Efficient Craig Interpolation For Subsets of Integer Linear Arithmetic
Himanshu Jain (CMU), Edmund M. Clarke (CMU), Orna Grumberg (Technion)
Interpolants [Craig 1957]
Given formulas F, G such that F ∧ G is unsatisfiable, an interpolant for (F, G) is a formula I such that:
1. F ⇒ I
2. I ∧ G is unsatisfiable
3. I contains only the common variables of F and G
(Figure: F(x,y), G(y,z) and the interpolant I(y) over the shared variable y.)
Interpolants: Examples
Example 1 (propositional logic): F := p ∧ q, G := ¬q ∧ r ∧ s. I := q.
Example 2 (linear arithmetic): F := x + 2y ≤ 3 ∧ −x − y ≤ −1, G := y ≥ 3. Adding the two inequalities of F gives F ⇒ y ≤ 2, so I := y ≤ 2.
Interpolants in Verification [McMillan 2003]
Useful in symbolic model checking: interpolant-based image computation.
(Figure: a state set S and its image Reach1(S).)
Computing Reach1(S) exactly requires existential quantification (costly using BDDs or SAT).
Interpolants in Verification [Jhala et al. 2004]
Useful for property-directed invariant generation.
(Figure: Program P → Predicate Abstraction with predicates S → invariants for P expressible in terms of S.)
Interpolants help in finding the right set of predicates.
How are Interpolants Obtained?
(Figure: F, G → proof of unsatisfiability of F ∧ G → interpolant for (F, G).)
Existing Work on Computing Interpolants
Pudlak, McMillan, Jhala et al., Yorsh et al., Kapur et al., Rybalchenko et al., Kroening et al., Cimatti et al., Beyer et al.
Interpolants can be computed efficiently for:
rational/real linear arithmetic
equality with uninterpreted function symbols
propositional logic (using SAT solvers)
No efficient interpolation algorithms exist for:
integer linear arithmetic
bit-vector arithmetic
For these, even the decision problem for conjunctions is NP-hard. We make progress in this direction.
Difference between rational and integer linear arithmetic
Let H := x = 2y ∧ x = 2z + 1.
If x, y, z are rational variables, H is satisfiable (take x = 1, y = 1/2, z = 0).
If x, y, z are integer variables, H is unsatisfiable (x would have to be both even and odd).
Our results
Polynomial-time interpolation algorithms for useful subsets of integer linear arithmetic:
Integer (Diophantine) linear equations, e.g. x = 3y ∧ 5x = 3z + u + 2 ∧ …
Integer linear congruences (modular equations), e.g. 4x = 2y + 9 (mod 3) ∧ 2z + 5x − y = 7 (mod 4) ∧ …
Integer linear equations and disequations, e.g. ¬(4x + 5y = 8) ∧ x = 3y ∧ …
Outline
Introduction: Craig interpolation, related work
New interpolation algorithms:
Integer linear equations
Integer linear congruences
Integer linear equations + disequations
Experimental results
We will only give intuition and examples in the talk. See the paper for a precise description of the results.
Interpolation for Integer Linear Equations
Let F, G be conjunctions of integer linear equations. We show that an interpolant for (F, G) is always either an integer linear equation or an integer linear congruence.
Example: F := (x = 2y) and G := (x = 2z + 1). An interpolant is x = 0 (mod 2).
Interpolation Algorithm, Step 1
Obtain a proof of unsatisfiability of F ∧ G (how to get a contradiction from F ∧ G).
F := (30x + 4y = 2), G := (y + 5z = 2)
With multipliers [1/5, 1/5]: 1/5·F + 1/5·G equals 6x + y + z = 4/5, a contradiction (integer left-hand side, non-integer right-hand side).
Interpolation Algorithm, Step 2
Sum the equations from F according to the proof of unsatisfiability:
1/5·(30x + 4y = 2) [from F] + 1/5·(y + 5z = 2) [from G]
Taking only F's part gives the partial interpolant 6x + 4/5 y = 2/5.
We do not want x (it is not common to F and G).
Interpolation Algorithm, Step 3
Remove variables not common to F and G:
6x + 4/5 y = 2/5
4/5 y − 2/5 = −6x
⇒ 4/5 y − 2/5 is divisible by 6
⇒ 4/5 y − 2/5 = 0 (mod 6)
⇒ 4y − 2 = 0 (mod 30)
4y − 2 = 0 (mod 30) is an interpolant for (F, G).
We have proved the correctness of the above algorithm.
Complexity of the Algorithm
Obtaining the proof of unsatisfiability (step 1) takes polynomial time using the Hermite Normal Form; modern SMT solvers can also be used.
The overall algorithm runs in polynomial time.
Multiple interpolants can be obtained.
Multiple Interpolants
F := 30x + 4y = 2, G := y + 5z = 2
4y − 2 = 0 (mod 30)
4y − 2 = 0 (mod 15)
4y − 2 = 0 (mod 10)
4y − 2 = 0 (mod 5)
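Steps 1 to 3 of the algorithm, run on the slides' example, as an added Python example (not code from the paper or the authors' implementation). It assumes the proof multipliers are given as input (the slides obtain them via the Hermite Normal Form), represents each equation as a coefficient dict plus right-hand side, and adds a bounded brute-force `check_interpolant` as a sanity check, not a proof; the same check also confirms the weaker moduli listed on the Multiple Interpolants slide.

```python
from fractions import Fraction
from itertools import product
from math import gcd, lcm

F = [({"x": 30, "y": 4}, 2)]                  # F := 30x + 4y = 2, stored as (coef, rhs)
G = [({"y": 1, "z": 5}, 2)]                   # G := y + 5z = 2
PROOF = ([Fraction(1, 5)], [Fraction(1, 5)])  # step 1: multipliers for F and G

def combine(eqs, mults):
    """Linear combination of equations (multipliers: Fraction, int or '1/5')."""
    coef, rhs = {}, Fraction(0)
    for (c, b), m in zip(eqs, map(Fraction, mults)):
        for v, a in c.items():
            coef[v] = coef.get(v, 0) + m * a
        rhs += m * b
    return {v: a for v, a in coef.items() if a != 0}, rhs

def is_contradiction(eqs_f, eqs_g, proof):
    # Step 1 check: integer coefficients on the left, non-integer constant on the right.
    coef, rhs = combine(eqs_f + eqs_g, proof[0] + proof[1])
    return all(a.denominator == 1 for a in coef.values()) and rhs.denominator != 1

def interpolant(eqs_f, eqs_g, proof):
    """Steps 2-3: sum F's equations, scale to integers, then replace the F-local
    variables by a modulus (gcd of their coefficients; 0 means a plain equation)."""
    coef, rhs = combine(eqs_f, proof[0])                   # partial interpolant
    scale = lcm(*[q.denominator for q in [*coef.values(), rhs]])
    coef = {v: int(a * scale) for v, a in coef.items()}
    common = {v for c, _ in eqs_g for v in c}
    modulus = gcd(*[abs(a) for v, a in coef.items() if v not in common])
    return {v: a for v, a in coef.items() if v in common}, int(rhs * scale), modulus

def holds(eq, env, modulus=0):                # equation (modulus 0) or congruence
    val = sum(a * env[v] for v, a in eq[0].items()) - eq[1]
    return val == 0 if modulus == 0 else val % modulus == 0

def check_interpolant(eqs_f, eqs_g, interp, bound=8):
    # Bounded sanity check (not a proof) of the three interpolant conditions.
    coef, rhs, modulus = interp
    vars_f = {v for c, _ in eqs_f for v in c}
    vars_g = {v for c, _ in eqs_g for v in c}
    if not set(coef) <= vars_f & vars_g:                   # condition 3
        return False
    for vals in product(range(-bound, bound + 1), repeat=len(vars_f | vars_g)):
        env = dict(zip(sorted(vars_f | vars_g), vals))
        i_holds = holds((coef, rhs), env, modulus)
        if (all(holds(e, env) for e in eqs_f) and not i_holds      # condition 1
                or all(holds(e, env) for e in eqs_g) and i_holds):  # condition 2
            return False
    return True
```

`interpolant(F, G, PROOF)` returns `({"y": 4}, 2, 30)`, i.e. 4y = 2 (mod 30); the slide's earlier example x = 2y, x = 2z + 1 with multipliers 1/2 and −1/2 yields x = 0 (mod 2) the same way.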
Integer Linear Congruences
a = b (mod m) iff m divides (a − b); a, b, m can be rational numbers.
Integer linear congruence: Σ_i a_i x_i = b (mod m), where the x_i are integer variables.
Example: 3x + 2y + 5z = 0 (mod 6) is satisfiable (x = 2, y = 0, z = 0).
Interpolation for Integer Linear Congruences
Let F, G be conjunctions of integer linear congruences. We show that an interpolant for (F, G) is always an integer linear congruence.
The basic steps are the same as before; the proof of unsatisfiability is more interesting.
Proof of Unsatisfiability
Congruences may not hold with rational multipliers: 9 = 5 (mod 2), but 9/4 ≠ 5/4 (mod 2).
We show how to get a proof of unsatisfiability with integer multipliers for the (modular) equations; congruences are preserved by integer multipliers.
Proof of Unsatisfiability for Congruences
Given 2x + 2y = 4 (mod 8) ∧ 2x + y = 4 (mod 8) ∧ 4x = 4 (mod 8):
  2·(2x + 2y = 4) (mod 8)
+ −4·(2x + y = 4) (mod 8)
+ 1·(4x = 4) (mod 8)
= 0 = −4 (mod 8), a contradiction.
Both proofs of unsatisfiability and (multiple) interpolants can be obtained in polynomial time.
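The refutation above checked mechanically, as an added Python example (not the authors' code): `is_refutation` requires integer multipliers, as the previous slide explains, and `satisfiable_mod` cross-checks the result by enumerating residues, which decides a conjunction of congruences with one modulus m because each congruence depends only on the variables mod m. The function names and the dict encoding are assumptions.

```python
from itertools import product

# The slides' example, all congruences taken mod 8: 2x+2y=4, 2x+y=4, 4x=4.
CONGS = [({"x": 2, "y": 2}, 4), ({"x": 2, "y": 1}, 4), ({"x": 4}, 4)]
MULTS = [2, -4, 1]     # integer multipliers from the slide's proof of unsatisfiability
M = 8

def combine_mod(congs, mults, m):
    """Integer linear combination of congruences, reduced mod m; drops cancelled variables."""
    coef, rhs = {}, 0
    for (c, b), k in zip(congs, mults):
        for v, a in c.items():
            coef[v] = (coef.get(v, 0) + k * a) % m
        rhs = (rhs + k * b) % m
    return {v: a for v, a in coef.items() if a}, rhs

def is_refutation(congs, mults, m):
    """True when the combination reads 0 = c (mod m) with c != 0, as on the slide."""
    if not all(isinstance(k, int) for k in mults):   # rational multipliers are unsound here
        return False
    coef, rhs = combine_mod(congs, mults, m)
    return not coef and rhs != 0

def satisfiable_mod(congs, m):
    """Exhaustive check over residues: a congruence mod m depends only on x mod m,
    so trying every tuple in [0, m) decides the conjunction (exponential, fine for demos)."""
    names = sorted({v for c, _ in congs for v in c})
    for vals in product(range(m), repeat=len(names)):
        env = dict(zip(names, vals))
        if all(sum(a * env[v] for v, a in c.items()) % m == b % m for c, b in congs):
            return env
    return None
```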
Integer Linear Equations + Disequations
Example: (x + 2y + z = 1) ∧ ¬(x = 1) ∧ …, all variables integer.
Let F = Feq ∧ Fneq (equations and disequations). We show that F has no integral solution iff F has no rational solution, or Feq has no integral solution.
Interpolation for Integer Linear Equations + Disequations
Given F = Feq ∧ Fneq, G = Geq ∧ Gneq with F ∧ G unsatisfiable, one of two cases applies:
F ∧ G has no rational solution: the interpolant is an integer linear equation/disequation.
Feq ∧ Geq has no integral solution: the interpolant is an integer linear equation/congruence.
Predicate Discovery
C program:
    void main() {
        int x = 0, y = 0;
        while (*)                  /* nondeterministic loop; nondet() returns an arbitrary int */
            x = x + 4 * nondet();
        y = y + 8 * nondet();
        assert(x + y != 1);
        assert(x + y != 2);
        assert(x + y != 3);
    }
Loop invariant: x + y is divisible by 4, that is, x + y = 0 (mod 4).
Such predicates can be found using our interpolation algorithms.
Predicate Discovery Experiments
Existing state-of-the-art tools such as BLAST, SATABS and VCEGAR cannot verify these programs. With the help of the predicates found by our algorithms they can (VCEGAR).
Example   Predicates/Interpolants         Time (secs)
ex1       y = 1 (mod 2)                   2.72
ex2       x + y = 0 (mod 2)               0.83
ex4       x + y + z = 0 (mod 4)           0.95
ex5       x = 0 (mod 4), y = 0 (mod 4)    1.1
ex6       4x + 2y + z = 0 (mod 8)         0.93
ex7       4x − 2y + z = 0 (mod 222)       0.54
forb1     x + y = 0 (mod 3)               0.1
Conclusion
Efficient interpolation algorithms for integer linear equations, integer linear congruences, and integer linear equations and disequations.
Easy to implement; based on proofs of unsatisfiability.
Future Work
Full integer linear arithmetic: cutting-plane proofs / Pudlak's algorithm
Bit-vector arithmetic
Boolean combinations using SMT
Questions