1. Horn Clauses
mc(x) = x-10 if x > 100 mc(x) = mc(mc(x+11)) if x  100 assert (x ≤𝟏𝟎𝟏→mc(x) = 91)
∀𝑿. 𝑿 > 𝟏𝟎𝟎  mc(𝑿,𝑿−𝟏𝟎)
∀𝑿,𝒀,𝑹. 𝑿≤ 𝟏𝟎𝟎  mc(𝑿+𝟏𝟏,𝒀)  mc(𝒀,𝑹)  mc(𝑿,𝑹)
∀𝑿,𝑹. mc(𝑿,𝑹) ∧𝑿≤𝟏𝟎𝟏→𝑹= 𝟗𝟏
Solver finds solution for mc

2. Horn Clauses and E+LFP Formulate as Horn clauses: Solve for mc
∀𝑿,𝒀,𝑹. 𝑿≤ 𝟏𝟎𝟎  mc(𝑿+𝟏𝟏,𝒀)  mc(𝒀,𝑹)  mc(𝑿,𝑹)
∀𝑿,𝑹. mc(𝑿,𝑹) ∧𝑿≥𝟏𝟎𝟏  𝑹= 𝟗𝟏
Solve for mc
Symbolic Model:
𝒎𝒄 𝑿,𝒀 ≔𝒀≥𝟗𝟏∧ 𝒀≤𝟗𝟏∨𝒀≤𝑿−𝟏𝟎

3. Caught by the Interpolants
Horn Clauses are Magical
Yakir Vizel
Yo betcha
Interpolation is a special case of finding solutions to Horn Clauses
Program Proof Systems = Horn Clauses
Ergo: Solve Programs = Solve Horn Clauses
Andrey, you just made me sink the past few years into Horn clauses
Ken McMillan
Andrey Rybalchenko

4. How to Solve It? - Z
Z – portfolio of solvers for Horn Clauses in Z3.
Datalog for finite domains using optimized tables, bottom-up evaluation, Magic sets.
Property Directed Reachability algorithm for Horn clauses over arithmetic.
Approach: maintain over-approximations 𝑅 𝑖 of properties derivable in 𝑖 steps. Strengthen approximations by solving interpolation and inductiveness formulas.
[Krystof Hoder & B, SAT 2012]

5. How to Solve It? - HSF
[Grebenshchikov, Lopes, Popeea, Rybalchenko, PLDI 2012]

6. How to Solve It? - Duality
When query fails, build a derivation tree for the unwinding, and compute interpolants, then update the solution with the interpolants.
𝑄 1 𝑥,𝑧 ⇒𝑥≤𝑧
𝑃 0 𝑥,𝑦 :𝐹𝑎𝑙𝑠𝑒
Q 0 𝑥,𝑧 :𝐹𝑎𝑙𝑠𝑒
𝑥=𝑦⇒ 𝑃 1 (𝑥,𝑦)
𝑃 1 𝑥,𝑦 :𝑇𝑟𝑢𝑒
𝑃 1 𝑥,𝑦 ∧𝑧=𝑦+1⇒ 𝑃 2 (𝑥,𝑧)
Q 1 𝑥,𝑧 :𝑇𝑟𝑢𝑒
Q 1 𝑥,𝑧 :𝑥≤𝑧
unwinding solved!
P 2 𝑥,𝑦 :𝑥≤𝑦−1
solution inductive!
𝑃 𝑥,𝑦 : 𝑥=𝑦∨𝑥≤𝑦−1
P 1 𝑥,𝑦 :𝑥=𝑦
𝑄 𝑥,𝑧 : 𝑥≤𝑧
Ken McMillan 2012

7. How to Solve It? - SeaHorn
Arie Gurfinkel

8. Several more Horn Clause Solvers
Eldarica Kuncak, Hojjat, Ruemmer
Fioravanti
Jaffar
Gallagher
We are always recruiting

9. A format for Software Model Checking
Collection of about 10,000 benchmarks from various sources, including device driver software, at Dirk Beyer’s software verification repository.
Used as backend in SeaHorn, HSF, Duality tool chains.

10. Application: Network Verification
Sample belief: packets flow through middle-box
Engine: Network Optimized Datalog:
Datalog
A(src,dst, 0).
R1(src,dst,n) :- A(src,dst,n), Rule1(src,dst).
R2(src,dst,n) :- R1(src,dst,n), Rule2(src,dst).… R4(src,dst,1) :- M(src,dst,_), Rule4(src,dst)…..
? B(src,dst,0).
Nuno Lopes, B, Patrice Godefroid, Karthick Jayaraman, George Varghese [NSDI 2015]

11. Programs  Horn Clauses
Boogie/Duality
– Weakest liberal pre-conditions
HSF
– Reps-Horwitz-Sagiv based transformation
SeaHorn
– Large block encoding with error propagation
Terraces Winery, Rutherford, Napa

12. Boogie/Dijkstra A procedure def p(x) { .. ret := y}
Rustan Leino
A procedure
def p(x) { .. ret := y}
is a predicate 𝑝 𝑥, 𝑟𝑒𝑡 for effect, and 𝑝 𝑝𝑟𝑒 (𝑥) for pre-condition.

13. Transforming Horn Clauses
Query-Answer transformation (Magic Sets)
Inlines calling context
Fold-Unfold
- Complete for refutations
K-induction
- Variant of Unfold operation
Assertion in-lining
Inlines paths to assertion check
All: Symbolic Models preserved modulo feasible interpolation

14. K-induction as reinforced unfold
𝑖𝑛𝑖𝑡 𝑣 →𝐼𝑛𝑣 𝑣
𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝐼𝑛𝑣 𝑣 ′
𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣)
𝑖𝑛𝑖𝑡 𝑣′ ∨(𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ )→𝐼𝑛𝑣 𝑣 ′
𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣)
𝑖𝑛𝑖𝑡 𝑣′ ∨((𝑖𝑛𝑖𝑡 𝑣 0 ∨ 𝐼𝑛𝑣 𝑣 0 ∧𝑠𝑡𝑒𝑝 𝑣 0 ,𝑣 ∧𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ )→𝐼𝑛𝑣 𝑣 ′
𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣)
𝑖𝑛𝑖𝑡 𝑣 →𝑠𝑎𝑓𝑒 𝑣
𝑖𝑛𝑖𝑡 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝑠𝑎𝑓𝑒 𝑣 ′
𝑠𝑎𝑓𝑒(𝑣)∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ ∧𝐼𝑛𝑣 𝑣 ′ ∧𝑠𝑡𝑒𝑝( 𝑣 ′ , 𝑣 ′′ )→𝑠𝑎𝑓𝑒 𝑣 ′′
𝑠𝑎𝑓𝑒(𝑣)→𝑠𝑎𝑓𝑒(𝑣)
𝑖𝑛𝑖𝑡 𝑣 →𝐼𝑛𝑣 𝑣
𝑖𝑛𝑖𝑡 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ →𝐼𝑛𝑣 𝑣 ′
𝐼𝑛𝑣 𝑣 ∧𝑠𝑡𝑒𝑝 𝑣, 𝑣 ′ ∧𝐼𝑛𝑣 𝑣 ′ ∧𝑠𝑡𝑒𝑝( 𝑣 ′ , 𝑣 ′′ )→𝐼𝑛𝑣 𝑣 ′′
𝐼𝑛𝑣 𝑣 →𝑠𝑎𝑓𝑒(𝑣)