06 imc itp - ece.uwaterloo.caagurfink/ece750t29/... · interpolating model checking (imc) key idea...

Unbounded Model Checking:IMC and ITP

Automated Program Verification (APV)Fall 2019

Prof. Arie Gurfinkel

2 2

SAT-based Model Checking

Bounded Model Checking• Is there a counterexample of k-steps

Unbounded Model Checking• Induction and K-Induction (k-IND)• Interpolation Based Model Checking (IMC)•Property Directed Reachability (IC3/PDR)

3 3

SAT-Based Unbounded Model Checking

Uses BMC for falsification

Simulates forward reachability analysis for verification

Identifies a termination condition• all reachable states have been found: “fixed-point”

4 4

Symbolic Safety and Reachability

A transition system P = (V, Init, Tr, Bad)P is UNSAFE if and only if there exists a number N s.t.

P is SAFE if and only if there exists a safe inductive invariant Inv s.t.

Inductive

Safe

Init(X0) ^

N�1̂

i=0

Tr(Xi, Xi+1)

!^ Bad(XN ) 6) ?

Init ) Inv

Inv(X) ^ Tr(X,X 0) ) Inv(X 0)

Inv ) ¬Bad

5 5

Inductive Invariants

System State Space

Bad Inv

System S is safe iff there exists an inductive invariant Inv:• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv

Initial

i.e., if s ∈ Inv and s↝t then t ∈ Inv

6 6

Inductive Invariants

System State Space

Bad Inv

System S is safe iff there exists an inductive invariant Inv:• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv

Initial

System S is safe if Reach ∩ Bad = ∅

Reach

i.e., if s ∈ Inv and s↝t then t ∈ Inv

INIT

Forward Reachability Analysis

Bad=¬P

Does AG P hold?

R1=INIT ∨Img(INIT,T)

R2=R1∨Img(R1,T) …Rn=Rn-1∨Img(Rn-1,T)

Image operator: Img(Q,T) = ∃ V. (Q ∧ T)

Termination when• either a bad state satisfying ¬p is found• or a fixpoint is reached: Rj Í Èi=0,j-1 Ri

è Rj is the set of reachable states

Image computation methods

• Symbolic model checking without BDD's– Use SAT solver just for fixed-point detection

• Abdulla, Bjesse and Een 2000• Williams, Biere, Clarke and Gupta 2000

– Adapt SAT solver to compute image directly• McMillan, 2002

Image over-approximation

• BMC and Craig interpolation allow us to compute image over-approximation relative to property.– Avoid computing exact image.– Maintain SAT solver's advantage of filtering out

irrelevant facts.

P

Fj-1

Fj

InitF₁ ……

Approximate Reachability Analysis

Bad º ¬p

• Fi = Fi-1 ∨ AppxImg(Fi-1)• Fi over-approximates the states reachable in at most i steps

R1R2

F2 Rj-1

Rj

Over-approximation• An over-approximate image op. is Img' s.t.

for all Q, Img(Q,T) implies Img'(Q,T)• Over-approximate reachability:

F0 = IFi+1 = Fi ∪ Img'(Fi,T)

F = ∪ Fi

Fixpoint: • If Fj+1 ≡ Fj no new reachable states will be discovered• Fj is an inductive invariant

Inductive Invariants for verifying AG p

System State Space

Bad Inv

Initial

A set of states Inv is an inductive invariant if• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv i.e., if s ∈ Inv and s↝t

then t ∈ Inv

Inductive Invariants for verifying AG p

System State Space

Bad Inv

Initial

A set of states Inv is an inductive invariant if• Initiation: Initial ⊆ Inv• Safety: Inv ∩ Bad = ∅• Consecution: TR(Inv) ⊆ Inv i.e., if s ∈ Inv and s↝t

then t ∈ Inv

System S is safe iff there exists an inductive invariant Inv

Reach ∩ Bad = ∅

Reach

Why is F an inductive invariant?

Recall: forward reachability sequence F0 = I

Fi+1 = Fi ∪ Img'(Fi,T)F = ∪ Fi

How to compute an approximate image for reachability analysis?

