Symbolic Computation and Theorem Proving in Program Analysis

Size: px

Start display at page:

Download "Symbolic Computation and Theorem Proving in Program Analysis"

Bathsheba Chapman
5 years ago
Views:

1 Symbolic Computation and Theorem Proving in Program Analysis Laura Kovács Chalmers

2 Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS 08, LPAR 10) Part 3: Quantified Invariant Generation (FASE 09, MICAI 11) Part 4: Invariants, Interpolants and Symbol Elimination (CADE 09, POPL 12, APLAS 12)

3 Part 4: Invariants, Interpolants and Symbol Eliminatio Symbol Elimination by First-Order Theorem Proving Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

4 Outline Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

5 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d)

6 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d )

7 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) Refutation: A(c, d) T (c, d, c, d ) B(c, d ) The formula is of 2 states (c, d, c, d ). Need a state formula I(c, d ) such that: (Jhala and McMillan) A(c, d) T (c, d, c, d ) I(c, d ) and I(c, d ) B(c, d )

8 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) Refutation: A(c, d) T (c, d, c, d ) B(c, d ) The formula is of 2 states (c, d, c, d ). Need a state formula I(c, d ) such that: (Jhala and McMillan) A(c, d) T (c, d, c, d ) I(c, d ) and I(c, d ) B(c, d )

9 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) Refutation: A(c, d) T (c, d, c, d ) B(c, d ) The formula is of 2 states (c, d, c, d ). Need a state formula I(c, d ) such that: (Jhala and McMillan) A(c, d) T (c, d, c, d ) I(c, d ) and I(c, d ) B(c, d ) Taks: Compute interpolant I(c, d ) by eliminating symbols c, d.

10 Invariants, Symbol Elimination, and Interpolation Reachability of B in ONE iteration: A(c, d) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) I(c, d ) 0 < c = 1 C[0] = D[0] I(c, d ) 0 < c = 2 C[0] = D[0] C[1] = D[1] Taks: Compute interpolant I(c, d ) by eliminating symbols c, d.

11 Invariants, Symbol Elimination, and Interpolation Reachability of B in TWO iterations: A(c, d) T (c, d, c, d ) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) I(c, d ) 0 < c = 1 C[0] = D[0] I(c, d ) 0 < c = 2 C[0] = D[0] C[1] = D[1] Taks: Compute interpolant I(c, d ) by eliminating symbols c, d, c, d.

12 Invariants, Symbol Elimination, and Interpolation Reachability of B in TWO iterations: A(c, d) T (c, d, c, d ) T (c, d, c, d ) B(c, d ) {c = d = 0 N > 0 ( k) (0 k < N D[k] = 0)} precondition A(c, d) while (c < N) do C[c] := D[d]; c < N C[c] = D[d] c = c + 1 d = d + 1 c N }{{} T (c,d,c,d ) c := c + 1; d := d + 1 end do {( k)(0 k < N C[k] = 0)} postcondition B(c, d ) I(c, d ) ( k)0 k < c C[k] = D[k] I(c, d ) ( k)0 k < c C[k] = D[k] Taks: Compute interpolant I(c, d ) implying invariant in any state.

13 Outline Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

14 Symbol Elimination and Interpolation What is an Interpolant? Computing Interpolants Local Derivations Symbol Eliminations Building Interpolants from Proof Summary: Invariants, Symbol Elimination, Interpolants

15 Notation First-order predicate logic with equality. : always true, : always false. A: universal closure of A. Symbols: predicate symbols; function symbols; constants. Equality is part of the language equality is not a symbol. L A : the language of A: the set of all formulas built from the symbols occurring in A.

16 What is an Interpolant? Let A, B be closed formulas such that A B. Theorem (Craig s Interpolation Theorem) There exists a closed formula I L A L B such that I is an interpolant of A and B. A I and I B. Note: if A and B are ground, they also have a ground interpolant.

17 What is an Interpolant? Let A, B be closed formulas such that A B. Theorem (Craig s Interpolation Theorem) There exists a closed formula I L A L B such that I is an interpolant of A and B. A I and I B. Reverse interpolant of A and B: any formula I such that A I and I, B.

