1

A Combination Method for A Combination Method for Generating InterpolantsGenerating Interpolants

Greta Yorsh

Madan Musuvathi

Tel Aviv University, Israel

Microsoft Research, Redmond, US

CAV’05

2

Craig Interpolation TheoremCraig Interpolation Theorem

• A, B first-order formulas

• If A B then there exists a first-order formula C

1. A C2. C B 3. C refers only to AB-common

symbols

• C is an interpolant for (A,B)

3

MotivationMotivation

• Abstraction– forget some information about the system – preserve enough information to show that

an error state is not reachable

• Interpolation– forget some information about A – preserve enough information to show that

B is unsatisfiable

4

MotivationMotivation

• Bounded Model Checking [McMillan, CAV’03]

– abstraction of reachable states – completeness

initial errorreachable in k steps

A-part B-part

C

5

MotivationMotivation

• Bounded model checking [McMillan, CAV’03]

– propositional (hardware) and first-order (software)

• Predicate abstraction refinement [HJMS, POPL’04] – first-order

• Computation of the abstract transition relation [McMillan et al., CAV’05]– propositional

• Exploit prover’s ability to focus on relevant facts

6

Interpolant GenerationInterpolant Generation• Craig interpolation theorem [’57]

– (full) first-order logic– existence of interpolants (cut elimination)

• Pudlak [‘95], Krajicek [’95]– propositional logic

• Pudlak [‘95]– linear inequalities (LI)

• McMillan [TACAS’04]– uninterpreted functions (UF)– the combinated theory of UF and LI

(with boolean combinations)

7

Nelson-Oppen Nelson-Oppen Combination MethodCombination Method

• Satisfiability in a combined theory [’79]

• Given– P1 is a decision procedure for satisfiability in T1

– P2 is a decision procedure for satisfiability in T2

• Combines P1 and P2 into a decision procedure for satisfiability in the combined theory T = T1 T2

8

Interpolant Generation Interpolant Generation in Combined Theory in Combined Theory

• Given– P1 interpolant generation procedure for T1

– P2 interpolant generation procedure for T2

• How to combine P1 and P2 into an interpolant generation procedure for the combined theory T = T1 T2 ?

9

OutlineOutline

• Notations

• Partial interpolants

• Example

• Equality-interpolating theories

• Conclusions

10

First-Order Theory First-Order Theory TT

T entailment modulo theory T

signature– constant, function and relation symbols– equality =

• L is a set of -formulas – assume L is (quantifier free) conjunction of -literals

interpreted symbols– theory of linear inequalities: + , < – theory of Lisp structures: car, cdr, cons, atom

11

Example TheoriesExample Theories

• UF – Uninterpreted Functions contains uninterpreted function symbols: f,g,... is empty – example: f(a,b) = g(c)

• LI - Linear Inequalities contains + , < , 0, 1, 2, ... – example: a < b + 2*c

• Lisp structures = { car, cdr, cons, atom }– example: car(a) = cons(car(b),cdr(c))

12

Theory-Specific InterpolantsTheory-Specific Interpolants

• A, B are formulas in L

• If A B T

then there exists a formula C in L

1. A T C

2. C B T

3. C refers only to AB-common symbols or to symbols in

• C is an interpolant in theory T for (A,B)

13

Example: Lisp StructuresExample: Lisp Structures

– A-local symbols: a, car,cdr,atom– B-local symbols: b, cons

– AB-common symbols: c1,c2,c3

is { car, cdr, cons, atom }

A B

car(a) = c2

c3 = cdr(a)

a = c1

atom(c1)

(b = cons(c2,c3))

c1 = b

• Interpolant for (A,B) in Lisp theory is c1 = cons(c2,c3)

14

Combined Theory TCombined Theory T

• First-order theory T defined as a combination of T1 and T2

– T is T1 T2

(union of axioms / intersection of sets of models)

is 1 1

is 1 2

– disjoint signatures: 1 2 is { = }

15

Interpolants in Combined TheoryInterpolants in Combined Theory

A B

UFa1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)

LI

a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

• A is (f(x1) + x2 = x3)(f(y1) + y2 = y3)(y1 x1)

• B is (x2 = g(b))(y2 = g(b))(x1 y1)(x3 < y3)

• Purify A and B separatelyseparately– AUF ALI is the result of purify(A)– BUF BLI is the result of purify(B)

T is UF LI

16

Interpolants in Combined TheoryInterpolants in Combined Theory

A B

UFa1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)

LI

a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

• Find an interpolant C for (A,B)– C in UF LI

– C uses only AB-common symbols or interpreted symbols UF LI

(+,<, x1,x2,x3,y1,y2,y3)

T is UF LI

17

Interpolant Generation Interpolant Generation in Combined Theory in Combined Theory

• Given– P1 is a decision procedure for T1

– P2 is a decision procedure for T2

• Combine P1 and P2 into an interpolant generation procedure for the combined theory T = T1 T2

18

RequirementsRequirements

• Requirement on procedure P1 (same for P2)– P1 is a decision procedure for satisfiability of T1

– if input is satisfiable P1 generates a new consequence (equality between variables)

– if input of the form AB is unsatisfiable in T1, P1 generates an interpolant for A and B in T1

• Requirement on T1 (and T2)– stably-infinite– convex– equality-interpolating

19

Equality PropagationEquality Propagation

PPUFUFPPUFUF PPLILIPPLILI

a1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

AUF BUF ALI BLI

x1=y1

x2=y2

a1=a2

CLI is interpolant for ALI(a1=a2) and BLI(x2=y2)

CLI is x2-y2 = x3-y3

CLI is not an interpolant for (A,B)

[ CLI ][ ? ][ ? ]

[ ? ][ ? ]

[ ? ][ ? ]

20

ObservationObservation

• CLI is interpolant for ALI(a1=a2) and BLI(x2=y2)

• CLI is not an interpolant for (A,B)

– ALI (a1=a2) T CLI but A T CLI

– a1=a2 follows from A B, but not A alone

• How to “lift” CLI to an interpolant for (A,B) ?