Also called trace

16 16

Adequacy of Approximate Img

Img' is adequate w.r.t. Bad, when• if Q cannot reach Bad in any number of steps, then

Img’(Q,T) cannot reach Bad in any number of steps

If Img' is adequate, then• Bad is reachable iff F ∧ Bad is SAT

Adequate image

Q Bad

Img(Q,T)

Reached from Q Can reach Bad

Img�(Q,T)

But how do you get an adequate Img'?

k-adequate image operator

• Img' is k-adequate w.r.t. Bad, when– if Q cannot reach Bad,

Img’(Q,T) cannot reach Bad within k steps

• Note, if k > diameter, then k-adequate is equivalent to adequate.

19 19

Interpolating Model Checking (IMC)

Key Idea• turn SAT/SMT proofs of bounded safety to inductive traces• repeat forever until a counterexample or inductive invariant are found

Introduced by McMillan in 2003• Kenneth L. McMillan: Interpolation and SAT-Based Model Checking.

CAV2003: 1-13• based on pairwise Craig interpolation

Extended to sequences• Yakir Vizel, Orna Grumberg: Interpolation-sequence based model checking.

FMCAD 2009: 1-8– uses interpolation sequence

• Kenneth L. McMillan: Lazy Abstraction with Interpolants. CAV 2006: 123-136– IMPACT: interpolation sequence on each program path

20 20

Inductive Trace

An inductive trace of a transition system P = (V, Init, Tr, Bad) is a sequence of formulas [F0, …, FN] such that

• Init ⇒F0

•∀0 ≤ i < N , Fi(v) ∧ Tr (v, u) ⇒ Fi+1 (u)

A trace is safe iff ∀ 0 ≤ i ≤ N , Fi ⇒¬Bad

A trace is monotone iff ∀ 0 ≤ i < N , Fi ⇒ Fi+1

A trace is closed iff ∃ 1 ≤ i ≤ N, Fi ⇒(F0 ∨ … ∨ Fi-1)

A transition system P is SAFE iff it admits a safe closed trace

21 21

P

Fj-1

Fj

Init

F₁ ……

Safe Monotone Inductive Trace

Bad =¬p

• Fi over-approximates the states that are reachable in at most i steps• If Fj+1 -> Fj then Fj is an inductive invariant

R1

R2

F2 Rj-1

Rj

22 22

Craig Interpolants [Craig 57]

Given a pair (A,B) of propositional formulas s.t.• A(X,Y) ∧ B(Y,Z) is unsatisfiable• i.e., A⇒¬B

There exists a formula I such that:• A ⇒I• I ∧ B is unsatisfiable• I is over Y, the common variables of A and B

A ⇒¬B

A ⇒ I

I ⇒ ¬B

A BI

23 23

Example

A = p Ù q, B = ¬q Ù r,

I = ?

24 24

Interpolants from Resolution Proofs

When A ∧ B is unsatisfiable, SAT solvers return a a resolution graph deriving false

An interpolant I can be derived from the resolution graph• In linear time• In the worst case, I is linear in the resolution graph (i.e., exponential in the

size of A and B)

ITP = procedure for computing an interpolant

ITP(A,B) = resulting interpolant

Pudlak,Krajicek 97, McMillan 03

IMC – Interpolation-based MCMcMillan, CAV 2003

∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))

A B

• Interpolant I1 is computed

– over-approximates the states reachable from INIT in 1 transition

– cannot reach a bad state in £ k-1 transitions

INIT(V)

Craig Interpolation Theorem is used to safely over-approximate sets of reachable states:

I1

k-1-adequate overapprox. image!*only partial – why?

