Software Model Checking with Horn Clauses

Beamed by Daan Leijen's Madoko

Nikolaj Bjørner
In collaboration with Arie Gurfinkel, Ken McMillan, Andrey Rybalchenko
VTSA Summer School, 2014

Contents

  • Horn Clauses
  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Why Horn Clauses?

Reduce Program Analysis to Constraint Solving

Program Semantics $\equiv$ Hoare Logic [20, 24, 29, 37]
$\equiv$ Existential Fixedpoint Logic [13]
$\equiv$ Constrained Horn Clauses
$\equiv$ Proof rules [26]



Note: Specialized algorithms are used to solve Horn clauses.

  • Top down: start with query (bad state) (SLD resolution)
  • Bottom up: start with facts (initial states)

Horn Clauses

  • Constrained Horn Clause:

    • $p(x) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • Logical interpretation
      • $\forall x, y, z\ .\ q(z) \land r(z) \land \varphi(x,y,z) \rightarrow p(x)$
    • $p, q, r$ - predicate symbols
    • $\varphi, \psi$ - formulas over assertion language $\mathcal{A}$.
    • $\mathcal{A}$ - quantifier-free (integer) linear arithmetic,

  • Abbreviations:

    • $p(x) \leftarrow (q(y) \lor r(z)), \varphi(x,y,z)$.
    • $(p(x)\land q(x)) \leftarrow r(y), \psi(x,y)$.

Horn+ Clauses

  • Universal Horn Clauses [10]:

    • $p(x) \leftarrow (\forall u . q(u, y)), r(z), \varphi(x,y,z)$
    • uses universal quantifier in body.

  • Existential Horn Clauses [6]:

    • $(\exists y . p(x,y)) \leftarrow q(y), r(z), \varphi(x,y,z)$
    • uses existential quantifier in head.

Horn SAT and UNSAT

UNSAT SAT
Produce a Produce an explicit model, or
resolution proof proof that there is no resolution proof
Focus of CLP Aim of our efforts


  • Claim: relative completeness:
    • There is no third case, modulo completeness of assertion language.
  • Claim: UNSAT is r.e. when SAT for $\mathcal{A}$ is r.e.
    • e.g., if assertion is wrong, there is a finite counter-example.
  • Claim: SAT is generally not r.e.
    • Bounds for finite domains given by Datalog query complexity
  • Note: relative completeness does not hold for Horn+ clauses.

Transitions $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states
  • $\mathit{step}(v, v')$ - transition relation
  • $\mathit{safe}(v)$ - safe states

Transitions $\Rightarrow$ Horn Clauses

\[ \begin{array}[t]{@{}l@{}} \exists \unk{\mathit{inv}}:\\[\jot] \begin{array}[t]{@{}l@{\hspace{10ex}}l@{}} \unk{\mathit{inv}(v)} \leftarrow \mathit{init}(v) &\\[\jot] \unk{\mathit{inv}(v')} \leftarrow \unk{\mathit{inv}(v)} \land \mathit{step}(v,v') & \\[\jot] \mathit{safe}(v) \leftarrow \unk{\mathit{inv}(v)} & \text{safety} \end{array} \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • $v$ - program variables
  • $\mathit{init}(v)$ - initial states of main procedure
  • $\mathit{step}(v, v')$ - intra-procedural transition relation
  • $\mathit{safe}(v)$ - safe states
  • $\mathit{call}(v, v')$ - parameter passing relation
  • $\mathit{ret}(v, v')$ - return value passing

Programs $\Rightarrow$ Horn Clauses

\[ \begin{array}[t]{@{}l@{}} \exists \unk{\mathit{sum}}:\\[\jot] \mbox{}\\[\jot] \quad \begin{array}[t]{@{}l@{}} \unk{\mathit{sum}(v_0,v_0)} \leftarrow \mathit{init}(v_0) \\[\jot] \unk{\mathit{sum}(v_0,v_2)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{step}(v_1, v_2) \\[\jot] \unk{\mathit{sum}(v_0,v_2)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2) \\[\jot] \unk{\mathit{sum}(v_0,v_4)} \leftarrow \unk{\mathit{sum}(v_0,v_1)} \land \mathit{call}(v_1, v_2) \land \unk{\mathit{sum}(v_2,v_3)} \land \mathit{ret}(v_3, v_4) \\[\jot] \mathit{safe}(v_1) \leftarrow \unk{\mathit{sum}(v_0, v_1)} \end{array} \end{array}\]

Programs $\Rightarrow$ Horn Clauses

  • Alternative lenses:
    • Define Hoare Logic, extract Horn clauses.
      • Boogie does this as a side-effect
    • Define continuation passing style semantics of program
      • Success and Failure continuation.
      • Failure contionation feeds into assertions.
      • Success continuation feeds into the next statement.

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{x}\mathspace{1}:=\mathspace{1}\mathid{E}\mathspace{15}&\mathspace{1}\mathid{WP}(\mathid{x}\mathspace{1}:=\mathspace{1}\mathid{E},\mathspace{1}\mathid{Q})\mathspace{9}&\mathspace{1}=\mathspace{1}\mathid{Q}[\mathid{E}/\mathid{x}]\mathbr{} \mathindent{2}\mathid{havoc}\mathspace{1}\mathid{x}\mathspace{14}&\mathspace{1}\mathid{WP}(\mathid{havoc}\mathspace{1}\mathid{x},\mathspace{1}\mathid{Q})\mathspace{8}&\mathspace{1}=\mathspace{1}\forall \mathid{x}\mathspace{1}\ .\mathspace{1}\ \mathid{Q}\mathbr{} \mathindent{2}\mathid{S}_1;\mathspace{1}\mathid{S}_2\mathspace{13}&\mathspace{1}\mathid{WP}(\mathid{S}_1;\mathid{S}_2,\mathspace{1}\mathid{Q})\mathspace{8}&\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{S}_1,\mathspace{1}\mathid{WP}(\mathid{S}_2,\mathspace{1}\mathid{Q}))\mathbr{} \mathindent{2}\mathid{S}_1\mathspace{1}\mid \mathid{S}_2\mathspace{9}&\mathspace{1}\mathid{WP}(\mathid{S}_1\mathspace{1}\mid \mathid{S}_2,\mathspace{1}\mathid{Q})\mathspace{3}&\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{S}_1,\mathspace{1}\mathid{Q})\mathspace{1}\land \mathid{WP}(\mathid{S}_2,\mathspace{1}\mathid{Q})\mathbr{} \mathindent{2}\mathid{assert}\mathspace{1}\varphi &\mathspace{1}\mathid{WP}(\mathid{assert}\mathspace{1}\varphi,\mathspace{1}\mathid{Q})\mathspace{1}&\mathspace{1}=\mathspace{1}\varphi \land \mathid{Q}\mathbr{} \mathindent{2}\mathid{assume}\mathspace{1}\varphi &\mathspace{1}\mathid{WP}(\mathid{assume}\mathspace{1}\varphi,\mathspace{1}\mathid{Q})\mathspace{1}&\mathspace{1}=\mathspace{1}\varphi \rightarrow \mathid{Q} \end{mdMathprearray}\]

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{if}\mathspace{1}\varphi \mathid{then}\mathspace{1}\mathid{S}_1\mathspace{1}\mathid{else}\mathspace{1}\mathid{S}_2\mathspace{1}&\mathspace{1}(\mathid{assume}\mathspace{1}\varphi;\mathspace{1}\mathid{S}_1)\mathspace{1}\mid (\mathid{assume}\mathspace{1}\neg \varphi;\mathspace{1}\mathid{S}_2)\mathbr{} \mathindent{2}\mathid{while}\mathspace{1}\mathid{E}\mathspace{1}\mathid{invariant}\mathspace{1}\mathid{J}\mathspace{1}\mathid{do}\mathspace{1}\mathid{S}\mathspace{5}&\mathspace{1}\mathid{assert}\mathspace{1}\mathid{J};\mathspace{1}\mathid{havoc}\mathspace{1}\mathid{x};\mathspace{1}\mathid{assume}\mathspace{1}\mathid{J};\mathspace{1}\mathbr{} \mathindent{31}&\mathspace{1}((\mathid{assume}\mathspace{1}\mathid{E};\mathspace{1}\mathid{S};\mathspace{1}\mathid{assert}\mathspace{1}\mathid{J};\mathspace{1}\mathid{assume}\mathspace{1}\mathkw{false})\mathspace{1}\mid \mathid{assume}\mathspace{1}\neg \mathid{E})\mathbr{} \mathbr{} \mathindent{2}\mathid{ToHorn}(\mathid{P})\mathspace{1}:=\mathspace{1}\mathid{WP}(\mathid{P},\true) \end{mdMathprearray}\]

What about procedure calls?

