Leonardo de Moura and Nikolaj Bjørner, Microsoft Research
Slides: leodemoura.github.io/files/fmcad09-slides.pdf
Pages 2-3
Verification/Analysis tools need some form of Symbolic Reasoning.
Many flavors:
SAT Solvers
SMT Solvers
First-order Theorem Provers
Computer Algebra Systems
Pages 4-5
Is formula F satisfiable modulo theory T?
Arithmetic,
Bit-vectors,
Arrays,
Inductive data-types,
….
Page 6
Example: 1 > 2
Satisfiable if the symbols 1, 2 and > are uninterpreted; a one-element model:
|M| = { • }
M(1) = M(2) = •
M(>) = { (•, •) }
Unsatisfiable modulo the theory of arithmetic.
Pages 7-10
b + 2 = c and f(select(store(a, b, 3), c - 2)) ≠ f(c - b + 1)
Array Theory: the subterm select(store(a, b, 3), c - 2).
Unsatisfiable: b + 2 = c gives c - 2 = b, so select(store(a, b, 3), c - 2) = 3 = c - b + 1, and f(3) ≠ f(3) cannot hold.
Page 11
Test case generation
Verifying Compilers
Predicate Abstraction
Invariant Generation
Type Checking
Model Based Testing
Page 12
VCC
Hyper-V
Terminator T-2
NModel
HAVOC
F7
SAGE
Vigilante
SpecExplorer
Prefix
Page 13
A theory T is a set of first-order sentences.
F is satisfiable modulo T iff T ∪ {F} is satisfiable.
Pages 14-16
∀a, i, v. select(store(a, i, v), i) = v
∀a, i, j, v. i ≠ j → select(store(a, i, v), j) = select(a, j)
We say store is a combinator.
Writing a[i] for select(a, i):
∀a, i, v. store(a, i, v)[i] = v
∀a, i, j, v. i ≠ j → store(a, i, v)[j] = a[j]
Page 17
It is used to model the memory in hardware/software verification/analysis tools.
Page 18
Extensionality: ∀a, b. (∀i. a[i] = b[i]) → a = b
Page 19
We have arrays from T1 to T2; T1 does not need to be the integers.
Page 20
a = store(b, 0, 5), b = store(c, 1, 10), c[0] = 2
M(a) = { 0 ↦ 5, 1 ↦ 10, else 0 }
M(b) = { 0 ↦ 2, 1 ↦ 10, else 0 }
M(c) = { 0 ↦ 2, else 0 }
Pages 21-23
1962 - McCarthy proposes the Basic Array Theory.
1968 - Kaplan solves the satisfiability problem.
1981 - Nelson proposes a simple procedure based on (lazy) instantiation (PhD thesis).
2001 - Stump, Barrett, Dill and Levitt propose a procedure for extensional arrays.
2005 - Lazy instantiation is used in Yices (it wins all array divisions in SMT-COMP from 2005 to 2007).
2005 - Kapur and Zarba propose the reduction approach (many array-like theories are described).
2006 - Bradley, Manna and Sipma propose a procedure for a rich decidable array fragment.
2008 - Goel, Krstic and Fuchs formalize the lazy instantiation approach.
2008 - Bofill, Nieuwenhuis, Oliveras, Rodriguez-Carbonell and Rubio propose the store-reduction approach.
“Model-Based” approaches:
2007 - Ganesh and Dill, “A decision procedure for bit-vectors and arrays”, CAV’07
2008 - Brummayer and Biere, “Lemmas on demand for the extensional theory of arrays”, SMT’08
“Rewrite-Based” approaches:
2002 - Lynch and Morawska, “Automatic Decidability”, LICS
2005 - Armando, Bonacina, Ranise and Schulz propose the rewrite-based approach.
Arrays in hardware verification:
1994 - Burch and Dill, “Automatic Verification of Pipelined Microprocessor Control”, CAV
2006 - Manolios, Srinivasan, Vroon, “Automatic Memory Reductions for RTL Model Verification”, ICCAD
More relevant work can be found in our paper…
Page 24
Recipe: Given a formula F
1) Collect all array terms in F
2) Collect all indices in F
3) Instantiate the array axioms using 1 and 2: F’ = F ∧ Instances
4) Execute the EUF solver on F’
The array theory is a local theory extension.
Pages 25-27
a = store(b, i, v), a[j] ≠ v, c[k] = v, i = j
array terms: a, b, store(b, i, v), c
indices: i, j, k
Instances:
store(a, i, v)[i] = v, store(a, j, v)[j] = v, …
i ≠ j → store(a, i, v)[j] = a[j], …
Problem: many useless instances!
Lazy instantiation: select a small subset of instances (more later).
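The recipe carried out on the formula of page 25, as an added example that is not the authors' code and not Z3: a small congruence-closure core stands in for the EUF solver, the axioms are instantiated only for the store terms and indices that occur in F (the subset lazy instantiation selects), and each guarded instance i ≠ j → … is case-split. The names `EUF`, `instantiate` and `satisfiable` are assumed.

```python
import copy
# Terms: a str is a constant, a tuple (f, arg1, ..., argn) an application;
# a[i] is ('select', a, i) and store(a, i, v) is ('store', a, i, v).
def subterms(t, acc):
    acc.add(t)
    if isinstance(t, tuple):
        for s in t[1:]:
            subterms(s, acc)

class EUF:  # union-find over terms, closed under congruence, plus asserted disequalities
    def __init__(self, terms):
        self.parent, self.diseq = {t: t for t in terms}, []
    def find(self, t):
        while self.parent[t] != t:
            t = self.parent[t]
        return t
    def consistent(self):
        return not any(self.find(s) == self.find(t) for s, t in self.diseq)
    def merge(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt
            self.close()
    def close(self):
        # Congruence: f(s1..sn) ~ f(t1..tn) whenever every si ~ ti (iterate to a fixpoint).
        changed = True
        while changed:
            changed, sig = False, {}
            for t in self.parent:
                if isinstance(t, tuple):
                    key, r = (t[0],) + tuple(self.find(x) for x in t[1:]), self.find(t)
                    if key in sig and self.find(sig[key]) != r:
                        self.parent[r], changed = self.find(sig[key]), True
                    sig.setdefault(key, t)

def instantiate(terms):
    # Recipe steps 1-3: store terms and indices of F, then the two axiom instances.
    stores = [t for t in terms if isinstance(t, tuple) and t[0] == 'store']
    indices = {t[2] for t in terms if isinstance(t, tuple) and t[0] in ('select', 'store')}
    uncond, cond = [], []
    for s in stores:
        _, a, i, v = s
        uncond.append((('select', s, i), v))                    # store(a,i,v)[i] = v
        for j in indices:                                        # i != j -> store(a,i,v)[j] = a[j]
            cond.append((i, j, (('select', s, j), ('select', a, j))))
    return uncond, cond

def satisfiable(eqs, diseqs):
    """Recipe step 4: EUF on F' = F and instances, case-splitting the guarded instances."""
    terms = set()
    for s, t in eqs + diseqs:
        subterms(s, terms); subterms(t, terms)
    uncond, cond = instantiate(set(terms))
    for s, t in uncond + [c for _, _, c in cond]:
        subterms(s, terms); subterms(t, terms)
    euf = EUF(terms)
    euf.diseq = list(diseqs)
    for s, t in eqs + uncond:
        euf.merge(s, t)
    def search(e, pending):
        if not e.consistent():
            return False
        for n, (i, j, (lhs, rhs)) in enumerate(pending):
            if e.find(i) == e.find(j):
                continue                                  # guard false: instance is vacuous
            yes = copy.deepcopy(e); yes.merge(i, j)       # branch i = j
            if search(yes, pending[n + 1:]):
                return True
            no = copy.deepcopy(e); no.diseq.append((i, j)); no.merge(lhs, rhs)   # branch i != j
            return search(no, pending[n + 1:])
        return True
    return search(euf, cond)
# Constructed input, the formula of page 25: a = store(b,i,v), a[j] != v, c[k] = v, i = j
F_EQS = [('a', ('store', 'b', 'i', 'v')), (('select', 'c', 'k'), 'v'), ('i', 'j')]
F_DISEQS = [(('select', 'a', 'j'), 'v')]
```

Dropping the conjunct i = j makes the formula satisfiable, and the page-47 formula store(a, i, v1) = store(b, i, v2), i ≠ k, a[k] ≠ b[k] is refuted by the same search.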
Page 28
A generalization of the Array theory
CAL: Combinatory Array Logic
New filters for minimizing the number of instances
A simple architecture for non-stably infinite theories
We want arrays of bit-vectors.
Pages 29-31
∀v, i. K(v)[i] = v
∀a1, …, an, i. map_f(a1, …, an)[i] = f(a1[i], …, an[i])
Suggested by Stump, Barrett, Dill and Levitt. Their procedure works for infinite-domain satisfiability.
map_f is a “family” of combinators: we can instantiate it with any f.
Page 32
map_f( [… v1 v2 v3 v4 v5 …], [… w1 w2 w3 w4 w5 …] ) = [… f(v1,w1) f(v2,w2) f(v3,w3) f(v4,w4) f(v5,w5) …]
Pages 33-34
Set of T as an array from T to Boolean:
∅ := K(false)
{a} := store(∅, a, true)
a ∈ S := S[a]
S1 ∪ S2 := map_∨(S1, S2)
S1 ∩ S2 := map_∧(S1, S2)
But not cardinality |S|, power-set, …
Page 35
Bag of T as an array from T to Integer:
∅ := K(0)
{a} := store(∅, a, 1)
mult(a, B) := B[a]
B1 ⊎ B2 := map_+(B1, B2)
B1 ∩ B2 := map_min(B1, B2)
Page 36
map_ite( [… T F T T F …], [… v1 v2 v3 v4 v5 …], [… w1 w2 w3 w4 w5 …] ) = [… v1 w2 v3 v4 w5 …]
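A finite-model reading of the CAL combinators on pages 29-36 and of the set and bag encodings, as an added example that is not the paper's code: every array value is a default plus finitely many exceptions, exactly the shape of the model on page 20, and K, store, map_f and map_ite are evaluated on that representation. The class and function names are assumed.

```python
class Arr:
    """Finite model of an array: a default value plus finitely many exceptions,
    written { i1 -> v1, ..., else d } as on page 20."""
    def __init__(self, default, entries=None):
        self.default = default
        # an entry equal to the default is not an exception: keep a normal form
        self.entries = {i: v for i, v in (entries or {}).items() if v != default}
    def __eq__(self, other):            # extensionality: equal iff equal at every index
        return (self.default, self.entries) == (other.default, other.entries)
    def __repr__(self):
        body = ", ".join(f"{i} -> {v}" for i, v in sorted(self.entries.items()))
        return "{ " + (body + ", " if body else "") + f"else {self.default} }}"

def K(v):                       # constant array: K(v)[i] = v
    return Arr(v)

def select(a, i):               # a[i]
    return a.entries.get(i, a.default)

def store(a, i, v):             # store(a, i, v)[i] = v, every other index as in a
    e = dict(a.entries); e[i] = v
    return Arr(a.default, e)

def map_f(f, *arrs):            # map_f(a1, ..., an)[i] = f(a1[i], ..., an[i])
    idx = set().union(*(a.entries for a in arrs))
    return Arr(f(*(a.default for a in arrs)),
               {i: f(*(select(a, i) for a in arrs)) for i in idx})

def map_ite(c, v, w):           # map_ite(c, v, w)[i] = v[i] if c[i] else w[i]
    return map_f(lambda b, x, y: x if b else y, c, v, w)

# Sets of T as arrays T -> Bool (pages 33-34)
EMPTY_SET = K(False)
def singleton(a): return store(EMPTY_SET, a, True)
def member(a, S): return select(S, a)
def union(S1, S2): return map_f(lambda p, q: p or q, S1, S2)
def inter(S1, S2): return map_f(lambda p, q: p and q, S1, S2)

# Bags (multisets) of T as arrays T -> Int (page 35)
EMPTY_BAG = K(0)
def bag_of(a): return store(EMPTY_BAG, a, 1)
def mult(a, B): return select(B, a)
def bag_sum(B1, B2): return map_f(lambda x, y: x + y, B1, B2)
def bag_min(B1, B2): return map_f(min, B1, B2)

def page20_model():
    """The model on page 20: c[0] = 2, b = store(c, 1, 10), a = store(b, 0, 5)."""
    c = store(K(0), 0, 2)
    b = store(c, 1, 10)
    a = store(b, 0, 5)
    return a, b, c
```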
Pages 37-38
Support for equality and uninterpreted functions (EUF)
Set of strongly disjoint theories (more later)
Clauses and literals
Boolean terms
Notation:
a ≡ t – a is a name for the term t
a : σ – a has sort σ
a ~ b – a and b are equal in the current context
a : (σ ⇒ τ) – a is an array from σ to τ
Pages 39-40
Extensionality is applied to every pair of array constants.
Upwards propagation distributes an index over all modifications of the same array.
Delay the application of the extensionality and upwards-propagation rules.
Only works for unsatisfiable instances.
Page 41
Ignore “congruent” axiom instances
Page 42
Extensionality is applied to every pair of array constants.
Restrict to constants asserted to be different or foreign. We say a is foreign if there is b such that a ~ b and b is the argument of an uninterpreted function symbol.
Page 43
Example: a = store(b, i, v), b[i] = v, f(a) ≠ f(b)
Here a and b are foreign (both are arguments of f), so extensionality is instantiated for the pair (a, b); since b[i] = v, the two arrays agree at every index, a = b follows, and f(a) ≠ f(b) is refuted.
Pages 44-45
We do not need to add the extensionality axiom for (a, b) if they are already known to be disequal.
Typo in the paper! Should be b1.
Page 46
Scenario from software verification:
A bunch of facts about the initial state of the heap: a0[i0] = v0, a0[i1] = v1, a0[i2] = v2, …
Perform a series of updates: a1 = store(a0, j1, w1), a2 = store(a1, j2, w2), …
Check some property on the final heap: an[k] ≠ v
Page 47
store(a, i, v1) = store(b, i, v2), i ≠ k, a[k] ≠ b[k]
Page 51
Potentially unsound if F only has models M in which the interpretation of a sort is finite.
Page 52
We also have a restricted version of map using linear stratification (see the paper for details).
Default-value extension (new theory symbol ), and alternative for and
Page 53
Efficient core: strongly disjoint theories + uninterpreted functions.
Strongly disjoint theories are sort disjoint.
Examples: Arithmetic, Bit-vectors and Booleans.
All other theories are reduced to this core.
Not covered today: inductive datatypes.
Pages 54-55
Arrays are useful in practice.
They are used in many verification tools at Microsoft.
CAL is a useful extension of the array theory.
Simple combination architecture.
Efficient and easy to implement.
Thank You!