Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A...
Transcript of Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A...
![Page 1: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/1.jpg)
Interpolant Strength
V. D’Silva, D. Kroening, M. Purandare, G. Weissenbacher
University of Oxford and ETH Zurich
VMCAI, Madrid, 18th of January, 2010
![Page 2: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/2.jpg)
Motivation
Verification with Model Checking And Interpolation
Craig-interpolation commonly applied in model checkingused to compute approximate images
Strongest interpolant not necessarily the best oneCoarse approximations can lead to faster convergence
Range of interpolants exists
but existing interpolation systems can only generate one
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 2 / 30
![Page 3: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/3.jpg)
Outline
BackgroundWhat is a Craig interpolant?Interpolant-based model checkingInterpolation for propositional logic
A novel, more general interpolation system
Interpolant strength
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 3 / 30
![Page 4: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/4.jpg)
What is a Craig interpolant?
“Traditional” definition [William Craig, 57]:A ⇒ I ⇒ Call non-logical symbols in I occur in A as well as in C
A
C
I
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 4 / 30
![Page 5: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/5.jpg)
What is a Craig interpolant?
Common definition for automated verification:A ⇒ I and I ∧ B inconsistentall non-logical symbols in I occur in A as well as in B
C
I
B=¬C
“bad states”
“reachable”A
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 5 / 30
![Page 6: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/6.jpg)
Bounded Model Checking
s0
T(s0,s1) T(s1,s2)
s1s2
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 6 / 30
![Page 7: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/7.jpg)
Interpolant-based Model Checking
T(s0,s1) T(s1,s2)
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 7 / 30
![Page 8: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/8.jpg)
Interpolant-based MC: Property Preserving Approximation
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 8 / 30
![Page 9: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/9.jpg)
Interpolant-based MC: Property Preserving Approximation
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 8 / 30
![Page 10: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/10.jpg)
Interpolant-based MC: Property Preserving Approximation
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 8 / 30
![Page 11: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/11.jpg)
Interpolant-based Model Checking: Iteration
T(s1,s2)
s1s2
T(s0,s1)
s0
I
Bad states
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 9 / 30
![Page 12: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/12.jpg)
Example: Counting State Machine
x0 = 0
T (xi , xi+1) ≡ (xi+1 := xi + 2)
Property: x 6= 7
s0 ∪ I Strongest Intermediate Interpolant Weakest{0} xi = 2 xi%2 = 0 (xi + 2) 6= 7{0, 2} xi ∈ {2, 4} xi%2 = 0 . . .
{0, 2, 4} xi ∈ {2, 4, 6} xi%2 = 0 . . .
{0, 2, 4, . . .} xi ∈ {2, 4, 6, . . .} xi%2 = 0 . . .
Strongest interpolant delays convergence
Weakest interpolant results in spurious counterexample
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 10 / 30
![Page 13: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/13.jpg)
Resolution for CNF Formulas
CNF formula: A conjunction of clauses∧i
∨j
`i,j , `i,j ∈ {a, a | a ∈ Variables}
e.g.,a1 ∧ (a1 ∨ a2) ∧ (a1 ∨ a2) ∧ a1
Resolution proofs
(C ∨ a) (D ∨ a)
C ∨ D[Res]
a1
a1a2 a1a2 a1
a2
a1
�
Naturally generated by modern SAT solvers
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 11 / 30
![Page 14: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/14.jpg)
Resolution for CNF Formulas
CNF formula: A conjunction of clauses∧i
∨j
`i,j , `i,j ∈ {a, a | a ∈ Variables}
e.g.,a1 ∧ (a1 ∨ a2) ∧ (a1 ∨ a2) ∧ a1
Resolution proofs
(C ∨ a) (D ∨ a)
C ∨ D[Res]
a1
a1a2 a1a2 a1
a2
a1
�Naturally generated by modern SAT solvers
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 11 / 30
![Page 15: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/15.jpg)
Colouring Formulas
A ≡ a1 ∧ (a1 ∨ a2) B ≡ (a1 ∨ a2) ∧ a1
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 12 / 30
![Page 16: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/16.jpg)
Interpolants from Resolution Proofs
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 13 / 30
![Page 17: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/17.jpg)
Interpolants from Resolution Proofs
Interpolant I is a circuit following the structure of the proofIn our example, I is
T if input values make a1 ∧ (a1 ∨ a2) trueF if input values make (a1 ∨ a2) ∧ a1 true
a1
a1a2 a1a2 a1
a2
a1
�
a1a2 T T
a1
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 14 / 30
![Page 18: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/18.jpg)
McMillan’s Interpolation System
Annotate each clause C in the proof with a partial interpolant I
Base case (initial clause C):
I = “keep all literals ` ∈ C s.t. var(`) ∈ Var(B)”
I = T
Induction step (internal clauses C1, C2):
C1 ∨ a [I1] C2 ∨ a [I2]C1 ∨ C2 [I3]
if a /∈ Var(B), I3def= I1 ∨ I2 I1
I2I3
if a ∈ Var(B), I3def= I1 ∧ I2 I1
I2I3
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 15 / 30
![Page 19: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/19.jpg)
Interpolants from Proofs: Example Revisited
a1
a1a2 a1a2 a1
a2
a1
�
a1a2 T T
a1
I is (a1 ∧ a2), the strongest possible interpolant
All interpolants form a lattice.
