Horn Clauses mc(x) = x-10 if x > 100 mc(x) = mc(mc(x+11)) if x  100 assert (x ≤𝟏𝟎𝟏→mc(x) = 91) ∀𝑿. 𝑿 > 𝟏𝟎𝟎  mc(𝑿,𝑿−𝟏𝟎) ∀𝑿,𝒀,𝑹. 𝑿≤ 𝟏𝟎𝟎  mc(𝑿+𝟏𝟏,𝒀)  mc(𝒀,𝑹)  mc(𝑿,𝑹) ∀𝑿,𝑹. mc(𝑿,𝑹) ∧𝑿≤𝟏𝟎𝟏→𝑹= 𝟗𝟏 Solver finds solution for mc

Horn Clauses and E+LFP Formulate as Horn clauses: Solve for mc ∀𝑿,𝒀,𝑹. 𝑿≤ 𝟏𝟎𝟎  mc(𝑿+𝟏𝟏,𝒀)  mc(𝒀,𝑹)  mc(𝑿,𝑹) ∀𝑿,𝑹. mc(𝑿,𝑹) ∧𝑿≥𝟏𝟎𝟏  𝑹= 𝟗𝟏 Solve for mc Symbolic Model: 𝒎𝒄 𝑿,𝒀 ≔𝒀≥𝟗𝟏∧ 𝒀≤𝟗𝟏∨𝒀≤𝑿−𝟏𝟎

Caught by the Interpolants Horn Clauses are Magical Yakir Vizel Yo betcha Interpolation is a special case of finding solutions to Horn Clauses Program Proof Systems = Horn Clauses Ergo: Solve Programs = Solve Horn Clauses Andrey, you just made me sink the past few years into Horn clauses Ken McMillan Andrey Rybalchenko

How to Solve It? - Z Z – portfolio of solvers for Horn Clauses in Z3. Datalog for finite domains using optimized tables, bottom-up evaluation, Magic sets. Property Directed Reachability algorithm for Horn clauses over arithmetic. Approach: maintain over-approximations 𝑅 𝑖 of properties derivable in 𝑖 steps. Strengthen approximations by solving interpolation and inductiveness formulas. [Krystof Hoder & B, SAT 2012]

How to Solve It? - HSF [Grebenshchikov, Lopes, Popeea, Rybalchenko, PLDI 2012]

How to Solve It? - Duality When query fails, build a derivation tree for the unwinding, and compute interpolants, then update the solution with the interpolants. 𝑄 1 𝑥,𝑧 ⇒𝑥≤𝑧 𝑃 0 𝑥,𝑦 :𝐹𝑎𝑙𝑠𝑒 Q 0 𝑥,𝑧 :𝐹𝑎𝑙𝑠𝑒 𝑥=𝑦⇒ 𝑃 1 (𝑥,𝑦) 𝑃 1 𝑥,𝑦 :𝑇𝑟𝑢𝑒 𝑃 1 𝑥,𝑦 ∧𝑧=𝑦+1⇒ 𝑃 2 (𝑥,𝑧) Q 1 𝑥,𝑧 :𝑇𝑟𝑢𝑒 Q 1 𝑥,𝑧 :𝑥≤𝑧 unwinding solved! P 2 𝑥,𝑦 :𝑥≤𝑦−1 solution inductive! 𝑃 𝑥,𝑦 : 𝑥=𝑦∨𝑥≤𝑦−1 P 1 𝑥,𝑦 :𝑥=𝑦 𝑄 𝑥,𝑧 : 𝑥≤𝑧 Ken McMillan 2012

How to Solve It? - SeaHorn Arie Gurfinkel

Several more Horn Clause Solvers Eldarica Kuncak, Hojjat, Ruemmer Fioravanti Jaffar Gallagher We are always recruiting

A format for Software Model Checking Collection of about 10,000 benchmarks from various sources, including device driver software, at Dirk Beyer’s software verification repository. Used as backend in SeaHorn, HSF, Duality tool chains.

Application: Network Verification Sample belief: packets flow through middle-box Engine: Network Optimized Datalog: Datalog A(src,dst, 0). R1(src,dst,n) :- A(src,dst,n), Rule1(src,dst). R2(src,dst,n) :- R1(src,dst,n), Rule2(src,dst).… R4(src,dst,1) :- M(src,dst,_), Rule4(src,dst)….. ? B(src,dst,0). Nuno Lopes, B, Patrice Godefroid, Karthick Jayaraman, George Varghese [NSDI 2015]

Programs  Horn Clauses Boogie/Duality – Weakest liberal pre-conditions HSF – Reps-Horwitz-Sagiv based transformation SeaHorn – Large block encoding with error propagation Terraces Winery, Rutherford, Napa

Boogie/Dijkstra A procedure def p(x) { .. ret := y} Rustan Leino A procedure def p(x) { .. ret := y} is a predicate 𝑝 𝑥, 𝑟𝑒𝑡 for effect, and 𝑝 𝑝𝑟𝑒 (𝑥) for pre-condition.

Transforming Horn Clauses Query-Answer transformation (Magic Sets) Inlines calling context Fold-Unfold - Complete for refutations K-induction - Variant of Unfold operation Assertion in-lining Inlines paths to assertion check All: Symbolic Models preserved modulo feasible interpolation

K-induction as reinforced unfold 𝑖𝑛𝑖𝑡 𝑣 →𝐼𝑛𝑣 𝑣 𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝐼𝑛𝑣 𝑣 ′ 𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣) 𝑖𝑛𝑖𝑡 𝑣′ ∨(𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ )→𝐼𝑛𝑣 𝑣 ′ 𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣) 𝑖𝑛𝑖𝑡 𝑣′ ∨((𝑖𝑛𝑖𝑡 𝑣 0 ∨ 𝐼𝑛𝑣 𝑣 0 ∧𝑠𝑡𝑒𝑝 𝑣 0 ,𝑣 ∧𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ )→𝐼𝑛𝑣 𝑣 ′ 𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣) 𝑖𝑛𝑖𝑡 𝑣 →𝑠𝑎𝑓𝑒 𝑣 𝑖𝑛𝑖𝑡 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝑠𝑎𝑓𝑒 𝑣 ′ 𝑠𝑎𝑓𝑒(𝑣)∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ ∧𝐼𝑛𝑣 𝑣 ′ ∧𝑠𝑡𝑒𝑝( 𝑣 ′ , 𝑣 ′′ )→𝑠𝑎𝑓𝑒 𝑣 ′′ 𝑠𝑎𝑓𝑒(𝑣)→𝑠𝑎𝑓𝑒(𝑣) 𝑖𝑛𝑖𝑡 𝑣 →𝐼𝑛𝑣 𝑣 𝑖𝑛𝑖𝑡 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝐼𝑛𝑣 𝑣 ′ 𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ ∧𝐼𝑛𝑣 𝑣 ′ ∧𝑠𝑡𝑒𝑝( 𝑣 ′ , 𝑣 ′′ )→𝐼𝑛𝑣 𝑣 ′′ 𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣)