
8–
8.1
6–
0.3
52
.00
–1
.00
0.3
50
.08
0.3
5
Ta
ble
5.
Cat
egor
yi-
r.
Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
23
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
fib0.
02T
OT
O1.
09T
OT
O0.
801.
40un
know
n4.
410.
86N
/A5.
812.
26N
/Afin
dmax
0.06
TO
0.78
1.22
TO
TO
0.80
1.41
un
know
nT
OT
ON
/AT
OT
ON
/Alo
opal
ign
0.05
TO
TO
1.12
TO
TO
0.80
25.5
9un
know
nT
OT
ON
/AT
OT
ON
/Alo
oppi
pe
0.14
TO
TO
1.52
TO
TO
0.84
0.06
un
know
nT
OT
ON
/AT
OT
ON
/Apr
opag
ate
0.01
TO
TO
0.14
4.29
0.78
TO
0.75
true
N/A
N/A
N/A
N/A
N/A
0.75
To
tal
tim
e0
.28
–0
.78
5.0
94
.29
0.7
83
.24
29
.21
4.4
10
.86
–5
.81
2.2
60
.75
#o
fP
ro
ble
ms
5–
15
11
45
11
1–
11
1
Av
era
ge
tim
e0
.06
–0
.78
1.0
24
.29
0.7
80
.81
5.8
44
.41
0.8
6–
5.8
12
.26
0.7
5
Ta
ble
6.
Cat
egor
ya
rr
.Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
24
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
add-
horn
0.02
TO
TO
5.48
5.58
1.31
TO
0.33
true
N/A
N/A
N/A
N/A
N/A
0.33
bart
he0.
02T
OT
O7.
25T
OT
OT
O0.
47un
know
nT
O2.
65T
OT
O3.
12T
Oba
rthe
20.
02T
OT
O1.
76T
O1.
93T
O0.
31un
know
nT
ON
/AT
OT
ON
/AT
Obu
g15
0.02
5.88
0.83
0.68
4.07
0.81
0.98
0.09
true
N/A
N/A
N/A
N/A
N/A
N/A
cub
e0.
02T
OT
O4.
11T
OT
OT
O0.
14un
know
nT
OT
OT
OT
OT
OT
Odi
gits
100.
020.
801.
040.
504.
821.
020.
860.
25tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
fib0.
02T
OT
O2.
56T
O7.
36T
O0.
40un
know
nT
ON
/A1.
08T
ON
/A1.
48lo
op0.
02T
OT
O1.
205.
131.
040.
840.
15tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
loop
20.
01T
OT
O1.
117.
581.
321.
380.
14tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
loop
30.
02T
OT
O3.
638.
601.
480.
780.
30tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
loop
40.
02T
OT
O1.
214.
771.
051.
000.
16tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
nest
ed-w
hile
0.04
3.37
0.76
14.7
48.
791.
341.
160.
27tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
prod
uct
0.02
TO
TO
1.21
TO
1.44
TO
0.31
un
know
nT
ON
/AT
OT
ON
/AT
Osi
mpl
e-lo
op0.
028.
370.
950.
353.
980.
820.
860.
07tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
squa
re0.
02T
OT
O0.
93T
O1.
48T
O0.
33un
know
nT
ON
/A1.
14T
ON
/A1.
47su
m0.
01T
OT
O0.
46T
O1.
02T
O0.
27un
know
nT
ON
/A0.
87T
ON
/A1.
14up
coun
t0.
01T
OT
O0.
710.
741.
03T
O0.
15tr
ue
N/A
N/A
N/A
N/A
N/A
0.15
whi
le-i
f0.
02T
OT
O2.
186.
961.
29T
O0.
26tr
ue
N/A
N/A
N/A
N/A
N/A
0.26
To
tal
tim
e0
.35
18
.42
3.5
85
0.0
76
1.0
22
5.7
47
.86
4.4
0–
2.6
53
.09
–3
.12
4.8
3
#o
fP
ro
ble
ms
18
44
18
11
16
81
81
1–
13
–1
6
Av
era
ge
tim
e0
.02
4.6
10
.90
2.7
85
.55
1.6
10
.98
0.2
4–
2.6
51
.03
–3
.12
0.8
1
Ta
ble
7.
