Complete Instantiation-Based Interpolation

Transcription

1 Complete Instantiation-Based Interpolation Nishant Totla Indian Institute o Technology Bombay nishant.totla@gmail.com Thomas Wies New York University wies@cs.nyu.edu Abstract Craig interpolation has been a valuable tool or ormal methods with interesting applications in program analysis and veriication. Modern SMT solvers implement interpolation procedures or the theories that are most commonly used in these applications. However, many application-speciic theories remain unsupported, which limits the class o problems to which interpolation-based techniques apply. In this paper, we present a generic ramework to build new interpolation procedures via reduction to existing interpolation procedures. We consider the case where an application-speciic theory can be ormalized as an extension o a base theory with additional symbols and axioms. Our technique uses inite instantiation o the extension axioms to reduce an interpolation problem in the theory extension to one in the base theory. We identiy a modeltheoretic criterion that allows us to detect the cases where our technique is complete. We discuss speciic theories that are relevant in program veriication and that satisy this criterion. In particular, we obtain complete interpolation procedures or theories o arrays and linked lists. The latter is the irst complete interpolation procedure or a theory that supports reasoning about complex shape properties o heap-allocated data structures. We have implemented this procedure in a prototype on top o existing SMT solvers and used it to automatically iner loop invariants o list-manipulating programs. Categories and Subject Descriptors D.2.4 [Sotware Engineering]: Sotware/Program Veriication; F.3.1 [Logics and Meaning o Programs]: Speciying and Veriying and Reasoning about Programs; I.2.3 [Artiicial Intelligence]: Deduction and Theorem Proving General Terms Algorithms, Theory, Reliability, Veriication Keywords Craig Interpolants, Decision Procedures, Satisiability Module Theories, Program Analysis, Data Structures 1. Introduction In his pioneering work [37], McMillan recognized the useulness o Craig interpolants [13] or the automated construction o abstractions o systems. Since then, interpolation-based algorithms have been developed or a number o problems in program analysis and veriication [1, 15, 17, 24, 25, 31, 34, 39]. An important requirement or most o these algorithms is that interpolants are ground (i.e., quantiier-ree). This is because the computed in- [Copyright notice will appear here once preprint option is removed.] terpolants again serve as input to decision procedures that only support quantiier-ree ormulas. Modern SMT solvers implement ground interpolation procedures or the theories that are most commonly used in program veriication. This includes theories such as linear arithmetic [8, 9, 23, 38], the theory o uninterpreted unction symbols with equality [19, 38, 51], and combinations o such theories [11, 21, 38, 51]. However, many application-speciic theories remain unsupported. This limits the class o problems and programs to which interpolation-based algorithms can be applied. In this paper, we present a generic ramework that enables the modular construction o ground interpolation procedures or application-speciic theories via a reduction to existing interpolation procedures. We ocus on cases where an application-speciic theory can be ormalized as an extension o a base theory with additional symbols and universally quantiied axioms. As an example o such a theory extension, consider the theory o arrays over integers. Here, the base theory is the theory o linear integer arithmetic, the extension symbols are the array selection and update unctions, and the extension axioms are McCarthy s read over write axioms [36], which give meaning to the extension symbols. Theory extensions oten appear in practice, e.g., as part o the background theories o veriication systems such as BOOGIE [3] and WHY [18], and the tools that are built on top o these systems. Our starting point is the approach to instantiation-based interpolation or local theory extension presented in [47]. Local theory extensions [46] are extensions or which satisiability o ground ormulas can be decided via a reduction to satisiability in the base theory. The reduction works by instantiating the extension axioms only with terms that already appear in the input ormula. In [47], this instantiation-based reduction approach is applied to the problem o computing ground interpolants in local theory extensions. This technique is used, e.g., in the interpolation procedures underlying the sotware model checker ARMC [44] and the interpolating prover CSIsat [6]. In [47], the instantiation-based interpolation approach was shown to be complete or a syntactically deined class o local theory extensions. Unortunately, many interesting application-speciic theories do not all into this class. Instead o imposing syntactic restrictions, we identiy a stronger condition on the theory extension than just locality to ensure completeness o instantiation-based interpolation. We then relate this condition to a semantic property o the models o the theory extension. We reer to this property as the partial amalgamation property. This property allows us to systematically construct theory extensions or which the instantiation-based approach produces a complete ground interpolation procedure. The resulting ramework then applies to a more general class o theory extensions than [47]. We discuss several non-trivial examples o theories that are relevant in program veriication and to which our ramework applies. In particular, we consider the theory o arrays with dierence unction [10]. Using our approach we obtain an alternative ground interpolation procedure or this theory. Unlike the procedure presented in [10], our procedure does not require a dedicated decision proce /9/12