Programs $\Rightarrow$ Horn Clauses

\[\begin{mdMathprearray}% \mathindent{2}\mathid{def}\mathspace{1}\mathid{P}(\mathid{x},\mathid{x}'):\mathspace{18}&\mathspace{2}\mathid{WP}(\mathid{P}(\mathid{x},\mathid{x}'),\mathspace{1}\mathid{Q})\mathspace{1}=\mathspace{1}\mathid{WP}(\mathid{assert}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x});\mathspace{1}\mathid{havoc}\mathspace{1}\mathid{x};\mathspace{1}\mathid{assume}\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}'),\mathspace{1}\mathid{Q})\mathbr{} \mathindent{4}\mathid{assume}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x})\mathspace{13}&\mathspace{19}\land \mathid{WP}(\mathid{assume}\mathspace{1}\mathid{Pre}_\mathid{P}(\mathid{x});\mathspace{1}\mathid{Body},\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}'))\mathbr{} \mathindent{4}\mathid{assert}\mathspace{1}\mathid{Post}_\mathid{P}(\mathid{x},\mathid{x}')\mathbr{} \mathindent{4}\mathid{Body} \end{mdMathprearray}\]
  • Claim: Other translations exist.
  • Research question: which one is most suitable?

Dealing with Loose Semantics

  • Is this program safe? 
     l0: if (unknown(x) > 0) goto :error
  • Horn clauses (attempt 1) $\Safe(l_0, \mathit{error}, unknown) \equiv$ 
    l0(x) <- true.
    error <- l0(x), unknown(x) > 0.
  • Possible interpretation: 
    unknown(x) := 0;
    l0 := true;
    error := false;
  • This is probably not what we want.

Dealing with Loose Semantics

Proper semantics obtained by quantifying over all loose models.

\[ \forall f \exists l_0, \mathit{error}\ .\ \Safe(\ell_0, \mathit{error}, f)\]


which is equivalent to:

\[ \exists l_0, \mathit{error} . \forall f \ . \ \Safe(\ell_0(f), \mathit{error}(f), f)\]

Dealing with Loose Semantics and Abduction

More generally, proper semantics is for:

\[ \forall \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \Rightarrow \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]


When there is a canonical interpretation for background theory (arithmetic without division), proper semantics coincides with satisfiability modulo theories , e.g,:

\[ \exists \mathit{aux} \ . \mathit{Background}(\mathit{aux})\ \land \ \exists P \ . \ \mathit{Safe}(P, \mathit{aux})\]

Compare to constraint handling rules in logic programming.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Bottom-up Datalog in $\mu{Z}$.

  • $p(0,1)$

    • Add row $(0,1)$ to $p$.

  • $p(x,y) \leftarrow q(y,x)$

    • $q' := \mathit{rename}_{[0\mapsto 1,1\mapsto 0]}(q)$
    • $p := p \cup q'$

  • $p(x,y) \leftarrow q(x), r(y).$

    • $p := p \cup \mathit{join}(q,r)$

  • $p(x,y) \leftarrow q(x,y,z)$

    • $p := p \cup \mathit{project}_z(q)$

Bottom-up Datalog in $\mu{Z}$

  • Clauses $\rightarrow$ instructions using relational algebra.
    • join
    • project $z$
    • rename $[0 \mapsto 1, 1\mapsto 0]$
    • select $x = y$, $x = 1$
    • filter $\varphi$
  • For efficiency allow combined operations
    • join-project
    • select-project
  • Implementation depends on table representation.

Network Optimized Datalog NoD

  • Option 1: use BDDs to represent tables.

  • Option 2: build tables from ternary bit-vectors.

    • $0{\color{red}{\ast}}10 \equiv 0{\color{red}{1}}10 \cup 0{\color{red}{0}}10$
    • Table is a union of differences of cubes
      • $0\ast\ast\ast\ast \setminus \{ 010\ast\ast, 001\ast\ast, 0\ast\ast10, 0\ast\ast01\}$
      • Same as 01100, 01111, 00011, 00000

  • Option 3,4,..: Use hash tables, B-trees, bit-maps

    • Work in some pointer-analysis applications, but not for header spaces

Network Optimized Datalog

\begin{picture}(100,70)(-10,0) \thicklines \put(0, 60){$A$} \put(7, 63){\vector(1,0){20}} \put(27, 60){$\router{1}$} \put(37, 63){\vector(1,0){60}} \put(100,60){$\router{2}$} \put(110,63){\vector(1,0){20}} \put(131,60){$B$} \put(32, 59){\vector(2,-3){30}} \put(68, 15){\vector(2, 3){30}} \put(60, 5){$\router{3}$} \put(70, 10){\vector(1,0){30}} \put(105, 5){$D$} \end{picture} $ \begin{array}{lllll} \mathit{in} & dst & src & \mathit{rewrite} & \mathit{out} \\ \hline \router{1} & 10\star & 01\star & & \router{2} \\ \router{1} & 1\star\star & \star\star\star & & \router{3} \\ \hline \router{2} & 10\star & \star\star\star & & B \\ \hline \router{3} & \star\star\star & 1\star\star & & D \\ \router{3} & 1\star\star & \star\star\star & dst[1] := 0 & \router{2} \end{array} $

Network Optimized Datalog

\[\begin{mdMathprearray}% \mathid{G}_{12}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\dst =\mathspace{1}10\star \land\ \src =\mathspace{1}01\star \mathbr{} \mathid{G}_{13}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\neg \mathid{G}_{12}\ \land\ \dst =\mathspace{1}1\star\star\mathbr{} \mathid{G}_{2\mathid{B}}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\dst =\mathspace{1}1\mathspace{1}0\mathspace{1}\star \mathbr{} \mathid{G}_{3\mathid{D}}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\src =\mathspace{1}1\star\star \mathbr{} \mathid{G}_{32}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{7}\neg \mathid{G}_{3\mathid{D}}\mathspace{1}\ \land \ \dst =\mathspace{1}1\star\star \mathbr{} \mathit{Id}\mathspace{2}&\mathspace{1}:=\mathspace{1}&\mathspace{2}\src'\mathspace{1}=\mathspace{1}\src \ \land \ \dst'\mathspace{1}=\mathspace{1}\dst \mathbr{} \mathit{Set0}\mathspace{1}&\mathspace{1}:=\mathspace{1}&\mathspace{1}\src'\mathspace{1}=\mathspace{1}\src \ \land \ \dst'\mathspace{1}=\mathspace{1}\dst[2]\ 0\ \dst[0]\mathspace{1} \end{mdMathprearray}\]

Network Optimized Datalog

\[\begin{mdMathprearray}% \mathindent{4}&\mathspace{1}&\mathspace{1}\mathid{B}(\dst,\src)\mathspace{1}\mathbr{} \mathindent{4}\router{1}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{12}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \router{2}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{1}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{13}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \router{3}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{2}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{2\mathid{B}}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \mathid{B}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{3}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{3\mathid{D}}\mathspace{1}\land \mathit{Id}\mathspace{1}\land \mathid{D}(\dst',\src')\mathspace{1}\mathbr{} \mathindent{4}\router{3}(\dst,\src)\mathspace{1}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\mathid{G}_{32}\mathspace{1}\land \mathit{Set0}\mathspace{1}\land \router{2}(\dst',\src')\mathbr{} \mathindent{4}\mathid{A}(\dst,\src)\mathspace{3}&\mathspace{1}:-\mathspace{1}&\mathspace{2}\router{1}(\dst,\src)\mathspace{1}\mathbr{} \mathindent{9}&\mathspace{1}?\mathspace{1}&\mathspace{2}\mathid{A}(\dst,\src)\mathspace{1} \end{mdMathprearray}\]

