Interpolant Generation for UTVPI

The problem of computing Craig interpolants in SMT has recently received a lot of interest, mainly for its applications in formal verification. Efficient algorithms for interpolant generation have been presented for some theories of interest –including that of equality and uninterpreted functions (EUF), linear arithmetic over the rationals (LA(Q)), and some fragments of linear arithmetic over the integers (LA(Z))– and they are successfully used within model checking tools. In this paper we address the problem of computing interpolants in the theory of Unit-Two-Variable-Per-Inequality (UT VPI). This theory is a very useful fragment of LA(Z), since it is expressive enough to encode many hardware and software verification queries while still admitting a polynomial time decision procedure. We present an efficient graph-based algorithm for interpolant generation in UT VPI, which exploits the power of modern SMT techniques. We have implemented our new algorithm within the MathSAT SMT solver. Our experimental evaluation demonstrates both the efficiency and the usefulness of the new algorithm. 1 Motivations and goals Given two formulas A and B such that A∧B is inconsistent, a Craig interpolant (simply “interpolant” hereafter) for (A,B) is a formula I s.t. A entails I, I ∧B is inconsistent, and all uninterpreted symbols of I occur in both A and B. Since the seminal work of McMillan [17], interpolation has been recognized to be a substantial tool for formal verification. For instance, in the context of software model checking based on counter-example-guided-abstraction-refinement (CEGAR), interpolants of quantifier-free formulas in suitable theories are computed for automatically refining abstractions in order to rule out spurious counterexamples (see, e.g. [8, 11, 19]). This technique is used by state-of-the-art software model checkers like, e.g., Blast [2] and Impact [19]. Consequently, the problem of computing interpolants in SMT has received a lot of interest in the last years (e.g., [18, 26, 12, 22, 13, 5, 10, 3, 14]). In the recent years, efficient algorithms and tools for interpolant generation for quantifier-free formulas in SMT have been presented for some theories of ⋆ The first author is partly supported by the European Commission under project FP72007-IST-1-217069 COCONUT. The second and third authors are partly supported by SRC under GRC Custom Research Project 2009-TJ-1880 WOLFLING, and by MIUR under PRIN project 20079E5KM8 002. interest, including that of equality and uninterpreted functions (EUF) [18, 14], linear arithmetic over the rationals (LA(Q)) [18, 22, 5], and for their combination [26, 25, 5, 3]. In many applications, however, the domain of rational numbers is often inadequate for representing variables, which could be represented much more precisely in the integer domain (see, e.g., [7, 15]). Unfortunately, the computation of interpolants in the theory of linear arithmetic over the integers (LA(Z)) raises many more problems than LA(Q), and in fact there is no known and efficient algorithm for computing interpolants in LA(Z). The only known algorithm is based on quantifier elimination, which is typically prohibitively expensive, and also requires the introduction of divisibility predicates. Therefore, it is useful to investigate interpolation for fragments of LA(Z), simple enough to be treated efficiently, although general enough to allow for encoding a significant amount of verification problems. To this extent, Jain, Clarke and Grunberg [10] proposed efficient algorithms for computing interpolants for conjunctions of linear Diophantine equations and disequations and for conjunctions of linear modular equations, and showed that these algorithms enabled the verification of simple programs which could not be previously checked by CEGAR-based model checkers. In this paper, we move along the same track of Jain et al. [10], and we tackle the problem of computing interpolants in another important fragment of LA(Z), the theory of Unit-Two-Variable-Per-Inequality (UT VPI). In UT VPI a formula is a Boolean combination of atoms in the form (0 ≤ ax1 + bx2 + k), where xi are variables over Z, k is an integer constant, and a, b ∈ {−1, 0, 1}. UT VPI is a very interesting theory: it generalizes the well-known Difference Logic (DL(Z)) (where the a and b coefficient are forced to the 1 and −1 values, respectively), and it is one of the most expressive fragments of LA(Z) with a polynomial decision procedure [9]. (In fact, it is sufficient to extend the fragment to contain three unit variables, or to add non-unit coefficients, to make the decision problems NP-complete.) UT VPI is also a very useful fragment of LA(Z), since it allows to naturally express the queries occurring in many hardware and software verification problems [1, 24]. The problem of satisfiability modulo UT VPI can be tackled following the approach proposed in [20, 16], where the consistency check of a conjunction of UT VPI constraints is based on an encoding into DL. This allows for the use of very efficient graph-based decision procedures for DL [21, 6]: these algorithms have a O(n·m) time complexity for problems with n variables andm constraints, and are extremely fast in practice. In addition, they have all the features required for a tight integration within a modern SMT solver: incrementalitly and backtrackability, construction of minimal conflict sets, and deduction of unassigned literals (see [23] for a survey). The contribution of this paper is the first interpolation algorithm for UT VPI. The algorithm follows the decision procedure for UT VPI, working in two phases. In the first phase, it checks whether the conjunction of UT VPI constraints is inconsistent in the rational domain (UT VPI(Q)). If so, an interpolant is obtained with a generalization of the graph-based algorithm for DL [5]. The second phase is entered if the problem is consistent in the rational domain, but inconsistent in the integer domain. The second phase is also based on the analysis of the graph resulting from the encoding into DL. However, unlike with DL(Q) and DL(Z), the problem of interpolant generation on UT VPI(Z) is by no means a straightforward variant of that in UT VPI(Q), and several cases must be covered. The proposed algorithm has the following merits. First, it generates interpolants that are within UT VPI. This is important for applications where the computed interpolants are iteratively combined with the original problem, such as in interpolation-based bounded model checking [17]. Second, the approach can be easily implemented on top of a modern SMT procedure for UT VPI, and runs with very limited overhead. We have implemented our new algorithm within the MathSAT SMT solver [4], and performed experiments in order to evaluate both its efficiency and its usefulness. Our results demonstrate not only that our specialized UT VPI(Q) algorithm is faster and generates smaller interpolants than general LA(Q) interpolation procedures (and thus is interesting in itself), but also that our UT VPI(Z) algorithm can be useful for the verification of software model checking problems which require reasoning on the integers, and which could not be proved before by the Blast software model checker [2], due to the approximation resulting from its use of LA(Q) interpolation procedures. Content of the paper. In §2 we provide the necessary background knowledge on SMT and interpolant generation in SMT. In §3 we present our novel graphbased interpolant technique for UT VPI(Q), whilst in §4 we show how to extend it to the case of UT VPI over Z. In §5 we report some empirical results. In §6 we draw some conclusions, and outline directions for future research.