Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]
Scalable Program Verification Little theorems about big programs Partial Specifications Device drivers use kernel API correctly Applications use root privileges correctly Behavioral, path-sensitive properties
Predicate Abstraction: A crash course Error Initial Program State Space Abstraction Abstraction: Predicates on program state Signs: x > 0 Aliasing: &x &y States satisfying the same predicates are equivalent Merged into single abstract state
(Predicate) Abstraction: A crash course Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?
Scalability vs. Verification Few predicates tracked e.g. type of variables Imprecision hinders Verification Spurious counterexamples Many predicates tracked e.g. values of variables State explosion Analysis drowned in detail
Example Predicate p1 makes trace abstractly infeasible while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock T F unlock scalability lock Only track lock Bogus Counterexample Must correlate branches Predicate p1 makes trace abstractly infeasible pi required for verification
How can we get scalable verification ? Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability verification lock Only track lock Track lock, pi s Bogus Counterexample Must correlate branches State Explosion > 2n distinct states intractable How can we get scalable verification ?
By Localizing Precision while (*) { 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } p1 p2 pn Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Highlight WHERE … Q2: Where are the predicates required ?
Counterexample Guided Refinement What predicates remove trace ? Make it abstractly infeasible Where are predicates needed ? Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation explanation Why infeasible ? Refine BUG feasible Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]
Counterexample Guided Refinement Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible
Counterexample Guided Refinement safe Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible
This Talk: Counterexample Analysis What predicates remove trace ? Make it abstractly infeasible Where are predicates needed ? Seed Abstraction Program Abstract Is model safe ? Check NO! (Trace) YES SAFE explanation Why infeasible ? Refine BUG feasible
Plan Motivation Refinement using Traces Simple Procedure calls Results
Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.
Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.
Traces pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: if (x = i-1){ pc5: if (y != i){ ERROR: } } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) y = x +1
Trace Feasibility Formulas pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible , TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]
Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.
Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Where are preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Extract Predicate Map: Prog Ctr ! Predicates Proof of Unsat.
Proof of Unsatisfiability x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 x1 = ctr0 x1 = i0 -1 ctr0 = i0-1 ctr1= ctr0+1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Trace Formula Proof of Unsatisfiability PROBLEM Proof uses entire history of execution Information flows up and down No localized or state information !
The Present State… … is all the information the Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?
What Predicate is needed ? Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix
What Predicate is needed ? Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 x1 x1 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables
What Predicate is needed ? Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 State… Predicate … 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables … & TF suffix is unsatisfiable
What Predicate is needed ? Trace Trace Formula (TF) pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 State… Predicate … 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible … implied by TF prefix … on common variables … & TF suffix is unsatisfiable
Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , + , s.t. - implies has symbols common to -, + Æ + is unsatisfiable computable from Proof of Unsat. of - Æ + [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate + Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 Predicate at pc4: y= x+1 - Interpolate pc4 + y1 = x1 + 1 Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction
Building Predicate Maps pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 Interpolate x1 = ctr0 pc2 + Cut + Interpolate at each point Pred. Map: pci Interpolant from cut i
Building Predicate Maps pc2: x = ctr pc3: x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate x1= ctr1-1 pc3 + Cut + Interpolate at each point Pred. Map: pci Interpolant from cut i
Building Predicate Maps pc2: x = ctr pc3: x = ctr-1 pc4: y = x+1 pc5: y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate y1= i0 pc5 + Cut + Interpolate at each point Pred. Map: pci Interpolant from cut i
Building Predicate Maps pc2: x = ctr pc3: x = ctr-1 pc4: y = x+1 pc5: y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 Theorem: Predicate map makes trace abstractly infeasible
Plan Motivation Refinement using Traces Simple Procedure calls Results
Traces with Procedure Calls Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) Find predicate needed at point i i i
Interprocedural Analysis Trace Trace Formula NO Find predicate needed at point i YES i i NO Require at each point i: Well-scoped predicates YES: Variables visible at i NO: Caller’s local variables Procedure Summaries [Reps,Horwitz,Sagiv ’95] Polymorphic Predicate Abstraction [Ball,Millstein,Rajamani ’02]
Problems with Cutting - + i i Trace Trace Formula Caller variables common to - and + Unsuitable interpolant: not well-scoped
Interprocedural Cuts Trace Trace Formula Call begins i i
Interprocedural Cuts + - i i Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from cut i
Common Variables + - i i Predicate at pci = Interpolant from i-cut Trace Trace Formula Common Variables Formals + - Formals i i Current locals Well-scoped Predicate at pci = Interpolant from i-cut
Plan Motivation Refinement using Traces Simple Procedure calls Results
