The Impact of Craig s Interpolation Theorem. in Computer Science

Size: px

Start display at page:

Download "The Impact of Craig s Interpolation Theorem. in Computer Science"

Melina Frederica Cobb
6 years ago
Views:

1 The Impact of Craig s Interpolation Theorem in Computer Science Cesare Tinelli tinelli@cs.uiowa.edu The University of Iowa Berkeley, May 2007 p.1/28

2 The Role of Logic in Computer Science Mathematical logic is central to Computer Science Berkeley, May 2007 p.2/28

3 The Role of Logic in Computer Science Mathematical logic is central to Computer Science It provides formal foundations for Programming languages Relational databases Computational complexity Hardware design and validation Formal methods in software engineering Artificial Intelligence... Berkeley, May 2007 p.2/28

4 Craig s Interpolation Theorem in CS has had a strong and lasting impact in several CS areas, both at the theoretical and the practical level Berkeley, May 2007 p.3/28

5 Craig s Interpolation Theorem in CS has had a strong and lasting impact in several CS areas, both at the theoretical and the practical level has been generalized to many other logics used in CS (sorted, equational, modal, intuitionistic,... ) Berkeley, May 2007 p.3/28

6 Craig s Interpolation Theorem in CS has had a strong and lasting impact in several CS areas, both at the theoretical and the practical level has been generalized to many other logics used in CS (sorted, equational, modal, intuitionistic,... ) together with compactness, is considered a crucial property of any new logic for CS Berkeley, May 2007 p.3/28

7 Craig s Interpolation Theorem in CS has had a strong and lasting impact in several CS areas, both at the theoretical and the practical level has been generalized to many other logics used in CS (sorted, equational, modal, intuitionistic,... ) together with compactness, is considered a crucial property of any new logic for CS comes up in any formal method based on modular decomposition of complex systems Berkeley, May 2007 p.3/28

8 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Berkeley, May 2007 p.4/28

9 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Reasoning with large knowledge bases (Amir & McIlraith, 2005) Berkeley, May 2007 p.4/28

10 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Reasoning with large knowledge bases (Amir & McIlraith, 2005) Type inference (Jhala et al., 2007) Berkeley, May 2007 p.4/28

11 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Reasoning with large knowledge bases (Amir & McIlraith, 2005) Type inference (Jhala et al., 2007) Combination of theorem provers for different theories (Nelson& Oppen, 1979; Tinelli, 2003; Ghilardi, 2005) Berkeley, May 2007 p.4/28

12 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Reasoning with large knowledge bases (Amir & McIlraith, 2005) Type inference (Jhala et al., 2007) Combination of theorem provers for different theories (Nelson& Oppen, 1979; Tinelli, 2003; Ghilardi, 2005) Model checking of finite- and infinite-state systems (McMillan, 2003, Henzinger et al., 2004) Berkeley, May 2007 p.4/28

13 Craig s Interpolation Some applications: Hardware/software specification (Diaconescu et al., 93, Rosu & Goguen, 2000, Bicarregui et al., 2000) Reasoning with large knowledge bases (Amir & McIlraith, 2005) Type inference (Jhala et al., 2007) Combination of theorem provers for different theories (Nelson& Oppen, 1979; Tinelli, 2003; Ghilardi, 2005) Model checking of finite- and infinite-state systems (McMillan, 2003, Henzinger et al., 2004) Berkeley, May 2007 p.5/28

14 The Essence of Craig s Interpolation for CS Craig s Interpolation: If ϕ 1 and ϕ 2 are inconsistent, there is a ϕ in their shared language such that ϕ 1 = ψ and ψ ϕ 2 is inconsistent. Berkeley, May 2007 p.6/28

15 The Essence of Craig s Interpolation for CS Craig s Interpolation: If ϕ 1 and ϕ 2 are inconsistent, there is a ϕ in their shared language such that ϕ 1 = ψ and ψ ϕ 2 is inconsistent. Intuitively, ψ is an abstraction of ϕ 1 from the viewpoint of ϕ 2 ; ψ summarizes and translates in the shared language why ϕ 1 is inconsistent with ϕ 2. Berkeley, May 2007 p.6/28

