Presentation is loading. Please wait.

Presentation is loading. Please wait.

Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto.

Published byStanley Briggs Modified over 9 years ago

Similar presentations

Presentation on theme: "Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto."— Presentation transcript:

1 Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto

2 Generalization Interpolants are generalizations We use them as a way of forming conjectures and lemmas Many proof search methods uses interpolants as generalizations SAT/SMT solvers CEGAR, lazy abstraction, etc. Interpolant-based invariants, IC3, etc. There is widespread use of the idea that interpolants are generalizations, and generalizations help to form proofs

3 In this talk We will consider measures of the quality of these generalizations I will argue: The evidence for these generalizations is often weak This motivates a retrospective approach: revisiting prior generalizations in light of new evidence This suggests new approaches to interpolation and proof search methods that use it. We’ll consider how these ideas may apply in SMT and IC3.

4 Criteria for generalization A generalization is an inference that in some way covers a particular case Example: a learned clause in a SAT solver We require two properties of a generalization: Correctness: it must be true Utility: it must make our proof task easier A useful inference is one that occurs in a simple proof Let us consider what evidence we might produce for correctness and utility of a given inference…

5 What evidence can we provide? Evidence for correctness: Proof (best) Bounded proof (pretty good) True in a few cases (weak) Evidence for utility: Useful for one truth assignment Useful for one program path

6 Interpolants as generalizations Consider a bounded model checking formula: Evidence for interpolant as conjectured invariant Correctness: true after 3 steps Utility: implies property after three steps Note the duality In invariant generation, correctness and utility are time-reversal duals. interpolant

7 CDCL SAT solvers A learned clause is a generalization (interpolant) Evidence for correctness: Proof by resolution (strong!) Evidence for utility: Simplifies proof of current assignment (weak!) In fact, CDCL solvers produce many clauses of low utility that are later deleted. Retrospection CDCL has a mechanism of revisiting prior generalization in the light of new evidence This is called “non-chronological backtracking”

8 Retrospection in CDCL CDCL can replace an old generalization with a new one that covers more cases That is, utility evidence of the new clause is better The decision stack: Conflict!

9 Retrospection in CEGAR This path has two possible refutations of equal utility CEGAR considers one counterexample path at a time

10 Retrospection and Lazy SMT

11 Diamond example with lazy SMT Theory lemmas correspond to program paths: … (16 lemmas, exponential in number of diamonds) Lemmas have low utility because each covers only once case Lazy SMT framework does not allow higher utility inferences

12 Diamond example (cont.) We can produce higher utility inferences by structurally decomposing the problem Each covers many paths Proof is linear in number of diamonds

13 Compositional SMT Use SMT solver As block box With each new sample, we reconsider the interpolant to maximize utility

14 Example in linear rational arithmetic

15 Compositional approach 3. Interpolant now covers all disjuncts Notice we reconsidered our first interpolant choice in light of further evidence.

16 Comparison to Lazy SMT Interpolant from a lazy SMT solver proof: Each half-space corresponds to a theory lemma Theory lemmas have low utility Four lemmas cover six cases

17 B3B3 Why is the simpler proof better? A simple fact that covers many cases may indicate an emerging pattern... B4B4 Greater complexity allows overfitting Especially important in invariant generation

18 Finding simple interpolants We break this problem into two parts Search for large subsets of the samples that can be separated by linear half-spaces. Synthesize an interpolant as a Boolean combination of these separators. The first part can be accomplished by well-established methods, using an LP solver and Farkas’ lemma. The Boolean function synthesis problem is also well studied, though we may wish to use more light-weight methods.

19 Farkas’ lemma and linear separators Farkas’ lemma says that inconsistent rational linear constraints can be refuted by summation: constraints solve

20 Finding separating half-spaces

21 Half-spaces to interpolants Each region is a cube over half- spaces Must be true Must be false Don’t care In practice, we don’t have to synthesize an optimal combination

22 Sequential verification We can extend our notions of evidence and retrospection to sequential verification A “case” may be some sequence of program steps Consider a simple sequential program: x = y = 0; while(*) x++; y++; while(x != 0) x--; y--; assert (y <= 0); Wish to discover invariant:

23 {y = 0} {y = 1} {y = 2} {y = 1} {y = 0} {False} {True} {False} {True} Execute the loops twice These interpolants cover all the cases with just one predicate. In fact, they are inductive. These predicates have low utility, since each covers just one case. As a result, we “overfit” and do not discover the emerging pattern. x = y = 0; x++; y++; [x!=0]; x--; y--; [x!=0]; x--; y--; [x == 0] [y > 0] Choose interpolants at each step, in hope of obtaining inductive invariant.

