Global guidance for local generalization in model checking

In the theory of Linear Integer Arithmetic (LIA), formulas are defined over a signature that includes interpreted function symbols \(+\), −, \(\times \), interpreted predicate symbols <, \(\le \), \(\mid \), interpreted constant symbols \(0,1,2,\ldots \), and uninterpreted constant symbols \(a, b,\ldots , x,y,\ldots \). We write \(\mathbb {Z}\) for the set of interpreted constant symbols, and call them integers. We use constants to refer exclusively to the uninterpreted constants (these are often called variables in LIA literature). Terms (and accordingly formulas) in LIA are restricted to be linear, that is, multiplication is never applied to two constants.

We write \(\textsc {LIA}^{-\text {div}}\) for the fragment of LIA that excludes divisiblity (\(d \mid h\)) predicates. A literal in \(\textsc {LIA}^{-\text {div}}\) is a linear inequality; a cube is a conjunction of such inequalities, that is, a polytope. We find it convenient to use matrix-based notation for representing cubes in \(\textsc {LIA}^{-\text {div}}\). A ground cube \(c \in \textsc {LIA}^{-\text {div}} \) with p inequalities (literals) over k (uninterpreted) constants is written as \(A \cdot \vec{x}\le \vec{n}\), where A is a \(p \times k\) matrix of coefficients in \(\mathbb {Z}^{p \times k}\), \(\vec{x}= (x_1 \cdots x_k)^T\) is a column vector that consists of the (uninterpreted) constants, and \(\vec{n}= ( n_1 \cdots n_p)^T\) is a column vector in \(\mathbb {Z}^p\). For example, the cube \(x \ge 2 \wedge 2x + y \le 3\) is written as \( \begin{bmatrix}-1 &{} 0 \\ 2 &{} 1 \end{bmatrix} \cdot \begin{bmatrix} x \\ y \end{bmatrix} \le \begin{bmatrix} -\;2 \\ 3\end{bmatrix}. \) In the sequel, all vectors are column vectors, super-script T denotes transpose, dot is used for a dot product and \([\vec{n}_1; \vec{n}_2]\) stands for a matrix of column vectors \(\vec{n}_1\) and \(\vec{n}_2\).

A common pre-condition for all of our global rules in Algorithm 3 is the existence of a subset of lemmas \(\mathcal {L}\) of some frame \(\mathcal {O}_i\). Attempting to apply the rules for every subset of \(\mathcal {O}_i\) is infeasible. In practice, we use syntactic similarity between lemmas as a predictor that one of the global rules is applicable, and restrict \(\mathcal {L}\) to subsets of syntactically similar lemmas. In the rest of this section, we formally define what we mean by syntactic similarity, and how syntactically similar subsets of lemmas, called clusters, are maintained efficiently throughout the algorithm.

Syntactic similarity. A formula \(\pi \) with free variables is called a pattern. Note that we do not require \(\pi \) to be in LIA. Let \(\sigma \) be a substitution, i.e., a mapping from variables to terms. We write \(\pi \sigma \) for the result of replacing all occurrences of free variables in \(\pi \) with their mapping under \(\sigma \). A substitution \(\sigma \) is called numeric if it maps every variable to an integer, i.e., the range of \(\sigma \) is \(\mathbb {Z}\). We say that a formula \(\varphi \) numerically matches a pattern \(\pi \) iff there exists a numeric substitution \(\sigma \) such that \(\varphi = \pi \sigma \). Note that, as usual, the equality is syntactic. For example, consider the pattern \(\pi = v_0a + v_1b \le 0\) with free variables \(v_0\) and \(v_1\) and uninterpreted constants a and b. The formula \(\varphi _1 = 3a + 4b \le 0\) matches \(\pi \) via a numeric substitution \(\sigma _1 = \{v_0 \mapsto 3, v_1 \mapsto 4\}\). However, \(\varphi _2 = 4b + 3a \le 0\), while semantically equivalent to \(\varphi _1\), does not match \(\pi \). \(\varphi _3 = a + b \le 0\) also does not match \(\pi \) because a and b do not have coefficients in \(\varphi _3\), whereas \(\pi \) only matches literals with coefficients for both a and b.

