Download
1 / 45
450 likes | 549 Views
Generating Tiny Interpolants and Near-interpolants from a Resolution Refutation. Alexander Nadel 3 , Vadim Ryvchin 2,3 and Yakir Vizel 1 Interpolation’13 Workshop Saint Petersburg, Russia July 14 th , 2013 1 - Computer Science Dept . , The Technion, Haifa, Israel
E N D
Generating TinyInterpolants and Near-interpolantsfrom a Resolution Refutation Alexander Nadel3, Vadim Ryvchin2,3 and Yakir Vizel1 Interpolation’13 Workshop Saint Petersburg, Russia July 14th, 2013 1 - Computer Science Dept., The Technion, Haifa, Israel 2 - Information Systems Engineering Dept., The Technion, Haifa, Israel 3 - Intel, Haifa, Israel
Problem Statement • Interpolation-based model checking (ITP)is an efficient and complete model checking procedure. • One invocation of ITP uses many interpolants, where the interpolants are generated from a resolution refutationproduced by the SAT solver • Interpolants generated by the current method are highly redundant and might become too large rendering ITP slowor even intractable.
The Solution in Our CAV’13 Paper • Resolution-driven Variable Elimination (RVE) • is a new way to generate interpolants from a resolution refutation • generates tiny interpolants very fastin the vast majority of cases, but • when it gets stuckfor even ONE invocation for a given model checking instance, the model checker gets stuck • Solution to : • Adjust RVE so that it never gets stuck: when it cannot find an interpolant, it generates a near-interpolant • Only few additional clauses are required to make it an interpolant • We complete it to an interpolant with new model checkingtechniques • Main results: our model checking algorithm outperforms ITP on most test-cases; and the interpolants are 117x smaller
Today’s Agenda • In focus: algorithms for generating interpolants and near-interpolants from a resolution refutation: • A comparative description of 3 methods for generating interpolants: • McMillan’s approach: the fundamental widely used algorithm • A-local variable elimination • Resolution-driven variable elimination (RVE) • Adjusting RVE to generate near-interpolants in the worst case • Not in focus: • Completing a near-interpolant to an interpolant • Our model checking algorithm CNF-ITP
Interpolant Generation: Problem Definition • Input: propositional formulas A and B, such that A B⇒ • Output: a formula I, such that • A⇒I • I B⇒ • V(I) G, where G V(A) V(B) • Model checking needs: the interpolant is fed back into the SAT solver ⇒ it must be in CNF
Resolution • Resolution: given two clauses c1=c3 p and c2=c4 p, derive a logical consequence c5=c1pc2=c3c4 • p is the pivot variable • Resolution refutation: a derivation by resolution of the empty clause from a given unsatisfiable formula • A SAT solver can generate a resolution refutation
Example g3 g3 g2 g2 g3 a1 a1 g2 g3 A-local variables: a1 Global variables: g1, g2, g3 g4 a1 g2 g3 g2 g4 A B g1 a1 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
Method 1 for Interpolant Generation: McMillan’s Method • Associate a formula p(c) with each node as follows • An input node: • cA⇒p(c) = g(c) • g(c): c restricted to global literals • cB⇒p(c) = T • An internal node c3 = c1 pc2 • p is A-local ⇒p(c3) = p(c1) p(c2) • p isn’t A-local ⇒p(c3) = p(c1) p(c2) • p() is the interpolant
I McMillan’s Method g3 I g3 I = [(g1 g2) (g1 g3)] [(g2 g3 g4) (g2 g4)] g2 g2 g3 a1 (g2 g3 g4) (g2 g4) a1 g2 g3 (g1 g2) (g1 g3) g2 g4 g4 a1 g2 g3 g2 g4 g1 a1 g1 g2 g2 g3 g4 T g4 g1 g3 g2 T a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