24 Sequential interpolation strategy Step 0: low evidence Step 1: better evidence

25 Occam’s razor says simplicity prevents over- fitting This is not the whose story, however Consider different separators of similar complexity Are simple interpolants enough? Simplicity of the interpolant may not be sufficient for a good generalization.

26 Proof simplicity criterion Empirically, the strange separators seem to be avoided by minimizing proof complexity Maximize zero coefficients in Farkas proofs This can be done in a greedy way Note the difference between applying Occam’s razor in synthetic and analytic cases We are generalizing not from data but from an argument We want the argument to be as simple as possible

27 Value of retrospection 30 small programs over integers Tricky inductive invariants involving linear constraints Some disjunctive, most conjunctive ToolComp. SMT CPA Checker UFOInvGen with AI InvGen w/o AI % solved10057 7060 Better evidence for generalizations Better fits the observed cases Results in better convergence Still must trade off cost v. utility in generalizing Avoid excessive search while maintaining convergence

28 Value of retrospection (cont) Exponential theory lemmas achieved in practice. Computing one interpolant gives power ½ speedup.

29 Incremental inductive methods (IC3) Compute a sequence interpolant by local proof Interpolant successively weakens Inductive generalization Valid!

30 Generalization in IC3 (bad state) Inductive generalization

31 Retrospection in IC3? Find a relatively inductive clause that covers as many bad states as possible Search might be inefficient, since each test is a SAT problem Possible solution: relax correctness evidence Sample on both A and B side Correctness evidence is invariance in a sample of behaviors rather than all up to depth k.

32 True in all A samples Generalization problem separator A samples (reachable states) False in many B samples B samples (bad states) Find a clause to separate A and B samples This is another two-level logic optimization problem. This suggests logic optimization techniques could be applied to computing interpolants in incremental inductive style.

33 Questions to ask For a given inference technique we can ask Where does generalization occur? Is there good evidence for generalizations? Can retrospection be applied? What form do separators take? How can I solve for separators? At what cost? Theories: arrays, nonlinear arithmetic,… Can I improve the cost? Shift the tradeoff of utility and correctness Can proof complexity be minimized? Ultimately, is the cost of better generalization justified?

34 Conclusion Many proof search methods rely on interpolants as generalizations Useful to the extent the make the proof simpler Evidence of utility in existing methods is weak Usually amounts to utility in one case Can lead to many useless inferences Retrospection: revisit inferences on new evidence For example, non-chronological backtracking Allows more global view of the problem Reduces commitment to inferences based on little evidence

35 Conclusion (cont) Compositional SMT Modular approach to interpolation Find simple proofs covering many cases Constraint-based search method Improves convergence of invariant discovery Exposes emerging pattern in loop unfoldings Think about methods in terms of The form of generalization Quality of evidence for correctness and utility Cost v. benefit of the evidence provided

36 Cost of retrospection Early retrospective approach due to Anubhav Gupta Finite-state localization abstraction method Finds optimal localization covering all abstract cex’s. In practice, “quick and dirty” often better than optimal Compositional SMT usually slower than direct SMT However, if bad generalizations imply divergence, then the cost of retrospection is justified. Need to understand when revisiting generalizations is justified.

37 Inference problem Find a clause to separate A and B samples Clause must have a literal from every A sample Literals must be false in many B samples This is a binate covering problem Wells studied in logic synthesis Relate to Bloem et al Can still use relative inductive strengthening Better utility and evidence

Download ppt "Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
50.530: Software Engineering

50.530: Software Engineering
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Interpolation and Widening Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolation and Widening Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Interpolants from Z3 proofs Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Similar presentations

Ads by Google