Reasoning with Finite Sets and Cardinality Constraints in SMT
Kshitij Bansal, Clark Barrett, Andrew Reynolds, Cesare Tinelli

TL;DR
This paper introduces a novel, efficient calculus for deciding satisfiability in the theory of finite sets with cardinality constraints, enhancing SMT solver capabilities for reasoning about set properties.
Contribution
It presents a new incremental approach using a graph to track overlapping set regions, improving scalability and efficiency over previous methods.
Findings
The new technique is competitive with existing methods.
It scales better on certain problem classes.
The calculus is suitable for implementation in SMT solvers.
Abstract
We consider the problem of deciding the satisfiability of quantifier-free formulas in the theory of finite sets with cardinality constraints. Sets are a common high-level data structure used in programming; thus, such a theory is useful for modeling program constructs directly. More importantly, sets are a basic construct of mathematics and thus natural to use when formalizing the properties of computational systems. We develop a calculus describing a modular combination of a procedure for reasoning about membership constraints with a procedure for reasoning about cardinality constraints. Cardinality reasoning involves tracking how different sets overlap. For efficiency, we avoid considering Venn regions directly, as done in previous work. Instead, we develop a novel technique wherein potentially overlapping regions are considered incrementally as needed, using a graph to track the…
| file | output | time (s.) | # vertices | # leaves |
|---|---|---|---|---|
| cade07-vc1.smt2 | unsat | 0.00 | 3 | 3 |
| cade07-vc2a.smt2 | unsat | 0.00 | 6 | 3 |
| cade07-vc2b.smt2 | sat | 0.01 | 15 | 5 |
| cade07-vc2.smt2 | unsat | 0.01 | 6 | 3 |
| cade07-vc3a.smt2 | unsat | 0.00 | 6 | 0 |
| cade07-vc3b.smt2 | sat | 0.02 | 15 | 6 |
| cade07-vc3.smt2 | unsat | 0.01 | 6 | 0 |
| cade07-vc4b.smt2 | sat | 0.16 | 44 | 12 |
| cade07-vc4.smt2 | unsat | 0.17 | 51 | 16 |
| cade07-vc5b.smt2 | sat | 0.39 | 63 | 21 |
| cade07-vc5.smt2 | unsat | 0.38 | 77 | 25 |
| cade07-vc6a.smt2 | unsat | 0.02 | 32 | 12 |
| cade07-vc6b.smt2 | sat | 0.04 | 32 | 12 |
| cade07-vc6c.smt2 | sat | 0.06 | 32 | 12 |
| cade07-vc6.smt2 | unsat | 0.32 | 36 | 16 |
| cvc4-card.scala-10.smt2 | 2 sat/2 unsat | 0.10 | 48 | 19 |
| cvc4-card.scala-12.smt2 | 1 sat/3 unsat | 0.03 | 0 | 0 |
| cvc4-card.scala-14.smt2 | 2 sat/2 unsat | 0.09 | 25 | 11 |
| cvc4-card.scala-15.smt2 | 1 sat/3 unsat | 0.01 | 0 | 0 |
| cvc4-card.scala-16.smt2 | 2 sat/4 unsat | 0.26 | 39 | 18 |
| cvc4-card.scala-17.smt2 | 1 sat/3 unsat | 0.02 | 19 | 8 |
| cvc4-card.scala-18.smt2 | 2 sat/2 unsat | 0.10 | 39 | 20 |
| cvc4-card.scala-21.smt2 | 2 sat/2 unsat | 1.69 | 134 | 35 |
| cvc4-card.scala-6.smt2 | 1 sat/4 unsat | 0.02 | 8 | 5 |
| cvc4-card.scala-8.smt2 | 1 sat/3 unsat | 0.06 | 21 | 12 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\lmcsheading
1–LABEL:LastPageFeb. 22, 2017Nov. 01, 2018
\excludeversionfinal
{final}
\titlecomment
This article extends [BRBT16] with additional calculus rules and a full proof of correctness.
Reasoning with finite sets and
cardinality constraints in SMT
Kshitij Bansal\rsupera
\lsuperaGoogle, Inc.
,
Clark Barrett\rsuperb
\lsuperbDepartment of Computer Science, Stanford University
,
Andrew Reynolds\rsuperc
\lsupercDepartment of Computer Science, The University of Iowa
and
Cesare Tinelli\rsuperc
Abstract.
We consider the problem of deciding the satisfiability of quantifier-free formulas in the theory of finite sets with cardinality constraints. Sets are a common high-level data structure used in programming; thus, such a theory is useful for modeling program constructs directly. More importantly, sets are a basic construct of mathematics and thus natural to use when formalizing the properties of computational systems. We develop a calculus describing a modular combination of a procedure for reasoning about membership constraints with a procedure for reasoning about cardinality constraints. Cardinality reasoning involves tracking how different sets overlap. For efficiency, we avoid considering Venn regions directly, as done in previous work. Instead, we develop a novel technique wherein potentially overlapping regions are considered incrementally as needed, using a graph to track the interaction among the different regions. The calculus has been designed to facilitate its implementation within SMT solvers based on the DPLL() architecture. Our experimental results demonstrate that the new techniques are competitive with previous techniques and can scale much better on certain classes of problems.
Key words and phrases:
Satisfiability modulo theories, Finite sets, Decision procedures
1991 Mathematics Subject Classification:
Theory of computation: Automated reasoning
This work was partially supported by NSF grants 1228765, 1228768, and 1320583. The first author was at New York University when this work was completed.
1. Introduction
Satisfiability modulo theories (SMT) solvers are at the heart of many formal methods tools. One of the reasons for their popularity is that fast, dedicated decision procedures for fragments of first-order logic that SMT solvers implement are extremely useful for reasoning about constructs common in hardware and software verification. In particular, they provide a good balance between speed and expressiveness. Common fragments include theories such as bitvectors, arithmetic, and arrays, which are useful for modeling basic constructs as well as for performing general reasoning.
As the use of SMT solvers has spread, there has been a corresponding demand for SMT solvers to support additional useful theories. Although it is possible to encode finitely axiomatizable theories using quantifiers, the performance and robustness gap between a custom decision procedure and an encoding using quantifiers can be quite significant.
In this paper, we present a new decision procedure for a fragment of finite set theory. Our main motivation is that sets are a common abstraction used in programming. As with other general-purpose SMT theories such as the theories of arrays and bitvectors, the theory of finite sets is useful for modeling a variety of program constructs. Sets are also used directly in high-level programming languages such as SETL [SDSD86] and in specification languages such as Alloy [Jac12], B [AA05] and Z [ASM80]. More generally, sets are a basic construct in mathematics and come up quite naturally when trying to express properties of systems.
