Nikolaj Bjørner Microsoft Research Based on joint work with Kryštof Hoder, Ken McMillan, Leonardo de Moura, Andrey Rybalchenko.

Many custom solvers:
- Free functions
- Linear arithmetic
- Bit-vectors
- Algebraic data-types
- Arrays
- Polynomials
- Quantifiers
Several applications: analysis, testing, …
Leonardo de Moura, Bjørner, Christoph Wintersteiger; from http://rise4fun.com/z3
[Diagram: the Z3 engine (API, Simplifier, Arrays, Bit-vectors, Arithmetic, Quantifier instantiation, Cores, Models, Proofs, Quantifier elimination) surrounded by client tools (SLAyer, SAGE, Isabelle, HOL4, GateKeeper, Houdini, Havoc, Poirot, Corral) and methodologies (separation logic, simulation relations, fixed-point summaries, abstract interpretation, logic programming, predicate-based model checking, BDD model checking, abstraction refinement, Datalog, interpolating model checking, points-to analysis, contract checking, symbolic software checking).]
µZ, the fixed-point engine: Property Directed Reachability solver; Datalog + relational domains; services for other solvers (quantifier elimination, fold-unfold simplification).
µZ: portfolio of solvers and services for fixed-points:
- Bottom-up Datalog Engine
  - Finite Tables (e.g., Hash-tables, B-Trees)
  - Symbolic Tables (e.g., BDDs)
  - Composition of Relations: abstract interpretation domains, reduced products
- Symbolic Software Checking Engine Modulo Theories
  - Generalized Property Directed Reachability Modulo Arithmetic [Hoder, Bjørner, SAT 2012]
Recursive predicates: some “anecdotal” experience, expressed as Horn clauses + query:
- GateKeeper: points-to analysis (sparse hash-tables), Magnus Madsen
- KOP2 database (using magic sets)
- DKAL (encoding Primal Infon Logic) [Hoder, Bjørner, de Moura, CAV 2011]
- Contract checking
- Bebop benchmarks (evaluate PDR generalized to PDA)
- Corral samples (evaluate PDR)
The McCarthy 91 function with an assertion:
  mc(x) = x − 10           if x > 100
  mc(x) = mc(mc(x + 11))   if x ≤ 100
  assert (mc(x) ≥ 91)
Formulate as Horn clauses:
$\forall X.\ X > 100 \Rightarrow mc(X, X - 10)$
$\forall X, Y, R.\ X \le 100 \wedge mc(X + 11, Y) \wedge mc(Y, R) \Rightarrow mc(X, R)$
$\forall X, R.\ mc(X, R) \Rightarrow R \ge 91$
Solve for mc.
Formulate as a predicate transformer:
$F(mc)(X, R) = (X > 100 \wedge R = X - 10) \vee (X \le 100 \wedge \exists Y.\ mc(X + 11, Y) \wedge mc(Y, R))$
Check: $\mu F(mc)(X, R) \rightarrow R \ge 91$.
Instead of computing $\mu F(mc)(X, R)$ and then checking $\mu F(mc)(X, R) \rightarrow R \ge 91$, it suffices to find a post-fixed point $mc_{post}$ satisfying:
$\forall X, R.\ F(mc_{post})(X, R) \rightarrow mc_{post}(X, R)$
$\forall X, R.\ mc_{post}(X, R) \rightarrow R \ge 91$
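As an added worked example (not from the slides), the following Python checks the two post-fixed-point conditions above for candidate solutions of the mc clauses; the integer window, the three candidates and the helper names are my assumptions, and an exhaustive check over a finite window illustrates the conditions rather than proving them.

```python
from typing import Callable, Set

# Added example, not from the slides: bounded check that a candidate
# relation mc_post is a post-fixed point of F and implies R >= 91.
# A candidate is a function X -> {R | mc_post(X, R)}; the quantifiers
# range over the constructed window [LO, HI] only, so a True result
# illustrates the conditions rather than proving them.
LO, HI = -20, 130
Cand = Callable[[int], Set[int]]

def check_post_fixed_point(cand: Cand) -> bool:
    """forall X, R. F(mc_post)(X, R) -> mc_post(X, R) on the window."""
    for x in range(LO, HI + 1):
        if x > 100:
            # clause 1: X > 100 -> mc(X, X - 10)
            if x - 10 not in cand(x):
                return False
        else:
            # clause 2: X <= 100 /\ mc(X + 11, Y) /\ mc(Y, R) -> mc(X, R)
            for y in cand(x + 11):
                for r in cand(y):
                    if r not in cand(x):
                        return False
    return True

def check_safe(cand: Cand) -> bool:
    """forall X, R. mc_post(X, R) -> R >= 91 on the window."""
    return all(r >= 91 for x in range(LO, HI + 1) for r in cand(x))

def solves(cand: Cand) -> bool:
    """A solution of the Horn clauses must satisfy both conditions."""
    return check_post_fixed_point(cand) and check_safe(cand)

# Candidate 1: the graph of the function itself (mc(X) = 91 for X <= 100).
def mc_exact(x: int) -> Set[int]:
    return {x - 10} if x > 100 else {91}

# Candidate 2: the weakest solution, the property R >= 91 itself.
def mc_coarse(x: int) -> Set[int]:
    return set(range(91, HI + 1))

# Candidate 3: too strong; clause 1 fails at X = 101 (R = 91 is missing).
def mc_wrong(x: int) -> Set[int]:
    return set(range(92, HI + 1))

if __name__ == "__main__":
    for name, cand in [("exact", mc_exact), ("coarse", mc_coarse), ("wrong", mc_wrong)]:
        print(name, solves(cand))
```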
Program Verification (Safety) as solving least fixed-points as satisfiability of Horn clauses [Bjørner, McMillan, Rybalchenko, SMT workshop 2012]
Hilbert Sausage Factory: [Grebenshchikov, Lopes, Popeea, Rybalchenko et al., PLDI 2012]
Should really not be a surprise:
- 90’s Program Analyses using Datalog
- Existential Fixedpoint Logic for Hoare Logic [Blass, Gurevich]
- Inductionless induction, …
Under-appreciated:
- Many language-specific tools using custom analysis
- “.. but there has to be a catch” [FOL < FOL+Transitivity]
- A flurry of recent progress on modern Symbolic Model Checking tools/algorithms.
Claim: they are all strategies for Horn Clause satisfiability.
The Quest: Horn Clause Satisfiability
[Diagram: three tool-chain views. HAVOC and Dafny take a program annotated with inductive invariants and produce a verification condition. Houdini, HAVOC, Corral and Dafny take a program only partially annotated with inductive invariants, using slicing and inductive variable selection to reach a verification condition. In the Horn clause view, HAVOC, Dafny, Why and LLVM front-ends take a partially annotated program and emit Horn clauses, to be solved by Kind, Leon, Aligator, Synergy, HSF, UFO, Duality, MCMT, SAFARI, IC3, …]
Verification Condition Generators can already produce Horn Clauses.
[Diagram: verifying procedure calls, with summaries as commands.]
Multi-threaded programs [Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs, Gupta, Popeea, Rybalchenko, POPL 2011]:
- $Init$: initial condition
- $Safe$: safety assertion
- $\rho_i(X_i, Y, X_i', Y')$: transition relation of process $i$
- $R_i(X_i, Y)$: summary of process $i$
- $E_i(Y, Y')$: summary of process $i$'s environment
$Init \Rightarrow R_i(X_i, Y)$
$R_i(X_i, Y) \wedge \rho_i(X_i, Y, X_i', Y') \Rightarrow R_i(X_i', Y')$
$R_i(X_i, Y) \wedge E_i(Y, Y') \Rightarrow R_i(X_i, Y')$
$R_i(X_i, Y) \wedge \rho_i(X_i, Y, X_i', Y') \Rightarrow E_j(Y, Y')$ for $j \ne i$
$R_1(X_1) \wedge \cdots \wedge R_N(X_N) \Rightarrow Safe$
Subtyping of refined function types:
$\Gamma \vdash \{x{:}\tau \mid P(x)\} \rightarrow \{y{:}\sigma \mid Q(x, y)\} \prec \{x{:}\tau \mid P'(x)\} \rightarrow \{y{:}\sigma \mid Q'(x, y)\}$
Extract sufficient Horn conditions:
$\Gamma \wedge P'(x) \Rightarrow P(x)$
$\Gamma \wedge P'(x) \wedge Q(x, y) \Rightarrow Q'(x, y)$
In a nutshell, solving partial correctness amounts to checking the truth value of formulas of the form:
$\exists P.\ \forall x.\ P_i(x) \wedge P_j(x) \wedge \phi(x) \Rightarrow P_k(x)$
E.g., satisfiability of: $\forall x.\ P_i(x) \wedge P_j(x) \wedge \phi(x) \Rightarrow P_k(x)$
Handling background axioms:
$\forall R, f.\ Background(R, f) \Rightarrow \exists P.\ \forall x.\ P_i(x) \wedge P_j(x) \wedge \phi(R, f, x) \Rightarrow P_k(x)$
Remark: Abductive Logic Programming amounts to symbolic simulation:
- $Program + Abducibles \models \exists ans.\ Query(ans)$
- $Abducibles + Integrity\ Constraints$ is consistent
E.g., solve for the negation of the above formula:
$\exists Ab.\ IC(Ab) \wedge (\forall P.\ Program(Ab, P) \rightarrow \exists ans.\ Query(ans, Ab, P))$
PDR (aka IC3): Property Directed Reachability algorithm
Breakthrough in Symbolic Model Checking of Hardware [Aaron Bradley, VMCAI 2011]
Original algorithm vs. beyond:
- Formulation. Original: algorithm description in code; tough to digest. Beyond: a rule + strategy description could help deconstruct the steps; decomposes the main steps into a transition system ÷ priority queue.
- Applies to. Original: hardware (finite state automata). Beyond: software has procedure calls; procedures, regular push-down systems.
- Logic. Original: propositional, for finite state systems. Beyond: open question what it meant to incorporate infinite state systems (= theories): linear real arithmetic, timed automata, decision procedures, interpolants from models [Hoder & Bjørner, SAT 2012].
Objective is to solve for $R$ such that, for all $X$:
$F(R)(X) \rightarrow R(X)$
$R(X) \rightarrow Safe(X)$
Elements of PDR encoded as transitions:
- Over-approximate reachable states: $R_0 := F(false),\ R_1 \rightarrow R_2 \rightarrow \cdots \rightarrow R_N$
- Search for counter-examples to $Safe$
- Resolve and propagate conflicts
[Diagram: PDR as a sequence of frames $R_0, R_1, \ldots$, each with $F(R_i)$ below $R_{i+1}$ and $S$ (the safety property) above; arrows denote implications. The main invariant relates $R_i$, $F(R_i)$, $R_{i+1}$ and $S$.]
The animation steps, in order:
- Initialize: $R_0 := F(false)$, $R_1 := true$.
- Search for over-approximations of states. Initially $N = 0$; start with $R_0 := F(false)$. Is $R_0 \Rightarrow S$ valid?
- Unfold to the next level if $R_0 \Rightarrow S$: $R_1 := true$. The main invariant is established for $N = 1$.
- Model candidate when $R_1 \wedge \neg S$ is SAT with model $M$ ($M \models R_1 \wedge \neg S$).
- Conflict when $F(R_0) \Rightarrow \varphi$ and $\varphi \Rightarrow \neg M$ are valid, for some $\neg\varphi \subseteq M$: $R_1 := R_1 \wedge \varphi$.
- Unfold to the next level if $R_1 \Rightarrow S$: $R_2 := true$. Etc.
- $R_2$ is a post-fixed point and $R_2$ implies $S$: the formula is valid if $R_3 \Rightarrow R_2$.
- Induction when $F(R_2 \wedge \varphi) \Rightarrow \varphi$: by monotonicity of $F$, $\varphi$ is pushed into every frame, giving $R_3 \wedge \varphi$, $R_2 \wedge \varphi$, $R_1 \wedge \varphi$, $R_0 \wedge \varphi$ and correspondingly $F(R_1 \wedge \varphi)$, $F(R_0 \wedge \varphi)$.
- Decide the next unfolding of the model, backwards: $M \models R_3 \wedge \neg S$; $M, M' \models F(R_2)$; $M, M', M'' \models F(R_1)$.
Recall: $F(mc)(X, R) = (X > 100 \wedge R = X - 10) \vee (X \le 100 \wedge \exists Y.\ mc(X + 11, Y) \wedge mc(Y, R))$
Is $mc(X, R) \wedge R < 91$ feasible?
Start with the summary $mc(Y, R) := true$.
Is $true \wedge R < 91$ feasible? Yes, e.g., $R = 90 \models R < 91$.
Is $R = 90$ reachable (in $\mu F(mc)$)?
[Diagram: backwards unfolding of the candidate $R = 90$. Constraints along the branches: $X = 91 \wedge R = 90$, $X = 98 \wedge R = 91$, $X = 109$, $X = 99$, $X = 102$, $X = 92$, $R = 99$, $R = 91$, $R = 92$, $R = 90$, …. Concrete evaluation shown alongside: $M(87) = M(M(98)) = M(M(M(109))) = M(M(99)) = M(M(M(110))) = M(M(100)) = M(M(M(111))) = M(M(101)) = M(91) = M(M(102)) = M(92) = M(M(103)) = M(93) = \ldots$]
Benchmarks from the SLAM research toolkit.
Checking against $R_1, R_2, \ldots, R_N$ controls depth, but gives a potentially wide tree.
Our approach: build a DAG by sharing states. Sharing is cheap; even no sharing works on Bebop.
Initial states: $R(0, 0, 0, 0)$.
Reachable states: $T(L, M, Y_1, Y_2, L', M', Y_1', Y_2') \wedge R(L, M, Y_1, Y_2) \Rightarrow R(L', M', Y_1', Y_2')$
Is the unsafe state reachable? $R(2, 2, Y_1, Y_2) \Rightarrow false$
P1 takes a step: $Step(L, L', Y_1, Y_2, Y_1') \Rightarrow T(L, M, Y_1, Y_2, L', M, Y_1', Y_2)$
P2 takes a step: $Step(M, M', Y_2, Y_1, Y_2') \Rightarrow T(L, M, Y_1, Y_2, L, M', Y_1, Y_2')$
$Step(0, 1, Y_1, Y_2, Y_2 + 1)$
$(Y_1 \le Y_2 \vee Y_2 = 0) \Rightarrow Step(1, 2, Y_1, Y_2, Y_1)$
$Step(2, 3, Y_1, Y_2, Y_1)$
$Step(3, 0, Y_1, Y_2, 0)$
The program of process P1 (P2 is symmetric, with $y_1$ and $y_2$ swapped):
$\ell_0: y_1 := y_2 + 1;\ goto\ \ell_1$
$\ell_1: await\ (y_2 = 0 \vee y_1 \le y_2);\ goto\ \ell_2$
$\ell_2: critical;\ goto\ \ell_3$
$\ell_3: y_1 := 0;\ goto\ \ell_0$
[Diagram: forward images $I, F(I), F^2(I)$ meet backward images $B^2(\neg S), B(\neg S), \neg S$.]
[Diagram: conflict propagation and conflict resolution along the trace $(L = 0, M = 0, Y_1 = 0, Y_2 = 0) \rightarrow (L = 1, M = 1, Y_1 = 1, Y_2 = 0) \rightarrow (L = 0, M = 1, Y_2 = 0) \rightarrow (L = 1, M = 2, Y_2 = 0) \rightarrow (L = 2, M = 2)$.
Conflict: $Y_2 \ge Y_1 + 1 \wedge Y_1 \ge 0 \wedge Y_2 \le 0$. Resolution: $Y_2 \ge 1 \wedge Y_2 \le 0$.
Get the generalization from Farkas' lemma, e.g., resolve away the (blue) internal variables: $L = 1 \wedge M = 1 \rightarrow Y_2 \ge 1$ and $Y_1 = 1 \rightarrow Y_2 \ge 1$, contradicting $Y_2 = 0$; after propagation, $L = 0 \wedge M = 1 \rightarrow Y_2 \ge 1$ against $Y_2 = 0$.]
Can we satisfy?
Initial states: $R(0, 0, 0, 0)$.
Reachable states: $T(L, M, Y_1, Y_2, L', M', Y_1', Y_2') \wedge R(L, M, Y_1, Y_2) \Rightarrow R(L', M', Y_1', Y_2')$
Unsafe state is unreachable: $R(L, M, Y_1, Y_2) \Rightarrow \neg(L = 2 \wedge M = 2)$.
E.g., there is an unsat core of $M \wedge Pre$, where $M$ is the model $L = 0 \wedge M = 1 \wedge Y_2 = 0$ and $Pre$ is $F(R_0)$; in general $\bigwedge_j (c_j \le x_j \le c_j) \wedge F(R_i)$ is unsatisfiable.
The unsat proof uses T-lemmas, e.g.:
$5 > x_1 \vee 3 < x_3 \vee x_1 - x_2 > 2 \vee 2x_2 - x_3 > 1$
with $5 > x_1$ and $3 < x_3$ from $\neg Pre$, and $x_1 - x_2 > 2$ and $2x_2 - x_3 > 1$ from $\neg M$.
Farkas combination of the negated literals, with multipliers 2, 1, 2, 1:
$2 \cdot (-x_1 \le -5)$, $x_3 \le 3$, $2 \cdot (x_1 - x_2 \le 2)$, $2x_2 - x_3 \le 1$
$-2x_1 \le -10$
$x_3 \le 3$
$2x_1 - 2x_2 \le 4$
$2x_2 - x_3 \le 1$
Sum: $0 \le -2$.
The $\neg M$ rows alone sum to $2x_1 - x_3 \le 5$: block any model satisfying this.
Observation: PDR + model refinement using Farkas strengthening is a decision procedure for timed push-down systems.
Justification: every lemma produced is a sum of differences from the input, i.e., corresponds to an acyclic path in the difference graph, so only a finite set of Farkas lemmas is possible.
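As an added worked example (not from the slides), here is the Farkas combination from the T-lemma above in Python: each negated literal is scaled by its multiplier and the rows are summed, the full sum yields $0 \le -2$ (a conflict), and the $\neg M$ rows alone yield the generalization $2x_1 - x_3 \le 5$ that blocks any model satisfying it. The representation of inequalities as coefficient maps and the helper names are my own.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Added example, not from the slides. A linear inequality
#   sum_v coeffs[v] * v <= bound
# is the pair (coeffs, bound). The rows and multipliers below are the
# negated T-lemma literals from the slide, split by origin.
Ineq = Tuple[Dict[str, Fraction], Fraction]

def ineq(coeffs: Dict[str, int], bound: int) -> Ineq:
    return ({v: Fraction(a) for v, a in coeffs.items()}, Fraction(bound))

def farkas_combine(rows: List[Tuple[int, Ineq]]) -> Ineq:
    """Non-negative linear combination of inequalities (Farkas' lemma):
    the result is implied by the conjunction of the rows."""
    total: Dict[str, Fraction] = {}
    bound = Fraction(0)
    for mult, (coeffs, c) in rows:
        if mult < 0:
            raise ValueError("Farkas multipliers must be non-negative")
        for v, a in coeffs.items():
            total[v] = total.get(v, Fraction(0)) + mult * a
        bound += mult * c
    return ({v: a for v, a in total.items() if a != 0}, bound)

def is_conflict(e: Ineq) -> bool:
    """0 <= c with c < 0 means the rows are jointly infeasible."""
    coeffs, bound = e
    return not coeffs and bound < 0

def satisfies(model: Dict[str, int], e: Ineq) -> bool:
    coeffs, bound = e
    return sum(a * model.get(v, 0) for v, a in coeffs.items()) <= bound

# Negations of the literals labelled "From not-Pre": x1 >= 5 (times 2), x3 <= 3.
FROM_NOT_PRE = [(2, ineq({"x1": -1}, -5)), (1, ineq({"x3": 1}, 3))]
# Negations of the literals labelled "From not-M": x1 - x2 <= 2 (times 2),
# 2*x2 - x3 <= 1; these are the facts the model M satisfies.
FROM_NOT_M = [(2, ineq({"x1": 1, "x2": -1}, 2)),
              (1, ineq({"x2": 2, "x3": -1}, 1))]

def conflict() -> Ineq:
    """All four rows cancel every variable and leave 0 <= -2."""
    return farkas_combine(FROM_NOT_PRE + FROM_NOT_M)

def blocking_lemma() -> Ineq:
    """The not-M rows alone give 2*x1 - x3 <= 5; M satisfies it, and
    every model satisfying it is blocked."""
    return farkas_combine(FROM_NOT_M)
```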
Objective: synthesize an inductive invariant proving the property.
Reaching the objective with interpolants:
- Synthesize interpolants, use for proving invariants. Be admired.
- Synthesize interpolants, evaluate on random formulas. Admire them.
- Write papers about interpolants. Admire the theorems.
- Review papers about generating interpolants. Watch Kevin Bacon.
Reaching the objective with PDR: …. Nevertheless, interpolants sneak in.
Suppose $A \Rightarrow B$. A Craig interpolant is a formula $I$ with
$Lang(I) \subseteq Lang(A) \cap Lang(B)$, $A \Rightarrow I$, $I \Rightarrow B$.
Horn version. Establish satisfiability of:
$\forall x, y.\ A[x, y] \Rightarrow I(x)$,
$\forall x, z.\ I(x) \Rightarrow B[x, z]$
and find a solution for $I$.
Intermediary solutions:
$\forall X.\ F(false)(X) \rightarrow R_1(X)$,
$\forall X.\ F(R_1)(X) \rightarrow R_2(X)$,
$\forall X.\ F(R_2)(X) \rightarrow R_3(X)$,
$\forall X.\ R_3(X) \rightarrow Safe(X)$.
Observation: Farkas strengthening computes a “DAG interpolant” for LRA, i.e., it solves non-recursive Horn clauses.
The question is: Quantified Horn Clause Satisfiability Modulo Theories.
PDR Generalized:
- as an abstract Transition System
- for Horn Clause Satisfiability over the Theory of Arithmetic
- using Farkas to generalize failed counter-example traces
- Difference Logic: a Model Checking algorithm for Timed Automata
- Interpolants from Model refinements
- Propagate also properties for predicates (so far inefficient)
http://rise4fun.com/Z3Py/tutorial/fixedpoints
[Diagram: the µZ pipeline: Parser → Rule transformations (early preprocessing) → Rule normalization → Compilation → Execution (relational algebra abstract machine, with restarts and late preprocessing) → Results. Table backends: Hash-tables, BDDs, Bit-vectors, SMT relations, with $R \cup S \equiv R \vee S$, $\pi_x R \equiv \exists x.\ R$, $\delta_{x = a} R \equiv R \wedge x = a$; explanations and external tables. Abstractions: Bounds, Intervals, Pentagons; compositions: finite product, relation product.]