06 imc itp - ece.uwaterloo.caagurfink/ece750t29/... · interpolating model checking (imc) key idea...
TRANSCRIPT
Unbounded Model Checking:IMC and ITP
Automated Program Verification (APV)Fall 2019
Prof. Arie Gurfinkel
2 2
SAT-based Model Checking
Bounded Model Checking• Is there a counterexample of k-steps
Unbounded Model Checking• Induction and K-Induction (k-IND)• Interpolation Based Model Checking (IMC)•Property Directed Reachability (IC3/PDR)
3 3
SAT-Based Unbounded Model Checking
Uses BMC for falsification
Simulates forward reachability analysis for verification
Identifies a termination condition• all reachable states have been found: “fixed-point”
4 4
Symbolic Safety and Reachability
A transition system P = (V, Init, Tr, Bad)P is UNSAFE if and only if there exists a number N s.t.
P is SAFE if and only if there exists a safe inductive invariant Inv s.t.
Inductive
Safe
Init(X0) ^
N�1̂
i=0
Tr(Xi, Xi+1)
!^ Bad(XN ) 6) ?
Init ) Inv
Inv(X) ^ Tr(X,X 0) ) Inv(X 0)
Inv ) ¬Bad
5 5
Inductive Invariants
System State Space
Bad Inv
System S is safe iff there exists an inductive invariant Inv:• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv
Initial
i.e., if s ∈ Inv and s↝t then t ∈ Inv
6 6
Inductive Invariants
System State Space
Bad Inv
System S is safe iff there exists an inductive invariant Inv:• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv
Initial
System S is safe if Reach ∩ Bad = ∅
Reach
i.e., if s ∈ Inv and s↝t then t ∈ Inv
INIT
Forward Reachability Analysis
Bad=¬P
Does AG P hold?
R1=INIT ∨Img(INIT,T)
R2=R1∨Img(R1,T) …Rn=Rn-1∨Img(Rn-1,T)
Image operator: Img(Q,T) = ∃ V. (Q ∧ T)
Termination when• either a bad state satisfying ¬p is found• or a fixpoint is reached: Rj Í Èi=0,j-1 Ri
è Rj is the set of reachable states
Image computation methods
• Symbolic model checking without BDD's– Use SAT solver just for fixed-point detection
• Abdulla, Bjesse and Een 2000• Williams, Biere, Clarke and Gupta 2000
– Adapt SAT solver to compute image directly• McMillan, 2002
Image over-approximation
• BMC and Craig interpolation allow us to compute image over-approximation relative to property.– Avoid computing exact image.– Maintain SAT solver's advantage of filtering out
irrelevant facts.
P
Fj-1
Fj
InitF₁ ……
Approximate Reachability Analysis
Bad º ¬p
• Fi = Fi-1 ∨ AppxImg(Fi-1)• Fi over-approximates the states reachable in at most i steps
R1R2
F2 Rj-1
Rj
Over-approximation• An over-approximate image op. is Img' s.t.
for all Q, Img(Q,T) implies Img'(Q,T)• Over-approximate reachability:
F0 = IFi+1 = Fi ∪ Img'(Fi,T)
F = ∪ Fi
Fixpoint: • If Fj+1 ≡ Fj no new reachable states will be discovered• Fj is an inductive invariant
Inductive Invariants for verifying AG p
System State Space
Bad Inv
Initial
A set of states Inv is an inductive invariant if• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv i.e., if s ∈ Inv and s↝t
then t ∈ Inv
Inductive Invariants for verifying AG p
System State Space
Bad Inv
Initial
A set of states Inv is an inductive invariant if• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv i.e., if s ∈ Inv and s↝t
then t ∈ Inv
System S is safe iff there exists an inductive invariant Inv
Reach ∩ Bad = ∅
Reach
Why is F an inductive invariant?
Recall: forward reachability sequence F0 = I
Fi+1 = Fi ∪ Img'(Fi,T)F = ∪ Fi
How to compute an approximate image for reachability analysis?
Also called trace
16 16
Adequacy of Approximate Img
Img' is adequate w.r.t. Bad, when• if Q cannot reach Bad in any number of steps, then
Img’(Q,T) cannot reach Bad in any number of steps
If Img' is adequate, then• Bad is reachable iff F ∧ Bad is SAT
Adequate image
Q Bad
Img(Q,T)
Reached from Q Can reach Bad
Img�(Q,T)
But how do you get an adequate Img'?
k-adequate image operator
• Img' is k-adequate w.r.t. Bad, when– if Q cannot reach Bad,
Img’(Q,T) cannot reach Bad within k steps
• Note, if k > diameter, then k-adequate is equivalent to adequate.