2 dure or this speciic array theory. Instead, it reduces the interpolation problem to existing interpolation procedures or uninterpreted unctions and linear arithmetic. The second example that we discuss in detail is a variation o Nelson s theory o linked lists with reachability predicates [41], which was studied more recently in [35]. We show that this theory does not admit ground interpolation, unless it is extended (among others) with an additional join unction. Given two heap nodes, the join unction returns the join point o the two list segments that start in the given nodes (i such a join point exists). Incidentally, the join unction is not just o theoretical interest, but is also useul to express properties about the heap that are important or veriying rame conditions. We prove that our extended theory o linked lists with reachability has partial amalgamation. Using our approach we then obtain the irst ground interpolation procedure or a theory that supports reasoning about complex shape properties o heapallocated data structures. This interpolation procedure has promising applications in CEGAR-based shape analysis [5, 42] and may also provide a new perspective on the construction o shape domains in parametric shape analysis [45]. To show the easibility o our approach, we have implemented a prototype o our interpolation ramework and instantiated it or the theory o linked lists presented in this paper. We have successully applied the resulting interpolation procedure to automatically iner loop invariants or the veriication o list-manipulating programs. Summary. The main contributions o this paper can be summarized as ollows: We present a new ramework to modularly construct interpolation procedures or application-speciic theories. We present a model-theoretic criterion that allows us to identiy the theories or which our interpolation ramework is complete. We present examples o theories that are important or program veriication and to which our ramework applies. In particular, we present the irst decidable theory or reasoning about complex shape properties o heap-allocated data structures that admits ground interpolation. We report on our experience with a prototype implementation o our ramework, which we have successully used to iner loop invariants o simple list-manipulating programs. This technical report is an extended version o a paper appearing in POPL 13 [49]. 2. Motivation and Overview We motivate our approach using the concrete application o interpolation to the problem o inerring invariants or program veriication. Consider the reverse unction given in Figure 1. This unction takes a pointer x to a singly-linked list as input, reverses the list, and then returns a pointer to the head o the reversed list. Our goal is to veriy that the reverse unction preserves acyclicity, i.e., i the input list is acyclic, then so is the output list. We can express acyclicity o list x by saying that null is reachable rom x by ollowing the n pointer ields in the heap. Using the notation that we ormally introduce in Section 5.2, this is denoted by the reachability predicate x n null. Hence, the property we want to veriy is that i the pre-condition x n null holds at the entry point o unction reverse, then the same ormula holds again at the return point. The graph in Figure 1 depicts an intermediate state o the heap that is observed during the execution o reverse when the unction is applied to an acyclic list o length six. This state is observed at the entry point o the while loop, ater the irst three iterations o the loop. An appropriate inductive loop invariant or a Hoare proo o typede struct Node { struct node n; int data; } List ; v n 0 v n 1 v 2 prev x n null curr v 3 v 4 v n n 5 n List reverse ( List x) { List prev, curr, succ; curr = x; prev = null ; while ( curr!= null ) { succ = curr.n; curr.n = prev; prev = curr; curr = succ; } x = prev; return x; } Figure 1. C code or in-place reversal o a linked list. The graph depicts a reachable program state at the entry point o the while loop in unction reverse. our veriication goal must capture the situation depicted in Figure 1, but abstract rom the concrete length o the list segments. That is, the loop invariant must express that the list segments pointed to by prev and curr are acyclic (in act, only the ormer is strictly necessary or the proo), and that the two list segments are disjoint. An appropriate inductive loop invariant is given by the ollowing ormula: prev n null curr n null (prev n curr) = null (1) The term (prev n curr) denotes the join point o the list segments starting rom prev and curr, i.e., (prev n curr) is the irst node that is reachable rom both prev and curr by ollowing n pointer ields in the heap, unless such a node does not exist, in which case its value is prev. The ormula (prev n curr) = null, thus, implies the disjointness o the two list segments. Note that this ormula cannot be expressed in terms o the reachability predicate, unless we allow universal quantiication over heap nodes. We next describe how to compute inductive loop invariants such as (1) using our instantiation-based interpolation approach. 2.1 Interpolation-Based Program Veriication Given an unsatisiable conjunction o ormulas A B, an interpolant or A B is a ormula I such that I is implied by A, the conjunction I B is unsatisiable, and I only speaks about common symbols o A and B. A popular approach to interpolation-based veriication uses bounded model checking to generate ineasible error traces o the analyzed program. These ineasible error traces are then translated into unsatisiable ormulas A B, where A and B encode a partition o the trace into a preix and suix trace. An interpolant I or A B then describes a set o program states that (1) includes all states that are reachable by executing the preix o the trace and (2) only includes states rom which no easible execution o the suix is possible. The interpolant I is then used as a candidate invariant to reine the search or additional ineasible error traces. This process is continued until a ixed point is reached, i.e., until an inductive invariant has been computed that proves the program correct. We illustrated this approach through an example. The let-hand side o Figure 2 shows an error trace o unction reverse that is obtained by unrolling the while loop three times. The irst and last assume statements correspond to the pre-condition, respectively, the negated post-condition o reverse. This error trace is ineasible, i.e., there is no execution that reaches the end o the trace (note that a ailing assume statement blocks an execution). The right-hand side o Figure 2 shows an encoding o this error trace into a irst-order ormula using static single assignments. Note that the symbols,., and [ := ] are interpreted. That /9/12

