Efficient Generation of Small Interpolants in CNF (for Model Checking) Yakir Vizel1 Vadim Ryvchin2,3 Alexander Nadel3 Today’s talk is about … CAV 2013 St. Petersburg, Russia 1. Computer Science Department, Technion, Israel 2. Information Systems Engineering Department, Technion, Israel 3. Design Technology Solutions Group, Intel Corporation, Israel

Reachability Analysis Does an invariant P hold? …Rn R2 R1 Bad=¬P INIT

Interpolants Given an unsatisfiable pair (A,B) of propositional formulas There exists a formula I such that: A  I I ∧ B is unsatisfiable I is over the common variables of A and B

ITP – Interpolation-based MC McMillan, CAV 2003 A B INIT(V) ∧T(V,V1) ∧ T(V1,V2)∧T(V2,V3)∧(¬P(V1) ∨… ∨¬P(V3)) I I over-approximates the states reachable from INIT in one transition It satisfies P and cannot reach a bad state in two transitions or less

ITP – Interpolation-based MC McMillan, CAV 2003 A B I(V) ∧T(V,V1) ∧ T(V1,V2)∧T(V2,V3)∧(¬P(V1) ∨… ∨¬P(V3)) I’ I is fed back to the formula A new interpolant is computed I’ Iterative process

Motivation In ITP, a computed interpolant is fed back into the BMC problem BMC problem is solved with a SAT solver “Big” interpolant causes the BMC problem to be hard to solve Non-CNF interpolant needs to be translated to CNF

A B g3 g3 g2 g2  g3 a1 a1  g2  g3 A-local variables: a1 Global variables: g1, g2, g3 g4 a1  g2  g3 g2  g4 A B g1 a1 a1  g1  g2 a1  g1  g3 a1  g2  g3  g4 a1  g2 a1  g4 g2  g3 g3 g1

McMillan’s Method I g3 I g3 I = [(g1  g2)  (g1  g3)]  [(g2  g3  g4)  (g2  g4)] g2 g2  g3 a1 (g2  g3  g4)  (g2  g4) a1  g2  g3 (g1  g2)  (g1  g3) g2  g4 g4 a1  g2  g3 g2  g4 g1 a1 g1  g2 g1  g3 g2  g3  g4 g2 g4 T T a1  g1  g2 a1  g1  g3 a1  g2  g3  g4 a1  g2 a1  g4 g2  g3 g3

Our Method A two-phase method: Step one: Use both Quantifier Elimination (QE) and the Resolution Graph (RG) to compute an “almost” interpolant Step two: Specifically for Model Checking - use the structure of the formula to apply inductive reasoning

Step One Use both QE and RG to compute an “almost” interpolant For A(X,Y) ∧B(Y,Z) (∃X)(A(X,Y)) is an interpolant Quantifier elimination In SAT, eliminating existential quantifier amounts to Variable Elimination (VE) Use the RG to guide VE More efficient than pure VE Yet, may be hard to compute Relax VE with RG

I g3 I g3 g2 I = [(g1  g2  g3  g4)  (g1  g2  g3  g4)]  (g2  g4)] g2  g3 a1 (a1  g2  g3  g4)  (g2  g4) a1  g2  g3 (a1  g1  g2)  (a1  g1  g3) g2  g4 g4 a1  g2  g3 g2  g4 g1 a1 a1  g1  g2 a1  g1  g3 a1  g2  g3  g4 a1  g2 a1  g4 a1  g1  g2 a1  g1  g3 a1  g2  g3  g4 a1  g2 a1  g4 g2  g3 g3

A-local variable elimination: I = (g1  g2  g3  g4)  (g1  g2)  (g1  g2  g3  g4)  (g1  g2  g3)  (g2  g4) Resolution-driven variable elimination: I = (g1  g2  g3  g4)  (g1  g2  g3  g4)  (g2  g4) g3 g3 Saved! g2 g2  g3 a1 a1  g2  g3 g4 g1  g2 g1  g2  g3 a1  g2  g3 g2  g4 g1 a1 a1  g1  g2 a1  g1  g3 a1  g2  g3  g4 a1  g2 a1  g4 g2  g3 g3

Almost an Interpolant Bweak interpolant is a formula Iw s.t.: I is over the common variables of A and B Iw ∧ B is not necessarily unsatisfiable Non-global interpolant is a formula In s.t.: A  In In ∧ B is unsatisfiable In may contain variables local to A

Find Bweak Interpolant Apply resolution-driven variable elimination but: Eliminate only when intermediate interpolant does not grow as a result Apply incomplete A-local variable elimination to I Eliminate A-local variables, but apply resolution only to some of the pairs each input clause contributes to at least one output clause

B I I is a non-global interpolant Variable elimination is skipped, since it would increase the number of clauses I g5 I = (a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4)  (a1  g6  g5)  (a1  g6) g4 g4  g5 a1 (a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4) B a1  g4 g5 (a1  g1  g2)  (a1  g2  g4) g3 a1  g3  g4 (a1  g6  g5)  (a1  g6) a1  g5 g4  g5 a1  g1  g2 g2 a1  g2  g3 g6 g1 a1  g1  g2 a1  g2  g4 a1  g3  g4 a1  g6  g5 a1  g6 a1  g1  g2 a1  g2  g4 a1  g3  g4 a1  g6  g5 g1  g3 a1  g6

I’ is a Bweak interpolant! Incomplete variable elimination example: each input clause contributes to the output I’ = (g1  g2  g6  g5)  (g2  g4  g6)  (g3  g4  g6  g5) I = (a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4)  (a1  g6  g5)  (a1  g6)

Our Method A two-fold method: Step one: Use both Quantifier Elimination (QE) and the Resolution Graph (GR) to compute an “almost” interpolant Step two: Specifically for Model Checking - use the structure of the formula to apply inductive reasoning

Backward reachable from ¬P Step Two Backward reachable from ¬P in k-1 steps …… I ¬P F s Iw

Strengthening Generalize using inductive generalization (a-la IC3) a state s in Iw that can reach Bad Need to remove it Remove a set of states Find a new state s …… I ¬P F …… Iw F(V) => ¬s(V) F(V) ∧T(V,V’) => ¬s(V’) s cannot be in F(V) ∧T(V,V’) s cannot be in F I’m an Interpolant! Yay!!

CNF-ITP k=1; while(BMC(INIT,k,Bad) = false) { R = INIT; n=0; do { n++; Iw = ExtractBweakItp(); PushInductiveClauses(Iw); // Push forward Iw = Iw ∧ nIk-1 // Incremental nIk = Strengthen(R, Iw, k); // R is strengthened as well if (nIk => R) return valid; R = R ∨ nIk; } while(BMC(nIk,k,Bad) = false); k++; return cex;

Conclusions Interpolants computed efficiently in CNF Specific for MC CNF used to optimize the MC algorithm Brings ITP and IC3 together More can be done in this direction

Thank You