Matching is extended to patterns in the usual way by allowing a substitution \(\sigma \) to map variables to variables. We say that a pattern \(\pi _1\) is more general than a pattern \(\pi _2\) if \(\pi _2\) matches \(\pi _1\). A pattern \(\pi \) is a numeric anti-unifier for a pair of formulas \(\varphi _1\) and \(\varphi _2\) if both \(\varphi _1\) and \(\varphi _2\) match \(\pi \) numerically. We write \(\textit{anti}(\varphi _1, \varphi _2)\) for a most general numeric anti-unifier of \(\varphi _1\) and \(\varphi _2\). We say that two formulas \(\varphi _1\) and \(\varphi _2\) are syntactically similar if there exists a numeric anti-unifier between them (i.e., \(\textit{anti}(\varphi _1, \varphi _2)\) is defined). Anti-unification is extended to sets of formulas in the usual way.

Clusters. We use anti-unification to define clusters of syntactically similar formulas. Let \(\Phi \) be a fixed set of formulas, and \(\pi \) a pattern. A cluster, \(\mathcal {C}_{\Phi }(\pi )\), is a subset of \(\Phi \) such that every formula \(\varphi \in \mathcal {C}_{\Phi }(\pi )\) numerically matches \(\pi \). That is, \(\pi \) is a numeric anti-unifier for \(\mathcal {C}_{\Phi }(\pi )\). In the implementation, we restrict the pre-conditions of the global rules so that a subset of lemmas \(\mathcal {L}\subseteq \mathcal {O}_i\) is a cluster for some pattern \(\pi \), i.e., \(\mathcal {L}= \mathcal {C}_{\mathcal {O}_i}(\pi )\).

Clustering lemmas. We use the following strategy to efficiently keep track of available clusters. Let \(\ell _{\text {new}}\) be a new lemma to be added to \(\mathcal {O}_i\). Assume there is at least one lemma \(\ell \in \mathcal {O}_i\) that numerically anti-unifies with \(\ell _{\text {new}}\) via some pattern \(\pi \). If such an \(\ell \) does not belong to any cluster, a new cluster \(\mathcal {C}_{\mathcal {O}_i}(\pi ) = \{\ell _{\text {new}}, \ell \}\) is formed, where \(\pi = \textit{anti}(\ell _{\text {new}}, \ell )\). Otherwise, for every lemma \(\ell \in \mathcal {O}_{i}\) that numerically matches \(\ell _{\text {new}}\) and every cluster \(\mathcal {C}_{\mathcal {O}_i}(\hat{\pi })\) containing \(\ell \), \(\ell _{\text {new}}\) is added to \(\mathcal {C}_{\mathcal {O}_i}(\hat{\pi })\) if \(\ell _{\text {new}}\) matches \(\hat{\pi }\), or a new cluster is formed using \(\ell \), \(\ell _{\text {new}}\), and any other lemmas in \(\mathcal {C}_{\mathcal {O}_i}(\hat{\pi })\) that anti-unify with them. Note that a new lemma \(\ell _{\text {new}}\) might belong to multiple clusters.

For example, suppose \(\ell _{\text {new}}= (a \le 6 \vee b \le 6)\), and there is already a cluster \(\mathcal {C}_{\mathcal {O}_i}(a \le v_0 \vee b \le 5) = \{ (a \le 5 \vee b \le 5), (a \le 8 \vee b \le 5)\}\). Since \(\ell _{\text {new}}\) anti-unifies with each of the lemmas in the cluster, but does not match the pattern \(a \le v_0 \vee b \le 5\), a new cluster that includes all of them is formed w.r.t. a more general pattern: \(\mathcal {C}_{\mathcal {O}_i}(a \le v_0 \vee b \le v_1) = \{ (a \le 6 \vee b \le 6), (a \le 5 \vee b \le 5), (a \le 8 \vee b \le 5)\}\).