a1 ∨ a2
a1 a2
a1 ∧ a2
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 16 / 30
![Page 20: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/20.jpg)
Spectrum of Colours
Existing interpolation systems unnecessarily restrict artistic freedom
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 17 / 30
![Page 21: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/21.jpg)
Lattice of Colours, Join
(colour lattice)
t =
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 18 / 30
![Page 22: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/22.jpg)
Locality Preserving Colouring
Each literal ` in each clause coloured separately!
Literals from A \ B must be coloured
Literals from B \ A must be coloured
Literals from A and B: Any colour ∈ { , , }
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 19 / 30
![Page 23: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/23.jpg)
Propagate Colours to Internal Nodes
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 20 / 30
![Page 24: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/24.jpg)
Example: Coloured Proof
L(a2, u) t L(a2, v) =
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 21 / 30
![Page 25: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/25.jpg)
Labelled Interpolation System
Base case (initial vertices):
If C ∈ A: I def= “all literals ` ∈ C s.t. L(`, v) = ”
If C ∈ B: I def= ¬( “all literals ` ∈ C s.t. L(`, v) = ”)
Induction step (internal vertices):
C1 ∨ a [I1] C2 ∨ a [I2]C1 ∨ C2 [I3]
if L(a) t L(a) = I3def= I1 ∨ I2 I1
I2I3
if L(a) t L(a) = I3def= (a ∨ I1) ∧ (I2 ∨ a) 0 1
I1 I2
a
if L(a) t L(a) = I3def= I1 ∧ I2 I1
I2I3
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 22 / 30
![Page 26: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/26.jpg)
Theorem: Correctness of Labelled Interpolation
Theorem. For any (A, B)-refutation R and locality preserving colouring L,ITP(L, R) is an interpolant for (A, B).
Proof: Minor adaptation of [Yorsh and Musuvathi, CADE ’05]:
Invariant: A ∧ (¬C|A) ` I
B ∧ (¬C|B) ` ¬I
Var(I) ⊆ Var(A) ∩Var(B)
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 23 / 30
![Page 27: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/27.jpg)
Example: Interpolant for Coloured Proof
F T T
T
F
Interpolant a2 cannot be obtained with existing systems!
Also, a2 is implied by a1 ∧ a2.
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 24 / 30
![Page 28: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/28.jpg)
Strength of Interpolants
I1 ∨ I2 ⇐= (a ∨ I1)∧(I2 ∨ a) ⇐= I1 ∧ I2
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 25 / 30
![Page 29: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/29.jpg)
Theorem: Strength of Interpolants
⇐ ⇐
min and max for colours
Lift ⇐, min and max pointwise to colouring functions
Theorem. Let R be an (A, B)-refutation and LR be the set of localitypreserving colourings over R. The structure (LR,⇐, max, min) is acomplete lattice.
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 26 / 30
![Page 30: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/30.jpg)
Strength of Interpolants (continued)
A-local A/B-shared B-local
strongest (McMillan)
. . .
⇓ (Huang, Krajıcek, Pudlak)
. . .
weakest (“inverse” McMillan)
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 27 / 30
![Page 31: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/31.jpg)
Restructuring Proofs
Change strength of interpolant by swapping nodes in proofInformally introduced in [Jhala and McMillan, LMCS 07]
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 28 / 30
![Page 32: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/32.jpg)
Restructuring and Relabelling Proofs
Labelling and restructuring are orthogonal techniques!
Itp(L, R)
Itp(L, R’)
Itp(L’ , R’)
Itp(L’ , R)
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 29 / 30
![Page 33: Interpolant Strength · Interpolant-based model checking Interpolation for propositional logic A novel, more general interpolation system Interpolant strength D’Silva et al. (Oxford](https://reader034.fdocuments.us/reader034/viewer/2022050606/5fad25974684cc408c7c70fd/html5/thumbnails/33.jpg)
Conclusion and Future Work
Labelled interpolation systemsgeneralise existing interpolation systems for propositional logicconstitute a dial for tuning interpolant strength
All proofs available in ETH Technical Report 652
Vijay D’Silva, ESOP 2010:
Propositional Interpolation and
Abstract Interpretation
Interpolation systems, clauses and interpolants form abstract domains.Existing systems as optimal abstractions of the colouring system.
Future workEmpirical analysis of effect of interpolant strength
D’Silva et al. (Oxford University) Interpolant Strength VMCAI ’10 30 / 30