Software Model Checking with Horn Clauses

Beamed by Daan Leijen's Madoko

Nikolaj Bjørner
In collaboration with Arie Gurfinkel, Ken McMillan, Andrey Rybalchenko
VTSA Summer School, 2014

Contents

  • Horn Clauses
  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Why Horn Clauses?

Reduce Program Analysis to Constraint Solving

Program Semantics $\equiv$ Hoare Logic [20, 24, 29, 37]
$\equiv$ Existential Fixedpoint Logic [13]
$\equiv$ Constrained Horn Clauses
$\equiv$ Proof rules [26]



Note: Specialized algorithms are used to solve Horn clauses.

  • Top down: start with query (bad state) (SLD resolution)
  • Bottom up: start with facts (initial states)

Horn Clauses

  • Constrained Horn Clause:

    • $p(x) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • Logical interpretation
      • $\forall x, y, z\ .\ q(z) \land r(z) \land \varphi(x,y,z) \rightarrow p(x)$
    • $p, q, r$ - predicate symbols
    • $\varphi, \psi$ - formulas over assertion language $\mathcal{A}$.
    • $\mathcal{A}$ - quantifier-free (integer) linear arithmetic,

  • Abbreviations:

    • $p(x) \leftarrow (q(y) \lor r(z)), \varphi(x,y,z)$.
    • $(p(x)\land q(x)) \leftarrow r(y), \psi(x,y)$.

Horn+ Clauses

  • Universal Horn Clauses [10]:

    • $p(x) \leftarrow (\forall u . q(u, y)), r(z), \varphi(x,y,z)$
    • uses universal quantifier in body.

  • Existential Horn Clauses [6]:

    • $(\exists y . p(x,y)) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • uses existential quantifier in head.

Horn SAT and UNSAT

UNSAT SAT
Produce a Produce an explicit model, or
resolution proof proof that there is no resolution proof
Focus of CLP Aim of our efforts


  • Claim: relative completeness:
    • There is no third case, modulo completeness of assertion language.
  • Claim: UNSAT is r.e. when SAT for $\mathcal{A}$ is r.e.
    • e.g., if assertion is wrong, there is a finite counter-example.
  • Claim: SAT is generally not r.e.
    • Bounds for finite domains given by Datalog query complexity
  • Note: relative completeness does not hold for Horn+ clauses.

Transitions $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states
  • $\mathit{step}(v, v')$ - transition relation
  • $\mathit{safe}(v)$ - safe states

Transitions $\Rightarrow$ Horn Clauses

\[ \begin{array}[t]{@{}l@{}} \exists \unk{\mathit{inv}}:\\[\jot] \begin{array}[t]{@{}l@{\hspace{10ex}}l@{}} \unk{\mathit{inv}(v)} \leftarrow \mathit{init}(v) &\\[\jot] \unk{\mathit{inv}(v')} \leftarrow \unk{\mathit{inv}(v)} \land \mathit{step}(v,v') & \\[\jot] \mathit{safe}(v) \leftarrow \unk{\mathit{inv}(v)} & \text{safety} \end{array} \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states of main procedure
  • $\mathit{step}(v, v')$ - intra-procedural transition relation
  • $\mathit{safe}(v)$ - safe states
  • $\mathit{call}(v, v')$ - parameter passing relation
  • $\mathit{ret}(v, v')$ - return value passing

Programs $\Rightarrow$ Horn Clauses

\[ \begin{array}[t]{@{}l@{}} \exists \unk{\mathit{sum}}:\\[\jot] \mbox{}\\[\jot] \quad \begin{array}[t]{@{}l@{}} \unk{\mathit{sum}(v_0,v_0)} \leftarrow \mathit{init}(v_0) \\[\jot] \unk{\mathit{sum}(v_0,v_2)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{step}(v_1, v_2) \\[\jot] \unk{\mathit{sum}(v_0,v_2)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2) \\[\jot] \unk{\mathit{sum}(v_0,v_4)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2) \land \unk{\mathit{sum}(v_2,v_3)} \land \mathit{ret}(v_3, v_4) \\[\jot] \mathit{safe}(v_1) \leftarrow \unk{\mathit{sum}(v_0, v_1)} \end{array} \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • Alternative lenses:
    • Define Hoare Logic, extract Horn clauses.
      • Boogie does this as a side-effect
    • Define continuation passing style semantics of program
      • Success and Failure continuation.
      • Failure contionation feeds into assertions.
      • Success continuation feeds into the next statement.