3 9 assume x n null; curr = x; prev = null; >= assume curr!= null; succ = curr.n; curr.n = prev; prev = curr; >; curr = succ; 9 assume curr!= null; succ = curr.n; curr.n = prev; prev = curr; curr = succ; assume curr!= null; succ = curr.n; curr.n = prev; prev = curr; curr = succ; assume curr == null; x = prev; assume!(x n null); >= >; A B 8 n x 0 0 null curr 0 = x 0 >< prev 0 = null curr 0 null succ 1 = curr 0.n 0 n 1 = n 0[curr 0 := prev 0 ] >: prev 1 = curr 0 8 curr 1 = succ 1 curr 1 null succ 2 = curr 1.n 1 n 2 = n 1[curr 1 := prev 1 ] prev 2 = curr 1 curr 2 = succ 2 >< curr 2 null succ 3 = curr 2.n 2 n 3 = n 2[curr 2 := prev 2 ] prev 3 = curr 2 curr 3 = succ 3 curr 3 = null x 1 = prev 3 >: n (x 3 1 null) Figure 2. Spurious error trace o unction reverse and its encoding as a trace ormula is, they are given meaning by a speciic irst-order theory, here the theory o linked lists with reachability that we introduce in Section 5.2. The symbol is interpreted as described above. The symbol. denotes ield dereerence and the symbol [ := ] ield update. The remaining symbols such as curr 0 and n 1 are uninterpreted. We call this ormula the trace ormula o the error trace because the valuations o uninterpreted symbols that make the trace ormula true exactly correspond to the easible executions o the trace. Since the error trace is ineasible, its trace ormula is unsatisiable. We can now split the trace ormula into two parts A and B, say, where A corresponds to the preix o the trace up to the end o the irst iteration o the while loop and B to the remainder o the trace. This is depicted in Figure 2. Since A B is unsatisiable, we can interpolate the two ormulas. A possible ground interpolant or this choice o A and B is: n prev 1 n 1 null 1 n 1 curr1 null prev1 curr 1 = null (2) Note that this is a valid interpolant or A and B. In particular, it only speaks about uninterpreted symbols that are common to both A and B. Further note that (modulo renaming o variables) ormula (2) exactly corresponds to the inductive loop invariant (1) o reverse. Formula (2) is also the exact interpolant that the prototype implementation o our interpolation ramework produces or this particular conjunction A B. We next describe through an example how our interpolation ramework works in detail. 2.2 Instantiation-Based Interpolation through an Example Our interpolation ramework is parameterized by a theory extension. This theory extension consists o the base theory, or which we assume that a ground interpolation procedure exists, and the symbols and axioms that extend the base theory. In our example, we consider the theory o linked lists with reachability, where the base theory is the empty theory. That is, the base theory only supports uninterpreted constants and equality. The extension symbols are the symbols,., and [ := ], which we described earlier, as well as the constrained reachability predicate /. Intuitively, a /c b means that b is reachable via an -path rom a that does not go through c. In particular, a b is simply a shorthand or a /b b. The meaning o the extension symbols is given by the extension axioms shown in Figure 6 o Section 5.2. All ree variables appearing in these axioms are implicitly universally quantiied. Note in particular how the constrained reachability predicate is used to deine reachability with respect to an updated ield [u := v] in terms o reachability with respect to ield. In the ollowing, we denote this set o extension axioms by K. Instantiation-based interpolation reduces the computation o interpolants in the theory extension to the problem o computing interpolants in the base theory, thus, eectively building new interpolation procedures by reusing existing ones. The reduction works by turning the interpreted extension symbols into uninterpreted ones. This is accomplished by generating initely many ground instances K[T ] o the extension axioms K or a inite set o terms T that is computed rom the input ormula A B. The set o terms T is chosen such that the ormula K[T ] A B is already unsatisiable in the base theory. I in addition, the set K[T ] does not contain instances that mix non-shared symbols o A and B, then K[T ] can be partitioned into K[T ] = K[T A] K[T B] where K[T A] contains only symbols o A and K[T B] only symbols o B. That is, we obtain an instance A 0 B 0 o an interpolation problem or the base theory (modulo uninterpreted unctions) where A 0 = K[T A] A and B 0 = K[T B] B. We then compute a ground interpolant I 0 or A 0 B 0 using the interpolation procedure or the base theory. Finally, rom I 0 we reconstruct a ground interpolant I or A B. We illustrate this approach by computing an interpolant or the ollowing ormula A B: c a a. = c c b b {z } {z } c A B Note that this conjunction is unsatisiable in the theory o linked lists with reachability because A implies that c lies on an cycle, while B implies that this is not the case. From the ormula A B we compute the sets o terms T A and T B that we use to instantiate the extension axioms. In our example, we use T A = {a, c, c.} and T B = {b, c, c.}. Figure 3 then shows the resulting sets o ground clauses A 0 = A K[T A] and B 0 = B K[T B]. Note that we omit all instances o extension axioms that are not needed to prove unsatisiability o A 0 B 0. To see why the conjunction A 0 B 0 is unsatisiable, suppose that a = c. Then clause 2 in A 0 implies c. = c. I on the other hand a c, then clauses 4 and 2 imply a c. Hence together with 8 and 6 this implies a /a c. c. a. I c. a, then 3 implies c. c. I a /a c. then rom 7 ollows again c. c because otherwise clause 5 gives a = c, which contradicts the assumption. Thus, A 0 implies the ormula I c =.c c. c. Using similar reasoning we can show that I B 0 is unsatisiable. Since I only speaks about common symbols o A 0 and B 0, it is an interpolant or A 0 B 0 and hence also or A B. Note that in the above derivation o the interpolant I, all unction and predicate symbols in A 0 and B 0 where treated as uninterpreted symbols, i.e., we can compute I by applying an interpolation procedure or the theory o uninterpreted unctions with equality to the ormula A 0 B 0. We thus reduced the problem o computing ground interpolants in the theory o linked lists with reachability to computing ground interpolants in the combination o the base theory (which is empty in our case) with the theory o uninterpreted unctions and equality. The crux o this instantiation-based reduction approach is whether it is indeed always possible to compute sets o terms T A and T B rom A B such that the reduced ormula A 0 B 0 is an interpolation problem or the base theory. That is, to ind T A and T B (3) /9/12