18 Interpolation with Theories Theory T : any set of closed formulas. C 1,..., C n T C means that the formula C 1... C 1 C holds in all models of T. Interpreted symbols: symbols occurring in T. Uninterpreted symbols: all other symbols. Theorem Let A, B be formulas and let A T B. Then there exists a formula I such that 1. A T I and I B; 2. every uninterpreted symbol of I occurs both in A and B; 3. every interpreted symbol of I occurs in B. Likewise, there exists a formula I such that 1. A I and I T B; 2. every uninterpreted symbol of I occurs both in A and B; 3. every interpreted symbol of I occurs in A.

19 Interpolation with Theories Theory T : any set of closed formulas. C 1,..., C n T C means that the formula C 1... C 1 C holds in all models of T. Interpreted symbols: symbols occurring in T. Uninterpreted symbols: all other symbols. Theorem Let A, B be formulas and let A T B. Then there exists a formula I such that 1. A T I and I B; 2. every uninterpreted symbol of I occurs both in A and B; 3. every interpreted symbol of I occurs in B. Likewise, there exists a formula I such that 1. A I and I T B; 2. every uninterpreted symbol of I occurs both in A and B; 3. every interpreted symbol of I occurs in A.

20 Computing Interpolants using Inference Systems Inference Rule: A 1... A n A Inference system: a set of inference rules. Axiom: an inference rule with 0 premises. Derivation of A: tree with the root A built from inferences.

21 Interpolants and Local AB-Derivations AB-derivation Let L = L A L B. A derivation Π is an AB-derivation if (AB1) For every leaf C of Π one of following conditions holds: 1. A T C and C L A or 2. B T C and C L B. (AB2) For every inference C 1... C n C of Π we have C 1,..., C n T C. We will refer to property (AB2) as soundness.

22 Interpolants and Local AB-Derivations C 1... C n C This inference is local if the following two conditions hold: (L1) Either {C 1,..., C n, C} L A or {C 1,..., C n, C} L B. (L2) If all of the formulas C 1,..., C n are colorless, then C is colorless, too. A derivation is called local if so is every inference of this derivation.

23 Shape of local derivations for A B

24 Local Derivations: Example A B [demo] A := x(x = c) B := a = b Universal interpolant I: x y(x = y) A local refutation of in the superposition calculus: x = c y = c x = y a b y b

25 Local Derivations: Example A B [demo] A := x(x = c) B := a = b Universal interpolant I: x y(x = y) A local refutation of in the superposition calculus: x = c y = c x = y a b y b

26 Interpolants and Symbol Eliminating Inference At least one of the premises colored. The conclusion is not colored. x = c y = c x = y a b y b Interpolant x y(x = y): conclusion of a symbol-eliminating inference.

27 Interpolants and Symbol Eliminating Inference At least one of the premises colored. The conclusion is not colored. x = c y = c x = y a b y b Interpolant x y(x = y): conclusion of a symbol-eliminating inference.

28 Extracting Interpolants from Local Proofs Theorem (CADE 09) Let Π be a closed local AB-refutation. Then: A reverse interpolant I of A and B can be extracted from Π in linear time. I is ground if all formulas in Π are ground. I is a boolean combination of conclusions of symbol-eliminating inferences of Π. NOTE: No restriction on the calculus (only soundness required) can be used with theories. Can generate interpolants in theories where no good interpolation algorithms exist. Shift of interest: what matters are symbol-eliminating inferences.

29 Extracting Interpolants from Local Proofs Theorem (CADE 09) Let Π be a closed local AB-refutation. Then: A reverse interpolant I of A and B can be extracted from Π in linear time. I is ground if all formulas in Π are ground. I is a boolean combination of conclusions of symbol-eliminating inferences of Π. NOTE: No restriction on the calculus (only soundness required) can be used with theories. Can generate interpolants in theories where no good interpolation algorithms exist. Shift of interest: what matters are symbol-eliminating inferences.