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{x}\mathspace{1}:=\mathspace{1}\mathid{E}\mathspace{15}&\mathspace{1}\mathid{WP}(\mathid{x}\mathspace{1}:=\mathspace{1}\mathid{E},\mathspace{1}\mathid{Q})\mathspace{9}&\mathspace{1}=\mathspace{1}\mathid{Q}[\mathid{E}/\mathid{x}]\mathbr{} \mathindent{2}\mathid{havoc}\mathspace{1}\mathid{x}\mathspace{14}&\mathspace{1}\mathid{WP}(\mathid{havoc}\mathspace{1}\mathid{x},\mathspace{1}\mathid{Q})\mathspace{8}&\mathspace{1}=\mathspace{1}\forall \mathid{x}\mathspace{1}\ .\mathspace{1}\ \mathid{Q}\mathbr{} \mathindent{2}\mathid{S}_1;\mathspace{1}\mathid{S}_2\mathspace{13}&\mathspace{1}\mathid{WP}(\mathid{S}_1;\mathid{S}_2,\mathspace{1}\mathid{Q})\mathspace{8}&\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{S}_1,\mathspace{1}\mathid{WP}(\mathid{S}_2,\mathspace{1}\mathid{Q}))\mathbr{} \mathindent{2}\mathid{S}_1\mathspace{1}\mid \mathid{S}_2\mathspace{9}&\mathspace{1}\mathid{WP}(\mathid{S}_1\mathspace{1}\mid \mathid{S}_2,\mathspace{1}\mathid{Q})\mathspace{3}&\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{S}_1,\mathspace{1}\mathid{Q})\mathspace{1}\land \mathid{WP}(\mathid{S}_2,\mathspace{1}\mathid{Q})\mathbr{} \mathindent{2}\mathid{assert}\mathspace{1}\varphi &\mathspace{1}\mathid{WP}(\mathid{assert}\mathspace{1}\varphi,\mathspace{1}\mathid{Q})\mathspace{1}&\mathspace{1}=\mathspace{1}\varphi \land \mathid{Q}\mathbr{} \mathindent{2}\mathid{assume}\mathspace{1}\varphi &\mathspace{1}\mathid{WP}(\mathid{assume}\mathspace{1}\varphi,\mathspace{1}\mathid{Q})\mathspace{1}&\mathspace{1}=\mathspace{1}\varphi \rightarrow \mathid{Q} \end{mdMathprearray}\]

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{if}\mathspace{1}\varphi \mathid{then}\mathspace{1}\mathid{S}_1\mathspace{1}\mathid{else}\mathspace{1}\mathid{S}_2\mathspace{1}&\mathspace{1}(\mathid{assume}\mathspace{1}\varphi;\mathspace{1}\mathid{S}_1)\mathspace{1}\mid (\mathid{assume}\mathspace{1}\neg \varphi;\mathspace{1}\mathid{S}_2)\mathbr{} \mathindent{2}\mathid{while}\mathspace{1}\mathid{E}\mathspace{1}\mathid{invariant}\mathspace{1}\mathid{J}\mathspace{1}\mathid{do}\mathspace{1}\mathid{S}\mathspace{5}&\mathspace{1}\mathid{assert}\mathspace{1}\mathid{J};\mathspace{1}\mathid{havoc}\mathspace{1}\mathid{x};\mathspace{1}\mathid{assume}\mathspace{1}\mathid{J};\mathspace{1}\mathbr{} \mathindent{31}&\mathspace{1}((\mathid{assume}\mathspace{1}\mathid{E};\mathspace{1}\mathid{S};\mathspace{1}\mathid{assert}\mathspace{1}\mathid{J};\mathspace{1}\mathid{assume}\mathspace{1}\mathkw{false})\mathspace{1}\mid \mathid{assume}\mathspace{1}\neg \mathid{E})\mathbr{} \mathbr{} \mathindent{2}\mathid{ToHorn}(\mathid{P})\mathspace{1}:=\mathspace{1}\mathid{WP}(\mathid{P},\true) \end{mdMathprearray}\]

What about procedure calls?