4 z A 0 } { z B 0 } { 1 : c a 1 : c b 2 : a. = c 3 : c. a a c c. c 4 : a /c a. a = c 5 : a /a c a = c 6 : c /a c. c = a 7 : a c a /a c. a /c c. c. c a /a c c /a c. 8 : c /a c. c a a /a c. c. a 9 :... 2 : b c 3 : c /b c. c. /b c c. b c /c c. 4 : c. c c b c. b 5 : c /c.c c = c. 6 : c /b.c c = b 7 : c. = c c b c = b 8 : c. c c. b c. /c b b c c. /b c c b 9 :... Figure 3. Interpolation problem A 0 B 0 that is obtained rom (3) ater instantiation o the extension axioms. All unction and predicate symbols are uninterpreted. such that (1) A 0 B 0 is unsatisiable and (2) A 0, B 0 do not share terms that are not already shared by A, B. It is here where our semantic completeness criterion o partial amalgamation comes into play. It allows us to systematically construct these sets o terms. 3. Preliminaries In the ollowing, we deine the syntax and semantics o ormulas. We urther recall the notions o partial structures and (Ψ-)local theory extensions as deined in [28, 46]. Finally, we deine the problem that interpolation problems we are considering. Sorted irst-order logic. We present our problem in sorted irstorder logic with equality. A signature Σ is a tuple (S, Ω), where S is a countable set o sorts and Ω is a countable set o unction symbols with associated arity n 0 and associated sort s 1 s n s 0 with s i S or all i n. Function symbols o arity 0 are called constant symbols. We assume that all signatures contain a dedicated sort bool S and dedicated equality symbols = s Ω o sort s s bool or all sorts s S \{bool}. Note that we generally treat predicate symbols o sort s 1,..., s n as unction symbols o sort s 1... s n bool and we typically drop sort annotations rom equality symbols. Terms are built as usual rom the unction symbols in Ω and (sorted) variables taken rom a countably ininite set X that is disjoint rom Ω. A term t is said to be ground, i no variable appears in t. A Σ-atom A is a Σ-term o sort bool. We use inix notation or atoms built rom the equality symbol. A Σ-ormula F is deined via structural recursion as either one o A, F 1, F 1 F 2, or x : s.f 1, where A is a Σ-atom, F 1 and F 2 are Σ-ormulas, and x X is a variable o sort s S. We typically omit sort annotations rom quantiiers i this causes no conusion. We use syntactic sugar or Boolean constants (, ), disjunctions (F 1 F 2), implications (F 1 F 2), and existential quantiication ( x.f 1). Total and partial structures. Given a signature Σ = (S, Ω), a partial Σ-structure M is a unction that maps each sort s S to a non-empty set M(s) and each unction symbol Ω o sort s 1 s n s 0 to a partial unction M() : M(s 1) M(s n) M(s 0). We denote by [M] the support o M which is the non-disjoint union o the interpretation o all sorts in M. We assume that all partial structures interpret the sort bool by the two-element set o Booleans {0, 1}. We urther assume that all structures M interpret each symbol = s by the equality relation on M(s). A partial structure M is called total structure or simply structure i it interprets all unction symbols by total unctions. For a Σ-structure M where Σ extends a signature Σ 0 with additional sorts and unction symbols, we write M Σ0 or the Σ 0-structure obtained by restricting M to Σ 0. Given partial Σ- structures M and N, a weak embedding o M into N is a total injective unction h : [M] [N] such that or all Σ, and a 1,..., a n M, i M() is deined on (a 1,..., a n) then N() is deined on (h(a 1),..., h(a n)) and h(m()(a 1,..., a n)) = N()(h(a 1),..., h(a n)). I h is a weak embedding between M and N, then we denote this by h : M N. We say that M weakly embeds into N i a weak embedding o M into N exists. A weak embedding between total structures is simply called embedding. I M weakly embeds into N and [M] [N], we call M a (partial) substructure o N, which (abusing notation) is denoted by M N. Given a total structure M and a variable assignment β : X M, the evaluation t M,β o a term t in M, β is deined as usual. For the evaluation o a ground term t in M we write just M(t). A quantiied variable o sort s ranges over all elements o M(s). From the interpretation o terms the notions o satisiability, validity, and entailment o atoms, ormulas, clauses, and sets o clauses in total structures are derived as usual. In particular, we use the standard interpretation o propositional connectives in classical logic. We write M, β = F i M satisies F under β where F is a ormula, a clause, or a set o clauses. We write M = F i F is valid in M. In this case we also call M a model o F. The interpretation t M,β o a term t in a partial structure M is as or total structures, except that i t = (t 1,..., t n) or Ω then t M,β is undeined i either t im,β is undeined or some i, or (t 1M,β,..., t nm,β ) is not in the domain o M(). We say that a partial structure M weakly satisies a literal L under β, written M, β = w L, i (i) L is an atom A and either A M,β = 1 or A M,β is undeined, or (ii) L is a negated atom A and either A M,β = 0 or A M,β is undeined. The notion o weak satisiability is extended to (sets o) clauses as or total structures. A clause C (respectively, a set o clauses) is weakly valid in a partial structure M i M weakly satisies C or all assignments β. We then call M a weak partial model o C. Theories and theory extensions. A theory T over signature Σ is simply a set o Σ-ormulas. We consider theories T deined as a set o Σ-ormulas that are consequences o a given set o clauses K. We call K the axioms o the theory T and we oten identiy K and T. For a theory T and ormulas (clauses, sets o clauses) F and G, we use F = T G as a short-hand or T F = G. Let Σ 0 = (S 0, Ω 0) be a signature and assume that signature Σ 1 = (S 0 S e, Ω 0 Ω e) extends Σ 0 by new sorts S e and unction symbols Ω e. We call the elements o Ω e extension symbols and terms starting with extension symbols extension terms. A theory T 1 over Σ 1 is an extension o a theory T 0 over Σ 0, i T 1 is obtained rom T 0 by adding a set o (universally quantiied) Σ 1-clauses K. Ψ-local theory extensions. The ollowing deinition captures one speciic variant o (Ψ-)local theory extensions that is discussed together with other variants o this notion in [46] and [28]. Let T be a theory over signature Σ 0 = (S 0, Ω 0) and T 1 = T 0 K a theory extension o T 0 with inite K and signature Σ 1 = (S 0 S e, Ω 0 Ω e). In the ollowing, when we reer to a set o ground clauses G, we assume they are over the signature Σ c 1 which extends Σ 1 with a set o new constant symbols Ω c. For a set o clauses K, we denote by st(k) the set o all ground subterms that appear in K. An embedding closure or T 1 is a unction Ψ associating with a set o (universally quantiied) clauses K and a inite set o ground terms T a inite set Ψ(T ) o ground terms /9/12

