Quantified Invariant Generation using an Interpolating Saturation Prover

1
Quantified Invariant Generationusing
anInterpolating Saturation Prover

• Ken McMillan
• Cadence Research Labs

TexPoint fonts used in EMF AAAAA
2
Introduction

• Interpolants derived from proofs can provide an
  effective relevance heuristic for constructing
  inductive invariants
• Provides a way of generalizing proofs about
  bounded behaviors to the unbounded case
• Exploits a provers ability to focus on relevant
  facts
• Used in various applications, including
• Hardware verification (propositional case)
• Predicate abstraction (quantifier-free)
• Program verification (quantifier-free)
• This talk
• Moving to the first-order case, including FO(TC)
• Modifying SPASS to create an interpolating FO
  prover
• Apply to program verification with arrays, linked
  lists

3
Invariants from unwindings

• Consider this very simple approach
• Partially unwind a program into a loop-free,
  in-line program
• Construct a Floyd/Hoare proof for the in-line
  program
• See if this proof contains an inductive invariant
  proving the property
• Example program

x y 0 while() x y while(x ! 0)
x-- y-- assert (y 0)
4
Unwind the loops

• Assertions may diverge as we unwind
• A practical method must somehow prevent this kind
  of divergence!

5
Interpolation Lemma
Craig,57

• If A Ù B false, there exists an interpolant A'
  for (A,B) such that
• A implies A
• A is inconsistent with B
• A is expressed over the common vocabulary of A
  and B

A variety of techniques exist for deriving an
interpolant from a refutation of A Ù B, generated
by a theorem prover.
6
Interpolants as Floyd-Hoare proofs
2. Each is over common symbols of prefix and
suffix
3. Begins with true, ends with false
7
Need for quantified interpolants
for(i 0 i lt N i) ai i for(j 0
j lt N j) assert aj j

• Existing interpolating provers cannot produce
  quantified interpolants
• Problem how to prevent the number of quantifiers
  from diverging in the same way that constants
  diverge when we unwind the loops?
• For linked structures we also require a theory of
  reachability (in effect, transitive closure)

Can we build an interpolating prover for full
FOL than that handles reachability, and avoids
divergence?
8
Clausal provers

• A clausal refutation prover takes a set of
  clauses and returns a proof of unsatisfiability
  (i.e., a refutation) if possible.
• A prover is based on inference rules of this form

P1 ... Pn
C

• where P1 ... Pn are the premises and C the
  conclusion.
• A typical inference rule is resolution, of which
  this is an instance

p(a) p(U) ! q(U)
q(a)

• This was accomplished by unifying p(a) and P(U),
  then dropping the complementary literals.

9
Superposition calculus

• Modern FOL provers based on the superposition
  calculus
• example superposition inference

Q(a) P ! (a c)
P ! Q(c)

• this is just substitution of equals for equals
• in practice this approach generates a lot of
  substitutions!
• use reduction order to reduce number of
  inferences

10
Reduction orders

• A reduction order  is
• a total, well founded order on ground terms
• subterm property f(a) Â a
• monotonicity a  b implies f(a)  f(b)
• Example Recursive Path Ordering (with Status)
  (RPOS)
• start with a precedence on symbols a  b  c Â
  f
• induces a reduction ordering on ground terms
• f(f(a)  f(a)  a  f(b)  b  c  f

11
Ordering Constraint

• Constrains rewrites to be downward in the
  reduction order

Q(a) P ! (a c)
P ! Q(c)
example this inference only possible if a  c
12
Local Proofs

• A proof is local for a pair of clause sets (A,B)
  when every inference step uses only symbols from
  A or only symbols from B.
• From a local refutation of (A,B), we can derive
  an interpolant for (A,B) in linear time.
• This interpolant is a Boolean combination of
  formulas in the proof

13
Reduction orders and locality

• A reduction order is oriented for (A,B) when
• s  t for every s ? L (B) and t 2L(B)
• Intuition rewriting eliminates first A
  variables, then B variables.

oriented x y c d f
x y f(x) c f(y) c
Local!!
f(y) c f(y) d c d
c d c ? d ?
14
Orientation is not enough
A
B
Q(a)
a c
Q  a  b  c
b c
Q(b)

• Local superposition gives only cc.
• Solution replace non-local superposition with
  two inferences

Second inference can be postponed until after
resolving with Q(b)
This procrastination step is an example of a
reduction rule, and preserves completeness.
15
Completeness of local inference

• Thm Local superposition with procrastination is
  complete for refutation of pairs (A,B) such that
• (A,B) has a universally quantified interpolant
• The reduction order is oriented for (A,B)
• This gives us a complete method for generation of
  universally quantified interpolants for arbitrary
  first-order formulas!
• This is easily extensible to interpolants for
  sequences of formulas, hence we can use the
  method to generate Floyd/Hoare proofs for inline
  programs.