IMC – Interpolation-based MC

A B

• I1 is fed back to the BMC solver• A new interpolant I2 is computed

– I2 over-approximates the states reachable from INIT in 2 transitions– cannot reach a bad state in £ k-1 transitions

• Iterative process

I1(V) ∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))

∧ T(V,V1) ∧ T(V1,V2)∧ … ∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))

A B

INIT(V)

I1

I2

• In IMC, short BMC formulas can prove the nonexistence of long CEXs– INIT is replaced by Ij which over-approximates Rj

• If a satisfying assignment toIj(V) ∧ T(V,V1) ∧ T(V1,V2)∧…∧ T(Vk-1,Vk) ∧ (¬p(V1) ∨…∨¬p(Vk))is found, the counterexample might be spurious– Since Ij(V) is over-approximated

• Increase precision:Increase k and start over with the original INIT

IMC – Interpolation-based MC

I1

I2

0 0 1 1( ) ( , ) ( )INIT V T V V p VÙ Ù¬

1 0 0 1 1( ) ( , ) ( )I V T V V p VÙ Ù¬

2 0 0 1 1( ) ( , ) ( )I V T V V p VÙ Ù¬ BAD ¬p

I�1

))()((),(),()( 2121100 VqVqVVTVVTVINIT ¬Ú¬ÙÙÙ

))()((),(),()(' 21211001 VqVqVVTVVTVI ¬Ú¬ÙÙÙ

))()((),(),()(' 2121100 VqVqVVTVVTVIk ¬Ú¬ÙÙÙ

.

.

.

• A fixpoint is checked whenever a new interpolant is computed

• For iteration i, every new interpolant is checked for inclusion in all previously computed interpolants for the same i– In Þ INIT Ú Vj=1,n-1 Ij

P

Ij-1

Ij

InitI₁ ……

IMC as Approximate Forward Reachability (1)

Bad º ¬p

Inductive trace:I0 = InitIi Ù TR ⇒(Ii+1)’Ii Ù TRj⇒ pj for j=0…k-1

Ii over-approximates the states that are reachable in (exactly) i steps

Fixpoint: If Ij => INITÚ I1 Ú… Ú Ij-1 then INITÚ I1 Ú… Ú Ij-1 is an inductive invariant

R1R2

I2 Rj-1

Rj

Claim: If Ij => INITÚ I1 Ú… Ú Ij-1 then INITÚ I1 Ú… Ú Ij-1 is an ind. invariant

Proof:Consecution: (INITÚ I1 Ú… Ú Ij-1) Ù TR => (I1 ÚI2 Ú … Ú Ij)’ => (INITÚ I1 Ú… Ú Ij-1)’

Initiation: INIT => INITÚ I1 Ú… Ú Ij-1

Safety: INITÚ I1 Ú… Ú Ij-1 => p

∧ TR(V,V1) ∧ …Ii(V)

∧ TR(V,V1) ∧ …Ii-1(V)

Ii

Ii+1

Inductive Invariants in IMC

33 33

IMC Pseudocode (1)

k=1 while (true) {j = 0I0 = INITwhile(true) {if (SAT(Ij ∧ TRk ∧ (¬p1∨… ∨¬pk)) {

if (j==0) then return CEXk++; break;

} else // UNSATIj+1 = ITP(Ij∧ TR, TRk-1 ∧ (¬p1∨… ∨¬pk));if (Ij+1 => INIT Ú I1 Ú… Ú Ij ) then return SAFEj++;

}}

34 34

IMC Pseudocode (2)

k=1

while (true) {

I = INIT

while(true) {

if (SAT(I ∧ TRk ∧ (¬p1∨… ∨¬pk)) {if (I = INIT) then return CEX

k++; break;

} else // UNSAT

I’ = ITP(I ∧ TR, TRk-1 ∧ (¬p1∨… ∨¬pk));if (I’ => I ) then return SAFE

I = I ∨ I’;

}

}

McMillan 2003

P

Fj-1

Fj

InitF₁ ……

Approximate Reachability Sequence in IMC (2)

Bad º ¬p

F0 = InitFi+1 = Fi Ú Ii+1Fi Ù TR ⇒(Ii+1)’ ⇒(Fi+1)’Fi Ù TRj⇒ pj for j=0…k-1

• Fi over-approximates the states that are reachable in at most i steps• If Fj+1 ⇒ Fj then Fj is an inductive invariant

R1R2

F2 Rj-1

Rj

Termination

• Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

Notes:– don't need to know when k > d in order to terminate– often termination occurs with k << d

