Efficient Generation of Small
Interpolants in CNF
(for Model Checking)
Yakir Vizel1
Vadim Ryvchin2,3
Alexander Nadel3
CAV 2013
St. Petersburg, Russia
1. Computer Science Department, Technion, Israel
2. Information Systems Engineering Department, Technion, Israel
3. Design Technology Solutions Group, Intel Corporation, Israel
Reachability Analysis
Does an invariant P hold?
…Rn
R1
INIT
R2
Bad=¬P
2
Interpolants
• Given an unsatisfiable pair (A,B) of
propositional formulas
• There exists a formula I such that:
–AI
– I ∧ B is unsatisfiable
– I is over the common variables of A and B
ITP – Interpolation-based MC
McMillan, CAV 2003
A
B
INIT(V) ∧T(V,V1) ∧ T(V1,V2)∧T(V2,V3)∧(¬P(V1) ∨… ∨¬P(V3))
I
• I over-approximates the states
reachable from INIT in one transition
– It satisfies P and cannot reach a bad state
in two transitions or less
ITP – Interpolation-based MC
McMillan, CAV 2003
A
B
I(V)∧T(V,V1) ∧ T(V1,V2)∧T(V2,V3)∧(¬P(V1) ∨… ∨¬P(V3))
I’
• I is fed back to the formula
– A new interpolant is computed I’
– Iterative process
Motivation
• In ITP, a computed interpolant is fed
back into the BMC problem
• BMC problem is solved with a SAT solver
1. “Big” interpolant causes the BMC
problem to be hard to solve
2. Non-CNF interpolant needs to be
translated to CNF
6
g3
g3
g2
g2  g3
a1
A-local variables: a1
Global variables: g1, g2, g3
a1  g 2  g 3
g1
a1  g 1  g 2
a1  g2  g3
g4
g2  g 4
a1
a1  g1  g3 a1  g2  g3  g4 a1  g2
a1  g4 g2  g3 g3 7 g1
McMillan’s Method
I
I
I = [(g1  g2)  (g1  g3)] 
[(g2  g3  g4)  (g2  g4)]
g3
g3
g2
g2  g3
a1
(g2  g3  g4)  (g2  g4)
a1  g2  g3
(g1  g2)  (g1  g3)
g4
a1  g 2  g 3
g2  g 4
g2  g4
g1
g1  g2
a1  g 1  g 2
a1
g1  g3
g2  g3  g4
g2
a1  g1  g3 a1  g2  g3  g4 a1  g2
g4
a1  g 4
T
g2  g3
T
g
8 3
Our Method
• A two-phase method:
• Step one: Use both Quantifier
Elimination (QE) and the Resolution
Graph (RG) to compute an “almost”
interpolant
• Step two: Specifically for Model
Checking - use the structure of the
formula to apply inductive reasoning
9
Step One
• Use both QE and RG to compute an “almost”
interpolant
– For A(X,Y) ∧B(Y,Z)
• (∃X)(A(X,Y)) is an interpolant
– Quantifier elimination
• In SAT, eliminating existential quantifier amounts to
Variable Elimination (VE)
• Use the RG to guide VE
– More efficient than pure VE
– Yet, may be hard to compute
10
I
I
g3
g3
g2
I = [(g1  g2  g3  g4)  (g1  g2  g3  g
4)]  (g2  g4)]
g2  g3
a1
(a1  g1  g2)  (a1  g1  g3)
a1  g 2  g 3
g1
a1  g 1  g 2
a1  g 1  g 2
a1  g1  g3
a1  g1  g3
(a1  g2  g3  g4)  (g2  g4)
a 1  g 2  g 3
g4
g2  g 4
g2  g 4
a1
a1  g2  g3  g4 a1  g2 a1  g4
a1  g2  g3  g4 a1  g2 a1  g4 g2  g3
g3
11
A-local variable elimination:
I = (g1  g2  g3  g4)  (g1  g2)  (g1  g2  g3  g4)  (g1  g2  g3)  (g2  g4)
Resolution-driven
I = (g1  g2  g3  g4)  (g1  g2  g3  g4)  (g2  g4)
variable elimination:
g3
Saved!