16
Avoiding Divergence

• As argued earlier, we still need to prevent
  interpolants from diverging as we unwind the
  program further.
• Idea stratify the clause language

Example Let Lk be the set of clauses with at
most k variables and nesting depth at most k.
Note that each Lk is a finite language.

• Stratified saturation prover
• Initially let k 1
• Restrict prover to generate only clauses in Lk
• When prover saturates, increase k by one and
  continue

The stratified prover is complete, since every
proof is contained in some Lk.
17
Completeness for universal invariants

• Lemma For every safety program M with a 8
  safety invariant, and every stratified saturation
  prover P, there exists an integer k such that P
  refutes every unwinding of M in Lk, provided
• The reduction ordering is oriented properly
• This means that as we unwind further, eventually
  all the interpolants are contained in Lk, for
  some k.
• Theorem Under the above conditions, there is
  some unwinding of M for which the interpolants
  generated by P contain a safety invariant for M.

This means we have a complete procedure for
finding universally quantified safety invariants
whenever these exist!
18
In practice

• We have proved theoretical convergence. But does
  the procedure converge in practice in a
  reasonable time?
• Modify SPASS, an efficient superposition-based
  saturation prover
• Generate oriented precedence orders
• Add procrastination rule to SPASSs reduction
  rules
• Drop all non-local inferences
• Add stratification (SPASS already has something
  similar)
• Add axiomatizations of the necessary theories
• An advantage of a full FOL prover is we can add
  axioms!
• As argued earlier, we need a theory of arrays and
  reachability (TC)
• Since this theory is not finitely axiomatizable,
  we use an incomplete axiomatization that is
  intended to handle typical operations in
  list-manipulating programs

19
Simple example
for(i 0 i lt N i) ai i for(j 0
j lt N j) assert aj j
20
Unwinding simple example

• Unwind the loops twice

note stratification prevents constants
diverging as 0, succ(0), succ(succ(0)), ...
21
List deletion example
a create_list() while(a) tmp a-gtnext
free(a) a tmp

• Invariant synthesized with 3 unwindings (after
  some simplification)

rea(next,a,nil)
8 x (rea(next,a,x)! x nil _ alloc(x))

• That is, a is acyclic, and every cell is
  allocated
• Note that interpolation can synthesize Boolean
  structure.

22
More small examples
This shows that divergence can be controlled.
But can we scale to large programs?...
23
Conclusion

• Interpolants and invariant generation
• Computing interpolants from proofs allows us to
  generalize from special cases such as loop-free
  unwindings
• Interpolation can extract relevant facts from
  proofs of these special cases
• Must avoid divergence
• Quantified invariants
• Needed for programs that manipulating arrays or
  heaps
• FO equality prover modified to produce local
  proofs (hence interpolants)
• Complete for universal invariants
• Can be used to construct invariants of simple
  array- and list-manipulating programs, using
  partial axiomatization of FO(TC)
• Language stratification prevents divergence
• Might be used as a relevance heuristic for shape
  analysis, IPA

24
Expressiveness hierarchy
Canonical Heap Abstractions
8FO(TC)
Indexed Predicate Abstraction
8FO
Expressiveness
Predicate Abstraction
QF
Interpolant Language
Parameterized Abstract Domain
25
Interpolants for sequences

• Let A1...An be a sequence of formulas
• A sequence A0...An is an interpolant for
  A1...An when
• A0 True
• Ai-1 Ai ) Ai, for i 1..n
• An False
• and finally, Ai 2 L (A1...Ai) \ L(Ai1...An)

In other words, the interpolant is a
structured refutation of A1...An
26
Need for Reachability
... node a create_list() while(a)
assert(alloc(a)) a a-gtnext
...
invariant
8 x (rea(next,a,x) x ? nil ! alloc(x))

• This condition needed to prove memory safety (no
  use after free).
• Cannot be expressed in FO
• We need some predicate identifying a closed set
  of nodes that is allocated
• We require a theory of reachability (in effect,
  transitive closure)

Can we build an interpolating prover for full
FOL than that handles reachability, and avoids
divergence?
27
Partially Axiomatizing FO(TC)

• Axioms of the theory of arrays (with select and
  store)

8 (A, I, V) (select(update(A,I,V), I) V
8 (A,I,J,V) (I ? J ! select(update(A,I,V), J)
select(A,J))

• Axioms for reachability (rea)

8 (L,E) rea(L,E,E)
8 (L,E,X) (rea(L,select(L,E),X) ! rea(L,E,X))
if e-gtlink reaches x then e reaches x
8 (L,E,X) (rea(L,E,X) ! E X _
rea(L,select(L,E),X))
if e reaches x then e x or e-gtlink reaches x
etc...
Since FO(TC) is incomplete, these axioms must be
incomplete