Quantified Invariant Generation using an Interpolating Saturation Prover - PowerPoint PPT Presentation

Quantified invariant generation using an interpolating saturation prover l.jpg
1 / 27

  • Uploaded on
  • Presentation posted in: General

Quantified Invariant Generation using an Interpolating Saturation Prover. Ken McMillan Cadence Research Labs. TexPoint fonts used in EMF: A A A A A. Introduction. Interpolants derived from proofs can provide an effective relevance heuristic for constructing inductive invariants

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Quantified Invariant Generation using an Interpolating Saturation Prover

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Quantified invariant generation using an interpolating saturation prover l.jpg

Quantified Invariant Generationusing anInterpolating Saturation Prover

Ken McMillan

Cadence Research Labs

TexPoint fonts used in EMF: AAAAA

Introduction l.jpg


  • Interpolants derived from proofs can provide an effective relevance heuristic for constructing inductive invariants

    • Provides a way of generalizing proofs about bounded behaviors to the unbounded case

      • Exploits a prover’s ability to focus on relevant facts

    • Used in various applications, including

      • Hardware verification (propositional case)

      • Predicate abstraction (quantifier-free)

      • Program verification (quantifier-free)

  • This talk

    • Moving to the first-order case, including FO(TC)

    • Modifying SPASS to create an interpolating FO prover

    • Apply to program verification with arrays, linked lists

Invariants from unwindings l.jpg


{x == y}

Invariants from unwindings

  • Consider this very simple approach:

    • Partially unwind a program into a loop-free, in-line program

    • Construct a Floyd/Hoare proof for the in-line program

    • See if this proof contains an inductive invariant proving the property

  • Example program:

x = y = 0;


x++; y++;

while(x != 0)

x--; y--;

assert (y == 0);

Unwind the loops l.jpg



x = y = 0;

x++; y++;

x++; y++;


x--; y--;


x--; y--;

[x == 0]

[y != 0]

{y = 0}

{x = 0 ^ y = 0}

{y = 1}

{x = y}

{y = 2}

{x = y}

Proof of inline program

contains invariants

for both loops

{y = 1}

{x = y}

{y = 0}

{x = 0 ) y = 0}



Unwind the loops

  • Assertions may diverge as we unwind

  • A practical method must somehow prevent this kind of divergence!

Interpolation lemma l.jpg

Interpolation Lemma


  • If A Ù B = false, there exists an interpolant A' for (A,B) such that:

    • A implies A’

    • A’ is inconsistent with B

    • A’ is expressed over the common vocabulary of A and B

A variety of techniques exist for deriving an interpolant from a refutation of A Ù B, generated by a theorem prover.

Interpolants as floyd hoare proofs l.jpg



x = y

x1= y0


1. Each formula implies the next











[x == y]





Proving in-line programs








Interpolants as Floyd-Hoare proofs

2. Each is over common symbols of prefix and suffix

3. Begins with true, ends with false

Need for quantified interpolants l.jpg


{8 x. 0 · x ^ x < i ) a[x] = x}

Need for quantified interpolants

  • Existing interpolating provers cannot produce quantified interpolants

  • Problem: how to prevent the number of quantifiers from diverging in the same way that constants diverge when we unwind the loops?

  • For linked structures we also require a theory of reachability (in effect, transitive closure)

for(i = 0; i < N; i++)

a[i] = i;

for(j = 0; j < N; j++)

assert a[j] = j;

Can we build an interpolating prover for full FOL

than that handles reachability, and avoids divergence?

Clausal provers l.jpg

Clausal provers

  • A clausal refutation prover takes a set of clauses and returns a proof of unsatisfiability (i.e., a refutation) if possible.

  • A prover is based on inference rules of this form:

P1 ... Pn


  • where P1 ... Pn are the premises and C the conclusion.

  • A typical inference rule is resolution, of which this is an instance:

p(a) p(U) ! q(U)


  • This was accomplished by unifying p(a) and P(U), then dropping the complementary literals.

Superposition calculus l.jpg

Superposition calculus

Modern FOL provers based on the superposition calculus

  • example superposition inference:

Q(a) P ! (a = c)

P ! Q(c)

  • this is just substitution of equals for equals

  • in practice this approach generates a lot of substitutions!