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Fold-Unfold

\[\begin{mdMathprearray}% \mathindent{25}&\mathspace{1}\mathid{fold}\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x})\mathbr{} \mathid{nat}(0).\mathspace{1}\mathbr{} \mathid{nat}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{p}(\mathid{x})),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{1}\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{p}(\mathid{x})),\mathspace{1}\mathid{nat}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{s}(\mathid{x})),\mathspace{1}\mathid{pre}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathbr{} \mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{2} \end{mdMathprearray}\]

Fold-Unfold

\[\begin{mdMathprearray}% \mathid{nat}(0).\mathspace{1}\mathbr{} \mathid{nat}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathkw{false}.\mathspace{1}\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathkw{false}.\mathbr{} \mathid{pre}(\mathid{p}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathspace{5}&\mathspace{1}\mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathbr{} \mathid{pre}(\mathid{s}(\mathid{x}))\mathspace{1}\leftarrow \mathid{pre}(\mathid{x}).\mathbr{} \mathkw{false}\mathspace{1}\leftarrow \mathid{nat}(\mathid{x}),\mathspace{1}\mathid{pre}(\mathid{x}).\mathspace{2} \end{mdMathprearray}\]

Fold-Unfold

\[ \begin{array}{ll} \begin{array}{l} nat(0). \\ nat(s(x)) \leftarrow nat(x). \\ pre(p(x)) \leftarrow nat(x). \\ pre(p(x)) \leftarrow pre(x). \\ pre(s(x)) \leftarrow pre(x). \\ \false \leftarrow nat(x), pre(x). \end{array} \begin{array}{l} \false \leftarrow \false. \\ \false \leftarrow \false. \\ \underbrace{\false \leftarrow \false.}_{\mbox{fold with original def.}} \\ \end{array} \end{array}\]

Fold-Unfold

Unfold

\[ \begin{array}{ll} q(y) \leftarrow B_1 & \\ q(y) \leftarrow B_2 & p(x) \leftarrow B_1, C \\ p(x) \leftarrow q(y), C & p(x) \leftarrow B_2, C \end{array}\]

Fold

\[ \begin{array}{ll} p(x) \leftarrow B[x,y], C & p(x) \leftarrow q(x,y), C \\ p'(x) \leftarrow B[x,y], C' & p'(x) \leftarrow q(x,y), C' \end{array}\]

Fold-Unfold

New Definition

\[ p(x) \leftarrow B[x,y], C. \ \ q(x,y) \leftarrow B[x,y]\]

Rewriting, such as rewriting equalites

\[ \begin{array}{ll} p(x) \leftarrow B[t,y] & p(x) \leftarrow B[z,y], t = z \end{array}\]

Fold-Unfold Analysis

  • Fold-unfold used in context of Prolog or CLP.
    • Highly expressive assertion language.
  • When does Fold-Unfold terminate if $\false$ is derivable?
  • When is fold-unfold a decision procedure?
    • Boolean Horn clauses (finite domains).
    • Horn clauses for simple push-down systems?

Fold-Unfold References

  • [15, 43, 44] Classics
  • [39] Unfold/Fold for Verification
  • MAPS system, [28]
  • [25] Fold/unfold + magic + polyhedra + interpolants

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Magic

  • $A(x) \leftarrow p(y), q(z), \phi(x, y, z).$
  • $r(x) \leftarrow B(x,z), A(z) $


  • $A_{ans}(x) \leftarrow A_{query}(x), p_{ans}(y), q_{ans}(z), \phi(x,y,z).$
  • $A_{query}(z) \leftarrow r_{query}(x), B(x,z).$

Magic Example

\[\begin{array}{rcl} Q(x) & \leftarrow & A(y), B(z), \phi_1(x,y,z). \\ Q(x) & \leftarrow & C(y), \phi_2(x,y). \\ A(x) & \leftarrow & C(y), \phi_3(x,y). \\ A(x) & \leftarrow & A(y), \phi_3(x,y). \\ B(x) & \leftarrow & C(y), A(z), \phi_4(x,y,z). \\ C(x) & \leftarrow & \phi_5(x). \end{array}\]
\[\begin{mdMathprearray}% \mathindent{4}\mathid{Q}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{A}(\mathid{y}),\mathspace{1}\mathid{B}(\mathid{z}),\mathspace{1}\phi_1(\mathid{x},\mathid{y},\mathid{z}).\mathbr{} \mathindent{4}\mathid{Q}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\phi_2(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{A}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\phi_3(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{A}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{A}(\mathid{y}),\mathspace{1}\phi_3(\mathid{x},\mathid{y}).\mathspace{1}\mathbr{} \mathindent{4}\mathid{B}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\mathid{C}(\mathid{y}),\mathspace{1}\mathid{A}(\mathid{z}),\mathspace{1}\phi_4(\mathid{x},\mathid{y},\mathid{z}).\mathbr{} \mathindent{4}\mathid{C}(\mathid{x})\mathspace{2}&\mathspace{1}\leftarrow &\mathspace{2}\phi_5(\mathid{x}).\mathspace{1} \end{mdMathprearray}\]

Magic Example

\[\begin{array}{rcl} Q_{ans}(x) & \leftarrow & Q_{query}(x), A_{ans}(y), B_{ans}(z), \phi_1(x,y,z). \\ Q_{ans}(x) & \leftarrow & Q_{query}(x), C_{ans}(y), \phi_2(x,y). \\ Q_{query}(x) & \leftarrow & \true. \end{array}\]

Magic Example

\[\begin{array}{rcl} A_{ans}(x) & \leftarrow & A_{query}(x), C_{ans}(y), \phi_2(x,y). \\ A_{ans}(x) & \leftarrow & A_{query}(x), A_{ans}(y), \phi_3(x,y). \\ A_{query}(y) & \leftarrow & Q_{query}(x), \phi_1(x,y,z). \\ A_{query}(y) & \leftarrow & A_{query}(x), \phi_3(x,y). \\ A_{query}(z) & \leftarrow & B_{query}(x), C_{ans}(y), \phi_4(x,y,z). \end{array}\]

Magic Example

\[\begin{array}{rcl} B_{ans}(x) & \leftarrow & B_{query}(x), C_{ans}(y), A_{ans}(z), \phi_4(x,y,z). \\ B_{query}(z) & \leftarrow & Q_{query}(x), A_{ans}(y), \phi_1(x,y,z). \end{array}\]
\[\begin{array}{rcl} C_{ans}(x) & \leftarrow & C_{query}(x), \phi_5(x). \\ C_{query}(y) & \leftarrow & Q_{query}(x), \phi_2(x,y). \\ C_{query}(y) & \leftarrow & Q_{query}(x), \phi_3(x,y). \\ C_{query}(y) & \leftarrow & B_{query}(x), \phi_4(x,y,z). \end{array}\]

What is the Magic?

  • Introduced in Datalog to emulate top-down using bottom-up evalution.
  • Supplies constraints from calling context.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Infinite Descent Example

  1. $\mathit{plus}(0,x,x).$

  2. $\mathit{plus}(s(x),y,s(z)) \leftarrow \mathit{plus}(x,y,z).$

  3. $x = y \leftarrow \mathit{plus}(x,0,y)$

  4. $x = y \leftarrow \mathit{plus}(x,0,y), x = 0, y = 0$ [1,3, tautology]

  5. $s(x) = s(y) \leftarrow \mathit{plus}(x,0,y)$ [2,3]

  6. $x = y \leftarrow \mathit{plus}(x,0,y)$ [simplify 5, subsumed 3]

Infinite Descent

  • Goal:

    • A conjunction of predicates and constraints
    • $\varphi(x,y,z) \leftarrow p(x), q(y), r(z)$

  • Subsumption:

    • Goal $G_1$ subsumes $G_2$ if there is $\theta$, such that
    • $G_1 \rightarrow G_2\theta$.
    • Thus,
      • Every solution to $\neg G_2$ contains a solution to $\neg G_1$.