16 Part I: Craig Interpolation for Prover Combinations Berkeley, May 2007 p.7/28

17 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Berkeley, May 2007 p.8/28

18 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Microprocessors design: theory of equality, atoms like f(g(a,b),c) = g(c,a). Berkeley, May 2007 p.8/28

19 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Microprocessors design: theory of equality, atoms like f(g(a,b),c) = g(c,a). Timed automata, planning: theory of integers/reals, atoms like x y < 2. Berkeley, May 2007 p.8/28

20 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Microprocessors design: theory of equality, atoms like f(g(a,b),c) = g(c,a). Timed automata, planning: theory of integers/reals, atoms like x y < 2. Software verification/model checking: combination of theories, atoms like 5 + first((x + 2) :: l) = a[j] + 1. Berkeley, May 2007 p.8/28

21 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Microprocessors design: theory of equality, atoms like f(g(a,b),c) = g(c,a). Timed automata, planning: theory of integers/reals, atoms like x y < 2. Software verification/model checking: combination of theories, atoms like 5 + first((x + 2) :: l) = a[j] + 1. We refer to this general problem as Satisfiability Modulo Theories, or SMT. Berkeley, May 2007 p.8/28

22 Satisfiability Modulo Theories In some areas of Computer Science, one is interested in the satisfiability in a particular theory of certain classes of formulas. Microprocessors design: theory of equality, atoms like f(g(a,b),c) = g(c,a). Timed automata, planning: theory of integers/reals, atoms like x y < 2. Software verification/model checking: combination of theories, atoms like 5 + first((x + 2) :: l) = a[j] + 1. We refer to this general problem as Satisfiability Modulo Theories, or SMT. Berkeley, May 2007 p.8/28

23 Satisfiability Modulo Theories Let T be a first-order theory of signature Σ and L Σ a class of Σ-formulas. Berkeley, May 2007 p.9/28

24 Satisfiability Modulo Theories Let T be a first-order theory of signature Σ and L Σ a class of Σ-formulas. The T -satisfiability problem for L Σ consists in deciding for any formula ϕ[x] L Σ whether T { x.ϕ} is satisfiable. Berkeley, May 2007 p.9/28

25 Satisfiability Modulo Theories Let T be a first-order theory of signature Σ and L Σ a class of Σ-formulas. The T -satisfiability problem for L Σ consists in deciding for any formula ϕ[x] L Σ whether T { x.ϕ} is satisfiable. Some relevant theories in SMT Equality with Uninterpreted Function Symbols Linear Arithmetic (Real and Integer) Arrays (i.e., updatable maps) Bit vectors Finite trees Berkeley, May 2007 p.9/28

26 Solving Combined SMT Problems For many theories T and some formula classes L there exist (efficient) decision procedures for the T -satisfiability problem for L Σ. Berkeley, May 2007 p.10/28

27 Solving Combined SMT Problems For many theories T and some formula classes L there exist (efficient) decision procedures for the T -satisfiability problem for L Σ. Problem: In practice, we often need to deal with mixed formulas in L Σ 1 Σ n modulo a combined theory T 1 T n. Berkeley, May 2007 p.10/28

28 Solving Combined SMT Problems For many theories T and some formula classes L there exist (efficient) decision procedures for the T -satisfiability problem for L Σ. Problem: In practice, we often need to deal with mixed formulas in L Σ 1 Σ n modulo a combined theory T 1 T n. In that case, it helps if we can combine modularly decision procedures for the individual T 1,...,T n into a decision procedure for T 1 T n. Berkeley, May 2007 p.10/28

29 The General Combined Satisfiability Problem For i = 1, 2, let T i a first-order theory of signature Σ i and let L Σ i be a class of Σ i -formulas such that the T i -satisfiability problem for L Σ i is decidable. Berkeley, May 2007 p.11/28