  • use reduction order to reduce number of inferences

Reduction orders l.jpg

Reduction orders

  • A reduction order  is:

    • a total, well founded order on ground terms

    • subterm property: f(a) Â a

    • monotonicity: a  b implies f(a)  f(b)

  • Example: Recursive Path Ordering (with Status) (RPOS)

    • start with a precedence on symbols: a  b  c  f

    • induces a reduction ordering on ground terms:

      f(f(a)  f(a)  a  f(b)  b  c  f

Ordering constraint l.jpg

These terms must be maximal in their clauses

Thm: Superposition with OC is complete for refutation in FOL with equality.

So how do we get interpolants from these proofs?

Ordering Constraint

  • Constrains rewrites to be “downward” in the reduction order:

Q(a) P ! (a = c)

P ! Q(c)

example: this inference only possible if a  c

Local proofs l.jpg

Local Proofs

  • A proof is local for a pair of clause sets (A,B) when every inference step uses only symbols from A or only symbols from B.

  • From a local refutation of (A,B), we can derive an interpolant for (A,B) in linear time.

  • This interpolant is a Boolean combination of formulas in the proof

Reduction orders and locality l.jpg



x = y

f(y) = d

f(x) = c

c d

Reduction orders and locality

  • A reduction order is oriented for (A,B) when:

    • s  t for every s L (B) and t 2L(B)

  • Intuition: rewriting eliminates first A variables, then B variables.

oriented: x y c d f

x = y f(x) = c ` f(y) = c


f(y) = c f(y) = d ` c = d

c = d c  d `?

Orientation is not enough l.jpg

Q(a) a = c



a = c

a = U ! Q(U)


Orientation is not enough

  • Local superposition gives only c=c.

  • Solution: replace non-local superposition with two inferences:




a = c

Q  a  b  c

b = c

: Q(b)

Second inference can be postponed until after resolving with : Q(b)

This “procrastination” step is an example of a reduction rule,

and preserves completeness.

Completeness of local inference l.jpg

Completeness of local inference

  • Thm: Local superposition with procrastination is complete for refutation of pairs (A,B) such that:

    • (A,B) has a universally quantified interpolant

    • The reduction order is oriented for (A,B)

  • This gives us a complete method for generation of universally quantified interpolants for arbitrary first-order formulas!

  • This is easily extensible to interpolants for sequences of formulas, hence we can use the method to generate Floyd/Hoare proofs for inline programs.

Avoiding divergence l.jpg

Avoiding Divergence

  • As argued earlier, we still need to prevent interpolants from diverging as we unwind the program further.

  • Idea: stratify the clause language

Example: Let Lk be the set of clauses with at most k variables and nesting depth at most k.

Note that each Lk is a finite language.

  • Stratified saturation prover:

    • Initially let k = 1

    • Restrict prover to generate only clauses in Lk

    • When prover saturates, increase k by one and continue

The stratified prover is complete, since every proof is contained

in some Lk.

Completeness for universal invariants l.jpg

Completeness for universal invariants

  • Lemma: For every safety program M with a 8 safety invariant, and every stratified saturation prover P, there exists an integer k such that P refutes every unwinding of M in Lk, provided:

    • The reduction ordering is oriented properly

  • This means that as we unwind further, eventually all the interpolants are contained in Lk, for some k.

  • Theorem: Under the above conditions, there is some unwinding of M for which the interpolants generated by P contain a safety invariant for M.

This means we have a complete procedure for finding universally quantified safety invariants whenever these exist!

In practice l.jpg

In practice

  • We have proved theoretical convergence. But does the procedure converge in practice in a reasonable time?

  • Modify SPASS, an efficient superposition-based saturation prover:

    • Generate oriented precedence orders

    • Add procrastination rule to SPASS’s reduction rules

    • Drop all non-local inferences

    • Add stratification (SPASS already has something similar)

  • Add axiomatizations of the necessary theories

    • An advantage of a full FOL prover is we can add axioms!