While the full language of set theory is undecidable, many interesting fragments are known to be decidable. We present a calculus for the theory of finite sets which can handle basic set operations, such as membership, union, intersection, and difference, and which can also reason efficiently about set cardinalities and linear constraints involving them. The calculus is explicitly designed for easy integration into the DPLL() framework [NOT06]. We briefly describe our implementation in the DPLL()-based SMT solver cvc4 and an initial experimental evaluation of this implementation.
1.1. Related work
In the SMT community, the desire to support a theory of finite sets with cardinality goes at least as far back as a proposal by Kröning et al. [KRW09]. That article focuses on formalizing the semantics and representation of the theory within the context of the SMT-LIB standard, rather than on a decision procedure for deciding it.
There is a stream of research on exploring decidable fragments of set theory (often referred to in the literature as syllogistics) [COP01]. One such subfragment is MLSS, more precisely, the ground set-theoretic fragment with basic Boolean set operators (union, intersection, set difference), singleton operator and membership predicate. A tableau-based procedure for this fragment was introduced by Cantone and Zarba [CZ98]. The part of our calculus covering this fragment builds on their work. De Moura and Bjørner presented an extension of the theory of arrays [DMB09] that can be used to encode the MLSS fragment. However, this approach cannot be used to encode cardinality constraints.
In this paper, we consider an extension of the MLSS fragment with set cardinality operations, whose decidability was established by Zarba [Zar02, Zar05]. The decision procedure described by Zarba involves making an upfront guess that is exponential in the number of set variables, making it non-incremental and highly impractical. That said, the focus of that work is on establishing decidability and not on providing an efficient procedure.
Another closely related logical fragment is the Boolean Algebra and Presburger Arithmetic (BAPA) fragment, for which several algorithms have been proposed [KNR06, KR07, SSK11]. Though BAPA does not have the membership predicate or the singleton operator in its language, Suter et al. [SSK11, Section 4] show how one can generalize their algorithm for such reasoning. Intuitively, singleton sets can be simulated by imposing a cardinality constraint . Similarly, membership constraints of the form x\mathrel{\ooalign{\sqsubset\cr{-}}}S can be encoded as by introducing a singleton subset . This reduction can lead to significant inefficiencies, however. Consider the following simple example: x\mathrel{\ooalign{\sqsubset\cr{-}}}S_{1}\sqcup\left(S_{2}\sqcup\left(\ldots\sqcup\left(S_{99}\sqcup S_{100}\right)\right)\right). In our calculus, a straightforward repeated application of one of the rules for set unions can determine the satisfiability of this constraint. In contrast, in a reduction to BAPA, membership reasoning is reduced to reasoning about cardinalities of different sets. For example, the algorithm in [SSK11] will reduce the problem to an arithmetic problem involving variables for Venn regions derived from , , , , and the singleton set introduced for .
The broader point is that reasoning about the cardinalities of Venn regions is the main bottleneck for this fragment. As we show in our calculus, it is possible to avoid using Venn regions for membership predicates by instead reasoning about them directly. For explicit cardinality constraints, our calculus minimizes the number of Venn regions that need to be considered by reasoning about only a limited number of relevant regions introduced lazily.
A procedure for cardinality constraints over multisets is considered in [PK08]. A recent procedure for reasoning about sets and measure functions is given by Bender et al [BS17], which also relies on a reduction from set reasoning to arithmetic reasoning. Reasoning about sets with cardinality constraints in the context of invariant checking for bounded model checking is considered by Alberti et al. [AGP16], and in the context of invariant synthesis by von Gleissenthall et el. [vGBR16]. These works too rely on reductions to arithmetic and do not involve the use of dedicated decision procedures for sets in SMT solvers. Other procedures for reasoning about sets include a unification-based approach by Cristiá et al. [CR16].
The theory we consider in this paper can be seen as the combination of Presburger arithmetic with the theory of finite sets, with the cardinality operator acting as a bridging function between the two theories. Decision procedures for non-disjoint combinations of theories with bridging functions have been studied by Sofronie-Stokkermans [SS09] and Chocron et al. [CFR15]. Their main contribution is the identification of restrictions on the theories and the development of combination methods that allow one to construct a decision procedure for the combined theory as a modular combination of the decision procedures for the component theories. That work is mostly limited to cases of bridging functions from the theory of algebraic datatypes to other theories, where the bridging function is definable by recursion over constructor terms. It does not apply to our setting because neither our source theory nor the bridging function match those requirements. Our approach is similar though in that it tries to separate as much as possible the reasoning about sets proper from the reasoning about their cardinality, so as to leverage off-the-shelf linear integer arithmetic solvers in order to reason about cardinalities.
1.2. Formal Preliminaries
We work in the context of many-sorted first-order logic with equality. We assume the reader is familiar with the following notions: signature, term, literal, formula, free variable, interpretation, and satisfiability of a formula in an interpretation (see, e.g., [BSST09] for more details). Let be a many-sorted signature. We use as the (infix) logical symbol for equality for all sorts in and always interpret it as the identity relation. If is a term or a formula, we denote by the set of ’s free variables, extending the notation to tuples and sets of terms or formulas as expected.
If is a -formula and a -interpretation, we write if satisfies . If is a term, we denote by the value of in . A theory is a pair , where is a signature and is a class of -interpretations that is closed under variable reassignment (i.e., every -interpretation that differs from one in only in how it interprets the variables is also in ). We refer to as the models of . A -formula is satisfiable (resp., unsatisfiable) in if it is satisfied by some (resp., no) interpretation in . A set of -formulas entails in a -formula , written , if every interpretation in that satisfies all formulas in satisfies as well. We write as an abbreviation for . We write to denote that entails in the class of all -interpretations. The set is satisfiable in if where is the universally false atom. Two -formulas are equisatisfiable in if for every model of that satisfies one, there is a model of that satisfies the other and differs from at most over the free variables not shared by the two formulas. When convenient, we will tacitly treat a finite set of formulas as the conjunction of its elements and vice versa.
2. A Theory of Finite Sets with Cardinality
We are interested in a typed theory of finite sets with cardinality. In a more general logical setting, this theory would be equipped with a parametric set type, with a type parameter for the set’s elements, and a corresponding collection of polymorphic set operations.111In fact, this is the setting supported in our implementation in cvc4. For simplicity here, we will describe instead a many-sorted theory of sets of sort whose elements are all of sort . The theory can be combined with any other theory in a standard way, i.e., Nelson-Oppen-style, by identifying the sort with a sort in but with the restriction that the sort must be interpreted in as an infinite set.222An extension that allows the sort to be interpreted as finite by relying on polite combination [JB10] is left to future work. Note that the many-sorted setting limits us to sets of elements of the same type (so sets such as are not representable). Also, we limit our language to consider only flat sets (i.e., no sets of sets of integers, say) although this restriction can be lifted by combining with (copies of) itself using Nelson-Oppen combination. More generally, an input having set constraints over multiple element types can be handled by invoking copies of our procedure for these sorts and combining them in the standard way. The theory has also a sort for terms denoting set cardinalities. Since we consider only finite sets, all cardinalities will be natural numbers.