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{def}\mathspace{1}\mathid{P}(\mathid{x},\mathid{x}'):\mathspace{18}&\mathspace{2}\mathid{WP}(\mathid{P}(\mathid{x},\mathid{x}'),\mathspace{1}\mathid{Q})\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{assert}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x});\mathspace{1}\mathid{havoc}\mathspace{1}\mathid{x};\mathspace{1}\mathid{assume}\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}'),\mathspace{1}\mathid{Q})\mathbr{} \mathindent{4}\mathid{assume}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x})\mathspace{13}&\mathspace{19}\land \mathid{WP}(\mathid{assume}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x});\mathspace{1}\mathid{Body},\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}'))\mathbr{} \mathindent{4}\mathid{assert}\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}')\mathbr{} \mathindent{4}\mathid{Body} \end{mdMathprearray}\]
  • Claim: Other translations exist.
  • Research question: which one is most suitable?

Dealing with Loose Semantics

  • Is this program safe? 
     l0: if (unknown(x) > 0) goto :error
  • Horn clauses (attempt 1) $\Safe(l_0, \mathit{error}, unknown) \equiv$ 
    l0(x) <- true.
    error <- l0(x), unknown(x) > 0.
  • Possible interpretation: 
    unknown(x) := 0;
    l0 := true;
    error := false;
  • This is probably not what we want.

Dealing with Loose Semantics

Proper semantics obtained by quantifying over all loose models.

\[ \forall f \exists l_0, \mathit{error}\ .\ \Safe(\ell_0, \mathit{error}, f)\]


which is equivalent to:

\[ \exists l_0, \mathit{error} . \forall f \ . \ \Safe(\ell_0(f), \mathit{error}(f), f)\]

Dealing with Loose Semantics and Abduction

More generally, proper semantics is for:

\[ \forall \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \Rightarrow \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]


When there is a canonical interpretation for background theory (arithmetic without division), proper semantics coincides with satisfiability modulo theories , e.g,:

\[ \exists \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \land \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]

Compare to constraint handling rules in logic programming.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Bottom-up Datalog in $\mu{Z}$.

  • $p(0,1)$

    • Add row $(0,1)$ to $p$.

  • $p(x,y) \leftarrow q(y,x)$

    • $q' := \mathit{rename}_{[0\mapsto 1,1\mapsto 0]}(q)$
    • $p := p \cup q'$

  • $p(x,y) \leftarrow q(x), r(y).$

    • $p := p \cup \mathit{join}(q,r)$

  • $p(x,y) \leftarrow q(x,y,z)$

    • $p := p \cup \mathit{project}_z(q)$

Bottom-up Datalog in $\mu{Z}$

  • Clauses $\rightarrow$ instructions using relational algebra.
    • join
    • project $z$
    • rename $[0 \mapsto 1, 1\mapsto 0]$
    • select $x = y$, $x = 1$
    • filter $\varphi$
  • For efficiency allow combined operations
    • join-project
    • select-project
  • Implementation depends on table representation.

Network Optimized Datalog NoD

  • Option 1: use BDDs to represent tables.

  • Option 2: build tables from ternary bit-vectors.

    • $0{\color{red}{\ast}}10 \equiv 0{\color{red}{1}}10 \cup 0{\color{red}{0}}10$
    • Table is a union of differences of cubes
      • $0\ast\ast\ast\ast \setminus \{ 010\ast\ast, 001\ast\ast, 0\ast\ast10, 0\ast\ast01\}$
      • Same as 01100, 01111, 00011, 00000