Interpolation-based MC

• Fully SAT-based• Inherits SAT solvers ability to concentrate on facts

relevant to a property• Most effective when– Very large set of facts is available– Only a small subset are relevant to property

• For true properties, appears to converge for smaller k values

• Disadvantage: start from scratch for each k

38 38

IMC WITH INTERPOLATION SEQUENCE

Interpolation Sequence• If A1 Ù … Ù Ak+1 is unsatisfiable, then there exists an

interpolation-sequence I0,I1,…,Ik,Ik+1 for (A1,… ,Ak+1 ) s.t.:I0=T and Ik+1=FIj Ù Aj+1 Þ Ij+1

Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak

• Each Ij can be computed as the interpolant of A=A1 Ù … Ù Aj and B=Aj+1 Ù … Ù Ak– All Ij’s should be computed on the same resolution graph

In particular:A1 ⇒ I1 Ik⇒¬Ak+1

Interpolation Sequence• If A1 Ù … Ù Ak+1 is unsatisfiable, then there exists an

interpolation-sequence I0,I1,…,Ik,Ik+1 for (A1,… ,Ak+1 ) s.t.:I0=T and Ik+1=F

Ij Ù Aj+1 Þ Ij+1

Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak

Computed by pairwise interpolation applied to different cuts of a fixed resolution proof - All Ij’s should be computed on the same resolution graph

Init ∧Tr1 Tr2 Tr3 Tr4 Tr5 ¬pI1 I2 I3 I4 I5

In particular:A1 ⇒ I1 Ik⇒¬Ak+1

Reachability with Interpolation-Sequence

INIT(V0)∧T(V0,V1) ∧ T(V1,V2) ∧ T(V2,V3) ∧…∧ T(Vk-1,Vk) ∧ ¬P(Vk)

A1 A3 Ak Ak+1

I1 I3 Ik

A2

I2

• Unsatisfiable BMC formula partitioned in the following manner:

Vizel , Grumberg, FMCAD 2009

Ij Ù Aj+1 ÞIj+1Ij - over common variables of A1,… ,Aj and Aj+1,… ,Ak+1

I1,1

0 0 1 1 2 2( ) ( , ) ( , ) ( )INIT V T V V T V V p VÙ Ù Ù¬

I1,2I2,2

0 0 1 1( ) ( , ) ( )INIT V T V V p VÙ Ù¬

F1 F2

INIT R1

INIT

R2 R3

F1F2

F3

)'''()''',''()'','()',()( VPVVTVVTVVTVINIT ¬ÙÙÙÙ )'()',()( VPVVTVINIT ¬ÙÙ

I1,1 I2,2I1,2

F1F2

I3,3I2,3I1,3

Analogy to Forward Reachability

BAD ¬p

)'()',()',()( VPVVTVVTVINIT ¬ÙÙÙ

• BMC is used for bug finding

• Interpolation-sequence computes an inductive trace: <F0,F1,…,Fk> from BMC formulas– Safe over-approximations of reachable states– Fi(V) ∧ T(V,V‘) Þ Fi+1(V‘)– Fi Þ P

• Integrated into the BMC loop to detect termination

Checking if a “fixpoint” has been reached

• Does there exist 2 £ n £ k such that Fn Þ Vj=1…n-1 Fj ?

• Similar to checking fixpoint in forward reachability analysis:RkÍ Uj=1…k-1 Rj

• But here we check inclusion for every 2 £ k £ n

– No monotonicity because of the approximation

• “Fixpoint” is checked with a SAT solver

Termination

Always terminates• either when BMC finds a bug: M |¹ AGp• or when all reachable states have been found:

M |= AGp

Problems:• As the BMC formula grows – Interpolants grow

– keep conjoining interpolants from subsequent runs: conjunctions grow

1. “Big” formulas cause the BMC problems to be hard to solve

2. Non-CNF interpolants need to be translated to CNF3. Unrolling of TR multiplies number of variables

47

48 48

IMC: Interpolating Model Checking

N=1

BMCN

SeqItp

trace F = [F0, …, FN]

