Revisiting Generalizations

37
Revisiting Generalizations Ken McMillan Microsoft Research Aws Albarghouthi University of Toronto

description

Revisiting Generalizations. Ken McMillan Microsoft Research. Aws Albarghouthi University of Toronto. Generalization. Interpolants are generalizations We use them as a way of forming conjectures and lemmas Many proof search methods uses interpolants as generalizations - PowerPoint PPT Presentation

Transcript of Revisiting Generalizations

Page 1: Revisiting Generalizations

Revisiting Generalizations

Ken McMillanMicrosoft Research

Aws AlbarghouthiUniversity of

Toronto

Page 2: Revisiting Generalizations

Generalization• Interpolants are generalizations• We use them as a way of forming conjectures and

lemmas• Many proof search methods uses interpolants

as generalizations• SAT/SMT solvers• CEGAR, lazy abstraction, etc.• Interpolant-based invariants, IC3, etc.

There is widespread use of the idea that interpolants are generalizations, and generalizations help to form proofs

Page 3: Revisiting Generalizations

In this talk• We will consider measures of the quality

of these generalizations• I will argue:• The evidence for these generalizations is

often weak• This motivates a retrospective approach:

revisiting prior generalizations in light of new evidence

• This suggests new approaches to interpolation and proof search methods that use it.We’ll consider how these ideas may apply in SMT and IC3.

Page 4: Revisiting Generalizations

Criteria for generalization• A generalization is an inference that in

some way covers a particular caseExample: a learned clause in a SAT solver

• We require two properties of a generalization:• Correctness: it must be true• Utility: it must make our proof task easier

A useful inference is one that occurs in a simple proof

Let us consider what evidence we might produce for correctness and utility of a given inference…

Page 5: Revisiting Generalizations

What evidence can we provide?• Evidence for correctness:• Proof (best)• Bounded proof (pretty good)• True in a few cases (weak)

• Evidence for utility:• Useful for one truth assignment• Useful for one program path

Page 6: Revisiting Generalizations

Interpolants as generalizations• Consider a bounded model checking

formula:

𝐼 ¬𝑃𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝑇 5

• Evidence for interpolant as conjectured invariant• Correctness: true after 3 steps• Utility: implies property after three steps

• Note the duality• In invariant generation, correctness and

utility are time-reversal duals.

interpolant

Page 7: Revisiting Generalizations

CDCL SAT solvers• A learned clause is a generalization

(interpolant)• Evidence for correctness: • Proof by resolution (strong!)

• Evidence for utility:• Simplifies proof of current assignment

(weak!)• In fact, CDCL solvers produce many clauses

of low utility that are later deleted.• Retrospection• CDCL has a mechanism of revisiting prior

generalization in the light of new evidence• This is called “non-chronological

backtracking”

Page 8: Revisiting Generalizations

Retrospection in CDCL

• CDCL can replace an old generalization with a new one that covers more cases• That is, utility evidence of the new clause is

better

The decision stack:

¬𝑥 ⊥Conflict!

Learned clause contradicts Backtrack to here

𝑥𝑟

Learned clause contradicts Backtrack to here

drops out of the proof on backtrack!

¬𝑟

Page 9: Revisiting Generalizations

Retrospection in CEGAR

• Greater evidence for than • Two cases against one

• However, most CEGAR methods cannot remove the useless predicate at this point

𝑄

¬𝑄

𝑃

¬𝑃

This path has two possible refutations of equal utility

Use predicate here

Next path can only be refuted using

CEGAR considers one counterexample path at a time

Page 10: Revisiting Generalizations

Retrospection and Lazy SMT• Lazy SMT is a form of CEGAR• “program path” truth assignment (disjunct in

DNF)• A theory lemma is a generalization

(interpolant)• Evidence for correctness: proof• Evidence for utility: Handles one disjunct• Can lead to many irrelevant theory lemmas