g2  g 3
g3
g2
a1
a1  g2  g3
a1  g 2  g 3
g1
a1  g 1  g 2
g1  g2
g4
g1  g2  g3
g2  g4
a1
a1  g1  g3 a1  g2  g3  g4 a1  g2
a1  g 4
g2  g3
g3
12
Almost an Interpolant
• Bweak interpolant is a formula Iw s.t.:
– A  Iw
– I is over the common variables of A and B
– Iw ∧ B is not necessarily unsatisfiable
• Non-global interpolant is a formula In
s.t.:
– A  In
– In ∧ B is unsatisfiable
– In may contain variables local to A
Find Bweak Interpolant
• Apply resolution-driven variable
elimination but:
– Eliminate only when intermediate interpolant
does not grow as a result
• Apply incomplete A-local variable
elimination to I
– Eliminate A-local variables, but apply
resolution only to some of the pairs
• each input clause contributes to at least one
output clause
14
I
I is a non-global
Variable elimination is skipped,
since it would
interpolant
increase the number of clauses
I
I = (a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4) 
(a1  g6  g5)  (a1  g6)
g4  g5
g5
g4
a1
(a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4)
a1  g 4
(a1  g1  g2)  (a1  g2  g4)
a1  g 3  g 4
g3
(a1  g6  g5)  (a1  g6)
a1  g5
g2
a1  g 1  g 2
a1  g 2  g 3
a1  g 1  g 2
a1  g 1  g 2
g1
g5
g4  g5
g6
a1  g2  g4
g1  g3 a1  g2  g4
a1  g3  g4
a1  g6  g5
a1  g3  g4 a1  g6  g5
a1  g6
a1 15
 g6
I’ is a Bweak interpolant!
Incomplete variable elimination example: each input clause contributes to the
output
I’ = (g1  g2  g6  g5)  (g2  g4  g6)  (g3  g4  g6  g5)
I = (a1  g1  g2)  (a1  g2  g4)  (a1  g3  g4)  (a1  g6  g5)  (a1  g6)
16
Our Method
• A two-fold method:
• Step one: Use both Quantifier
Elimination (QE) and the Resolution
Graph (GR) to compute an “almost”
interpolant
• Step two: Specifically for Model
Checking - use the structure of the
formula to apply inductive reasoning
17
Step Two
……
I
s
F
Iw
¬P
Backward reachable from ¬P
in k-1 steps
Strengthening
Generalize
a state s in
Remove
Need atoset
using
inductive
Iw that
can
remove
of states
it
generalization
reach Bad
(a-la IC3)
Find a new
……
state s
I
F
¬P
Iw
s cannot be in
F(V)
s cannot
∧T(V,V’)
be
in F
……
F(V) => ¬s(V)
F(V) ∧T(V,V’) => ¬s(V’)
I’m an
Interpolant!
Yay!!
CNF-ITP
k=1;
while(BMC(INIT,k,Bad) = false) {
R = INIT;
n=0;
do {
n++;
Iw = ExtractBweakItp();
PushInductiveClauses(Iw); // Push forward
Iw = Iw ∧ nIk-1
// Incremental
nIk = Strengthen(R, I , k); // R is strengthened as well
w
n
k
if ( I => R) return valid;
R = R ∨ nIk;
}
while(BMC(nIk,k,Bad) = false);
k++;
}
return cex;
Average Clause Size Comparison (Log. Scale)
10000000
1000000
100000
C
N
F
10000
I
1000
T
P
100
10
1
1
10
100
1000
10000
ITP
100000
1000000
10000000
21
ITP vs. CNF-ITP Run-Time
900
800
700
C
N
600
F
500
400
I
T 300
P
200
100
0
0
100
200
300
400
500
ITP
600
700
800
900
22
Conclusions
•
•
•
•
Interpolants computed efficiently in CNF
Specific for MC
CNF used to optimize the MC algorithm
Brings ITP and IC3 together
– More can be done in this direction
Thank You