A Combination Method for
Generating Interpolants
by G. Yorsh and M. Masuvathi
Presentation by: Emilia Katz
1
The Goal
• Given:
restrictions on
T1 and T2 will
be seen later…
– theory T – combination of T1 and T2
– A and B – two logical T-formulas
– A ⋀ B is unsatisfiable in T
– efficient interpolant-generation procedures
exist for T1 and T2
• Find:
– interpolant for <A,B>
if both sub-procedures are
polynomial, the resulting
procedure will also be polynomial
2
The Idea
• How to find an interpolant efficiently?
– Derive it from unsatisfiability proof
• But how? And how to get the proof?
• We don’t want to make further assumptions about
T1 and T2, so
– We don’t know how their interpolant-generation
procedures work
– We don’t know how their decision procedures work
• The idea: use them as black boxes
– Combine d.p.-s for T1 and T2 into a d. p. for T.
– Use the proof and the interpolant-generation
procedures for T1 and T2 to derive an interpolant in T.
Nelson-Oppen
framework…
3
Example
T1 = UIF (uninterpreted functions theory)
T2 = LI (linear equalities theory)
A ≝ (f(x1)+x2=x3)  (f(y1)+y2=y3) (y1x1)
B ≝ (x2=g(b))(y2=g(b))(x1  y1)(x3 < y3)
• UIF and LI satisfy the requirements
[assume it meanwhile, we’ll return to it later]
• A  B is unsatisfiable
[we’ll see this in a couple of minutes]
4
Nelson – Oppen framework
… for combining decision procedures
• Given:
– theory T – combination of T1 and T2
– A and B – two conjunctions of literals in T
• Goal: is A ⋀ B satisfiable in T ?
• Assumptions:
–
–
–
–
= every quantifierfree Σi-formula is
satisfiable in Ti iff it is
satisfied by a Tiinterpretation with
infinite domain
Σ = Σ1  Σ2 (denote: Σ = ΣT, Σi = ΣTi)
Σ1  Σ2 = {=}
T1, T2 are stably-infinite
T1, T2 have decision procedures for satisfiability of
conjunctions of Σi literals
5
N.-O. framework application example
T1 = UIF (uninterpreted functions theory)
T2 = LI (linear equalities theory)
A ≝ (f(x1)+x2=x3)  (f(y1)+y2=y3) (y1x1)
B ≝ (x2=g(b))(y2=g(b))(x1  y1)(x3 < y3) replace:
f(x1) by a1,
f(y1) by a2
1. Purification:
ALI = (a1+x2=x3)  (a2+y2=y3) (y1x1) add equalities
for a1, a2
AUIF = ((a1 = f(x1))  (a2 = f(y1))
no replacements
BLI = (x1  y1)(x3 < y3)
needed
BUIF = (x2=g(b))(y2=g(b))
6
Application Example – contd.
2. Equality propagation:
UIF
under the line:
EqUIF
LI
(1) a1 = f(x1)
(5) a1+x2=x3
(2) a2 = f(y1)
(6) a2+y2=y3
(3) x2=g(b)
(7) y1x1
(4) y2=g(b)
(8) x1  y1
-------------------(10) x1 = y1
(9) x3 < y3
-------------------(11) a1 = a2
(12) x2 = y2
under the line:
EqLI
Unsatisfiable! Theory: LI
Eq = (a1=a2  x2=y2)
7
Nelson – Oppen framework
in T
AB
adding new variables to replace
objects of the “wrong” type, and
equalities “defining” them
Purification
in T1
in T2
A1 
A2 
B1
B2
F2:= A2 
F1:= A1 
Equality propagation
B2
B1
Dec. proc.
Dec. proc.
for T1
for T2
Unsat.
Unsat.
Sat.
Sat.
Equality
derivation
in T1 (Eq1)
F2 :=
F2Eq
Unsatisfiable!
(found by Ti,
with Eq)
Equality
F1 :=
derivation
F1Eq
in T2 (Eq2)
2
1
no more new equalities
Satisfiable!