• Difficulties of retrospection in lazy SMT• Incrementally revising theory lemmas• Architecture may prohibit useful

generalizations

Page 11: Revisiting Generalizations

Diamond example with lazy SMT

𝑥1=𝑥0+1

𝑥1=𝑥0

𝑥2=𝑥1+1

𝑥2=𝑥1

𝑥3=𝑥2+1

𝑥3=𝑥2

𝑥4=𝑥3+1

𝑥4=𝑥3

𝑥4<𝑥0

• Theory lemmas correspond to program paths:

¬(𝑥1=𝑥0+1∧𝑥2=𝑥1+1∧𝑥3=𝑥2∧𝑥4=𝑥3∧𝑥4<𝑥0)¬(𝑥1=𝑥0∧𝑥2=𝑥1∧𝑥3=𝑥2+1∧ 𝑥4=𝑥3+1∧𝑥4<𝑥0)

… (16 lemmas, exponential in number of diamonds)

• Lemmas have low utility because each covers only once case• Lazy SMT framework does not allow higher utility inferences

∨ ∨ ∨ ∨

Page 12: Revisiting Generalizations

Diamond example (cont.)

• We can produce higher utility inferences by structurally decomposing the problem• Each covers many paths• Proof is linear in number of diamonds

𝑥1=𝑥0+1

𝑥1=𝑥0

𝑥2=𝑥1+1

𝑥2=𝑥1

𝑥3=𝑥2+1

𝑥3=𝑥2

𝑥4=𝑥3+1

𝑥4=𝑥3

𝑥4<𝑥0

𝑥1≥𝑥0 𝑥2≥ 𝑥0 𝑥3≥ 𝑥0

Page 13: Revisiting Generalizations

Compositional SMT• To prove unsatisfiability of • Infer an interpolant such that and .• The interpolant decomposes the proof

structurally• Enumerate disjuncts (samples) of separately.

𝑆 𝐴 ,𝑆𝐵←∅

Choose so and

If not then add a disjunct to and continue…

If not then add a disjunct to and continue…

is unsatisfiable!

Use SMT solverAs block box

Chose to cover the samples as simply as possible

With each new sample, we reconsider the interpolant to maximize utility

Page 14: Revisiting Generalizations

Example in linear rational arithmetic

• and can be seen as sets of convex polytopes

𝐴= (𝑥 ≤1∧ 𝑦≤3 )∨ (1≤ 𝑥≤2∧ 𝑦 ≤2 )∨ (2≤ 𝑥≤3∧ 𝑦 ≤1 )

𝐴1

𝐴2

𝐴3

𝐵=(𝑥≥2∧ 𝑦 ≥3)∨(𝑥≥3∧2≤ 𝑦 ≤3)

𝐵1

𝐵2

An interpolant is a separator for these sets.

Page 15: Revisiting Generalizations

Compositional approach1. Choose two samples from and and compute an interpolant

Point (1,3) is in , but not

2. Add new sample containing point (1,3) and update interpolant to

3. Interpolant now covers all disjunctsNotice we reconsidered our first interpolant choice in light of further evidence.

Page 16: Revisiting Generalizations

Comparison to Lazy SMT• Interpolant from a lazy SMT solver proof:

• Each half-space corresponds to a theory lemma• Theory lemmas have low utility

• Four lemmas cover six cases

Page 17: Revisiting Generalizations

B3

Why is the simpler proof better?• A simple fact that covers many cases

may indicate an emerging pattern...

B4

• Greater complexity allows overfitting• Especially important in invariant generation

Page 18: Revisiting Generalizations

Finding simple interpolants• We break this problem into two parts• Search for large subsets of the samples that

can be separated by linear half-spaces.• Synthesize an interpolant as a Boolean

combination of these separators.

The first part can be accomplished by well-established methods, using an LP solver and Farkas’ lemma. The Boolean function synthesis problem is also well studied, though we may wish to use more light-weight methods.

Page 19: Revisiting Generalizations

Farkas’ lemma and linear separators• Farkas’ lemma says that inconsistent

rational linear constraints can be refuted by summation:

()()

𝑎𝑏

()constraints solve

• The proof of unsat can be found by an LP solver• We can use this to discover a linear

interpolant for two sets of convex polytopes and .

