LRA Interpolants from No Man s Land. Leonardo Alt, Antti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland

Size: px

Start display at page:

Download "LRA Interpolants from No Man s Land. Leonardo Alt, Antti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland"

Marcia Riley
6 years ago
Views:

1 LR Interpolants from No Man s Land Leonardo lt, ntti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland

3 Motivation The goal: Finding the right proof The tool: Make interpolation on LR more flexible The application: LR for abstractions in software model checking The keywords: SMT solving, function summaries, labeled interpolation systems

4 Interpolants Given two formulas and B such that ^ B!? an interpolant is a formula I such that Vars(I) Vars() \ Vars(B)! I I ^ B!? B

5 Interpolants Given two formulas and B such that ^ B!? an interpolant is a formula I such that Vars(I) Vars() \ Vars(B)! I I ^ B!? I B

6 Interpolants Given two formulas and B such that ^ B!? an interpolant is a formula I such that Vars(I) Vars() \ Vars(B)! I I ^ B!? I I 0 B

7 Interpolants Given two formulas and B such that ^ B!? an interpolant is a formula I such that Vars(I) Vars() \ Vars(B)! I I ^ B!? I I 0 I 00 B

8 Interpolation in Proofs 1. Find a concrete proof for a simple case 2. Generalise the proof 3. Try to prove the general case

9 Interpolation in Proofs 1. Find a concrete proof for a simple case 2. Generalise the proof 3. Try to prove the general case S(x 0 ) {z } ^ T (x 0,x 1 ) ^...^ T (x k 1,x k ) ^ Err(x k ) {z } B B

10 Interpolation in Proofs 1. Find a concrete proof for a simple case 2. Generalise the proof 3. Try to prove the general case S(x 0 ) {z } ^ T (x 0,x 1 ) ^...^ T (x k 1,x k ) ^ Err(x k ) {z } B I(x) ^ T (x, x 0 )! I(x 0 ) I B

11 Example: HiFrog Given a C program and a set of assertions

12 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program

13 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program 2. Check the first assertion against the BMC instance srt 1

14 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program 2. Check the first assertion against the BMC instance 3. Compute an interpolant out of the proof srt 1 I

15 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program 2. Check the first assertion against the BMC instance 3. Compute an interpolant out of the proof 4. Use the interpolant for checking the consequent assertions srt 2 srt 1 I

16 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program 2. Check the first assertion against the BMC instance 3. Compute an interpolant out of the proof 4. Use the interpolant for checking the consequent assertions srt 2... srt 1 I

17 Example: HiFrog Given a C program and a set of assertions 1. Construct a BMC instance of the program 2. Check the first assertion against the BMC instance 3. Compute an interpolant out of the proof 4. Use the interpolant for checking the consequent assertions srt 2... srt 1 I srt n

18 Duality of Interpolants

19 Duality of Interpolants B

20 Duality of Interpolants I 0 B

21 Duality of Interpolants I 0 B

22 What is LR Given a set of linear inequalities over real-valued variables, determine if there are values for the variables that satisfy all the inequalities y 0 0.5x + 3y 2z 5 > y x 2 + 2xy + y 2 > 1 x In 2 dimensions: determine whether half planes have a non-empty intersection

23 Solving LR in SMT Instance Set of LR inequalities ST solver Theory solver determines satisfiability Unsat Unsat n explanation, subset of the LR inequalities Sat The theory solver for LR is based on the Simplex algorithm

24 Simplex in SMT pre-processing step: ll inequalities are written so that left side is a constant and right side a linear expression 0 x + 6y 4z 0.3 x + 2y 1 < x 2y + 3z We end up with two types of entities: Bounds on variables Bounds on sums of the variables The idea is to repeatedly adjust variable 5 > y 4 < y 2 > z 0 x values to satisfy bounds on the sums, and change the role of the variables and the sums y z x

25 Simplex Example 0 0.5x + 3y 2z 0.3 x + 2y 1 < x 2y + 3z x y 2 z

26 Simplex Example < y x y x

27 Simplex Example < y x y x

28 Simplex Example < y x y x

29 Simplex Example < y x y x

30 Simplex Example < y x y x

31 Simplex Example < y x y Just enough to fix the equality x

32 Simplex Example u = 0.5x + 3y 2z < y x y Just enough to fix the equality x

33 Simplex Example u = 0.5x + 3y 2z x = 2u 6y + 4z < y y Just enough to fix the equality x

34 Simplex Example u = 0.5x + 3y 2z x = 2u 6y + 4z < y u y Just enough to fix the equality x

35 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound

36 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound u u v v

37 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound u u v If an expression bound cannot be v satisfied since the variables are at their bounds, the problem is unsatisfiable

38 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound conflict is the unsatisfied expression and the set of expressions currently bounding its variables. u u v If an expression bound cannot be v satisfied since the variables are at their bounds, the problem is unsatisfiable

