1
A Combination Method for Generating Interpolants
Greta Yorsh
Madan Musuvathi
Tel Aviv University, Israel
Microsoft Research, Redmond, US
CAV’05
2
Craig Interpolation Theorem
• A, B first-order formulas
• If A ∧ B ⊨ ⊥ then there exists a first-order formula C such that
  1. A ⊨ C
  2. C ∧ B ⊨ ⊥
  3. C refers only to AB-common symbols
• C is an interpolant for (A,B)
3
Motivation
• Abstraction
  – forget some information about the system
  – preserve enough information to show that an error state is not reachable
• Interpolation
  – forget some information about A
  – preserve enough information to show that B is unsatisfiable
4
Motivation
• Bounded Model Checking [McMillan, CAV’03]
  – abstraction of reachable states
  – completeness
[Figure: A-part: initial states and states reachable in k steps; B-part: error states; interpolant C separates them]
5
Motivation
• Bounded model checking [McMillan, CAV’03]
  – propositional (hardware) and first-order (software)
• Predicate abstraction refinement [HJMS, POPL’04]
  – first-order
• Computation of the abstract transition relation [McMillan et al., CAV’05]
  – propositional
• Exploit prover’s ability to focus on relevant facts
6
Interpolant Generation
• Craig interpolation theorem [’57]
  – (full) first-order logic
  – existence of interpolants (cut elimination)
• Pudlak [‘95], Krajicek [’95]
  – propositional logic
• Pudlak [‘95]
  – linear inequalities (LI)
• McMillan [TACAS’04]
  – uninterpreted functions (UF)
  – the combined theory of UF and LI (with boolean combinations)
7
Nelson-Oppen Combination Method
• Satisfiability in a combined theory [’79]
• Given
  – P1 is a decision procedure for satisfiability in T1
  – P2 is a decision procedure for satisfiability in T2
• Combines P1 and P2 into a decision procedure for satisfiability in the combined theory T = T1 ∪ T2
8
Interpolant Generation in Combined Theory
• Given
  – P1 is an interpolant generation procedure for T1
  – P2 is an interpolant generation procedure for T2
• How to combine P1 and P2 into an interpolant generation procedure for the combined theory T = T1 ∪ T2?
9
Outline
• Notations
• Partial interpolants
• Example
• Equality-interpolating theories
• Conclusions
10
First-Order Theory T
• ⊨_T: entailment modulo theory T
• Σ: signature
  – constant, function and relation symbols
  – equality =
• L is a set of Σ-formulas
  – assume L is a (quantifier-free) conjunction of Σ-literals
• Σ_T ⊆ Σ: interpreted symbols
  – theory of linear inequalities: +, <
  – theory of Lisp structures: car, cdr, cons, atom
11
Example Theories
• UF – Uninterpreted Functions: Σ contains uninterpreted function symbols f, g, ...; Σ_T is empty
  – example: f(a,b) = g(c)
• LI – Linear Inequalities: Σ_T contains +, <, 0, 1, 2, ...
  – example: a < b + 2*c
• Lisp structures: Σ_T = { car, cdr, cons, atom }
  – example: car(a) = cons(car(b),cdr(c))
12
Theory-Specific Interpolants
• A, B are formulas in L
• If A ∧ B ⊨_T ⊥ then there exists a formula C in L such that
  1. A ⊨_T C
  2. C ∧ B ⊨_T ⊥
  3. C refers only to AB-common symbols or to symbols in Σ_T
• C is an interpolant in theory T for (A,B)
13
Example: Lisp Structures
– A-local symbols: a, car, cdr, atom
– B-local symbols: b, cons
– AB-common symbols: c1, c2, c3
– Σ_T is { car, cdr, cons, atom }
A: car(a) = c2, c3 = cdr(a), a = c1, ¬atom(c1)
B: ¬(b = cons(c2,c3)), c1 = b
• Interpolant for (A,B) in Lisp theory is c1 = cons(c2,c3)
14
Combined Theory T
• First-order theory T defined as a combination of T1 and T2
  – T is T1 ∪ T2 (union of axioms / intersection of sets of models)
  – Σ is Σ1 ∪ Σ2
  – Σ_T is Σ_T1 ∪ Σ_T2
  – disjoint signatures: Σ_T1 ∩ Σ_T2 is { = }
15
Interpolants in Combined Theory
T is UF ∪ LI
A (UF): a1 = f(x1), a2 = f(y1)
A (LI): a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1
B (UF): x2 = g(b), y2 = g(b)
B (LI): x1 ≤ y1, x3 < y3
• A is (f(x1) + x2 = x3) ∧ (f(y1) + y2 = y3) ∧ (y1 ≤ x1)
• B is (x2 = g(b)) ∧ (y2 = g(b)) ∧ (x1 ≤ y1) ∧ (x3 < y3)
• Purify A and B separately
  – AUF ∧ ALI is the result of purify(A)
  – BUF ∧ BLI is the result of purify(B)
16
Interpolants in Combined Theory
T is UF ∪ LI
A (UF): a1 = f(x1), a2 = f(y1)
A (LI): a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1
B (UF): x2 = g(b), y2 = g(b)
B (LI): x1 ≤ y1, x3 < y3
• Find an interpolant C for (A,B)
  – C in UF ∪ LI
  – C uses only AB-common symbols or interpreted symbols of UF ∪ LI (+, <, and x1, x2, x3, y1, y2, y3)
17
Interpolant Generation in Combined Theory
• Given
  – P1 is a decision procedure for T1
  – P2 is a decision procedure for T2
• Combine P1 and P2 into an interpolant generation procedure for the combined theory T = T1 ∪ T2
18
Requirements
• Requirement on procedure P1 (same for P2)
  – P1 is a decision procedure for satisfiability of T1
  – if the input is satisfiable, P1 generates a new consequence (an equality between variables)
  – if the input, of the form A ∧ B, is unsatisfiable in T1, P1 generates an interpolant for A and B in T1
• Requirement on T1 (and T2)
  – stably-infinite
  – convex
  – equality-interpolating
19
Equality Propagation
P_UF:  AUF: a1 = f(x1), a2 = f(y1)                 BUF: x2 = g(b), y2 = g(b)
P_LI:  ALI: a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1    BLI: x1 ≤ y1, x3 < y3
Propagated equalities: x1=y1 (derived by P_LI), x2=y2 (derived by P_UF), a1=a2 (derived by P_UF)
CLI is an interpolant for ALI ∧ (a1=a2) and BLI ∧ (x2=y2)
CLI is x2 - y2 = x3 - y3
CLI is not an interpolant for (A,B)
[Figure: each propagated equality is annotated with a box [ ? ]; the final refutation is annotated with [ CLI ]]
20
Observation
• CLI is an interpolant for ALI ∧ (a1=a2) and BLI ∧ (x2=y2)
• CLI is not an interpolant for (A,B)
  – ALI ∧ (a1=a2) ⊨_T CLI but A ⊭_T CLI
  – a1=a2 follows from A ∧ B, but not from A alone
• How to “lift” CLI to an interpolant for (A,B)?
21
The idea
• Whenever a new equality is generated by a component procedure P1 (or P2), P1 also generates a formula [ ? ]
  – “explains” the equality
  – uses only AB-common symbols
  – partial interpolant
• An interpolant for (A,B) in UF ∪ LI is a boolean combination of CLI and [ ? ], ..., [ ? ]
22
Theory-Specific Partial Interpolants
P1, given A1 and B1, derives x=y
• A1 ∧ B1 ⊨_T1 x=y
• A1 ∧ B1 ∧ ¬(x=y) ⊨_T1 ⊥
23
Theory-Specific Partial Interpolants
P1, given A1 and B1, derives x=y annotated with [ CT1(x=y) ]
• A1 ∧ B1 ⊨_T1 x=y
• A1 ∧ B1 ∧ ¬(x=y) ⊨_T1 ⊥
• CT1(x=y) is a theory-specific partial interpolant of x=y for A1 and B1 in theory T1
  – interpolant for A1 and B1 ∧ ¬(x=y) if x, y are B-local or AB-common
  – interpolant for A1 ∧ ¬(x=y) and B1 if x, y are A-local or AB-common
24
Partial Interpolants
P1, given A1 ∧ (a=a’) and B1 ∧ (b=b’), where the propagated equalities carry [ C(a=a’) ] and [ C(b=b’) ], derives x=y annotated with [ CT1(x=y) ]
• CT1(x=y) is a theory-specific partial interpolant of x=y for A1 ∧ (a=a’) and B1 ∧ (b=b’) in theory T1
• C(x=y), a partial interpolant of x=y for A and B in T1 ∪ T2, is a boolean combination of CT1(x=y), C(a=a’) and C(b=b’)
25
Example
P_UF:  AUF: a1 = f(x1), a2 = f(y1)                 BUF: x2 = g(b), y2 = g(b)
P_LI:  ALI: a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1    BLI: x1 ≤ y1, x3 < y3
x1=y1 [ y1 ≤ x1 ]
CUF(a1=a2) for AUF and BUF ∧ (x1=y1) is an interpolant for AUF ∧ ¬(a1=a2) and BUF ∧ (x1=y1): ¬(x1=y1)
C(a1=a2) for A and B is CUF(a1=a2) ∧ C(x1=y1)
  = ¬(x1=y1) ∧ y1 ≤ x1
a1=a2 [ y1 < x1 ]
26
Example
P_UF:  AUF: a1 = f(x1), a2 = f(y1)                 BUF: x2 = g(b), y2 = g(b)
P_LI:  ALI: a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1    BLI: x1 ≤ y1, x3 < y3
x1=y1 [ y1 ≤ x1 ]
a1=a2 [ y1 < x1 ]
x2=y2 [ ]
CLI(⊥) is an interpolant for ALI ∧ (a1=a2) and BLI ∧ (x2=y2)
CLI(⊥) is x2 - y2 = x3 - y3
C(⊥) for A and B is (x2 - y2 = x3 - y3) ∨ (y1 < x1)
27
Example
P_UF:  AUF: a1 = f(x1), a2 = f(y1)                 BUF: x2 = g(b), y2 = g(b)
P_LI:  ALI: a1 + x2 = x3, a2 + y2 = y3, y1 ≤ x1    BLI: x1 ≤ y1, x3 < y3
x1=y1 [ y1 ≤ x1 ]
a1=a2 [ y1 < x1 ]
x2=y2 [ ]
An interpolant C for A and B is [ (x2 - y2 = x3 - y3) ∨ (y1 < x1) ]
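The lifting steps of this example, worked through in added Python that is not code from the slides or the paper: partial interpolants are built as (text, predicate) pairs, combined as on the example slides, and the final C is checked against A and B by exhaustive search on a small integer domain. The combination used (conjoin with partial interpolants of B-side equalities, disjoin with those of A-side equalities) is read off the example and is assumed here to be the general rule.

```python
from itertools import product

# Added example, not code from the slides or the paper. A formula is a pair
# (text, predicate over an environment dict): partial interpolants can be
# printed and also checked by brute force on a small integer domain.
TRUE = ("true", lambda e: True)
def conj(p, q): return (f"({p[0]} and {q[0]})", lambda e: p[1](e) and q[1](e))
def disj(p, q): return (f"({p[0]} or {q[0]})", lambda e: p[1](e) or q[1](e))

def lift(c_t1, a_side=(), b_side=()):
    """Lift theory-specific partial interpolant c_t1 to one for (A, B).
    a_side/b_side: partial interpolants of the propagated equalities P1 used
    on its A side / B side. Combination (as on the example slides; a case
    split on whether each propagated equality holds justifies it):
        (c_t1 and all C(b=b')) or any C(a=a')"""
    c = c_t1
    for cb in b_side: c = conj(c, cb)
    for ca in a_side: c = disj(c, ca)
    return c

# Worked example: the derivation on slides 25-27.
# P_LI derives x1=y1 from y1<=x1 (in A) and x1<=y1 (in B); x1,y1 are
# AB-common, so C_LI(x1=y1) is y1<=x1 and there is nothing to lift.
C_x1y1 = lift(("y1<=x1", lambda e: e["y1"] <= e["x1"]))
# P_UF derives a1=a2 from A_UF and B_UF /\ (x1=y1) (x1=y1 put on the B side);
# a1,a2 are A-local, so C_UF(a1=a2) is not(x1=y1).
C_a1a2 = lift(("x1!=y1", lambda e: e["x1"] != e["y1"]), b_side=[C_x1y1])
# x2=y2 follows from B_UF alone: its partial interpolant is just true.
C_x2y2 = lift(TRUE)
# P_LI refutes A_LI /\ (a1=a2) and B_LI /\ (x2=y2) with C_LI = (x2-y2 = x3-y3).
C_LI = ("x2-y2=x3-y3", lambda e: e["x2"] - e["y2"] == e["x3"] - e["y3"])
C_final = lift(C_LI, a_side=[C_a1a2], b_side=[C_x2y2])

def is_interpolant(c, dom=range(3)):
    """Exhaustively check both Craig conditions on dom: every model of A
    satisfies c and no model of B does. f ranges over all functions
    dom -> dom, and a1, a2, x3, y3 are fixed by A's equations; B uses g(b)
    only to force x2 = y2, so g need not be enumerated."""
    for f in product(dom, repeat=len(dom)):
        for x1, y1, x2, y2 in product(dom, repeat=4):
            if y1 <= x1:
                env = dict(x1=x1, y1=y1, x2=x2, y2=y2, x3=f[x1] + x2, y3=f[y1] + y2)
                if not c[1](env):
                    return False
    for x1, y1, x2, x3, y3 in product(dom, repeat=5):
        if x1 <= y1 and x3 < y3 and c[1](dict(x1=x1, y1=y1, x2=x2, y2=x2,
                                              x3=x3, y3=y3)):
            return False
    return True
```

`is_interpolant(C_LI)` reproduces the Observation slide (C_LI alone fails on the A side because a1=a2 is not a consequence of A), while the lifted `C_final` passes both conditions.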
28
Theory-Specific Partial Interpolants
P1, given A1 and B1, derives e annotated with [ CT1(e) ]
• CT1(e) is a theory-specific partial interpolant of e for A1 and B1 in theory T1
  – interpolant for A1 and B1 ∧ ¬e if e is B-local or AB-common
  – interpolant for A1 ∧ ¬e and B1 if e is A-local or AB-common
  – if e is a=b with a A-local and b B-local:
    – interpolant for A1 and B1 ∧ ¬(a=b)?
    – interpolant for A1 ∧ ¬(a=b) and B1?
... to B or not to B?
29
Equality-Interpolating Theory
• If A ∧ B ⊨_T (a = b)
  – a is A-local, b is B-local
• then there exists a term t
  – A ∧ B ⊨_T (a = t) ∧ (t = b)
  – t refers to AB-common symbols only
• Equality-interpolating: UF, LI, Lisp
  – easy to extend the existing decision procedures to generate such terms t
30
Requirements
• Requirement on P1 (and P2)
  – P1 is a decision procedure for satisfiability of T1
  – if the input is satisfiable, P1 generates a new consequence (an equality between variables)
  – if the input, of the form A ∧ B, is unsatisfiable in T1, P1 generates an interpolant for A and B in T1
• Requirement on T1 (and T2)
  – stably-infinite
  – convex
  – equality-interpolating
31
Summary
• A method for generating interpolants for combined theories
  – interpolant-generation procedures P1, P2 used as black-boxes
  – on top of a Nelson-Oppen procedure
  – propagate partial interpolants
  – equality-interpolating theories
• Can be integrated within existing tools
  – Simplify, Verifun, ICS, CVCLite, Zap
• Extensions
  – arbitrary quantifier-free formulas, non-convex theories, non-disjoint signatures, quantifiers
• Application to software model-checking
• More support for operations modulo theories
  – join, widening, predicate abstraction, counter-example generation