8
Theory-specific Interpolant
Given:
not necessary
• T – first order theory of signature Σ
for the method
to work
•
L – class of quantifier-free Σ-formulas
properly
• ΣT  Σ – interpreted symbols in T
• A, B ∈ L such that A ⋀ B ⊦T ⊥
Then theory-specific interpolant for <A,B> is
I ∈ L such that:
new requirement: quantifier-free interpolants
(for completeness of SAT-checks with
1. A ⊦T I
interpolants [in subsequent analysis stages])
2. I ⋀ B ⊦T ⊥
less strict
requirement: I can
3. V(I )  (V(A)V(B)) ΣT
set of symbols that
appear in the formula
contain not only ABcommon symbols
9
Requirement (3) Change Motivation
contradictio
n with B!
Example:
A ≝ c2 = car(c1) ⋀ c3 = cdr(c1) ⋀ atom(c1)
Axiom of T:
B ≝ c1 = cons(c2 ,c3)
∀x(atom(x) ⇒
In theory of Lisp structures
cons(car(x),cdr(x))=x)
Apply to x=A:
• ci – s are lists
A ⇒ (c1 = cons(c2 ,c3))
• car(c) = “head” element of the list c
Interpolant (by
• cdr(c) = “tail” of the list c
def.)
• cons(c,d) = concatenation of d after c c1 =new
cons(c2 ,c3)
• ΣT = {car, cdr, cons, atom}
• A ⋀ B ⊦T ⊥
“cons” is not AB–common; “cons”,
“atom”, “cdr”, “car” not alowed in I
=> no interpolant for <A,B>!
10
Interpolants Generation Method
first-order
theories
Assumptions:
Input: <Ai,Bi> - conjunctions
of Σi literals; output –
• T – combination of T1, T2
interpolant as Li formula
• Σ = Σ1  Σ2
• efficient interpolant-generation procedures exist for T1
and T2
• Restrictions from Nelson-Oppen framework:
– Σ1  Σ2 = {=}
– T1, T2 are stably-infinite
– T1, T2 have decision procedures for satisfiability of conjunctions
of Σi literals
to be
explained
• T1, T2 are equality-interpolating
• T1, T2 are convex
( (xi = yi)) ⇒ ∃k.
(xk=yk)
Guarantee:
• Output: theory-specific interpolant for <A,B> in T
11
Simple Case
Constraints to be relaxed later:
• A, B – conjunctions of literals
Constraints possible to relax
• T1, T2 are convex theories
Arise from the use
of the NelsonOppen framework
Relaxed in another
work of the
authors…
12
Naïve approach
Given: AB ⊦T
⊥
in T
AB
Nelson-Oppen
framework for <T1,T2>
“Satisfiable!”
“Unsatisfiable!”
+ Eq (propagated equalities)
+ P (proof of AiBi ⊦Ti ⊥)
Ai  Eq|Ai
Interpolant I
for <A,B>
?
P
Interpolant generation
procedure for Ti
Bi  Eq|Bi
13
The problem - example
A ≝ (f(x1)+x2=x3)  (f(y1)+y2=y3) (y1x1)
B ≝ (x2=g(b))(y2=g(b))(x1  y1)(x3 < y3)
• Contradiction found by LI between
A’ = ALI(a1=a2); B’ = BLI(x1=y1)(x2=y2)
• Interpolant found for <A’,B’> in LI:
I = (x2-y2=x3-y3)
• Is I interpolant for <A,B> in T?
– I B T ⊥
– But A  I:
(f(x1)+x2=x3)  (f(y1)+y2=y3) (y1x1)  (x2-y2=x3-y3)
– A → A’ doesn’t have to hold => A  I
additional information
from B might appear in A’
14
Proposed solution:
Partial Interpolants
Attach one to each
equality propagated in
the unsatisfiability
proof in NelsonOppen framework
Definition: Projection
Given Θ – conjunction of AB-pure literals
Define Θ|A – conjunction of A-local literals,
Θ|B – conjunction of B-local and AB-common literals
Note: Θ = Θ|A  Θ|B
Example: A = (a1=f(x1)  a2 = f(y1)),
B = (a1=f(x1)  a3 = f(y1))
Θ = A  B = (a2 = f(y1)  a1=f(x1)  a3 = f(y1))
Θ|A
Θ|B
15
Partial Interpolant – defn.