39 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound conflict is the unsatisfied expression and the set of expressions currently bounding its variables. u u v If an expression bound cannot be v satisfied since the variables are at their bounds, the problem is unsatisfiable (1 > 0.5v u)

40 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound conflict is the unsatisfied expression and the set of expressions currently bounding its variables. u u v If an expression bound cannot be v satisfied since the variables are at their bounds, the problem is unsatisfiable (1 > 0.5v u) (u > 3)

41 Simplex Example fter each adjustment 1. The expressions change 2. One variable is fixed to its bound conflict is the unsatisfied expression and the set of expressions currently bounding its variables. u u v If an expression bound cannot be v satisfied since the variables are at their bounds, the problem is unsatisfiable (1 > 0.5v u) (u > 3) (v < 3)

42 LR Interpolation ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 ssume that (u > 3) B and (v < 3), (1 > 0.5v u).

43 LR Interpolation ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

44 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

45 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 (0.5v u 1) u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

46 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 (0.5v u 1) u + 0.5(3 v) B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

47 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 (0.5v u 1) u + 0.5(3 v) B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

48 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 -u u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

49 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 0 < -u u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

50 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression u < 0.5 bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

51 LR Interpolation The interpolant for is obtained by summing to the expression the bounds in multiplied by their factors in the expression: ssume that the expression u < 0.5 bound that could not be satisfied was 1 > 0.5v u and the bounds for the variables u, v were u > 3 v < 3 u B ssume that (u > 3) B and (v < 3), (1 > 0.5v u). v

52 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x)

53 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x) u B v

54 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x) u B v

55 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x) u B v

56 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x) ll the inequalities of the form c < t(x), c1 c < c2 are also interpolants for u B v

57 Duality-based Interpolation for LR Given a primal interpolant I = c1 t(x), the dual interpolant has the form I = c2 < t(x) ll the inequalities of the form c < t(x), c1 c < c2 are also interpolants for u B I I v

58 Duality-based Interpolation for LR Given a primal interpolant In the I = c1 t(x), the dual interpolant has the form u I = c2 < t(x) B paper ll the inequalities of the form c < t(x), c1 c < c2 are also interpolants for I I v

59 Interpolant Duality Visualized B

60 Interpolant Duality Visualized B c1=t(x) c2=t(x)

61 Interpolant Duality Visualized B Land B c1=t(x) Land c2=t(x)

62 Interpolant Duality Visualized B Land B c1=t(x) No man s land Land c2=t(x)

63 Interpolant Duality Visualized α(c2 c 1 )+c 1 =t(x) B Land B c1=t(x) No man s land Land c2=t(x)

64 Interpolant Duality Visualized α(c2 c 1 )+c 1 =t(x) B Land B c1=t(x) No man s land Land c2=t(x)

65 Experiments on SV-COMP and HiFrog

66 The rchitecture Overview Model Checker OpenSMT B SMT Solver Partitions and B UNST proof Interpolation Module ST/UNST Interpolant Proof analysis Labelling Interpolator Boolean UNST proof statistics Boolean UNST proof Labelling Boolean LR Partitions and B LR Partitions and B LR

67 Implemented in HiFrog SMT Encoder Propositional summaries Sources + ssertions ssertion traversal LR Prop LR summaries Summary refiner ST Interpolating SMT Solver Theory solvers proof proof compressor Error trace Prop ITP Interpolation-based summaries LR ITP ssertion holds

68 Results on SMT-LIB Experiments with three LR labelling functions: Strong: the primal interpolant Weak: the dual interpolant c = 0.5: the interpolant between dual and primal

69 Experiments on HiFrog ITP floppy1 kbfiltr1 diskperf1 mem disk Σ Strong c = Weak Number of HiFrog refinements (fixed propositional ITP algorithm) The difference between minimum and maximum is ~ 15% The c = 0.5 ITP provides the best results

70 Related Work Nikolaj Bjørner, rie Gurfinkel: Property Directed Polyhedral bstraction. VMCI 2015 Pudlák: Lower bounds for resolution and cutting plane proofs and monotone computations. Journal of Symbolic Logic McMillan: n Interpolating Theorem Prover. Theoretical Computer Science D Silva, Kroening, Purandare, and Weissenbacher: Interpolant Strength. VMCI lbarghouthi, McMillan: Beautiful interpolants. CV Dutertre, de Moura: fast linear-arithmetic solver for DPLL(T). Logical Methods in Computer Science lt, Hyvärinen, sadi, and Sharygina: Duality-Based Interpolation for Quantifier-Free Equalities and Uninterpreted Functions. FMCD 2017.

71 Conclusions LR interpolation with controlled strength Provides an infinite family of interpolants based on interpolation duality Integrated into a model checker Future work Better heuristics for the labelling function pply to fix-point computations in other MC applications Implementations available at

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg Interpolation Seminar Slides Albert-Ludwigs-Universität Freiburg Betim Musa 27 th June 2015 Motivation program add(int a, int b) { var x,i : int; l 0 assume(b 0); l 1 x := a; l 2 i := 0; while(i < b) {