Implementation Algorithms implemented in BLAST Verifier for C programs, Lazy Abstraction [POPL ’02] FOCI : Interpolating decision procedure Examples: Windows Device Drivers (DDK) IRP Specification: 22 state FSM Current: Security properties of Linux programs
Results Program LOC* kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s Windows DDK IRP 22 state Results Program LOC* Previous Time New Predicates Total Average kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s 25m20s 240 7.7 diskperf 14k 5m36s 13m32s 140 10 cdaudio 18k 20m18s 23m51s 256 7.8 parport 61k DNF 74m58s 753 8.1 parclass 138k 77m40s 382 7.2 * Pre-processed
Localizing works… Program LOC* kbfiltr 12k 1m12s 3m48s 72 6.5 floppy Windows DDK IRP 22 state Localizing works… Program LOC* Previous Time New Predicates Total Average kbfiltr 12k 1m12s 3m48s 72 6.5 floppy 17k 7m10s 25m20s 240 7.7 diskperf 14k 5m36s 13m32s 140 10 cdaudio 18k 20m18s 23m51s 256 7.8 parport 61k DNF 74m58s 753 8.1 parclass 138k 77m40s 382 7.2 * Pre-processed
Conclusion Scalability and Precision by localizing Craig Interpolation Interprocedural cuts give well-scoped predicates Some Current and Future Work: Multithreaded Programs Project local info of thread to predicates over globals Hierarchical trace analysis
Berkeley Lazy Abstraction Software * Tool BLAST Berkeley Lazy Abstraction Software * Tool www.eecs.berkeley.edu/~blast/
Pointers and Aliasing McCarthy’s Axioms (Arrays, Select, Update) Theory of arrays doesn’t have q.f. interpolants! Instantiate axioms when building TF Using Morris’ generalized rule for assignment Cuts, Interpolants remain the same
Abstract Infeasibility Property: Strongest Postcondition of ith predicate w.r.t. opi+1 implies i+1th predicate Predicate Map pc2: x = ctr pc3: x = ctr-1 pc4: y = x-1 pc5: y = i pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x = ctr -1 Æ y = ctr x = ctr -1 ) y=x+1 2nd Predicate Strongest Postcondition 3rd Predicate Trace
Another Interprocedural Cut Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut
Interprocedural Cuts + - Common Symbols Trace Formula Call begins x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 + 1 Æ b1 = r1 Æ a0 b1 - 1 x1 + x1 - r1 r1 Common Symbols x1 : Value of passed parameter x r1 : Value of local r
Interprocedural Cuts + - Predicate r = x + 1 y no longer “live” Trace Formula Call begins x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 + 1 Æ b1 = r1 Æ a0 b1 - 1 x1 + x1 - r1 r1 r1= x1 + 1 Predicate r = x + 1 y no longer “live”
Operations Branch Taken Operation assume (x = i-1) if (x = i-1){ } op ::== x = e | assume p Branch Taken Operation assume (x = i-1) if (x = i-1){ } Branch Not Taken Operation assume (x i-1)
Localizing Works! Program LOC* kbfiltr 12k 1m12s 3m48s 72/16/6.5 Windows DDK IRP 22 state Localizing Works! Program LOC* Previous Time New Predicates (Total/Max/Average) kbfiltr 12k 1m12s 3m48s 72/16/6.5 floppy 17k 7m10s 25m20s 240/77/7.7 diskperf 14k 5m36s 13m32s 140/31/10 cdaudio 18k 20m18s 23m51s 256/27/7.8 parport 61k DNF 74m58s 753/32/8.1 parclass 138k 77m40s 382/28/7.2 * Pre-processed
Building Predicate Maps pc2: x = ctr pc3: x = ctr-1 pc4: y = x-1 pc5: y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 Cut + Interpolate at each point Pred. Map: pci Interpolant from cut i
Example Predicate p1 makes trace abstractly infeasible while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Predicate p1 makes trace abstractly infeasible pi required for verification : lock : lock Æ p1 lock Æ p1 ;
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 x1 - y1 Interpolate x1 + y1 = x1 + 1 y1 Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction
Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y i) x1 = ctr0 Æ ctr1 = ctr0 + 1 Æ y1 = ctr1 Æ x1 = i0 - 1 Æ y1 i0 - Interpolate + y1 = x1 + 1 Require: Interpolant: 1. - implies 2. has symbols common to -,+ 3. Æ + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables 3. Predicate & suffix yields a contradiction
Example Bogus Counterexample Only track lock lock() assume : p1 while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Must track p1
Example Predicate p1 makes trace abstractly infeasible while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability lock Only track lock Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR Make bigger fonts unreadable … Predicate p1 makes trace abstractly infeasible pi required for verification
Example Bogus Counterexample State Explosion Only track lock while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); n: if (pn) lock(); if (pn) unlock(); } lock unlock scalability verification lock Only track lock Track lock, pi s Bogus Counterexample assume p1 lock() assume : p1 assume p2 ERROR State Explosion > 2n distinct states/paths complete search infeasible Make bigger fonts unreadable …
Procedure Calls Trace pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 main(){ int a,b; b = inc(a); if (a != b-2) ERROR: } int inc (int x){ int r,y; y = x + 1; r = y + 1; return r; } pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a b-2) Trace
Interprocedural Analysis pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a b-2) Well-scoped predicates YES: Local variables x,y,r NO : Call-site variables a,b Trace Procedure Summaries [Reps,Horwitz,Sagiv ’95] Polymorphic Predicate Abstraction [Ball,Millstein,Rajamani ’02] Relational Analysis [Cousot, Halbwachs ’78]
Cuts don’t work - + Trace Trace Formula a appears in Interpolant pc1: b = inc(a) pc2: y = x + 1 pc3: r = y + 1 pc4: return r pc5: assume (a b-1) x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 +1 Æ b1 = r1 Æ a0 b1 - 1 a0 - + a0 Trace Trace Formula Well-scoped predicates a appears in Interpolant Predicate not well-scoped ! NO call-site variables a,b
Interprocedural Cuts i i Predicate at pci = Interpolant from i-cut Trace Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) Call begins i i Predicate at pci = Interpolant from i-cut
Interprocedural Cuts + - i i Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut
Common Variables i i Predicate at pci = Interpolant from i-cut Trace Trace Formula Formals i i Current Predicate at pci = Interpolant from i-cut
Another Interprocedural Cut Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut
Another Interprocedural Cut Trace Trace Formula Call begins + - i i Predicate at pci = Interpolant from i-cut