19 19
Interpolating Model Checking (IMC)
Key Idea• turn SAT/SMT proofs of bounded safety to inductive traces• repeat forever until a counterexample or inductive invariant are found
Introduced by McMillan in 2003• Kenneth L. McMillan: Interpolation and SAT-Based Model Checking.
CAV2003: 1-13• based on pairwise Craig interpolation
Extended to sequences• Yakir Vizel, Orna Grumberg: Interpolation-sequence based model checking.
FMCAD 2009: 1-8– uses interpolation sequence
• Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136– IMPACT: interpolation sequence on each program path
20 20
Inductive Trace
An inductive trace of a transition system P = (V, Init, Tr, Bad) is a sequence of formulas [F0, …, FN] such that
• Init ⇒F0
•∀0 ≤ i < N , Fi(v) ∧ Tr (v, u) ⇒ Fi+1 (u)
A trace is safe iff ∀ 0 ≤ i ≤ N , Fi ⇒¬Bad
A trace is monotone iff ∀ 0 ≤ i < N , Fi ⇒ Fi+1
A trace is closed iff ∃ 1 ≤ i ≤ N, Fi ⇒(F0 ∨ … ∨ Fi-1)
A transition system P is SAFE iff it admits a safe closed trace
21 21
P
Fj-1
Fj
Init
F₁ ……
Safe Monotone Inductive Trace
Bad =¬p
• Fi over-approximates the states that are reachable in at most i steps• If Fj+1 -> Fj then Fj is an inductive invariant
R1
R2
F2 Rj-1
Rj
22 22
Craig Interpolants [Craig 57]
Given a pair (A,B) of propositional formulas s.t.• A(X,Y) ∧ B(Y,Z) is unsatisfiable• i.e., A⇒¬B
There exists a formula I such that:• A ⇒I• I ∧ B is unsatisfiable• I is over Y, the common variables of A and B
A ⇒¬B
A ⇒ I
I ⇒ ¬B
A BI
23 23
Example
A = p Ù q, B = ¬q Ù r,
I = ?
24 24
Interpolants from Resolution Proofs
When A ∧ B is unsatisfiable, SAT solvers return a a resolution graph deriving false
An interpolant I can be derived from the resolution graph• In linear time• In the worst case, I is linear in the resolution graph (i.e., exponential in the
size of A and B)
ITP = procedure for computing an interpolant
ITP(A,B) = resulting interpolant
Pudlak,Krajicek 97, McMillan 03
IMC – Interpolation-based MCMcMillan, CAV 2003
∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))
A B
• Interpolant I1 is computed
– over-approximates the states reachable from INIT in 1 transition
– cannot reach a bad state in £ k-1 transitions
INIT(V)
Craig Interpolation Theorem is used to safely over-approximate sets of reachable states:
I1
k-1-adequate overapprox. image!*only partial – why?
IMC – Interpolation-based MC
A B
• I1 is fed back to the BMC solver• A new interpolant I2 is computed
– I2 over-approximates the states reachable from INIT in 2 transitions– cannot reach a bad state in £ k-1 transitions
• Iterative process
I1(V) ∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))
∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))
A B
INIT(V)
I1
I2
• In IMC, short BMC formulas can prove the nonexistence of long CEXs– INIT is replaced by Ij which over-approximates Rj
• If a satisfying assignment toIj(V) ∧ T(V,V1) ∧ T(V1,V2)∧…∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))is found, the counterexample might be spurious– Since Ij(V) is over-approximated
• Increase precision:Increase k and start over with the original INIT
IMC – Interpolation-based MC
I1
I2
0 0 1 1( ) ( , ) ( )INIT V T V V p VÙ Ù¬
1 0 0 1 1( ) ( , ) ( )I V T V V p VÙ Ù¬
2 0 0 1 1( ) ( , ) ( )I V T V V p VÙ Ù¬ BAD ¬p
I�1
))()((),(),()( 2121100 VqVqVVTVVTVINIT ¬Ú¬ÙÙÙ
))()((),(),()(' 21211001 VqVqVVTVVTVI ¬Ú¬ÙÙÙ
))()((),(),()(' 2121100 VqVqVVTVVTVIk ¬Ú¬ÙÙÙ
.
.
.