30 The General Combined Satisfiability Problem For i = 1, 2, let T i a first-order theory of signature Σ i and let L Σ i be a class of Σ i -formulas such that the T i -satisfiability problem for L Σ i is decidable. Combination methods apply to languages L Σ 1 Σ 2 that are effectively purifiable for T 1 and T 2 Berkeley, May 2007 p.11/28

31 The General Combined Satisfiability Problem For i = 1, 2, let T i a first-order theory of signature Σ i and let L Σ i be a class of Σ i -formulas such that the T i -satisfiability problem for L Σ i is decidable. Combination methods apply to languages L Σ 1 Σ 2 that are effectively purifiable for T 1 and T 2, i.e., such that the (T 1 T 2 )-satisfiability of a formula ϕ L Σ 1 Σ 2 is effectively reducible to the (T 1 T 2 )-satisfiability of formulas of the form ϕ 1 ϕ 2 with ϕ i L Σ i for i = 1, 2. Berkeley, May 2007 p.11/28

32 The General Combined Satisfiability Problem For i = 1, 2, let T i a first-order theory of signature Σ i and let L Σ i be a class of Σ i -formulas such that the T i -satisfiability problem for L Σ i is decidable. Combination methods apply to languages L Σ 1 Σ 2 that are effectively purifiable for T 1 and T 2 Observation: For purifiable languages, (T 1 T 2 )-satisfiability is at heart an interpolation problem. Berkeley, May 2007 p.11/28

33 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable Berkeley, May 2007 p.12/28

34 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable iff T 1,ϕ 1,T 2,ϕ 2 = Berkeley, May 2007 p.12/28

35 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable iff T 1,ϕ 1,T 2,ϕ 2 = iff, by an application of Craig s interpolation theorem, there is a (Σ 1 Σ 2 )-formula ϕ(x) with x = x 1 x 2 s.t. T 1,ϕ 1 = ϕ and T 2,ϕ 2,ϕ = Berkeley, May 2007 p.12/28

36 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable iff T 1,ϕ 1,T 2,ϕ 2 = iff, by an application of Craig s interpolation theorem, there is a (Σ 1 Σ 2 )-formula ϕ(x) with x = x 1 x 2 s.t. T 1,ϕ 1 = ϕ and T 2,ϕ 2,ϕ = The problem then is just computing the interpolant ϕ. Berkeley, May 2007 p.12/28

37 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable iff T 1,ϕ 1,T 2,ϕ 2 = iff, by an application of Craig s interpolation theorem, there is a (Σ 1 Σ 2 )-formula ϕ(x) with x = x 1 x 2 s.t. T 1,ϕ 1 = ϕ and T 2,ϕ 2,ϕ = All existing combination methods are in essence ways to compute ϕ, possibly incrementally, in finite time, without building a direct proof that T 1,ϕ 1,T 2,ϕ 2 = Berkeley, May 2007 p.12/28

38 Combined Satisfiability as Interpolation For i = 1, 2, let T i -be a Σ i -theory and ϕ i [x i ] a Σ i -formula. ϕ 1 ϕ 2 is (T 1 T 2 )-unsatisfiable iff T 1,ϕ 1,T 2,ϕ 2 = iff, by an application of Craig s interpolation theorem, there is a (Σ 1 Σ 2 )-formula ϕ(x) with x = x 1 x 2 s.t. T 1,ϕ 1 = ϕ and T 2,ϕ 2,ϕ = Historical note: The original correctness proof of the foremost combination method for SMT (Nelson & Oppen, 1979) relies directly on Craig s interpolation theorem. Berkeley, May 2007 p.12/28

39 An Effectively Purifiable Language The class of quantifier-free formulas is effectively purifiable for any Σ 1 and Σ 2 Berkeley, May 2007 p.13/28

