2em symbolic computation and theorem proving … › ... › slides › kovacs4.pdfsymbolic...

Symbolic Computation and Theorem Provingin Program Analysis

Laura Kovacs

Chalmers

Outline

Part 1: Weakest Precondition for Program Analysis andVerification

Part 2: Polynomial Invariant Generation (TACAS’08, LPAR’10)

Part 3: Quantified Invariant Generation (FASE’09, MICAI’11)

Part 4: Invariants, Interpolants and Symbol Elimination(CADE’09, POPL’12, APLAS’12)

Part 4: Invariants, Interpolants and Symbol EliminatioSymbol Elimination by First-Order Theorem Proving

Invariants, Interpolants and Symbol Elimination

Interpolants from Proofs

Interpolation in Vampire

Quality of Interpolants

Conclusions

Outline

Conclusions

Invariants, Symbol Elimination, and InterpolationReachability of B in ONE iteration: A(c, d) ∧ T (c, d , c′, d ′)→ B(c′, d ′)

{c = d = 0 ∧ N > 0 ∧ (∀k) (0 ≤ k < N → D[k ] = 0)} precondition A(c,d)

while (c < N) do

C[c] := D[d ]; c < N ∧ C[c] = D[d ] ∧ c′ = c + 1 ∧ d ′ = d + 1 ∧ c′ ≥ N︸︷︷︸T (c,d,c′,d′)

c := c + 1;d := d + 1

end do

{(∀k)(0 ≤ k < N → C[k ] = 0)} postcondition B(c,d)

while (c < N) do

c := c + 1;d := d + 1

end do

{(∀k)(0 ≤ k < N → C[k ] = 0)} postcondition B(c′,d ′)

while (c < N) do

c := c + 1;d := d + 1

end do

Refutation: A(c, d) ∧ T (c, d , c′, d ′) ∧ ¬B(c′, d ′)

• The formula is of 2 states (c, d , c′, d ′).• Need a state formula I(c′, d ′) such that: (Jhala and McMillan)

A(c, d) ∧ T (c, d , c′, d ′)→ I(c′, d ′) and I(c′, d ′) ∧ ¬B(c′, d ′)→ ⊥

while (c < N) do

c := c + 1;d := d + 1

end do

while (c < N) do

c := c + 1;d := d + 1

end do

Taks: Compute interpolant I(c′, d ′) by eliminating symbols c, d .

while (c < N) do

c := c + 1;d := d + 1

end do

I(c′,d ′) ≡ 0 < c′ = 1 ∧ C[0] = D[0]

I(c′′,d ′′) ≡ 0 < c′′ = 2 ∧ C[0] = D[0] ∧ C[1] = D[1]

Taks: Compute interpolant I(c′, d ′) by eliminating symbols c, d .

Invariants, Symbol Elimination, and InterpolationReachability of B in TWO iterations: A(c, d)∧T (c, d , c′, d ′)∧T (c′, d ′, c′′, d ′′)→B(c′′, d ′′)

while (c < N) do

c := c + 1;d := d + 1

end do

I(c′,d ′) ≡ 0 < c′ = 1 ∧ C[0] = D[0]

I(c′′,d ′′) ≡ 0 < c′′ = 2 ∧ C[0] = D[0] ∧ C[1] = D[1]

Taks: Compute interpolant I(c′′, d ′′) by eliminating symbols c, d , c′, d ′.

Invariants, Symbol Elimination, and InterpolationReachability of B in TWO iterations: A(c, d)∧T (c, d , c′, d ′)∧T (c′, d ′, c′′, d ′′)→B(c′′, d ′′)

while (c < N) do

c := c + 1;d := d + 1

end do

I(c′,d ′) ≡ (∀k)0 ≤ k < c′ → C[k ] = D[k ]

I(c′′,d ′′) ≡ (∀k)0 ≤ k < c′′ → C[k ] = D[k ]

Taks: Compute interpolant I(c′′, d ′′) implying invariant in any state.

Outline

Conclusions

Symbol Elimination and Interpolation

What is an Interpolant?