Infinite Descent

  • Tabling in Datalog/Prolog: memoize answers [42].
  • Tabling + memoize and generalize queries [12, 32, 41].
    • saturation by super-position [22].
  • What relationships can be made between Infinite Descent and Fold/Unfold proofs?

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Predicate Abstraction: Houdini [23]

  • For each predicate $p(x)$
    • Create set of candidate solutions
      • $\mathit{Sol}_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
  • Check each clause $p(x) \leftarrow q(y), \psi(x,y)$
    • $\varphi \in \mathit{Sol}_p$:
    • if $\neg (\forall x,y \ . \ (\bigwedge \mathit{Sol}_q(y) \land \psi(x,y) \rightarrow \varphi(x))$
      • then remove $\varphi$ from $\mathit{Sol}_p$.
  • Fail if $\mathit{Sol}_p$ is empty.
  • Succeed if fixedpoint where each clause checks.

Predicate Abstraction: Cartesian Templates [26]

  • For each predicate $p(x)$
    • Create set of candidate properties and states.
      • $P_p := \{\varphi_1(x), \ldots, \varphi_n(x)\}$
      • $S_p := \{ \}$
  • For each clause $p(x) \leftarrow q(x) \land \psi(x)$
    • $S_p := S_p \cup \{ \{ \bigwedge_i \varphi_i\; \mid\; \theta \land \psi(x) \rightarrow \varphi_i(x) \mbox{ is valid} \} \mid \theta \in S_q \}$
  • Fail if query, for “$\theta \land \varphi \rightarrow \false$” is not valid for some $\theta\in S_q$.
  • Succeed if fixedpoint reached while maintaining infeasible query.

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Interpolants [26, 38, 40]

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

IC3

  • $\vec{x}$ are state variables.

  • $m$ is a monome (a conjunction of literals).

  • $\varphi$ is a clause (a disjunction of literals).

  • Convention: $m[\vec{x}]$ is a monome over variables $\vec{x}$, $m[\vec{x}_0]$ is a renaming of the same monome $m$ to variables $\vec{x}_0$.

IC3 recap

  • $\langle \vec{x}, \Init(\vec{x}), \rho(\vec{x_0},\vec{x}), \Safe(\vec{x})\rangle$ - a transition system.
  • $\Safe$ - good states.
  • $\cF(R)[\vec{x}_0,\vec{x}]$ - forward predicate transformer.
    • Given reachable states $R$, produce “states can be reached by including another step”.
    • From Transition System: $\Init[\vec{x}_0] \ \vee \ (R(\vec{x}_0) \wedge \rho[\vec{x}_0,\vec{x}])$
    • From Horn Clauses: $\bigvee_i Body_i[\vec{x}_0,\vec{x}]$, where
      \[ R(\vec{x}) \leftarrow Body_1[\vec{x}_0,\vec{x}] \vee \ldots\vee Body_k[\vec{x}_0,\vec{x}]\]

IC3 recap

  • $R_0, R_1, \ldots, R_N$ properties of states reachable within $i$ steps.
  • $R_i$ are sets of clauses.
  • Initially $R_0 = \Init$.
  • $\Queue$ a queue of counter-example trace properties. Initially $\Queue = \emptyset$.
  • $N$ a level indication. Initially $N = 0$.

Expanding Traces

repeat until ∞

  • Candidate If for some $m$, $m \rightarrow R_N \land \neg \Safe$, then add $\langle m, N\rangle$ to $\Queue$.

  • Unfold If $R_N \rightarrow \Safe$, then set $N \leftarrow N + 1, R_{N} \leftarrow \true$.

Termination

repeat until ∞

  • Unreachable For $i < N$, if $R_i \subseteq R_{i+1}$, return Unreachable.

  • Reachable If $\langle m, 0 \rangle \in \Queue$, return Reachable.

Backtracking

repeat until ∞

  • Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that

    • $\neg\varphi\subseteq m$,
    • $\cF(R_i \land \varphi) \rightarrow \varphi$,
      then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Leaf If $\langle m, i\rangle \in \Queue$, $0 < i < N$ and $m \land \cF(R_{i-1})$ is unsatisfiable, then add $\langle m, i + 1\rangle$ to $\Queue$.

Inductive Generalization

repeat until ∞

  • Induction For $0 \leq i < N$, a clause $(\varphi \lor\psi)\ \in R_i$, $\varphi\not\in R_{i+1}$, if $\cF(R_i \wedge \varphi)\rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for each $j \leq i + 1$.

IC3 beyond SAT

Decide - Generalized form

Decide Add $\langle m_0[\vec{x}], i\rangle$ to $\Queue$ if $\langle m[\vec{x}], i+1\rangle \in \Queue$, $m' \land m_0[\vec{x}_0] \ \rightarrow \ \cF(R_{i})[\vec{x}_0,\vec{x}] \land m$.

  • [14, 21] Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ gives (near prime implicant) $m_0$.
  • [30] Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignment $m_0$.
  • [17, 33] Partial quantifier elimination.
  • [36] $(\exists\vec{x} \ . \ m \land \cF(R_{i})[\vec{x}_0,\vec{x}]) \ \equiv\ \bigvee_i \psi_i[\vec{x}_0]$ where $\psi_i$ are quantifier-free. Use model for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ to compute $\psi_i$ without expanding full disjunction.
  • [19, 31] Keep vocabulary of literals fixed (= predicate abstraction).

Loos-Weispfenning QE

  • $\varphi$ in NNF
  • $E$ set of $x = t$ atoms in $\varphi$
  • $L$ set of $x > s$ atoms in $\varphi$
  • $U$ set of $x < t$ atoms in $\varphi$
  • there are no other occurrences of $x$ in $\varphi[x]$

\[ \exists x \ . \ \varphi[x] \equiv \varphi[\infty] \vee \bigvee_{(x = t) \in E} \varphi[t] \vee \bigvee_{(x < t) \in U} \varphi[t - \epsilon] \]

  • Note: $(x < t')[t - \epsilon] \equiv t \leq t'$
  • Pick disjunction corresponding to satisfied equality or inequality.

Decide - Generalized form

Pssst: I am replacing $m, m_0, m'$ by greek letters.

  • Decide Add $\langle \phidown[\vec{x}], i\rangle$ to $\Queue$, if
    • $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$,
    • $\phidown[\vec{x}_0] \wedge \theta[\vec{x}]$ is consistent,
    • $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$, and
    • $\phidown[\vec{x}_0] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})(\vec{x}_0,\vec{x})$

Interpolating Conflict

Conflict Let $0 \leq i < N$: given a candidate model $\langle m, i+1\rangle\in\Queue$ and clause $\varphi$, such that $\neg\varphi\subseteq m$, if $\cF(R_i \land \varphi) \rightarrow \varphi$, then conjoin $\varphi$ to $R_{j}$, for $j \leq i + 1$.

  • Note: $(\neg\varphi\subseteq m)$ $\equiv$ $(\varphi \rightarrow \neg m)$.
  • By monotonicity: $(\cF(R_i) \rightarrow \varphi) \ \rightarrow \ (\cF(R_i \land \varphi) \rightarrow \varphi)$.
  • Interpolation as special case: $\cF(R_i) \rightarrow \varphi, \varphi \rightarrow \neg m.$
  • Overkill for SAT (use unsat core), but for SMT may supply candidate predicates.
  • For conjunction of inequalities $m$, interpolation is “simple”.