40 An Effectively Purifiable Language The class of quantifier-free formulas is effectively purifiable for any Σ 1 and Σ 2 : Given a quantifier-free (Σ 1 Σ 2 )-formula ϕ we can compute Σ 1 -qffs ϕ ϕn 1 and Σ 2-qffs ϕ ϕn 2 s.t. for every (Σ 1 Σ 2 )-structure A, ϕ is satisfiable in A iff ϕ j 1 ϕ j 2 is satisfiable in A for some j. Berkeley, May 2007 p.13/28

41 An Effectively Purifiable Language The class of quantifier-free formulas is effectively purifiable for any Σ 1 and Σ 2. Moreover, the T -satisfiability problem for qffs is decidable for a very large number of theories of interest in CS. Berkeley, May 2007 p.13/28

42 An Effectively Purifiable Language The class of quantifier-free formulas is effectively purifiable for any Σ 1 and Σ 2. Moreover, the T -satisfiability problem for qffs is decidable for a very large number of theories of interest in CS. Let s focus then on quantifier-free formulas. Berkeley, May 2007 p.13/28

43 An Effectively Purifiable Language The class of quantifier-free formulas is effectively purifiable for any Σ 1 and Σ 2. Moreover, the T -satisfiability problem for qffs is decidable for a very large number of theories of interest in CS. Let s focus then on quantifier-free formulas. For simplicity, but wlog, let s consider only combined satisfiability problems of the form Γ 1 Γ 2 where each Γ i is a finite set of Σ i -literals (i.e., atomic formulas and negated atomic formulas) Berkeley, May 2007 p.13/28

44 The Combined Satisfiability Problem for QFFs For i = 1, 2, let T i -be a Σ i -theory and Γ i [x i ] a set of Σ i -literals. Berkeley, May 2007 p.14/28

45 The Combined Satisfiability Problem for QFFs For i = 1, 2, let T i -be a Σ i -theory and Γ i [x i ] a set of Σ i -literals. Let ψ 1,...,ψ n be (Σ 1 Σ 2 )-formulas over x = x 1 x 2. Berkeley, May 2007 p.14/28

46 The Combined Satisfiability Problem for QFFs For i = 1, 2, let T i -be a Σ i -theory and Γ i [x i ] a set of Σ i -literals. Let ψ 1,...,ψ n be (Σ 1 Σ 2 )-formulas over x = x 1 x 2. ψ 1,...,ψ n is an interpolation chain if for each k = 1,...,m there is an i {1, 2} s.t. T i, Γ i,ψ 1,...,ψ k 1 = ψ k Berkeley, May 2007 p.14/28

47 The Combined Satisfiability Problem for QFFs For i = 1, 2, let T i -be a Σ i -theory and Γ i [x i ] a set of Σ i -literals. Let ψ 1,...,ψ n be (Σ 1 Σ 2 )-formulas over x = x 1 x 2. ψ 1,...,ψ n is an interpolation chain if for each k = 1,...,m there is an i {1, 2} s.t. Under the right conditions: T i, Γ i,ψ 1,...,ψ k 1 = ψ k 1. Γ 1 Γ 2 is (T 1 T 2 )-unsatisfiable iff there is an interpolation chain ψ 1,...,ψ m with ψ n =, and 2. each ψ i is a disjunction of atoms and is computable using one of the decision procedures for T 1 and T 2. Berkeley, May 2007 p.14/28

48 The Combined Satisfiability Problem for QFFs Sufficient conditions on T 1 and T 2 (Ghilardi, 2005) Where Σ 0 = Σ 1 Σ 2, there is a universal Σ 0 -theory T 0 that is: Berkeley, May 2007 p.15/28

49 The Combined Satisfiability Problem for QFFs Sufficient conditions on T 1 and T 2 (Ghilardi, 2005) Where Σ 0 = Σ 1 Σ 2, there is a universal Σ 0 -theory T 0 that is: 1. T i -compatible for i = 1, 2: (a) is enclosed in T i (b) admits a model completion T 0 (c) every model of T i embeds into a model of T i T 0 Berkeley, May 2007 p.15/28