Is F closed

N:=N+1

CEX

SAFE

SAT

UNSAT

YesNo

49 49

IMC: Strength and Weaknesses

Strength• elegant• global bounded safety proof• many different interpolation algorithms available• easy to extend to SMT theories

Weaknesses• the naïve version does not converge easily– interpolants are weaker towards the end of the sequence

• not incremental– no information is reused between BMC queries

• size of interpolants• hard to guide

50 50

INTERPOLATION

51 51

Alternative Definition of an Interpolant

Let F = A(x, z) ∧ B(z, y) be UNSAT, where x and y are distinct• Note that for any assignment v to z either– A(x, v) is UNSAT, or– B(v, y) is UNSAT

An interpolant is a circuit I(z) such that for every assignment v to z• I(v) = A only if A(x, v) is UNSAT• I(v) = B only if B(v, y) is UNSAT

A proof system S has a feasible interpolation if for every refutation ¼ of F in S, F has an interpolant polynomial in the size of ¼• propositional resolution has feasible interpolation• extended resolution does not have feasible interpolation

52 52

Algorithms for Computing Interpolants

Variable Elimination by Substitution

Variable Elimination by Resolution

Optimizing using an MUS

Interpolating a resolution proof

53 53

Interpolation via Variable Elimination (1)

A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT

Let I(Y) be a formula defined as follows:

Then, I(Y) is an interpolant between A and BPf: I(Y) = ∃ X . A(X, Y)

Question: Is that a good ITP procedure for IMC?

I(Y ) =_

~x2Bn

A(~x),where n = |X|<latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit><latexit sha1_base64="rXTVOtOaVl9zHbI9ZZKbc7r0erc=">AAACN3icbVBNTxsxFPTSQmmgbUqPXJ4agYJUod0KiV6QgF7KpaISgaBsGnmdl8TC613Zb1Mis/+ql/4NbvTSQ6uq1/4DnLAHvkayNJp5T88zSa6kpTC8CuaePJ1feLb4vLa0/OLlq/rrlWObFUZgS2QqM+2EW1RSY4skKWznBnmaKDxJzj5O/ZMxGiszfUSTHLspH2o5kIKTl3r1zwfN0w1Y34E4kcMxYs/FYxTuvIRYaohTTqMkcfvlV6fLEvaalbvxDmLCc3LfRmgQStCwAxfti169EW6GM8BDElWkwSoc9uqXcT8TRYqahOLWdqIwp67jhqRQWNbiwmLOxRkfYsdTzVO0XTfLXcKaV/owyIx/mmCm3t5wPLV2kiZ+chrE3vem4mNep6DBh66TOi8Itbg5NCgUUAbTEqEvDQpSE0+4MNL/FcSIGy7IV13zJUT3Iz8kx+83I8+/bDV296s6Ftkqe8uaLGLbbJd9YoesxQT7zn6y3+xP8CP4FfwN/t2MzgXVzht2B8H/a/uGq24=</latexit>

54 54

Interpolation via Variable Elimination (2)

A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT

Recall that Res*(A, X) stands for all clauses obtained from A by exhaustively resolving on variables in X

Let I(Y) be defined as follows

Then, I(Y) is an interpolant between A and B.Pf: I(Y) = ∃ X . A(X, Y)

Question: Is that a good ITP procedure for IMC?