30 Extracting Interpolants from Local Proofs Theorem (CADE 09) Let Π be a closed local AB-refutation. Then: A reverse interpolant I of A and B can be extracted from Π in linear time. I is ground if all formulas in Π are ground. I is a boolean combination of conclusions of symbol-eliminating inferences of Π. NOTE: No restriction on the calculus (only soundness required) can be used with theories. Can generate interpolants in theories where no good interpolation algorithms exist. Shift of interest: what matters are symbol-eliminating inferences.

31 Building Interpolants from Proofs Problem: generation of proofs giving interpolants. Idea 1: look for local refutations only; Idea 2: find calculi that guarantee that local proofs exist. LASCA: Superposition + Linear Arithmetic; Separating orderings (colored symbols are the greatest). Theorem (CADE 09) If is separating, then every AB-derivation in LASCA is local. First-order interpolation implemented in Vampire.

32 Building Interpolants from Proofs Problem: generation of proofs giving interpolants. Idea 1: look for local refutations only; Idea 2: find calculi that guarantee that local proofs exist. LASCA: Superposition + Linear Arithmetic; Separating orderings (colored symbols are the greatest). Theorem (CADE 09) If is separating, then every AB-derivation in LASCA is local. First-order interpolation implemented in Vampire.

33 Building Interpolants from Proofs Problem: generation of proofs giving interpolants. Idea 1: look for local refutations only; Idea 2: find calculi that guarantee that local proofs exist. LASCA: Superposition + Linear Arithmetic; Separating orderings (colored symbols are the greatest). Theorem (CADE 09) If is separating, then every AB-derivation in LASCA is local. First-order interpolation implemented in Vampire.

34 Building Interpolants from Proofs Problem: generation of proofs giving interpolants. Idea 1: look for local refutations only; Idea 2: find calculi that guarantee that local proofs exist. LASCA: Superposition + Linear Arithmetic; Separating orderings (colored symbols are the greatest). Theorem (CADE 09) If is separating, then every AB-derivation in LASCA is local. First-order interpolation implemented in Vampire.

35 Formulas Coloring Reverse Interpolant L : z < 0 x z y x left: z R : y 0 x + y 0 right: - y x x < 0 L : g(a) = c + 5 f (g(a)) c + 1 left: g, a R : h(b) = d + 4 d = c + 1 f (h(b)) < c + 1 right: h, b c + 1 f (c + 5) L : p c c q f (c) = 1 left: c R : q d d p f (d) = 0 right: d p q (q > p f (p) = 1) L : R : f (x 1 ) + x 2 = x 3 f (y 1 ) + y 2 = y 3 y 1 x 1 x 2 = g(b) y 2 = g(b) x 1 y 1 x 3 < y 3 left: right: f g, b x 1 > y 1 x 2 y 2 x 3 = y 3 R : c 1 cons(c 2, c 3 ) right: - L : c = car(c ) c = cdr(c 1 ) (atom(c 1 )) left: car, cons atom(c 1 ) c 1 = cons(c 2, c 3 ) L : Q(f (a)) Q(f (b)) left: Q, a, b R : f (V ) = c right: c x, y : f (x) f (y) L : a = c f (c) = a left: a R : c = b (b = f (c)) right: b c = f (c) L : True a [x ] = y x = x y = y + 1 z = x left: x, y R : (y = a [z ] + 1) right: a [x ] = y x = z Table : Interpolation with Vampire, within 1 second time limit.

36 Symbol Elimination and Interpolation Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

37 Interpolation Through Colors in Vampire There are three colors: blue, red and green.

38 Interpolation Through Colors in Vampire There are three colors: blue, red and green. Each symbol (function or predicate) is colored in exactly one of these colors.

39 Interpolation Through Colors in Vampire There are three colors: blue, red and green. Each symbol (function or predicate) is colored in exactly one of these colors. We have two formulas: A and B. Each symbol in A is either blue or green. Each symbol in B is either red or green.

40 Interpolation Through Colors in Vampire There are three colors: blue, red and green. Each symbol (function or predicate) is colored in exactly one of these colors. We have two formulas: A and B. Each symbol in A is either blue or green. Each symbol in B is either red or green. We know that A B. Our goal is to find a green formula I such that 1. A I; 2. I B.