Page 20: Revisiting Generalizations

Finding separating half-spaces• Use LP to simultaneously solve for:• A linear separator of the form • A proof that for each in • A proof that for each in

• The separator is an interpolant for • The evidence for utility of is the size of

and • Thus, we search for large sample sets that

can be linearly separated.• We can also make simpler by setting as

many coefficients in to zero as possible.

Page 21: Revisiting Generalizations

Half-spaces to interpolants• When every pair of samples in are

separated by some half space, we can build an interpolant as a Boolean combination.

𝐴1

𝐴2

𝐵1

𝐵2

Each region is a cube over half-spaces

Must be true

Must be false

Don’t care

In practice, we don’t have to synthesize an optimal combination

Page 22: Revisiting Generalizations

Sequential verification• We can extend our notions of evidence and

retrospection to sequential verification• A “case” may be some sequence of program steps• Consider a simple sequential program:

x = y = 0;while(*) x++; y++;while(x != 0) x--; y--;assert (y <= 0);

{y x}

Wish to discover invariant:

Page 23: Revisiting Generalizations

{y = 0}

{y = 1}

{y = 2}

{y = 1}

{y = 0}

{False}

{True}

{x y}

{x y}

{x y}

{x y}

{x y}

{False}

{True}

Execute the loops twice

• These interpolants cover all the cases with just one predicate.

• In fact, they are inductive.

• These predicates have low utility, since each covers just one case.

• As a result, we “overfit” and do not discover the emerging pattern.

x = y = 0;

x++; y++;

x++; y++;

[x!=0];x--; y--;

[x!=0];x--; y--;

[x == 0][y > 0]

Choose interpolants at each step, in hope of obtaining inductive invariant.

Page 24: Revisiting Generalizations

𝑥

𝑦

Sequential interpolation strategy• Compute interpolants for all steps

simultaneously• Collect (pre) and (post) samples at each

step• Utility of a half-space measured by how many

sample pairs it separates in total. • Step 0: low evidence

(bad!)

• Step 1: better evidence

(good!)

Page 25: Revisiting Generalizations

• Occam’s razor says simplicity prevents over-fitting• This is not the whose story, however

• Consider different separators of similar complexity

Are simple interpolants enough?

𝑥

𝑦

(good!) (yikes!)

Simplicity of the interpolant may not be sufficient for a good generalization.

Page 26: Revisiting Generalizations

Proof simplicity criterion• Empirically, the strange separators seem

to be avoided by minimizing proof complexity• Maximize zero coefficients in Farkas proofs• This can be done in a greedy way

• Note the difference between applying Occam’s razor in synthetic and analytic cases• We are generalizing not from data but from

an argument• We want the argument to be as simple as

possible

Page 27: Revisiting Generalizations

Value of retrospection• 30 small programs over integers• Tricky inductive invariants involving linear

constraints• Some disjunctive, most conjunctive

Tool Comp. SMT

CPAChecker

UFO InvGenwith AI

InvGen w/o AI

% solved 100 57 57 70 60

• Better evidence for generalizations• Better fits the observed cases• Results in better convergence

• Still must trade off cost v. utility in generalizing• Avoid excessive search while maintaining

convergence

Page 28: Revisiting Generalizations

Value of retrospection (cont)• Bounded model checking of inc/dec

program• Apply compositional SMT to the BMC

unfolding• First half of unfolding is , second half is

• Compare to standard lazy SMT using Z3 Exponential theory lemmas achieved in practice.

Computing one interpolant gives power ½ speedup.

Page 29: Revisiting Generalizations

Incremental inductive methods (IC3)• Compute a sequence interpolant by local

proof

𝑃7𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝑇 5 𝑇 6

⇒ ⇒ ⇒ ⇒ ⇒ ⇒Interpolant successively weakensCheck:

Cex: Check:

Cex: Check:

Goal: Goal:

is inductive relative to

𝑐 𝑐 𝑐 𝑐 𝑐 𝑐Inductive generalization

Infer clause satisfying:

𝐹 4∧𝑐4∧𝑇 4⇒𝑐5𝑐⇒¬𝑠 ′𝐼⇒𝑐

𝐹 0 𝐹 1 𝐹 2 𝐹 3 𝐹 4 𝐹 5 𝐹 6𝐼 0

Valid!

