Software Model Checking with Horn Clauses

Beamed by Daan Leijen's Madoko

Nikolaj Bjørner
In collaboration with Arie Gurfinkel, Ken McMillan, Andrey Rybalchenko
VTSA Summer School, 2014

Contents

  • Horn Clauses
  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Why Horn Clauses?

Reduce Program Analysis to Constraint Solving

Program Semantics $\equiv$ Hoare Logic [20, 24, 29, 37]
$\equiv$ Existential Fixedpoint Logic [13]
$\equiv$ Constrained Horn Clauses
$\equiv$ Proof rules [26]



Note: Specialized algorithms are used to solve Horn clauses.

  • Top down: start with query (bad state) (SLD resolution)
  • Bottom up: start with facts (initial states)

Horn Clauses

  • Constrained Horn Clause:

    • $p(x) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • Logical interpretation
      • $\forall x, y, z\ .\ q(y) \land r(z) \land \varphi(x,y,z) \rightarrow p(x)$
    • $p, q, r$ - predicate symbols
    • $\varphi, \psi$ - formulas over assertion language $\mathcal{A}$.
    • $\mathcal{A}$ - quantifier-free (integer) linear arithmetic.
  • Abbreviations:

    • $p(x) \leftarrow (q(y) \lor r(z)), \varphi(x,y,z)$.
    • $(p(x)\land q(x)) \leftarrow r(y), \psi(x,y)$.

Horn+ Clauses

  • Universal Horn Clauses [10]:

    • $p(x) \leftarrow (\forall u . q(u, y)), r(z), \varphi(x,y,z)$
    • uses universal quantifier in body.

  • Existential Horn Clauses [6]:

    • $(\exists y . p(x,y)) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • uses existential quantifier in head.

Horn SAT and UNSAT

\[\begin{array}{ll}
\textbf{UNSAT} & \textbf{SAT} \\ \hline
\mbox{Produce a resolution proof} & \mbox{Produce an explicit model, or} \\
 & \mbox{proof that there is no resolution proof} \\
\mbox{Focus of CLP} & \mbox{Aim of our efforts}
\end{array}\]


  • Claim: relative completeness:
    • There is no third case, modulo completeness of assertion language.
  • Claim: UNSAT is r.e. when SAT for $\mathcal{A}$ is r.e.
    • e.g., if assertion is wrong, there is a finite counter-example.
  • Claim: SAT is generally not r.e.
    • Bounds for finite domains given by Datalog query complexity
  • Note: relative completeness does not hold for Horn+ clauses.

Transitions $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states
  • $\mathit{step}(v, v')$ - transition relation
  • $\mathit{safe}(v)$ - safe states

Transitions $\Rightarrow$ Horn Clauses

\[    \begin{array}[t]{@{}l@{}}
      \exists \unk{\mathit{inv}}:\\[\jot]
      \begin{array}[t]{@{}l@{\hspace{10ex}}l@{}}
        \unk{\mathit{inv}(v)} \leftarrow \mathit{init}(v)  &\\[\jot]
        \unk{\mathit{inv}(v')} \leftarrow \unk{\mathit{inv}(v)} \land 
        \mathit{step}(v,v') & \\[\jot]
        \mathit{safe}(v) \leftarrow \unk{\mathit{inv}(v)} & \text{safety}
      \end{array}
    \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states of main procedure
  • $\mathit{step}(v, v')$ - intra-procedural transition relation
  • $\mathit{safe}(v)$ - safe states
  • $\mathit{call}(v, v')$ - parameter passing relation
  • $\mathit{ret}(v, v')$ - return value passing

Programs $\Rightarrow$ Horn Clauses

\[    \begin{array}[t]{@{}l@{}}
      \exists \unk{\mathit{sum}}:\\[\jot]
      \mbox{}\\[\jot]
      \quad
      \begin{array}[t]{@{}l@{}}
    \unk{\mathit{sum}(v_0,v_0)} \leftarrow \mathit{init}(v_0) 
    \\[\jot]          
    \unk{\mathit{sum}(v_0,v_2)} \leftarrow
        \unk{\mathit{sum}(v_0,v_1)} \land \mathit{step}(v_1, v_2)
        \\[\jot]
        \unk{\mathit{sum}(v_0,v_2)} \leftarrow
        \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2)
        \\[\jot]
    \unk{\mathit{sum}(v_0,v_4)} \leftarrow
        \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2) \land 
        \unk{\mathit{sum}(v_2,v_3)} \land \mathit{ret}(v_3, v_4)
        \\[\jot]
        \mathit{safe}(v_1)  \leftarrow \unk{\mathit{sum}(v_0, v_1)} 
      \end{array}
      \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • Alternative lenses:
    • Define Hoare Logic, extract Horn clauses.
      • Boogie does this as a side-effect
    • Define continuation passing style semantics of program
      • Success and Failure continuation.
      • Failure continuation feeds into assertions.
      • Success continuation feeds into the next statement.

Programs $\Rightarrow$ Horn Clauses

\[\begin{array}{lll}
x := E & \mathit{WP}(x := E,\ Q) & = Q[E/x] \\
\mathit{havoc}\ x & \mathit{WP}(\mathit{havoc}\ x,\ Q) & = \forall x\ .\ Q \\
S_1;\ S_2 & \mathit{WP}(S_1; S_2,\ Q) & = \mathit{WP}(S_1,\ \mathit{WP}(S_2,\ Q)) \\
S_1 \mid S_2 & \mathit{WP}(S_1 \mid S_2,\ Q) & = \mathit{WP}(S_1,\ Q) \land \mathit{WP}(S_2,\ Q) \\
\mathit{assert}\ \varphi & \mathit{WP}(\mathit{assert}\ \varphi,\ Q) & = \varphi \land Q \\
\mathit{assume}\ \varphi & \mathit{WP}(\mathit{assume}\ \varphi,\ Q) & = \varphi \rightarrow Q
\end{array}\]

Programs $\Rightarrow$ Horn Clauses

\[\begin{array}{ll}
\mathit{if}\ \varphi\ \mathit{then}\ S_1\ \mathit{else}\ S_2 & (\mathit{assume}\ \varphi;\ S_1) \mid (\mathit{assume}\ \neg\varphi;\ S_2) \\
\mathit{while}\ E\ \mathit{invariant}\ J\ \mathit{do}\ S & \mathit{assert}\ J;\ \mathit{havoc}\ x;\ \mathit{assume}\ J; \\
 & ((\mathit{assume}\ E;\ S;\ \mathit{assert}\ J;\ \mathit{assume}\ \false) \mid \mathit{assume}\ \neg E) \\
 & \\
\mathit{ToHorn}(P) := \mathit{WP}(P, \true) &
\end{array}\]

What about procedure calls?

Programs $\Rightarrow$ Horn Clauses

\[\begin{array}{ll}
\mathit{def}\ P(x, x'): & \mathit{WP}(P(x,x'),\ Q) = \mathit{WP}(\mathit{assert}\ \mathit{Pre}_P(x);\ \mathit{havoc}\ x;\ \mathit{assume}\ \mathit{Post}_P(x,x'),\ Q) \\
\quad \mathit{assume}\ \mathit{Pre}_P(x) & \qquad\qquad\qquad\ \land\ \mathit{WP}(\mathit{assume}\ \mathit{Pre}_P(x);\ \mathit{Body},\ \mathit{Post}_P(x,x')) \\
\quad \mathit{assert}\ \mathit{Post}_P(x,x') & \\
\quad \mathit{Body} &
\end{array}\]
  • Claim: Other translations exist.
  • Research question: which one is most suitable?

Dealing with Loose Semantics

  • Is this program safe?
     l0: if (unknown(x) > 0) goto :error
  • Horn clauses (attempt 1) $\Safe(l_0, \mathit{error}, unknown) \equiv$
    l0(x) <- true.
    error <- l0(x), unknown(x) > 0.
  • Possible interpretation:
    unknown(x) := 0;
    l0 := true;
    error := false;
  • This is probably not what we want.

Dealing with Loose Semantics

Proper semantics obtained by quantifying over all loose models.

\[  \forall f \exists l_0, \mathit{error}\ .\ \Safe(\ell_0, \mathit{error}, f)\]


which is equivalent to:

\[  \exists l_0, \mathit{error} . \forall f \ . \ \Safe(\ell_0(f), \mathit{error}(f), f)\]

Dealing with Loose Semantics and Abduction

More generally, proper semantics is for:

\[  \forall \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \Rightarrow \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]


When there is a canonical interpretation for the background theory (arithmetic without division), proper semantics coincides with satisfiability modulo theories, e.g.:

\[  \exists \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \land \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]

Compare to constraint handling rules in logic programming.


Bottom-up Datalog in $\mu{Z}$

  • $p(0,1)$

    • Add row $(0,1)$ to $p$.
  • $p(x,y) \leftarrow q(y,x)$

    • $q' := \mathit{rename}_{[0\mapsto 1,1\mapsto 0]}(q)$
    • $p := p \cup q'$
  • $p(x,y) \leftarrow q(x), r(y).$

    • $p := p \cup \mathit{join}(q,r)$
  • $p(x,y) \leftarrow q(x,y,z)$

    • $p := p \cup \mathit{project}_z(q)$

Bottom-up Datalog in $\mu{Z}$

  • Clauses $\rightarrow$ instructions using relational algebra.
    • join
    • project $z$
    • rename $[0 \mapsto 1, 1\mapsto 0]$
    • select $x = y$, $x = 1$
    • filter $\varphi$
  • For efficiency allow combined operations
    • join-project
    • select-project
  • Implementation depends on table representation.

Network Optimized Datalog NoD

  • Option 1: use BDDs to represent tables.

  • Option 2: build tables from ternary bit-vectors.

    • $0{\color{red}{\ast}}10 \equiv 0{\color{red}{1}}10 \cup 0{\color{red}{0}}10$
    • Table is a union of differences of cubes
      • $0\ast\ast\ast\ast \setminus \{ 010\ast\ast, 001\ast\ast, 0\ast\ast10, 0\ast\ast01\}$
      • Same as 01100, 01111, 00011, 00000

  • Option 3,4,..: Use hash tables, B-trees, bit-maps

    • Work in some pointer-analysis applications, but not for header spaces

Network Optimized Datalog

\begin{picture}(100,70)(-10,0)
 \thicklines
 \put(0, 60){$A$}
 \put(7, 63){\vector(1,0){20}}
 \put(27, 60){$\router{1}$}
 \put(37, 63){\vector(1,0){60}}
 \put(100,60){$\router{2}$}
 \put(110,63){\vector(1,0){20}}
 \put(131,60){$B$}
 \put(32, 59){\vector(2,-3){30}}
 \put(68, 15){\vector(2, 3){30}}
 \put(60, 5){$\router{3}$}
 \put(70, 10){\vector(1,0){30}}
 \put(105, 5){$D$}
\end{picture}


$
\begin{array}{lllll}
\mathit{in} & dst & src & \mathit{rewrite} & \mathit{out} \\ \hline
\router{1} & 10\star & 01\star & & \router{2} \\
\router{1} & 1\star\star & \star\star\star & & \router{3} \\ \hline
\router{2} & 10\star & \star\star\star & & B   \\ \hline
\router{3} & \star\star\star & 1\star\star & & D   \\
\router{3} & 1\star\star & \star\star\star & dst[1] := 0 & \router{2} 
\end{array}
$

Network Optimized Datalog

\[\begin{array}{lcl}
G_{12} & := & \mathit{dst} = 10\star\ \land\ \mathit{src} = 01\star \\
G_{13} & := & \neg G_{12}\ \land\ \mathit{dst} = 1\star\star \\
G_{2B} & := & \mathit{dst} = 10\star \\
G_{3D} & := & \mathit{src} = 1\star\star \\
G_{32} & := & \neg G_{3D}\ \land\ \mathit{dst} = 1\star\star \\
\mathit{Id} & := & \mathit{src}' = \mathit{src}\ \land\ \mathit{dst}' = \mathit{dst} \\
\mathit{Set0} & := & \mathit{src}' = \mathit{src}\ \land\ \mathit{dst}' = \mathit{dst}[2]\ 0\ \mathit{dst}[0]
\end{array}\]

Network Optimized Datalog

\[\begin{array}{lcl}
 & & B(\mathit{dst},\mathit{src}) \\
\router{1}(\mathit{dst},\mathit{src}) & :- & G_{12} \land \mathit{Id} \land \router{2}(\mathit{dst}',\mathit{src}') \\
\router{1}(\mathit{dst},\mathit{src}) & :- & G_{13} \land \mathit{Id} \land \router{3}(\mathit{dst}',\mathit{src}') \\
\router{2}(\mathit{dst},\mathit{src}) & :- & G_{2B} \land \mathit{Id} \land B(\mathit{dst}',\mathit{src}') \\
\router{3}(\mathit{dst},\mathit{src}) & :- & G_{3D} \land \mathit{Id} \land D(\mathit{dst}',\mathit{src}') \\
\router{3}(\mathit{dst},\mathit{src}) & :- & G_{32} \land \mathit{Set0} \land \router{2}(\mathit{dst}',\mathit{src}') \\
A(\mathit{dst},\mathit{src}) & :- & \router{1}(\mathit{dst},\mathit{src}) \\
 & ? & A(\mathit{dst},\mathit{src})
\end{array}\]
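The bottom-up evaluation scheme from the Datalog slides, run on the router example above, as an added illustration (this is not the $\mu{Z}$ implementation nor code from the slides). It assumes 3-bit $\mathit{dst}$ and $\mathit{src}$ fields, tables as sets of tuples, the fact $B(\mathit{dst},\mathit{src})$ for every header, and no facts for $D$; each rule becomes a join-project with its transition relation followed by a select on its guard.

```python
from itertools import product

# Constructed header space: (dst, src) pairs of 3-bit strings, 64 headers in all.
BITS = ["".join(b) for b in product("01", repeat=3)]          # "000" .. "111"
HEADERS = {(d, s) for d in BITS for s in BITS}

def matches(pattern, bits):
    """Ternary match: '*' is a wildcard bit, as the star in the slide tables."""
    return all(p in ("*", b) for p, b in zip(pattern, bits))

def select(table, dst="***", src="***"):
    """Relational select: rows of `table` whose dst/src match the patterns."""
    return {(d, s) for d, s in table if matches(dst, d) and matches(src, s)}

# Guards G_12 .. G_32 as header sets; the negations in G_13 and G_32 encode the
# first-match priority of the forwarding table.
G12 = select(HEADERS, dst="10*", src="01*")
G13 = select(HEADERS, dst="1**") - G12
G2B = select(HEADERS, dst="10*")
G3D = select(HEADERS, src="1**")
G32 = select(HEADERS, dst="1**") - G3D

# Transition relations over (dst, src, dst', src'): Id keeps the header, Set0
# rewrites dst[1] := 0, i.e. dst' = dst[2] 0 dst[0] (the leftmost bit is dst[2]).
ID = {(d, s, d, s) for d, s in HEADERS}
SET0 = {(d, s, d[0] + "0" + d[2], s) for d, s in HEADERS}

# Rules head(dst,src) :- guard /\ trans /\ body(dst',src'), in the slide's order;
# R1..R3 stand for routers 1..3.
RULES = [
    ("R1", G12, ID, "R2"),
    ("R1", G13, ID, "R3"),
    ("R2", G2B, ID, "B"),
    ("R3", G3D, ID, "D"),
    ("R3", G32, SET0, "R2"),
    ("A", HEADERS, ID, "R1"),
]

def join_project(trans, body):
    """Join on (dst', src') with the body table, then project onto (dst, src)."""
    return {(d, s) for d, s, d2, s2 in trans if (d2, s2) in body}

def solve(rules, facts):
    """Naive bottom-up fixpoint: re-apply every rule until no table grows."""
    names = {h for h, _, _, _ in rules} | {b for _, _, _, b in rules}
    rel = {name: set() for name in names}
    for name, rows in facts.items():
        rel[name] |= rows
    changed = True
    while changed:
        changed = False
        for head, guard, trans, body in rules:
            derived = join_project(trans, rel[body]) & guard   # select after join-project
            if not derived <= rel[head]:
                rel[head] |= derived
                changed = True
    return rel

def headers_reaching_B():
    """Answer the query ?A(dst, src): headers injected at A that are delivered at B."""
    # B accepts every header; D has no facts, so the rule via G_3D derives nothing.
    rel = solve(RULES, {"B": set(HEADERS), "D": set()})
    return rel["A"]

if __name__ == "__main__":
    for d, s in sorted(headers_reaching_B()):
        print(f"dst={d} src={s}")
```

The result is the 16 headers with $\mathit{dst} = 1\star\star$ and $\mathit{src} = 0\star\star$: those with $\mathit{src} = 1\star\star$ are diverted by router 3 towards $D$ and never reach $B$.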


Fold-Unfold

\[\begin{array}{ll}
 & \mathit{fold}\quad \false \leftarrow nat(x), pre(x) \\
nat(0). & \\
nat(s(x)) \leftarrow nat(x). & \false \leftarrow nat(p(x)), pre(x). \\
pre(p(x)) \leftarrow nat(x). & \false \leftarrow nat(p(x)), nat(x). \\
pre(p(x)) \leftarrow pre(x). & \false \leftarrow nat(s(x)), pre(x). \\
pre(s(x)) \leftarrow pre(x). & \\
\false \leftarrow nat(x), pre(x). &
\end{array}\]

Fold-Unfold

\[\begin{array}{ll}
nat(0). & \\
nat(s(x)) \leftarrow nat(x). & \false \leftarrow \false. \\
pre(p(x)) \leftarrow nat(x). & \false \leftarrow \false. \\
pre(p(x)) \leftarrow pre(x). & \false \leftarrow nat(x), pre(x). \\
pre(s(x)) \leftarrow pre(x). & \\
\false \leftarrow nat(x), pre(x). &
\end{array}\]

Fold-Unfold

\[  \begin{array}{ll}
  \begin{array}{l}
  nat(0). \\
  nat(s(x)) \leftarrow nat(x). \\
  pre(p(x)) \leftarrow nat(x). \\
  pre(p(x)) \leftarrow pre(x). \\
  pre(s(x)) \leftarrow pre(x). \\
  \false  \leftarrow nat(x), pre(x).
  \end{array}
  \begin{array}{l}
  \false  \leftarrow \false. \\
  \false  \leftarrow \false. \\
  \underbrace{\false  \leftarrow \false.}_{\mbox{fold with original def.}} \\
  \end{array}
  \end{array}\]

Fold-Unfold

Unfold

\[  \begin{array}{ll}
  q(y) \leftarrow B_1      &               \\
  q(y) \leftarrow B_2      & p(x) \leftarrow B_1, C \\
  p(x) \leftarrow q(y), C    & p(x) \leftarrow B_2, C 
  \end{array}\]

Fold

\[  \begin{array}{ll}
  p(x) \leftarrow B[x,y], C    & p(x) \leftarrow q(x,y), C \\    
  p'(x) \leftarrow B[x,y], C'    & p'(x) \leftarrow q(x,y), C' 
  \end{array}\]

Fold-Unfold

New Definition

\[  p(x) \leftarrow B[x,y], C. \ \  q(x,y) \leftarrow B[x,y]\]

Rewriting, such as rewriting equalities

\[  \begin{array}{ll}
  p(x) \leftarrow B[t,y]    & p(x) \leftarrow B[z,y], t = z
  \end{array}\]

Fold-Unfold Analysis

  • Fold-unfold used in context of Prolog or CLP.
    • Highly expressive assertion language.
  • When does Fold-Unfold terminate if $\false$ is derivable?
  • When is fold-unfold a decision procedure?
    • Boolean Horn clauses (finite domains).
    • Horn clauses for simple push-down systems?

Fold-Unfold References

  • [15, 43, 44] Classics
  • [39] Unfold/Fold for Verification
  • MAPS system, [28]
  • [25] Fold/unfold + magic + polyhedra + interpolants


Magic

  • $A(x) \leftarrow p(y), q(z), \phi(x, y, z).$
  • $r(x) \leftarrow B(x,z), A(z) $


  • $A_{ans}(x) \leftarrow A_{query}(x), p_{ans}(y), q_{ans}(z), \phi(x,y,z).$
  • $A_{query}(z) \leftarrow r_{query}(x), B(x,z).$

Magic Example

\[\begin{array}{rcl}
    Q(x)  & \leftarrow &  A(y), B(z), \phi_1(x,y,z). \\
    Q(x)  & \leftarrow &  C(y), \phi_2(x,y). \\
    A(x)  & \leftarrow &  C(y), \phi_3(x,y). \\
    A(x)  & \leftarrow &  A(y), \phi_3(x,y). \\
    B(x)  & \leftarrow &  C(y), A(z), \phi_4(x,y,z). \\
    C(x)  & \leftarrow &  \phi_5(x). 
\end{array}\]

Magic Example

\[\begin{array}{rcl}
    Q_{ans}(x)   & \leftarrow &  Q_{query}(x), A_{ans}(y), B_{ans}(z), \phi_1(x,y,z). \\
    Q_{ans}(x)   & \leftarrow &  Q_{query}(x), C_{ans}(y), \phi_2(x,y). \\
    Q_{query}(x) & \leftarrow &  \true. 
\end{array}\]

Magic Example

\[\begin{array}{rcl}
    A_{ans}(x)   & \leftarrow &  A_{query}(x), C_{ans}(y), \phi_2(x,y). \\
    A_{ans}(x)   & \leftarrow &  A_{query}(x), A_{ans}(y), \phi_3(x,y). \\
    A_{query}(y) & \leftarrow &  Q_{query}(x), \phi_1(x,y,z). \\
    A_{query}(y) & \leftarrow &  A_{query}(x), \phi_3(x,y). \\
    A_{query}(z) & \leftarrow &  B_{query}(x), C_{ans}(y), \phi_4(x,y,z). 
\end{array}\]

Magic Example

\[\begin{array}{rcl}
    B_{ans}(x)   & \leftarrow &  B_{query}(x), C_{ans}(y), A_{ans}(z), \phi_4(x,y,z). \\
    B_{query}(z) & \leftarrow &  Q_{query}(x), A_{ans}(y), \phi_1(x,y,z). 
\end{array}\]
\[\begin{array}{rcl}
    C_{ans}(x)   & \leftarrow &  C_{query}(x), \phi_5(x). \\
    C_{query}(y) & \leftarrow &  Q_{query}(x), \phi_2(x,y). \\
    C_{query}(y) & \leftarrow &  Q_{query}(x), \phi_3(x,y). \\
    C_{query}(y) & \leftarrow &  B_{query}(x), \phi_4(x,y,z). 
\end{array}\]

What is the Magic?

  • Introduced in Datalog to emulate top-down using bottom-up evaluation.
  • Supplies constraints from calling context.


Infinite Descent Example

  1. $\mathit{plus}(0,x,x).$

  2. $\mathit{plus}(s(x),y,s(z)) \leftarrow \mathit{plus}(x,y,z).$

  3. $x = y \leftarrow \mathit{plus}(x,0,y)$

  4. $x = y \leftarrow \mathit{plus}(x,0,y), x = 0, y = 0$ [1,3, tautology]

  5. $s(x) = s(y) \leftarrow \mathit{plus}(x,0,y)$ [2,3]

  6. $x = y \leftarrow \mathit{plus}(x,0,y)$ [simplify 5, subsumed 3]

Infinite Descent

  • Goal:

    • A conjunction of predicates and constraints
    • $\varphi(x,y,z) \leftarrow p(x), q(y), r(z)$
  • Subsumption:

    • Goal $G_1$ subsumes $G_2$ if there is $\theta$, such that
    • $G_1 \rightarrow G_2\theta$.
    • Thus,
      • Every solution to $\neg G_2$ contains a solution to $\neg G_1$.

Infinite Descent

  • Tabling in Datalog/Prolog: memoize answers [42].
  • Tabling + memoize and generalize queries [12, 32, 41].
    • saturation by super-position [22].
  • What relationships can be made between Infinite Descent and Fold/Unfold proofs?


Predicate Abstraction: Houdini [23]

  • For each predicate $p(x)$
    • Create set of candidate solutions
      • $\mathit{Sol}_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
  • Check each clause $p(x) \leftarrow q(y), \psi(x,y)$
    • $\varphi \in \mathit{Sol}_p$:
    • if $\neg (\forall x,y \ . \ (\bigwedge \mathit{Sol}_q(y) \land \psi(x,y) \rightarrow \varphi(x))$
      • then remove $\varphi$ from $\mathit{Sol}_p$.
  • Fail if $\mathit{Sol}_p$ is empty.
  • Succeed if fixedpoint where each clause checks.
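An added example, not from the slides: the Houdini loop above run over the three clauses of the "Transitions $\Rightarrow$ Horn Clauses" slide ($\mathit{inv}(v) \leftarrow \mathit{init}(v)$, $\mathit{inv}(v') \leftarrow \mathit{inv}(v) \land \mathit{step}(v,v')$, $\mathit{safe}(v) \leftarrow \mathit{inv}(v)$) for a constructed loop `x := 0; y := 0; repeat x += 1; y += 2`. It assumes that the validity checks are decided by enumerating a bounded state space instead of an SMT query, so the result is only sound over that domain.

```python
from itertools import product

# Constructed finite state space: states are (x, y) with small integer coordinates.
# Assumption replacing an SMT validity check: "for all v" is enumerated over DOMAIN.
DOMAIN = list(product(range(-4, 16), repeat=2))

def init(v):
    """init(v): the loop starts at x = 0, y = 0 (constructed program)."""
    return v == (0, 0)

def step(v):
    """step(v, v'): deterministic loop body x += 1; y += 2, returned as v'."""
    x, y = v
    return (x + 1, y + 2)

def safe(v):
    """safe(v): the assertion the invariant has to imply."""
    return v[1] >= 0 and v[1] % 2 == 0

# Candidate solutions Sol_inv = {phi_1, ..., phi_n}, keyed by a printable name.
CANDIDATES = {
    "x >= 0":     lambda v: v[0] >= 0,
    "y >= 0":     lambda v: v[1] >= 0,
    "y == 2*x":   lambda v: v[1] == 2 * v[0],
    "x <= 5":     lambda v: v[0] <= 5,
    "y % 2 == 0": lambda v: v[1] % 2 == 0,
    "x == y":     lambda v: v[0] == v[1],
}

def conj(sol, v):
    """The conjunction of all current candidates, evaluated at state v."""
    return all(phi(v) for phi in sol.values())

def houdini(candidates):
    """Remove candidates until every clause checks; returns the survivors."""
    sol = dict(candidates)
    # Clause inv(v) <- init(v): a candidate must hold in every initial state.
    for name, phi in list(sol.items()):
        if any(init(v) and not phi(v) for v in DOMAIN):
            del sol[name]
    # Clause inv(v') <- inv(v) & step(v, v'): a candidate must be preserved
    # relative to the conjunction of the *remaining* candidates. Dropping one
    # weakens the body, which can break others, so iterate to a fixedpoint.
    changed = True
    while changed:
        changed = False
        for name, phi in list(sol.items()):
            if any(conj(sol, v) and not phi(step(v)) for v in DOMAIN):
                del sol[name]
                changed = True
    return sol

def check_safety(sol, safe_pred=safe):
    """Clause safe(v) <- inv(v): fail if Sol is empty or does not imply safe."""
    return bool(sol) and all(safe_pred(v) for v in DOMAIN if conj(sol, v))

if __name__ == "__main__":
    inv = houdini(CANDIDATES)
    print("surviving candidates:", sorted(inv))
    print("safe:", check_safety(inv))
```

The run drops `x == y` first (it fails on the successor of the only state satisfying all six candidates) and `x <= 5` in the next pass, leaving `x >= 0`, `y >= 0`, `y == 2*x`, `y % 2 == 0`, which together imply the assertion.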

Predicate Abstraction: Cartesian Templates [26]

  • For each predicate $p(x)$
    • Create set of candidate properties and states.
      • $P_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
      • $S_p := \{ \}$
  • For each clause $p(x) \leftarrow q(x) \land \psi(x)$
    • $S_p := S_p \cup \{ \{ \bigwedge_i \varphi_i\; \mid\; \theta \land \psi(x) \rightarrow \varphi_i(x) \mbox{ is valid} \} \mid \theta \in S_q \}$
  • Fail if query, for “$\theta \land \varphi \rightarrow \false$” is not valid for some $\theta\in S_q$.
  • Succeed if fixedpoint reached while maintaining infeasible query.


Interpolants [26, 38, 40]


IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[  R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}]\]

IC3 recap

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until ∞

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until ∞

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until ∞

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until ∞

  • Induction For $0 \leq i < N$, a clause