1
Abstractions From Proofs, presented in POPL'04
Authors: Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar and Kenneth L. McMillan
Presented by: Yael Meller, June 2008
2
Program abstraction
1: while(*) {
2:   if(p1) 3: lock();
4:   if(p1) 5: unlock();
6:   if(p2) 7: lock();
8:   if(p2) 9: unlock();
…
4n-2: if(pn) lock();
4n-1: if(pn) unlock();
}
return
[Figure: control-flow graph of the program with locations 1, 2, 3, 4, 5, 6, …, ret; edges are labelled true, p1, ¬p1, lock() and unlock()]
Main obstacle when using CEGAR
Analyze a false negative efficiently: learn a small set of predicates that eliminates the spurious counterexample.
4
Predicate abstraction example
Goal: check whether locking and unlocking alternate.
Try #1:
[Figure: abstract model over locations 1, 2, 3, 4, 5, 6, 7 (lock()), 8 and ret, with edges labelled true, p1, ¬p1, p2, ¬p2, lock() and unlock(); the abstract path shown is the counterexample below]
Counterexample trace:
assume p1;
lock();
assume !p1;
assume p2;
lock();
Analyze counterexample: Spurious! Need to track predicate p1.
5
Predicate abstraction example
[Figure: the abstraction refined with predicate p1; the abstract states at locations 1 to 8 are annotated with p1 or ¬p1, and the edges carry lock(), unlock(), p1, ¬p1 and p2]
6
Reminder - Interpolant
Interpolant definition: then and
. ,ITP
false
false
7
Paper’s main contributions
Interpolants from unsatisfiability proof of a formula -+.
Local predicates from interpolants
8
Outline of method
[Flowchart:]
Generate initial abstraction M̂ from M (and the property to check).
Model check whether M̂ satisfies the property. If it does: stop.
Otherwise generate counterexample T̂ and check whether it is spurious: build the trace formula and prove it.
Formula satisfiable: T̂ is not spurious (stop).
Formula unsatisfiable: T̂ is spurious. Generate local predicates, refine the abstraction, and model check again.
9
Build trace formula
Abstract trace        Constraints (SSA)
1: x:=ctr;            <x,1>=<ctr,0>
2: ctr:=ctr+1;        <ctr,1>=<ctr,0>+1
3: y:=ctr;            <y,2>=<ctr,1>
4: assume(x=m);       <x,1>=<m,0>
5: assume(y≠m+1);     <y,2>≠<m,0>+1
The conjunction of the constraints is the trace formula.
10
Check trace formula
Abstract trace        Constraints
1: x:=ctr;            <x,1>=<ctr,0>
2: ctr:=ctr+1;        <ctr,1>=<ctr,0>+1
3: y:=ctr;            <y,2>=<ctr,1>
4: assume(x=m);       <x,1>=<m,0>
5: assume(y≠m+1);     <y,2>≠<m,0>+1
Use a theorem prover on the trace formula.
Proved unsatisfiable: the prover returns a proof. No proof of unsatisfiability: concrete trace.
11
Splitting the trace
First part - first 2 constraints: <x,1>=<ctr,0>, <ctr,1>=<ctr,0>+1
Second part - last 3 constraints: <y,2>=<ctr,1>, <x,1>=<m,0>, <y,2>≠<m,0>+1
Interpolant according to proof: ITP = (<x,1>=<ctr,1>-1)
Replace constants with variables: x=ctr-1
12
Predicates from interpolants
The interpolant at the cut, <x,1>=<ctr,1>-1, is an over-approximation of the states reachable along the first part of the trace.
No continuation of the trace is possible from any state satisfying it: the interpolant together with the second part of the trace formula is unsatisfiable (false).
Replacing constants with variables gives x=ctr-1, which can be used as a predicate; it should be used at location 2.
13
Predicates from interpolants
Infeasible trace      Constraints
1: x:=ctr;            <x,1>=<ctr,0>
2: ctr:=ctr+1;        <ctr,1>=<ctr,0>+1
3: y:=ctr;            <y,2>=<ctr,1>
4: assume(x=m);       <x,1>=<m,0>
5: assume(y≠m+1);     <y,2>≠<m,0>+1
Predicates (one per cut-point): x=ctr, x=ctr-1, x=y-1, y=m+1
14
Adding predicates from interpolants - example
[Figure: abstract reachability tree for the trace below: 1 (x:=ctr) → 2 (ctr:=ctr+1) → 3 (y:=ctr) → 4, branching on x=m / x≠m → … → 5, branching on y=m+1 / y≠m+1, where the y≠m+1 branch leads to ERR]
1: x:=ctr;
2: ctr:=ctr+1;
3: y:=ctr;
4: assume(x=m);
5: assume(y≠m+1);
15
Adding predicates from interpolants - example
[Figure: the same reachability tree with the learned predicates x=ctr, x=ctr-1, x=y-1 and y=m+1 attached along the trace, each at its cut-point; once y=m+1 is tracked, the abstract edge labelled y≠m+1 into ERR can no longer be taken]
1: x:=ctr;
2: ctr:=ctr+1;
3: y:=ctr;
4: assume(x=m);
5: assume(y≠m+1);
Predicates: x=ctr, x=ctr-1, x=y-1, y=m+1
16
What do we have so far?
Create the trace formula from the counterexample.
If the trace is infeasible, get an unsatisfiability proof.
Split the trace formula at cut-points.
Learn local predicates from the interpolants of the different cuts.
Missing: derive the interpolant from the proof.
17
Interpolants from proofs
Use theorem prover to generate refutations.
Formulas are given in the quantifier-free fragment of first-order logic of linear equality, e.g. 0 ≤ c0 + c1x1 + … + cnxn.
Denote:
1 1... ...n kp p q q 1 1,..., ; ,...,n kp p q q
18
The proof system
[Figure: the four proof rules.
HYP: a hypothesis in the premise set is derivable.
COMB: from 0≤x and 0≤y, with c1, c2 > 0, derive 0≤c1x+c2y.
CONTRA: from a derivation of 0≤c with c<0 (i.e. false) under the literals ¬a1, …, ¬an, derive the clause a1 ∨ … ∨ an.
RES: resolve two clauses on a literal, giving the disjunction of the remaining literals.]
19
Proof example
Hypotheses: 0≤y-x, 0≤z-y, 0≤x-z-1
HYP: 0≤z-y        HYP: 0≤y-x
COMB (c1=c2=1): 0≤z-x        HYP: 0≤x-z-1
COMB (c1=c2=1): 0≤-1, i.e. false
This is a refutation proof.
20
Proof structure
Inequality layer: built with (HYP, COMB)*.
Boolean layer: CONTRA followed by RES*.
[Figure: the four proof rules (HYP; COMB: 0≤x, 0≤y, c1, c2 > 0 give 0≤c1x+c2y; CONTRA; RES), repeated from the previous slide]
21
Inequality interpolated sequent
(A,B) |= (0≤x)[0≤x'] holds when:
A |= (0≤x'), B |= (0≤x-x'), and for all variables v not occurring in B, the coefficients of v in x and x' are the same.
If (0≤x) is false then (0≤x') is an interpolant.
22
Extracting interpolated sequents from proof
[Figure: interpolated HYP rule, two cases. HYP A: for a hypothesis 0≤x of A, (A,B) |= (0≤x)[0≤x], i.e. the partial interpolant is the hypothesis itself. HYP B: for a hypothesis 0≤x of B, (A,B) |= (0≤x)[0≤0].]
23
Extracting interpolated sequents from proof
[Figure: interpolated COMB rule: from (A,B) |= (0≤x)[0≤x'] and (A,B) |= (0≤y)[0≤y'] with c1, c2 > 0, derive (A,B) |= (0≤c1x+c2y)[0≤c1x'+c2y'].]
24
Prove soundness
A |= (0≤c1x'+c2y'): we know A |= (0≤x') and A |= (0≤y'); apply COMB with c1 and c2.
B |= (0≤c1x+c2y-c1x'-c2y'): we know B |= (0≤x-x') and B |= (0≤y-y'); apply COMB with c1 and c2.
For all variables v not occurring in B, the coefficients of v in x, x' and in y, y' are the same, so they also agree in c1x+c2y and c1x'+c2y'.
25
Clause interpolation sequence
(-+) |= [] - |= (\+) + |= (+) +
If is false then is an interpolant
26
Extracting interpolated sequents from proof
[Figure: interpolated CONTRA rule: in the premise, the literals a1, …, ak come from A and b1, …, bm from B, and the derived inequality carries a partial interpolant 0≤x'; the conclusion is the clause a1 ∨ … ∨ ak ∨ b1 ∨ … ∨ bm with a partial interpolant built from 0≤x' and the b literals.]
27
Prove soundness - |= (\+) in CONTRA: - |= a1…ak
a1…ak|=
+, |= (+) in CONTRA: +, |= b1…bm
b1…bm|=(0≤-1) thus |= b1…bm
+ : coefficients equality in -1 and ’ for + v
[Figure: interpolated CONTRA rule, repeated]
Inequality interpolant sequent
A |= (0≤x'), B |= (0≤x-x'), and for all variables v not occurring in B, the coefficients of v in x and x' are the same.
28
Extracting interpolated sequents from proof
[Figure: interpolated RES rule, two cases, RES A and RES B, according to whether the pivot literal l comes from A or from B; each resolves two interpolated clause sequents and gives the resolvent a partial interpolant built from the two premises' partial interpolants.]
29
Extracting interpolated sequents from proof - example
A: 0≤z-y, 0≤y-x        B: 0≤x-z-1
HYP A: 0≤z-y [0≤z-y]        HYP A: 0≤y-x [0≤y-x]
COMB: 0≤z-x [0≤z-x]        HYP B: 0≤x-z-1 [0≤0]
COMB: 0≤-1 [0≤z-x]
0≤-1 is equivalent to false,
Thus: 0≤z-x is an interpolant for (A,B).
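The following Python is an added example (not code from the slides or from the paper's authors): it replays the refutation above in the inequality layer, carrying the partial interpolant of each interpolated sequent exactly as the HYP A, HYP B and COMB rules prescribe, and checks the variable side condition at the root. The function names (term, add, replay, interpolant) and the step encoding are my own.

```python
from fractions import Fraction

def term(const=0, **coeffs):
    """0 <= const + sum(coeff*var); the key "" holds the constant."""
    t = {v: Fraction(c) for v, c in coeffs.items() if c != 0}
    return {**t, "": Fraction(const)} if const else t

def add(c1, t1, c2, t2):
    """c1*t1 + c2*t2 with zero coefficients dropped."""
    out = {}
    for c, t in ((Fraction(c1), t1), (Fraction(c2), t2)):
        for v, k in t.items():
            out[v] = out.get(v, Fraction(0)) + c * k
    return {v: k for v, k in out.items() if k != 0}
def is_false(t):  # 0 <= c with c < 0 and no variables, like the slide's 0<=-1
    return set(t) <= {""} and t.get("", Fraction(0)) < 0
def replay(a_hyps, b_hyps, steps):
    """steps: ("hyp", "A"|"B", index) or ("comb", node_i, node_j, c1, c2);
    returns the interpolated sequents (x, x') in proof order."""
    nodes = []
    for step in steps:
        if step[0] == "hyp":
            _, side, i = step
            t = (a_hyps if side == "A" else b_hyps)[i]
            # HYP A: the partial interpolant is the hypothesis itself; HYP B: 0<=0
            nodes.append((t, t if side == "A" else {}))
        else:
            _, i, j, c1, c2 = step
            assert c1 > 0 and c2 > 0, "COMB needs positive coefficients"
            # COMB combines the inequality and its partial interpolant alike
            nodes.append((add(c1, nodes[i][0], c2, nodes[j][0]),
                          add(c1, nodes[i][1], c2, nodes[j][1])))
    return nodes

def interpolant(a_hyps, b_hyps, steps):
    # the root's x' is an interpolant for (A,B) once the root inequality is false
    x, xp = replay(a_hyps, b_hyps, steps)[-1]
    if not is_false(x):
        return None
    # side condition: with x constant, x' may only mention variables occurring in B
    b_vars = {v for t in b_hyps for v in t if v}
    assert all(v in b_vars for v in xp if v), "x' mentions an A-local variable"
    return xp
# slide 29: A = {0<=z-y, 0<=y-x}, B = {0<=x-z-1}, with the slide's proof steps
A = [term(z=1, y=-1), term(y=1, x=-1)]
B = [term(-1, x=1, z=-1)]
PROOF = [("hyp", "A", 0), ("hyp", "A", 1), ("comb", 0, 1, 1, 1),
         ("hyp", "B", 0), ("comb", 2, 3, 1, 1)]
INTERPOLANT = interpolant(A, B, PROOF)  # equals {'z': 1, 'x': -1}, i.e. 0 <= z-x
```

Swapping the roles of A and B (and reordering the proof steps accordingly) yields 0≤x-z-1 as the interpolant, which again mentions only the shared variables x and z.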
30
Conclusion
[Figure: the CEGAR loop from the 'Outline of method' slide, repeated: generate the initial abstraction M̂, model check it, generate a counterexample T̂, check whether it is spurious by proving the trace formula, and if it is, generate local predicates and refine.]
31
THE END
Thank You!