Computing InterpolantsI Local DerivationsI Symbol EliminationsI Building Interpolants from Proof

Summary: Invariants, Symbol Elimination, Interpolants

Notation

I First-order predicate logic with equality.

I >: always true,⊥: always false.

I ∀A: universal closure of A.

I Symbols:I predicate symbols;I function symbols;I constants.

Equality is part of the language→ equality is not a symbol.

I LA: the language of A: the set of all formulas built from thesymbols occurring in A.

Let A,B be closed formulas such that A→ B.

Theorem (Craig’s Interpolation Theorem)There exists a closed formula I ∈ LA ∩ LB such that

A→ I and I → B.

I is an interpolant of A and B.

Note: if A and B are ground, they also have a ground interpolant.

Let A,B be closed formulas such that A→ B.

Theorem (Craig’s Interpolation Theorem)There exists a closed formula I ∈ LA ∩ LB such that

A→ I and I → B.

I is an interpolant of A and B.

Reverse interpolant of A and B: any formula I such that

A→ I and I,¬B → ⊥.

Interpolation with Theories

I Theory T : any set of closed formulas.I C1, . . . ,Cn →T C means that the formula C1 ∧ . . . ∧ C1 → C holds in all

models of T .I Interpreted symbols: symbols occurring in T .I Uninterpreted symbols: all other symbols.

TheoremLet A,B be formulas and let A→T B.

Then there exists a formula I such that1. A→T I and I → B;2. every uninterpreted symbol of I occurs both in A and B;3. every interpreted symbol of I occurs in B.

Likewise, there exists a formula I such that

1. A → I and I →T B;

2. every uninterpreted symbol of I occurs both in A and B;

3. every interpreted symbol of I occurs in A.

Interpolation with Theories

I Theory T : any set of closed formulas.I C1, . . . ,Cn →T C means that the formula C1 ∧ . . . ∧ C1 → C holds in all

models of T .I Interpreted symbols: symbols occurring in T .I Uninterpreted symbols: all other symbols.

TheoremLet A,B be formulas and let A→T B.

Then there exists a formula I such that1. A→T I and I → B;2. every uninterpreted symbol of I occurs both in A and B;3. every interpreted symbol of I occurs in B.

Likewise, there exists a formula I such that

1. A → I and I →T B;

2. every uninterpreted symbol of I occurs both in A and B;

3. every interpreted symbol of I occurs in A.

Computing Interpolants using Inference Systems

I Inference Rule:A1 . . . An

I Inference system: a set of inference rules.I Axiom: an inference rule with 0 premises.I Derivation of A: tree with the root A built from inferences.

Interpolants and Local AB-Derivations

AB-derivationLet L = LA ∩ LB.

A derivation Π is an AB-derivation if

(AB1) For every leaf C of Π one of following conditions holds:1. A→T ∀C and C ∈ LA or2. B →T ∀C and C ∈ LB.

(AB2) For every inference

C1 . . . Cn

of Π we have ∀C1, . . . ,∀Cn →T ∀C.

We will refer to property (AB2) as soundness.

Interpolants and Local AB-Derivations

C1 . . . Cn

This inference is local if the following two conditions hold:

(L1) Either {C1, . . . ,Cn,C} ⊆ LA or {C1, . . . ,Cn,C} ⊆ LB.(L2) If all of the formulas C1, . . . ,Cn are colorless, then C is

colorless, too.

A derivation is called local if so is every inference of this derivation.

Shape of local derivations for A→ B

Local Derivations: Example A→ B

[demo]

I A := ∀x(x = c)

I B := a = bI Universal interpolant I: ∀x∀y(x = y)

A local refutation of in the superposition calculus:

x = c y = cx = y a 6= b

y 6= b⊥

Local Derivations: Example A→ B

[demo]

I A := ∀x(x = c)

I B := a = bI Universal interpolant I: ∀x∀y(x = y)

A local refutation of in the superposition calculus:

x = c y = cx = y a 6= b

y 6= b⊥

Interpolants and Symbol Eliminating Inference

I At least one of the premises colored.I The conclusion is not colored.

x = c y = cx = y a 6= b

y 6= b⊥

Interpolant ∀x∀y(x = y): conclusion of a symbol-eliminating inference.