50 The Combined Satisfiability Problem for QFFs Sufficient conditions on T 1 and T 2 (Ghilardi, 2005) Where Σ 0 = Σ 1 Σ 2, there is a universal Σ 0 -theory T 0 that is: 1. T i -compatible for i = 1, 2: (a) is enclosed in T i (b) admits a model completion T 0 (c) every model of T i embeds into a model of T i T 0 2. effectively locally finite: For any x we can compute a set {t 1,...t n } of Σ 0 -terms over x s.t. every Σ 0 -term t[x] is T 0 -equivalent to some t i Berkeley, May 2007 p.15/28

51 The Combined Satisfiability Problem for QFFs Sufficient conditions on T 1 and T 2 (Ghilardi, 2005) Where Σ 0 = Σ 1 Σ 2, there is a universal Σ 0 -theory T 0 that is: 1. T i -compatible for i = 1, 2: (a) is enclosed in T i (b) admits a model completion T 0 (c) every model of T i embeds into a model of T i T 0 2. effectively locally finite: For any x we can compute a set {t 1,...t n } of Σ 0 -terms over x s.t. every Σ 0 -term t[x] is T 0 -equivalent to some t i Nelson-Oppen Method: Σ 0 = and each T i is stably infinite. Berkeley, May 2007 p.15/28

52 Stably Infinite Theories A Σ-theory T is stably infinite iff every quantifier-free T -satisfiable formula is satisfiable in an infinite model of T. Berkeley, May 2007 p.16/28

53 Stably Infinite Theories A Σ-theory T is stably infinite iff every quantifier-free T -satisfiable formula is satisfiable in an infinite model of T. Many interesting theories are stably infinite: Theories of an infinite structure. Complete theories with an infinite model. Convex theories with no trivial models. Berkeley, May 2007 p.16/28

54 Stably Infinite Theories A Σ-theory T is stably infinite iff every quantifier-free T -satisfiable formula is satisfiable in an infinite model of T. Many interesting theories are stably infinite: Theories of an infinite structure. Complete theories with an infinite model. Convex theories with no trivial models. But others are not: Theories of a finite structure. Theories with models of bounded cardinality. Some equational/horn theories. Berkeley, May 2007 p.16/28

55 Beyond Stable Infiniteness Recent extensions of the Nelson-Oppen method partially lift the stable infiniteness requirement (Tinelli & Zarba, 2004; Ranise et al., 2005) Berkeley, May 2007 p.17/28

56 Beyond Stable Infiniteness Recent extensions of the Nelson-Oppen method partially lift the stable infiniteness requirement (Tinelli & Zarba, 2004; Ranise et al., 2005) The trick is to require the decision procedures to also exchange finite-cardinality constraints. Berkeley, May 2007 p.17/28

57 Beyond Stable Infiniteness Recent extensions of the Nelson-Oppen method partially lift the stable infiniteness requirement (Tinelli & Zarba, 2004; Ranise et al., 2005) The trick is to require the decision procedures to also exchange finite-cardinality constraints. These extensions are still instances of Craig interpolation. Berkeley, May 2007 p.17/28

58 Beyond Stable Infiniteness Recent extensions of the Nelson-Oppen method partially lift the stable infiniteness requirement (Tinelli & Zarba, 2004; Ranise et al., 2005) The trick is to require the decision procedures to also exchange finite-cardinality constraints. These extensions are still instances of Craig interpolation. However, they now consider interpolation chains that also include quantified formulas like x,y,z. x = y x = z Berkeley, May 2007 p.17/28

59 The Combined Satisfiability Problem for QFFs SMT provers based on some variant of the Nelson-Oppen method are widely used in academia and industry. Berkeley, May 2007 p.18/28

60 The Combined Satisfiability Problem for QFFs SMT provers based on some variant of the Nelson-Oppen method are widely used in academia and industry. The generalized results by Ghilardi have several additional applications. For instance, they can be used in the combination of modals logics. Berkeley, May 2007 p.18/28