5 such that (i) all ground subterms in K and T are in Ψ(T ); (ii) Ψ is monotone, i.e., or all sets o ground terms T, T i T T then Ψ(T ) Ψ(T ); (iii) Ψ is idempotent, i.e., or all sets o ground terms T, Ψ(Ψ(T )) Ψ(T ). (iv) Ψ is compatible with any map h between constants, i.e., Ψ(h(T )) = h(ψ(t )) where h is homomorphically extended to terms. For a set o ground clauses G, we denote by Ψ(G) the set Ψ(st(G)). Let K[Ψ(G)] be the set o instances o K in which all extension terms are in Ψ(G). We say that T 1 = T 0 K is a Ψ-local theory extension i there exists an embedding closure Ψ such that or every inite set o ground clauses G, T 1 G = i T 0 K[Ψ(G)] G =. Theory extension T 1 = T 0 K is a local theory extension, i it is a Ψ-local extension, where Ψ is deined as Ψ(T ) = st(k) st(t ). Craig interpolation modulo theories. We use a notion o Craig interpolation modulo theories where interpreted symbols are considered to be shared between ormulas. Let Σ be a signature and T a Σ-theory. Let urther Σ c be the signature Σ extended with resh constant symbols Ω c. We say that a Σ c -term t is shared between two sets o Σ c -terms T A and T B, i all constants rom Ω c in t appear in both T A and T B, i.e., st(t) Ω c st(t A) st(t B). We say that t is T A-pure i st(t) Ω c st(t A), respectively, t is T B-pure i st(t) Ω c st(t B). We extend these notions rom sets o terms T A and T B to clauses and sets o clauses, as expected. Given a conjunction A B o Σ c -ormulas A, B that is unsatisiable in T, a Craig interpolant or A B is a Σ c -ormula I such that: (a) I is a consequence o A in T : A = T I, (b) the conjunction o I and B is unsatisiable in T : I B = T, and (c) all terms in st(i) are shared between A and B. We say that T admits ground interpolation i or all inite sets o Σ c -ground clauses A and B with A B = T, there exists a inite set o Σ c -ground clauses I that is a Craig interpolant or A B. 4. Instantiation-Based Interpolation We now present our ramework or instantiation-based interpolation. In the ollowing, when we reer to a theory extension T 1 = T 0 K, we denote by Σ 0 the signature o T 0 and by Σ 1 = Σ 0 Σ e the signature o T 1, where Σ e = (S e, Ω e) are the extension symbols and sorts. In the case o local theories, the instantiation-based reduction approach to interpolation works as ollows [47]. Suppose we are given sets o ground clauses A and B over Σ 1, whose conjunction is unsatisiable in T 1. The goal is to compute a ground interpolant I or A B. Locality tells us that we can reduce the problem o checking (un)satisiability o A B in T 1 to checking (un)satisiability o K[A B] A B in T 0. Here, K[A B] is the (inite) set o instances o clauses in K that are obtained by replacing the ree variables appearing below extension terms in K with ground subterms appearing in K A B, such that all resulting ground extension terms in K[A B] already appear in A B. The instances K[A B] can be partitioned into A-pure instances K A (obtained by instantiating clauses in K with terms rom A only), B-pure instances K B (obtained by instantiating clauses in K with terms rom B only), and mixed instances K C (obtained by instantiating clauses in K with terms rom both A and B). I it is possible to ind a inite set o non-mixed terms that separates the mixed instances K C into sets o A-pure instances K C,A and B-pure instances K C,B, then we obtain an interpolation problem or the base theory A 0 B 0 = T0. Here, A 0 and B 0 are the results o applying Ackermann s expansion to eliminate the extension symbols rom the sets o clauses K A K C,A A, respectively, K B K C,B B. From a ground interpolant I 0 or A 0 B 0 one can then easily reconstruct a ground interpolant I or A B. The question is whether it is indeed possible to separate the instances K C into A-pure and B-pure parts. The result in [47] idenproc Interpolate input T 1 = T 0 K : theory extension Interpolate 0 : ground interpolation procedure or T 0 T EUF W : amalgamation closure or T 1 A, B : sets o ground Σ c 1-clauses with A B = T1 begin A 0 := A K[W (A, B)] B 0 := B K[W (B, A)] I := Interpolate 0 (A 0, B 0) return I end Figure 4. Generic instantiation-based interpolation procedure. tiies suicient conditions on the theory extension to ensure this. Unortunately, these restrictions are quite severe. In particular, the axioms in K are required to be Horn clauses o a speciic orm, which rules out many interesting applications. Instead o imposing such syntactic restrictions on the theory, we irst identiy a stronger completeness condition on the theory extension than just (Ψ-)locality and then relate this condition to a semantic condition on the models o the theory. By combining these two results, we obtain a ramework o complete instantiation-based ground interpolation procedures or a more general class o theory extensions. 4.1 W -Separable Theories To ormalize the set o terms that is required to separate the mixed instances o A and B, we introduce the notion o an amalgamation closure. An amalgamation closure or a theory extension T 1 = T 0 K is a unction W associating with inite sets o ground terms T A and T B, a inite set W (T A, T B) o ground terms such that (i) all ground subterms in K and T A are in W (T A, T B); (ii) W is monotone, i.e., or all T A T A, T B T B, W (T A, T B) W (T A, T B); (iii) W is a closure, i.e., W (W (T A, T B), W (T B, T A)) W (T A, T B); (iv) W is compatible with any map h between constants satisying h(c 1) h(c 2), or all constants c 1 st(t A), c 2 st(t B) that are not shared between T A and T B, i.e., or any such h we require W (h(t A), h(t B)) = h(w (T A, T B)); and (v) W (T A, T B) only contains T A-pure terms. For sets o ground clauses A, B we write W (A, B) as a shorthand or W (st(a), st(b)). For the remainder o this section W always reers to an amalgamation closure. We next identiy the cases where the instances o extension axioms can be separated. Deinition 1. We say that a theory extension T 1 = T 0 K is W - separable i or all sets o ground clauses A, B, T 1 A B = i T 0 K[W (A, B)] A K[W (B, A)] B =. From this deinition we directly obtain the ollowing theorem. Theorem 2. I T 1 = T 0 K is W -separable, then it is Ψ-local where Ψ is deined by Ψ(T ) = W (T, T ), or all sets o ground terms T. Our generic instantiation-based interpolation procedure is described in Figure 4. Procedure Interpolate reduces the given interpolation problem A B or the theory extension T 1 = T 0 K, to an interpolation problem A 0 B 0 in T 0 T EUF, where T EUF is the theory o uninterpreted unction symbols with equality. For W - separable theory extensions, procedure Interpolate is sound and complete, provided that a complete ground interpolation procedure Interpolate 0 or T 0 T EUF exists: Theorem 3. Let T 1 = T 0 K be a theory extension such that: /9/12