Interpolants and Symbol Eliminating Inference

I At least one of the premises colored.I The conclusion is not colored.

x = c y = cx = y a 6= b

y 6= b⊥

Interpolant ∀x∀y(x = y): conclusion of a symbol-eliminating inference.

Extracting Interpolants from Local Proofs

Theorem (CADE’09)Let Π be a closed local AB-refutation.

Then:I A reverse interpolant I of A and B can be extracted from Π in linear time.I I is ground if all formulas in Π are ground.I I is a boolean combination of conclusions of symbol-eliminating

inferences of Π.

NOTE:I No restriction on the calculus (only soundness required)

– can be used with theories.I Can generate interpolants in theories where no good interpolation

algorithms exist.I Shift of interest: what matters are symbol-eliminating inferences.

inferences of Π.

Building Interpolants from Proofs

I Problem: generation of proofs giving interpolants.I Idea 1: look for local refutations only;I Idea 2: find calculi that guarantee that local proofs exist.

I LASCA: Superposition + Linear Arithmetic;I Separating orderings (colored symbols are the greatest).

Theorem (CADE’09)

If � is separating, then every AB-derivation in LASCA is local.

First-order interpolation implemented in Vampire.

Theorem (CADE’09)

Formulas Coloring Reverse InterpolantL : z < 0 ∧ x ≤ z ∧ y ≤ xR : y ≤ 0 ∧ x + y ≥ 0

left: zright: - y ≤ x ∧ x < 0

L : g(a) = c + 5 ∧ f (g(a)) ≥ c + 1R : h(b) = d + 4 ∧ d = c + 1 ∧ f (h(b)) < c + 1

left: g, aright: h, b c + 1 ≤ f (c + 5)

L : p ≤ c ∧ c ≤ q ∧ f (c) = 1R : q ≤ d ∧ d ≤ p ∧ f (d) = 0

left: cright: d p ≤ q ∧ (q > p ∨ f (p) = 1)

L : f (x1) + x2 = x3 ∧ f (y1) + y2 = y3 ∧ y1 ≤ x1R : x2 = g(b) ∧ y2 = g(b) ∧ x1 ≤ y1 ∧ x3 < y3

left: fright: g, b x1 > y1 ∨ x2 6= y2 ∨ x3 = y3

L : c2 = car(c1) ∧ c3 = cdr(c1) ∧ ¬(atom(c1))R : c1 6= cons(c2, c3)

left: car, consright: - ¬atom(c1) ∧ c1 = cons(c2, c3)

L : Q(f (a))∧ 6= Q(f (b))R : f (V ) = c

left: Q, a, bright: c ∃x, y : f (x) 6= f (y)

L : a = c ∧ f (c) = aR : c = b∧ 6= (b = f (c))

left: aright: b c = f (c)

L : True ∧ a′ [x′ ] = y ∧ x′ = x ∧ y′ = y + 1 ∧ z′ = x′

R : ¬(y′ = a′ [z′ ] + 1)left: x, yright: - 1 + a′ [x′ ] = y′ ∧ x′ = z′

Table : Interpolation with Vampire, within 1 second time limit.

Conclusions

Interpolation Through Colors in Vampire

I There are three colors: blue, red and green.

I Each symbol (function or predicate) is colored in exactly one ofthese colors.

I We have two formulas: A and B.I Each symbol in A is either blue or green.I Each symbol in B is either red or green.I We know that→ A→ B.I Our goal is to find a green formula I such that

1. → A→ I;2. → I → B.

I There are three colors: blue, red and green.I Each symbol (function or predicate) is colored in exactly one of

these colors.