Atomic formulas in are built over a signature with these three sorts, and an infinite set of variables for each sort. Modulo isomorphism, is the theory of a single many-sorted structure, and its models differ in essence only on how they interpret the variables. Each model of interprets as some countably infinite set , as the set of finite subsets of , and as . The signature of has the following predicate and function symbols, summarized in Figure LABEL:fig:symbols: the usual symbols of linear integer arithmetic, the usual set composition operators, an empty set () and a singleton set () constructor,333We will use , , and also to denote sets at the meta level. The difference between their two uses should be clear from context.
and a cardinality operator (), all interpreted as expected. The signature includes also symbols for the cardinality comparison (), subset () and membership (\mathrel{\ooalign{\sqsubset\cr{-}}}) predicates.
We call set term any term of sort , and cardinality term any term of sort with no occurrences of . A set constraint is an atomic formula of the form , , e\mathrel{\ooalign{\sqsubset\cr{-}}}s or their negation, with and set terms or of the form , and a term of sort . A cardinality constraint is a [dis]equality or an inequality or where and are cardinality terms. An element constraint is a [dis]equality where and are variables of sort . A -constraint is a set, cardinality or element constraint. We write and e\not\mathrel{\ooalign{\sqsubset\cr{-}}}t respectively as an abbreviation of and \lnot e\mathrel{\ooalign{\sqsubset\cr{-}}}t.
We use , for variables of sort ; , , for variables of sort ; , , , for terms of sort ; and with subscripts for variables of sort . Given , a set of constraints, (respectively, ) denotes the set of variables (respectively, terms) in . For notational convenience, we fix an injective mapping from terms of sort to variables of sort that allows us to associate to each set term a unique cardinality variable .
We are interested in checking the satisfiability in of conjunctions of -constraints. While this problem is decidable, it has high worst-case time complexity [Zar02]. So our efforts are in the direction of producing a solver for -constraints that is efficient in practice, in addition to being correct and terminating. Our solver relies on the modular combination of a solver for set constraints and an off-the-shelf solver for linear integer arithmetic, which handles arithmetic reasoning over set cardinalities.
3. A Calculus for the Theory
In this section, we describe a tableaux-style calculus capturing the essence of our combined solver for . As we describe in the next section, that calculus admits a proof procedure that decides the satisfiability of -constraints.
Restriction \thethm.
For simplicity, we consider as input to the calculus only finite sets of constraints whose set constraints are in flat form. The latter are (well-sorted) set constraints of the form , , , , , , , x\mathrel{\ooalign{\sqsubset\cr{-}}}S, x\not\mathrel{\ooalign{\sqsubset\cr{-}}}S, or , where , , , , and are variables of the expected sort. We also assume that any set variable of appears in at most one union, intersection or set difference term. Thanks to common equisatisfiability-preserving transformations all of these assumptions can be made without loss of generality [COP01, Chapter 10]. These transformations include intermediate steps that replace constraints of the form with . They also include steps that replace each occurrence of the same term in union, intersection or set difference terms by a fresh variable while adding the equality constraint .
The calculus is described as a set of derivation rules which modify a state data structure. A state is either the special state or a tuple of the form , where
- •
is a set of set constraints,
- •
is a set of element constraints,
- •
is a set of cardinality constraints, and
- •
is a directed graph over set terms with nodes and edges .
Initial states have the form where is the empty graph and is a partition of a given set of constraints satisfying Restriction 3.
Since cardinality constraints can be processed by a standard arithmetic solver, and element constraints by a simple equality solver,444 Recall that has no terms of sort besides variables.
we present and discuss only rules that deal with set constraints.
The derivation rules are provided in Figures 2 through 9 in guarded assignment form. In such form, the premises of a rule refer to the current state and the conclusion describes how each state component is changed, if at all, by the rule’s application. A derivation rule applies to a state if all the conditions in the rule’s premises hold for and the resulting state is different from . In the rules, we write as an abbreviation for . Rules with two or more conclusions separated by the symbol are non-deterministic branching rules.
The rules are such that it is possible to generate a closed tableau (or derivation tree) from an initial state , where , , and satisfy Restriction 3 and is an empty graph, if and only if is unsatisfiable in . Broadly speaking, the derivation rules can be divided into three categories. First are those that reason about membership constraints (of form x\mathrel{\ooalign{\sqsubset\cr{-}}}S). These rules only update the components and of the current state, although their premises may depend on other parts of the state, in particular, the nodes of the graph . Second are rules that handle constraints of the form . The graph incrementally built by the calculus is central to satisfying these constraints. Third are rules for propagating element and cardinality constraints, respectively to and .
3.1. Set reasoning rules
Figures 2 and 3 focus on sets without cardinality. They are based on the MLSS decision procedure by Cantone and Zarba [CZ98], though with some key differences. First, the rules operate over a set of terms with sort which may be larger than just the terms in . This generalization is required because of additional terms that may be introduced when reasoning about cardinalities. Second, the reasoning is done modulo equality. A final, technical difference is that we work with sets of ur-elements rather than untyped sets.
These rules rely on the following additional notation. For any set of constraints, let refer to terms of sort in , with denoting all terms in . We define the binary relation to be the reflexive, symmetric, and transitive closure of the relation on terms induced by the equality constraints in . Now, we define the following closures on the components and of a state :
[TABLE]
where , , , in , and , in . Next, we define a left-associative binary operator that takes as input a set of constraints and a single constraint . Intuitively, adds to only if is not in ’s closure. More precisely,
[TABLE]
The set of relevant terms, denoted by , for a state consists of all terms from and , namely: .
Figure 2 shows the rules for reasoning about membership in unions, intersections, and differences. Each rule covers one case in which a new membership (or non-membership) constraint can be deduced. The justification for these rules is straightforward based on the semantics of the set operations. The restriction in the premise of some of the rules cover all the various cases where , say, is the same as , different from , the same as , and the same as . Figure 3 shows rules for singletons, disequalities, and contradictions. Note in particular that the Set Disequality rule introduces a fresh variable , denoting an element that is in one set but not in the other.