41 Interpolation Example in Vampire fof(fa,axiom, q(f(a)) & q(f(b)) ). fof(fb,conjecture,?[v]: V!= c).

42 Interpolation Example in Vampire % request to generate an interpolant vampire(option,show_interpolant,on). % symbol coloring vampire(symbol,predicate,q,1,left). vampire(symbol,function,f,1,left). vampire(symbol,function,a,0,left). vampire(symbol,function,b,0,left). vampire(symbol,function,c,0,right). % formula L vampire(left_formula). fof(fa,axiom, q(f(a)) & q(f(b)) ). vampire(end_formula). % formula R vampire(right_formula). fof(fb,conjecture,?[v]: V!= c). vampire(end_formula).

43 Symbol Elimination and Interpolation Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

44 Given: a problem (an interpolation problem) Generate: a formula (an interpolant) -1 + a + -a = -1 x( (x 5) -6 + x -1) -( a) = -1 x((1 x + --(-1 + a) (-1 x))) (a 6 1 a + -1) x( (-1 x) (x -2)) x(-1 x + -a (-1 + a x)) x(-1 + x = x) -a a = -1 x( (--(-1 + a) x) 1 x + -1) x(( (x 4) -5 + x -1)) x(x (x 2)) x( (x 3) -4 + x -1) x(x + -a -1 (x -1 + a)) x(-1 + x = a + -(-1 + a) + x) 6 b

45 Given: a problem (an interpolation problem) Generate: a formula (an interpolant) -1 + a + -a = -1 x( (x 5) -6 + x -1) -( a) = -1 x((1 x + --(-1 + a) (-1 x))) (a 6 1 a + -1) x( (-1 x) (x -2)) x(-1 x + -a (-1 + a x)) x(-1 + x = x) -a a = -1 x( (--(-1 + a) x) 1 x + -1) x(( (x 4) -5 + x -1)) x(x (x 2)) x( (x 3) -4 + x -1) x(x + -a -1 (x -1 + a)) x(-1 + x = a + -(-1 + a) + x) 6 b or (a 6) -a -1 (-1 -a) a = a (2 + a 6) (-1 + a 1) (a 6 (b 6))

46 Given: a problem (an interpolation problem) Generate: a formula (an interpolant) which is small -1 + a + -a = -1 x( (x 5) -6 + x -1) -( a) = -1 x((1 x + --(-1 + a) (-1 x))) (a 6 1 a + -1) x( (-1 x) (x -2)) x(-1 x + -a (-1 + a x)) x(-1 + x = x) -a a = -1 x( (--(-1 + a) x) 1 x + -1) x(( (x 4) -5 + x -1)) x(x (x 2)) x( (x 3) -4 + x -1) x(x + -a -1 (x -1 + a)) x(-1 + x = a + -(-1 + a) + x) 6 b or (a 6) -a -1 (-1 -a) a = a (2 + a 6) (-1 + a 1) (a 6 (b 6))

47 Given: a problem (an interpolation problem) Generate: a formula (an interpolant) which is small -1 + a + -a = -1 x( (x 5) -6 + x -1) -( a) = -1 x((1 x + --(-1 + a) (-1 x))) (a 6 1 a + -1) x( (-1 x) (x -2)) x(-1 x + -a (-1 + a x)) x(-1 + x = x) -a a = -1 x( (--(-1 + a) x) 1 x + -1) x(( (x 4) -5 + x -1)) x(x (x 2)) x( (x 3) -4 + x -1) x(x + -a -1 (x -1 + a)) x(-1 + x = a + -(-1 + a) + x) 6 b What is a good interpolant? logical strength [Jhala07, D Silva09, McMillan08]; small size [Kroening10, Brillout11, Griggio11]. or (a 6) -a -1 (-1 -a) a = a (2 + a 6) (-1 + a 1) (a 6 (b 6))

48 How to Make Interpolants Smaller/Nicer? in size; in weight; in the number of quantifiers;...

49 How to Make Interpolants Smaller/Nicer? in size; in weight; in the number of quantifiers;... Revised Interpolation Problem: Given R B, find a green formula I: R I; I B; I is small.