In the presentation above, we assumed that anti-unification is completely syntactic. This is problematic in practice since it significantly limits the applicability of the global rules. Recall, for example, that \(a + b \le 0\) and \(2a + 2b \le 0\) do not anti-unify numerically according to our definitions, and, therefore, do not cluster together. In practice, we augment syntactic anti-unification with simple rewrite rules that are applied greedily. For example, we normalize all \(\textsc {LIA} \) terms, take care of implicit multiplication by 1, and of associativity and commutativity of addition. In the future, it is interesting to explore how advanced anti-unification algorithms, such as [12, 13], can be adapted for our purpose.

Recall that the Subsume rule (Algorithm 3) takes a cluster of lemmas \(\mathcal {L}= \mathcal {C}_{\mathcal {O}_i}(\pi )\) and computes a new lemma \(\psi \) that subsumes all the lemmas in \(\mathcal {L}\), that is \(\psi \Rightarrow \bigwedge \mathcal {L}\). We find it convenient to dualize the problem. Let \(\mathcal {S}= \{ \lnot \ell \mid \ell \in \mathcal {L}\}\) be the dual of \(\mathcal {L}\), clearly \(\psi \Rightarrow \bigwedge \mathcal {L}\) iff \((\bigvee \mathcal {S}) \Rightarrow \lnot \psi \). Note that \(\mathcal {L}\) is a set of clauses, \(\mathcal {S}\) is a set of cubes, \(\psi \) is a clause, and \(\lnot \psi \) is a cube. In the case of \(\textsc {LIA}^{-\text {div}}\), this means that \(\bigvee \mathcal {S}\) represents a union of convex sets, and \(\lnot \psi \) represents a convex set that the Subsume rule must find. The strongest such \(\lnot \psi \) in \(\textsc {LIA}^{-\text {div}}\) exists, and is the convex closure of \(\mathcal {S}\). Thus, applying Subsume in the context of \(\textsc {LIA}^{-\text {div}}\) is reduced to computing a convex closure of a set of (negated) lemmas in a cluster. Full LIA extends \(\textsc {LIA}^{-\text {div}}\) with divisibility constraints. Therefore, Subsume obtains a stronger \(\lnot \psi \) by adding such constraints.

In the sequel, we describe subsumeCube (Algorithm 4) which computes a cube \(\varphi \) that over-approximates \((\bigvee \mathcal {S})\). Subsume is then implemented by removing from \(\mathcal {L}\) lemmas that are already subsumed by existing lemmas in \(\mathcal {L}\), dualizing the result into \(\mathcal {S}\), invoking subsumeCube on \(\mathcal {S}\) and returning \(\lnot \varphi \) as a lemma that subsumes \(\mathcal {L}\).

Recall that Subsume is tried only in the case \(\mathcal {L}= \mathcal {C}_{\mathcal {O}_i}(\pi )\). We further require that the negated pattern, \(\lnot \pi \), is of the form \(A \cdot \vec{x}\le \vec{v} \), where A is a coefficients matrix, \(\vec{x}\) is a vector of constants and \( \vec{v} = (v_1 \cdots v_p)^T\) is a vector of p free variables. Under this assumption, \(\mathcal {S}\) (the dual of \(\mathcal {L}\)) is of the form \(\{ (A \cdot \vec{x}\le \vec{n}_i) \mid 1 \le i \le q\}\), where \(q = \vert \mathcal {S}\vert \), and for each \(1 \le i \le q\), \(\vec{n}_i\) is a numeric substitution to \( \vec{v} \) from which one of the negated lemmas in \(\mathcal {S}\) is obtained. That is, \(\vert \vec{n}_i \vert = \vert \vec{v} \vert \). In Example 4, \(\lnot \pi = x \le v_1 \wedge -x \le v_2 \wedge y \le v_3\) andEach cube \((A \cdot \vec{x}\le \vec{n}_i )\in \mathcal {S}\) is equivalent to \(\exists \vec{v} . A \cdot \vec{x}\le \vec{v} \wedge ( \vec{v} = \vec{n}_i)\). Finally, \(( \bigvee \mathcal {S}) \equiv \exists \vec{v} .(A \cdot \vec{x}\le \vec{v} ) \wedge (\bigvee ( \vec{v} = \vec{n}_i))\). Thus, computing the over-approximation of \(\mathcal {S}\) is reduced to (a) computing the convex hull H of a set of points \(\{\vec{n}_i \mid 1 \le i \le q\}\), (b) computing divisibility constraints D that are satisfied by all the points, (c) substituting \(H \wedge D\) for the disjunction in the equation above, and (c) eliminating variables \( \vec{v} \). Both the computation of \(H \wedge D\) and the elimination of \( \vec{v} \) may be prohibitively expensive. We, therefore, over-approximate them. Our approach for doing so is presented in Algorithm 4, and explained in detail below.