  • Option 3,4,..: Use hash tables, B-trees, bit-maps

    • Work in some pointer-analysis applications, but not for header spaces

Network Optimized Datalog

\begin{picture}(100,70)(-10,0) \thicklines \put(0, 60){$A$} \put(7, 63){\vector(1,0){20}} \put(27, 60){$\router{1}$} \put(37, 63){\vector(1,0){60}} \put(100,60){$\router{2}$} \put(110,63){\vector(1,0){20}} \put(131,60){$B$} \put(32, 59){\vector(2,-3){30}} \put(68, 15){\vector(2, 3){30}} \put(60, 5){$\router{3}$} \put(70, 10){\vector(1,0){30}} \put(105, 5){$D$} \end{picture} $ \begin{array}{lllll} \mathit{in} & dst & src & \mathit{rewrite} & \mathit{out} \\ \hline \router{1} & 10\star & 01\star & & \router{2} \\ \router{1} & 1\star\star & \star\star\star & & \router{3} \\ \hline \router{2} & 10\star & \star\star\star & & B \\ \hline \router{3} & \star\star\star & 1\star\star & & D \\ \router{3} & 1\star\star & \star\star\star & dst[1] := 0 & \router{2} \end{array} $

Network Optimized Datalog

\[\begin{mdMathprearray}% \mathid{G}_{12}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\dst =\mathspace{1}10\star \land\ \src =\mathspace{1}01\star \mathbr{} \mathid{G}_{13}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\neg \mathid{G}_{12}\ \land\ \dst =\mathspace{1}1\star\star\mathbr{} \mathid{G}_{2\mathid{B}}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\dst =\mathspace{1}1\mathspace{1}0\mathspace{1}\star \mathbr{} \mathid{G}_{3\mathid{D}}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\src =\mathspace{1}1\star\star \mathbr{} \mathid{G}_{32}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\neg \mathid{G}_{3\mathid{D}}\mathspace{1}\ \land \ \dst =\mathspace{1}1\star\star \mathbr{} \mathit{Id}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{2}\src'\mathspace{1}=\mathspace{1}\src \ \land \ \dst'\mathspace{1}=\mathspace{1}\dst \mathbr{} \mathit{Set0}\mathspace{1}&\mathspace{1}:=\mathspace{1}&\mathspace{1}\src'\mathspace{1}=\mathspace{1}\src \ \land \ \dst'\mathspace{1}=\mathspace{1}\dst[2]\ 0\ \dst[0]\mathspace{1} \end{mdMathprearray}\]

Network Optimized Datalog

\[\begin{mdMathprearray}% \mathindent{4}&\mathspace{1}&\mathspace{1}\mathid{B}(\dst,\src)\mathspace{1}\mathbr{} \mathindent{4}\router{1}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{12}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \router{2}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{1}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{13}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \router{3}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{2}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{2\mathid{B}}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \mathid{B}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{3}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{3\mathid{D}}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \mathid{D}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{3}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{32}\mathspace{1}\land \mathit{Set0}\mathspace{1}\land \router{2}(\dst',\src')\mathbr{} \mathindent{4}\mathid{A}(\dst,\src)\mathspace{3}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\router{1}(\dst,\src)\mathspace{1}\mathbr{} \mathindent{9}&\mathspace{1}?\mathspace{1}&\mathspace{2}\mathid{A}(\dst,\src)\mathspace{1} \end{mdMathprearray}\]

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Fold-Unfold

\[\begin{mdMathprearray}% \mathindent{25}&\mathspace{1}\mathid{fold}\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x})\mathbr{} \mathid{nat}(0).\mathspace{1}\mathbr{} \mathid{nat}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{p}(\mathid{x})),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{1}\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{p}(\mathid{x})),\mathspace{1}\mathid{nat}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{s}(\mathid{x})),\mathspace{1}\mathid{pre}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathbr{} \mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{2} \end{mdMathprearray}\]

Fold-Unfold

\[\begin{mdMathprearray}% \mathid{nat}(0).\mathspace{1}\mathbr{} \mathid{nat}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathkw{false}.\mathspace{1}\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathkw{false}.\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathbr{} \mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{2} \end{mdMathprearray}\]