{exa}
Let
[TABLE]
Using the rules in Figure 2, we can directly deduce the additional constraints: x\not\mathrel{\ooalign{\sqsubset\cr{-}}}C\sqcap{D} (by Inter Up II), x\not\mathrel{\ooalign{\sqsubset\cr{-}}}A, x\not\mathrel{\ooalign{\sqsubset\cr{-}}}B, y\not\mathrel{\ooalign{\sqsubset\cr{-}}}A, y\not\mathrel{\ooalign{\sqsubset\cr{-}}}B (by Union Down I), and y\not\mathrel{\ooalign{\sqsubset\cr{-}}}C (by Inter Down II). This gives a complete picture, modulo equality, of exactly which sets contain and . ∎
3.2. Cardinality of sets
The next set of rules, described in Figure 6 and Figure 7, operate on the graph component of the current state. Their purpose is to modify the graph so as to capture the mutual dependencies between set and cardinality constraints. They are based on the observation that the cardinality of two sets, and that of their union, intersection and set difference are interrelated; and if two set terms are asserted to be equal, their cardinalities must match.
Figure 5 shows the Venn regions for two sets, and . The fact that , and are disjoint imposes the following relationships between their cardinalities and those of , and :
[TABLE]
We can represent these same relationships using the graph in Figure 5. The nodes of the graph are set terms, and each node has the property of being the disjoint union of its children in the graph. Our calculus incrementally constructs a similar graph containing all nodes whose cardinality is implicitly or explicitly constrained by the current state. Set terms with implicit cardinality constraints include union, intersection, and set difference terms appearing in , for which one of the operands is already in the graph; and terms occurring in an equality whose other member is already in the graph. A careful analysis555See completeness proof in [Ban16, Chapter 2] for further details. reveals that we can actually avoid adding intersection terms unless both and are already in the graph, and set difference terms unless is already in the graph.
The rules in Figure 6 make use of a function which takes a graph and a term and returns the graph defined as follows:
- (1)
For or or :
- (2)
For or :
- , ,
- (3)
For and and as above:
Recall that, by assumption, each set variable participates in at most one union, intersection, or set difference in the input set of constraints. It is not difficult to see that this property is preserved by every rule. This ensures that edges from a set variable node are added to the graph only once, maintaining the invariant that its children in the graph are disjoint. The only other rule which adds edges to the graph is the Merge Equality IIrule, but it only adds nodes from the leaves of the graph, creating a new set of disjoint leaves.
Terms with explicit constraints on their cardinality are added to the graph by rule Introduce Card. Terms that have implicit constraints on their cardinality, specifically, singletons and the empty set, are added by rules Introduce Singleton and Introduce Empty Set.
If two nodes and in the graph are explicitly asserted to be equal (that is, or ), we can ensure they have the same cardinality by systematically modifying the graph as follows. Let denote the set of leaf nodes for the subtree rooted at node which are not known to be empty. Formally,
[TABLE]
where and denotes the children of . We call two nodes and merged if they have the same set of nonempty leaves, that is if .
The rules in Figure 7 ensure that for all equalities over set terms, the corresponding nodes in the graph are merged. Consider an equality . Rule Merge Equality I handles the case when either or is a proper subset of the other by constraining the extra leaves in the superset to be empty. Rule Merge Equality II handles the remaining case where neither is a subset of the other. The graph is defined as follows, where and :
[TABLE]
Merge Equality II introduces a quadratic number of leaves (). To reduce the impact of merge operations, a useful rule to apply early on is the (optional) Guess Empty Set rule in Figure 8. It guesses if a leaf node is equal to the empty set or not. The use of this rule is illustrated in Example 3.3. Here and in Figure 9, .
In Figure 8 we denote by the collection of all of the following cardinality constraints imposed by graph :
- (1)
For each set term , its cardinality (denoted by its corresponding cardinality variable ) is the sum of the cardinalities of its non-empty leaf nodes:
[TABLE] 2. (2)
Each cardinality is non-negative:
[TABLE] 3. (3)
Every singleton set has cardinality :
[TABLE] 4. (4)
The empty set has cardinality [math]:
[TABLE]
Rule Arithmetic contradiction relies on the arithmetic solver to check whether the constraints in are inconsistent with the input cardinality constraints.
3.3. Cardinality and membership interaction
The rules in Figure 9 propagate consequences of set membership constraints to the state components and . Let denote the set of equalities in , and let denote the equivalence class of with respect to . In the rules, for term of sort , denotes the set \left\{\left[x\right]_{\mathcal{E}}\ \middle|\ x\mathrel{\ooalign{\sqsubset\cr{-}}}t\in\mathcal{S}^{*}\right\} of equivalence classes of elements known to be in . The notation means that for some concrete constant .
Rule Members Arrangement is used to decide which element variables constrained to be in the same set should be identified and which should not. Once applied to completion, Rule Propagate Minsize can then be used to determine a lower bound for the cardinality of that set. The (optional) rule Guess Lower Bound can be used to short-circuit this process by guessing a conservative lower bound based on the number of distinct equivalence classes of elements known to be members of a set. If this does not lead to a contradiction, a model can be found without resorting to an extensive use of Members Arrangement.
{exa}
Consider again the constraints from Example 3.1, but now augmented with cardinality constraints:
[TABLE]
Using the rules in Figure 6, the following nodes get added to the graph: , , (by Introduce Card), , (by Introduce Eq Right). Node is added with children , , and ; and by adding , we also get and , with the corresponding edges from and . Now, using two applications of Merge Equality II, we force the sets , and to have the same set of 3 leaves, labeled , , and . Let us call the latter nodes respectively , , and , for convenience. Let us also designate and . Notice that the induced cardinality constraints now include , , and . With the addition of and to the graph, these are also added to . We can then deduce x\mathrel{\ooalign{\sqsubset\cr{-}}}C\setminus D and y\mathrel{\ooalign{\sqsubset\cr{-}}}D\setminus C using the rules for set difference. Finally, we can use Propagate Minsize to deduce and . It is now not hard to see that using pure arithmetic reasoning, we can deduce that which leads to using Arithmetic contradiction. ∎
4. Calculus Correctness
Our calculus is terminating and sound for any derivation strategy, that is, regardless of how the rules are applied. It is also refutation complete for any fair strategy, defined as a strategy that does not delay indefinitely the application of an applicable derivation rule.
To prove these properties it is convenient to partition the derivation rules of the calculus in the following subsets.
- , membership predicate reasoning rules, from Figures 2 and 3.
- , graph rules to reason about cardinality, from Figures 6, 7 and 8.
- , rules from Figure 9 other than Rule Guess Lower Bound.
- , rule Guess Lower Bound.
The rules are used to construct derivation trees. A derivation tree is a tree over states, with a root of the form where satisfies Restriction 3 and the children of each non-root node are obtained by applying one of the derivation rules of the calculus to that node. Let be a subset of the derivation rules of the calculus. A state is saturated with respect to if no rules in apply to it. A branch of a derivation tree is closed if it ends with ; it is saturated with respect to if so is its leaf. A derivation tree is closed if all of its branches are closed. A derivation tree derives from a derivation tree if it is obtained from by the application of exactly one of the derivation rules to one of ’s leaves.