I We have two formulas: A and B.I Each symbol in A is either blue or green.I Each symbol in B is either red or green.I We know that→ A→ B.I Our goal is to find a green formula I such that

1. → A→ I;2. → I → B.

these colors.I We have two formulas: A and B.I Each symbol in A is either blue or green.I Each symbol in B is either red or green.

I We know that→ A→ B.I Our goal is to find a green formula I such that

1. → A→ I;2. → I → B.

these colors.I We have two formulas: A and B.I Each symbol in A is either blue or green.I Each symbol in B is either red or green.I We know that→ A→ B.I Our goal is to find a green formula I such that

1. → A→ I;2. → I → B.

Interpolation Example in Vampire

fof(fA,axiom, q(f(a)) & ˜q(f(b)) ).fof(fB,conjecture, ?[V]: V != c).

Interpolation Example in Vampire

% request to generate an interpolantvampire(option,show_interpolant,on).% symbol coloringvampire(symbol,predicate,q,1,left).vampire(symbol,function,f,1,left).vampire(symbol,function,a,0,left).vampire(symbol,function,b,0,left).vampire(symbol,function,c,0,right).% formula Lvampire(left_formula).

fof(fA,axiom, q(f(a)) & ˜q(f(b)) ).vampire(end_formula).% formula Rvampire(right_formula).

fof(fB,conjecture, ?[V]: V != c).vampire(end_formula).

Conclusions

Given: a problem (an interpolation problem)Generate: a formula (an interpolant)

which is small

-1 + a + -a = -1 ∧∀x(¬(x ≤ 5) ∨ -6 + x ≤ -1) ∧-(-1 + -1 + a) = -1 ∧∀x((1 ≤ x + --(-1 + a) ∨ ¬(-1 ≤ x))) ∧(a ≤ 6 ∨ 1 ≤ a + -1) ∧∀x(¬(-1 ≤ x) ∨ ¬(x ≤ -2)) ∧∀x(-1 ≤ x + -a ∨ ¬(-1 + a ≤ x)) ∧∀x(-1 + x = 1 + -2 + x) ∧-a + -1 + a = -1 ∧∀x(¬(--(-1 + a) ≤ x) ∨ 1 ≤ x + -1) ∧∀x((¬(x ≤ 4) ∨ -5 + x ≤ -1)) ∧∀x(x + -3 ≤ -1 ∨ ¬(x ≤ 2)) ∧∀x(¬(x ≤ 3) ∨ -4 + x ≤ -1) ∧∀x(x + -a ≤ -1 ∨ ¬(x ≤ -1 + a)) ∧∀x(-1 + x = -1 + -1 + a + -(-1 + a) + x) ∧6 ≤ b

¬(a ≤ 6) ∧-a ≤ -1 ∧¬(-1 ≤ -a) ∧a = 3 ∧1 ≤ -1 + a ∧¬(2 + a ≤ 6) ∧¬(-1 + a ≤ 1) ∧(a 6= 6 ∨ ¬(b ≤ 6))

What is a good interpolant?

I logical strength [Jhala07, D’Silva09, McMillan08];I small size [Kroening10, Brillout11, Griggio11].

Given: a problem (an interpolation problem)Generate: a formula (an interpolant)

which is small

¬(a ≤ 6) ∧-a ≤ -1 ∧¬(-1 ≤ -a) ∧a = 3 ∧1 ≤ -1 + a ∧¬(2 + a ≤ 6) ∧¬(-1 + a ≤ 1) ∧(a 6= 6 ∨ ¬(b ≤ 6))

Given: a problem (an interpolation problem)Generate: a formula (an interpolant) which is small

¬(a ≤ 6) ∧-a ≤ -1 ∧¬(-1 ≤ -a) ∧a = 3 ∧1 ≤ -1 + a ∧¬(2 + a ≤ 6) ∧¬(-1 + a ≤ 1) ∧(a 6= 6 ∨ ¬(b ≤ 6))

Given: a problem (an interpolation problem)Generate: a formula (an interpolant) which is small

¬(a ≤ 6) ∧-a ≤ -1 ∧¬(-1 ≤ -a) ∧a = 3 ∧1 ≤ -1 + a ∧¬(2 + a ≤ 6) ∧¬(-1 + a ≤ 1) ∧(a 6= 6 ∨ ¬(b ≤ 6))

How to Make Interpolants Smaller/Nicer?