6 1. T 0 T EUF has a ground interpolation procedure Interpolate 0, 2. all ree variables in K appear below extension symbols, and 3. T 1 T 0 is W -separable. Then Interpolate is a ground interpolation procedure or T 1. Proo. Let T = T 0 K be such that it satisies all assumptions and let A, B be Σ c 1-ground clauses with A B = T1. Since T 1 T 0 is W -separable, we have that A 0 B 0 = T0. It ollows that A 0, B 0 is an instance o a ground interpolation problem or the theory extension o T 0 with ree extension symbols rom Σ e. We can hence use the ground interpolation procedure Interpolate 0 to compute a ground interpolant I or A 0, B 0. Since K implies K[W (A, B)] we conclude rom A 0 = T0 I that K A = T0 I holds, and hence A = T1 I. Following a similar argument we conclude that B I = T1. From property (v) o W ollows that the common ree constants o A and B are the same as those o A 0 and B 0. Hence I is a ground interpolant or A, B modulo T Identiying W -Separable Theories We now present our semantic criterion to identiy W -separable theories. Let us begin by recalling the model theoretic notion o amalgamation [32]. An amalgam or a theory T is a tuple (M A, M B, M C) where M A, M B, M C are models o T with M A M C M B and [M C] = [M A] [M B]. Theory T has the amalgamation property i or every amalgam (M A, M B, M C) o T, there exists a model M D o T, and embeddings h A : M A M D and h B : M B M D such that h A [MC ] = h B [MC ]. I in addition h A[M A] h B[M B] = h A[M C] = h B[M C] where or any sets X Y and unction with domain Y, X = { (x) x X }, then T is said to have the strong amalgamation property. Note that T has the strong amalgamation property i or all models M A, M B, M C o T with M A M C M B and [M C] = [M A] [M B] there exists a model M D o T with M A M D M B. It is well-known that amalgamation and ground interpolation are strongly related: Theorem 4 ([2]). A theory T has ground interpolation i T has the amalgamation property. Theorem 4 provides an eective tool to check whether a given theory admits ground interpolation. Unortunately, the amalgamation property only tells us that ground interpolants exist, not how to compute them (other than by brute-orce enumeration). To remedy this act, we deine a related notion o partial amalgamation that reers to partial instead o total models and weak embeddings instead o embeddings. This notion allows us to characterize W - separable theories. Together with Theorem 3, we then obtain a powerul model theoretic criterion that does not just allow us to prove the existence o ground interpolants, but also tells us how to generically construct the accompanying interpolation procedure by applying Theorem 3. For a weak partial model M o a theory extension T 1 = T 0 K, we denote by T (Ω e, M) the set o terms T (M) = { (a 1,..., a n) a i [M], Ω e, M()(a 1,..., a n) deined } where we treat the elements o the support [M] as constant symbols that are interpreted by themselves. Further, we denote by PMod(T 1) the set o all weak partial Σ 1-models M o T 1 in which all symbols in Σ 0 are totally deined and T (M) is inite. Let W be an amalgamation closure or theory extension T 1 = T 0 K. A partial W -amalgam or T 1 = T 0 K is a tuple (M A, M B, M C) where (i) M A, M B, M C PMod(T 1); (ii) M C is a substructure o both M A and M B; (iii) [M C] = [M A] [M B]; (vi) both T (M A) and T (M B) are closed under W, i.e., W (T (M A), T (M B)) T (M A) and W (T (M B), T (M A)) T (M B); and (v) T (M A) T (M B) T (M C). Deinition 5. A theory extension T 1 = T 0 K is said to have the partial amalgamation property with respect to W i or all partial W -amalgams (M A, M B, M C) there exists a model M D o T 1, and weak embeddings h A : M A M D and h B : M B M D such that h A [MC ] = h B [MC ]. To simpliy matters, we assume that the extension axioms K are in a speciic normal orm: a clause C is called Σ 1-lat i no term that occurs in C below a predicate symbol or the symbol = contains nested unction symbols. A clause C is called Σ 1-linear i (i) whenever a variable occurs in two non-variable terms in C that do not start with a predicate or the equality symbol, the two terms are identical, and i (ii) no such term contains two occurrences o the same variable. Note that every set o extension axioms can be syntactically transormed into one that is Σ 1-lat and Σ 1-linear. Intuitively, a weak partial model M o A 0 B 0 corresponds to a partial W -amalgam (M A, M B, M C) where M A is obtained rom M by restricting M to the terms in A 0, M B is obtained by restricting M to the terms in B 0, and M C is obtained by restricting M to the common terms o A 0 and B 0. Partial amalgamation then tells us that we can always obtain a total model o A 0 B 0 rom M. This is what the ollowing theorem says: Theorem 6. Let T 1 = T 0 K be a theory extension with K Σ 1- linear and Σ 1-lat. I T 1 has the partial amalgamation property with respect to W, then T 1 is W -separable. Proo. Let M be a (total) model o T 0 K[W (A, B)] A K[W (B, A)]. For a inite set o ground terms T such that st(k) T, we deine M T as the partial structure that shares its support and the interpretation o symbols in Σ 0 with M but in which the interpretation o extension symbols Σ e is restricted as ollows: or every a 1,..., a n M i there exist c 1,..., c n such that a i = M(c i) or all 1 i n, and (c 1,..., c n) T, then M T ()(a 1,..., a n) = M((c 1,..., c n)), and otherwise M T ()(a 1,..., a n) is undeined. We prove that M T PMod(T 1). Note that the set T (M T ) is inite, by construction o M T. Moreover, since M T agrees with M on the interpretation o Σ 0 symbols, the reduct o M T to Σ 0 is a total model o T 0 and by construction M = K[T ] implies M T = w K[T ]. To show that M T weakly satisies K, let D K and β : X M T be a variable assignment such that or all terms t occurring in D, M T is deined on β(t). Because o the way the interpretation o extension symbols is deined in M T, we can construct a substitution σ such that σ(d) K[T ] and β σ = β. Since M T = w K[T ] we have M T = w σ(d) and hence M T, β = w D. Now, deine M A = M W (A,B), M B = M W (B,A), and M C = M W (A,B) W (B,A). Modulo renaming o constants, we have that T (M A) W (A, B) and T (M B) W (B, A). From property (i) o W ollows that st(k) W (A, B) and st(k) W (B, A). Hence, M A, M B and M C are in PMod(T 1). By construction we have M A M C M B and [M A] = [M B] = [M C]. From properties (ii), (iii), and (iv) o amalgamation closure W urther ollows that W (T (M A), T (M B)) T (M A), respectively, W (T (M B), T (M A)) T (M B). Similarly, rom (ii) and (iv) ollows T (M A) T (M B) T (M C). We thus have that (M A, M B, M C) is a partial W -amalgam o T 1. Since T 1 admits partial amalgamation with respect to W, we conclude that there exists a total model M D o T 1, and embeddings h A : M A M D and h B : M B M D with h A [MC ] = h B [MC ]. Since A and B are ground ormulas that are weakly satisied by M A, respectively, M B, and since we have st(a) W (A, B) and /9/12