in our case, V(A’)V(A), V(B’)V(B) => interpolant
for e contains only AB-common symbols
Definition: Theory-specific partial interpolant
A’,B’ - conjunctions of pure literals in Σi,
e – AB-pure atomic formula generated by decision
procedure for the theory Ti: A’B’ Ti e
thus, A’B’ e Ti ⊥
Then:
Theory-specific partial interpolant for e w.r.t. <A’,B’>,
φiA’,B’(e), is the interpolant generated for
<A’(e|A’), B’(e|B’)> by Ti’s procedure
16
LI-Partial Interpolant Example
• First equality propagated:
e=(x1=y1); A’ = ALI, B’ = BLI
• (7)  ALI, (8)  BLI
• e|A’= true, e|B’= (x1=y1)
• Interpolant for < y1x1 ,
(x1y1)  (x1=y1) >:
φLIA’,B’(x1=y1)= y1  x1
UIF
LI
(1) a1 = f(x1)
(5) a1+x2=x3
(2) a2 = f(y1)
(6) a2+y2=y3
(3) x2=g(b)
(7) y1x1
(4) y2=g(b)
(8) x1  y1
------------------ (9) x3 < y3
(10) x1 = y1
------------------
x1, y1 are AB-common
17
Partial Interpolant – contd.
reason for restriction to
equality-interpolating theories
Definition: Partial interpolant
• e – AB-pure equality derived from AB in Nelson-Oppen
framework by a theory Ti: AiBiEq Ti e derived from AB
• Ai, Bi – conjunctions of pure literals
by Nelson-Oppen
procedure…
• Eq – a set of AB-pure equalities
Partial interpolant for e w.r.t. <A,B>, φA,B(e), is defined
inductively:
• Base:
– e  Ai ⇒ φA,B(e) = ⊥,
– e  Bi ⇒ φA,B(e) = ⊤
• Inductive step: Let A’ ≝ AiEq|A, B’ ≝ BiEq|B
φA,B(e) = (φiA’,B’(e)  ⋁aA’ φA,B(a))  ⋀bB’ φA,B(b)
a, b - equalities
18
Partial interpolant - example
• Find partial interpolant for <A,B>, φA,B(⊥),
from the running example:
• Follow the proof step-by-step
• Step1: deriving (x1=y1)
– Ti = LI
– Eq = ⊤, thus:
– A’ = ALI = (a1+x2=x3)  (a2+y2=y3) (y1x1)
– B’ = BLI = (x1  y1)(x3 < y3)
– φA,B(x1=y1) = φLIA’,B’(x1=y1) = y1  x1
19
Partial interpolant example – contd.
• Step2: deriving (a1=a2)
– Ti = UIF
propagated eq. used
to derive a1=a2
– Eq = (x1=y1)
A’=AUIF => we have
results only from
– Eq|A = ⊤, Eq|B = (x1=y1), thus:
the base case
– A’ = AUIF = ((a1 = f(x1))  (a2 = f(y1))
– B’ = BUIF(x1=y1) = (x2=g(b))(y2=g(b))
(x1=y1)
– φA,B(a1=a2) = (φUIFA’,B’(a1=a2)  ⊥) =
⋀(xbB’
φ=A,B
(b)
φA,B
=y
)
(y1

1
1
x1)
– φUIFA’,B’(a1=a2)= (x1=y1)
– φinterpolant-generation
= rest
(y1is<True
x 1)
A,B(a1=a2) = (x1=y1)(y1  x1)the
proc. of UIF
from the base case
20
Partial interpolant example – contd.
• Step3: deriving (x2=y2)
–
–
–
–
–
no propagated eq.