50 Extracting Interpolants from Local Proofs

51 Extracting Interpolants from Local Proofs G 1 G 2 G 3 G 4 Interpolant: boolean combination of {G 1,..., G 4 } [McMillan05, KV09]

52 Extracting Interpolants from Local Proofs G 1 G 2 G 3 G 4 Digest Interpolant: boolean combination of {G 1,..., G 4 }

53 Extracting Interpolants from Local Proofs G 1 G 2 G is in the digest: - comes from a red block - followed by a blue or green block G 3 G 4 Digest Interpolant: boolean combination of {G 1,..., G 4 }

54 Extracting Interpolants from Local Proofs G 1 G 2 G is in the digest: - comes from a red block - followed by a blue or green block or - comes from a blue block - followed by a red G 3 G 4 Digest Interpolant: boolean combination of {G 1,..., G 4 }

55 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest

56 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest Idea: Change the green areas of the local proof

57 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest Idea: Change the green areas of the local proof Slicing off formulas A 1 A n A A n+1 A m A 0 slicing off A A 1 A n A n+1 A m A 0

58 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest Idea: Change the green areas of the local proof Slicing off formulas A 1 A n A A n+1 A m A 0 slicing off A A 1 A n A n+1 A m A 0 If A is green: Green slicing

59 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest Idea: Change the green areas of the local proof Slicing off formulas B 0 R 0 G 1 G 0 B 0 R 0 slicing off G 1 G 0 If A is green: Green slicing

60 How to Make Interpolants Smaller/Nicer? Task: minimise interpolants = minimise digest Idea: Change the green areas of the local proof, but preserve locality! Slicing off formulas B 0 R 0 G 1 G 0 B 0 R 0 slicing off G 1 G 0 If A is green: Green slicing

61 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7

62 How to Make Interpolants Smaller/Nicer? Digest: {G 4, G 7 } R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Reverse interpolant: G 4 G 7

63 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7

64 How to Make Interpolants Smaller/Nicer? Digest: {G 5, G 7 } R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Reverse interpolant: G 5 G 7

65 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7

66 How to Make Interpolants Smaller/Nicer? Digest: {G 6, G 7 } R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Reverse interpolant: G 6 G 7

67 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7

68 How to Make Interpolants Smaller/Nicer? Digest: {G 6 } R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Reverse interpolant: G 6

69 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Note that the interpolant has changed from G 4 G 7 to G 6.

70 How to Make Interpolants Smaller/Nicer? R 3 R 1 G 1 G 3 B 1 G 2 G 4 G 5 G 6 R 4 G 7 Note that the interpolant has changed from G 4 G 7 to G 6. There is no obvious logical relation between G 4 G 7 and G 6, for example none of these formulas implies the other one; These formulas may even have no common atoms or no common symbols.

71 How to Make Interpolants Smaller/Nicer? If green slicing gives us very different interpolants, we can use it for finding small interpolants. Problem: if the proof contains n green formulas, the number of possible different slicing off transformations is 2 n.

72 How to Make Interpolants Smaller/Nicer? If green slicing gives us very different interpolants, we can use it for finding small interpolants. Problem: if the proof contains n green formulas, the number of possible different slicing off transformations is 2 n.

73 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations

74 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2

75 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations G 3, and at most one of G 1, G 2 can be sliced off. R B G 2 G 1 G 3

76 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Some predicates on green formulas: sliced(g): G was sliced off; red(g): the trace of G contains a red formula; blue(g): the trace of G contains a blue formula; green(g): the trace of G contains only green formulas; digest(g): G belongs to the digest.

