TECHNIQUES FOR SIMPLIFICATION OF LARGE THEORIES
5.2 EQUIVALENCE REMOVAL
Our second attempt to reduce the theory of the proofs coming from the JML specifications was an equivalence removal. This idea came from the observation that, according to preliminary experiments, the use of many equivalences together with universal quantifications produced a large explosion of the search space of the underlying theorem prover (the E prover), which could prevent it from finding a solution for a given problem.
With this in mind, our objective was, given an equivalence like (forall V1 V2 (<-> (neqv V1 V2) (not (= V1 V2)))), to translate a formula like:
(->
  (and
    (and (neqv this Null)
         (and (instanceof heap this (ClassType Flag))
              (Flag_invariant heap t intA this)))
    (= b 0) (= i 0) (= krak_access (acc t this)))
  (neqv krak_access Null))
to the equivalent formula:
(->
  (and
    (and (not (= this Null))
         (and (instanceof heap this (ClassType Flag))
              (Flag_invariant heap t intA this)))
    (= b 0) (= i 0) (= krak_access (acc t this)))
  (not (= krak_access Null)))
by replacing every occurrence of the left side of the equivalence with the corresponding instance of its right side. Additionally, we would remove the matched equivalence from the background theory, since it would then serve no purpose. While the resulting goal formula may be larger than the original one, we believed that the running time needed to find a result could be smaller.
At first sight this kind of replacement might appear to be a trivial task (the transformation can easily be performed using emacs+lisp), but we found various details that turned out to be quite complicated, and that led to far fewer substitutions than we were initially expecting.
5.2.1 Restrictions to the equivalence replacement
Having defined the first approach, that is, replacing all occurrences of the left side of an equivalence by the value of its right side, and considering the matching of universally quantified formulas, we faced some restrictions to this approach.
First of all, one of our initial concerns when thinking about the replacement strategy was for cases like:
a ↔ b
b ↔ c
c ↔ a
A declaration like this could easily lead to recursive (and infinite) replacements, since occurrences of a would be replaced by b, b would be replaced by c, and then a would be reintroduced again. But since we use the Union-Find algorithm (briefly described in Section 5.1) to represent the replacements, this never happens. To demonstrate this, we show what happens in this case:
i) at first all formulas have themselves as their representatives (i.e., they are not replaced);
ii) when we find the equivalence between a and b, we change the representative of a to b, to indicate the equivalence;
iii) continuing, we find the equivalence between b and c and make the union between them; now both a and b have c as their representative;
iv) when we finally find the last equivalence, between c and a, we make a union so that c points to the representative of a, which is c itself, so no replacement occurs in this case.
These steps are represented in Figure 5.2.
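The four steps above, worked through in code. This is an added example and not the thesis's own implementation; it assumes a standard Union-Find with path halving (the thesis only says the algorithm of Section 5.1 is used) and treats each formula as a symbol whose replacement is its representative.

```python
# Added example (not from the thesis): Union-Find over the equivalences
# a <-> b, b <-> c, c <-> a, showing that the replacement relation stays
# acyclic, so a single replacement pass terminates.

class UnionFind:
    """Every symbol starts as its own representative (step i)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        """Return the representative of x, shortening the path on the way (path halving)."""
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, left, right):
        """Record left <-> right: the representative of left now points to that of right.
        When both sides already share a representative this is a no-op (step iv)."""
        self.parent[self.find(left)] = self.find(right)


def build(equivalences):
    """Build the replacement relation from (left, right) equivalence pairs in order."""
    uf = UnionFind()
    for lhs, rhs in equivalences:
        uf.union(lhs, rhs)
    return uf


def replace(uf, symbols):
    """Replace each symbol by its representative. Because find() always returns a
    fixed point of the relation, applying this twice gives the same result."""
    return [uf.find(s) for s in symbols]


def trace_steps():
    """Reproduce steps (i)-(iv) for a <-> b, b <-> c, c <-> a."""
    uf = UnionFind()
    uf.union("a", "b")   # step ii: a -> b
    uf.union("b", "c")   # step iii: b -> c, so a and b are both represented by c
    uf.union("c", "a")   # step iv: find(a) is already c, so c keeps pointing to itself
    return {s: uf.find(s) for s in "abc"}


if __name__ == "__main__":
    print(trace_steps())                                  # {'a': 'c', 'b': 'c', 'c': 'c'}
    print(replace(build([("a", "b"), ("b", "c"), ("c", "a")]), ["a", "b", "c", "x"]))
```

The last union is the interesting one: because `find("a")` already yields `c`, the assignment `parent[c] = c` changes nothing, which is exactly why the cyclic declaration does not produce an infinite chain of substitutions.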
This solved, we still had another problem related to recursion. Take, for example, an expression like (forall U V (<-> (f U) (g V (f U)))). In this case we would have a recursive definition of the left side of the term, which would generate recursive substitutions. In this case we chose simply to ignore these occurrences and leave them as they appear.
Figure 5.2. Union find effect on recurrent definitions.
Another question we faced was how to handle equivalences such as (forall U (<-> (f U) (forall V (g V U)))). The problem is that we could have a situation where we would replace an occurrence of (f U) by (forall V (g V U)) in the goal formula.
As said before, haRVey has a processing algorithm for dealing with quantifiers, and the addition of a quantified formula to the goal could interfere with this algorithm. The algorithm could then introduce new axioms into the theory, which could result in no speed-up of the proofs, or even worse. In this case we decided to leave this as an option to be chosen by the user.
5.2.2 The problem with this approach
Even with these cases covered, we faced another problem: take for example the formula shown in Figure 5.3 (a). In this case, the equivalence removal works as expected and produces a coherent result. But if we slightly change the order of the axioms, we get a completely wrong result, as shown in Figure 5.3 (b): there the ground equivalence f(a,b) ↔ y is consumed before the quantified one, so by the time f is rewritten to g nothing relates g(b,a) to y any more, and the goal ends up as y ↔ g(b,a).
5.2.3 Equivalence removal - A second approach
To overcome this problem we chose to further restrict the criteria under which we consider an equivalence valid for replacement. To do this we followed the following conjecture:
Conjecture 5.2 If an axiom is a universally quantified equivalence such that one of its sides is an atom in which all the variables are universally quantified, then we can eliminate the axiom and replace all the instances of that atom by the other side of the equivalence, making the necessary replacement of the variables.
So now we look only for formulas that are comprised of just universally quantified symbols and that still match the above criteria. So in an equivalence like (forall U V (<-> (f U V) (g a b))), we would replace any occurrence of the symbol f (like in (f (h b) (h c))) with (g a b).

(a)                              (b)
∀ U,V. f(U,V) ↔ g(V,U)           f(a,b) ↔ y
f(a,b) ↔ y                       ∀ U,V. f(U,V) ↔ g(V,U)
x ↔ y                            x ↔ y
|=                               |=
x ↔ g(b,a)                       x ↔ g(b,a)

g(b,a) ↔ y                       ∀ U,V. f(U,V) ↔ g(V,U)
x ↔ y                            x ↔ y
|=                               |=
x ↔ g(b,a)                       x ↔ g(b,a)

x ↔ y                            x ↔ y
|=                               |=
x ↔ y                            x ↔ g(b,a)

|=                               |=
y ↔ y                            y ↔ g(b,a)

Figure 5.3. Problem with equivalence removal.
A formula like (forall U (<-> (h i U) (g (f U) U))) would not yield any replacement, since the left side contains a symbol (i) that is not universally quantified.
At this point we also chose to make the replacements based on either side of the formula, i.e., we first check whether the left side of the formula can be replaced by the right side (based on the restrictions presented earlier); if that is not possible, we then try to replace the right side by the left side in the same way. In the last example, since we could not do the replacement because i is not a universally quantified symbol, we would then check the other side, that is (g (f U) U). In this case, while it only has universally quantified variables, it would not yield a replacement either, because it contains another function inside it (f).
Another thing we tried was to restrict the replacements to the case where the symbol being replaced does not occur in any other formula of the theory, that is, we only replaced terms in the goal formula. We did this as a safety measure, but, in the cases we tested, we did not find any case where it would be a concern. Still, we have left this approach for reference, while keeping the unconditional replacement (i.e., also replacing terms occurring in the theory) as an option. From now on we will refer to the unconditional replacement as “full” equivalence removal, and the restricted one as “local” equivalence removal.
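The second approach (Conjecture 5.2 and the side-selection rules above) together with the “full”/“local” option, as an added worked example. This is not the thesis's or haRVey's code; it works on the S-expression syntax used in this chapter, and it adds one assumption beyond the text: every quantified variable must occur in the atom being replaced, so that the substituted side never leaves a free variable behind. The rejected examples from the text, the neqv goal from the start of the section, and the Figure 5.3 theory in both axiom orders are used as inputs.

```python
# Added example, not the thesis's own code: Conjecture 5.2 equivalence removal
# over S-expression formulas, with the full/local and quantified-side options.
import re

def parse(text):
    """Parse one S-expression into nested lists of symbol strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(read())
        pos += 1                      # consume the closing ")"
        return items
    return read()

def show(e):
    """Print a parsed formula back as an S-expression."""
    return e if isinstance(e, str) else "(" + " ".join(map(show, e)) + ")"

def occurs(sym, e):
    """True if symbol sym appears anywhere in e."""
    return e == sym if isinstance(e, str) else any(occurs(sym, x) for x in e)

def rewrite_rule(axiom, allow_quantified=False):
    """Return (head, params, template) if the axiom may be used for replacement.

    Accepted: (forall V1 .. Vn (<-> lhs rhs)) where one side (left tried first)
    is an atom (F V1 .. Vn) whose arguments are distinct quantified variables,
    F does not occur on the other side (no recursive definition), and the other
    side is not itself quantified unless allow_quantified is set. Assumption
    added here: every quantified variable must occur in the atom.
    """
    if not (isinstance(axiom, list) and axiom[0] == "forall"
            and isinstance(axiom[-1], list) and axiom[-1][0] == "<->"):
        return None
    qvars, (_, lhs, rhs) = axiom[1:-1], axiom[-1]
    for atom, other in ((lhs, rhs), (rhs, lhs)):
        if not (isinstance(atom, list) and isinstance(atom[0], str) and atom[0] not in qvars):
            continue
        args = atom[1:]
        if not all(isinstance(a, str) and a in qvars for a in args):
            continue                  # a constant (like i) or a nested function (like (f U))
        if len(set(args)) != len(args) or set(args) != set(qvars):
            continue
        if occurs(atom[0], other):
            continue                  # recursive definition: leave it as it appears
        if isinstance(other, list) and other[0] == "forall" and not allow_quantified:
            continue                  # would put a quantifier into the goal
        return atom[0], args, other
    return None

def instantiate(t, binding):
    """Copy template t with quantified variables bound to the actual arguments."""
    return binding.get(t, t) if isinstance(t, str) else [instantiate(x, binding) for x in t]

def substitute(e, head, params, template):
    """Replace every (head t1 .. tn) inside e by the instantiated template."""
    if isinstance(e, str):
        return e
    e = [substitute(x, head, params, template) for x in e]     # arguments first
    if e[0] == head and len(e) - 1 == len(params):
        return instantiate(template, dict(zip(params, e[1:])))
    return e

def remove_equivalences(axioms, goal, mode="full", allow_quantified=False):
    """Drop each usable equivalence and apply it as a rewrite (single pass).

    mode="full":  rewrite the goal and the remaining axioms;
    mode="local": rewrite only the goal, and only when the replaced symbol
                  occurs in no other axiom of the theory.
    """
    remaining, i = list(axioms), 0
    while i < len(remaining):
        rule = rewrite_rule(remaining[i], allow_quantified)
        others = remaining[:i] + remaining[i + 1:]
        if rule is None or (mode == "local" and any(occurs(rule[0], a) for a in others)):
            i += 1
            continue
        goal = substitute(goal, *rule)
        if mode == "full":
            others = [substitute(a, *rule) for a in others]
        remaining = others            # slot i now holds the next axiom
    return remaining, goal

# Constructed inputs: the neqv axiom and goal from the start of Section 5.2.
NEQV = "(forall V1 V2 (<-> (neqv V1 V2) (not (= V1 V2))))"
GOAL = ("(-> (and (and (neqv this Null) (and (instanceof heap this (ClassType Flag))"
        " (Flag_invariant heap t intA this))) (= b 0) (= i 0)"
        " (= krak_access (acc t this))) (neqv krak_access Null))")

def neqv_example(mode="full"):
    axioms, goal = remove_equivalences([parse(NEQV)], parse(GOAL), mode)
    return [show(a) for a in axioms], show(goal)

def figure_5_3(order):
    """Figure 5.3's theory in the given axiom order; the result no longer depends on it."""
    text = {"forall": "(forall U V (<-> (f U V) (g V U)))",
            "fab": "(<-> (f a b) y)", "xy": "(<-> x y)"}
    axioms, goal = remove_equivalences([parse(text[k]) for k in order], parse("(<-> x (g b a))"))
    return sorted(map(show, axioms)), show(goal)

if __name__ == "__main__":
    print(neqv_example())
    print(figure_5_3(("forall", "fab", "xy")), figure_5_3(("fab", "forall", "xy")))
```

Under these criteria only the quantified axiom of Figure 5.3 is ever used for replacement, so the ground equivalences f(a,b) ↔ y and x ↔ y are left to the prover (f(a,b) ↔ y becomes g(b,a) ↔ y in full mode) and both orderings give the same theory and goal. Passing `mode="local"` keeps an axiom whenever its replaced symbol still occurs elsewhere in the theory.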
As a last remark, it is important to note that the considerations made here can also be applied to equality.