McMillan’s Method: Pros and Cons • Pros: • The interpolant is linear in the size of the resolution refutation • ITP works well when the resolution refutation is not overly complex • Cons: • In many cases, the interpolant is huge and highly redundant • Simplifying the formula on-the-fly helps, but doesn’t eliminate the problem • The interpolant is not natively in CNF, translation is required
McMillan’s Method: Translating to CNF h e g I in CNF f d b a c g1 g2 g3 g4 I = [(g1 g2) (g1 g3)] [(g2 g3 g4) (g2 g4)]
Method 2 for Interpolant Generation: A-Local Variable Elimination • Variable elimination: • Given formula F in CNF and variable p • VE(F, p) is created by replacing clauses containing p with the results of pairwise resolutions between clauses containing p and p • VE(F, p) is equisatisfiable to F and p V(VE(F, p)) VE(A, a1) g1 g2 g3 g4 g1 g2 g3 g1 g2 g3 g4 g2 g4 g1 g2 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 a1 g2
A-Local Variable Elimination • Eliminate all the A-local variables from A one by one. • The resulting formula is an interpolant
A-Local Variable Elimination I = (g1 g2 g3 g4) (g1 g2) (g1 g2 g3 g4) (g1 g2 g3) (g2 g4) g1 g2 g3 g4 g1 g2 g3 g1 g2 g3 g4 g2 g4 g1 g2 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
A-Local Variable Elimination: Correctness • A ⇒I: follows from the correctness of resolution • I B⇒ • Proof: Start with A B⇒ and apply Lemma 1 for each elimination of A-local variable • Lemma 1: Let: (1) X∧ Y⇒ c; (2) p V(Y c). Then:VE(X, p) ∧ Y⇒ c. • V(I) G:by construction
A-Local Variable Elimination: Pros and Cons • Pro:the formula is natively in CNF ⇒ the translation overhead is saved • Con:variable elimination blows up • The same problem as in the DPLL algorithm for deciding SAT • Can one limit the amount of elimination and still get an interpolant?
Method 3 for Interpolant Generation: Resolution-driven Variable Elimination (RVE) • Associate a formula I(c), called the clause interpolant, with each node c reachable from A as follows: • For an input node: c ⇒ I(c) = c • For an internal node c3 = c1 pc2, wherec1 and c2 are reachable from A • p is global ⇒I(c3) = I(c1) I(c2) • pis A-local ⇒ I(c3) = VE(I(c1) I(c2), p) • For an internal node, one of whose parents is not reachable from A: propagate the clause interpolant from the other parent
I RVE g3 I g3 g2 I = [(g1 g2 g3 g4) (g1 g2 g3 g4)] (g2 g4)] g2 g3 a1 (a1 g2 g3 g4) (g2 g4) a1 g2 g3 (a1 g1 g2) (a1 g1 g3) g2 g4 g4 a1 g2 g3 g2 g4 g1 a1 a1 g1 g3 a1 g4 a1 g1 g2 a1 g2 g3 g4 a1 g2 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
RVE: Correctness • I(c) is a clause interpolant of a clause c reachable from A iff: • A⇒I(c) • I(c) B⇒ c • V(I(c)) G L(c) • L(c): A-local variables that appear in c • By definition a clause interpolant of is an interpolant • Proof: show that I(c) is a clause interpolant for every c
RVE: Pros and Cons • Pros • Terminates where A-local variable elimination blows up in many cases because of variable elimination locality
A-local variable elimination: I = (g1 g2 g3 g4) (g1 g2) (g1 g2 g3 g4) (g1 g2 g3) (g2 g4) Resolution-driven variable elimination: I = (g1 g2 g3 g4) (g1 g2 g3 g4) (g2 g4) g3 g3 Saved! g2 g2 g3 a1 a1 g2 g3 g1 g2 g1 g2 g3 g4 a1 g2 g3 g2 g4 g1 a1 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
RVE: Pros and Cons • Pros • Generates significantly smaller interpolants than A-local variable elimination because of variable elimination locality • Unlike McMillan’s method: • Optimizes the interpolant on-the-fly by local variable elimination • Generates the interpolant natively in CNF