Farkas+T Lemmas

  • $m$ is conjunction of inequalities $x \geq 6 \land y \geq 7 \land \ldots$
  • $\cF(R_i)$ is quantifier-fee formula
  • $\cF(R_i) \land m$ is unsat
  • Let $C$ be a conflict that contains literals from $m$: $C := C_m \land C'$
  • Let $r := r_m r'$ be Farkas coefficients
  • So $r\cdot C \equiv 1 < 0$
  • So $m \rightarrow \neg r'C'$
  • Return $\bigwedge \neg r'_iC'_i$ instead of $m$

Interpolating Conflict

Conflict Let $0 \leq i < N$: given a candidate model $\langle \varphi, i+1\rangle\in\Queue$ and a formula $\phiup$, such that $\cF(R_i) \to \phiup$, $\phiup \to \neg \varphi$, then conjoin $\phiup$ to $R_{j}$, for $j \leq i + 1$.

Branching

DAG Branching

Recall predicate transformer for McCarthy91:

$\cF(R_i)[x,z,r] := (x > 100 \land r = x - 10) \lor (x \leq 100 \land R_i(x+11,z) \land R_i(z,r))$


Decide now spawns two children.

Decide If $\langle \varphi[\vec{x}], i+1\rangle \in \Queue$ and there are consistent $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\phidown[\vec{x}_0] \land \psidown[\vec{x}_1] \land \theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$, then add $\langle \phidown[\vec{x}], i\rangle$, $\langle \psidown[\vec{x}], i\rangle$ to $\Queue$.

Searching a DAG

We also have to take DAG unfolding into acount.

Base Mark $\langle \varphi[\vec{x}], i\rangle \in \Queue$ if $i = 0$ or if there is a consistent $\theta[\vec{x}]$ such that $\theta[\vec{x}] \rightarrow \varphi[\vec{x}]$ and $\theta[\vec{x}] \ \rightarrow\ \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$.
Close Mark $\langle \varphi[\vec{x}], i+1\rangle$ if all children are marked.
Reachable If $\langle \varphi, 0 \rangle$ is marked, return Reachable.

Searching a DAG

  • Model from propositional SAT check for $m \land \cF(R_{i})[\vec{x}_0,\vec{x}_1, \vec{x}]$ gives us $\phidown, \psidown$.
  • Idea: Model from SMT check for arithmetical $m \land \cF(R_{i})[\vec{x}_0,\vec{x}]$ produces numerical assignments.
  • Effect: models explored in branches are far from prime $\Rightarrow$ lemmas become too weak.

Search with Under-approximations [36]

  • Instead of tracking progress using marking use under approximations.
  • Maintain $U_0 := \false, U_1, U_2, \ldots, U_N$ of under approximations.
  • Recall that $R_0 := \false, R_1, R_2, \ldots, R_N$ are over approximations.
  • Satisfying
    • $R_i \leftarrow U_i \rightarrow U_{i+1} \rightarrow \cF(U_i)$.

Search with Under-approximations

Decide and Conflict pushing a goal $\langle \varphi, i+1 \rangle$ over $\cF(\_,\_)$

\[\xymatrix @-0.5em{ & \cF(R_i,R_i) \\ \cF(U_i,R_i) \ar[ur] & & \cF(R_i,U_i) \ar[ul] \\ & \cF(U_i,U_i) \ar[ul] \ar[ur] }\]
  • If $\varphi \land \cF(R_i,R_i) \equiv \bot$, then goal cannot be reached.
  • If $\varphi \land \cF(U_i,U_i) \not\equiv \bot$, then goal can be reached.
  • Otherwise case split on $\varphi \land \cF(U_i,R_i)$.

Search with Under-approximations

Reachable If $U_N \land \neg\Safe$ is satisfiable, then return Reachable.
Decide$_1$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(U_i, U_i) \land \varphi \equiv \bot$.
- $\cF(R_i, U_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_0] \rightarrow \exists \vec{x}_1, \vec{x} \ . \ \cF(R_i,U_i) \land \varphi$ 
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Decide$_2$ For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, add $\langle \phidown, i\rangle$ to $\Queue$ if:
- $\cF(R_i, U_i) \land \varphi \equiv \bot$ .
- $\cF(R_i, R_i) \land \varphi \not\equiv \bot$.
- $\phidown[\vec{x}_1] \rightarrow \exists \vec{x}_0, \vec{x} \ . \ \cF(R_i,R_i) \land \varphi$
- $\phidown$ is disjoint from $\psi$ for every $\langle \psi, i\rangle \in \Queue$.
Close For $0 \leq i < N$ for $\langle \varphi, i+1\rangle \in \Queue$, if $\cF(U_i,U_i) \land \varphi$ is satisfiable, but $U_{i+1} \land \varphi$ is unsatsifiable, then update $U_{i+1} := U_{i+1} \ \lor \ \psi$, where $\psi \ \rightarrow \ \exists \vec{x}_0, \vec{x}_1 \ . \ \cF(U_i,U_i) \land \varphi$.

Recursion-free Horn Clauses

  • Interpolation in standard form is a special case of Horn Clause solving.
    (1)
    \[A(\vec{a},\vec{x}) \rightarrow I(\vec{x}), \ \ \ I(\vec{x}) \rightarrow B(\vec{x},\vec{b})\]
  • IC3 (sans Inductive Generalization) produces as side-effect solutions that are interpolants.
  • Interpolants are quaint, almost beautiful [2, 4, 16].

Contents

  • Methods for solving Horn Clauses:
    • Bottom-up Datalog in $\mu{Z}$
    • Fold/Unfold
    • Magic
    • Infinite Descent
    • Predicate Abstraction
    • Interpolants
    • IC3 (with interpolants)
    • Yogi as Horn clause solving

Yogi as Horn clause solving

f(y) {
  int x, lock = 0;      $\ell_1(x,y,0)$
  do {
    lock = 1;           $\ell_3(x,x,1) \leftarrow \ell_1(x,y,l)$
    y = x;
    if (*) {            $\ell_6(x,y,l) \leftarrow \ell_3(x,y,l)$
      lock = 0;
      y = y + 1;        $\ell_6(x,y+1,0) \leftarrow \ell_3(x,y,l)$
    }
  }
  while( x != y);       $\ell_1(x,y,l) \leftarrow \ell_6(x,y,l) \land x \mathop{\neq} y$
  if (lock != 1)        $\ell_7(x,y,l) \leftarrow \ell_6(x,y,l) \land x = y$
    error();            $\mathit{error} \leftarrow \ell_7(x,y,l) \land l \mathop{\neq} 1$
}

Yogi Saturation

Maintain the following data-structures:

  • Abstract Control Flow Graph a set of propositional Horn clauses.
  • Region Abstraction abstractions for program locations.

Yogi Saturation

Initially:

Region Abstraction Transition Abstraction
$\ell_0(x,y,l) \rightarrow \true$ $\ell_0$
$\ell_1(x,y,l) \rightarrow \true$ $\ell_1\leftarrow\ell_0 \lor \ell_6$
$\ell_3(x,y,l) \rightarrow \true$ $\ell_3\leftarrow\ell_1$
$\ell_6(x,y,l) \rightarrow \true$ $\ell_6\leftarrow\ell_3$
$\ell_7(x,y,l) \rightarrow \true$ $\ell_7\leftarrow\ell_6$
$\mathit{error} \rightarrow \true$ $\mathit{error} \leftarrow \ell_7$
$\false\leftarrow \mathit{error}$

Yogi Saturation

The abstraction is unsatisfiable. A core selects clauses corresponding to the literals: $\ell_0 \land \ell_1 \land \ell_3 \land \ell_6 \land \ell_7$. We check if the symbolic execution of the path is feasible. It is not:

\[ \underbrace{l_0 = 0}_{\ell_1} \land \underbrace{l_1 = 1 \land y_1 = x}_{\ell_3} \land \underbrace{x = y_1}_{\ell_7} \land \underbrace{l_1 \neq 1}_{\mathit{\mathit{error}}} \]

Extract a condition on $\ell_7$ to cut the path.

\[ \ell_7(x,y,l) \Rightarrow l \neq 1\]

Yogi Saturation

The new abstraction is:

Region Abstraction Transition Abstraction
$\ell_0(x,y,l) \rightarrow \true$ $\ell_0$
$\ell_1(x,y,l) \rightarrow \true$ $\ell_1 \leftarrow \ell_0 \lor \ell_6 $
$\ell_3(x,y,l) \rightarrow \true$ $\ell_2 \leftarrow \ell_1$
$\ell_6(x,y,l) \rightarrow \true$ $\ell_6 \leftarrow \ell_3$
$\mathit{error} \rightarrow \true$ $\color{red}{\mathit{error} \leftarrow u\ell_7}$
$\color{red}{\ell_7(x,y,l) \rightarrow u\ell_7(x,y,l) \lor s\ell_7(x,y,l)}$ $\false\leftarrow\mathit{\mathit{error}} $
$\color{red}{u\ell_7(x,y,l) \rightarrow l \neq 1}$ $\color{red}{u\ell_7\leftarrow\ell_6}$
$\color{red}{s\ell_7(x,y,l) \rightarrow l = 1}$ $\color{red}{s\ell_7 \leftarrow\ell_6}$

Yogi Saturation

The system remains unsatisfiable with core

\[ \underbrace{l_0 = 0}_{\ell_1} \land \underbrace{l_1 = 1 \land y_1 = x}_{\ell_3} \land \underbrace{x = y_1 \land l_1 \neq 1}_{u\ell_7}\]

Notice that the core is smaller, it uses the invariant associated with $u\ell_7$ and does not symbolically execute $u\ell_7$.

The transition $\ell_6$ is refined in a similar way.

Yogi Saturation

Region Abstraction Transition Abstraction
$\ell_0(x,y,l) \rightarrow \true$ $\ell_0$
$\ell_1(x,y,l) \rightarrow \true$ $\ell_1 \leftarrow \ell_0 \lor s\ell_6\lor u\ell_6$
$\ell_3(x,y,l) \rightarrow \true$ $\ell_3 \leftarrow \ell_1$
$\mathit{error} \rightarrow \true$ $\mathit{error} \leftarrow u\ell_7$
$\color{red}{\ell_6(x,y,l) \rightarrow u\ell_6(x,y,l)\lor s\ell_6(x,y,l)}$
$\color{red}{u\ell_6(x,y,l) \rightarrow l\neq 1 \land x = y}$ $\color{red}{u\ell_6 \leftarrow \ell_3}$
$\color{red}{s\ell_6(x,y,l) \rightarrow l = 1 \land x \neq y}$ $\color{red}{s\ell_6 \leftarrow \ell_3}$
${\ell_7(x,y,l) \rightarrow u\ell_7(x,y,l)\lor s\ell_7(x,y,l)}$ $\false\leftarrow \mathit{error}$
${u\ell_7(x,y,l) \rightarrow l \neq 1}$ ${u\ell_7\leftarrow u\ell_6}$
${s\ell_7(x,y,l) \rightarrow l = 1}$ ${s\ell_7\leftarrow s\ell_6}$

Yogi Saturation

The state invariants are used by the symbolic simulator. They are added to the path condition during simulation.

The system remains unsatisfiable with core

\[ \underbrace{l_0 = 0}_{\ell_1} \land \underbrace{l_1 = 1 \land y_1 = x}_{\ell_3} \land \underbrace{x = y_1 \land l_1 \neq 1}_{u\ell_6}\]

Yogi Saturation

Split $\ell_3$:

Region Abstraction Transition Abstraction
$\ell_0(x,y,l) \rightarrow \true$ $\ell_0$
$\ell_1(x,y,l) \rightarrow \true$ $\ell_1\leftarrow \ell_0 \lor u\ell_6\lor s\ell_6$
$\color{red}{u\ell_3(x,y,l) \rightarrow l \neq 1}$
$\color{red}{s\ell_3(x,y,l) \rightarrow l = 1}$ $\color{red}{s\ell_3 \leftarrow\ell_1}$
$\mathit{error} \rightarrow \true$ $\mathit{error} \leftarrow u\ell_7$
$\ell_6(x,y,l) \rightarrow u\ell_6(x,y,l)\lor s\ell_6(x,y,l)$
$u\ell_6(x,y,l) \rightarrow l\neq 1 \land x = y$ $\color{red}{u\ell_6 \leftarrow u\ell_3}$
$s\ell_6(x,y,l) \rightarrow l = 1 \land x \neq y$ $\color{red}{s\ell_6 \leftarrow s\ell_3}$
$\ell_7(x,y,l)\rightarrow u\ell_7(x,y,l)\lor s\ell_7(x,y,l)$ $\false\leftarrow\mathit{\mathit{error}}$
$u\ell_7(x,y,l) \rightarrow l \neq 1$ $u\ell_7 \leftarrow u\ell_6$
$s\ell_7(x,y,l) \rightarrow l = 1$ $s\ell_7 \leftarrow s\ell_6$

Yogi Saturation

The transition $s\ell_3$ to $u\ell_6$ is still feasible. Simulation produces the core:

\[ \underbrace{l_0 = 0}_{\ell_1} \land \underbrace{l_1 = 1 \land y_1 = x}_{s\ell_3} \land \underbrace{y_1+1 = y_2 \land l_2 = 0 \land l_2 \neq 0 \land y_2 = x}_{u\ell_6} \]

So we can conclude that $s\ell_3(x,y,l) \rightarrow x = y$. The resulting abstraction is satisfiable.

Yogi Saturation

Region Abstraction Transition Abstraction
$\ell_0(x,y,l) \rightarrow \true$ $\ell_0$
$\ell_1(x,y,l) \rightarrow \true$ $\ell_1 \leftarrow \ell_0\lor u\ell_6\lor s\ell_6$
$u\ell_3(x,y,l) \rightarrow l \neq 1$
$s\ell_3(x,y,l) \rightarrow l = 1 \color{red}{\land x = y}$ $s\ell_3 \leftarrow \ell_1$
$\ell_6(x,y,l) \rightarrow u\ell_6(x,y,l)\lor s\ell_6(x,y,l)$
$u\ell_6(x,y,l) \rightarrow l\neq 1 \land x = y$
$s\ell_6(x,y,l) \rightarrow l = 1 \land x \neq y$ $s\ell_6 \leftarrow s\ell_3$
$\mathit{error} \rightarrow \true$ $\mathit{error} \leftarrow u\ell_7$
$\ell_7(x,y,l)\rightarrow u\ell_7(x,y,l)\lor s\ell_7(x,y,l)$ $\false \leftarrow \mathit{error}$
$u\ell_7(x,y,l) \rightarrow l \neq 1$ $u\ell_7\leftarrow u\ell_6$
$s\ell_7(x,y,l) \rightarrow l = 1$ $s\ell_7\leftarrow s\ell_6$

Yogi Saturation

The abstraction that is reachable from $\ell_0$ is also a satisfying interpretation for the original set of Horn clauses. That is, the following interpretation satisfies the Horn clauses:

$\ell_0(x,y,l) := \true$ $\ell_0(x,y,l)$
$\ell_1(x,y,l) := \true$ $\ell_1(x,y,0) \leftarrow \ell_0(x,y,l)$
$\ell_1(x,y,l) \leftarrow \ell_6(x,y,l) \wedge x \neq y$
$\ell_3(x,y,l) := l = 1\land x = y$ $\ell_3(x,x,1) \leftarrow \ell_1(x,y,l)$
$\ell_6(x,y,l) := l = 1\lor x\neq y$ $\ell_6(x,y,l) \leftarrow \ell_3(x,y,l)$
$\ell_6(x,y+1,0) \leftarrow \ell_3(x,y,l)$
$\ell_7(x,y,l) := l = 1$ $\ell_7(x,y,l) \leftarrow \ell_6(x,y,l) \wedge x = y$
$\mathit{\mathit{error}} := \false$ $\mathit{\mathit{error}} \leftarrow \ell_7(x,y,l) \wedge l \neq 1$

Yogi

  • Our presentation choses to use a propositional abstraction of the control flow graph
    • Alternative: simulate reachability check based on the original set of Horn clauses for the system.