Computing the convex hull of \(\{\vec{n}_i \mid 1 \le i \le q\}\). Lines 3 to 8 compute the convex hull of \(\{\vec{n}_i \mid 1 \le i \le q\}\) as a formula over \( \vec{v} \), where variable \(v_j\), for \(1\le j \le p\), represents the \(j^\text {th}\) coordinates in the vectors (points) \(\vec{n}_i\). Some of the coordinates, \(v_j\), in these vectors may be linearly dependent upon others. To simplify the problem, we first identify such dependencies and compute a set of linear equalities that expresses them (L in line 4). To do so, we consider a matrix \(N_{q \times p}\), where the ith row consists of \(\vec{n}_i^T\). The \(j^\text {th}\) column in N, denoted \(N_{*j}\), corresponds to the \(j^\text {th}\) coordinate, \(v_j\). The rank of N is the number of linearly independent columns (and rows). The other columns (coordinates) can be expressed by linear combinations of the linearly independent ones. To compute these linear combinations we use the kernel of \([N; \vec{1}]\) (N appended with a column vector of 1’s), which is the set of all vectors \(\vec{y}\) such that \([N; \vec{1}]\cdot \vec{y} = \vec{0}\), where \(\vec{0}\) is the zero vector. Let \(B = {{\,\textrm{kernel}\,}}([N; \vec{1}])\) be a basis for the kernel of \([N; \vec{1}]\). Then \(|B| = p - {{\,\textrm{rank}\,}}(N)\), and for each vector \(\vec{y} \in B\), the linear equality \([ v_1 \cdots v_p \; 1] \cdot \vec{y} = 0\) holds in all the rows of N (i.e., all the given vectors satisfy it). We accumulate these equalities, which capture the linear dependencies between the coordinates, in L. Further, the equalities are used to compute \({{\,\textrm{rank}\,}}(N)\) coordinates (columns in N) that are linearly independent and, modulo L, uniquely determine the remaining coordinates. We denote by \( \vec{v} ^{L_{\downarrow }}\) the subset of \( \vec{v} \) that consists of the linearly independent coordinates. We further denote by \(\vec{n}_i^{L_{\downarrow }}\) the projection of \(\vec{n}_i\) to these coordinates and by \(N^{L_{\downarrow }}\) the projection of N to the corresponding columns. We have that \((\bigvee ( \vec{v} = \vec{n}_i)) \equiv L \wedge (\bigvee ( \vec{v} ^{L_{\downarrow }} = \vec{n}_i^{L_{\downarrow }})\). In Example 4, the numeral matrix is \( N = \left[ {\begin{array}{*{20}c} 2 & {\; - 2} & 3 \\ 4 & {\; - 4} & 5 \\ 8 & {\; - 8} & 9 \\ \end{array} } \right] \), for which \({{\,\textrm{kernel}\,}}([N; \vec{1}]) = \{ \begin{matrix} 1&1&0&0 \end{matrix}^T, \begin{matrix} \;1&0&\;-1&1 \end{matrix}^T \}\). Therefore, L is the conjunction of equalities \(v_1 + v_2 = 0 \wedge v_1 - v_3 + 1 = 0 \), or, equivalently \(v_3 = v_1 + 1 \wedge v_2 = -v_1\), \( \vec{v} ^{L_{\downarrow }} = \begin{pmatrix} v_1 \end{pmatrix}^T\), andNext, we compute the convex closure of \(\bigvee ( \vec{v} ^{L_{\downarrow }} = \vec{n}_i^{L_{\downarrow }})\), and conjoin it with L to obtain H, the convex closure of \((\bigvee ( \vec{v} = \vec{n}_i))\).