Fold-Unfold

\[ \begin{array}{ll} \begin{array}{l} nat(0). \\ nat(s(x)) \leftarrow nat(x). \\ pre(p(x)) \leftarrow nat(x). \\ pre(p(x)) \leftarrow pre(x). \\ pre(s(x)) \leftarrow pre(x). \\ \false \leftarrow nat(x), pre(x). \end{array} \begin{array}{l} \false \leftarrow \false. \\ \false \leftarrow \false. \\ \underbrace{\false \leftarrow \false.}_{\mbox{fold with original def.}} \\ \end{array} \end{array}\]

Fold-Unfold

Unfold

\[ \begin{array}{ll} q(y) \leftarrow B_1 & \\ q(y) \leftarrow B_2 & p(x) \leftarrow B_1, C \\ p(x) \leftarrow q(y), C & p(x) \leftarrow B_2, C \end{array}\]

Fold

\[ \begin{array}{ll} p(x) \leftarrow B[x,y], C & p(x) \leftarrow q(x,y), C \\ p'(x) \leftarrow B[x,y], C' & p'(x) \leftarrow q(x,y), C' \end{array}\]

Fold-Unfold

New Definition

\[ p(x) \leftarrow B[x,y], C. \ \ q(x,y) \leftarrow B[x,y]\]

Rewriting, such as rewriting equalites

\[ \begin{array}{ll} p(x) \leftarrow B[t,y] & p(x) \leftarrow B[z,y], t = z \end{array}\]

Fold-Unfold Analysis

  • Fold-unfold used in context of Prolog or CLP.
    • Highly expressive assertion language.
  • When does Fold-Unfold terminate if $\false$ is derivable?
  • When is fold-unfold a decision procedure?
    • Boolean Horn clauses (finite domains).
    • Horn clauses for simple push-down systems?

Fold-Unfold References

  • [15, 43, 44] Classics
  • [39] Unfold/Fold for Verification
  • MAPS system, [28]
  • [25] Fold/unfold + magic + polyhedra + interpolants

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Magic

  • $A(x) \leftarrow p(y), q(z), \phi(x, y, z).$
  • $r(x) \leftarrow B(x,z), A(z) $


  • $A_{ans}(x) \leftarrow A_{query}(x), p_{ans}(y), q_{ans}(z), \phi(x,y,z).$
  • $A_{query}(z) \leftarrow r_{query}(x), B(x,z).$

Magic Example

\[\begin{array}{rcl} Q(x) & \leftarrow & A(y), B(z), \phi_1(x,y,z). \\ Q(x) & \leftarrow & C(y), \phi_2(x,y). \\ A(x) & \leftarrow & C(y), \phi_3(x,y). \\ A(x) & \leftarrow & A(y), \phi_3(x,y). \\ B(x) & \leftarrow & C(y), A(z), \phi_4(x,y,z). \\ C(x) & \leftarrow & \phi_5(x). \end{array}\]
\[\begin{mdMathprearray}% \mathindent{4}\mathid{Q}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{A}(\mathid{y}),\mathspace{1}\mathid{B}(\mathid{z}),\mathspace{1}\phi_1(\mathid{x},\mathid{y},\mathid{z}).\mathbr{} \mathindent{4}\mathid{Q}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\phi_2(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{A}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\phi_3(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{A}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{A}(\mathid{y}),\mathspace{1}\phi_3(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{B}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\mathid{A}(\mathid{z}),\mathspace{1}\phi_4(\mathid{x},\mathid{y},\mathid{z}).\mathbr{} \mathindent{4}\mathid{C}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\phi_5(\mathid{x}).\mathspace{1} \end{mdMathprearray}\]

Magic Example

\[\begin{array}{rcl} Q_{ans}(x) & \leftarrow & Q_{query}(x), A_{ans}(y), B_{ans}(z), \phi_1(x,y,z). \\ Q_{ans}(x) & \leftarrow & Q_{query}(x), C_{ans}(y), \phi_2(x,y). \\ Q_{query}(x) & \leftarrow & \true. \end{array}\]