Yogi - procedures

  • Procedure call $y := f(x)$ summarized as $F(x,y)$.
  • $F(x,y)$ iff there is a computation of $f(x)$ that terminates with $y$.
  • E.g, $F$ is the least fixed-point of the predicate transformer associated with the procedure $f$. For predicates $P$ (pre-condition) and $Q$ (post-condition), define:
\[\begin{array}{rcl} \langle P \stackrel{?}{\Longrightarrow}_f Q \rangle & = & \exists x y \ . \ P(x) \land Q(y) \land F(x,y) \\ \langle P \stackrel{\mathtt{must}}{\Longrightarrow}_f Q \rangle & = & \forall y \ . \ Q(y) \ \rightarrow \ \exists x (P(x) \land F(x,y)) \\ \langle P \stackrel{\neg \mathtt{may}}{\Longrightarrow}_f Q \rangle & = & \forall y \ . \ F(x,y) \ \rightarrow \ (P(x) \ \rightarrow \ \neg Q(y)) \end{array}\]

Yogi - procedures (SMASH)

The $\neg\mathtt{may}$ abstractions corresponds to procedure summaries. The following properties are used to prune search:

\[\begin{array}{rcl} \langle P' \stackrel{\mathtt{must}}{\Longrightarrow}_f Q' \rangle \land P'\subseteq P \land Q \cap Q' \neq \emptyset & \rightarrow & \langle P \stackrel{?}{\Longrightarrow}_f Q\rangle \\ \langle P' \stackrel{\neg\mathtt{may}}{\Longrightarrow}_f Q' \rangle \land P \subseteq P' \land Q \subseteq Q' & \rightarrow & \neg \langle P \stackrel{?}{\Longrightarrow}_f Q\rangle \end{array}\]

Symbolic execution re-uses must summaries to avoid exploring procedures. $\neg\mathtt{may}$ summaries are used to establish inductive properties.

Example POPL2010.

void main(int i,j) { 
0: int x; 
1: if (i > 2 && j > 2) { 
2:   x = foo(i,j); 
3:   if (x < 0)
4:     assert(false);
     }
   }
 
int g(int j) { 
20: if (j > 0) 
21:   return j; 
22: else 
23:   return -j; 
} 
int foo(int i,j) { 
10: int r,y; 
11: y = bar(i); 
12: if (y > 10) 
13:   r = g(j); 
14: else 
15:   r = y; 
16: return r; 
}

Example POPL2010.

  • Assume $\mustsummary{i > 5}{\mathtt{bar}}{20 < \mathit{retval} < 25}$, $\mustsummary{i = 5}{\mathtt{bar}}{0 < \mathit{retval} < 5}$, $\notmaysummary{\mathit{\mathit{true}}}{\mathtt{bar}}{\mathit{retval} < 0}$.
  • Initial query: $\querysummary{i > 2 \land j > 2}{\mathtt{f}}{\mathit{retval} < 0}$.
  • Learn for $\mathtt{g}$: $\notmaysummary{\mathit{\mathit{true}}}{\mathtt{g}}{\mathit{retval} \geq 0}$.
  • Learn for $\mathtt{foo}$: $\notmaysummary{\mathit{\mathit{true}}}{\mathtt{foo}}{\mathit{retval} \geq 0}$.

must summary is used to fast forward for a feasible path to $\mathtt{g}$ where a $\neg\mathtt{may}$ summary gets inferred to rule out the query.

Horn formulation:

\[\begin{array}{rcl} \forall i, j, x \ . \ i > 2 \land j > 2 \land \mathtt{foo}(i,j,x) & \rightarrow & x \geq 0 \\ \forall j \ . \ j > 0 & \rightarrow & \mathtt{g}(j,j) \\ \forall j \ . \ j \leq 0 & \rightarrow & \mathtt{g}(j,-j) \\ \forall i,j,y,r \ . \ \mathtt{bar}(i,y) \land y > 10 \land \mathtt{g}(j,r) & \rightarrow & \mathtt{foo}(i,j,r) \\ \forall i,j,y \ . \ \mathtt{bar}(i,y) \land y \leq 10 & \rightarrow & \mathtt{foo}(i,j,y) \end{array}\]

Example POPL2010.

Initial region abstraction:

\[\begin{array}{rcl} \mathtt{bar}(i,y) & \rightarrow & y \geq 0 \\ \mathtt{foo}(i,j,x) & \rightarrow & \true \\ \mathtt{g}(j,r) & \rightarrow & \true \end{array}\]

It checks:

  • $i > 2 \land j > 2 \land \mathtt{foo}(i,j,x) \land x < 0$ and unfolds (the first branch of) $\mathtt{foo}$:
  • $i > 2 \land j > 2 \land \mathtt{bar}(i,y) \land y > 10 \land \mathtt{g}(j,x) \land x < 0$.
  • must summary for bar establishes that some unfolding is consistent with the current constraints. Analysis can therefore proceed to check if some value that is consistent with the must summary is also consistent with the remaining constraints.
  • Neither unfolding of g is feasible and it gives rise to the updated region abstraction for first g and then foo:
    \[\begin{array}{rcl} \mathtt{bar}(i,y) & \rightarrow & y \geq 0 \\ \mathtt{foo}(i,j,x) & \rightarrow & x \geq 0 \\ \mathtt{g}(j,r) & \rightarrow & r \geq 0 \end{array}\]

Yogi Summary

The SMASH algorithm is about exploiting a particular symbolic execution to simplify weakest pre-conditions. Yogi uses weakest pre-conditions to refine the propositional abstraction.

Corral is a newer symbolic Software Model checking system by Akash Lal, Shaz Qadeer. It uses incremental inlining of procedure calls and relies on Houdini to establish inductiveness.

Research Progress and Challenges

  • [18] Quantitative queries
  • [10] Quantified invariants for arrays
  • [6] Game of Horn: Existentials and well-orderings
  • [11] Higher-order recursion schema solving as IC3 + Horn + Data-types
  • Relations to acceleration, fold-unfold, saturation/infinite descent
  • Bit-vectors, arrays [3], strings [1], non-linear arithmetic, EPR [9], Algebraic data-types, …

Bibliography

  • [8, 26] Proof Rules for Program Verification and Horn Clauses.
  • [33] IC3 for timed automata
  • [17] IC3 with partial quantifier elimination
  • [30] IC3 with interpolating conflicts and Horn Clauses
  • [34] IC3 for Petri nets
  • [40] Interpolation for Horn Clauses
  • [35] $\mu$Z + abstraction

Bibliography

  • [5] $\mu$Z pre-processing and benchmaks
  • [36] IC3 + under-approximations for Horn Clause solving
  • [27] $\mu$Z + abstraction for bit-vectors
  • [38] Lazy annotation revisited
  • [19] IC3 + implicit predicate abstraction
  • [31] IC3 + predicate abstraction for EPR
  • [7] IC3 + Polyhedral abstraction
  • [25] Fold/unfold + magic + polyhedra + interpolants

Madoko daan

  • Madoko is a A Fast Scholarly Markdown Processor,
  • intuitive and powerful integration of markdown and LaTeX,
  • browser and Azure based - no installation,
  • immediate preview,
  • real-time collaborative editing,
  • is written in Koka,
  • is by Daan Leijen, Microsoft Research,
  • Madoko is funct-ing slick!