Resolution-driven variable elimination: I = (g1 g2 g3 g4) (g1 g2 g3 g4) (g2 g4) g3 g3 g2 McMillan’s method: g2 g3 a1 a1 g2 g3 g4 a1 g2 g3 g2 g4 g1 a1 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
RVE: Pros and Cons • Pros • Generates significantly smaller interpolants than A-local variable elimination because of variable elimination locality • Unlike McMillan’s method: • Optimizes the interpolant on-the-fly by local variable elimination • Generates the interpolant natively in CNF • Cons • Might still blow-up because of variable elimination unlike McMillan’s method
Near-Interpolants • B-weak Interpolant • A ⇒I • I B⇒ • V(I) G • The algorithm: • Adjust RVE to generate a B-weak interpolant missing only few clauses from an interpolant. It may still find interpolants. • Find the remaining clauses with model checking techniques
Find B-weak Interpolant • B-weak Interpolant • A ⇒I • I B⇒ • (I) G • Non-Global Interpolant • A ⇒I • I B⇒ • (I) G • Apply RVE adjusted as follows: • For each node with A-local pivot variable p eliminate p only if the clause interpolant doesn’t grow as a result (bounded elimination) • Apply boundedA-local variable elimination to I globally • Apply incompleteA-local variable elimination to I • Eliminate A-local variables, but apply resolution only to some of the pairs, such that each input clause still contributes to at least one output clause After this stage we have either an interpolant or a non-global interpolant. We return in the former case, and continue in the latter. We have either an interpolant or a non-global interpolant. We return in the former case, and continue in the latter. We return a B-weak interpolant (which perchance may be an interpolant)
I I is a non-global interpolant. Variable elimination is skipped, since it would increase the number of clauses! I g5 I = (a1 g1 g2) (a1 g2 g4) (a1 g3 g4) (a1 g6 g5) (a1 g6) g4 g4 g5 a1 (a1 g1 g2) (a1 g2 g4) (a1 g3 g4) B a1 g4 g5 (a1 g1 g2) (a1 g2 g4) g3 a1 g3 g4 (a1 g6 g5) (a1 g6) a1 g5 g4 g5 g2 a1 g1 g2 a1 g2 g3 g6 g1 a1 g2 g4 a1 g1 g2 a1 g3 g4 a1 g6 g5 a1 g6 a1 g2 g4 a1 g3 g4 a1 g6 g5 a1 g1 g2 a1 g6 g1 g3
I’ is a B-weak interpolant! Incomplete variable elimination example: each input clause contributes to the output I’ = (g1 g2 g6 g5) (g2 g4 g6) (g3 g4 g6 g5) Variable elimination is skipped, since it would increase the number of clauses! I = (a1 g1 g2) (a1 g2 g4) (a1 g3 g4) (a1 g6 g5) (a1 g6)
RVE: Optimizations • Store only such parts of the resolution refutation that are reachable from A • Essential to keep the resolution refutation small • Can also be applied to McMillan’s method
RVE: Optimizations resolution refutation restricted to clauses implied by A Consider the cut as the input clauses instead of A • Start from the vertex cut in A-resolution refutation, such that: • its clauses are implied by Aonly, and • it’s the closest possible to
I I is an interpolant! g3 I g3 g2 I = g2 g3 g2 g3 a1 a1 g2 g3 g4 a1 g2 g3 g2 g4 g1 a1 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
I I is an interpolant I g5 I = (g1 g2 g5) (g2 g4 g5) (g3 g4 g5) g4 g4 g5 a1 (a1 g1 g2) (a1 g2 g4) (a1 g3 g4) a1 g4 g5 (a1 g1 g2) (a1 g2 g4) g3 a1 g3 g4 a1 g5 a1 g5 g4 g5 g2 a1 g1 g2 a1 g2 g3 g6 g1 a1 g2 g4 a1 g1 g2 a1 g3 g4 a1 g2 g4 a1 g3 g4 a1 g6 g5 a1 g1 g2 a1 g6 g1 g3
Experiments • Benchmarks: HWMC’12 benchmark set, 289 instances • Machines: Intel E5-2687W, 3.1GHz freq.; 32GB mem. • Timeout: 900 sec.
