Generalized Craig Interpolation for Stochastic Boolean Satisfiability Problems

Tino Teige, Martin Fränzle
Carl von Ossietzky Universität Oldenburg, Germany
Research Group Hybrid Systems
Transregional Collaborative Research Center "AVACS", German Research Council, SFB/TR 14
[email protected]

TACAS @ ETAPS 2011, Saarbrücken, Germany, March 29, 2011
Motivation: Symbolic model checking of probabilistic systems

Non-probabilistic case:
• Real-world system
• Safety property: "No crash!"
• Formal model: a hybrid automaton with locations s1, s2 and crash, continuous dynamics $\dot p = v$, and guarded transitions g1 and g2/a
• Symbolic encoding: $INIT(\vec{x})$, $TRANS(\vec{x}, \vec{x}\,')$, $BAD(\vec{x})$
• Model checking:
  ◦ bounded MC by SAT/SMT (falsification)
  ◦ Craig interpolation-based MC by SAT/SMT (verification)

Probabilistic case:
• Real-world system with random outcomes (the figure shows a 20% / 80% branch and a 97% / 3% branch)
• Safety property: "Probability of crash < 0.1%!"
• Formal model: the same automaton with the transitions annotated by probabilities (20%, 80%, 97%, 3%)
• Symbolic encoding: $INIT(\vec{x})$, $\exists\,\vec{nc}\;\mathsf{R}^{\vec{d}}\,\vec{pc} : TRANS(\vec{x}, \vec{nc}, \vec{pc}, \vec{x}\,')$, $BAD(\vec{x})$, where $\vec{nc}$ are the nondeterministic and $\vec{pc}$ the probabilistic choices with distribution $\vec{d}$
• Model checking:
  ◦ bounded MC by Stochastic SAT / Stochastic SMT (falsification)
  ◦ Craig interpolation-based MC by SSAT/SSMT (verification): the subject of this talk
Motivation: Craig interpolation in model checking

Non-probabilistic case:
• Start with the initial states: $\widehat{REACH}^0(\vec{x}) = INIT(\vec{x})$.
• Compute the one-step image $\exists \vec{x}\,' : \widehat{REACH}^0(\vec{x}\,') \wedge TRANS(\vec{x}\,', \vec{x})$ and check it against $BAD(\vec{x})$.
• When image and $BAD(\vec{x})$ are disjoint (their conjunction is unsatisfiable), a Craig interpolant $I^1(\vec{x})$ between them yields the next overapproximation $\widehat{REACH}^1(\vec{x})$.
• Repeat: image of $\widehat{REACH}^1$, interpolant $I^2(\vec{x})$, $\widehat{REACH}^2(\vec{x})$, and so on.
• Terminate when $\widehat{REACH}^{k+1}(\vec{x}) \Rightarrow \widehat{REACH}^k(\vec{x})$: the overapproximation is closed under $TRANS$ and excludes $BAD$.

Probabilistic case:
• The same picture: $\widehat{REACH}^k(\vec{x})$, its image $\exists \vec{x}\,' : \widehat{REACH}^k(\vec{x}\,') \wedge TRANS(\vec{x}\,', \vec{x})$, and $BAD(\vec{x})$.
• The image and $BAD(\vec{x})$ need not be disjoint: the bad states may be reachable with some (small) probability, so a classical Craig interpolant need not exist. What should take its place? (?)
Stochastic Boolean satisfiability (SSAT)

Stochastic Boolean Satisfiability [Papadimitriou 1985] = Boolean Satisfiability + Randomized quantifiers

SSAT formula Q : ϕ where
1. prefix Q of quantified propositional variables, e.g. $\exists x\; \mathsf{R}^{0.3} y$ (x existential, y randomized)
2. propositional SAT formula ϕ (matrix), e.g. ϕ = (x ∨ ¬y) ∧ (¬x ∨ y)
SSAT: Quantification

• ∃x : ϕ, i.e., for some value of x, ϕ holds.
• $\mathsf{R}^{p} y : \phi$, i.e., for random values of y, ϕ holds; y is true with probability p and false with probability 1 − p.

Randomized quantification describes probabilistic events: $\mathsf{R}^{0.5}\,heads$ models a coin flip that comes up heads with probability 0.5.
SSAT: Semantics

◮ SSAT formula: $\Phi = Q_1 x_1 \ldots Q_n x_n : \phi$ (Φ has no free variables)
◮ Semantics: maximum probability of satisfaction Pr(Φ)
  $Pr(\varepsilon : \phi) = 0$ if ϕ ≡ false
  $Pr(\varepsilon : \phi) = 1$ if ϕ ≡ true
  $Pr(\exists x\, Q : \phi) = \max\big(Pr(Q : \phi[true/x]),\; Pr(Q : \phi[false/x])\big)$
  $Pr(\mathsf{R}^{p} y\, Q : \phi) = p \cdot Pr(Q : \phi[true/y]) + (1 - p) \cdot Pr(Q : \phi[false/y])$
SSAT: Semantics (example)

$\Phi = \exists x\; \mathsf{R}^{0.3} y : (x \vee \neg y) \wedge (\neg x \vee y)$

Quantifier tree:
• x = true: y = true (p = 0.3) gives Pr = 1, y = false (p = 0.7) gives Pr = 0, hence Pr = 0.3 · 1 + 0.7 · 0 = 0.3
• x = false: y = true (p = 0.3) gives Pr = 0, y = false (p = 0.7) gives Pr = 1, hence Pr = 0.3 · 0 + 0.7 · 1 = 0.7
• Pr(Φ) = max(0.3, 0.7) = 0.7
SSAT: Decision procedures

◮ SSAT algorithms used in practice are based on the Davis-Putnam-Logemann-Loveland (DPLL) procedure
◮ DPLL-SSAT [Littman 1999; Littman, Majercik, Pitassi 2001]
  ◮ backtrack search explicitly traversing the quantifier tree
  ◮ algorithmic optimizations like unit propagation, purification, thresholding
Towards generalized Craig interpolation

• A ∧ B unsatisfiable (A ⇒ ¬B)
• I is a Craig interpolant iff
  ◦ V(I) ⊆ V(A) ∩ V(B)
  ◦ A ∧ ¬I unsatisfiable (A ⇒ I)
  ◦ I ∧ B unsatisfiable (I ⇒ ¬B)
  [Picture: I covers A, ¬I covers B, so I separates the two.]

In the SSAT setting Q : (A ∧ B):
• A ∧ B not necessarily unsatisfiable
• Pr(Q : (A ∧ B)) might be very small
• A ∧ B "almost" unsatisfiable
• A ∧ B satisfiable with insufficient probability
• What should I and ¬I be when A and B overlap? (?)
Generalized Craig interpolation: Idea

[Figure: the variables split into $V_A$ (only in A), $V_{A,B}$ (shared) and $V_B$ (only in B). The regions A and B overlap in A ∧ B; $S_{A,B}$ is that overlap projected onto the shared variables. The interpolant I is expressed over $V_{A,B}$ and separates A from B everywhere outside $S_{A,B}$.]
Generalized Craig interpolant: Definition

• SSAT formula Q : (A ∧ B)
• $S_{A,B} \equiv \exists V_A, V_B : (A \wedge B)$, the satisfiable part of A ∧ B projected onto the shared variables; consequently $(A \wedge \neg S_{A,B}) \Rightarrow \neg B$ and $A \Rightarrow \neg(B \wedge \neg S_{A,B})$
• I is a generalized Craig interpolant iff
  ◦ V(I) ⊆ V(A) ∩ V(B)
  ◦ $Pr(Q : (A \wedge \neg S_{A,B} \wedge \neg I)) = 0$, i.e. $(A \wedge \neg S_{A,B}) \Rightarrow I$
  ◦ $Pr(Q : (I \wedge B \wedge \neg S_{A,B})) = 0$, i.e. $I \Rightarrow \neg(B \wedge \neg S_{A,B})$
• Compare the classical case, where an interpolant lies between the strongest and the weakest one:
  $\exists V_A : A \;\Rightarrow\; I \;\Rightarrow\; \neg\exists V_B : B$
  A generalized Craig interpolant lies in the wider band
  $(\exists V_A : A \wedge \neg\exists V_B : B) \;\Rightarrow\; I \;\Rightarrow\; (\exists V_A : A \vee \neg\exists V_B : B)$
Generalized Craig interpolant: Computation

Example: $\Phi = \mathsf{R}^{0.8} a\; \exists x\; \mathsf{R}^{0.5} y\; \mathsf{R}^{0.3} b : \underbrace{(y) \wedge (a \vee \neg x)}_{A} \wedge \underbrace{(x) \wedge (b)}_{B}$

Conditions to establish:
◦ V(I) ⊆ V(A) ∩ V(B)
◦ $(A \wedge \neg S_{A,B}) \Rightarrow I \Rightarrow \neg(B \wedge \neg S_{A,B})$

Variable classes used by the resolution rules: a is A-local (partial interpolants are joined by ∨), b is B-local (joined by ∧), x is shared (rule $(v \vee I_1) \wedge (\neg v \vee I_2)$); the slides also apply the shared-variable rule to y.

DPLL-SSAT traversal. Each derived clause is annotated as $(clause)^{Pr}, I$ with the satisfaction probability of its subtree and its partial interpolant: clauses of A start with ⊥, clauses of B with ⊤, and a clause learned from a satisfying assignment admits either ⊤ or ⊥, written ⊤ | ⊥, which yields two interpolant variants.

• a = false, x = false: clause (x) of B violated: $(x)^{0}, \top$
• a = false, x = true: clause (a ∨ ¬x) of A violated: $(a \vee \neg x)^{0}, \bot$
  ◦ resolve on x: $(a)^{0},\; (x \vee \top) \wedge (\neg x \vee \bot) \equiv \neg x$
• a = true, x = false: $(x)^{0}, \top$
• a = true, x = true, y = false: clause (y) of A violated: $(y)^{0}, \bot$
• a = true, x = true, y = true, b = false: clause (b) of B violated: $(b)^{0}, \top$
• a = true, x = true, y = true, b = true: all clauses satisfied, Pr = 1; learned clause $(\neg a \vee \neg x \vee \neg y \vee \neg b)^{1},\; \top \mid \bot$
  ◦ resolve on b: $(\neg a \vee \neg x \vee \neg y)^{0.3},\; \top \wedge \top \equiv \top \mid \top \wedge \bot \equiv \bot$
  ◦ resolve on y: $(\neg a \vee \neg x)^{0.15},\; (y \vee \bot) \wedge (\neg y \vee \top) \equiv y \mid (y \vee \bot) \wedge (\neg y \vee \bot) \equiv \bot$
  ◦ resolve on x: $(\neg a)^{0.15},\; (x \vee \top) \wedge (\neg x \vee y) \equiv \neg x \vee y \mid (x \vee \top) \wedge (\neg x \vee \bot) \equiv \neg x$
• resolve $(a)^{0}$ and $(\neg a)^{0.15}$ on a: $\emptyset^{0.12},\; \neg x \vee (\neg x \vee y) \equiv \neg x \vee y \mid \neg x \vee \neg x \equiv \neg x$

Result: Pr(Φ) = 0.12, and the two partial interpolants of the empty clause, I = ¬x ∨ y and I = ¬x, are generalized Craig interpolants for Φ.
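As an added example (not code from the talk or its authors), the recursive semantics of the "SSAT: Semantics" slide and a brute-force checker for the three conditions of the generalized Craig interpolant definition, run on the page's two formulas. The partition A = (y) ∧ (a ∨ ¬x), B = (x) ∧ (b) follows the underbraces of the computation slide; the `implies` helper is this example's own shortcut and assumes every randomized probability lies strictly between 0 and 1.

```python
# Added example (not from the talk or its authors): the recursive SSAT semantics
# from the "SSAT: Semantics" slide, applied to the talk's two formulas, plus a
# brute-force check of the generalized Craig interpolant definition.
from itertools import product

# Prefix: list of (kind, variable, p); kind "E" is ∃x, kind "R" is R^p y.
# Matrix: a Python predicate over a full assignment dict {variable: bool}.

def pr(prefix, phi, env=None):
    """Pr(Q : phi): 0/1 at the leaves, max for ∃x, weighted sum for R^p y."""
    env = {} if env is None else env
    if not prefix:
        return 1.0 if phi(env) else 0.0
    kind, var, p = prefix[0]
    pt = pr(prefix[1:], phi, {**env, var: True})
    pf = pr(prefix[1:], phi, {**env, var: False})
    return max(pt, pf) if kind == "E" else p * pt + (1.0 - p) * pf

def projection(A, B, local_vars):
    """S_{A,B} = ∃V_A, V_B : (A ∧ B), a predicate on the shared variables:
    true iff some choice of the A-local and B-local variables satisfies A ∧ B."""
    def S(env):
        for vals in product((True, False), repeat=len(local_vars)):
            full = {**env, **dict(zip(local_vars, vals))}
            if A(full) and B(full):
                return True
        return False
    return S

def is_generalized_interpolant(prefix, A, vars_A, B, vars_B, I, vars_I):
    """The three conditions of the definition: V(I) ⊆ V(A) ∩ V(B),
    Pr(Q : A ∧ ¬S ∧ ¬I) = 0 and Pr(Q : I ∧ B ∧ ¬S) = 0."""
    shared = vars_A & vars_B
    if not vars_I <= shared:
        return False
    S = projection(A, B, sorted((vars_A | vars_B) - shared))
    c1 = pr(prefix, lambda e: A(e) and not S(e) and not I(e))  # (A ∧ ¬S) ⇒ I
    c2 = pr(prefix, lambda e: I(e) and B(e) and not S(e))      # I ⇒ ¬(B ∧ ¬S)
    return c1 == 0.0 and c2 == 0.0

def implies(prefix, P, Q):
    """P ⇒ Q on every assignment iff Pr(prefix : P ∧ ¬Q) = 0; valid because
    every randomized probability used here lies strictly between 0 and 1."""
    return pr(prefix, lambda e: P(e) and not Q(e)) == 0.0

# Semantics slide: Φ1 = ∃x R^0.3 y : (x ∨ ¬y) ∧ (¬x ∨ y)
PREFIX1 = [("E", "x", None), ("R", "y", 0.3)]
def phi1(e):
    return (e["x"] or not e["y"]) and (not e["x"] or e["y"])

# Computation slides: Φ2 = R^0.8 a ∃x R^0.5 y R^0.3 b : A ∧ B with
# A = (y) ∧ (a ∨ ¬x) and B = (x) ∧ (b); x is the shared variable.
PREFIX2 = [("R", "a", 0.8), ("E", "x", None), ("R", "y", 0.5), ("R", "b", 0.3)]
def A2(e):
    return e["y"] and (e["a"] or not e["x"])
def B2(e):
    return e["x"] and e["b"]
VARS_A2, VARS_B2 = {"a", "x", "y"}, {"x", "b"}

def check_example2():
    """Return (Pr(Φ2), ¬x is a generalized interpolant, ⊥ is one,
    ¬x ⇒ ¬B holds, A ⇒ ¬x holds)."""
    not_x = lambda e: not e["x"]
    bottom = lambda e: False
    args = (PREFIX2, A2, VARS_A2, B2, VARS_B2)
    return (round(pr(PREFIX2, lambda e: A2(e) and B2(e)), 6),
            is_generalized_interpolant(*args, not_x, {"x"}),
            is_generalized_interpolant(*args, bottom, set()),
            implies(PREFIX2, not_x, lambda e: not B2(e)),
            implies(PREFIX2, A2, not_x))

if __name__ == "__main__":
    print(pr(PREFIX1, phi1))  # 0.7
    print(check_example2())   # (0.12, True, False, True, False)
```

The last two flags show the "controlling computation" point: the interpolant ¬x satisfies I ⇒ ¬B but not A ⇒ I, so it is the variant obtained by choosing ⊥ at the satisfying leaf.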
Generalized Craig interpolant: Controlling computation

◮ given any SSAT formula Φ = Q : (A ∧ B), it is feasible to construct a generalized Craig interpolant I for Φ such that
  ◮ A ⇒ I, or
  ◮ I ⇒ ¬B

[Picture: in the first case I covers all of A, and ¬I covers B outside $S_{A,B}$; in the second case ¬I covers all of B, and I covers A outside $S_{A,B}$.]
Generalized Craig interpolation-based probabilistic model checking

Phase 1: symbolic overapproximation $\widehat{BREACH}(\vec{x})$ of the backward reachable states by generalized Craig interpolation

[Figure: a small probabilistic automaton with states i, t, e, f and transition probabilities 1, 0.1, 0.9, 0.5, 0.5 and 1. Starting from the bad states $B_0$, each interpolation step adds the states $B_1$, then $B_2$ and $B_3$, from which the bad states are reachable; their union is $\widehat{BREACH}(\vec{x})$.]
Generalized Craig interpolation-based probabilistic model checking

Phase 2: SSAT formula Φ(k) that
◮ describes k-bounded system behavior
◮ forces the system to stay within $\widehat{BREACH}(\vec{x})$

$$\Phi(k) = Q(k) : \underbrace{INIT(\vec{x}_0) \wedge \bigwedge_{i=1}^{k} TRANS(\vec{x}_{i-1}, \vec{t}_i, \vec{x}_i)}_{\text{states reachable within } k \text{ steps}} \wedge \underbrace{\bigwedge_{i=0}^{k} \widehat{BREACH}(\vec{x}_i)}_{\text{stay in back-reach set}}$$

◮ Pr(Φ(k)) gives an upper bound on the (maximum) reachability probability
◮ decreasing: Pr(Φ(0)) ≥ Pr(Φ(1)) ≥ . . . ≥ Pr(Φ(k))
Generalized Craig interpolation-based probabilistic model checking

Phase 3: compute the upper bounds Pr(Φ(k)) with an SSAT/SSMT solver

[Figure: probability (0.6 to 1) plotted against step depth k (0 to 20), with one curve of upper bounds and one curve of lower bounds.]
Generalized Craig interpolation: Future work

◮ tool support + meaningful experiments
◮ other (and smarter) schemes for probabilistic model checking
◮ more application areas (probabilistic stability?)
◮ extension to Stochastic SMT, i.e. SSAT + theories like non-linear arithmetic
  ◮ ⇝ symbolic verification procedure for (discrete-time) probabilistic hybrid systems

Thank you!