I(Y ) = {c 2 Res⇤(A) | Vars(c) \X = ;}<latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit><latexit sha1_base64="iZQ3iEfcl8lwUfJrk6s1fyh5Btc=">AAACOXicbVDLSgMxFM34rPVVdekmWJTqQmZE0I1QdaO7KrZWOrVk0tsazGSG5I5QhvktN/6FO8GNC0Xc+gOmtYivA4HDOfeQe08QS2HQdR+ckdGx8YnJ3FR+emZ2br6wsFgzUaI5VHkkI10PmAEpFFRRoIR6rIGFgYTz4Pqw75/fgDYiUmfYi6EZsq4SHcEZWqlVqByXLtbp2h71U059oagfMrwSmJ6CyS7Tjay0v2410f4yakybrMStyllM69RGIYyxZwCpn9FWoehuugPQv8QbkiIZotIq3PvtiCchKOSSGdPw3BibKdMouIQs7ycGYsavWRcalioWgmmmg8szumqVNu1E2j6FdKB+T6QsNKYXBnayv7757fXF/7xGgp3dZipUnCAo/vlRJ5EUI9qvkbaFBo6yZwnjWthdKb9imnG0ZedtCd7vk/+S2tamZ/nJdrF8MKwjR5bJCikRj+yQMjkiFVIlnNySR/JMXpw758l5dd4+R0ecYWaJ/IDz/gEOIaq7</latexit>

55 55

Interpolation with MUS

A(X, Y) and B(Y, Z) be two sets of clauses such that A ∧ B are UNSAT

Let U(X, Y) be a minimal subset of A(X, Y) such that U ∧ B are UNSAT• U can be computed by iteratively querying a SAT solver• or by examining the refutation proof of A ∧ B

Let I(Y) be an interpolant of U and B computed using either of previous methods

Then, I is an interpolant for A and B Pf: ???

Question: Is I(Y) a good interpolant for IMC?

56 56

Alternative Definition of an Interpolant

Let F = A(x, z) ∧ B(z, y) be UNSAT, where x and y are distinct• Note that for any assignment v to z either– A(x, v) is UNSAT, or– B(v, y) is UNSAT

An interpolant is a circuit I(z) such that for every assignment v to z• I(v) = A only if A(x, v) is UNSAT• I(v) = B only if B(v, y) is UNSAT

A proof system S has a feasible interpolation if for every refutation ¼ of F in S, F has an interpolant polynomial in the size of ¼• propositional resolution has feasible interpolation• extended resolution does not have feasible interpolation

57 57

Interpolants from Proof

SAT Solver

Interpolation System

Interpolant

Resolution Proof

Annotated Proof

58 58

McMillan Interpolation Procedure

Let A and B be two sets of clausesLet ! be a resolution proof of A ∧ B è false

Annotated clauses in ! with partial interpolants (Boolean formulae)• Notation: c [p] mean formula p is a partial interpolant of clause c

Augmented resolution calculus, where g(c) is a sub-clause of only global variables

59 59

Interpolation Example

P. Ruemmer. Craig Interpolation in SAT and SMT

60 60

Correctness of McMillan Interpolation

Lemma: In any annotated proof of A and B, for every clause node c [pc]the following are true

Corollary: The root of resolution proof is the empty clause, and its partial interpolant is the interpolant!

A |= pc _ (c \ g(c))B, pc |= g(c)

pc only contains global symbols<latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit><latexit sha1_base64="V/lX7Nq4mwH83rWx/p9OpgueBdA=">AAACU3icbVHLSsNAFJ3Ed31VXboZLEoFkUQEXfrYuFSwKjSlTCY3dXQeIXMjltB/FMGFP+LGhU7aIr7uZg7nnsO990ycSWExCF49f2Jyanpmdq42v7C4tFxfWb2ypsg5tLiRJr+JmQUpNLRQoISbLAemYgnX8f1p1b9+gNwKoy+xn0FHsZ4WqeAMHdWt3x3TrUiZBKSlWZfTyBlo070WUAldWNpr8u3tKKqd7AwFX+qKd/TWyIbwiCU1WvYpNxqZ0E4hTcwktX0VG2kH3Xoj2A2GRf+CcAwaZFzn3fpzlBheKNDIJbO2HQYZdkqWo+ASBrWosJAxfs960HZQMwW2Uw4zGdBNxyQ0ddekbh86ZL87SqZstZlTKoa39nevIv/rtQtMDzul0FmBoPloUFpIioZWAdNE5MDR5ZAIxnPhdqX8luWMo/uGmgsh/H3yX3C1txs6fLHfODoZxzFL1skGaZKQHJAjckbOSYtw8kTeyIdHvBfv3ff9yZHU98aeNfKj/MVPJimwyQ==</latexit>