Cat
egor
ym
on
.Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
25
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
add-
horn
0.03
TO
TO
4.09
TO
1.20
TO
0.20
true
N/A
N/A
N/A
0.20
N/A
0.20
fib0.
02T
OT
O2.
77T
O5.
15T
O0.
29un
know
nT
ON
/A0.
77T
ON
/A1.
06lo
op0.
01T
OT
O1.
34T
O1.
071.
570.
20un
know
n6.
65N
/AN
/A6.
85N
/AN
/Alo
op2
0.02
TO
TO
1.22
TO
1.01
1.00
0.18
true
N/A
N/A
N/A
0.18
N/A
N/A
loop
30.
02T
OT
O3.
89T
O1.
230.
930.
22un
know
n3.
96N
/AN
/A4.
18N
/AN
/Alo
op4
0.02
TO
TO
1.34
TO
1.22
0.90
0.17
true
N/A
N/A
N/A
0.17
N/A
N/A
prod
uct
0.01
TO
TO
1.23
TO
1.18
TO
0.17
un
know
nT
ON
/AT
OT
ON
/AT
Osq
uare
0.01
TO
TO
1.01
TO
1.93
TO
0.25
un
know
nT
ON
/A0.
76T
ON
/A1.
01su
m0.
02T
OT
O0.
51T
O1.
95T
O0.
33un
know
nT
ON
/A0.
77T
ON
/A1.
10up
coun
t0.
01T
OT
O0.
79T
O1.
17T
O0.
19tr
ue
N/A
N/A
N/A
0.19
N/A
0.19
whi
le-i
f0.
02T
OT
O2.
38T
O1.
58T
O0.
22tr
ue
N/A
N/A
N/A
0.22
N/A
0.22
To
tal
tim
e0
.19
––
20
.57
–1
8.6
94
.42
.42
10
.61
–2
.31
1.9
9–
3.7
8
#o
fP
ro
ble
ms
11
––
11
–1
14
11
52
–3
7–
6
Av
era
ge
tim
e0
.02
––
1.8
7–
1.7
01
.10
0.2
25
.31
–0
.77
1.7
1–
0.6
3
Ta
ble
8.
Cat
egor
yin
j.C
olum
n‘T
rans
lati
on’
rep
orts
the
tim
eta
ken
byV
eriM
AP
totr
ansl
ate
the
prob
lem
into
CH
C.
Col
umns
3an
d4
rep
ort
the
tim
eta
ken
byE
ldar
ica
and
Z3
for
solv
ing
the
prob
lem
saf
ter
the
tran
slat
ion.
Col
umn
‘Pre
dica
teP
airi
ng(P
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
pred
icat
epa
irin
gst
rate
gy.
Col
umns
6,7,
and
8re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
PP
.Col
umn
‘Con
stra
int
Pro
paga
tion
(CP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
eco
nstr
aint
prop
agat
ion.
Col
umn
‘Ans
wer
’re
por
tsth
ean
swer
prov
ided
byV
eriM
AP
afte
rth
eap
plic
atio
nof
CP
.C
olum
ns11
,12
,an
d13
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rC
P.
Col
umns
14,
15,
and
16re
port
the
tim
eta
ken
byap
plyi
ngC
P,
plus
the
tim
ep
ossi
bly
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3re
spec
tive
ly,
inth
eca
ses
whe
reth
epr
edic
ate
pair
ing
and
the
CH
Cso
lver
sw
ere
unab
leto
deliv
eran
answ
er.
‘TO
’m
eans
that
the
tool
was
not
able
topr
ove
the
give
npr
oper
tyw
ithi
nth
eti
meo
utlim
itof
60se
cond
s.‘N
/A’
mea
nsno
tap
plic
able
bec
ause
alre
ady
prov
edin
apr
evio
usph
ase.