77 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Some predicates on green formulas: sliced(g): G was sliced off; red(g): the trace of G contains a red formula; blue(g): the trace of G contains a blue formula; green(g): the trace of G contains only green formulas; digest(g): G belongs to the digest. sliced(g 1 ) Green(G 1 ) sliced(g 1 ) red(g 1 )

78 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Some predicates on green formulas: sliced(g): G was sliced off; red(g): the trace of G contains a red formula; blue(g): the trace of G contains a blue formula; green(g): the trace of G contains only green formulas; digest(g): G belongs to the digest. sliced(g 3 ) Green(G 3 ) sliced(g 3 ) (Green(G 3 ) Green(G 1 ) Green(G 2 )) sliced(g 3 ) (red(g 3 ) red(g 1 ) red(g 2 )) sliced(g 3 ) (blue(g 3 ) blue(g 1 ) blue(g 2 ))

79 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Some predicates on green formulas: sliced(g): G was sliced off; red(g): the trace of G contains a red formula; blue(g): the trace of G contains a blue formula; green(g): the trace of G contains only green formulas; digest(g): G belongs to the digest. digest(g 1 ) sliced(g 1 )

80 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Some predicates on green formulas: sliced(g): G was sliced off; red(g): the trace of G contains a red formula; blue(g): the trace of G contains a blue formula; green(g): the trace of G contains only green formulas; digest(g): G belongs to the digest. sliced(g 1 ) Green(G 1 ) sliced(g 1 ) red(g 1 ) sliced(g 3 ) Green(G 3 ) sliced(g 3 ) (Green(G 3 ) Green(G 1 ) Green(G 2 )) sliced(g 3 ) (red(g 3 ) red(g 1 ) red(g 2 )) sliced(g 3 ) (blue(g 3 ) blue(g 1 ) blue(g 2 )) digest(g 1 ) sliced(g 1 )

81 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g)

82 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g) by considering the possibilities: G comes from a red/ blue/green formula G is followed by a red/ blue/green formula

83 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g) by considering the possibilities: G comes from a red/ blue/green formula rc(g)/bc(g) G is followed by a red/ blue/green formula bf(g)/rf(g)

84 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g) by considering the possibilities: G comes from a red/ blue/green formula rc(g)/bc(g) G is followed by a red/ blue/green formula bf(g)/rf(g) digest(g 3 ) (rc(g 3 ) rf(g 3 )) (bc(g 3 ) bf(g 3 )) rc(g 3 ) ( sliced(g 3 ) (red(g 1 ) red(g 2 ))

85 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g) by considering the possibilities: G comes from a red/ blue/green formula rc(g)/bc(g) G is followed by a red/ blue/green formula bf(g)/rf(g) sliced(g 1 ) Green(G 1 ) sliced(g 1 ) red(g 1 ) sliced(g 3 ) Green(G 3 ) sliced(g 3 ) (Green(G 3 ) Green(G 1 ) Green(G 2 )) sliced(g 3 ) (red(g 3 ) red(g 1 ) red(g 2 )) sliced(g 3 ) (blue(g 3 ) blue(g 1 ) blue(g 2 )) digest(g 1 ) sliced(g 1 ) digest(g 3 ) (rc(g 3 ) rf(g 3 )) (bc(g 3 ) bf(g 3 )) rc(g 3 ) ( sliced(g 3 ) (red(g 1 ) red(g 2 ))

86 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT solutions encode all slicing off transformations R G 1 G 3 B G 2 Express digest(g) by considering the possibilities: G comes from a red/ blue/green formula rc(g)/bc(g) G is followed by a red/ blue/green formula bf(g)/rf(g) sliced(g 1 ) Green(G 1 ) sliced(g 1 ) red(g 1 ) sliced(g 3 ) Green(G 3 ) sliced(g 3 ) (Green(G 3 ) Green(G 1 ) Green(G 2 )) sliced(g 3 ) (red(g 3 ) red(g 1 ) red(g 2 )) sliced(g 3 ) (blue(g 3 ) blue(g 1 ) blue(g 2 )) digest(g 1 ) sliced(g 1 ) digest(g 3 ) (rc(g 3 ) rf(g 3 )) (bc(g 3 ) bf(g 3 )) rc(g 3 ) ( sliced(g 3 ) (red(g 1 ) red(g 2 ))

87 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT; solutions encode all slicing off transformations; compute small interpolants: smallest digest of green formulas; ( ) min {Gi1,...,G in } digest(g i ) G i use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants; minimising interpolants is an NP-complete problem.