{defi}
[Derivations]*Let be a set of -constraints. A derivation (of ) is a sequence of derivation trees, with finite or countably infinite, such that derives from for all , and is a one-node tree whose root is a state where . A refutation (of ) is a (finite) derivation of that ends with a closed tree. *
Remark 1*.*
In the proofs below we implicitly rely on the fact that, for every state in a derivation tree, the constraints in satisfy Restriction 3. This is the case because the restriction is imposed on root states and is preserved by all of its rules, as one can easily verify.
4.1. Termination
Proposition 2* (Termination).*
Let collect all rules in our calculus except for (the optional) rule Guess Lower Bound. Every derivation using only rules from is finite.
Proof 4.1*.*
Let be the initial state of the derivation. We first define a well-founded relation over states. Next, we show that application of any rule in to a leaf of a derivation tree gives smaller states with respect to this relation. As the relation is well-founded, it will follow that the derivation cannot be infinite.
In order to define , we define for , each of which maps a state to a natural number (non-negative integer). We denote the set of natural numbers by .
- •
: number of equalities in such that either , , or .
- •
: size of .
- •
: size of .
- •
: number of disequalities in such that the premise of Set Disequality holds.
- •
: size of .
- •
: size of .
- •
: size of subtracted from . As all constraints in are either or with and in , the size of can be at most . Thus, is well-defined as a map into .
- •
: size of subtracted from . There are at most constraints of the form or in as and are in . There are at most constraints of the form x\mathrel{\ooalign{\sqsubset\cr{-}}}s or x\not\mathrel{\ooalign{\sqsubset\cr{-}}}s in as and are in and respectively. Thus, is well-defined as a map into .
- •
: size of .
Then, we define the order over states as follows:
- •
if and .
- •
if , , and
[TABLE]
where is the -fold lexicographic product of ordering over natural numbers .
- •
otherwise.
The well-foundedness of over states follows from the well-foundedness of [BN98, Section 2.4].
Let be a rule applicable at state , and let be the state after the application of the rule (if there are multiple conclusions, denote the state on first branch as , second branch as and so on). We note below for each rule the relation between , , and , , which establishes that .
- •
First, we consider Rules for intersection (Figure 2), union (Figure 2), set difference (Figure 2) and Rule Singleton for singleton. None of these rules introduce equalities of set terms, nor do they affect the graph ; thus . The only terms introduced to are from , thus . None of these rules update or introduce equalities or disequalities of set terms, thus . None of these rules introduce disequalities between set terms, thus . None of these rules introduce set terms not already in or , thus . None of the rules introduce variables not already in or , thus . None of these rules update , thus .
Each of these rules updates . Recall that for a rule to be applicable at , the resulting state must be different from . From the definition of , we can conclude that the size of has increased. As and , it follows that .
- •
Next, we consider Rules Single Member, Single Non-member and Members Arrangement. None of these rules introduce equalities of set terms, thus . None of these rules introduce set terms to or , thus . None of these rules update or introduce equalities or disequality of set terms, thus . None of these rules introduce disequalities of set terms, thus . None of these rules introduce set terms to or , thus . None of the rules introduce variables not already in or , thus .
Each of these rules updates . From the definition of , we can conclude that the size of has increased. As , we can conclude that .
- •
Next, we consider Rule Set Disequality. The rule does not introduce any equality of set terms, thus for . The rule does not introduce set terms to or , thus for . The rule does not update , thus for . The premise of the rule does not hold after application of the rule on either of the branches. It follows that for .
- •
Next, we consider Introduce Rules (Figure 6). Note that none of these rules introduce equalities of set terms. Also note that if , and in then (see Proposition 5, property 1). Thus, .
Each of the rules adds at least one new node to which is in . At the same time, is unchanged. It follows that .
- •
Rules Merge Equality I and Merge Equality II. Though these rules add equalities of the form to , the equalities are such that , and . It follows that .
Now, observe that for Rule Merge Equality I or Rule Merge Equality II to be applicable, there must exist such that . After the application of the rule, . This shows that .
- •
Rule Merge Equality III. For the rule to be applicable, there must exist such that . After the application of the rule, . Thus, necessarily .
- •
Rule Guess Empty Set. Note that though this rule may add an equality of the form on the first branch, using the same reasoning as for Rules Merge Equality I and Merge Equality II above, we can conclude that . On the second branch, as no disequality is added, we get that . Only terms introduced to are from , thus for .
In order to apply the rule, we pick a such that and . On the first branch, , thus . On the second branch, , thus .
- •
Rule Propagate Minsize. The rule does not update , , or , thus , , , , , , , and . But, .
- •
Rules Eq Unsat, Set Unsat, Empty Unsat, and Arithmetic contradiction. For each of these rules to be applicable, . On the other hand, after the application of the rule. By definition, .
Remark 3*.*
It is easy to extend the termination proof above to include the optional rule Guess Lower Bound. It would involve tracking sizes of additional objects—a strategy similar to the one adopted for Rule Guess Empty Set in our proof would suffice.
4.2. Completeness
We prove properties about different subsets of rules, developing the completeness proof in stages. We start with a proposition about rule set .
Proposition 4*.*
Let be a derivation tree leaf that is saturated with respect to . There is a model of that satisfies the constraints and and has the following properties.
- (1)
For all of sort ,
if and only if . 2. (2)
For all of sort , S^{\mathfrak{S}}=\left\{x^{\mathfrak{S}}\ \middle|\ x\mathrel{\ooalign{\sqsubset\cr{-}}}S\in\mathcal{S}^{*}\right\}. 3. (3)
For all of sort , .
Proof 4.2*.*
Since the models of are closed under variable reassignment, we pick an arbitrary model of and show that we can change its interpretation of the variables of to satisfy the properties above.
We start by interpreting all variables of sort in so that, for all and in of sort,
[TABLE]
It follows that satisfies . Next, let interpret each variable of sort in as:
[TABLE]
and each variable of sort in as:
[TABLE]
For any set term , define
[TABLE]
Let be an arbitrary set of set terms which includes all set terms in . Using the assumption that the given state is saturated, we show by structural induction on set terms that for any set term :
[TABLE]
Case 1* ( is a variable).*
The definition of is identical to that of .
Case 2* ( is ).*
Rule Empty Unsat would apply to the state if there was a constraint of the form x\mathrel{\ooalign{\sqsubset\cr{-}}}\emptyset in . It follows that .