Ti = UIF
needed to derive x2=y2
Eq = ⊤, thus:
A’ = AUIF = ((a1 = f(x1))  (a2 = f(y1))
B’ = BUIF = (x2=g(b))(y2=g(b))
φA,B(x2=y2) = φUIFA’,B’(x2=y2) =
= interpolant, derived by UIF’s procedure for
<A’(x2=y2)|A’, B’  (x2=y2)|B’> =
=⊤
=
(x2=y2)
=interpolant for < ((a
1 = f(x1))  (a2 = f(y1)),
(x2=g(b))(y2=g(b))  (x2=y2) >
=> Internal contradiction => φA,B(x2=y2) = ⊤
21
Partial interpolant example – contd.
• Step4: deriving ⊥
–
–
–
–
propagated eq.-s
Ti = LI
used to derive ⊥
Eq = (x2=y2) (a1=a2)
Eq|A = (x2=y2) (a1=a2), Eq|B = ⊤, thus:
A’ = ALI(x2=y2)(a1=a2) = ((a1 = f(x1))(a2 = f(y1))
(x2=y2)(a1=a2)
⋀bB’ φA,B(b) = ⊤
from the base case
– B’ = BLI = (x2=g(b))(y2=g(b))
– φA,B(⊥) = (φLIA’,B’(⊥)  (φA,B(x2=y2)  φA,B(a1=a2)))  ⊤
= (x2-y2=x3-y3)
=⊤
= (y1<x1)
=> φA,B(⊥) = ((x2-y2=x3-y3))  (y1 < x1)
interpolant-generation
proc. of UIF
22
Correctness
Lemma 1:
The partial interpolant, φA,B(e), is an
interpolant for < A (e|A), B (e|B) >
in the combined theory T.
φA,B(⊥) is an interpolant for < A, B >
23
Equality-interpolating theories
• Restriction on T1, T2 : they should be equalityinterpolating
Definition:
Theory T is equality-interpolating if whenever
– A, B  T
– AB T (a=b)
– a V(A)-V(B), b V(B)-V(A)
=> Exists a term t s.t.
– AB T (a=t)  (b=t)
– V(t)  V(A)  V(B)
thus propagation of
AB-pure equalities
only in the NelsonOppen framework is
enough indeed
t is called equality-interpolating term for (a=b)
with respect to <A,B>
24
Equality-interpolating theories (contd.)
• LI, UIF, Lisp are equality-interpolating
theories
• Not all the theories are equality-interpolating.
Example:
– theory with two relation symbols, P and Q
– axiom: abc P(a,c)Q(c,b) ⇒ (a=b)
– let A ≝ P(a,c), B ≝ Q(c,b)
– A  B (a=b)
– But: no equality-interpolating term for (a=b) !
25
Relaxing constraints
• Constraints to be relaxed:
– A, B – conjunctions of literals
• The idea: use
i.e., CNF
formulas
– Extended Pudlák’s algorithm
=> propositional interpolants for a pair of clause sets
– Lazy Proof-Explication framework (using SAT-slover)
=> checking satisfiability of arbitrary quantifier-free
FOL formulas
26
Pudlák’s algorithm
•
Input:
–
–
–
•
•
A, B – pair of clause sets
A ⋀ B ⊦T ⊥
T – proof of unsatisfiability for A ⋀ B
For each clause c in T, define p(c):
variant of the
seen before
partial
interpolant
for c
c is a
result of
resolution;
x - pivot
1. (a) cA ⇒ p(c) := ⊥
(b) cB ⇒ p(c) := ⊤
x – A-local
• otherwise, x,c1,c2.(c = resolvex(c1,c2))
x – B-local
(a) xA and xB ⇒ p(c) := p(c1)p(c2)
(b) xB and xA ⇒ p(c) := p(c1)p(c2)
(c) x - AB-common ⇒ p(c) := (x  p(c1))(x 
p(c2))
p(⊥) is the interpolant for <A,B>
27
Pudlák’s algorithm correctness
•
•
Invariant:
For each clause c  T,
p(c) is an interpolant for <gA(c), gB(c)>
gA(c) =A(c)|A, gB(c)=B(c)|B
Thus:
(c = ⊥) ⇒ gA(⊥) = A, gB(⊥) = B
⇒[invariant] p(⊥) is the interpolant for <A,B>
28
Lazy Proof-Explication framework
• Our input – quantifier-free FOL formulas
• Nelson-Oppen framework works on
conjunctions of literals
• How to bridge the gap?