88 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT; solutions encode all slicing off transformations; compute small interpolants: smallest digest of green formulas; ( ) min {Gi1,...,G in } digest(g i ) G i use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants; minimising interpolants is an NP-complete problem.

89 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT; solutions encode all slicing off transformations; compute small interpolants: smallest digest of green formulas; ( ) min {Gi1,...,G in } digest(g i ) G i ( ) min {Gi1,...,G in } quantifier number(g i ) digest(g i ) G i use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants; minimising interpolants is an NP-complete problem.

90 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT; solutions encode all slicing off transformations; compute small interpolants: smallest digest of green formulas; ( ) min {Gi1,...,G in } digest(g i ) G i ( ) min {Gi1,...,G in } quantifier number(g i ) digest(g i ) G i use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants; minimising interpolants is an NP-complete problem.

91 How to Make Interpolants Smaller/Nicer? Solution: encode all sequences of transformations as an instance of SAT; solutions encode all slicing off transformations; compute small interpolants: smallest digest of green formulas; ( ) min {Gi1,...,G in } digest(g i ) G i ( ) min {Gi1,...,G in } quantifier number(g i ) digest(g i ) G i use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants; minimising interpolants is an NP-complete problem.

92 Experiments with Minimising Interpolants Experimental results: 9632 first-order examples from the TPTP library: for example, for 2000 problems the size of the interpolants became times smaller; 4347 SMT examples: we used Z3 for proving SMT examples; Z3 proofs were localised in Vampire; minimal interpolants were generated for 2123 SMT examples.

93 Experiments with Minimising Interpolants Experimental results: 9632 first-order examples from the TPTP library: for example, for 2000 problems the size of the interpolants became times smaller; 4347 SMT examples: we used Z3 for proving SMT examples; Z3 proofs were localised in Vampire; minimal interpolants were generated for 2123 SMT examples.

94 Experiments with Minimising Interpolants More realistic benchmarks: 4048 problems coming from CPAchecker; we used Vampire to generate local proofs; minimal interpolants were generated for 1903 CPAchecker examples: for 296 examples the size of the interpolant has decreased by a factor of 5; for 6 examples the size of the interpolant has decreased by a factor of 500.

95 Symbol Elimination and Interpolation Invariants, Interpolants and Symbol Elimination Interpolants from Proofs Interpolation in Vampire Quality of Interpolants Conclusions

96 Summary: Invariant Generation, Interpolation, Symbol Elimination Given the proof obligation A B: 1. Run a theorem prover and eliminate extra symbols; 2. Generate a (reverse) interpolant from a refutation; 3. Interpolant is a boolean combination of consequences of symbol-eliminating inferences. Given a loop: 1. Express loop properties in a language containing extra symbols; 2. Every logical consequence of these properties is a valid loop property, but not an invariant; 3. Run a theorem prover for eliminating extra symbols; 4. Every derived formula in the language of the loop is a loop invariant; 5. Invariants are consequences of symbol-eliminating inferences.

97 Summary: Invariant Generation, Interpolation, Symbol Elimination Given the proof obligation A B: 1. Run a theorem prover and eliminate extra symbols; 2. Generate a (reverse) interpolant from a refutation; 3. Interpolant is a boolean combination of consequences of symbol-eliminating inferences. Given a loop: 1. Express loop properties in a language containing extra symbols; 2. Every logical consequence of these properties is a valid loop property, but not an invariant; 3. Run a theorem prover for eliminating extra symbols; 4. Every derived formula in the language of the loop is a loop invariant; 5. Invariants are consequences of symbol-eliminating inferences.

98 End of Session 4 Slides for session 4 ended here...

Vinter: A Vampire-Based Tool for Interpolation

Vinter: A Vampire-Based Tool for Interpolation Kryštof Hoder 1, Andreas Holzer 2, Laura Kovács 2, and Andrei Voronkov 1 1 University of Manchester 2 TU Vienna Abstract. This paper describes the Vinter