7 st(b) W (B, A), it ollows that A and B must be both satisied by M D. Finally, in order to apply Theorem 3, we need to be able to identiy the cases where a ground interpolation procedure Interpolate 0 or the theory T 0 T EUF exists. We consider two cases. In the irst case, we view T 0 T EUF as the local extension o T 0 with ree unction symbols. In this case, we only require that a ground interpolation procedure or T 0 exists and that T 0 is convex. Recall that a theory T is convex, i or all conjunctions C o ground atoms and ground atoms A 1,..., A n i C = T W1 i n Ai, then there exists i, 1 i n, such that C = T A i. The ollowing corollary then directly ollows rom Theorem 3 and [48, Theorem 6.2]. Corollary 7. Let T 1 = T 0 K be a theory extension such that: 1. T 0 is convex 2. T 0 has a ground interpolation procedure, 3. all ree variables in K appear below extension symbols, and 4. T 1 T 0 is W -separable. Then Interpolate is a ground interpolation procedure or T 1 where Interpolate 0 is the ground interpolation procedure or the theory extension T 0 T EUF, as described in [47]. In the second case, we view T 0 T EUF as the disjoint combination o the theories T 0 and T EUF. In this case, we require that T 0 is decidable, has the strong amalgamation property, and is stably ininite. Since T EUF satisies the same properties, a ground interpolation procedure or the disjoint combination o the theories T 0 and T EUF exists, as ollows rom [11, Corollary 1]. Corollary 8. Let T 1 = T 0 K be a theory extension such that: 1. satisiability o sets o ground clauses is decidable or T 0, 2. T 0 is stably ininite 3. T 0 has the strong amalgamation property, 4. all ree variables in K appear below extension symbols, and 5. T 1 T 0 is W -separable. Then Interpolate is a ground interpolation procedure or T 1 where Interpolate 0 is the ground interpolation procedure or the disjoint theory combination T 0 T EUF. 5. Examples Our ramework o complete instantiation-based interpolation applies to many known local theory extensions, including those described in [47]. In the ollowing, we discuss two non-trivial examples that go beyond the theories considered in [47]. 5.1 Theory o Arrays with Dierence Function Our irst example is the theory o arrays with dierence unction that has been recently investigated in [10]. We deine this theory o arrays as a theory extension T arr = T 0 K arr that is parametric in its base theory T 0. For this purpose, we assume that the base theory T 0 is over signature Σ 0 = (S 0, Ω 0) with sorts index and elem in S 0, and that T 0 satisies the assumptions o Corollary 8. Examples o appropriate base theories are the empty theory, in which case Ω 0 contains only equality predicates, the theory o uninterpreted unction symbols with equality, and the theory o linear arithmetic, interpreting the sort index as integers. The theory T arr extends T 0 with a resh sort array and extension symbols rd : array index elem, wr : array index elem array, and di : array array index. The unction symbols rd and wr stand or the usual array selection and update unction whose meaning is given by McCarthy s read over write axioms [36]: rd(wr(a, i, e), i) = e, (4) i j rd(wr(a, i, e), j) = rd(a, j) (5) The unction di is deined as ollows: or any two distinct arrays a and b, the term di (a, b) denotes an index at which a and b dier. This is ormalized by the ollowing axiom: a b rd(a, di (a, b)) rd(b, di (a, b)) (6) Note that this axiom is obtained by skolemizing the extensionality axiom or arrays ab. a b i. rd(a, i) rd(b, i) where di is the introduced Skolem unction or the existentially quantiied variable i. The set o extension axioms K arr o our theory o arrays consists o the lattened and linearized versions o the axioms (4), (5), and (6) where a, b, i, j and e are implicitly universally quantiied variables. For instance, the linearized and lattened version o axiom (4) is b = wr(a, i, e) i = j rd(b, j) = e It is well-known that the standard theory o arrays (i.e., the one given by axioms (4) and (5)) does not admit ground interpolation. This is best illustrated through an example due to Ranjit Jhala: consider the ground ormulas A b = wr(a, i, e) and B j k rd(a, j) rd(b, j) rd(a, k) rd(b, k) whose conjunction is unsatisiable. There exists no ground interpolant or (A, B) that only contains the shared constants a, b and the theory symbols wr and rd. However, as has been observed in [10], such a ground interpolant can be constructed i one includes the dierence unction di in the theory. An appropriate ground interpolant or (A, B) in the extended theory is given by b = wr(a, di (a, b), rd(b, di (a, b))). In act, the authors o [10] have shown that including the di unction is suicient or ground interpolation. We now give an alternative proo o this result by showing that T arr has the partial amalgamation property. This leads to an alternative interpolation procedure or theory T arr that can be easily implemented on top o an existing interpolation procedure or the base theory. In order to deine an appropriate amalgamation closure W arr, we need to generalize the example above. That is, we have to deine W arr in such a way that there exists no partial W arr-amalgams (M A, M B, M C) with arrays a and b that are shared between M A and M B and M A, M B disagree on the number o indices at which a and b dier. To this end, inductively deine or any terms a and b o sort array the terms a 0 b = a, and a k b = wr(a k 1 b, di (a k 1 b, b), rd(b, di (a k 1 b, b))) or all k 0. Note that i in some T arr-model two arrays a and b dier in exactly k positions, then b = a k b. Now deine W arr as ollows: W arr(t A, T B) = let T 0 = st(t A { a k b a, b st(t A T B) }) in let T 1 = st(t 0 { rd(a, di (a, b)) a, b st(t A) }) in T 1 { rd(a, i) a, i st(t 1), rd(b, i) T 1 st(t B) } where k is the number o non-shared terms o the orm wr(a, i, e) in T A T B. Note that W arr(t A, T B) can be represented in space that is polynomial in the size o T A T B. Hence, also K arr[w (A, B)] K arr[w (B, A)] is polynomial in A, B or inite sets o ground clauses A, B. Clearly W arr satisies properties (i), (ii), (iv), and (v) o amalgamation closures. To see that it also satisies (iii), note that W arr /9/12

