Craig Interpolation for Integer Arithmetic, Uninterpreted - - PowerPoint PPT Presentation

SLIDE 1

Craig Interpolation for Integer Arithmetic, Uninterpreted Functions, and the Theory of Arrays

Angelo Brillout (1), Daniel Kroening (2), Jérôme Leroux (3), Philipp Rümmer (4), Thomas Wahl (2)

(1) ETH Zurich, (2) University of Oxford, (3) Laboratoire Bordelais de Recherche en Informatique, (4) Uppsala University

SVARM, April 2nd, 2011

SLIDE 2

Motivation: inference of invariants

Generic verification problem (“safety”):

{ pre } while (*) Body { post }

Standard approach: loop rule using an invariant φ:

  pre ⇒ φ        { φ } Body { φ }        φ ⇒ post
  ------------------------------------------------
          { pre } while (*) Body { post }

How to compute φ automatically?

SLIDES 3-8

From intermediate assertions to invariants [McMillan, 2003]

Start from the unrolled program, a bounded model checking problem:

{pre} Body; Body {post} ?

✦ Compute an intermediate assertion ψ1 such that

  {pre} Body {ψ1}        {ψ1} Body {post}

✦ If ψ1 ⇒ pre, then pre is an invariant.
✦ Otherwise, repeat with pre ∨ ψ1 as the new precondition:

{pre ∨ ψ1} Body; Body {post} ?

✦ Compute an intermediate assertion ψ2 such that

  {pre ∨ ψ1} Body {ψ2}        {ψ2} Body {post}

✦ If ψ2 ⇒ pre ∨ ψ1, then pre ∨ ψ1 is an invariant.
✦ Otherwise, continue in the same way . . .

SLIDES 9-12

How to compute intermediate assertions?

VC generation turns the unrolled program into formulas over the program states s0, s1, s2:

  { pre }    →  pre(s0)
  Body;      →  Body(s0, s1)
  Body       →  Body(s1, s2)
  { post }   →  post(s2)

The first two verification conditions are grouped as A(s0, s1), the last two as C(s1, s2), and the intermediate assertion is a formula I(s1) over the shared state s1.

Theorem (Craig, 1957)

Suppose A ⇒ C is a valid implication. Then there is a formula I (an interpolant) such that

❼ A ⇒ I and I ⇒ C are valid,
❼ every non-logical symbol of I occurs in both A and C.

The interpolant I can be computed from proofs of A ⇒ C.
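The invariant-inference loop of slides 3-8 and the interpolation problem of slides 9-12, as an added worked example that is not part of the original slides or the authors' tools. It assumes the standard grouping A(s0, s1) = pre(s0) ∧ Body(s0, s1) and C(s1, s2) = Body(s1, s2) ⇒ post(s2), and it works over a constructed finite-state program (a saturating 3-bit counter), so the strongest Craig interpolant over the shared state s1 can be computed by existential projection of s0; the interpolation procedures of the talk replace that projection for integer arithmetic. The function names (`interpolate`, `infer_invariant`, `check_loop_rule`) are this example's own.

```python
"""Interpolation-based invariant inference over a constructed finite-state system.

Added example, not from the slides. States are tuples of booleans, and
formulas are represented extensionally as sets of satisfying states (or
state pairs). Because the state space is finite, the strongest Craig
interpolant of A(s0,s1) => C(s1,s2) over the shared variables s1 is the
existential projection  exists s0. A(s0,s1), which `interpolate` computes.
"""
from itertools import product

N_BITS = 3
ALL = [tuple(bits) for bits in product((False, True), repeat=N_BITS)]


def to_int(s):
    """Decode a boolean state tuple as an unsigned integer (bit i = s[i])."""
    return sum(int(b) << i for i, b in enumerate(s))


def from_int(v):
    """Encode an unsigned integer as an N_BITS boolean state tuple."""
    return tuple(bool((v >> i) & 1) for i in range(N_BITS))


# --- constructed toy program: a saturating 3-bit counter -------------------
def pre(s):            # initial states: x == 0
    return to_int(s) == 0


def body(s0, s1):      # one loop iteration: x' = x + 1 while x < 6, else x' = x
    x = to_int(s0)
    return to_int(s1) == (x + 1 if x < 6 else x)


def post(s):           # safety property: x never reaches 7
    return to_int(s) != 7


# --- Craig interpolation for the propositional (finite-state) case ---------
def a_formula(pre_set):
    """A(s0,s1) = pre(s0) ∧ Body(s0,s1), as the set of satisfying state pairs."""
    return frozenset((s0, s1) for s0 in pre_set for s1 in ALL if body(s0, s1))


def c_formula(s1, s2):
    """C(s1,s2) = Body(s1,s2) ⇒ post(s2)."""
    return (not body(s1, s2)) or post(s2)


def implication_valid(A):
    """Bounded model checking step of the slides: is A(s0,s1) ⇒ C(s1,s2) valid?"""
    return all(c_formula(s1, s2) for (_, s1) in A for s2 in ALL)


def interpolate(A):
    """Strongest interpolant over the shared variables s1: ∃s0. A(s0,s1).
    Projection is a valid interpolation procedure here only because the
    state space is finite (propositional logic)."""
    return frozenset(s1 for (_, s1) in A)


def is_interpolant(A, I):
    """Check both halves of Craig's theorem: A ⇒ I and I ⇒ C.
    The symbol condition holds by construction, since I ranges over s1 only."""
    a_implies_i = all(s1 in I for (_, s1) in A)
    i_implies_c = all(c_formula(s1, s2) for s1 in I for s2 in ALL)
    return a_implies_i and i_implies_c


def infer_invariant(max_rounds=32):
    """McMillan-style loop from the slides: strengthen the precondition with
    interpolants until the interpolant implies the current candidate."""
    cand = frozenset(s for s in ALL if pre(s))
    for _ in range(max_rounds):
        A = a_formula(cand)
        if not implication_valid(A):
            return None          # bounded check fails: not covered by the slides' scheme
        psi = interpolate(A)
        assert is_interpolant(A, psi)
        if psi <= cand:          # ψ ⇒ cand, so cand is inductive
            return cand
        cand = cand | psi        # otherwise continue with pre ∨ ψ
    return None


def check_loop_rule(inv):
    """The loop rule of slide 2: pre ⇒ φ, {φ} Body {φ}, φ ⇒ post."""
    init_ok = all(s in inv for s in ALL if pre(s))
    inductive = all(s1 in inv for s0 in inv for s1 in ALL if body(s0, s1))
    safe = all(post(s) for s in inv)
    return init_ok and inductive and safe


if __name__ == "__main__":
    inv = infer_invariant()
    print(sorted(to_int(s) for s in inv))   # [0, 1, 2, 3, 4, 5, 6]
    print(check_loop_rule(inv))             # True
```

Each round recomputes the bounded check with the strengthened precondition, exactly as the slides do; with the strongest interpolant the candidates are the sets of states reachable in 0, 1, 2, ... iterations, and the loop stops at the first candidate that is inductive. A weaker interpolant would also satisfy Craig's conditions but may make the next bounded check fail, which is why the procedure returns None rather than guessing in that case.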

SLIDE 13

Interpolation + theories

Interpolation procedures need to support the program logic:

  int a[], i;
  max = a[0];
  for (i = 1; i < n; ++i)
      if (a[i] > max) max = a[i];
  assert(max >= a[i / 2]);

E.g., combined use of linear integer arithmetic and arrays.

SLIDES 14-15

Theories investigated by us

❼ Quantifier-free Presburger Arithmetic (PA), i.e. linear integer arithmetic [IJCAR, 2010] [LPAR, 2010]

plus

❼ Quantifiers (Q) [VERIFY, 2010] [VMCAI, 2011]
❼ Uninterpreted predicates (UP)
❼ Uninterpreted functions (UF)
❼ Arrays (AR)

SLIDES 16-17

Interpolation outline

  Implication A ⇒ C  →  Theorem prover  →  Proof of A ⇒ C (or a model)
  Proof of A ⇒ C  →  Proof lifting  →  Interpolating proof of A ⇒ C
  Interpolating proof  →  Craig interpolant I with A ⇒ I ⇒ C

SLIDE 18

Underlying calculus for Presburger Arithmetic

❼ Gentzen-style sequent calculus for PA [LPAR, 2008]

               | Calculus rules                                 | Possible procedures
  -------------|------------------------------------------------|------------------------------------------------------
  Equalities   | Linear combination, fresh constants            | Omega eq. elimination, Smith decomposition
  Inequalities | Linear combination, rounding, ineq. splitting  | Omega test, Simplex + Gomory cuts + branch-and-bound
  Prop. logic  | Standard Gentzen propositional rules           |

SLIDE 19

Interpolation outline (instantiated for PA)

  QFPA implication A ⇒ C  →  Theorem prover  →  Proof of A ⇒ C (or a model)
  Proof of A ⇒ C  →  Proof lifting  →  Interpolating proof of A ⇒ C
  Interpolating proof  →  Craig interpolant I with A ⇒ I ⇒ C

SLIDES 20-30

Basic idea of proof lifting

Interpolation problem: A ⇒ I ⇒ C

1. Start from a closed proof of the sequent A ⊢ C. Its intermediate sequents are written Γ1 ⊢ ∆1, Γ2 ⊢ ∆2, Γ3 ⊢ ∆3, . . . up to the closed leaves (∗).

2. Annotation of formulae with labels: the root becomes ⌊A⌋L ⊢ ⌊C⌋R, and the labels are propagated upwards through the proof, turning Γ1 ⊢ ∆1 into Γ1* ⊢ ∆1*, then Γ2 ⊢ ∆2 into Γ2* ⊢ ∆2*, then Γ3 ⊢ ∆3 into Γ3* ⊢ ∆3*, and so on.

3. Propagation of interpolants: starting from the leaves, each annotated sequent receives an interpolant annotation, Γ3* ⊢ ∆3* ▸ I3, then Γ2* ⊢ ∆2* ▸ I2, then Γ1* ⊢ ∆1* ▸ I1, down to the root ⌊A⌋L ⊢ ⌊C⌋R ▸ I.

4. The annotation I at the root is the interpolant.

SLIDES 31-32

Properties of the interpolating calculus

Lemma (Soundness)

The annotation at the root of a closed proof is a valid interpolant.

Lemma (Completeness)

Every proof can be lifted to an interpolating proof. This implies completeness for PA.

Generality

Applicable to various procedures:

❼ Simplex + cuts (cf. [Griggio, Le, Sebastiani, 2011])
❼ Omega test

Can be generalised to further theories . . .

SLIDE 33

Beyond Presburger Arithmetic

❼ Quantifier-free Presburger Arithmetic (PA), i.e. linear integer arithmetic [IJCAR, 2010] [LPAR, 2010]

plus

❼ Quantifiers (Q) [VERIFY, 2010] [VMCAI, 2011]
❼ Uninterpreted predicates (UP)
❼ Uninterpreted functions (UF)
❼ Arrays (AR)

SLIDE 34

Fragments of extensions of Presburger Arithmetic

Considered logics:

❼ PA+UP, PA+UF: PA + uninterpreted predicates/functions
❼ QPA+UP, QPA+UF: PA + quantifiers + uninterpreted predicates/functions
❼ PA+AR: PA + select, store functions

Syntax (α ∣ t is divisibility, t̄ a tuple of terms):

  φ ::= t = t | t ≤ t | α ∣ t | p(t̄) | φ ∧ φ | φ ∨ φ | ¬φ | ∀x.φ | ∃x.φ
  t ::= α | c | x | αt + ⋯ + αt | f(t̄)

SLIDE 35

Interesting questions

❼ Closure under interpolation
❼ Practical interpolation procedures

Definition

Logic L is closed under interpolation if for all A, B ∈ F such that A ⇒ B, there is an interpolant expressible in L. [Kapur et al, 2006: “L is interpolating”]

SLIDES 36-37

Known results

  (Q)PA           ⇒ closed under interpolation (as it allows quantifier elimination)
  PA+AR           ⇒ not closed (not even without PA, [Kapur et al, 2006])
  QPA+AR          ⇒ closed (add quantifiers for local variables)
  QPA+UP, QPA+UF  ⇒ not closed (since interpolation could simulate second-order quantifier elimination)
  PA+UP           ⇒ ?
  PA+UF           ⇒ ?

SLIDES 38-39

New negative result

Theorem

PA+UP is not closed under interpolation. (Similarly for PA+UF.)

Example

  φ :: (2c = y ∧ p(c)) ⇒ (2d = y ⇒ p(d))

Interpolants:

  strongest:  I1 : ∃c.(2c = y ∧ p(c))
  weakest:    I2 : ∀d.(2d = y ⇒ p(d))

No quantifier-free interpolants exist!

SLIDE 40

Closure results

  (Q)PA           ⇒ closed under interpolation (as it allows quantifier elimination)
  PA+AR           ⇒ not closed (not even without PA, [Kapur et al, 2006])
  QPA+AR          ⇒ closed (add quantifiers for local variables)
  QPA+UP, QPA+UF  ⇒ not closed (since interpolation could simulate second-order quantifier elimination)
  PA+UP           ⇒ not closed
  PA+UF           ⇒ not closed

SLIDE 41

Positive results

Lemma (interpolants with quantifiers)

If A ⇒ B is a valid PA+UP formula, then there is a QPA+UP interpolant A ⇒ I ⇒ B. (Similarly for PA+UF, PA+AR.)

Theorem (extension of PA+UP)

There is a (natural) extension of PA+UP that is

❼ decidable, and
❼ closed under interpolation.

(Similarly for PA+UF.)

SLIDES 42-44

How to close PA+UP under interpolation

Consider the example φ :: (2c = y ∧ p(c)) ⇒ (2d = y ⇒ p(d)).

“Feels-like interpolant”: p(y/2)

Definition

PAID+UP = PA+UP plus guarded quantification:

  ∃x.(αx = t ∧ φ)        ∀x.(αx = t ⇒ φ)        (α ≠ 0, x not in t)

Is this just to accommodate φ’s interpolant??
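A worked check of the example above, added here and not part of the original slides: it verifies that the two quantified formulas I1 and I2 from the negative result really are interpolants of φ, and that both are guarded quantifications in the sense of the PAID+UP definition, which is what makes p(y/2) expressible.

Let $A \equiv 2c = y \wedge p(c)$ and $C \equiv 2d = y \Rightarrow p(d)$. The non-logical symbols common to $A$ and $C$ are $y$ and $p$ only, so $c$ and $d$ may not occur free in an interpolant.

$$A \Rightarrow I_1:\quad 2c = y \wedge p(c) \;\Rightarrow\; \exists c.\,(2c = y \wedge p(c)) \qquad\text{(take the given } c \text{ as witness)}$$

$$I_1 \Rightarrow I_2:\quad \exists c.\,(2c = y \wedge p(c)) \wedge 2d = y \;\Rightarrow\; 2c = 2d \;\Rightarrow\; c = d \;\Rightarrow\; p(d) \qquad\text{(cancel the factor 2 in } \mathbb{Z}\text{)}$$

$$I_2 \Rightarrow C:\quad \forall d.\,(2d = y \Rightarrow p(d)) \;\Rightarrow\; (2d = y \Rightarrow p(d)) \qquad\text{(instantiate the universal with } d\text{)}$$

Hence $A \Rightarrow I_1 \Rightarrow I_2 \Rightarrow C$, and any interpolant $I$ satisfies $I_1 \Rightarrow I \Rightarrow I_2$. Renaming bound variables, $I_1 = \exists x.\,(2x = y \wedge p(x))$ and $I_2 = \forall x.\,(2x = y \Rightarrow p(x))$ are exactly guarded quantifications with $\alpha = 2$ and $t = y$ ($\alpha \neq 0$, and $x$ does not occur in $t$), so both lie in PAID+UP; either one is a precise rendering of the “feels-like interpolant” $p(y/2)$.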

SLIDE 45

Interpolating in PAID+UP

Theorem

PAID+UP is closed under interpolation. (Similarly for PAID+UF.)

Proof:

1. Define a restricted version of our calculus that only generates PAID+UP interpolants:
   ❼ only unify atoms p(s̄), p(t̄) or terms f(s̄), f(t̄) if s̄ = t̄ has been derived.
2. Show that the restricted calculus is still complete for PAID+UP.

SLIDE 46

Summary of logics

Diagram (colour-coded in the original slide):

  PA        QPA
  PA+UP  ⇓  PAID+UP  ⇓  QPA+UP

Legend: decidable / undecidable (by colour); boxed = closed under interpolation; ⇓ = subset

SLIDE 47

What do we have?

❼ Sound + complete interpolating calculus for PAID+UP, PAID+UF, PAID+AR
❼ Generated interpolants stay within PAID+UP, PAID+UF, QPA+AR
❼ Calculus is close to procedures used in SMT solvers
❼ Combinations UP+UF+AR are straightforward

Future directions:

❼ Extensions of PAID+AR closed under interpolation? (+ decidable)
❼ Implementations
❼ Integration in Yorsh + Musuvathi’s combination framework?

SLIDE 48

Related work: integer arithmetic interpolation

❼ Reduction to FOL [Kapur, Majumdar, Zarba, 2006]
❼ Simplex-based [Lynch, Tang, 2008]
❼ Sequent calculus-based [Brillout, Kroening, Rümmer, Wahl, 2010]
❼ Again Simplex-based [Kroening, Leroux, Rümmer, 2010]
❼ Simplex-based, targeting SMT [Griggio, Le, Sebastiani, 2011]

SLIDE 49

Related work: interpolation beyond integer arithmetic

❼ Uninterpreted functions [McMillan, 2005], [Fuchs, Goel, Grundy, Krstić, Tinelli, 2009]
❼ Theory of arrays [Kapur, Majumdar, Zarba, 2006], [McMillan, 2008]
❼ First-order logic [Hoder, Kovács, Voronkov, 2010]
❼ Quantifiers [Christ, Hoenicke, 2010]
❼ Combination of interpolation procedures [Yorsh, Musuvathi, 2005]

SLIDE 50

End of Talk.