Symbolic Computation and Theorem Proving in Program Analysis
Laura Kovács
Chalmers
Outline
Part 1: Weakest Precondition for Program Analysis and Verification
Part 2: Polynomial Invariant Generation (TACAS'08, LPAR'10)
Part 3: Quantified Invariant Generation (FASE'09, MICAI'11)
Part 4: Invariants, Interpolants and Symbol Elimination (CADE'09, POPL'12, APLAS'12)

Part 4: Invariants, Interpolants and Symbol Elimination. Symbol Elimination by First-Order Theorem Proving
- Invariants, Interpolants and Symbol Elimination
- Interpolants from Proofs
- Interpolation in Vampire
- Quality of Interpolants
- Conclusions
Invariants, Symbol Elimination, and Interpolation
Reachability of B in ONE iteration: A(c, d) ∧ T(c, d, c′, d′) → B(c′, d′)

  {c = d = 0 ∧ N > 0 ∧ (∀k)(0 ≤ k < N → D[k] = 0)}      precondition A(c, d)
  while (c < N) do
    C[c] := D[d];
    c := c + 1; d := d + 1
  end do
  {(∀k)(0 ≤ k < N → C[k] = 0)}                            postcondition B(c′, d′)

One loop iteration followed by the loop exit is described by the transition formula
  T(c, d, c′, d′) ≡ c < N ∧ C[c] = D[d] ∧ c′ = c + 1 ∧ d′ = d + 1 ∧ c′ ≥ N
Refutation: A(c, d) ∧ T(c, d, c′, d′) ∧ ¬B(c′, d′)
- The formula is over 2 states (c, d, c′, d′).
- Need a state formula I(c′, d′) such that (Jhala and McMillan):
    A(c, d) ∧ T(c, d, c′, d′) → I(c′, d′)   and   I(c′, d′) ∧ ¬B(c′, d′) → ⊥
Task: compute the interpolant I(c′, d′) by eliminating the symbols c, d.
Interpolant after one iteration:   I(c′, d′) ≡ 0 < c′ = 1 ∧ C[0] = D[0]
Interpolant after two iterations:  I(c″, d″) ≡ 0 < c″ = 2 ∧ C[0] = D[0] ∧ C[1] = D[1]
Reachability of B in TWO iterations: A(c, d) ∧ T(c, d, c′, d′) ∧ T(c′, d′, c″, d″) → B(c″, d″)
Task: compute the interpolant I(c″, d″) by eliminating the symbols c, d, c′, d′.
The same interpolants in quantified form:
  I(c′, d′) ≡ (∀k)(0 ≤ k < c′ → C[k] = D[k])
  I(c″, d″) ≡ (∀k)(0 ≤ k < c″ → C[k] = D[k])
Task: compute an interpolant I(c″, d″) implying an invariant in any state.
Symbol Elimination and Interpolation
- What is an Interpolant?
- Computing Interpolants
  - Local Derivations
  - Symbol Eliminations
  - Building Interpolants from Proofs
- Summary: Invariants, Symbol Elimination, Interpolants
Notation
- First-order predicate logic with equality.
- ⊤: always true, ⊥: always false.
- ∀A: universal closure of A.
- Symbols: predicate symbols; function symbols; constants.
  Equality is part of the language → equality is not a symbol.
- L_A: the language of A, i.e. the set of all formulas built from the symbols occurring in A.
What is an Interpolant?
Let A, B be closed formulas such that A → B.
Theorem (Craig's Interpolation Theorem). There exists a closed formula I ∈ L_A ∩ L_B such that
  A → I and I → B.
I is an interpolant of A and B.
Note: if A and B are ground, they also have a ground interpolant.
Reverse interpolant of A and B: any formula I such that
  A → I and I, ¬B → ⊥.
Interpolation with Theories
- Theory T: any set of closed formulas.
- C1, ..., Cn →_T C means that the formula C1 ∧ ... ∧ Cn → C holds in all models of T.
- Interpreted symbols: symbols occurring in T.
- Uninterpreted symbols: all other symbols.
Theorem. Let A, B be formulas and let A →_T B. Then there exists a formula I such that
  1. A →_T I and I → B;
  2. every uninterpreted symbol of I occurs both in A and B;
  3. every interpreted symbol of I occurs in B.
Likewise, there exists a formula I such that
  1. A → I and I →_T B;
  2. every uninterpreted symbol of I occurs both in A and B;
  3. every interpreted symbol of I occurs in A.
Computing Interpolants using Inference Systems
- Inference rule:
      A1 ... An
      ---------
          A
- Inference system: a set of inference rules.
- Axiom: an inference rule with 0 premises.
- Derivation of A: a tree with root A built from inferences.
Interpolants and Local AB-Derivations
AB-derivation. Let L = L_A ∩ L_B. A derivation Π is an AB-derivation if
(AB1) for every leaf C of Π one of the following conditions holds:
  1. A →_T ∀C and C ∈ L_A, or
  2. B →_T ∀C and C ∈ L_B;
(AB2) for every inference
      C1 ... Cn
      ---------
          C
  of Π we have ∀C1, ..., ∀Cn →_T ∀C.
We will refer to property (AB2) as soundness.
Interpolants and Local AB-Derivations
An inference
      C1 ... Cn
      ---------
          C
is local if the following two conditions hold:
(L1) either {C1, ..., Cn, C} ⊆ L_A or {C1, ..., Cn, C} ⊆ L_B;
(L2) if all of the formulas C1, ..., Cn are colorless, then C is colorless, too.
A derivation is called local if every inference of this derivation is local.
Shape of local derivations for A → B
Local Derivations: Example A → B
[demo]
- A := ∀x(x = c)
- B := a = b
- Universal interpolant I: ∀x∀y(x = y)
A local refutation of A ∧ ¬B in the superposition calculus:

  x = c    y = c
  --------------
      x = y          a ≠ b
      ----------------------
              y ≠ b
              ------
                ⊥
Interpolants and Symbol Eliminating Inference
A symbol-eliminating inference:
- at least one of the premises is colored;
- the conclusion is not colored.
In the refutation above, the inference x = c, y = c ⊢ x = y eliminates the colored symbol c.
Interpolant ∀x∀y(x = y): conclusion of a symbol-eliminating inference.
Extracting Interpolants from Local Proofs
Theorem (CADE'09). Let Π be a closed local AB-refutation. Then:
- a reverse interpolant I of A and B can be extracted from Π in linear time;
- I is ground if all formulas in Π are ground;
- I is a boolean combination of conclusions of symbol-eliminating inferences of Π.
Note:
- No restriction on the calculus (only soundness required), so it can be used with theories.
- Can generate interpolants in theories where no good interpolation algorithms exist.
- Shift of interest: what matters are the symbol-eliminating inferences.
Building Interpolants from Proofs
- Problem: generation of proofs giving interpolants.
- Idea 1: look for local refutations only.
- Idea 2: find calculi that guarantee that local proofs exist.
- LASCA: Superposition + Linear Arithmetic.
- Separating orderings (colored symbols are the greatest).
Theorem (CADE'09). If the ordering ≻ is separating, then every AB-derivation in LASCA is local.
First-order interpolation is implemented in Vampire.
Table: Interpolation with Vampire, within a 1 second time limit.
Each entry gives the two formulas (L, R), the coloring (left-colored and right-colored symbols) and the reverse interpolant found.

1. L: z < 0 ∧ x ≤ z ∧ y ≤ x
   R: y ≤ 0 ∧ x + y ≥ 0
   Coloring: left z; right -
   Reverse interpolant: y ≤ x ∧ x < 0

2. L: g(a) = c + 5 ∧ f(g(a)) ≥ c + 1
   R: h(b) = d + 4 ∧ d = c + 1 ∧ f(h(b)) < c + 1
   Coloring: left g, a; right h, b
   Reverse interpolant: c + 1 ≤ f(c + 5)

3. L: p ≤ c ∧ c ≤ q ∧ f(c) = 1
   R: q ≤ d ∧ d ≤ p ∧ f(d) = 0
   Coloring: left c; right d
   Reverse interpolant: p ≤ q ∧ (q > p ∨ f(p) = 1)

4. L: f(x1) + x2 = x3 ∧ f(y1) + y2 = y3 ∧ y1 ≤ x1
   R: x2 = g(b) ∧ y2 = g(b) ∧ x1 ≤ y1 ∧ x3 < y3
   Coloring: left f; right g, b
   Reverse interpolant: x1 > y1 ∨ x2 ≠ y2 ∨ x3 = y3

5. L: c2 = car(c1) ∧ c3 = cdr(c1) ∧ ¬atom(c1)
   R: c1 ≠ cons(c2, c3)
   Coloring: left car, cons; right -
   Reverse interpolant: ¬atom(c1) ∧ c1 = cons(c2, c3)

6. L: Q(f(a)) ∧ ¬Q(f(b))
   R: f(V) = c
   Coloring: left Q, a, b; right c
   Reverse interpolant: ∃x, y: f(x) ≠ f(y)

7. L: a = c ∧ f(c) = a
   R: c = b ∧ ¬(b = f(c))
   Coloring: left a; right b
   Reverse interpolant: c = f(c)

8. L: True ∧ a′[x′] = y ∧ x′ = x ∧ y′ = y + 1 ∧ z′ = x′
   R: ¬(y′ = a′[z′] + 1)
   Coloring: left x, y; right -
   Reverse interpolant: 1 + a′[x′] = y′ ∧ x′ = z′
Interpolation Through Colors in Vampire
- There are three colors: blue, red and green.
- Each symbol (function or predicate) is colored in exactly one of these colors.
- We have two formulas: A and B.
- Each symbol in A is either blue or green.
- Each symbol in B is either red or green.
- We know that A → B holds.
- Our goal is to find a green formula I such that
  1. A → I;
  2. I → B.
Interpolation Example in Vampire
The interpolation problem in TPTP syntax (the left formula as an axiom, the right formula as the conjecture):

  fof(fA,axiom, q(f(a)) & ~q(f(b)) ).
  fof(fB,conjecture, ?[V]: V != c).

The complete Vampire input, with the directives that request an interpolant and color the symbols:

  % request to generate an interpolant
  vampire(option,show_interpolant,on).
  % symbol coloring
  vampire(symbol,predicate,q,1,left).
  vampire(symbol,function,f,1,left).
  vampire(symbol,function,a,0,left).
  vampire(symbol,function,b,0,left).
  vampire(symbol,function,c,0,right).
  % formula L
  vampire(left_formula).
  fof(fA,axiom, q(f(a)) & ~q(f(b)) ).
  vampire(end_formula).
  % formula R
  vampire(right_formula).
  fof(fB,conjecture, ?[V]: V != c).
  vampire(end_formula).
Given: a problem (an interpolation problem). Generate: a formula (an interpolant) which is small.

  -1 + a + -a = -1 ∧
  ∀x(¬(x ≤ 5) ∨ -6 + x ≤ -1) ∧
  -(-1 + -1 + a) = -1 ∧
  ∀x((1 ≤ x + --(-1 + a) ∨ ¬(-1 ≤ x))) ∧
  (a ≤ 6 ∨ 1 ≤ a + -1) ∧
  ∀x(¬(-1 ≤ x) ∨ ¬(x ≤ -2)) ∧
  ∀x(-1 ≤ x + -a ∨ ¬(-1 + a ≤ x)) ∧
  ∀x(-1 + x = 1 + -2 + x) ∧
  -a + -1 + a = -1 ∧
  ∀x(¬(--(-1 + a) ≤ x) ∨ 1 ≤ x + -1) ∧
  ∀x((¬(x ≤ 4) ∨ -5 + x ≤ -1)) ∧
  ∀x(x + -3 ≤ -1 ∨ ¬(x ≤ 2)) ∧
  ∀x(¬(x ≤ 3) ∨ -4 + x ≤ -1) ∧
  ∀x(x + -a ≤ -1 ∨ ¬(x ≤ -1 + a)) ∧
  ∀x(-1 + x = -1 + -1 + a + -(-1 + a) + x) ∧
  6 ≤ b

or

  ¬(a ≤ 6) ∧ -a ≤ -1 ∧ ¬(-1 ≤ -a) ∧ a = 3 ∧ 1 ≤ -1 + a ∧ ¬(2 + a ≤ 6) ∧ ¬(-1 + a ≤ 1) ∧ (a ≠ 6 ∨ ¬(b ≤ 6))

What is a good interpolant?
- logical strength [Jhala07, D'Silva09, McMillan08];
- small size [Kroening10, Brillout11, Griggio11].
How to Make Interpolants Smaller/Nicer?
Smaller/nicer:
- in size;
- in weight;
- in the number of quantifiers;
- ...
Revised Interpolation Problem: given R → B, find a green formula I such that
- R → I;
- I → B;
- I is small.
Extracting Interpolants from Local Proofs
A green formula G is in the digest if it
- comes from a red block and is followed by a blue or green block, or
- comes from a blue block and is followed by a red block.
[Figure: a colored local proof whose digest is {G1, G2, G3, G4}.]
Interpolant: boolean combination of {G1, ..., G4} [McMillan05, KV09].
How to Make Interpolants Smaller/Nicer?
Task: minimise interpolants = minimise the digest.
Idea: change the green areas of the local proof, but preserve locality!
Slicing off formulas: an inference deriving A from A1, ..., An, whose conclusion A is then used together with An+1, ..., Am to derive A0, is replaced by a single inference deriving A0 from A1, ..., Am:

  A1 ... An
  ---------
      A        An+1 ... Am       slicing off A      A1 ... An  An+1 ... Am
      ----------------------    ------------->     ----------------------
               A0                                            A0

If A is green: green slicing.
How to Make Interpolants Smaller/Nicer?
The same transformation on a proof fragment with a blue formula B0, a red formula R0 and green formulas G1, G0:

  B0
  --
  G1   R0        slicing off G1      B0  R0
  -------       ------------->       ------
    G0                                 G0

Since the sliced-off formula G1 is green, this is a green slicing.
How to Make Interpolants Smaller/Nicer?
[Figure: a colored local refutation with red formulas R1, R3, R4, blue formula B1 and green formulas G1, ..., G7, ending in ⊥.]
Digest: {G4, G7}. Reverse interpolant: G4 → G7.
Slicing off green formulas one at a time changes the digest and with it the interpolant: {G4, G7} with G4 → G7, then {G5, G7} with G5 → G7, then {G6, G7} with G6 → G7, and finally {G6} with ¬G6.
Note that the interpolant has changed from G4 → G7 to ¬G6.
- There is no obvious logical relation between G4 → G7 and ¬G6; for example, neither of these formulas implies the other.
- These formulas may even have no common atoms or no common symbols.
How to Make Interpolants Smaller/Nicer?
If green slicing gives us very different interpolants, we can use it for finding small interpolants.
Problem: if the proof contains n green formulas, the number of possible different slicing-off transformations is 2^n.
How to Make Interpolants Smaller/Nicer?
Solution:
- encode all sequences of transformations as an instance of SAT;
- solutions encode all slicing-off transformations.

Example proof:

  R       B
  --      --
  G1      G2
  ----------
      G3

In this proof, G3 and at most one of G1, G2 can be sliced off (slicing off both G1 and G2 would put the red formula R and the blue formula B into one inference, which violates locality).

Some predicates on green formulas:
- sliced(G): G was sliced off;
- red(G): the trace of G contains a red formula;
- blue(G): the trace of G contains a blue formula;
- green(G): the trace of G contains only green formulas;
- digest(G): G belongs to the digest.

digest(G) is expressed by considering the possibilities that G comes from a red/blue/green formula (rc(G)/bc(G)) and that G is followed by a red/blue/green formula (rf(G)/bf(G)).

Constraints for the example proof:
  ¬sliced(G1) → green(G1)
  sliced(G1) → red(G1)
  ¬sliced(G3) → green(G3)
  sliced(G3) → (green(G3) ↔ green(G1) ∧ green(G2))
  sliced(G3) → (red(G3) ↔ red(G1) ∨ red(G2))
  sliced(G3) → (blue(G3) ↔ blue(G1) ∨ blue(G2))
  digest(G1) → ¬sliced(G1)
  · · ·
  digest(G3) ↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))
  rc(G3) ↔ (¬sliced(G3) ∧ (red(G1) ∨ red(G2)))
  · · ·
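The slicing-off transformation, the locality check that limits which green formulas may be sliced off, the 2^n enumeration of candidate slicings and the digest rule from the preceding slides, worked through on the slide's small proof (R ⊢ G1, B ⊢ G2, G1, G2 ⊢ G3). This is an added example, not code from the slides or from Vampire; it assumes that G3 feeds a final inference deriving ⊥ (so that G3 can be sliced off, as the slide says), and it reads "comes from" and "followed by" as the color of the inference deriving, respectively consuming, a green formula.

```python
"""Green slicing on a colored local proof (added example, not the slides' or Vampire's code)."""
from itertools import combinations

# Colors: "R" red (only in the right/B formula), "B" blue (only in the left/A formula),
# "G" green (shared language). A proof maps each formula to (color, premises);
# leaves have no premises, "bot" is the empty clause at the root.
PROOF = {
    "R":   ("R", []),
    "B":   ("B", []),
    "G1":  ("G", ["R"]),
    "G2":  ("G", ["B"]),
    "G3":  ("G", ["G1", "G2"]),
    "bot": ("G", ["G3"]),          # assumed root inference, not drawn on the slide
}

def inference_is_local(proof, conclusion):
    """Locality of one inference, as on the slide: (L1) premises and conclusion all lie
    in L_A (blue/green) or all in L_B (red/green); (L2) all-green premises give a green
    conclusion."""
    color, premises = proof[conclusion]
    colors = {proof[p][0] for p in premises} | {color}
    if {"R", "B"} <= colors:
        return False
    if premises and all(proof[p][0] == "G" for p in premises) and color != "G":
        return False
    return True

def is_local(proof):
    """A derivation is local iff every inference in it is local."""
    return all(inference_is_local(proof, c) for c, (_, prem) in proof.items() if prem)

def consumers(proof, name):
    """Conclusions of the inferences that use `name` as a premise."""
    return [c for c, (_, prem) in proof.items() if name in prem]

def slice_off(proof, name):
    """Remove the green formula `name`: every inference that used it as a premise now
    takes `name`'s own premises instead (A1..An, An+1..Am |- A0 on the slide).
    Returns a new proof; the input is not modified."""
    color, premises = proof[name]
    if color != "G":
        raise ValueError(f"{name} is not green; only green formulas are sliced off")
    if not consumers(proof, name):
        raise ValueError(f"{name} is the root; there is no inference to slice it into")
    new = {}
    for c, (col, prem) in proof.items():
        if c == name:
            continue
        spliced = []
        for p in prem:
            spliced.extend(premises if p == name else [p])
        new[c] = (col, spliced)
    return new

def slice_many(proof, names):
    for n in names:
        proof = slice_off(proof, n)
    return proof

def sliceable(proof):
    """Green formulas that are both derived by an inference and used by another."""
    return [c for c, (col, prem) in proof.items()
            if col == "G" and prem and consumers(proof, c)]

def local_slicings(proof):
    """All 2^n subsets of the n sliceable green formulas (the slide's 2^n candidate
    transformations), keeping the ones whose result is still a local proof."""
    greens = sliceable(proof)
    keep = []
    for k in range(len(greens) + 1):
        for subset in combinations(greens, k):
            if is_local(slice_many(proof, subset)):
                keep.append(frozenset(subset))
    return keep

def block_color(proof, conclusion):
    """Color of the block an inference belongs to: red if it touches a red formula,
    blue if it touches a blue one, otherwise green."""
    colors = {proof[p][0] for p in proof[conclusion][1]} | {proof[conclusion][0]}
    return "R" if "R" in colors else "B" if "B" in colors else "G"

def digest(proof):
    """The slide's digest rule: G is in the digest if it comes from a red block and is
    followed by a blue or green one, or comes from a blue block and is followed by a red
    one. Reading (an assumption here): 'comes from' = color of the inference deriving G,
    'followed by' = color of an inference consuming G."""
    out = set()
    for g, (color, premises) in proof.items():
        if color != "G" or not premises:
            continue
        origin = block_color(proof, g)
        next_blocks = {block_color(proof, c) for c in consumers(proof, g)}
        if origin == "R" and next_blocks & {"B", "G"}:
            out.add(g)
        if origin == "B" and "R" in next_blocks:
            out.add(g)
    return out

if __name__ == "__main__":
    for subset in local_slicings(PROOF):
        sliced = slice_many(PROOF, sorted(subset))
        print(f"slice off {sorted(subset) or '-'}: local, digest {sorted(digest(sliced))}")
```

Of the 8 candidate slicings, the two that slice off both G1 and G2 fail the locality check, which is exactly the slide's "G3, and at most one of G1, G2 can be sliced off".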
How to Make Interpolants Smaller/Nicer?Solution:
I encode all sequences of transformations as an instance of SATI solutions encode all slicing off transformations
RG1
BG2
G3
Some predicates on green for-mulas:
I sliced(G): G was slicedoff;
I red(G): the trace of Gcontains a red formula;
I blue(G): the trace of Gcontains a blue formula;
I green(G): the trace of Gcontains only greenformulas;
I digest(G): G belongs tothe digest.
G3, and at most one of G1,G2 can be sliced off.
¬sliced(G1)→ Green(G1)
sliced(G1)→ red(G1)
¬sliced(G3)→ Green(G3)
sliced(G3)→ (Green(G3)↔ Green(G1) ∧Green(G2))
sliced(G3)→ (red(G3)↔ red(G1) ∨ red(G2))
sliced(G3)→ (blue(G3)↔ blue(G1) ∨ blue(G2))
digest(G1)→ ¬sliced(G1)
· · ·digest(G3)↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))
rc(G3)↔ (¬sliced(G3) ∧ (red(G1) ∨ red(G2))
· · ·
How to Make Interpolants Smaller/Nicer?Solution:
I encode all sequences of transformations as an instance of SATI solutions encode all slicing off transformations
RG1
BG2
G3
Some predicates on green for-mulas:
I sliced(G): G was slicedoff;
I red(G): the trace of Gcontains a red formula;
I blue(G): the trace of Gcontains a blue formula;
I green(G): the trace of Gcontains only greenformulas;
I digest(G): G belongs tothe digest.
G3, and at most one of G1,G2 can be sliced off.
¬sliced(G1)→ Green(G1)
sliced(G1)→ red(G1)
¬sliced(G3)→ Green(G3)
sliced(G3)→ (Green(G3)↔ Green(G1) ∧Green(G2))
sliced(G3)→ (red(G3)↔ red(G1) ∨ red(G2))
sliced(G3)→ (blue(G3)↔ blue(G1) ∨ blue(G2))
digest(G1)→ ¬sliced(G1)
· · ·digest(G3)↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))
rc(G3)↔ (¬sliced(G3) ∧ (red(G1) ∨ red(G2))
· · ·
How to Make Interpolants Smaller/Nicer?

Solution:
- encode all sequences of transformations as an instance of SAT;
- solutions encode all slicing off transformations.

[Figure: inference with premises G1 (marked R, red) and G2 (marked B, blue) and conclusion G3; at most one of G1, G2 can be sliced off.]

Some predicates on green formulas:
- sliced(G): G was sliced off;
- red(G): the trace of G contains a red formula;
- blue(G): the trace of G contains a blue formula;
- green(G): the trace of G contains only green formulas;
- digest(G): G belongs to the digest.

Express digest(G) by considering the possibilities:
- G comes from a red/blue/green formula: rc(G)/bc(G);
- G is followed by a red/blue/green formula: rf(G)/bf(G).

¬sliced(G1) → green(G1)
sliced(G1) → red(G1)
¬sliced(G3) → green(G3)
sliced(G3) → (green(G3) ↔ green(G1) ∧ green(G2))
sliced(G3) → (red(G3) ↔ red(G1) ∨ red(G2))
sliced(G3) → (blue(G3) ↔ blue(G1) ∨ blue(G2))
digest(G1) → ¬sliced(G1)
· · ·
digest(G3) ↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))
rc(G3) ↔ ¬sliced(G3) ∧ (red(G1) ∨ red(G2))
· · ·
How to Make Interpolants Smaller/Nicer?

Solution:
- encode all sequences of transformations as an instance of SAT;
- solutions encode all slicing off transformations;
- compute small interpolants: smallest digest of green formulas;

  $\min_{\{G_{i_1},\dots,G_{i_n}\}} \Big(\sum_{G_i} \mathit{digest}(G_i)\Big)$

  $\min_{\{G_{i_1},\dots,G_{i_n}\}} \Big(\sum_{G_i} \mathit{quantifier\_number}(G_i)\cdot\mathit{digest}(G_i)\Big)$

- use a pseudo-boolean optimisation tool or an SMT solver to minimise interpolants;
- minimising interpolants is an NP-complete problem.
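A brute-force version of the slicing-off minimisation on this and the previous slide, as an added example that is not the speaker's code: it models the slide's sliced/red/blue/green predicates on a constructed toy local proof and enumerates every slicing choice in place of the pseudo-boolean or SMT solver. It assumes a simplified digest (kept green formulas with a coloured premise trace, i.e. the rc/bc part only, without the rf/bf refinement) and a locality check that forbids an inference from mixing red and blue premise traces; both are assumptions, not definitions from the slides.

```python
from itertools import product

# Constructed toy local proof (not from the slides): formula -> (colour, premises).
# R* are red axioms, B1 a blue axiom, G* green formulas; G4 is the final conclusion.
PROOF = {
    "R1": ("red", ()), "R2": ("red", ()), "B1": ("blue", ()),
    "G1": ("green", ("R1", "R2")),   # green conclusion of a red inference
    "G2": ("green", ("B1",)),        # green conclusion of a blue inference
    "G3": ("green", ("G1", "G2")),   # green conclusion of a green inference
    "G4": ("green", ("G3", "R1")),   # root: green conclusion of a red inference
}

def trace_colours(proof, sliced, f):
    """The slide's red/blue/green predicates: the trace of a kept formula is the
    formula itself; slicing f off replaces it by the traces of its premises."""
    colour, premises = proof[f]
    if f not in sliced:
        return {colour}
    return set().union(*(trace_colours(proof, sliced, p) for p in premises))

def evaluate(proof, sliced):
    """Return (is_local, digest) for one slicing choice.  Assumptions not on the
    slide: an inference stays local iff its premises' traces do not mix red and
    blue, and digest = kept green formulas with a coloured premise trace
    (the rc/bc part of the slide's definition; the rf/bf refinement is omitted)."""
    digest = set()
    for f, (colour, premises) in proof.items():
        if f in sliced or not premises:
            continue
        seen = set().union(*(trace_colours(proof, sliced, p) for p in premises))
        if {"red", "blue"} <= seen:
            return False, set()
        if colour == "green" and seen & {"red", "blue"}:
            digest.add(f)
    return True, digest

def minimal_digest(proof):
    """Exhaustive search over all slicing choices, standing in for the
    pseudo-boolean/SMT solver; returns (smallest digest, sliced formulas)."""
    used = {p for _, ps in proof.values() for p in ps}
    candidates = [f for f, (c, ps) in proof.items() if c == "green" and ps and f in used]
    best = None
    for bits in product([False, True], repeat=len(candidates)):
        sliced = {f for f, b in zip(candidates, bits) if b}
        local, digest = evaluate(proof, sliced)
        if local and (best is None or len(digest) < len(best[0])):
            best = (digest, sliced)
    return best

if __name__ == "__main__":
    print(evaluate(PROOF, set())[1], "->", minimal_digest(PROOF))
```

On the toy proof the unsliced digest has three formulas; slicing off G1 and G3 keeps the proof local and shrinks the digest to two, while slicing off G1 and G2 together is rejected because G3 would then mix red and blue premises.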
Experiments with Minimising Interpolants

Experimental results:
- 9632 first-order examples from the TPTP library: for example, for 2000 problems the size of the interpolants became 20-49 times smaller;
- 4347 SMT examples:
  - we used Z3 for proving SMT examples;
  - Z3 proofs were localised in Vampire;
  - minimal interpolants were generated for 2123 SMT examples.
Experiments with Minimising Interpolants

More realistic benchmarks:
- 4048 problems coming from CPAchecker;
- we used Vampire to generate local proofs;
- minimal interpolants were generated for 1903 CPAchecker examples:
  - for 296 examples the size of the interpolant has decreased by a factor of 5;
  - for 6 examples the size of the interpolant has decreased by a factor of 500.
Symbol Elimination and Interpolation
Invariants, Interpolants and Symbol Elimination
Interpolants from Proofs
Interpolation in Vampire
Quality of Interpolants
Conclusions
Summary: Invariant Generation, Interpolation, Symbol Elimination

Given the proof obligation A → B:
1. Run a theorem prover and eliminate extra symbols;
2. Generate a (reverse) interpolant from a refutation;
3. The interpolant is a boolean combination of consequences of symbol-eliminating inferences.

Given a loop:
1. Express loop properties in a language containing extra symbols;
2. Every logical consequence of these properties is a valid loop property, but not an invariant;
3. Run a theorem prover for eliminating extra symbols;
4. Every derived formula in the language of the loop is a loop invariant;
5. Invariants are consequences of symbol-eliminating inferences.
End of Session 4
Slides for session 4 ended here . . .