Theorem Provers, SMT, and Interpolation, Philipp Rümmer, Uppsala (PowerPoint PPT Presentation)



slide-1
SLIDE 1

Theorem Provers, SMT, and Interpolation

Philipp Rümmer Uppsala University Sweden CP meets CAV June 27th 2012

1 / 49

slide-2
SLIDE 2

Outline

  • Some SMT challenges from verification
  • Quantifiers in SMT → First-order version of SMT
  • Computation of Craig interpolants

2 / 49

slide-3
SLIDE 3

Disclaimer

  • Highly biased challenges (my point of view)
  • Some results shown are not by myself
  • Some results shown are joint work

3 / 49

slide-6
SLIDE 6

Reasoning + first-order logic (FOL)

First-order provers:
  • Resolution, superposition, tableaux, etc.
  • (Free) variables, unification
  • Complete for FOL
  • Tailored to algebra, logic, etc.

SAT/SMT solvers:
  • DPLL(T), CDCL, Nelson-Oppen
  • E-matching, heuristics
  • Complete on ground fragment
  • Many built-in theories
  • Tailored to verification; (usually) incomplete on quantified problems

4 / 49

slide-8
SLIDE 8

Classical paradigms in logical reasoning

Analytic → Case-based:
  • Gentzen-style sequents
  • Tableaux
  • Hypertableaux
  • Model evolution
  • Model generation
  • DPLL

Synthetic → Consequence-based:
  • Syllogisms
  • Hilbert-style calculi
  • Resolution
  • Superposition
  • Knuth-Bendix
  • Gröbner bases

SAT combines both paradigms:
  • DPLL: search for models
  • CDCL: learn lemmas from unsatisfiable branches (new clauses derived from the clauses involved in a conflict)

5 / 49

slide-9
SLIDE 9

From SAT to SMT

SAT solver (DPLL: search for models; CDCL: learn lemmas from unsatisfiable branches, new clauses derived from the clauses involved in a conflict)
  ↓ Prop. truth assignments      ↑ Theory lemmas
Theory solver(s), handling conjunctions of theory literals (Arithmetic, functions, arrays, etc.)

6 / 49

slide-10
SLIDE 10

Some challenging theories

  • Integers
  • Non-linear arithmetic
  • Floating-point arithmetic
  • Words/strings

7 / 49

slide-11
SLIDE 11

Quantifiers in SMT

(one of the main challenges)

slide-14
SLIDE 14

Quantifiers

SAT solver, handling propositional skeleton
  ↓ Prop. truth assignments      ↑ Theory lemmas
Theory solver(s), handling conjunctions of theory literals
  ↓ Ground terms      ↑ Instances
Instance generator

  • E-matching (Simplify, Stanford Pascal Verifier)
  • Complete instantiation; counterexample-based [Ge, de Moura, 09]
  • Superposition [de Moura, Bjørner, 09]

9 / 49

slide-20
SLIDE 20

E-Matching

Matching of triggers (modulo equations):

  Γ, ∀x̄.φ[t[x̄]], [x̄/s̄]φ[t[x̄]] ⊢ ψ[t[s̄]], ∆
  ──────────────────────────────────────────
        Γ, ∀x̄.φ[t[x̄]] ⊢ ψ[t[s̄]], ∆

  • Identify triggers (sub-expressions t[x̄]) in quantified formulae
  • Check for matching ground terms (t[s̄])
  • Create ground instances resulting from match ([x̄/s̄]φ[t[x̄]])

Example (array axioms):
  \forall int a, i, v; sel(sto(a, i, v), i) = v
  \forall int a, i1, i2, v; (i1 != i2 -> sel(sto(a, i1, v), i2) = sel(a, i2))

10 / 49

slide-23
SLIDE 23

Examples

With the array axioms
  \forall int a, i, v; sel(sto(a, i, v), i) = v
  \forall int a, i1, i2, v; (i1 != i2 -> sel(sto(a, i1, v), i2) = sel(a, i2))

  • b ≐ sto(a, 1, 2) → sel(b, 2) ≐ sel(a, 2)
  • b ≐ sto(a, 1, 2) → ∃x. sel(b, x) ≐ sel(a, 2)
  • b ≐ sto(a, 1, 2) → ∃x. sel(b, x + 1) ≐ sel(a, 2)
  • b ≐ sto(a, 1, 2) → ∃x. sel(b, x) ≐ sel(a, x)

11 / 49

slide-24
SLIDE 24

E-Matching

  • Heuristic → incomplete
  • Good for “simple” instances
  • User guidance possible → triggers
  • But also brittle, easy to choose wrong triggers
  • Fast → only ground reasoning
  • Restrictions particularly problematic for “deductive verification” ⇒ Complicated specifications without good triggers

12 / 49

slide-27
SLIDE 27

Small engines

SAT solver, handling propositional skeleton
Theory solver(s), handling conjunctions of theory literals
Theory solver: quantified theory constraints
First-order solver: boolean structure, functions, quantifiers

13 / 49

slide-28
SLIDE 28

First-order SMT

slide-29
SLIDE 29

Putting things together

Current choices:
  • KE-tableau/DPLL: FOL
  • Theory procedures: Arithmetic
  • Free variables + constraints: Quantifiers
  • E-matching
  • Axiomatisation of theories
Interesting completeness results
Experimental implementation: PRINCESS
More details in [LPAR’08], [LPAR’12]
Long-term goal: framework as general as SMT

15 / 49

slide-34
SLIDE 34

In the example

AX = \forall int a, i, v; sel(sto(a, i, v), i) = v
     \forall int a, i1, i2, v; (i1 != i2 -> sel(sto(a, i1, v), i2) = sel(a, i2))

Proof, root at the bottom (X is the free variable introduced for the existential quantifier):

  ∗ [1 ≐ X]
  ⋮
  . . . , 1 ≐ X → sel(b, X) ≐ sel(a, 2) ⊢ sel(b, X) ≐ sel(a, 2)
  AX, b ≐ sto(a, 1, 2) ⊢ sel(b, X) ≐ sel(a, 2)
  AX, b ≐ sto(a, 1, 2) ⊢ ∃x. sel(b, x) ≐ sel(a, 2)
  AX ⊢ b ≐ sto(a, 1, 2) → ∃x. sel(b, x) ≐ sel(a, 2)

16 / 49
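As an added illustration (not code from the slides or from PRINCESS), a toy E-matcher in Python that runs the trigger matching of slide 20 over the two array axioms, on the goals of slide 23 and on the free-variable goal of the proof above; the term representation, the absence of congruence closure and the way a bound trigger variable meeting the free variable X becomes the constraint 1 ≐ X are my simplifications.

```python
# Added example (not code from the slides or from PRINCESS): a toy E-matcher for the
# array axioms of slide 20, run on the goals of slides 23 and 34. Terms are strings
# (constants, or axiom variables in upper case) or tuples (symbol, arg1, ...).
AXIOM_VARS = {"A", "I", "V", "I1", "I2"}
STO = ("sto", "A", "I", "V")
# (trigger, body) of  forall a, i, v; sel(sto(a, i, v), i) = v
AX1 = (("sel", STO, "I"), ("=", ("sel", STO, "I"), "V"))
# (trigger, body) of  forall a, i1, i2, v; (i1 != i2 -> sel(sto(a, i1, v), i2) = sel(a, i2))
STO2 = ("sto", "A", "I1", "V")
AX2 = (("sel", STO2, "I2"),
       ("->", ("!=", "I1", "I2"), ("=", ("sel", STO2, "I2"), ("sel", "A", "I2"))))


def subst(t, s):
    """Apply substitution s (variable -> term) to a term or formula."""
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(x, s) for x in t[1:])
    return s.get(t, t)


def subterms(*ts):
    """All subterms of the given terms: the candidates for trigger matching."""
    out = set(ts)
    for t in ts:
        if isinstance(t, tuple):
            out |= subterms(*t[1:])
    return out


def eq_classes(eqs):
    """Term -> class of terms known equal to it (no congruence closure: a simplification)."""
    cls = {}
    for l, r in eqs:
        merged = cls.get(l, {l}) | cls.get(r, {r})
        for t in merged:
            cls[t] = merged
    return cls


def e_match(pat, term, E, s, free, constr):
    """Match trigger `pat` against `term` modulo E, extending substitution `s`. When a
    bound trigger variable meets a variable from `free`, the pair is recorded in
    `constr` as an equality constraint (slide 34: 1 = X) instead of failing."""
    if pat in AXIOM_VARS:
        if pat not in s:
            return {**s, pat: term}
        if term in E.get(s[pat], {s[pat]}):
            return s
        if term in free:
            constr.append((s[pat], term))
            return s
        return None
    for cand in E.get(term, {term}):      # try every term E-equal to `term`
        if cand == pat:
            return s
        if isinstance(cand, tuple) and isinstance(pat, tuple) \
                and cand[0] == pat[0] and len(cand) == len(pat):
            s2 = s
            for p, c in zip(pat[1:], cand[1:]):
                s2 = e_match(p, c, E, s2, free, constr)
                if s2 is None:
                    break
            if s2 is not None:
                return s2
    return None


def instantiate(axioms, terms, E, free=frozenset()):
    """E-matching instantiation: every term matching a trigger modulo E gives one
    instance of the axiom body; constraints on free variables are collected."""
    insts, constr = [], []
    for trigger, body in axioms:
        for g in sorted(terms, key=str):
            s = e_match(trigger, g, E, {}, free, constr)
            if s is not None:
                insts.append(subst(body, s))
    return insts, constr


# Constructed input: hypothesis b = sto(a, 1, 2) as the only ground equation.
B_DEF = ("sto", "a", "1", "2")
E = eq_classes([("b", B_DEF)])
# slide 23, goal 1: sel(b, 2) = sel(a, 2)            -> one instance, from AX2
INST1, _ = instantiate([AX1, AX2], subterms(("sel", "b", "2"), ("sel", "a", "2"), B_DEF), E)
# slide 23, goal 2: exists x. sel(b, x) = sel(a, 2)  -> no ground sel(b, _) term, no instance
INST2, _ = instantiate([AX1, AX2], subterms(("sel", "a", "2"), B_DEF), E)
# slide 34: the same goal with the free variable X, sel(b, X) = sel(a, 2)
INST2X, CONSTR = instantiate([AX1, AX2], subterms(("sel", "b", "X"), ("sel", "a", "2"), B_DEF),
                             E, free={"X"})
```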

slide-35
SLIDE 35

The base logic [LPAR’08]

Linear integer arithmetic + uninterpreted predicates: t ::= α | x | c | αt + · · · + αt φ ::= φ ∧ φ | φ ∨ φ | ¬φ | ∀x.φ | ∃x.φ

| t .

= 0 | t

.

≥ 0 | t

.

≤ 0 | α | t | p(t, . . . , t) t . . . terms φ . . . formulae x . . . variables c . . . constants p . . . uninterpreted predicates (fixed arity) α . . . integer literals (❩)

17 / 49

slide-36
SLIDE 36

The base logic [LPAR’08]

Linear integer arithmetic + uninterpreted predicates: t ::= α | x | c | αt + · · · + αt φ ::= φ ∧ φ | φ ∨ φ | ¬φ | ∀x.φ | ∃x.φ

| t .

= 0 | t

.

≥ 0 | t

.

≤ 0 | α | t | p(t, . . . , t) Functions encoded as relations (later) Subsumes FOL and Presburger arithmetic (PA) Valid formulae are not enumerable [Halpern, 1991]

17 / 49

slide-37
SLIDE 37

Constrained sequents

Notation used here:

  Γ ⊢ ∆ ⇓ C

  Γ, ∆ . . . antecedent, succedent (sets of formulae)
  C . . . constraint/approximation (formula)

Definition: Γ ⊢ ∆ ⇓ C is valid if the formula C → Γ → ∆ is valid.

18 / 49

slide-50
SLIDE 50

Iterative proof construction

  ∗
  ⋮
  Γ3 ⊢ ∆3 ⇓ C1
  Γ2 ⊢ ∆2 ⇓ C2
  Γ1 ⊢ ∆1 ⇓ C3
  ⋮
  Γ ⊢ ∆ ⇓ C

  ↑ analytic reasoning about input formula (SMT-like)
  ↓ propagation of constraints

  • Constraints are simplified during propagation
  • If C is valid, then so is Γ ⊢ ∆
  • If C is satisfiable, it describes a solution for Γ ⊢ ∆
  • If C is unsatisfiable, expand the proof tree further . . .
  • Theories have two roles: analytic + propagation

19 / 49

slide-52
SLIDE 52

A few proof rules

  Γ ⊢ φ, ∆ ⇓ C      Γ ⊢ ψ, ∆ ⇓ D
  ────────────────────────────────── AND-RIGHT
        Γ ⊢ φ ∧ ψ, ∆ ⇓ C ∧ D

  Γ, [x/c]φ, ∀x.φ ⊢ ∆ ⇓ [x/c]C
  ───────────────────────────── ALL-LEFT (c is fresh)
       Γ, ∀x.φ ⊢ ∆ ⇓ ∃x.C

  Γ, p(s̄) ⊢ p(t̄), s̄ ≐ t̄, ∆ ⇓ C
  ───────────────────────────── PRED-UNIFY
      Γ, p(s̄) ⊢ p(t̄), ∆ ⇓ C

                         ∗
  ────────────────────────────────────────────────── CLOSE (selected formulae are predicate-free)
  Γ, φ1, . . . ⊢ ψ1, . . . , ∆ ⇓ ¬φ1 ∨ · · · ∨ ψ1 ∨ · · ·

+ Theory rules!

20 / 49

slide-55
SLIDE 55

In the example

Same proof as before, now with constraints (root at the bottom; the two premises of the implication step are shown as separate closed branches):

  ∗
  ⊢ 1 ≐ X ⇓ 1 ≐ X

  ∗
  ⋮
  sel(b, X) ≐ sel(a, 2) ⊢ sel(b, X) ≐ sel(a, 2) ⇓ true

  . . . , 1 ≐ X → sel(b, X) ≐ sel(a, 2) ⊢ sel(b, X) ≐ sel(a, 2) ⇓ 1 ≐ X
  AX, b ≐ sto(a, 1, 2) ⊢ sel(b, X) ≐ sel(a, 2) ⇓ 1 ≐ X
  AX, b ≐ sto(a, 1, 2) ⊢ ∃x. sel(b, x) ≐ sel(a, 2) ⇓ ∃X. 1 ≐ X
  AX ⊢ b ≐ sto(a, 1, 2) → ∃x. sel(b, x) ≐ sel(a, 2) ⇓ true

21 / 49

slide-56
SLIDE 56

Correctness

Lemma (Soundness): It’s sound!

Lemma (Completeness): Complete for fragments:
  • FOL
  • PA
  • Purely existential formulae
  • Purely universal formulae
  • Universal formulae with finite parametrisation (same as ME(LIA))

22 / 49

slide-60
SLIDE 60

Functions

Functions almost like in SMT:
  • Terms are always flattened
  • n-ary function f becomes (n + 1)-ary predicate fp

E.g. g(f(x), a)
  • f(x) = c ∧ g(c, a) = d
  • fp(x, c) ∧ gp(c, a, d)

Axioms necessary: Totality + Functionality
  ∀x̄.∃y. fp(x̄, y)
  ∀x̄, y1, y2. (fp(x̄, y1) → fp(x̄, y2) → y1 ≐ y2)

Very closely resembles congruence closure

23 / 49

slide-61
SLIDE 61

Relative completeness

In SMT solvers:
  • Choice of triggers determines provability
  • Bad triggers → bad luck
In the first-order SMT calculus:
  • Choice of triggers determines performance
  • Regardless of triggers, the same formulae are provable
  • E-matching is complemented by free variables + unification

24 / 49

slide-62
SLIDE 62

Practicality

Implementation of our calculus in PRINCESS
Unsatisfiable AUFLIA benchmarks from SMT-comp 2011
Intel Core i5 2-core, 3.2GHz, timeout 1200s, 4Gb

  Solver     AUFLIA+p (193)   AUFLIA-p (193)
  Z3         191              191
  PRINCESS   145              137
  CVC3       132              128

http://www.philipp.ruemmer.org/princess.shtml
Currently running: CASC 2012

25 / 49

slide-63
SLIDE 63

Related work

  • ME(LIA): [Baumgartner, Tinelli, Fuchs, 08], [Baumgartner, Tinelli, 11]
  • SPASS+T [Prevosto, Waldmann, 06]
  • DPLL(SP) [de Moura, Bjørner, 08]
  • Complete instantiation [Ge, de Moura, 09]
  • Saturation + theories, e.g. [Stickel, 85], [Bürchert, 90], [Bachmair, Ganzinger, Waldmann, 94], [Korovin, Voronkov, 07], [Althaus, Kruglov, Weidenbach, 09]
  • · · ·

26 / 49

slide-64
SLIDE 64

Conclusion

Overall challenge: Combine the theories and performance of SMT solvers with the completeness of FOL provers
Presented work is one step in this direction
Ongoing work:
  • Better unification on term level
  • Better heuristics for introducing free variables
  • Lemma learning
  • Generalisation to other theories

27 / 49

slide-65
SLIDE 65

Computation of Craig Interpolants

slide-66
SLIDE 66

Motivation: inference of invariants

Generic verification problem (“safety”):

  { pre } while (*) Body { post }

Standard approach: loop rule using invariant φ

  pre ⇒ φ      { φ } Body { φ }      φ ⇒ post
  ──────────────────────────────────────────────
          { pre } while (*) Body { post }

How to compute φ automatically?

29 / 49

slide-72
SLIDE 72

From intermediate assertions to invariants

[McMillan, 2003]

Bounded model checking problem: {pre} Body; Body {post} ?
  ✦ Compute intermediate assertion ψ1: {pre} Body {ψ1}, {ψ1} Body {post}
  ✦ [ψ1 ⇒ pre]: pre is invariant
  ✦ [otherwise]: next bounded model checking problem {pre ∨ ψ1} Body; Body {post} ?
  ✦ Compute intermediate assertion ψ2: {pre ∨ ψ1} Body {ψ2}, {ψ2} Body {post}
  ✦ [ψ2 ⇒ pre ∨ ψ1]: pre ∨ ψ1 is invariant
  ✦ [otherwise]: . . .

30 / 49

slide-75
SLIDE 75

How to compute intermediate assertions?

VC generation:

  { pre }        pre(s0)         ⎫
  Body;      →   Body(s0, s1)    ⎭ A(s0, s1)
                                   I(s1)
  Body       →   Body(s1, s2)    ⎫
  { post }   →   post(s2)        ⎭ C(s1, s2)

Theorem (Craig, 1957): Suppose A → C is a valid FOL implication. Then there is a formula I (an interpolant) such that A → I and I → C are valid, and every non-logical symbol of I occurs in both A and C.

31 / 49

slide-77
SLIDE 77

Illustration

[Figure: nested regions, the models of A inside the models of I inside the models of C]

32 / 49

Interpolation problem: A → I → C

slide-78
SLIDE 78

Reverse interpolants

Definition: Suppose A ∧ B is unsatisfiable. A reverse interpolant is a formula I such that A → I and B → ¬I are valid, and every non-logical symbol of I occurs in both A and B.

Lemma: I is a reverse interpolant for A ∧ B ⇔ I is an interpolant for A → ¬B

33 / 49

slide-79
SLIDE 79

Available interpolation engines (incomplete . . . )

  • Foci
  • CSIsat
  • MathSAT
  • SMTInterpol
  • OpenSMT
  • iZ3
  • Princess

34 / 49

slide-80
SLIDE 80

Proof-based interpolation techniques

Implication A → C
  ↓
Theorem prover → Proof of A → C (or: Model)
  ↓
Proof lifting → Interpolating proof of A → C
  ↓
Craig interpolant A → I → C

35 / 49

slide-81
SLIDE 81

Interpolating propositional logic

  • Interpolation procedures available for many calculi
  • Overview paper for resolution proofs: [D’Silva et al, 2010]
  • Shown here: interpolants from a Gentzen-style proof (similar to calculus from before, but without constraints)

36 / 49

slide-92
SLIDE 92

Basic idea of proof lifting in a sequent calculus

  ∗
  ⋮
  Γ3∗ ⊢ ∆3∗ ◮ I3
  Γ2∗ ⊢ ∆2∗ ◮ I2
  Γ1∗ ⊢ ∆1∗ ◮ I1
  ⋮
  ⌊A⌋L ⊢ ⌊C⌋R ◮ I

  ↑ annotation of formulae with labels (each Γi ⊢ ∆i of the original proof becomes Γi∗ ⊢ ∆i∗)
  ↓ propagation of interpolants

37 / 49

Interpolation problem: A → I → C

slide-93
SLIDE 93

Labelled formulae

  Labelled formula    Intuition
  ⌊φ⌋L                “φ is subformula of A”
  ⌊φ⌋R                “φ is subformula of C”

38 / 49

Interpolation problem: A → I → C

slide-96
SLIDE 96

Example

Non-interpolating proof (root at the bottom, two branches above it):

  ∗                          ∗
  p ⊢ p, q, r                q, p ⊢ q, r
  ¬p, p ⊢ q, r
  ───────────────────────────────────────
  ¬p ∨ q, p ⊢ q, r
  ¬p ∨ q, p ⊢ q ∨ r

Lifted interpolating proof:

  ∗                                    ∗
  ⌊p⌋L ⊢ ⌊p⌋L ◮ false                  ⌊q⌋L, ⌊p⌋L ⊢ ⌊q⌋R, ⌊r⌋R ◮ q
  ⌊¬p⌋L, ⌊p⌋L ⊢ . . . ◮ false
  ────────────────────────────────────────────────────────────────
  ⌊¬p ∨ q⌋L, ⌊p⌋L ⊢ ⌊q⌋R, ⌊r⌋R ◮ false ∨ q
  ⌊¬p ∨ q⌋L, ⌊p⌋L ⊢ ⌊q ∨ r⌋R ◮ q

39 / 49

slide-97
SLIDE 97

Interpolating propositional rules

  Γ, ⌊φ⌋L ⊢ ∆ ◮ I      Γ, ⌊ψ⌋L ⊢ ∆ ◮ J
  ──────────────────────────────────── OR-LEFT-L
        Γ, ⌊φ ∨ ψ⌋L ⊢ ∆ ◮ I ∨ J

  Γ, ⌊φ⌋R ⊢ ∆ ◮ I      Γ, ⌊ψ⌋R ⊢ ∆ ◮ J
  ──────────────────────────────────── OR-LEFT-R
        Γ, ⌊φ ∨ ψ⌋R ⊢ ∆ ◮ I ∧ J

  Γ, ⌊φ⌋D, ⌊ψ⌋D ⊢ ∆ ◮ I
  ─────────────────────── AND-LEFT
  Γ, ⌊φ ∧ ψ⌋D ⊢ ∆ ◮ I

  Γ ⊢ ⌊φ⌋D, ∆ ◮ I
  ───────────────────── NOT-LEFT
  Γ, ⌊¬φ⌋D ⊢ ∆ ◮ I

              ∗
  ───────────────────────────── CLOSE-LL
  Γ, ⌊φ⌋L ⊢ ⌊φ⌋L, ∆ ◮ false

              ∗
  ───────────────────────────── CLOSE-RR
  Γ, ⌊φ⌋R ⊢ ⌊φ⌋R, ∆ ◮ true

              ∗
  ───────────────────────────── CLOSE-LR
  Γ, ⌊φ⌋L ⊢ ⌊φ⌋R, ∆ ◮ φ

              ∗
  ───────────────────────────── CLOSE-RL
  Γ, ⌊φ⌋R ⊢ ⌊φ⌋L, ∆ ◮ ¬φ

  Γ, ⌊[x/t]φ⌋L, ⌊∀x.φ⌋L ⊢ ∆ ◮ I
  ───────────────────────────── ALL-LEFT-L
  Γ, ⌊∀x.φ⌋L ⊢ ∆ ◮ ∀R_t I

  Γ, ⌊[x/t]φ⌋R, ⌊∀x.φ⌋R ⊢ ∆ ◮ I
  ───────────────────────────── ALL-LEFT-R
  Γ, ⌊∀x.φ⌋R ⊢ ∆ ◮ ∃L_t I

  Γ, ⌊[x/c]φ⌋D ⊢ ∆ ◮ I
  ───────────────────── EX-LEFT
  Γ, ⌊∃x.φ⌋D ⊢ ∆ ◮ I

  Γ ⊢ ⌊[x/c]φ⌋D, ∆ ◮ I
  ───────────────────── ALL-RIGHT
  Γ ⊢ ⌊∀x.φ⌋D, ∆ ◮ I

(D stands for either label, L or R)

40 / 49
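As an added example (my code, not from the slides or from any of the tools named), the propositional part of the calculus above as a small Python prover that builds the proof and propagates interpolants, run on the example of the previous slide; right-hand rules for ∧ and ¬, which the slide does not list, are written as duals of the left rules (my assumption), and the result is checked against Craig's conditions by truth table.

```python
# Added example (not code from the slides): the labelled sequent calculus of slide 97,
# restricted to propositional logic, run on the example of slides 94-96. Formulas are
# atom names, "true"/"false", or tuples ("not", f), ("and", f, g), ("or", f, g). The
# right-hand rules for "and"/"not" are not on the slide; I write them as duals of the left rules.
from itertools import product

L, R = "L", "R"          # labels: subformula of A (left) or of C (right)

def fold(op, i, j):      # interpolant constructor with constant folding
    unit, zero = ("false", "true") if op == "or" else ("true", "false")
    if i == unit: return j
    if j == unit: return i
    return zero if zero in (i, j) else (op, i, j)


def mk_not(i):
    return {"true": "false", "false": "true"}.get(i, ("not", i))


def interpolate(gamma, delta):
    """Search a proof of the labelled sequent gamma |- delta (lists of
    (label, formula)) and return its interpolant, or None if not provable."""
    for lab1, f in gamma:                       # closure rules: atom on both sides
        for lab2, g in delta:
            if isinstance(f, str) and f == g:
                return {(L, L): "false", (R, R): "true",
                        (L, R): f, (R, L): mk_not(f)}[(lab1, lab2)]
    for k, (lab, f) in enumerate(gamma):        # left rules
        if isinstance(f, tuple):
            rest = gamma[:k] + gamma[k + 1:]
            if f[0] == "or":                    # OR-LEFT-L: I v J, OR-LEFT-R: I ^ J
                i = interpolate(rest + [(lab, f[1])], delta)
                j = interpolate(rest + [(lab, f[2])], delta)
                if i is None or j is None: return None
                return fold("or" if lab == L else "and", i, j)
            if f[0] == "and":                   # AND-LEFT
                return interpolate(rest + [(lab, f[1]), (lab, f[2])], delta)
            return interpolate(rest, delta + [(lab, f[1])])      # NOT-LEFT
    for k, (lab, f) in enumerate(delta):        # right rules (duals of the above)
        if isinstance(f, tuple):
            rest = delta[:k] + delta[k + 1:]
            if f[0] == "and":                   # AND-RIGHT-L: I v J, AND-RIGHT-R: I ^ J
                i = interpolate(gamma, rest + [(lab, f[1])])
                j = interpolate(gamma, rest + [(lab, f[2])])
                if i is None or j is None: return None
                return fold("or" if lab == L else "and", i, j)
            if f[0] == "or":                    # OR-RIGHT
                return interpolate(gamma, rest + [(lab, f[1]), (lab, f[2])])
            return interpolate(gamma + [(lab, f[1])], rest)      # NOT-RIGHT
    return None                                 # only atoms left and no closure


def evaluate(f, env):
    if isinstance(f, str):
        return f == "true" if f in ("true", "false") else env[f]
    if f[0] == "not":
        return not evaluate(f[1], env)
    g, h = evaluate(f[1], env), evaluate(f[2], env)
    return (g and h) if f[0] == "and" else (g or h)


def atoms(f):
    if isinstance(f, str):
        return set() if f in ("true", "false") else {f}
    return set().union(*(atoms(g) for g in f[1:]))


def is_interpolant(a, c, i):
    """Craig's conditions: A -> I and I -> C valid, atoms of I common to A and C."""
    if not atoms(i) <= atoms(a) & atoms(c):
        return False
    vs = sorted(atoms(a) | atoms(c))
    for bits in product([False, True], repeat=len(vs)):
        env = dict(zip(vs, bits))
        if (evaluate(a, env) and not evaluate(i, env)) or \
                (evaluate(i, env) and not evaluate(c, env)):
            return False
    return True


# Constructed instance from slide 94:  A = (not p or q) and p,   C = q or r
A = ("and", ("or", ("not", "p"), "q"), "p")
C = ("or", "q", "r")
I = interpolate([(L, A)], [(R, C)])             # the slide's interpolant: q
```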

slide-98
SLIDE 98

Interpolating integer arithmetic . . .

slide-100
SLIDE 100

Some theory rules for integers

Linear combination of inequalities (α > 0, β > 0):

  Γ, . . . , αs + βt ≤ 0 ⊢ ∆
  ───────────────────────── FM-ELIM′
     Γ, s ≤ 0, t ≤ 0 ⊢ ∆

Strengthening inequalities (subsumes rounding, Gomory cuts):

  Γ, t ≐ 0 ⊢ ∆      Γ, t + 1 ≤ 0 ⊢ ∆
  ─────────────────────────────────── STRENGTHEN′
            Γ, t ≤ 0 ⊢ ∆

Calculus contains both analytic and synthetic rules ⇒ More general form of labels needed

42 / 49

slide-101
SLIDE 101

Extended labelled formulae

  Labelled formula    Intuition
  ⌊φ⌋L                “φ is subformula of A”
  ⌊φ⌋R                “φ is subformula of C”
  φ [ψ]               “ψ is A-contribution to φ” (ψ is the partial interpolant of φ)

43 / 49

Interpolation problem: A → I → C

slide-102
SLIDE 102

Selection of interpolating integer rules

Linear combination of inequalities (α > 0, β > 0):

  Γ, . . . , αs + βt ≤ 0 [αs_A + βt_A ≤ 0] ⊢ ∆ ◮ I
  ──────────────────────────────────────────────── FM-ELIM
     Γ, s ≤ 0 [s_A ≤ 0], t ≤ 0 [t_A ≤ 0] ⊢ ∆ ◮ I

Closure rules:

                 ∗
  ──────────────────────────────── CLOSE-INEQ
  Γ, α ≤ 0 [t_A ≤ 0] ⊢ ∆ ◮ t_A ≤ 0

44 / 49

slide-103
SLIDE 103

Interpolating proof example

Original proof (root at the bottom; the rule named beside a sequent is the one applied to it, yielding the sequent(s) above it):

  ∗
  . . . , 3 ≤ 0 ⊢                                        INEQ-CLOSE′
  . . . , 3x ≤ 0, −2x + 1 ≤ 0 ⊢                          FM-ELIM′
  · · ·   . . . , 3x − 2 ≤ 0, −2x + 1 ≤ 0 ⊢              STRENGTHEN′ × 2
  a + x ≤ 0, −a + 2x − 2 ≤ 0, −2x + 1 ≤ 0 ⊢              FM-ELIM′

Interpolating proof (partial interpolants in brackets, interpolant after ◮):

  ∗
  . . . , 3 ≤ 0 [6x ≤ 0] ⊢ ◮ x ≤ 0
  . . . , 3x ≤ 0 [3x ≤ 0], −2x + 1 ≤ 0 [0 ≤ 0] ⊢ ◮ x ≤ 0
  . . . , 3x − 2 ≤ 0 [3x − 2 ≤ 0], −2x + 1 ≤ 0 [0 ≤ 0] ⊢ ◮ x ≤ 0
  a + x ≤ 0 [a + x ≤ 0], −a + 2x − 2 ≤ 0 [−a + 2x − 2 ≤ 0], −2x + 1 ≤ 0 [0 ≤ 0] ⊢ ◮ x ≤ 0

45 / 49
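As an added check, not part of the slides: the coefficients behind the FM-ELIM steps of the proof above, and why the interpolant x ≤ 0 meets Craig's conditions (A is the first two inequalities of the root sequent, B the third, so I is a reverse interpolant for A ∧ B).

$$
\begin{aligned}
\text{FM-ELIM}'\ (\text{root}),\ \alpha=\beta=1:&\quad (a + x) + (-a + 2x - 2) = 3x - 2 \le 0,
\qquad \text{partial interpolant } (a + x) + (-a + 2x - 2) = 3x - 2 \le 0 \\
\text{STRENGTHEN}' \times 2:&\quad 3x - 2 \le 0 \;\leadsto\; 3x - 1 \le 0 \;\leadsto\; 3x \le 0
\quad (\text{the side branches } 3x - 2 \doteq 0,\ 3x - 1 \doteq 0 \text{ are the elided } \cdots) \\
\text{FM-ELIM}',\ \alpha=2,\ \beta=3:&\quad 2\cdot 3x + 3\cdot(-2x + 1) = 3 \le 0,
\qquad \text{partial interpolant } 2\cdot 3x + 3\cdot 0 = 6x \le 0 \\
\text{CLOSE-INEQ}:&\quad 3 \le 0 \text{ is false; interpolant } 6x \le 0, \text{ i.e. } x \le 0 \text{ over } \mathbb{Z} \\
\text{Check:}&\quad A \Rightarrow 3x - 2 \le 0 \Rightarrow x \le 0 \ (x \in \mathbb{Z});
\qquad x \le 0 \wedge -2x + 1 \le 0 \Rightarrow 1 \le 2x \le 0,\ \text{contradiction};
\qquad a \text{ does not occur in } I.
\end{aligned}
$$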

slide-104
SLIDE 104

Literature

  • Difference logic [McMillan, 2006]
  • Integer equalities + divisibility constraints [Jain, Clarke, Grumberg, 2008]
  • Unit-two-variable-per-inequality [Cimatti, Griggio, Sebastiani, 2009]
  • Simplex-based, full PA [Lynch, Tang, 2008] ⇒ Leaves local symbols/quantifiers in interpolants

46 / 49

slide-105
SLIDE 105

Literature (2)

Proof-based methods for full PA:
  • Sequent calculus-based [Brillout, Kroening, Rümmer, Wahl, 2010]
  • Simplex-based, special branch-and-cut rule [Kroening, Leroux, Rümmer, 2010]
  • Simplex-based, targeting SMT [Griggio, Le, Sebastiani, 2011]
  • From Z3 proofs [McMillan, 2011]

47 / 49

slide-106
SLIDE 106

Conclusion

  • Interpolation engines are today available for many logics/theories
  • Not quite as mature yet as SMT in general
  • Remaining challenges: mixed-integer, bit-vectors, full first-order logic, quantifier-free arrays, . . . ; exploration of the interpolant space

48 / 49

slide-107
SLIDE 107

Thanks for your attention!

49 / 49