Results Summary • CNF-ITP vs. ITP vs. IC3, run-time • CNF-ITP outperforms ITPin 43 cases, while ITPis better in 18 cases • CNF-ITPoutperformsIC3 in 23 cases, while IC3 is better in 80cases • CNF-ITP outperforms bothITP and IC3 in 18 cases • CNF-ITP vs. ITP,interpolant size: 117x reduction! • RVE in CNF-ITP: • CNF-ITP with RVE only solved 16 instances out of 51 solved by CNF-ITP. • CNF-ITP with RVE onlyoutperforms bothITP and IC3 in 9cases • >95% of the clauses in the interpolants were generated by RVE • Some clauses are used across bounds and iterations in CNF-ITP • The remaining 5% clauses were generated with B-strengthening (inductive generalization)
Challenges • How to direct the SAT solver towards a good interpolant? • How to assess what “good” is? • The ultimate challenge: design an algorithm that instantly generates “good” tiny interpolants in CNF whenever the SAT solver completes
McMillan’s Method: Correctness • A ⇒I • Prove I⇒A as follows • Let m be an assignment that falsifies I • m defines a path from to a clause in A, falsified by m. • Invariant: p(c) is falsified by m for every clause in the path
I m = {a1, g1, g2,g3,g4} Non-A-local pivot: Choose a parent c, whose p(c) is falsified g3 I g3 A-local pivot: Choose a parent c, whose pivot literal is falsified (both p(c)’s are falsified) I = [(g1 g2) (g1 g3)] [(g2 g3 g4) (g2 g4)] g2 g2 g3 A ⇒I holds:the end clause in A is falsified by construction! a1 (g2 g3 g4) (g2 g4) a1 g2 g3 (g1 g2) (g1 g3) g2 g4 g4 a1 g2 g3 g2 g4 g1 a1 g1 g2 g2 g3 g4 T g4 g1 g3 g2 T a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
McMillan’s Method: Correctness • A ⇒I • Prove I ⇒A as follows • Let m be an assignment that falsifies I • m defines a path from to a clause in A, falsified by m. • I B⇒ • Invariant that holds for every clause: p(c) B⇒c • p(c) B⇒c implies (I = p()) B⇒
I McMillan’s Method The invariant: p(c) B⇒c g3 Local pivot: Assume m╞p(c3) B= (p(c1) B) (p(c2) B) Assume WLOG m╞p(c1) B. Since p(c1) B ⇒c1, we have m╞ c1. We have m╞ g(c1), otherwise switching the pivot’s value in m would contradict p(c1) B ⇒c1. c3 =g(c1) g(c2) \ (p G).Hence m╞ c3 The leafs: trivially holds I g3 Global pivot: p(c3) B= p(c1) p(c2) B ⇒ c1 c2 ⇒ c3 I = [(g1 g2) (g1 g3)] [(g2 g3 g4) (g2 g4)] g2 g2 g3 a1 (g2 g3 g4) (g2 g4) a1 g2 g3 m = {a1, g1, g2,g3,g4} (g1 g2) (g1 g3) g2 g4 g4 a1 g2 g3 g2 g4 g1 a1 g1 g2 g2 g3 g4 T g4 g1 g3 g2 T a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
McMillan’s Method: Correctness • A ⇒I • Prove I ⇒A as follows • Let m be an assignment that falsifies I • m defines a path from to a clause in A, falsified by m. • I B⇒ • The following invariant holds: p(c) B⇒c • p(c) B⇒c implies I = p() B⇒ • V(I) G • By construction
Clause interpolant: A⇒I(c) I(c) B⇒ c V(I(c)) G L(c) The leafs: trivially holds I RVE Correctness Global pivot: A⇒I(c1) I(c2) = I(c3) I(c3) B = I(c1) I(c2) B ⇒ c1 c2 ⇒c3 V(I(c3)) = V(I(c1)) V(I(c2)) G L(c1) L(c2) = G L(c3) g3 I g3 g2 Local pivot: A⇒I(c1) I(c2) ⇒VE(I(c1) I(c2), p) = I(c3) I(c3) B = VE(I(c1) I(c2), p) B⇒ c3 V(I(c3)) = V(I(c1)) V(I(c2)) \ {p} G L(c1) L(c2) \ {p} = G L(c3) I = [(g1 g2 g3 g4) (g1 g2 g3 g4)] (g2 g4)] g2 g3 a1 (a1 g2 g3 g4) (g2 g4) a1 g2 g3 I(c1) I(c2) B ⇒ c1 c2⇒ c3 Lemma 1: Let: (1) X ∧ Y ⇒ c; (2) p V(Y c). Then: VE(X, p) ∧ Y ⇒ c. (a1 g1 g2) (a1 g1 g3) g2 g4 g4 a1 g2 g3 g2 g4 g1 a1 a1 g1 g3 a1 g4 a1 g1 g2 a1 g2 g3 g4 a1 g2 a1 g2 g3 g4 a1 g1 g2 a1 g1 g3 a1 g4 g2 g3 g3 a1 g2