• A fixpoint is checked whenever a new interpolant is computed
• For iteration i, every new interpolant is checked for inclusion in all previously computed interpolants for the same i– In Þ INIT Ú Vj=1,n-1 Ij
P
Ij-1
Ij
InitI₁ ……
IMC as Approximate Forward Reachability (1)
Bad º ¬p
Inductive trace:I0 = InitIi Ù TR ⇒(Ii+1)’Ii Ù TRj⇒ pj for j=0…k-1
Ii over-approximates the states that are reachable in (exactly) i steps
Fixpoint: If Ij => INITÚ I1 Ú… Ú Ij-1 then INITÚ I1 Ú… Ú Ij-1 is an inductive invariant
R1R2
I2 Rj-1
Rj
Claim: If Ij => INITÚ I1 Ú… Ú Ij-1 then INITÚ I1 Ú… Ú Ij-1 is an ind. invariant
Proof:Consecution: (INITÚ I1 Ú… Ú Ij-1) Ù TR => (I1 ÚI2 Ú … Ú Ij)’ => (INITÚ I1 Ú… Ú Ij-1)’
Initiation: INIT => INITÚ I1 Ú… Ú Ij-1
Safety: INITÚ I1 Ú… Ú Ij-1 => p
∧ TR(V,V1) ∧ …Ii(V)
∧ TR(V,V1) ∧ …Ii-1(V)
Ii
Ii+1
Inductive Invariants in IMC
33 33
IMC Pseudocode (1)
k=1 while (true) {j = 0I0 = INITwhile(true) {if (SAT(Ij ∧ TRk ∧ (¬p1∨… ∨¬pk)) {
if (j==0) then return CEXk++; break;
} else // UNSATIj+1 = ITP(Ij∧ TR, TRk-1 ∧ (¬p1∨… ∨¬pk));if (Ij+1 => INIT Ú I1 Ú… Ú Ij ) then return SAFEj++;
}}
34 34
IMC Pseudocode (2)
k=1
while (true) {
I = INIT
while(true) {
if (SAT(I ∧ TRk ∧ (¬p1∨… ∨¬pk)) {if (I = INIT) then return CEX
k++; break;
} else // UNSAT
I’ = ITP(I ∧ TR, TRk-1 ∧ (¬p1∨… ∨¬pk));if (I’ => I ) then return SAFE
I = I ∨ I’;
}
}
McMillan 2003
P
Fj-1
Fj
InitF₁ ……
Approximate Reachability Sequence in IMC (2)
Bad º ¬p
F0 = InitFi+1 = Fi Ú Ii+1Fi Ù TR ⇒(Ii+1)’ ⇒(Fi+1)’Fi Ù TRj⇒ pj for j=0…k-1
• Fi over-approximates the states that are reachable in at most i steps• If Fj+1 ⇒ Fj then Fj is an inductive invariant
R1R2
F2 Rj-1
Rj
Termination
• Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.
Notes:– don't need to know when k > d in order to terminate– often termination occurs with k << d
Interpolation-based MC
• Fully SAT-based• Inherits SAT solvers ability to concentrate on facts
relevant to a property• Most effective when– Very large set of facts is available– Only a small subset are relevant to property
• For true properties, appears to converge for smaller k values
• Disadvantage: start from scratch for each k
38 38
IMC WITH INTERPOLATION SEQUENCE
Interpolation Sequence• If A1 Ù … Ù Ak+1 is unsatisfiable, then there exists an
interpolation-sequence I0,I1,…,Ik,Ik+1 for (A1,… ,Ak+1 ) s.t.:I0=T and Ik+1=FIj Ù Aj+1 Þ Ij+1
Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak
• Each Ij can be computed as the interpolant of A=A1 Ù … Ù Aj and B=Aj+1 Ù … Ù Ak– All Ij’s should be computed on the same resolution graph
In particular:A1 ⇒ I1 Ik⇒¬Ak+1
Interpolation Sequence• If A1 Ù … Ù Ak+1 is unsatisfiable, then there exists an
interpolation-sequence I0,I1,…,Ik,Ik+1 for (A1,… ,Ak+1 ) s.t.:I0=T and Ik+1=F
Ij Ù Aj+1 Þ Ij+1
Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak
Computed by pairwise interpolation applied to different cuts of a fixed resolution proof - All Ij’s should be computed on the same resolution graph
Init ∧Tr1 Tr2 Tr3 Tr4 Tr5 ¬pI1 I2 I3 I4 I5
In particular:A1 ⇒ I1 Ik⇒¬Ak+1
Reachability with Interpolation-Sequence
INIT(V0)∧T(V0,V1) ∧ T(V1,V2) ∧ T(V2,V3) ∧…∧ T(Vk-1,Vk) ∧ ¬P(Vk)
A1 A3 Ak Ak+1
I1 I3 Ik
A2
I2
• Unsatisfiable BMC formula partitioned in the following manner:
Vizel , Grumberg, FMCAD 2009
Ij Ù Aj+1 ÞIj+1Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak+1