61 Part II: Craig Interpolation in Model Checking Berkeley, May 2007 p.19/28

62 Modeling Computer Systems Software or hardware systems can be often modeled as state transition systems M = (S,I,R,L) where S is a set of states I S is a set of initial states R S S is a total transition relation L : S 2 At is a labelling function into sets of atomic formulas in some base logic Berkeley, May 2007 p.20/28

63 Modeling Computer Systems Software or hardware systems can be often modeled as state transition systems M = (S,I,R,L) where S is a set of states I S is a set of initial states R S S is a total transition relation L : S 2 At is a labelling function into sets of atomic formulas in some base logic Note: M is a Kripke model (in the sense modal logic). Berkeley, May 2007 p.20/28

64 Model Checking Software or hardware systems can be often modeled as state transition systems, or model, M = (S,I,R,L) Berkeley, May 2007 p.21/28

65 Model Checking Software or hardware systems can be often modeled as state transition systems, or model, M = (S,I,R,L) Most system correctness properties can be expressed as a safety property for a suitable model M: M is safe wrt a property ψ if no state R-reachable from an initial state satisfies ψ. Berkeley, May 2007 p.21/28

66 Model Checking Software or hardware systems can be often modeled as state transition systems, or model, M = (S,I,R,L) Most system correctness properties can be expressed as a safety property for a suitable model M: M is safe wrt a property ψ if no state R-reachable from an initial state satisfies ψ. Model checking is one of the most successful areas of formal verification. Model checking technologies are now routinely used in industry. Berkeley, May 2007 p.21/28

67 Symbolic Model Checking A model M = (S, I, R, L:S 2 At ) can be expressed symbolically by fixing a set X of variables and a first-order Σ-structure A with universe A. Berkeley, May 2007 p.22/28

68 Symbolic Model Checking A model M = (S, I, R, L:S 2 At ) can be expressed symbolically by fixing a set X of variables and a first-order Σ-structure A with universe A. Then: Every state σ S is a mapping in [X A] At is a set of atomic Σ-formulas over X I is characterized by a qff ϕ I [x] s.t. σ I iff A = ϕ I [σ] R is characterized by a qff ϕ R [x,x ] such that (σ,σ ) R iff A = ϕ R [σ,σ ] Notation: if x = x 1,...,x n then ψ[σ] = ψ[σ(x 1 ),...,σ(x n )] Berkeley, May 2007 p.22/28

69 Some Terminology A state σ is reachable (in k steps) iff there is a sequence of states σ 0,...,σ k = σ such that A = ϕ I [σ 0 ] ϕ R [σ 0,σ 1 ] ϕ R [σ k 1,σ k ] A formula ψ[x] is reachable (in k steps) from a formula ϕ[x] iff there is a sequence of states σ 0,...,σ k = σ s.t. A = ϕ[σ 0 ] ϕ R [σ 0,σ 1 ] ϕ R [σ k 1,σ k ] ψ[σ k ] Berkeley, May 2007 p.23/28

70 Some Terminology A state σ is reachable (in k steps) iff there is a sequence of states σ 0,...,σ k = σ such that A = ϕ I [σ 0 ] ϕ R [σ 0,σ 1 ] ϕ R [σ k 1,σ k ] A formula ψ[x] is reachable (in k steps) from a formula ϕ[x] iff there is a sequence of states σ 0,...,σ k = σ s.t. A = ϕ[σ 0 ] ϕ R [σ 0,σ 1 ] ϕ R [σ k 1,σ k ] ψ[σ k ] Observation: M is safe wrt ψ iff ψ is not reachable from ϕ I iff ϕ I [x 0 ] ϕ R [x 0,x 1 ] ϕ R [x k 1,x k ] ψ[x k ] is unsatisfiable in A for all k 0. Berkeley, May 2007 p.23/28

71 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: Berkeley, May 2007 p.24/28