Case 3* ( is ).*
As , it is sufficient to show that . Since rule Singleton is not applicable, we can conclude that x\mathrel{\ooalign{\sqsubset\cr{-}}}s\in\mathcal{S}^{*}. It follows that . The other direction, , follows because of saturation with respect to rule Single Member:
[TABLE]
Case 4* ( is ).*
We need to show . The proof of the left-to-right inclusion depends on rule Inter Down I:
[TABLE]
For the other direction, , we rely on rule Inter Up I:
[TABLE]
Case 5* ( is ).*
First we show that :
[TABLE]
Then we show that :
[TABLE]
Case 6* ( is ).*
First we show that :
[TABLE]
We now show that :
[TABLE]
We show by contradiction that x\not\mathrel{\ooalign{\sqsubset\cr{-}}}u\in\mathcal{S}^{*}. Assume the otherwise. Since x\mathrel{\ooalign{\sqsubset\cr{-}}}u\not\in\mathcal{S}^{*} and , the premise of rule Set difference split is satisfied. As we had neither x\mathrel{\ooalign{\sqsubset\cr{-}}}u\in\mathcal{S}^{*} nor x\not\mathrel{\ooalign{\sqsubset\cr{-}}}u\in\mathcal{S}^{*}, we get a contradiction.
[TABLE]
Having established the property of , showing that each constraint in is satisfied by is straightforward:
- (1)
Let x\mathrel{\ooalign{\sqsubset\cr{-}}}s\in\mathcal{S}. Then, by (4) and by (5). 2. (2)
Let x\not\mathrel{\ooalign{\sqsubset\cr{-}}}s\in\mathcal{S}. We show by contradiction.
[TABLE] 3. (3)
Let . From the definition of it follows that . Since and , it follows that . 4. (4)
Let . From rule Set Disequality, it follows that there exists such that either x\mathrel{\ooalign{\sqsubset\cr{-}}}s\in\mathcal{S}^{*} and x\not\mathrel{\ooalign{\sqsubset\cr{-}}}t\in\mathcal{S}^{*}, or x\not\mathrel{\ooalign{\sqsubset\cr{-}}}s\in\mathcal{S}^{*} and x\mathrel{\ooalign{\sqsubset\cr{-}}}t\in\mathcal{S}^{*}. It follows that either and , or and . In either case, we can conclude that . 5. (5)
Let . By definition, both .
For the next two results, let be a derivation tree leaf saturated with respect to rules in a derivation tree. The first result is about the effects of the rules in . The second is about the rules in .
Proposition 5*.*
For every the following holds.
- (1)
If or for some , then . 2. (2)
If , then . 3. (3)
If , then . 4. (4)
If , then . 5. (5)
For all distinct , . 6. (6)
666Technically, is ambiguous. However, since is associative in , bracketing does not matter in this context.
Proof 4.3* (Proof (Proposition 5, property 1)).*
Let , with or . From rule Introduce Eq Right and rule Introduce Eq Left it follows that both and . For each of the Rules Merge Equality I, Merge Equality II, and Merge Equality III; we show that after the application of the rule, and are equal.
Consider rule Merge Equality I. Let and denote and respectively before application of the rule. Let and denote and after application of the rule. For the rule to be applicable . The rule adds constraints to so that . Equivalently, . Since , we get .
The case for rule Merge Equality II is analogous to rule Merge Equality I.
Consider rule Merge Equality III. Let and denote and respectively before application of the rule. Let and denote and after application of the rule. Let . Note that the operation only adds nodes and vertices. Thus, is one of the following:
- •
with and : Since as well as is an edge, it follows that .
- •
. Since nodes in have an outgoing edge, it must be the case that . It follows that .
This shows that . The reasoning for is symmetrical.
As , , and , the premise of at least once of the rules (Merge Equality I), (Merge Equality II), and (Merge Equality III) must be satisfied whenever . As the branch is saturated, follows.
Proof 4.4* (Proof (Proposition 5, properties 2, 3, 4)).*
As is obtained from a derivation starting with a state with an empty graph, it is sufficient to show the properties hold for the empty graph, and that they are preserved each time the graph is modified by one of the rules.
The properties hold trivially for the empty graph. The interesting cases are when edges are added to the graph: i) of a union, intersection, or set minus term, and ii) operation.
Observe that when we introduce , , and to the graph, the following holds:
- •
,
- •
,
- •
,
- •
,
- •
, and
- •
.
We conclude that:
- •
- •
- •
- •
when an introduce rule is applied. Note that the merge operation only adds edges from existing leaf nodes, ensuring that the property is maintained by any application of .
, as defined in (2), can also be defined as:
[TABLE]
where does not depend on . The properties in the proposition about follow from the corresponding property of just established, and above formulation of .
Proof 4.5* (Proof (Proposition 5, properties 5,6)).*
The properties holds trivially for the empty graph.
Let be the graph constraints. Let . Let be a new constraint such that . Then, this modifies , and we need to verify the Property 6 still holds. Note that for any structure in , if is interpreted as empty set, the interpretation of will be same as . Thus, if and
[TABLE]
then
[TABLE]
It follows if is added to by a rule, the property 6 continue to hold. Also note that an equality is not removed by any rule (if there was such a rule, we would need to check the property continues to hold when the left side of the implication is weakened).
The only other rules which affect the properties are those which modify the graph directly, i.e. the and operations.
We show that if satisfies the properties, then so does :
- •
is , or : trivially, as no edges are added.
- •
is : Note that because of the assumptions on the normal form, either already in the graph and operation does not modify the graph, or it will add the nodes , , , , and to the graph, and edges between them. It is easy to see that the property 5 follows from:
[TABLE]
Property 6 follows from:
[TABLE]
and reasoning as earlier that any constraint of the form does not affect the property.
- •
is or : reasoning same as for .
- •
is . If not already present, , , , are added to the graph as for . In addition, for union also adds , and three edges. The properties follows from the following tautologies in in addition to those listed in analysis for :
[TABLE]
Finally, we show that if satisfies the properties, then so does if , , and .
Let denote in , and denote in (likewise for , etc.).
In order to show property 5 holds, let , and . We need to show: .
- •
Let and , i.e. both are also leaf nodes in . Then, the property for follows from that of .
- •
Let be one of the newly introduced leaf nodes and a leaf node in . Without loss of generality, let be with and . For to be in , given the way the edges are added, either or . Thus, we know that either or . In either case, it follows that , i.e. .
- •
The analysis for the case where both are newly introduced leaf nodes is similar.
To show property 6 holds, the main observation is that each node no longer a leaf node, say , is union of a new set of leaf nodes in (assuming the equalities).
[TABLE]
Note that are precisely the nodes in to which edges are added from . The proof for a node in but not in is similar.
Since all the new leaf nodes are of the form with and , it follows that property 6 holds for if it holds for assuming .
Proposition 6*.*
Let be a state such that none of the rules in our calculus are applicable. Let be an interpretation defined in Proposition 4 satisfying constraints in and . To recall, for and of sort,
[TABLE]
and for of sort,
[TABLE]
Let be an interpretation satisfying . Then, for all ,
[TABLE]
Proof 4.6*.*
Let . First we show that if , then the proposition follows. That is there exists such that . Let be as in (4).