8 does not increase the number o non-shared terms o the orm wr(a, i, e). Lemma 9. W arr is an amalgamation closure. We next state a lemma that is crucial or proving partial amalgamation or T arr because it excludes the kind o counterexamples we have described above. For a partial W arr-amalgam (M A, M B, M C) o T arr with a M A(array) and b M C(array), and k 0, we write M A = a k b to indicate that there exists a sequence o k non-shared writes in M A that relates a and b. Formally, we have M A = a k b i there exists a 0,..., a k M A(array), i 0,..., i k 1 M A(index), and e 0,..., e k 1 M A(elem) such that a 0 = a, a k = b, or all 0 n < m < k, a n a m, and or all 0 n < k, a n+1 = M A(wr)(a n, i n, e n) or a n = M A(wr)(a n+1, i n, e n) and one o a n, a n+1, i n, e n is not in [M B]. Lemma 10. Let (M A, M B, M C) be a partial W arr-amalgam o T arr, a M A(array), and b 1, b 2 M C(array) such that M A = a k 1 b 1 and M A = a k 2 b 2 or some k 1, k 2 0. Then or all j M B(index) \ M A(index), M B(rd)(b 1, j) = M(rd)(b 2, j). Proo. First note that by deinition o W arr and since b 1, b 2 M B(array) and j M B(index), we know that both M B(rd)(b, j) and M(rd)(b, j) are deined. From M A = a k 1 b 1 and M A = a k 2 b 2 ollows b 1 and b 2 dier in at most k indices in M A, where k k 1 + k 2 is smaller than the number o non-shared write terms deined in M A. By deinition o W arr, b k 1 b 2 is deined in M A and M B. It ollows that M A(b k 1 b 2) = M B(b k 1 b 2) = b 2. Since j / M A(index) and b 1 and b 2 only dier at indices i M A(index), we must have M B(rd)(b 1, j) = M B(rd)(b 2, j). Theorem 11. The theory T arr = T 0 K arr has the partial amalgamation property with respect to W arr. Proo. Let (M A, M B, M C) be a partial W arr-amalgam or T arr = T 0 K arr. By deinition M A Σ0, M B Σ0, and M C Σ0 are total models o T 0. Since T 0 has the strong amalgamation property, there exists a model M D,0 o T 0 such that M A Σ0 M D,0 M B Σ0. We extend M D,0 to a total model M D o T 1 as ollows. First, let M D agree with M D,0 on the interpretation o all sorts and symbols in Σ 0. Further, let M D(array) be the set o all total unctions M D(index) M D(elem) and deine M D(rd)(a, i) = a(i) and M D(wr)(a, i, e) = a[i e] or all a M D(array), i M D(index), and e M D(elem). Let e A, e B, e C be distinct elements in M D(elem) such that M A(rd)(a, i) e and M B(rd)(a, i) e or all a M D(array), i M D(index) and e {e A, e B, e C}. I such elements do not exist, we can extend M D,0(elem) accordingly by assumption that T 0 is stably ininite. Then deine h A : [M A] [M D] as ollows: let h A be the identity unction on M A(elem) and M A(index). Further, or every a M A(array), i M D(index) deine h A(a)(i) = M A(rd)(a, i) i i M A(index) and M A(rd)(a, i) is deined, or else h A(a)(i) = M B(rd)(b, i) i M A = a k b or some k and b M C(array) with M B(rd)(b, i) deined, or else h A(a)(i) = e C k i M A = a b or some k and b M C(array), or else h A(a)(i) = e A. Note that rom Lemma 10 ollows that h A is uniquely deined. Deine h B : [M B] [M D] accordingly, using e B instead o e A. To prove that or all a M C(array), h A(a) = h B(a), note that by deinition o W arr, i M A(rd)(a, i) and M B(rd)(a, i) are both deined or some a M C(array) and i M D(index), then so is M C(rd)(a, i). Hence, h A(a)(i) = M A(rd)(a, i) = M B(rd)(a, i) = h B(a)(i). The other cases, where only one (or none) o M A(rd)(a, i) and M B(rd)(a, i) is deined are similar. To prove that h A is injective, note that by deinition o W arr, all o the ollowing terms are deined in M A or distinct a, b M A(array): di (a, b), rd(a, di (a, b)), and rd(b, di (a, b)). Since M A weakly satisies axiom (6), we conclude that or any distinct a, b M A(array) rd(a, di (a, b)) rd(b, di (a, b)) It ollows that h A(a) h A(b). Using the same reasoning we also conclude that h B is injective. Finally, we deine M D(di ) as ollows: or all a, b M D(array), let M D(di )(a, b) be either M A(di )(a A, b A) (i M A(di )(a A, b A) is deined, and h A(a A) = a, h A(b A) = b or some a A, b A M A(array)), or M B(di )(a B, b B) (i M B(di )(a B, b B) is deined, and h B(a B) = a, h B(b B) = b or some a B, b B M B(array)), or else deine M D(di )(a, b) = i with i chosen arbitrarily such that a(i) b(i) whenever a b. By construction M D is a model o T arr. It remains to show that h A and h B are homomorphic with respect to the interpretation o extension symbols in M A, respectively, M B. This is easy to see or rd and di. To prove this or wr, let a, b M A(array), i M A(index), and e M A(elem) such that M A(wr)(a, i, e) = b. Let urther j M D(index). We consider the dierent cases in the deinition o h A(b)(j): Case 1: M A(rd)(b, j) is deined, i.e. h A(b)(j) = M A(rd)(b, j). I j = i, then M A(rd)(b, j) = e because M A weakly satisies axiom (4). I j i, then note that also M A(rd)(a, j) is deined (by deinition o W arr), in which case M A(rd)(b, j) = M A(rd)(a, j) because M A weakly satisies axiom (5). Hence, h A(b)(j) = h A(a)[i e](j). Case 2: M A(rd)(b, j) is undeined. Then by deinition o W arr, j M B(index) \ M A(index) and M A(rd)(a, j) is undeined. We then have two subcases: Case 2.1: M A = b k b or some k 0 and b M C(array) with M B(rd)(b, j) deined, i.e., h A(b)(j) = M B(rd)(b, j). I all o a, i, e and b are in [M C] then b k b is deined in M B and hence M B(b k b ) = b. It ollows that M B(rd)(b)(j) = M B(rd)(b )(j), since b and b only dier at shared indices and M B weakly satisies axiom (5). By the same reasoning, 0 M B(rd)(a)(j) = M B(rd(b)(j). Since M A = a a, we conclude h A(a)(j) = M B(rd)(a)(j) = M B(rd)(b )(j) = h A(b)(j). Otherwise, i one o a, i, e, b is not in M C then M A = a k+1 b and hence h A(a)(j) = M B(rd)(b, j) = h A(b)(j). From i j then ollows in both cases that h A(b)(j) = h A(a)[i e](j). Case 2.2: or all k 0 and b M C(array) M A = b k b, M B(rd)(b, j) is undeined. We have two more subcases: Case 2.2.1: or some k 0 and b k M C(array), M A = b b, i.e., h A(b)(j) = e C; and Case 2.2.2: or no k 0 and b M C(array), M A = b k b, i.e., h A(b)(j) = e A. Both o these subcases ollow similar reasoning as Case Theory o Linked Lists with Reachability Our second example is an extension o Nelson s theory o linked lists with reachability [41], which is also at the core o the LISBQ logic studied in [35]. This theory is useul or reasoning about the correctness o programs that manipulate list-like heap-allocated data structures. We show that neither Nelson s original theory, nor its variation in [35] admit ground interpolation. Using counterexamples to the partial amalgamation property or Nelson s theory, we systematically develop our extension o the theory, which admits ground interpolation. We then obtain the irst complete ground interpolation procedure or a theory o linked data structures /9/12