72 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: for all σ S, A = ϕ IR [σ] exactly when σ is reachable. Berkeley, May 2007 p.24/28

73 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: for all σ S, A = ϕ IR [σ] exactly when σ is reachable. Then, to check that M is safe wrt to a property ψ it suffices to check that ϕ IR [x] ψ[x] is unsatisfiable in A. Berkeley, May 2007 p.24/28

74 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: for all σ S, A = ϕ IR [σ] exactly when σ is reachable. Then, to check that M is safe wrt to a property ψ it suffices to check that ϕ IR [x] ψ[x] is unsatisfiable in A. This can be completely automated if the satisfiability in A of qffs is decidable. Berkeley, May 2007 p.24/28

75 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: for all σ S, A = ϕ IR [σ] exactly when σ is reachable. Then, to check that M is safe wrt to a property ψ it suffices to check that ϕ IR [x] ψ[x] is unsatisfiable in A. This can be completely automated if the satisfiability in A of qffs is decidable. Problem: Computing ϕ IR can be very expensive. Berkeley, May 2007 p.24/28

76 Strongest Inductive Invariant For a large class of systems M, we can compute from ϕ I and ϕ R the strongest inductive invariant ϕ IR for M: for all σ S, A = ϕ IR [σ] exactly when σ is reachable. Then, to check that M is safe wrt to a property ψ it suffices to check that ϕ IR [x] ψ[x] is unsatisfiable in A. This can be completely automated if the satisfiability in A of qffs is decidable. Problem: Computing ϕ IR can be very expensive. Good news: Craig interpolation can be used to reduce this cost. Berkeley, May 2007 p.24/28

77 Computing Strongest Inductive Invariants When ϕ IR is computable it is because it is the least fix point of an image operator Img : QFF QFF where Img(ϕ[x]) is the strongest (wrt = A, entailment in A) qff ϕ p [x] such that ϕ[x] ϕ R [x,x ] = A ϕ p [x ] ϕ IR = i 0 ϕi with ϕ 0 = ϕ I and ϕ i+1 = ϕ i Img(ϕ i ) Berkeley, May 2007 p.25/28

78 Computing Strongest Inductive Invariants When ϕ IR is computable it is because it is the least fix point of an image operator Img : QFF QFF where Img(ϕ[x]) is the strongest (wrt = A, entailment in A) qff ϕ p [x] such that ϕ[x] ϕ R [x,x ] = A ϕ p [x ] ϕ IR = i 0 ϕi with ϕ 0 = ϕ I and ϕ i+1 = ϕ i Img(ϕ i ) Computing Img, and so ϕ IR, is expensive because it involves quantifier elimination. Berkeley, May 2007 p.25/28

79 Computing Strongest Inductive Invariants When ϕ IR is computable it is because it is the least fix point of an image operator Img : QFF QFF where Img(ϕ[x]) is the strongest (wrt = A, entailment in A) qff ϕ p [x] such that ϕ[x] ϕ R [x,x ] = A ϕ p [x ] ϕ IR = i 0 ϕi with ϕ 0 = ϕ I and ϕ i+1 = ϕ i Img(ϕ i ) Computing Img, and so ϕ IR, is expensive because it involves quantifier elimination. However, Img might be much stronger than needed for proving that a property ψ is unreachable. Berkeley, May 2007 p.25/28

80 Computing Strongest Inductive Invariants When ϕ IR is computable it is because it is the least fix point of an image operator Img : QFF QFF where Img(ϕ[x]) is the strongest (wrt = A, entailment in A) qff ϕ p [x] such that ϕ[x] ϕ R [x,x ] = A ϕ p [x ] ϕ IR = i 0 ϕi with ϕ 0 = ϕ I and ϕ i+1 = ϕ i Img(ϕ i ) Computing Img, and so ϕ IR, is expensive because it involves quantifier elimination. Idea (McMillan, 2003): use interpolation to compute for each i 0 an adequate over-approximation ˆϕ i of ϕ i wrt ψ Berkeley, May 2007 p.25/28