[TABLE]
It remains to show that . Because of rule Members Arrangement, either or Rule Members Arrangement is applicable until the premise of rule Propagate Minsize holds. If Rule Propagate Minsize is applicable, must have been added to . In either case, .
Completeness is a direct consequence of the following result.
Proposition 7*.*
Let be set, element and cardinality constraints respectively, satisfying Restriction 3. Let be a derivation with respect to rules from state . If is finite, and the final derivation tree, say , in is open and saturated with respect to the rules ; then there exists an interpretation that satisfies , and .
Proof 4.7*.*
Proof outline: We build a model of the leaf nodes in the graph by modifying as needed the model obtained from Proposition 4. We add additional elements to these sets to make the cardinalities match the model satisfying the cardinality constraints and the constraints induced by the graph. Propositions 5 and 6 ensure that it is always possible to do so without violating the set constraints.
As is open, there exists a branch that does not end in the state unsat. Let be the final state on such a branch.
Let be the cardinality constraints, and the cardinality constraints induced by the graph. These constraints fall in the theory . Let be the structure satisfying these constraints. Such a structure exists because rule Arithmetic contradiction would have closed the branch if the constraints were inconsistent. From Proposition 4, we obtain a structure satisfying and . Without loss of generality, assume that is infinite.
The we build satisfying will be as follows. It coincides with the structure on terms of sort. It coincides with the structure on terms of sort. In order to define the value of set variables, for each leaf node we create the following sets:
[TABLE]
where are distinct from each other and from any such that for in or . From Proposition 6, we know that . Thus, for a leaf node ,
[TABLE]
For a set variable not in the graph, , define . For a set variable in the graph, , define:
[TABLE]
From Proposition 5, it follows that:
[TABLE]
So an equivalent way to define is as follows:
[TABLE]
We verify that each constraint in is satisfied:
- (1)
, .
For , we need to show . If neither nor , then this follows from Proposition 4. If either or , then due to rule Introduce Eq Right and rule Introduce Eq Left both and . From Proposition 5, property 1, we know that . From the definition of and in (8), it follows that .
For , we need to show . Let us write , where if , otherwise let (from (10)). Similarly we may write . From Proposition 4 we know that . Without loss of generality assume and . By definition, is disjoint from , thus . Thus, and . follows. 2. (2)
.
We need to show . It will follow from rule Introduce Empty Set and rule Introduce Eq Left.
[TABLE] 3. (3)
.
We need to show that . From rule Introduce Singleton we conclude that Then, from rule Introduce Eq Left, .
From , we know that:
[TABLE]
We can conclude that as (for proof of , see reasoning later in this proof for – the same reasoning works for all nodes )
From, Singleton, we know . By Proposition 4, . As
[TABLE]
and , we conclude that . 4. (4)
. We need to show .
Let , , and . Then,
[TABLE]
Otherwise, let , or , or . Then, from Rules Introduce Eq Right, Introduce Eq Left, Introduce Union and definition of , we know , , and in . Then,
[TABLE] 5. (5)
. We need to show .
Let , , and . Then,
[TABLE]
Let and , but . Then,
[TABLE]
If and , but ; the reasoning is same as above.
Otherwise, either or both and . Then, from Rules Introduce Eq Right, Introduce Eq Left, Introduce Inter and definition of , we know , , and in . Then,
[TABLE] 6. (6)
. We need to show .
Let , , and . Then,
[TABLE]
Let and , but . Then,
[TABLE]
Note that in contrast to intersection, if , , and , the above analysis does not apply. We do need to introduce and reason about the equality in the graph.
Let or . From Rules Introduce Eq Right, Introduce Eq Left, Introduce Set difference and definition of we know , , and in . Then,
[TABLE] 7. (7)
x\mathrel{\ooalign{\sqsubset\cr{-}}}S, x\not\mathrel{\ooalign{\sqsubset\cr{-}}}S.
Note that irrespective of whether or , . Thus, from Proposition 4, if x\mathrel{\ooalign{\sqsubset\cr{-}}}S is a constraint.
It remains to show that if x\not\mathrel{\ooalign{\sqsubset\cr{-}}}S is a constraint then . If , then again follows from Proposition 4. If , then observe that is . We already know . It remains to show that . This follows from the definition of . 8. (8)
.
From Proposition 5, we know that for in :
[TABLE]
and also,
[TABLE]
where .
In , as for each , , it follows that:
[TABLE]
Also, for in :
[TABLE]
In other words, is a disjoint union of where . It follows that,
[TABLE]
For a leaf node , from (7) we know that . We may thus conclude,
[TABLE]
From the constraint on cardinality for induced by the graph, i.e the constraint on in , we know that . The result follows:
[TABLE]
Proposition 8* (Completeness).*
Under any fair derivation strategy, every derivation of a set of -unsatisfiable constraints extends to a refutation.
Proof 4.8*.*
Contrapositively, suppose that has a derivation that cannot be extended to a refutation. By Proposition 2, must be extensible to one that ends with a tree with a saturated branch. By Proposition 7, is satisfiable in .
4.3. Soundness
We start by showing that every rule preserves constraint satisfiability.
Lemma 9*.*
For every rule of the calculus, the premise state is satisfied by a model of iff one of its conclusion configurations is satisfied by a model of where and agree on the variables shared by the two states.
Proof 4.9* (Sketch).*
Soundness of the rules in Figure 2 and Figure 3 follows trivially from the semantics of set operators and the definition of . Soundness of Merge Equality I follows from properties of the graph (see Proposition 5, in particular the property that leaf terms are disjoint). The rules in Figure 6 and rule Merge Equality II do not modify the constraints, but we need them to establish properties of the graph. Soundness of the induced graph constraints in Arithmetic contradiction follows from Proposition 5 (in particular properties 5 and 6). Soundness of Propagate Minsize follows from the semantics of cardinality. Soundness of Guess Empty Set, Members Arrangement and Guess Lower Bound is trivial.
Proposition 10* (Soundness).*
Every set of -constraints that has a refutation is -unsatisfiable.
Proof 4.10* (Sketch).*
Given Lemma 9, one can show by structural induction on derivation trees that the root of any closed derivation tree is -unsatisfiable. The claim then follows from the fact that every refutation of a set of -constraints starts with a state -equisatisfiable with .
5. Evaluation
We have implemented a decision procedure based on the calculus above in the SMT solver cvc4 [BCD*+*11]. We describe a high-level, non-deterministic version of it here, followed by an experimental evaluation on benchmarks from program analysis.
5.1. Derivation strategy
The decision procedure can be thought of as a specific strategy for applying the rules given in Section 3, divided into the sets , …, introduced in Section 4.