• Use SAT-solver!
29
Lazy Proof-Explication framework
L.P.E.
φ=A 
B
SATsolver
atomic formulas replaced
by boolean variables
propositional abstraction
result: φ’
satisfiability check
Unsat.
+ C (conflict clauses set)
Sat.
satisfying ass. s for φ’
Nelson-Oppen
framework for <T1,T2>
“Unsatisfiable!”
s = conjunction of literals;
satisfies φ propositionally
Sat.
“Satisfiable!”
Unsat.
φ’:= φ’ s; C:= C 
{s}
s = new conflict clause
30
Obtaining the interpolant
•
We would like to :
–
–
•
give Pudlák’s algorithm the proof obtained from
L.P.E. framework
obtain interpolant
Problem: the base case!
(a) cA ⇒ p(c) := ⊥
(b) cB ⇒ p(c) := ⊤
•
Now possible: cA and cB
–
Conflict clauses appear in the proof, and a conflict
clause may involve local literals from both A and B
31
L.P.E. framework - observations
• For each conflict clause cC, c is a
conjunction of literals
• c is unsatisfiable (proven by N.-O.)
• c contains only literals from A and B
=> every literal in c is AB-pure
• Thus we can apply previously described
method (“simple case”) to find an
interpolant between (c)|A and (c)|B
32
Partial Interpolant for Clauses
Definition: Partial interpolant for clauses
• AB T ⊥
• C – corresponding set of conflict clauses
• ABC – propositionally unsatisfiable
• cC
Partial interpolant for c, φA,B(c), is defined inductively:
• Base:
– c  A ⇒ φA,B(c) = ⊥,
– c  B ⇒ φA,B(c) = ⊤
• Inductive step:
φA,B(c) = interpolant for <c|A ,c|B> in T
can be
calculated by
the “simple
case” method
33
Extended Pudlák’s algorithm
•
Input:
–
–
–
•
<A,B; C> where A, B, C – clause sets
A ⋀ B ⊦T ⊥
T – proof of unsatisfiability for A ⋀ B
C – set of
conflict
clauses
For each clause c in T, define p(c):
1. c is not a resolution result ⇒ p(c):= φA,B(c)
2. otherwise, x,c1,c2.(c = resolvex(c1,c2))
No change
needed
(a) xA and xB ⇒ p(c) := p(c1)p(c2)
here…
(b) xB and xA ⇒ p(c) := p(c1)p(c2)
(c) x - AB-common ⇒ p(c) := (x  p(c1))(x 
p(c2))
•
p(⊥) is the interpolant for <A,B>
34
Extended algorithm correctness
•
•
Enough to show the invariant is maintained, i.e.,
c  T, p(c) is an interpolant for <gA(c), gB(c)>
gA(c) =A(c)|A, gB(c)=B(c)|B
Observation: in the base case,
–
–
–
cA ⇒ φA,B(c) = ⊥ ⇒
p(c) := ⊥ (as in the original algorithm) ⇒
old proof works
cB ⇒ φA,B(c) = ⊤ ⇒
p(c) := ⊤ (as in the original algorithm) ⇒
old proof works
new case: cA and cB ⇒ need new proof
35
Extended algorithm correctness(2)
• Base case:
– left to prove for the case cA and cB
– then φA,B(c) is interpolant for <c|A ,c|B>
(by definition)
⇒ ((c)|A  φA,B(c)) ⇒ ((A(c)|A)  φA,B(c))
⇒ (φA,B(c) (c)|B  ⊥) ⇒ ((B (c)|B)  φA,B(c)  ⊥)
– thus p(c)=φA,B(c) is indeed an interpolant for
<A (c)|A,B (c)|B > in T
• Induction step:
– the proof relied only on the fact that the invariant
holds in the base case => the old proof stays correct
36
Conclusions
• Presented: efficient and modular method
for interpolant-generation
• Generic, and not theory-specific method
• Easy to incrementally extend interpolationgeneration to additional theories
• Uses Nelson-Oppen framework in a
modular way, and in case of its
improvement can easily connect to the
new version
37
Thank you!
38