81 How to compute ˆϕ IR for ψ incrementally Let k > 0, ˆϕ 0 = ϕ I [x] Base Case) Let: Γ 1 = ˆϕ 0 [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) Berkeley, May 2007 p.26/28

82 How to compute ˆϕ IR for ψ incrementally Let k > 0, ˆϕ 0 = ϕ I [x] Base Case) Let: Γ 1 = ˆϕ 0 [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is satisfiable in A, we are done: ψ is reachable from ϕ I in 1 to k steps. Berkeley, May 2007 p.26/28

83 How to compute ˆϕ IR for ψ incrementally Let k > 0, ˆϕ 0 = ϕ I [x] Base Case) Let: Γ 1 = ˆϕ 0 [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is unsatisfiable in A, compute an interpolant Γ[x 1 ] (wrt to = A ). Berkeley, May 2007 p.26/28

84 How to compute ˆϕ IR for ψ incrementally Let k > 0, ˆϕ 0 = ϕ I [x] Base Case) Let: Γ 1 = ˆϕ 0 [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is unsatisfiable in A, compute an interpolant Γ[x 1 ] (wrt to = A ). Γ[x] is an adequate over-approximation of Img(ϕ 0 ): Γ 1 = A Γ[x 1 ] = every state reachable from ϕ I is in Γ Γ Γ 2 = A = no state in Γ leads to ψ within k steps Berkeley, May 2007 p.26/28

85 How to compute ˆϕ IR for ψ incrementally Let k > 0, ˆϕ 0 = ϕ I [x] Base Case) Let: Γ 1 = ˆϕ 0 [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is unsatisfiable in A, compute an interpolant Γ[x 1 ] (wrt to = A ). Γ[x] is an adequate over-approximation of Img(ϕ 0 ): Γ 1 = A Γ[x 1 ] = every state reachable from ϕ I is in Γ Γ Γ 2 = A = no state in Γ leads to ψ within k steps Set ˆϕ 1 = ˆϕ 0 [x] Γ[x] Berkeley, May 2007 p.26/28

86 How to compute ˆϕ IR for ψ incrementally Assume we have computed ˆϕ i for i > 0. Step case) Let Γ 1 = ˆϕ i [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) Berkeley, May 2007 p.27/28

87 How to compute ˆϕ IR for ψ incrementally Assume we have computed ˆϕ i for i > 0. Step case) Let Γ 1 = ˆϕ i [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is unsatisfiable in A, compute an interpolant Γ as before Let ˆϕ i+1 = ˆϕ i [x] Γ[x] Berkeley, May 2007 p.27/28

88 How to compute ˆϕ IR for ψ incrementally Assume we have computed ˆϕ i for i > 0. Step case) Let Γ 1 = ˆϕ i [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is satisfiable in A, ψ is reachable from ϕ I in i + 1 to i + k steps in the overapproximated closure of ϕ R So, the satisfying paths of states might not be paths in the original system M. Berkeley, May 2007 p.27/28

89 How to compute ˆϕ IR for ψ incrementally Assume we have computed ˆϕ i for i > 0. Step case) Let Γ 1 = ˆϕ i [x 0 ] ϕ R [x 0,x 1 ] Γ 2 = ϕ R [x 1,x 2 ] ϕ R [x k 1,x k ] (ψ[x 1 ] ψ[x k ]) If Γ 1 Γ 2 is satisfiable in A, ψ is reachable from ϕ I in i + 1 to i + k steps in the overapproximated closure of ϕ R So, the satisfying paths of states might not be paths in the original system M. Then, increase k by 1 and restart the whole process. Berkeley, May 2007 p.27/28

90 Thank you Berkeley, May 2007 p.28/28

Combining Decision Procedures

Combining Decision Procedures Ashish Tiwari tiwari@csl.sri.com http://www.csl.sri.com/. Computer Science Laboratory SRI International 333 Ravenswood Menlo Park, CA 94025 Combining Decision Procedures (p.1