I in size;I in weight;I in the number of quantifiers;I . . .

Revised Interpolation Problem:

Given→ R → B, find a green formula I:

� → R → I;

� → I → B;

� I is small.

I in size;I in weight;I in the number of quantifiers;I . . .

Revised Interpolation Problem:

Given→ R → B, find a green formula I:

� → R → I;

� → I → B;

� I is small.

G is in the digest:

- comes from a red block

- followed by a blue or green block

- comes from a blue block

- followed by a red

Digest

Interpolant: boolean combination of {G1, . . . ,G4}[McMillan05, KV09]

G is in the digest:

- followed by a red

Digest

Interpolant: boolean combination of {G1, . . . ,G4}[McMillan05, KV09]

G is in the digest:

- followed by a red

Digest

Interpolant: boolean combination of {G1, . . . ,G4}

[McMillan05, KV09]

G is in the digest:

- followed by a red

Digest

[McMillan05, KV09]

G is in the digest:

- followed by a red

Digest

[McMillan05, KV09]

Task: minimise interpolants = minimise digest

Idea: Change the green areas of the local proof

, but preserve locality!

Slicing off formulas

A1 · · · An

An+1 · · · Am

AA0 −→slicing off A

A1 · · · An An+1 · · · Am

If A is green: Green slicing

A1 · · · An

An+1 · · · Am

AA0 −→slicing off A

A1 · · · An An+1 · · · Am

G0 −→slicing off G1

Idea: Change the green areas of the local proof, but preserve locality!

G0 −→slicing off G1

Digest:

Reverse interpolant:Note that the interpolant has changed from G4 → G7 to ¬G6.

I There is no obvious logical relation between G4 → G7 and ¬G6,for example none of these formulas implies the other one;

I These formulas may even have no common atoms or nocommon symbols.

Digest: {G4,G7}

Reverse interpolant: G4 → G7

Note that the interpolant has changed from G4 → G7 to ¬G6.

Digest:

Digest: {G5,G7}

Digest:

Digest: {G6,G7}

Digest:

Digest: {G6}

Reverse interpolant: ¬G6

Digest:

Reverse interpolant:

Digest:

Reverse interpolant:

If green slicing gives us very different interpolants, we can use it forfinding small interpolants.

Problem: if the proof contains n green formulas, the number ofpossible different slicing off transformations is 2n.

If green slicing gives us very different interpolants, we can use it forfinding small interpolants.

Problem: if the proof contains n green formulas, the number ofpossible different slicing off transformations is 2n.

How to Make Interpolants Smaller/Nicer?Solution:

I encode all sequences of transformations as an instance of SATI solutions encode all slicing off transformations

G3, and at most one of G1,G2 can be sliced off.

¬sliced(G1)→ Green(G1)

sliced(G1)→ red(G1)

sliced(G3)→ (Green(G3)↔ Green(G1) ∧Green(G2))

sliced(G3)→ (red(G3)↔ red(G1) ∨ red(G2))

sliced(G3)→ (blue(G3)↔ blue(G1) ∨ blue(G2))

digest(G1)→ ¬sliced(G1)

· · ·digest(G3)↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))

rc(G3)↔ (¬sliced(G3) ∧ (red(G1) ∨ red(G2))

· · ·

Some predicates on green for-mulas:

I sliced(G): G was slicedoff;

I red(G): the trace of Gcontains a red formula;

I blue(G): the trace of Gcontains a blue formula;

I green(G): the trace of Gcontains only greenformulas;

I digest(G): G belongs tothe digest.