61 61

Other Interpolation Systems

A single resolution proof can be annotated in different ways giving different interpolants

McMillan interpolation is the strongest interpolant obtained by annotated proof rules from a given proof

There are other annotation strategies and systems for interpolation• Symmetric interpolants: ITP(A,B) == ¬ ITP(B, A)• Labelled interpolation: framework in which McMillan ITP is an instance

So far, no correlation between strength / technique and usefulness for verification J

62 62

Computing Sequence Interpolant

Let S0, S1, S2, …, Sn be n formulas whose conjunction is UNSATLet ITP(A,B) be any interpolation algorithm

Then, the sequence I0, I1, … is a sequence interpolant

I0 = ITP(S0,^

i=1..n

Si)

I1 = ITP(I0 ^ S1,^

i=2..n

Si)

Ik = ITP(Ik�1 ^ Sk,^

i=k..n

Si), for k 2 [1..(n� 1)]<latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit><latexit sha1_base64="6exJQoQ/VGB2nIDbO4K36Npdq3k=">AAACtnicbVFNb9NAEF2brxI+GuDIZUUESiUaeQsSvVSq4EJuQW3aothY6/XYXXm9tnbHQGT5J3Lhxr9hnUYRJJ3T03vz3s7MJrWSFoPgj+ffuXvv/oO9h4NHj5883R8+e35hq8YImItKVeYq4RaU1DBHiQquagO8TBRcJsWnXr/8DsbKSp/jsoao5LmWmRQcHRUPf03jgL45oWHJ8VpiOz2fdeOzOHhLw0TmPyDNIW7lCZtMdEfPYnlAw3AwjdmOp88JFdep62Jb7qONe2UubjG3xSHrNgHFVkCxCXACwk9ss8rQjhY0lJou3HRjfcgOong4CibBquguYGswIuuaxcPfYVqJpgSNQnFrFyyoMWq5QSkUdIOwsVBzUfAcFg5qXoKN2tXZO/raMSntJ8kqjXTF/utoeWntskxcZ7+s3dZ68jZt0WB2HLVS1w2CFjcPZY2iWNH+D2kqDQhUSwe4MNLNSsU1N1yg++mBOwLbXnkXXBxNmMNf3o9OP67PsUdekldkTBj5QE7JZzIjcyK8d95XL/GEf+x/88HPb1p9b+15Qf4rv/4Lpb7NnQ==</latexit>

63 63

DRUPing for Interpolants

A CDCL proof is build out of trivial resolutions• terminated by a learned clause

A sub-proof for each learned clause can be re-constructed in polynomial time• negation of clause + BCP leads to a conflict

A clausal proof is a sequence of learned clauses in the order they are learnedInterpolate while replaying the proof

learnedclause

trivial resolution

A. Gurfinkel & Y. Vizel: DRUPing for interpolats. FMCAD 2014: 99-106

64 64

MiniDRUP

SAT with DRUP proofs

Interpolation-oriented BCP in Trim

Learn near CNF interpolants in Replay

SAT

Trim

Replay

CNF

Clausal Proof

core proof

Interpolant

BCP

BCP +Learning

65 65

DAG Interpolants [TACAS’12]

Given a DAG G = (V, E) and a labeling of edges ¼:E®Expr. A DAG Interpolant (if it exists) is a labeling I:V®Expr such that• for any path v0, …, vn, and 0 < k < n,

I(vk) = ITP (¼(v0) ∧ … ∧ ¼ (vk-1), ¼(vk) ∧ … ∧ ¼(vn))• 8 (u, v) 2 E . (I(u) ∧ ¼ (u, v)) ) I(v)

1

2

3

4 5

7

6

¼1

¼2

¼3 ¼4

¼5¼6

¼7

¼8

I1

I2

I3

I4 I5

I6

I7

I2 = ITP (¼1, ¼8)I2 = ITP (¼1, ¼2 ∧¼3 ∧¼6 ∧ ¼7)…

(I1 ∧ ¼1) ) I2(I2 ∧¼8) ) I7(I2 ∧¼2) ) I3…