    • As argued earlier, we need a theory of arrays and reachability (TC)

      • Since this theory is not finitely axiomatizable, we use an incomplete axiomatization that is intended to handle typical operations in list-manipulating programs

Simple example l.jpg


{8 x. 0 · x ^ x < i ) a[x] = x}

Simple example

for(i = 0; i < N; i++)

a[i] = i;

for(j = 0; j < N; j++)

assert a[j] = j;

Unwinding simple example l.jpg

i0 = 0

i0 < N

a1 = update(a0,i0,i0)

i1 = i0 + 1

i1 < N

a2 = update(a1,i1,i1)

i2 = i+1 + 1

i ¸ N ^ j0 = 0

j0 < N ^ j1 = j0 + 1

j1 < N

select(a2,j1)  j1

{i0 = 0}

i = 0;

[i < N];

a[i] = i; i++;

[i < N];

a[i] = i; i++;

[i >= N]; j = 0;

[j < N]; j++;

[j < N];

a[j] != j;


{0 · U ^ U < i1) select(a1,U)=U}

{0 · U ^ U < i2) select(a2,U)=U}


{j · U ^ U < N ) select(a2,U)=U}

{j · U ^ U < N ) select(a2,U) = U}

Unwinding simple example

  • Unwind the loops twice

note: stratification prevents constants diverging

as 0, succ(0), succ(succ(0)), ...

List deletion example l.jpg

List deletion example

  • Invariant synthesized with 3 unwindings (after some: simplification):

a = create_list();


tmp = a->next;


a = tmp;


{rea(next,a,nil) ^

8 x (rea(next,a,x)! x = nil _ alloc(x))}

  • That is, a is acyclic, and every cell is allocated

  • Note that interpolation can synthesize Boolean structure.

More small examples l.jpg

More small examples

This shows that divergence can be controlled.

But can we scale to large programs?...

Conclusion l.jpg


  • Interpolants and invariant generation

    • Computing interpolants from proofs allows us to generalize from special cases such as loop-free unwindings

    • Interpolation can extract relevant facts from proofs of these special cases

    • Must avoid divergence

  • Quantified invariants

    • Needed for programs that manipulating arrays or heaps

    • FO equality prover modified to produce local proofs (hence interpolants)

      • Complete for universal invariants

    • Can be used to construct invariants of simple array- and list-manipulating programs, using partial axiomatization of FO(TC)

      • Language stratification prevents divergence

    • Might be used as a relevance heuristic for shape analysis, IPA

Expressiveness hierarchy l.jpg

Expressiveness hierarchy
















Abstract Domain

Interpolants for sequences l.jpg

















Interpolants for sequences

  • Let A1...An be a sequence of formulas

  • A sequence A’0...A’n is an interpolant for A1...An when

    • A’0 = True

    • A’i-1^ Ai) A’i, for i = 1..n

    • An = False

    • and finally, A’i2L (A1...Ai) \L(Ai+1...An)

In other words, the interpolant is a structured

refutation of A1...An

Need for reachability l.jpg

Need for Reachability

  • This condition needed to prove memory safety (no use after free).

  • Cannot be expressed in FO

    • We need some predicate identifying a closed set of nodes that is allocated

  • We require a theory of reachability (in effect, transitive closure)


node *a = create_list();



a = a->next;




8 x (rea(next,a,x) ^ x  nil ! alloc(x))

Can we build an interpolating prover for full FOL

than that handles reachability, and avoids divergence?

Partially axiomatizing fo tc l.jpg

Partially Axiomatizing FO(TC)

  • Axioms of the theory of arrays (with select and store)

8 (A, I, V) (select(update(A,I,V), I) = V

8 (A,I,J,V) (I  J ! select(update(A,I,V), J) = select(A,J))

  • Axioms for reachability (rea)

8 (L,E) rea(L,E,E)

8 (L,E,X) (rea(L,select(L,E),X) ! rea(L,E,X))

[ if e->link reaches x then e reaches x]

8 (L,E,X) (rea(L,E,X) ! E = X _ rea(L,select(L,E),X))

[ if e reaches x then e = x or e->link reaches x]


Since FO(TC) is incomplete, these axioms must be incomplete

  • Login