1
A Combination Method for Generating Interpolants
by G. Yorsh and M. Musuvathi
Presentation by: Emilia Katz
2
The Goal
• Given:
  – theory T – combination of T1 and T2
  – A and B – two logical T-formulas
  – A ∧ B is unsatisfiable in T
  – efficient interpolant-generation procedures exist for T1 and T2
• Find:
  – interpolant for <A,B>
Notes:
  – if both sub-procedures are polynomial, the resulting procedure will also be polynomial
  – restrictions on T1 and T2 will be seen later…
3
The Idea
• How to find an interpolant efficiently?
  – Derive it from the unsatisfiability proof
• But how? And how to get the proof?
• We don't want to make further assumptions about T1 and T2, so
  – We don't know how their interpolant-generation procedures work
  – We don't know how their decision procedures work
• The idea: use them as black boxes
  – Combine the decision procedures for T1 and T2 into a decision procedure for T (Nelson-Oppen framework…)
  – Use the proof and the interpolant-generation procedures for T1 and T2 to derive an interpolant in T
4
Example
T1 = UIF (uninterpreted functions theory)
T2 = LI (linear inequalities theory)
A ≝ (f(x1)+x2=x3) ∧ (f(y1)+y2=y3) ∧ (y1≤x1)
B ≝ (x2=g(b)) ∧ (y2=g(b)) ∧ (x1≤y1) ∧ (x3<y3)
• UIF and LI satisfy the requirements [assume it for now; we'll return to it later]
• A ∧ B is unsatisfiable [we'll see this in a couple of minutes]
5
Nelson – Oppen framework
… for combining decision procedures
• Given:
  – theory T – combination of T1 and T2
  – A and B – two conjunctions of literals in T
• Goal: is A ∧ B satisfiable in T?
• Assumptions:
  – Σ = Σ1 ∪ Σ2 (denote: Σ = ΣT, Σi = ΣTi)
  – Σ1 ∩ Σ2 = {=}
  – T1, T2 are stably infinite (= every quantifier-free Σi-formula is satisfiable in Ti iff it is satisfied by a Ti-interpretation with infinite domain)
  – T1, T2 have decision procedures for satisfiability of conjunctions of Σi-literals
6
N.-O. framework application example
T1 = UIF (uninterpreted functions theory)
T2 = LI (linear inequalities theory)
A ≝ (f(x1)+x2=x3) ∧ (f(y1)+y2=y3) ∧ (y1≤x1)
B ≝ (x2=g(b)) ∧ (y2=g(b)) ∧ (x1≤y1) ∧ (x3<y3)
1. Purification:
  ALI  = (a1+x2=x3) ∧ (a2+y2=y3) ∧ (y1≤x1)
  AUIF = (a1=f(x1)) ∧ (a2=f(y1))
  BLI  = (x1≤y1) ∧ (x3<y3)
  BUIF = (x2=g(b)) ∧ (y2=g(b))
  (In A: replace f(x1) by a1 and f(y1) by a2, and add the equalities defining a1, a2. In B: no replacements needed.)
7
Application Example – contd.
2. Equality propagation:

  UIF                       LI
  (1) a1 = f(x1)            (5) a1+x2 = x3
  (2) a2 = f(y1)            (6) a2+y2 = y3
  (3) x2 = g(b)             (7) y1 ≤ x1
  (4) y2 = g(b)             (8) x1 ≤ y1
                            (9) x3 < y3
  ----------------------    ----------------------
  (10) x1 = y1              (11) a1 = a2
                            (12) x2 = y2

Under the line in the UIF column: EqLI (the equality derived by LI and propagated to UIF).
Under the line in the LI column: EqUIF (the equalities derived by UIF and propagated to LI).
Unsatisfiable! Theory: LI, with Eq = (a1=a2 ∧ x2=y2)
8
Nelson – Oppen framework (flow)
• Start: A ∧ B in T
• Purification: add new variables to replace objects of the "wrong" type, and equalities "defining" them; result: A1 ∧ B1 in T1 and A2 ∧ B2 in T2
• F1 := A1 ∧ B1; F2 := A2 ∧ B2
• Run the decision procedure for T1 on F1 and the decision procedure for T2 on F2:
  – Unsat. (in either theory) ⇒ "Unsatisfiable!" (found by Ti, with Eq)
  – Sat. (in both) ⇒ equality propagation: equality derivation in T1 (Eq1) and in T2 (Eq2); F2 := F2 ∧ Eq1; F1 := F1 ∧ Eq2; run the decision procedures again
  – no more new equalities ⇒ "Satisfiable!"
9
Theory-specific Interpolant
Given:
• T – first-order theory of signature Σ
• L – a class of quantifier-free Σ-formulas
• ΣT ⊆ Σ – interpreted symbols in T
• A, B ∈ L such that A ∧ B ⊢T ⊥
Then a theory-specific interpolant for <A,B> is ψ ∈ L such that:
1. A ⊢T ψ
2. ψ ∧ B ⊢T ⊥
3. symbols(ψ) ⊆ (symbols(A) ∩ symbols(B)) ∪ ΣT, where symbols(F) is the set of symbols that appear in the formula F
Notes:
  – new requirement: quantifier-free interpolants (for completeness of SAT-checks with interpolants [in subsequent analysis stages])
  – less strict requirement (3): ψ can contain not only AB-common symbols
  – not necessary for the method to work properly
10
Requirement (3) Change Motivation
Example (in the theory of Lisp structures):
A ≝ c2 = car(c1) ∧ c3 = cdr(c1) ∧ ¬atom(c1)
B ≝ c1 ≠ cons(c2,c3)
• the ci are lists
• car(c) = "head" element of the list c
• cdr(c) = "tail" of the list c
• cons(c,d) = concatenation of d after c
• ΣT = {car, cdr, cons, atom}
• A ∧ B ⊢T ⊥
Axiom of T: ∀x (¬atom(x) ⇒ cons(car(x),cdr(x)) = x)
Apply it to x = c1: A ⇒ (c1 = cons(c2,c3)), contradiction with B!
Interpolant (by the new definition): c1 = cons(c2,c3)
"cons" is not AB-common; by the old definition "cons", "atom", "cdr", "car" are not allowed in ψ => no interpolant for <A,B>!
11
Interpolant Generation Method
Assumptions:
• T – combination of the first-order theories T1, T2
• Σ = Σ1 ∪ Σ2
• efficient interpolant-generation procedures exist for T1 and T2 (input: <Ai,Bi> – conjunctions of Σi-literals; output – interpolant as a quantifier-free Σi-formula)
• Restrictions from the Nelson-Oppen framework:
  – Σ1 ∩ Σ2 = {=}
  – T1, T2 are stably infinite
  – T1, T2 have decision procedures for satisfiability of conjunctions of Σi-literals
• T1, T2 are equality-interpolating (to be explained)
• T1, T2 are convex: for a conjunction of literals F, (F ⊢T ⋁i (xi=yi)) ⇒ ∃k. (F ⊢T xk=yk)
Guarantee:
• Output: theory-specific interpolant for <A,B> in T
12
Simple Case
Constraints to be relaxed later:
• A, B – conjunctions of literals (arise from the use of the Nelson-Oppen framework)
Constraints possible to relax:
• T1, T2 are convex theories (relaxed in another work of the authors…)
13
Naïve approach
Given: A ∧ B ⊢T ⊥
• Run the Nelson-Oppen framework for <T1,T2> on A ∧ B in T; the result is either
  – "Satisfiable!", or
  – "Unsatisfiable!" + Eq (propagated equalities) + P (proof of Ai ∧ Bi ∧ Eq ⊢Ti ⊥)
• Give <Ai ∧ Eq|Ai, Bi ∧ Eq|Bi> together with P to the interpolant generation procedure for Ti
• Is the result an interpolant for <A,B>?
14
The problem - example
A ≝ (f(x1)+x2=x3) ∧ (f(y1)+y2=y3) ∧ (y1≤x1)
B ≝ (x2=g(b)) ∧ (y2=g(b)) ∧ (x1≤y1) ∧ (x3<y3)
• Contradiction found by LI between A' = ALI ∧ (a1=a2) and B' = BLI ∧ (x1=y1) ∧ (x2=y2)
• Interpolant found for <A',B'> in LI: ψ = (x2-y2 = x3-y3)
• Is ψ an interpolant for <A,B> in T?
  – ψ ∧ B ⊢T ⊥
  – But A ⊬T ψ: (f(x1)+x2=x3) ∧ (f(y1)+y2=y3) ∧ (y1≤x1) ⊬ (x2-y2 = x3-y3)
  – A ⇒ A' doesn't have to hold => additional information from B might appear in A'
15
Proposed solution: Partial Interpolants
Definition: Projection
Given Θ – conjunction of AB-pure literals
Define Θ|A – conjunction of the A-local literals of Θ,
       Θ|B – conjunction of the B-local and AB-common literals of Θ
Note: Θ = Θ|A ∧ Θ|B
Example: A = (a1=f(x1) ∧ a2=f(y1)), B = (a1=f(x1) ∧ a3=f(y1))
Θ = A ∧ B = (a2=f(y1)) ∧ (a1=f(x1) ∧ a3=f(y1)), with Θ|A = (a2=f(y1)) and Θ|B = (a1=f(x1) ∧ a3=f(y1))
Attach one partial interpolant to each equality propagated in the unsatisfiability proof in the Nelson-Oppen framework
16
Partial Interpolant – defn.
Definition: Theory-specific partial interpolant
A', B' – conjunctions of pure literals in Σi,
e – AB-pure atomic formula generated by the decision procedure for the theory Ti: A' ∧ B' ⊢Ti e
Then:
the theory-specific partial interpolant for e w.r.t. <A',B'>, φi_{A',B'}(e), is the interpolant generated for <A' ∧ (¬e)|A', B' ∧ (¬e)|B'> by Ti's procedure
Notes:
  – thus A' ∧ B' ∧ ¬e ⊢Ti ⊥
  – in our case, symbols(A') ⊆ symbols(A) and symbols(B') ⊆ symbols(B) => the interpolant for e contains only AB-common symbols
17
LI-Partial Interpolant Example
• First equality propagated: e = (x1=y1); A' = ALI, B' = BLI
• (7) ∈ ALI, (8) ∈ BLI
• x1, y1 are AB-common, so (¬e)|A' = ⊤ and (¬e)|B' = ¬(x1=y1)
• Interpolant for < y1≤x1 , (x1≤y1) ∧ ¬(x1=y1) >: φLI_{A',B'}(x1=y1) = (y1≤x1)

  UIF                       LI
  (1) a1 = f(x1)            (5) a1+x2 = x3
  (2) a2 = f(y1)            (6) a2+y2 = y3
  (3) x2 = g(b)             (7) y1 ≤ x1
  (4) y2 = g(b)             (8) x1 ≤ y1
                            (9) x3 < y3
  ----------------------    ----------------------
  (10) x1 = y1
18
Partial Interpolant – contd.
Definition: Partial interpolant
• e – AB-pure equality derived from A ∧ B in the Nelson-Oppen framework by a theory Ti: Ai ∧ Bi ∧ Eq ⊢Ti e (the restriction to AB-pure equalities is the reason for the restriction to equality-interpolating theories)
• Ai, Bi – conjunctions of pure literals
• Eq – a set of AB-pure equalities (derived from A ∧ B by the Nelson-Oppen procedure…)
Partial interpolant for e w.r.t. <A,B>, φA,B(e), is defined inductively:
• Base:
  – e ∈ Ai ⇒ φA,B(e) = ⊥
  – e ∈ Bi ⇒ φA,B(e) = ⊤
• Inductive step: Let A' ≝ Ai ∧ Eq|A, B' ≝ Bi ∧ Eq|B
  φA,B(e) = (φi_{A',B'}(e) ∨ ⋁_{a∈A'} φA,B(a)) ∧ ⋀_{b∈B'} φA,B(b)   (a, b – equalities)
19
Partial interpolant - example
• Find the partial interpolant for <A,B>, φA,B(⊥), from the running example
• Follow the proof step by step
• Step 1: deriving (x1=y1)
  – Ti = LI
  – Eq = ⊤, thus:
  – A' = ALI = (a1+x2=x3) ∧ (a2+y2=y3) ∧ (y1≤x1)
  – B' = BLI = (x1≤y1) ∧ (x3<y3)
  – φA,B(x1=y1) = φLI_{A',B'}(x1=y1) = (y1≤x1)
20
Partial interpolant example – contd.
• Step 2: deriving (a1=a2)
  – Ti = UIF
  – Eq = (x1=y1) (the propagated equality used to derive a1=a2)
  – Eq|A = ⊤, Eq|B = (x1=y1), thus:
  – A' = AUIF = (a1=f(x1)) ∧ (a2=f(y1))
  – B' = BUIF ∧ (x1=y1) = (x2=g(b)) ∧ (y2=g(b)) ∧ (x1=y1)
  – φA,B(a1=a2) = (φUIF_{A',B'}(a1=a2) ∨ ⊥) ∧ ⋀_{b∈B'} φA,B(b)
    (A' = AUIF, so the disjunction over a ∈ A' has only base-case results, i.e. ⊥;
     in the conjunction over b ∈ B' the rest is ⊤ from the base case, so it equals φA,B(x1=y1) = (y1≤x1))
  – φUIF_{A',B'}(a1=a2) = ¬(x1=y1) (from the interpolant-generation procedure of UIF)
  – φA,B(a1=a2) = ¬(x1=y1) ∧ (y1≤x1) = (y1<x1)
21
Partial interpolant example – contd.
• Step 3: deriving (x2=y2)
  – Ti = UIF
  – Eq = ⊤ (no propagated equality is needed to derive x2=y2), thus:
  – A' = AUIF = (a1=f(x1)) ∧ (a2=f(y1))
  – B' = BUIF = (x2=g(b)) ∧ (y2=g(b))
  – φA,B(x2=y2) = φUIF_{A',B'}(x2=y2) =
    = interpolant derived by UIF's procedure for <A' ∧ (¬(x2=y2))|A', B' ∧ (¬(x2=y2))|B'> =
    = interpolant for < (a1=f(x1)) ∧ (a2=f(y1)), (x2=g(b)) ∧ (y2=g(b)) ∧ ¬(x2=y2) >
    (x2, y2 are AB-common: (¬(x2=y2))|A' = ⊤, (¬(x2=y2))|B' = ¬(x2=y2))
  => internal contradiction on the B side => φA,B(x2=y2) = ⊤
22
Partial interpolant example – contd.
• Step 4: deriving ⊥
  – Ti = LI
  – Eq = (x2=y2) ∧ (a1=a2) (the propagated equalities used to derive ⊥)
  – Eq|A = (a1=a2), Eq|B = (x2=y2) (a1, a2 are A-local; x2, y2 are AB-common), thus:
  – A' = ALI ∧ (a1=a2) = (a1+x2=x3) ∧ (a2+y2=y3) ∧ (y1≤x1) ∧ (a1=a2)
  – B' = BLI ∧ (x2=y2) = (x1≤y1) ∧ (x3<y3) ∧ (x2=y2)
  – φA,B(⊥) = (φLI_{A',B'}(⊥) ∨ φA,B(a1=a2)) ∧ φA,B(x2=y2)
    (the base-case literals of A' and B' contribute only ⊥ and ⊤;
     φLI_{A',B'}(⊥) = (x2-y2 = x3-y3) from the interpolant-generation procedure of LI;
     φA,B(a1=a2) = (y1<x1) from Step 2; φA,B(x2=y2) = ⊤ from Step 3)
  => φA,B(⊥) = ((x2-y2 = x3-y3) ∨ (y1<x1)) ∧ ⊤ = (x2-y2 = x3-y3) ∨ (y1<x1)
23
Correctness
Lemma 1:
The partial interpolant φA,B(e) is an interpolant for < A ∧ (¬e)|A, B ∧ (¬e)|B > in the combined theory T.
Corollary: φA,B(⊥) is an interpolant for < A, B >.
24
Equality-interpolating theories
• Restriction on T1, T2: they should be equality-interpolating
Definition: Theory T is equality-interpolating if whenever
  – A, B – formulas of T
  – A ∧ B ⊢T (a=b)
  – a ∈ symbols(A) \ symbols(B), b ∈ symbols(B) \ symbols(A)
=> there exists a term t s.t.
  – A ∧ B ⊢T (a=t) ∧ (b=t)
  – symbols(t) ⊆ symbols(A) ∩ symbols(B)
t is called an equality-interpolating term for (a=b) with respect to <A,B>
Thus propagation of AB-pure equalities only in the Nelson-Oppen framework is indeed enough.
25
Equality-interpolating theories (contd.)
• LI, UIF, Lisp are equality-interpolating theories
• Not all theories are equality-interpolating. Example:
  – theory with two relation symbols, P and Q
  – axiom: ∀a ∀b ∀c. P(a,c) ∧ Q(c,b) ⇒ (a=b)
  – let A ≝ P(a,c), B ≝ Q(c,b)
  – A ∧ B ⊢ (a=b)
  – But: no equality-interpolating term for (a=b)!
26
Relaxing constraints
• Constraints to be relaxed:
  – A, B – conjunctions of literals
• The idea: use
  – Extended Pudlák's algorithm => propositional interpolants for a pair of clause sets (i.e., CNF formulas)
  – Lazy Proof-Explication framework (using a SAT-solver) => checking satisfiability of arbitrary quantifier-free FOL formulas
27
Pudlák's algorithm
• Input:
  – A, B – pair of clause sets
  – A ∧ B ⊢T ⊥
  – a resolution proof of unsatisfiability for A ∧ B
• For each clause c in the proof, define p(c) (the partial interpolant for c; a variant of the one seen before):
  1. (a) c ∈ A ⇒ p(c) := ⊥
     (b) c ∈ B ⇒ p(c) := ⊤
  2. otherwise c is a result of resolution: ∃x,c1,c2. (c = resolve_x(c1,c2)), x – pivot (x ∈ c1, ¬x ∈ c2)
     (a) x ∈ A and x ∉ B (x – A-local) ⇒ p(c) := p(c1) ∨ p(c2)
     (b) x ∈ B and x ∉ A (x – B-local) ⇒ p(c) := p(c1) ∧ p(c2)
     (c) x – AB-common ⇒ p(c) := (x ∨ p(c1)) ∧ (¬x ∨ p(c2))
• p(⊥) is the interpolant for <A,B>
28
Pudlák’s algorithm correctness
• Invariant:
  For each clause c in the proof, p(c) is an interpolant for <gA(c), gB(c)>, where gA(c) = A ∧ (¬c)|A, gB(c) = B ∧ (¬c)|B
• Thus:
  (c = ⊥) ⇒ gA(⊥) = A, gB(⊥) = B
  ⇒ [invariant] p(⊥) is the interpolant for <A,B>
29
Lazy Proof-Explication framework
• Our input – quantifier-free FOL formulas
• Nelson-Oppen framework works on conjunctions of literals
• How to bridge the gap?
• Use a SAT-solver!
30
Lazy Proof-Explication framework (L.P.E.) – flow
Input: φ = A ∧ B
• Propositional abstraction: atomic formulas are replaced by boolean variables; result: φ'
• SAT-solver: satisfiability check of φ'
  – Unsat. ⇒ "Unsatisfiable!" + C (conflict clauses set)
  – Sat. ⇒ satisfying assignment s for φ' (s = conjunction of literals; satisfies φ propositionally)
• Nelson-Oppen framework for <T1,T2> checks s:
  – Sat. ⇒ "Satisfiable!"
  – Unsat. ⇒ φ' := φ' ∧ ¬s; C := C ∪ {¬s} (¬s = new conflict clause); back to the SAT-solver
31
Obtaining the interpolant
• We would like to:
  – give Pudlák's algorithm the proof obtained from the L.P.E. framework
  – obtain an interpolant
• Problem: the base case! (a) c ∈ A ⇒ p(c) := ⊥; (b) c ∈ B ⇒ p(c) := ⊤
• Now possible: c ∉ A and c ∉ B
  – Conflict clauses appear in the proof, and a conflict clause may involve local literals from both A and B
32
L.P.E. framework - observations
• For each conflict clause c ∈ C, ¬c is a conjunction of literals
  – ¬c is unsatisfiable (proven by N.-O.)
  – ¬c contains only literals from A and B
  => every literal in ¬c is AB-pure
• Thus we can apply the previously described method ("simple case") to find an interpolant between (¬c)|A and (¬c)|B
33
Partial Interpolant for Clauses
Definition: Partial interpolant for clauses
• A ∧ B ⊢T ⊥
• C – corresponding set of conflict clauses
• A ∧ B ∧ C – propositionally unsatisfiable
• c – a clause of A, B or C
Partial interpolant for c, φA,B(c), is defined inductively:
• Base:
  – c ∈ A ⇒ φA,B(c) = ⊥
  – c ∈ B ⇒ φA,B(c) = ⊤
• Inductive step: φA,B(c) = interpolant for <(¬c)|A, (¬c)|B> in T (can be calculated by the "simple case" method)
34
Extended Pudlák's algorithm
• Input:
  – <A,B; C> where A, B, C – clause sets (C – set of conflict clauses)
  – A ∧ B ⊢T ⊥
  – a resolution proof of unsatisfiability for A ∧ B
• For each clause c in the proof, define p(c):
  1. c is not a resolution result ⇒ p(c) := φA,B(c)
  2. otherwise, ∃x,c1,c2. (c = resolve_x(c1,c2)) – no change needed here…
     (a) x ∈ A and x ∉ B ⇒ p(c) := p(c1) ∨ p(c2)
     (b) x ∈ B and x ∉ A ⇒ p(c) := p(c1) ∧ p(c2)
     (c) x – AB-common ⇒ p(c) := (x ∨ p(c1)) ∧ (¬x ∨ p(c2))
• p(⊥) is the interpolant for <A,B>
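Pudlák's rules (slide 27) together with the extended base case on this slide, as an added Python example that is not from the paper or this presentation: p(c) is built bottom-up over a small constructed resolution refutation, and the result is then checked against the three interpolant conditions by brute force. The clause and proof encoding, the optional `phi` table for conflict-clause leaves, and the variable ids are my own assumptions.

```python
from itertools import product
# Literals are non-zero ints (v or -v); a clause is a frozenset of literals.
# Steps: (resolvent, pivot x, c1, c2) in derivation order, with x in c1, -x in c2.
# Formulas: True/False, ('var', v), ('not', f), ('and', f, g), ('or', f, g).

def variables(clauses):
    return {abs(lit) for c in clauses for lit in c}

def pudlak(A, B, steps, phi=None):
    """p(c) per clause, returning p(⊥); phi gives φ_{A,B}(c) for conflict-clause leaves."""
    va, vb = variables(A), variables(B)
    # Base case: c ∈ A ⇒ ⊥, c ∈ B ⇒ ⊤, other leaves (conflict clauses) ⇒ φ_{A,B}(c).
    p = {**(phi or {}), **{c: True for c in B}, **{c: False for c in A}}
    for c, x, c1, c2 in steps:
        if x in va and x not in vb:         # A-local pivot
            p[c] = ('or', p[c1], p[c2])
        elif x in vb and x not in va:       # B-local pivot
            p[c] = ('and', p[c1], p[c2])
        else:                               # AB-common pivot
            p[c] = ('and', ('or', ('var', x), p[c1]),
                           ('or', ('not', ('var', x)), p[c2]))
    return p[frozenset()]
def evaluate(f, m):
    if isinstance(f, bool): return f
    if f[0] == 'var': return m[f[1]]
    if f[0] == 'not': return not evaluate(f[1], m)
    lhs, rhs = evaluate(f[1], m), evaluate(f[2], m)
    return (lhs and rhs) if f[0] == 'and' else (lhs or rhs)
def formula_vars(f):
    if isinstance(f, bool): return set()
    if f[0] == 'var': return {f[1]}
    return set().union(*(formula_vars(g) for g in f[1:]))
def is_interpolant(I, A, B):
    """Brute-force check of the three interpolant conditions (propositional case)."""
    va, vb = variables(A), variables(B)
    if not formula_vars(I) <= va & vb: return False   # condition 3: AB-common only
    vs = sorted(va | vb)
    for bits in product((False, True), repeat=len(vs)):
        m = dict(zip(vs, bits))
        sat = lambda cs: all(any(m[abs(lit)] == (lit > 0) for lit in c) for c in cs)
        if (sat(A) and not evaluate(I, m)) or (evaluate(I, m) and sat(B)):
            return False                    # A ⊬ I (cond. 1) or I ∧ B satisfiable (cond. 2)
    return True

# Constructed example: a=1 (A-local), x=2 (AB-common), b=3 (B-local).
# A = (a ∨ x) ∧ (¬a ∨ x) entails x;  B = (¬x ∨ b) ∧ (¬x ∨ ¬b) entails ¬x.
C1, C2, C3, C4 = (frozenset(s) for s in ({1, 2}, {-1, 2}, {-2, 3}, {-2, -3}))
A_CLAUSES, B_CLAUSES = {C1, C2}, {C3, C4}
UNIT_X, UNIT_NX, EMPTY = frozenset({2}), frozenset({-2}), frozenset()
STEPS = [(UNIT_X, 1, C1, C2), (UNIT_NX, 3, C3, C4), (EMPTY, 2, UNIT_X, UNIT_NX)]
def example():
    return pudlak(A_CLAUSES, B_CLAUSES, STEPS)   # a formula equivalent to x
```

The A-local pivot a gives ⊥ ∨ ⊥, the B-local pivot b gives ⊤ ∧ ⊤, and the shared pivot x combines them into (x ∨ ⊥) ∧ (¬x ∨ ⊤), i.e. the shared variable itself.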
35
Extended algorithm correctness
• Enough to show that the invariant is maintained, i.e., for each clause c in the proof, p(c) is an interpolant for <gA(c), gB(c)>, where gA(c) = A ∧ (¬c)|A, gB(c) = B ∧ (¬c)|B
• Observation: in the base case,
  – c ∈ A ⇒ φA,B(c) = ⊥ ⇒ p(c) := ⊥ (as in the original algorithm) ⇒ old proof works
  – c ∈ B ⇒ φA,B(c) = ⊤ ⇒ p(c) := ⊤ (as in the original algorithm) ⇒ old proof works
  – new case: c ∉ A and c ∉ B ⇒ need new proof
36
Extended algorithm correctness (2)
• Base case:
  – left to prove for the case c ∉ A and c ∉ B
  – then φA,B(c) is an interpolant for <(¬c)|A, (¬c)|B> (by definition)
  ⇒ ((¬c)|A ⊢ φA,B(c)) ⇒ ((A ∧ (¬c)|A) ⊢ φA,B(c))
  ⇒ (φA,B(c) ∧ (¬c)|B ⊢ ⊥) ⇒ ((B ∧ (¬c)|B) ∧ φA,B(c) ⊢ ⊥)
  – thus p(c) = φA,B(c) is indeed an interpolant for <A ∧ (¬c)|A, B ∧ (¬c)|B> in T
• Induction step:
  – the proof relied only on the fact that the invariant holds in the base case => the old proof stays correct
37
Conclusions
• Presented: an efficient and modular method for interpolant generation
• Generic, not theory-specific method
• Easy to incrementally extend interpolant generation to additional theories
• Uses the Nelson-Oppen framework in a modular way, and in case of its improvement can easily connect to the new version
38
Thank you!