I1,1
0 0 1 1 2 2( ) ( , ) ( , ) ( )INIT V T V V T V V p VÙ Ù Ù¬
I1,2I2,2
0 0 1 1( ) ( , ) ( )INIT V T V V p VÙ Ù¬
F1 F2
INIT R1
INIT
R2 R3
F1F2
F3
)'''()''',''()'','()',()( VPVVTVVTVVTVINIT ¬ÙÙÙÙ )'()',()( VPVVTVINIT ¬ÙÙ
I1,1 I2,2I1,2
F1F2
I3,3I2,3I1,3
Analogy to Forward Reachability
BAD ¬p
)'()',()',()( VPVVTVVTVINIT ¬ÙÙÙ
• BMC is used for bug finding
• Interpolation-sequence computes an inductive trace: <F0,F1,…,Fk> from BMC formulas– Safe over-approximations of reachable states– Fi(V) ∧ T(V,V‘) Þ Fi+1(V‘)– Fi Þ P
• Integrated into the BMC loop to detect termination
Checking if a “fixpoint” has been reached
• Does there exist 2 £ n £ k such that Fn Þ Vj=1…n-1 Fj ?
• Similar to checking fixpoint in forward reachability analysis:RkÍ Uj=1…k-1 Rj
• But here we check inclusion for every 2 £ k £ n
– No monotonicity because of the approximation
• “Fixpoint” is checked with a SAT solver
Termination
Always terminates• either when BMC finds a bug: M |¹ AGp• or when all reachable states have been found:
M |= AGp
Problems:• As the BMC formula grows – Interpolants grow
– keep conjoining interpolants from subsequent runs: conjunctions grow
1. “Big” formulas cause the BMC problems to be hard to solve
2. Non-CNF interpolants need to be translated to CNF3. Unrolling of TR multiplies number of variables
47
48 48
IMC: Interpolating Model Checking
N=1
BMCN
SeqItp
trace F = [F0, …, FN]
Is F closed
N:=N+1
CEX
SAFE
SAT
UNSAT
YesNo
49 49
IMC: Strength and Weaknesses
Strength• elegant• global bounded safety proof• many different interpolation algorithms available• easy to extend to SMT theories
Weaknesses• the naïve version does not converge easily– interpolants are weaker towards the end of the sequence
• not incremental– no information is reused between BMC queries
• size of interpolants• hard to guide
50 50
INTERPOLATION
51 51
Alternative Definition of an Interpolant
Let F = A(x, z) ∧ B(z, y) be UNSAT, where x and y are distinct• Note that for any assignment v to z either– A(x, v) is UNSAT, or– B(v, y) is UNSAT
An interpolant is a circuit I(z) such that for every assignment v to z• I(v) = A only if A(x, v) is UNSAT• I(v) = B only if B(v, y) is UNSAT
A proof system S has a feasible interpolation if for every refutation ¼ of F in S, F has an interpolant polynomial in the size of ¼• propositional resolution has feasible interpolation• extended resolution does not have feasible interpolation
52 52
Algorithms for Computing Interpolants
Variable Elimination by Substitution
Variable Elimination by Resolution
Optimizing using an MUS
Interpolating a resolution proof
53 53
Interpolation via Variable Elimination (1)
A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT
Let I(Y) be a formula defined as follows:
Then, I(Y) is an interpolant between A and BPf: I(Y) = ∃ X . A(X, Y)
Question: Is that a good ITP procedure for IMC?
I(Y ) =_
~x2Bn
A(~x),where n = |X|<latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit>
54 54
Interpolation via Variable Elimination (2)
A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT
Recall that Res*(A, X) stands for all clauses obtained from A by exhaustively resolving on variables in X
Let I(Y) be defined as follows
Then, I(Y) is an interpolant between A and B.Pf: I(Y) = ∃ X . A(X, Y)
Question: Is that a good ITP procedure for IMC?