Magic Example

\[\begin{array}{rcl} A_{ans}(x) & \leftarrow & A_{query}(x), C_{ans}(y), \phi_2(x,y). \\ A_{ans}(x) & \leftarrow & A_{query}(x), A_{ans}(y), \phi_3(x,y). \\ A_{query}(y) & \leftarrow & Q_{query}(x), \phi_1(x,y,z). \\ A_{query}(y) & \leftarrow & A_{query}(x), \phi_3(x,y). \\ A_{query}(z) & \leftarrow & B_{query}(x), C_{ans}(y), \phi_4(x,y,z). \end{array}\]

Magic Example

\[\begin{array}{rcl} B_{ans}(x) & \leftarrow & B_{query}(x), C_{ans}(y), A_{ans}(z), \phi_4(x,y,z). \\ B_{query}(z) & \leftarrow & Q_{query}(x), A_{ans}(y), \phi_1(x,y,z). \end{array}\]
\[\begin{array}{rcl} C_{ans}(x) & \leftarrow & C_{query}(x), \phi_5(x). \\ C_{query}(y) & \leftarrow & Q_{query}(x), \phi_2(x,y). \\ C_{query}(y) & \leftarrow & Q_{query}(x), \phi_3(x,y). \\ C_{query}(y) & \leftarrow & B_{query}(x), \phi_4(x,y,z). \end{array}\]

What is the Magic?

  • Introduced in Datalog to emulate top-down using bottom-up evalution.
  • Supplies constraints from calling context.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Infinite Descent Example

  1. $\mathit{plus}(0,x,x).$

  2. $\mathit{plus}(s(x),y,s(z)) \leftarrow \mathit{plus}(x,y,z).$

  3. $x = y \leftarrow \mathit{plus}(x,0,y)$

  4. $x = y \leftarrow \mathit{plus}(x,0,y), x = 0, y = 0$ [1,3, tautology]

  5. $s(x) = s(y) \leftarrow \mathit{plus}(x,0,y)$ [2,3]

  6. $x = y \leftarrow \mathit{plus}(x,0,y)$ [simplify 5, subsumed 3]

Infinite Descent

  • Goal:

    • A conjunction of predicates and constraints
    • $\varphi(x,y,z) \leftarrow p(x), q(y), r(z)$

  • Subsumption:

    • Goal $G_1$ subsumes $G_2$ if there is $\theta$, such that
    • $G_1 \rightarrow G_2\theta$.
    • Thus,
      • Every solution to $\neg G_2$ contains a solution to $\neg G_1$.

Infinite Descent

  • Tabling in Datalog/Prolog: memoize answers [42].
  • Tabling + memoize and generalize queries [12, 32, 41].
    • saturation by super-position [22].
  • What relationships can be made between Infinite Descent and Fold/Unfold proofs?

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Predicate Abstraction: Houdini [23]

  • For each predicate $p(x)$
    • Create set of candidate solutions
      • $\mathit{Sol}_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
  • Check each clause $p(x) \leftarrow q(y), \psi(x,y)$
    • $\varphi \in \mathit{Sol}_p$:
    • if $\neg (\forall x,y \ . \ (\bigwedge \mathit{Sol}_q(y) \land \psi(x,y) \rightarrow \varphi(x))$
      • then remove $\varphi$ from $\mathit{Sol}_p$.
  • Fail if $\mathit{Sol}_p$ is empty.
  • Succeed if fixedpoint where each clause checks.

Predicate Abstraction: Cartesian Templates [26]

  • For each predicate $p(x)$
    • Create set of candidate properties and states.
      • $P_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
      • $S_p := \{ \}$
  • For each clause $p(x) \leftarrow q(x) \land \psi(x)$
    • $S_p := S_p \cup \{ \{ \bigwedge_i \varphi_i\; \mid\; \theta \land \psi(x) \rightarrow \varphi_i(x) \mbox{ is valid} \} \mid \theta \in S_q \}$
  • Fail if query, for “$\theta \land \varphi \rightarrow \false$” is not valid for some $\theta\in S_q$.
  • Succeed if fixedpoint reached while maintaining infeasible query.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Interpolants [26, 38, 40]

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}]\]

IC3 recap

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until ∞

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until ∞

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until ∞

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until ∞

  • Induction For $0 \leq i < N$, a clause