21

The ideaThe idea

• Whenever a new equality generated by a component procedure P1 (or P2),

P1 also generates a formula [?]– “explains” the equality– uses only AB-common symbol– partial interpolant

• An interpolant for (A,B) in UFLI is a boolean combination of CLI and [?],...,[?]

22

Theory-Specific Partial InterpolantsTheory-Specific Partial Interpolants

PP11PP11

A1 B1

x=y

• A1 B1 T1 x=y

• A1 B1 (x=y) T1

23

Theory-Specific Partial InterpolantsTheory-Specific Partial Interpolants

PP11PP11

A1 B1 x=y• A1 B1 T1 x=y

• A1 B1 (x=y) T1

[ C[ CT1T1 ] ]

• CCT1T1(x=y)(x=y) a theory-specific theory-specific partialpartial interpolant of x=y

for A1 and B1 in theory T1 – interpolant for A1 and B1 (x=y)

if x,y B-local AB-common – interpolant for A1 (x=y) and B1

if x,y A-local AB-common

24

• CCT1T1(x=y)(x=y) is a theory-specific partial interpolant of x=y

for A1(a=a’) and B1(b=b’)

in theory T1

• C(x=y)C(x=y) a partial interpolant

of x=y for A and B in T1T2

is a boolean combination of CT1(x=y) and C(a=a’) and C(b=b’)

Partial InterpolantsPartial Interpolants(a=a’)A1 B1(b=b’)

x=y[ ? ][ ? ]

[ C(a=a’) ] [ C(b=b’) ]

PP11PP11

[ C[ CT1T1(x=y) ](x=y) ]

25

ExampleExample

PPUFUFPPUFUF PPLILIPPLILI

a1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

AUF BUF ALI BLI

CUF(a1=a2) for AUF and BUF(x1=y1) is

an interpolant for AUF(a1=a2) and BUF(x1=y1)

x1=y1 [ y1 x1 ]

C(a1=a2) for A and B is CUF(a1=a2) C(x1=y1)

(x1= y1)

a1=a2

(x1=y1) y1 x1

[ y1 < x1 ]

26

ExampleExample

PPUFUFPPUFUF PPLILIPPLILI

a1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

AUF BUF ALI BLI

x1=y1 [ y1 x1 ]

a1=a2 [ y1 < x1 ]

C() for A and B is x2-y2=x3-y3 y1<x1

CLI() interpolant for ALI(a1=a2) and BLI(x2=y2)

CLI() is x2-y2 = x3-y3

x2=y2[ ]

27

PPUFUFPPUFUF PPLILIPPLILI

a1 = f(x1)a2 = f(y1)

x2 = g(b)

y2 = g(b)a1 + x2 = x3

a2 + y2 = y3

y1 x1

x1 y1

x3 < y3

AUF BUF ALI BLI

x1=y1 [ y1 x1 ]

a1=a2 [ y1 < x1 ]

x2=y2[ ]

An interpolant C for A and B is [x2-y2=x3-y3 y1<x1]

ExampleExample

28

Theory-Specific Partial InterpolantsTheory-Specific Partial Interpolants

PP11PP11

A1 B1

e [ C[ CT1T1(e) ](e) ]

• CCT1T1(e)(e) a theory-specific theory-specific partialpartial interpolant of e

for A1 and B1 in theory T1 – interpolant for A1 and B1 e

if e B-local AB-common – interpolant for A1 e and B1

if e A-local AB-common

– if e is a=b a is A-local, b is B-local

– interpolant for A1 and B1 (a=b) ?– interpolant for A1 (a=b) and B1 ?

... to B or not to B ?

29

Equality-Interpolating TheoryEquality-Interpolating Theory

• If A B T (a = b)

– a is A-local, b is B-local

• then there exists a term t – A B T (a = t) (t = b)

– t refers to AB-common symbols only

• Equality-interpolating: UF, LI, Lisp– easy to extend the existing decision

procedures to generate such terms t

30

RequirementsRequirements

• Requirement on P1 (and P2)– P1 is a decision procedure for satisfiability of T1

– if input is satisfiable P1 generates a new consequence (equality between variables)

– if input of the form AB is unsatisfiable in T1, P1 generates an interpolant for A and B in T1

• Requirement on T1 (and T2)– stably-infinite– convex– equality-interpolating

31

SummarySummary

• A method for generating interpolants for combined theories– interpolant-generation procedures P1, P2 used as black-boxes– on top of a Nelson-Oppen procedure– propagate partial interpolants– equality-interpolating theories

• Can be integrated within existing tools– Simplify, Verifun, ICS, CVCLite, Zap

• Extensions– arbitrary quantifier-free formulas, non-convex theories,

non-disjoint signatures, quantifiers

• Application to software model-checking• More support for operations modulo theories

– join, widening, predicate abstraction, counter-example generation