References

[1]  Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holik, Ahmed Rezine, Philipp Rümmer, and Jari Stenman. String constraints for verification. In CAV, pages 150166, 2014. 🔎
[2]  Aws Albarghouthi and Kenneth L. McMillan. Beautiful interpolants. In CAV, pages 313329, 2013. 🔎
[3]  Francesco Alberti, Roberto Bruttomesso, Silvio Ghilardi, Silvio Ranise, and Natasha Sharygina. Safari: Smt-based abstraction for arrays with interpolants. In CAV, pages 679685, 2012. 🔎
[4]  Sam Bayless, Celina Val, Thomas Ball, Holger Hoos, and Alan Hu. Efficient Modular SAT Solving for IC3. In FMCAD, 2013. 🔎
[5]  Josh Berdine, Nikolaj Bjørner, Samin Ishtiaq, Jael E. Kriener, and Christoph M. Wintersteiger. Resourceful reachability as horn-la. In LPAR, pages 137146, 2013. 🔎
[6]  Tewodros A. Beyene, Swarat Chaudhuri, Corneliu Popeea, and Andrey Rybalchenko. A constraint-based approach to solving games on infinite graphs. In POPL, pages 221234, 2014. 🔎
[7]  Nikolaj Bjørner and Arie Gurfinkel. Property Directed Polyhedral Abstraction. In VMCAI, 2015. 🔎
[8]  Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. Program verification as satisfiability modulo theories. In SMT, pages 311, 2012. 🔎
[9]  Nikolaj Bjørner, Arie Gurfinkel, Konstantin Korovin, and Ori Lahav. Instantiations, Zippers and EPR Interpolation. In Short paper at LPAR 19, 2013a. 🔎
[10]  Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. On solving universally quantified horn clauses. In SAS, pages 105125, 2013b. 🔎
[11]  Nikolaj Bjørner, Kenneth L. McMillan, and Andrey Rybalchenko. Higher-order program verification as satisfiability modulo theories with algebraic data-types. CoRR, abs/1306.5264, 2013c. 🔎
[12]  Bruno Blanchet. Using Horn clauses for analyzing security protocols. In Véronique Cortier and Steve Kremer, editors, Formal Models and Techniques for Analyzing Security Protocols, volume 5 of Cryptology and Information Security Series, pages 86111. IOS Press, March 2011. ISBN 978-1-60750-713-0. 🔎
[13]  A. Blass and Y. Gurevich. Existential fixed-point logic. In Computation Theory and Logic, pages 2036, 1987. 🔎
[14]  Aaron R. Bradley. SAT-Based Model Checking without Unrolling. In VMCAI, pages 7087, 2011. 🔎
[15]  R. M. Burstalland and J. Darlington. A transformation system for developing recursive programs. JACM, 24, 1977. 🔎
[16]  Hana Chockler, Alexander Ivrii, and Arie Matsliah. Computing interpolants without proofs. In Armin Biere, Amir Nahir, and Tanja Vos, editors, Hardware and Software: Verification and Testing, volume 7857 of Lecture Notes in Computer Science, pages 7285. Springer Berlin Heidelberg, 2013. 🔎
[17]  Alessandro Cimatti and Alberto Griggio. Software Model Checking via IC3. In CAV, pages 277293, 2012. 🔎
[18]  Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. Parameter synthesis with ic3. In FMCAD, pages 165168, 2013. 🔎
[19]  Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. IC3 Modulo Theories via Implicit Predicate Abstraction. In TACAS, pages 4661, 2014. 🔎
[20]  Stephen A. Cook. Soundness and completeness of an axiom system for program verif. SIAM J. Comput., 7 (1): 7090, 1978. 🔎
[21]  Niklas Eén, Alan Mishchenko, and Robert K. Brayton. Efficient implementation of property directed reachability. In FMCAD, pages 125134, 2011. 🔎
[22]  Arnaud Fietzke and Christoph Weidenbach. Superposition as a decision procedure for timed automata. Mathematics in Computer Science, 6 (4): 409425, 2012. doi:10.1007/s11786-012-0134-5. URL http://dx.doi.org/10.1007/s11786-012-0134-5. 🔎
[23]  Cormac Flanagan and K. Rustan M. Leino. Houdini, an annotation assistant for esc/java. In José Nuno Oliveira and Pamela Zave, editors, FME 2001: Formal Methods for Increasing Software Productivity, International Symposium of Formal Methods Europe, Berlin, Germany, March 12-16, 2001, Proceedings, volume 2021 of Lecture Notes in Computer Science, pages 500517. Springer, 2001. ISBN 3-540-41791-5. doi:10.1007/3-540-45251-6_29. URL http://dx.doi.org/10.1007/3-540-45251-6_29. 🔎
[24]  R.W. Floyd. Assigning meaning to programs. In Proceedings Symposium on Applied Mathematics, volume 19, pages 1932. American Math. Soc., 1967. 🔎
[25]  John P. Gallagher and Bishoksan Kafle. Analysis and transformation tools for constrained horn clause verification. CoRR, abs/1405.3883, 2014. URL http://arxiv.org/abs/1405.3883. 🔎
[26]  Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. Synthesizing software verifiers from proof rules. In PLDI, 2012. 🔎
[27]  Arie Gurfinkel, Anton Belov, and Joao Marques-Silva. Synthesizing safe bit-precise invariants. In TACAS, pages 93108, 2014. 🔎
[28]  Manuel V. Hermenegildo, Francisco Bueno, Manuel Carro, Pedro Lopez-Garcia, Edison Mera, José F. Morales, and Germán Puebla. An overview of ciao and its design philosophy. TPLP, 12 (1-2): 219252, 2012. doi:10.1017/S1471068411000457. URL http://dx.doi.org/10.1017/S1471068411000457. 🔎
[29]  C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12 (10): 576580, 1969. 🔎
[30]  Krystof Hoder and Nikolaj Bjørner. Generalized Property Directed Reachability. In SAT, pages 157171, 2012. 🔎
[31]  Shachar Itzhaky, Nikolaj Bjørner, Thomas W. Reps, Mooly Sagiv, and Aditya V. Thakur. Property-directed shape analysis. In CAV, pages 3551, 2014. 🔎
[32]  Joxan Jaffar, Andrew E. Santosa, and Razvan Voicu. An interpolation method for CLP traversal. In Ian P. Gent, editor, Principles and Practice of Constraint Programming - CP 2009, 15th International Conference, CP 2009, Lisbon, Portugal, September 20-24, 2009, Proceedings, volume 5732 of Lecture Notes in Computer Science, pages 454469. Springer, 2009. ISBN 978-3-642-04243-0. doi:10.1007/978-3-642-04244-7_37. URL http://dx.doi.org/10.1007/978-3-642-04244-7_37. 🔎
[33]  Roland Kindermann, Tommi A. Junttila, and Ilkka Niemelä. SMT-Based Induction Methods for Timed Systems. In FORMATS, pages 171187, 2012. 🔎
[34]  Johannes Kloos, Rupak Majumdar, Filip Niksic, and Ruzica Piskac. Incremental, inductive coverability. In CAV, pages 158173, 2013. 🔎
[35]  Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki, and Edmund M. Clarke. Automatic Abstraction in SMT-Based Unbounded Software Model Checking. In CAV, pages 846862, 2013. 🔎
[36]  Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. Smt-based model checking for recursive programs. In CAV, pages 1734, 2014. 🔎
[37]  John McCarthy. Towards a mathematical science of computation. In IFIP Congress, pages 2128, 1962. 🔎
[38]  Kenneth L. McMillan. Lazy annotation revisited. In CAV, pages 243259, 2014. 🔎
[39]  A. Pettorossi and M. Proietti. Synthesis and transformation of logic programs using unfold/fold proofs. Technical Report 457, Universitá di Roma Tor Vergata, 1997. 🔎
[40]  Philipp Rümmer, Hossein Hojjat, and Viktor Kuncak. Disjunctive interpolants for horn-clause verification. In CAV, pages 347363, 2013. 🔎
[41]  Sorin Stratulat. A unified view of induction reasoning for first-order logic. In Andrei Voronkov, editor, Turing-100 - The Alan Turing Centenary, Manchester, UK, June 22-25, 2012, volume 10 of EPiC Series, pages 326352. EasyChair, 2012. URL http://www.easychair.org/publications/?page=1987117224. 🔎
[42]  Terrance Swift and David Scott Warren. XSB: extending prolog with tabled logic programming. TPLP, 12 (1-2): 157187, 2012. doi:10.1017/S1471068411000500. URL http://dx.doi.org/10.1017/S1471068411000500. 🔎
[43]  H. Tamaki and T. Sato. Unfold/fold transformation of logic programs. In Proceedings of the Second International Conference on Logic Programming, 1984. 🔎
[44]  V. F. Turchin. The concept of a supercompiler. ACM TOPLAS, 8 (3), 1986. 🔎