Page 30: Revisiting Generalizations

Generalization in IC3

• Think of inferred clauses as speculated invariants• Evidence for correctness

• Clause is proved up to steps• Relative inductiveness (except initial inferences)

• Clause is “as good as” previous speculations• Evidence for utility

• Rules out one bad sample• Note the asymmetry here

• Correctness and utility are dual• IC3 prefers correctness to utility

• Is the cost paid for this evidence too high?

𝐹 0 𝐹 1 𝐹 2 𝐹 3 𝐹 4 𝐹 5 𝐹 6 𝐹 6

𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝑇 5 𝑇 6 𝑇 6

¬𝑠 (bad state)

𝑐 𝑐 𝑐 𝑐 𝑐 𝑐 𝑐Inductive generalization

Page 31: Revisiting Generalizations

Retrospection in IC3?• Find a relatively inductive clause that

covers as many bad states as possible

𝐹 4∧𝑐4∧𝑇 4⇒𝑐5𝑐⇒¬𝑠∧¬𝑠 ′∧…

𝐼⇒𝑐

• Search might be inefficient, since each test is a SAT problem

• Possible solution: relax correctness evidence• Sample on both A and B side• Correctness evidence is invariance in a sample of

behaviors rather than all up to depth k.

Page 32: Revisiting Generalizations

True in all A samples

Generalization problem

¬𝑎∨¬𝑏separator

A samples(reachable states)

¬𝑎∧𝑏∧¬𝑐¬𝑎∧¬𝑏∧𝑐𝑎∧¬𝑏∧𝑐

False in many B samples

B samples(bad states)

𝑎∧𝑏∧¬𝑐𝑎∧𝑏∧𝑐¬𝑎∧𝑏∧𝑐

• Find a clause to separate A and B samples

This is another two-level logic optimization problem. This suggests logic optimization techniques could be applied to computing interpolants in incremental inductive style.

Page 33: Revisiting Generalizations

Questions to ask• For a given inference technique we can ask

• Where does generalization occur?• Is there good evidence for generalizations?

• Can retrospection be applied?• What form do separators take?• How can I solve for separators? At what cost?

• Theories: arrays, nonlinear arithmetic,…• Can I improve the cost?

• Shift the tradeoff of utility and correctness• Can proof complexity be minimized?

• Ultimately, is the cost of better generalization justified?

Page 34: Revisiting Generalizations

Conclusion• Many proof search methods rely on

interpolants as generalizations• Useful to the extent the make the proof simpler

• Evidence of utility in existing methods is weak• Usually amounts to utility in one case• Can lead to many useless inferences

• Retrospection: revisit inferences on new evidence• For example, non-chronological backtracking• Allows more global view of the problem• Reduces commitment to inferences based on

little evidence

Page 35: Revisiting Generalizations

Conclusion (cont)• Compositional SMT• Modular approach to interpolation• Find simple proofs covering many cases• Constraint-based search method• Improves convergence of invariant discovery

• Exposes emerging pattern in loop unfoldings• Think about methods in terms of• The form of generalization• Quality of evidence for correctness and utility• Cost v. benefit of the evidence provided

Page 36: Revisiting Generalizations

Cost of retrospection• Early retrospective approach due to Anubhav

Gupta• Finite-state localization abstraction method• Finds optimal localization covering all abstract cex’s.• In practice, “quick and dirty” often better than optimal

• Compositional SMT usually slower than direct SMT• However, if bad generalizations imply divergence,

then the cost of retrospection is justified.• Need to understand when revisiting generalizations is

justified.

Page 37: Revisiting Generalizations

Inference problem• Find a clause to separate A and B

samples• Clause must have a literal from every A

sample• Literals must be false in many B samples• This is a binate covering problem

• Wells studied in logic synthesis• Relate to Bloem et al

• Can still use relative inductive strengthening• Better utility and evidence