# Software Model Checking with Horn Clauses

Nikolaj Bjørner

In collaboration with Arie Gurfinkel, Ken McMillan, Andrey Rybalchenko

VTSA Summer School, 2014

nbjorner@microsoft.com

## Contents

• Horn Clauses
• Methods for solving Horn Clauses:
• Fold/Unfold
• Magic
• Infinite Descent
• Predicate Abstraction
• Interpolants
• IC3 (with interpolants)
• Yogi as Horn clause solving

## Why Horn Clauses?

Reduce Program Analysis to Constraint Solving

• Program Semantics
• Hoare Logic [20, 24, 29, 37]
• Existential Fixedpoint Logic [13]
• Constrained Horn Clauses
• Proof rules [26]

Note: Specialized algorithms are used to solve Horn clauses.

## Horn Clauses

• Constrained Horn Clause:

• Logical interpretation
• - predicate symbols
• - formulas over assertion language .
• - quantifier-free (integer) linear arithmetic,
• Abbreviations:

• .
• .

## Horn+ Clauses

• Universal Horn Clauses [10]:

• uses universal quantifier in body.

• Existential Horn Clauses [6]:

• uses existential quantifier in head.

## Horn SAT and UNSAT

| UNSAT | SAT |
|---|---|
| Produce a resolution proof | Produce an explicit model, or a proof that there is no resolution proof |
| Focus of CLP | Aim of our efforts |

• Claim: relative completeness:
• There is no third case, modulo completeness of assertion language.
• Claim: UNSAT is r.e. when SAT for is r.e.
• e.g., if assertion is wrong, there is a finite counter-example.
• Claim: SAT is generally not r.e.
• Bounds for finite domains given by Datalog query complexity
• Note: relative completeness does not hold for Horn+ clauses.

## Transitions to Horn Clauses

• - program variables
• - initial states
• - transition relation
• - safe states

## Programs to Horn Clauses

• - program variables
• - initial states of main procedure
• - intra-procedural transition relation
• - safe states
• - parameter passing relation
• - return value passing

## Programs to Horn Clauses

• Alternative lenses:
• Define Hoare Logic, extract Horn clauses.
• Boogie does this as a side-effect
• Define continuation passing style semantics of program
• Success and Failure continuation.
• Failure continuation feeds into assertions.
• Success continuation feeds into the next statement.

## Programs to Horn Clauses

• Claim: Other translations exist.
• Research question: which one is most suitable?

## Dealing with Loose Semantics

• Is this program safe?

    l0: if (unknown(x) > 0) goto :error

• Horn clauses (attempt 1)

    l0(x) <- true.
    error <- l0(x), unknown(x) > 0.

• Possible interpretation:

    unknown(x) := 0;
    l0 := true;
    error := false;

• This is probably not what we want.

## Dealing with Loose Semantics

Proper semantics obtained by quantifying over all loose models.

which is equivalent to:

## Dealing with Loose Semantics and Abduction

More generally, proper semantics is for:

When there is a canonical interpretation for the background theory (arithmetic without division), proper semantics coincides with satisfiability modulo theories, e.g.:

Compare to constraint handling rules in logic programming.

• Clauses are compiled to instructions over relational algebra.
• join
• project
• rename
• select
• filter
• For efficiency allow combined operations
• join-project
• select-project
• Implementation depends on table representation.

## Network Optimized Datalog NoD

• Option 1: use BDDs to represent tables.

• Option 2: build tables from ternary bit-vectors.

• Table is a union of differences of cubes
• Same as 01100, 01111, 00011, 00000

• Option 3,4,..: Use hash tables, B-trees, bit-maps

• These work in some pointer-analysis applications, but not for header spaces.

Unfold

Fold

## Fold-Unfold

New Definition

Rewriting, such as rewriting equalities

## Fold-Unfold Analysis

• Fold-unfold used in context of Prolog or CLP.
• Highly expressive assertion language.
• When does Fold-Unfold terminate if is derivable?
• When is fold-unfold a decision procedure?
• Boolean Horn clauses (finite domains).
• Horn clauses for simple push-down systems?

## What is the Magic?

• Introduced in Datalog to emulate top-down using bottom-up evaluation.
• Supplies constraints from calling context.

## Infinite Descent Example

1. [1,3, tautology]

2. [2,3]

3. [simplify 5, subsumed 3]

## Infinite Descent

• Goal:

• A conjunction of predicates and constraints
• Subsumption:

• Goal subsumes if there is , such that
• .
• Thus,
• Every solution to contains a solution to .

## Infinite Descent

• Tabling in Datalog/Prolog: memoize answers [42].
• Tabling + memoize and generalize queries [12, 32, 41].
• saturation by super-position [22].
• What relationships can be made between Infinite Descent and Fold/Unfold proofs?

## Predicate Abstraction: Houdini [23]

• For each predicate
• Create set of candidate solutions
• Check each clause
• :
• if
• then remove from .
• Fail if is empty.
• Succeed if fixedpoint where each clause checks.
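The Houdini loop above, run over the transition-system encoding from the "Transitions to Horn Clauses" slide (Init(x) → Inv(x), Inv(x) ∧ Tr(x, x') → Inv(x'), Inv(x) → Safe(x)), as an added example that is not part of the slides. The program, the candidate set and the bounded integer domain used to check clause validity in place of an SMT solver are all constructed for this illustration.

```python
# Added example: Houdini-style predicate abstraction over the clauses
#   Init(x) -> Inv(x),   Inv(x) & Tr(x, x') -> Inv(x'),   Inv(x) -> Safe(x).
# Assumption: clause validity is decided by enumerating a bounded integer
# domain (constructed), standing in for the SMT query a real solver would make.

DOMAIN = range(-4, 16)  # constructed bounded state space used by the checks

# Constructed program:  x := 0; while (x < 10) x := x + 2;   safe states: x <= 10
def init(x):
    return x == 0

def tr(x, x2):
    return x < 10 and x2 == x + 2

def safe(x):
    return x <= 10

def houdini(candidates, init, tr, safe, domain=DOMAIN):
    """Return (surviving candidate names, safe_proved).

    candidates maps a name to a predicate on one state.  Each round drops
    every candidate whose clause fails under the current conjunction, and the
    loop stops at the fixedpoint where each clause checks.
    """
    inv = dict(candidates)
    while True:
        def conj(x):  # the current candidate conjunction Inv(x)
            return all(p(x) for p in inv.values())
        dropped = []
        for name, p in inv.items():
            if any(init(x) and not p(x) for x in domain):        # Init -> p
                dropped.append(name)
            elif any(conj(x) and tr(x, x2) and not p(x2)          # Inv & Tr -> p'
                     for x in domain for x2 in domain):
                dropped.append(name)
        if not dropped:
            break
        for name in dropped:
            del inv[name]
    # Query clause Inv(x) -> Safe(x): fails when the surviving conjunction is too weak
    proved = all(safe(x) for x in domain if all(p(x) for p in inv.values()))
    return list(inv), proved

CANDIDATES = {
    "nonneg": lambda x: x >= 0,
    "le10":   lambda x: x <= 10,
    "even":   lambda x: x % 2 == 0,
    "le8":    lambda x: x <= 8,   # not inductive: 8 -> 10
    "lt10":   lambda x: x < 10,   # not inductive: 8 -> 10
}

if __name__ == "__main__":
    print(houdini(CANDIDATES, init, tr, safe))
    weak = {k: v for k, v in CANDIDATES.items() if k != "even"}
    print(houdini(weak, init, tr, safe))  # without "even", x <= 10 is not inductive
```

Dropping "even" from the candidates shows the failure mode: x <= 10 is no longer inductive on its own, only x >= 0 survives, and the safety clause is not discharged.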

## Predicate Abstraction: Cartesian Templates [26]

• For each predicate
• Create set of candidate properties and states.
• For each clause
• Fail if query, for “” is not valid for some .
• Succeed if fixedpoint reached while maintaining infeasible query.

## IC3

• are state variables.

• is a monome (a conjunction of literals).

• is a clause (a disjunction of literals).

• Convention: is a monome over variables , is a renaming of the same monome to variables .

## IC3 recap

• - a transition system.
• - good states.
• - forward predicate transformer.
• Given reachable states , produce “states can be reached by including another step”.
• From Transition System:
• From Horn Clauses: , where

## IC3 recap

• properties of states reachable within steps.
• are sets of clauses.
• Initially .
• a queue of counter-example trace properties. Initially .
• a level indication. Initially .

## Expanding Traces

repeat until ∞

• Candidate If for some , , then add to .

• Unfold If , then set .

## Termination

repeat until ∞

• Unreachable For , if , return Unreachable.

• Reachable If , return Reachable.

## Backtracking

repeat until ∞

• Conflict Let : given a candidate model and clause , such that

• ,
• ,
then conjoin to , for .

• Leaf If , and is unsatisfiable, then add to .

## Inductive Generalization

repeat until ∞

• Induction For , a clause