I(Y ) = {c 2 Res⇤(A) | Vars(c) \X = ;}<latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit>
55 55
Interpolation with MUS
A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT
Let U(X, Y) be a minimal subset of A(X, Y) such that U ∧ B are UNSAT• U can be computed by iteratively querying a SAT solver• or by examining the refutation proof of A ∧ B
Let I(Y) be an interpolant of U and B computed using either of previous methods
Then, I is an interpolant for A and B Pf: ???
Question: Is I(Y) a good interpolant for IMC?
56 56
Alternative Definition of an Interpolant
Let F = A(x, z) ∧ B(z, y) be UNSAT, where x and y are distinct• Note that for any assignment v to z either– A(x, v) is UNSAT, or– B(v, y) is UNSAT
An interpolant is a circuit I(z) such that for every assignment v to z• I(v) = A only if A(x, v) is UNSAT• I(v) = B only if B(v, y) is UNSAT
A proof system S has a feasible interpolation if for every refutation ¼ of F in S, F has an interpolant polynomial in the size of ¼• propositional resolution has feasible interpolation• extended resolution does not have feasible interpolation
57 57
Interpolants from Proof
SAT Solver
Interpolation System
Interpolant
Resolution Proof
Annotated Proof
58 58
McMillan Interpolation Procedure
Let A and B be two sets of clausesLet ! be a resolution proof of A ∧ B è false
Annotated clauses in ! with partial interpolants (Boolean formulae)• Notation: c [p] mean formula p is a partial interpolant of clause c
Augmented resolution calculus, where g(c) is a sub-clause of only global variables
59 59
Interpolation Example
P. Ruemmer. Craig Interpolation in SAT and SMT
60 60
Correctness of McMillan Interpolation
Lemma: In any annotated proof of A and B, for every clause node c [pc]the following are true
Corollary: The root of resolution proof is the empty clause, and its partial interpolant is the interpolant!
A |= pc _ (c \ g(c))B, pc |= g(c)
pc only contains global symbols<latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit>
61 61
Other Interpolation Systems
A single resolution proof can be annotated in different ways giving different interpolants
McMillan interpolation is the strongest interpolant obtained by annotated proof rules from a given proof
There are other annotation strategies and systems for interpolation• Symmetric interpolants: ITP(A,B) == ¬ ITP(B, A)• Labelled interpolation: framework in which McMillan ITP is an instance
So far, no correlation between strength / technique and usefulness for verification J
62 62
Computing Sequence Interpolant
Let S0, S1, S2, …, Sn be n formulas whose conjunction is UNSATLet ITP(A,B) be any interpolation algorithm
Then, the sequence I0, I1, … is a sequence interpolant
I0 = ITP(S0,^
i=1..n
Si)
I1 = ITP(I0 ^ S1,^
i=2..n
Si)
Ik = ITP(Ik�1 ^ Sk,^
i=k..n
Si), for k 2 [1..(n� 1)]<latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit>
63 63
DRUPing for Interpolants
A CDCL proof is build out of trivial resolutions• terminated by a learned clause
A sub-proof for each learned clause can be re-constructed in polynomial time• negation of clause + BCP leads to a conflict
A clausal proof is a sequence of learned clauses in the order they are learnedInterpolate while replaying the proof
learnedclause
trivial resolution
A. Gurfinkel & Y. Vizel: DRUPing for interpolats. FMCAD 2014: 99-106
64 64
MiniDRUP
SAT with DRUP proofs
Interpolation-oriented BCP in Trim
Learn near CNF interpolants in Replay
SAT
Trim
Replay
CNF
Clausal Proof
core proof
Interpolant
BCP
BCP +Learning
65 65
DAG Interpolants [TACAS’12]
Given a DAG G = (V, E) and a labeling of edges ¼:E®Expr. A DAG Interpolant (if it exists) is a labeling I:V®Expr such that• for any path v0, …, vn, and 0 < k < n,
I(vk) = ITP (¼(v0) ∧ … ∧ ¼ (vk-1), ¼(vk) ∧ … ∧ ¼(vn))• 8 (u, v) 2 E . (I(u) ∧ ¼ (u, v)) ) I(v)
1
2
3
4 5
7
6
¼1
¼2
¼3 ¼4
¼5¼6
¼7
¼8
I1
I2
I3
I4 I5
I6
I7
I2 = ITP (¼1, ¼8)I2 = ITP (¼1, ¼2 ∧¼3 ∧¼6 ∧ ¼7)…
(I1 ∧ ¼1) ) I2(I2 ∧¼8) ) I7(I2 ∧¼2) ) I3…