Tim
esar
ein
seco
nds.
26
Pro
ble
m
Translation
Eldarica
Z3
PredicatePairing(PP)
Eldarica
MathSAT
Z3
ConstraintPropagation(CP)
Answer
Eldarica
MathSAT
Z3
CP+Eldarica
CP+MathSAT
CP+Z3
add-
horn
0.02
3.86
0.74
5.92
6.90
1.15
0.97
0.37
true
N/A
N/A
N/A
N/A
N/A
N/A
bug1
50.
015.
850.
820.
690.
770.
800.
800.
09tr
ue
N/A
N/A
N/A
N/A
N/A
N/A
fib0.
02T
OT
O1.
71T
O1.
34T
O0.
29un
know
nT
ON
/A0.
93T
ON
/A1.
22ne
sted
-whi
le0.
033.
390.
7615
.87
9.37
1.33
1.16
0.29
true
N/A
N/A
N/A
N/A
N/A
N/A
sim
ple-
loop
0.01
6.27
0.93
0.34
3.08
0.76
0.81
0.06
true
N/A
N/A
N/A
N/A
N/A
N/A
upco
unt
0.02
3.07
0.75
0.68
3.93
0.82
0.80
0.05
true
N/A
N/A
N/A
N/A
N/A
N/A
whi
le-i
f0.
02T
OT
O2.
124.
541.
02T
O0.
15tr
ue
N/A
N/A
N/A
N/A
N/A
0.15
To
tal
tim
e0
.13
22
.44
4.0
02
7.3
32
8.5
97
.22
4.5
41
.30
––
0.9
3–
–1
.37
#o
fP
ro
ble
ms
75
57
67
57
6–
–1
––
2
Av
era
ge
tim
e0
.02
4.4
90
.80
3.9
04
.77
1.0
30
.91
0.1
9–
–0
.93
––
0.6
9
Ta
ble
9.
Cat
egor
yfu
n.
Col
umn
‘Tra
nsla
tion
’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
tran
slat
eth
epr
oble
min
toC
HC
.C
olum
ns3
and
4re
por
tth
eti
me
take
nby
Eld
aric
aan
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rth
etr
ansl
atio
n.C
olum
n‘P
redi
cate
Pai
ring
(PP
)’re
por
tsth
eti
me
take
nby
Ver
iMA
Pto
appl
yth
epr
edic
ate
pair
ing
stra
tegy
.C
olum
ns6,
7,an
d8
repo
rtth
eti
me
take
nby
Eld
aric
a,M
athS
AT
,an
dZ
3fo
rso
lvin
gth
epr
oble
ms
afte
rP
P.C
olum
n‘C
onst
rain
tP
ropa
gati
on(C
P)’
rep
orts
the
tim
eta
ken
byV
eriM
AP
toap
ply
the
cons
trai
ntpr
opag
atio
n.C
olum
n‘A
nsw
er’
rep
orts
the
answ
erpr
ovid
edby
Ver
iMA
Paf
ter
the
appl
icat
ion
ofC
P.
Col
umns
11,
12,
and
13re
port
the
tim
eta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
for
solv
ing
the
prob
lem
saf
ter
CP
.C
olum
ns14
,15
,an
d16
repo
rtth
eti
me
take
nby
appl
ying
CP
,pl
usth
eti
me
pos
sibl
yta
ken
byE
ldar
ica,
Mat
hSA
T,
and
Z3
resp
ecti
vely
,in
the
case
sw
here
the
pred
icat
epa
irin
gan
dth
eC
HC
solv
ers
wer
eun
able
tode
liver
anan
swer
.‘T
O’
mea
nsth
atth
eto
olw
asno
tab
leto
prov
eth
egi
ven
prop
erty
wit
hin
the
tim
eout
limit
of60
seco
nds.
‘N/A
’m
eans
not
appl
icab
leb
ecau
seal
read
ypr
oved
ina
prev
ious
phas
e.T
imes
are
inse
cond
s.
27
top related