· · ·

digest(G3)↔ (rc(G3) ∧ rf(G3)) ∨ (bc(G3) ∧ bf(G3))

· · ·

Express digest(G)

by considering the possibilities:

I G comes from ared/ blue/green formula

rc(G)/bc(G)

I G is followed by ared/ blue/green formula

bf(G)/rf(G)

· · ·

Express digest(G)

rc(G)/bc(G)

I G is followed by ared/ blue/green formula

bf(G)/rf(G)

· · ·

Express digest(G)

rc(G)/bc(G)

I G is followed by ared/ blue/green formulabf(G)/rf(G)

· · ·

Express digest(G)

rc(G)/bc(G)

· · ·

Express digest(G)

rc(G)/bc(G)

· · ·

Express digest(G)

rc(G)/bc(G)

· · ·

I encode all sequences of transformations as an instance of SAT;

I solutions encode all slicing off transformations;

I compute small interpolants: smallest digest of green formulas;

min{Gi1 ,...,Gin}

(∑Gi

digest(Gi ))

min{Gi1 ,...,Gin}

(∑Gi

quantifier number(Gi) digest(Gi ))

I use a pseudo-boolean optimisation tool or an SMT solver tominimise interpolants;

I minimising interpolants is an NP-complete problem.

min{Gi1 ,...,Gin}

(∑Gi

digest(Gi ))

min{Gi1 ,...,Gin}

(∑Gi

min{Gi1 ,...,Gin}

(∑Gi

digest(Gi ))

min{Gi1 ,...,Gin}

(∑Gi

min{Gi1 ,...,Gin}

(∑Gi

digest(Gi ))

min{Gi1 ,...,Gin}

(∑Gi

min{Gi1 ,...,Gin}

(∑Gi

digest(Gi ))

min{Gi1 ,...,Gin}

(∑Gi

Experiments with Minimising Interpolants

I Experimental results:

I 9632 first-order examples from the TPTP library:

for example, for 2000 problems the size of the interpolants became20-49 times smaller;

I 4347 SMT examples:

I we used Z3 for proving SMT examples;I Z3 proofs were localised in Vampire;I minimal interpolants were generated for 2123 SMT examples.

I Experimental results:

I 9632 first-order examples from the TPTP library:

for example, for 2000 problems the size of the interpolants became20-49 times smaller;

I 4347 SMT examples:

I we used Z3 for proving SMT examples;I Z3 proofs were localised in Vampire;I minimal interpolants were generated for 2123 SMT examples.

I More realistic benchmarks:

I 4048 problems coming from CPAchecker;

I we used Vampire to generate local proofs;I minimal interpolants were generated for 1903 CPAchecker

examples:I for 296 examples the size of the interpolant has decreased by a factor

of 5;I for 6 examples the size of the interpolant has decreased by a factor

of 500.

Conclusions

Summary: Invariant Generation, Interpolation, Symbol Elimination

Given the proof obligation A→ B:

1. Run a theorem prover andeliminate extra symbols;

2. Generate a (reverse)interpolant from a refutation;

3. Interpolant is a booleancombination of consequencesof symbol-eliminatinginferences.

Given a loop:

1. Express loop properties in alanguage containing extra symbols;

2. Every logical consequence of theseproperties is a valid loop property, butnot an invariant;

3. Run a theorem prover for eliminatingextra symbols;

4. Every derived formula in the languageof the loop is a loop invariant;

5. Invariants are consequences ofsymbol-eliminating inferences.

Summary: Invariant Generation, Interpolation, Symbol Elimination

Given the proof obligation A→ B:

1. Run a theorem prover andeliminate extra symbols;

2. Generate a (reverse)interpolant from a refutation;

3. Interpolant is a booleancombination of consequencesof symbol-eliminatinginferences.

Given a loop:

1. Express loop properties in alanguage containing extra symbols;

2. Every logical consequence of theseproperties is a valid loop property, butnot an invariant;

3. Run a theorem prover for eliminatingextra symbols;

4. Every derived formula in the languageof the loop is a loop invariant;

5. Invariants are consequences ofsymbol-eliminating inferences.

End of Session 4

Slides for session 4 ended here . . .

2em symbolic computation and theorem proving … › ... › slides › kovacs4.pdfsymbolic...

Documents