Our derivation strategy can be summarized as follows. We start the derivation from the initial state with the empty graph, as described in Section 3, and apply the steps listed below, in the given order. The steps are described as rules being applied to a current branch of the derivation tree being constructed. Initially, the current branch is the only branch in the tree. On application of a rule with more than one conclusion, we select one of the branches (say, the left branch) as the current branch.
- (1)
If a rule that derives unsat is applicable to the current branch, we apply one and close the branch. We then pick another open branch as the current branch and repeat Step 1. If no open branch exists, we stop and output unsat. 2. (2)
If a propagation rule (those with one conclusion) in is applicable, apply one and go to Step 1. 3. (3)
If a split rule (those with more than one conclusion) in is applicable, apply one and go to Step 1. 4. (4)
If Guess Empty Set rule is applicable, apply it and go to Step 1. 5. (5)
If an introduce or merge rule in is applicable, apply it and go to Step 1. 6. (6)
If any of the remaining rules are applicable, apply one and go to Step 1. 7. (7)
At this point, the current branch is saturated. Stop and output sat.
Note that if there are no constraints involving the cardinality operator, then steps 1 to 3 above are sufficient for completeness.
5.2. Experimental evaluation
We evaluated our procedure on benchmarks obtained from a software verification applications. The experiments were run on a machine with 3.40GHz Intel i7 CPU with a memory limit of 3 GB and timeout of 300 seconds. We used a development version of cvc4 for this evaluation.777https://github.com/kbansal/CVC4/tree/37f6117 Benchmarks are available on the cvc4 website.888http://cvc4.cs.stanford.edu/papers/LMCS-2018/
The first set of benchmarks consists of single query benchmarks obtained from verifying programs manipulating pointer-based data structures. These were generated by the Jahob system, and have been used to evaluate earlier work on decision procedures for finite sets and cardinality [KNR06, KR07, SSK11]. The results from running cvc4 on these benchmarks are provided in the top half of Table 1. The output reported by cvc4 is in the second column. The third column shows the solving time. The fourth and fifth columns give the maximum number of vertices (# V) and leaves999The # L statistic is updated only when explicitly computed, so the numbers are approximate. For the same reason, # L is 0 on certain benchmarks even though # V is not. This is because cvc4 was able to report unsat before the need for computing the set of leaves arose. (# L) in the graph at any point during the run of the algorithm. Keeping the number of leaves low is important to avoid a blowup from the Merge Equality II rule.
Although we have not rerun the systems described in [KNR06, KR07, SSK11], we report here the experimental results as stated in the respective papers.101010One reason we were unable to do a more thorough comparison with previous work is that those implementations are no longer being maintained. Since the experiments were run on different machines the comparison is only indicative, but it does suggest that our solver has comparable performance.
In [KR07], the procedure from [KNR06] is reported to solve 12 of the 15 benchmarks with a timeout of 100 seconds, while the novel procedure in [KR07] is reported to solve 11 of the 15 benchmarks with the same timeout. The best-performing previous procedure ([SSK11]) can solve all 15 benchmarks in under a second.111111 [SSK11] includes a second set of benchmarks, but we were unable to evaluate our procedure on these, as they were only made available in a non-standard format and were missing crucial datatype declarations. As another point of comparison, we tested the procedure from [SSK11] on a benchmark of the type mentioned in Section 1.1: a single constraint of the form x\mathrel{\ooalign{\sqsubset\cr{-}}}A_{1}\sqcup\ldots\sqcup A_{21}. As expected, the solver failed (it ran out of memory after 85 seconds). In contrast, cvc4 solves this problem instantaneously.
Finally, another important difference compared to earlier work is that our implementation is completely integrated in an actively developed and maintained solver, cvc4.
To highlight the usefulness of an implementation in a full-featured SMT solver, we did a second evaluation on a set of incremental (i.e., multiple-query) benchmarks obtained from the Leon verification system [BKKS13]. These contain a mix of membership and cardinality constraints combined with constraints over the theories of datatypes and bitvectors. The results of this evaluation are shown in the bottom half of Table 1. The output column reports the number of sat and unsat queries in each benchmark. cvc4 successfully solves all of the queries in these benchmarks in under one second. To the best of our knowledge, no other SMT solver can handle this combination of theories.
6. Conclusion
We presented a new decision procedure for deciding finite sets with cardinality constraints and proved its correctness. A novel feature of the procedure is that it can reason directly and efficiently about both membership constraints and cardinality constraints. We have implemented the procedure in the SMT solver cvc4, and demonstrated the feasibility as well as some advantages of our approach. We hope this work will enable the use of sets and cardinality constraints in many new applications that rely on SMT solvers. We also expect to use it to drive the development of a standard theory of sets under the SMT-LIB initiative [BFT].
We expect to pursue several directions of future work. We will investigate relaxing Restriction 3.1 by doing more reasoning modulo equality. We will also experiment with different strategies to attempt to find the most efficient ones. We will also look into efficient means of combining sets with other theories and investigate extensions to relations and relational operators.
Acknowledgement
The authors wish to acknowledge fruitful discussions with Viktor Kuncak and Etienne Kneuss and for providing the Leon benchmarks. We thank Philippe Suter for his help running the algorithm from [SSK11].
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[AA 05] Jean-Raymond Abrial and Jean-Raymond Abrial. The B-book: assigning programs to meanings . Cambridge University Press, 2005.
- 2[AGP 16] Francesco Alberti, Silvio Ghilardi, and Elena Pagani. Counting constraints in flat array fragments. In Automated Reasoning - 8th International Joint Conference, IJCAR 2016, Coimbra, Portugal, June 27 - July 2, 2016, Proceedings , pages 65–81, 2016.
- 3[ASM 80] Jean-Raymond Abrial, Stephen A. Schuman, and Bertrand Meyer. Specification language. In On the Construction of Programs , pages 343–410. Cambridge University Press, 1980.
- 4[Ban 16] Kshitij Bansal. Decision Procedures for Finite Sets with Cardinality and Local Theory Extensions . Ph D thesis, New York University, January 2016.
- 5[BCD + 11] Clark Barrett, Christopher Conway, Morgan Deters, Liana Hadarean, Dejan Jovanovic, Tim King, Andrew Reynolds, and Cesare Tinelli. CVC 4. In 23rd International Conference on Computer Aided Verification (CAV’11) , volume 6806 of Lecture Notes in Computer Science , pages 171–177. Springer, 2011.
- 6[BFT] Clark Barrett, Pascal Fontaine, and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). http://www.SMT-LIB.org .
- 7[BKKS 13] Régis William Blanc, Etienne Kneuss, Viktor Kuncak, and Philippe Suter. An overview of the Leon verification system: Verification by translation to recursive functions. In Scala Workshop , 2013.
- 8[BN 98] Franz Baader and Tobias Nipkow. Term Rewriting and All That . Cambridge University Press, 1998.