If the dimension of \( \vec{v} ^{L_{\downarrow }}\) is one, as is the case in the example above, convex closure, C, of \(\bigvee ( \vec{v} ^{L_{\downarrow }} = \vec{n}_i^{L_{\downarrow }})\) is obtained by bounding the sole element of \( \vec{v} ^{L_{\downarrow }}\) based on its values in \(N^{L_{\downarrow }}\) (line 6). In Example 4, we obtain \(C = 2 \le v_1 \le 8\).

If the dimension of \( \vec{v} ^{L_{\downarrow }}\) is greater than one, just computing the bounds of one of the constants is not sufficient. Instead, we use the concept of syntactic convex closure from [14] to compute the convex closure of \(\bigvee ( \vec{v} ^{L_{\downarrow }} = \vec{n}_i^{L_{\downarrow }})\) as \(\exists \vec{\alpha}.C\) where \(\vec{\alpha}\) is a vector that consists of q fresh rational variables and C is defined as follows (line 8): \(C = \vec{\alpha}\ge 0 \wedge \Sigma \vec{\alpha}= 1 \wedge \vec{\alpha}^T \cdot N^{L_{\downarrow }} = ( \vec{v} ^{L_{\downarrow }})^T\). C states that \(( \vec{v} ^{L_{\downarrow }})^T\) is a convex combination of the rows of \(N^{L_{\downarrow }}\), or, in other words, \( \vec{v} ^{L_{\downarrow }}\) is a convex combination of \(\{ \vec{n}_i^{L_{\downarrow }} \mid 1 \le i \le q\}\).

To illustrate the syntactic convex closure, consider a second example with a set of cubes: \( \mathcal {S}= \{(x \le 0 \wedge y \le 6), (x \le 6 \wedge y \le 0), (x \le 5 \wedge y \le 5)\}\). The coefficient matrix A, and the numeral matrix N are then: \( A = \left[ {\begin{array}{*{20}c} 1 & 0 \\ 0 & 1 \\ \end{array} } \right] \) and \(N = \left[{\begin{matrix} 0 &{} 6 \\ 6 &{} 0 \\ 5 &{} 5\end{matrix}} \right]\). Here, \({{\,\textrm{kernel}\,}}([N; \vec{1}])\) is empty – all the columns are linearly independent, hence, \(L = true \) and \( \vec{v} ^{L_{\downarrow }} = \vec{v} \). Therefore, syntactic convex closure is applied to the full matrix N, resulting inThe convex closure of \(\bigvee ({ \vec{v} } = {\vec{n}_i})\) is then \(L \wedge \exists \vec{\alpha}.C\), which is \(\exists \vec{\alpha}.C\) here.

Divisibility constraints. Inductive invariants for verification problems often require divisibility constraints. We, therefore, use such constraints, denoted D, to obtain a stronger over-approximation of \(\bigvee ({ \vec{v} } = {\vec{n}_i})\) than the convex closure. To add a divisibility constraint for \(v_j \in \vec{v} ^{L_{\downarrow }}\), we consider the column \(N_{*j}^{L_{\downarrow }}\) that corresponds to \(v_j\) in \(N^{L_{\downarrow }}\). We find the largest positive integer d such that each integer in \(N_{*j}^{L_{\downarrow }}\) leaves the same remainder when divided by d; namely, there exists \(0 \le r < d\) such that \(n \bmod d = r\) for every \(n \in N_{*j}^{L_{\downarrow }}\). This means that \(d \mid (v_j - r)\) is satisfied by all the points \(\vec{n}_i\). Note that such r always exists for \(d=1\). To avoid this trivial case, we add the constraint \(d \mid (v_j - r)\) only if \(d \ne 1\) (Line 4). We repeat this process for each \(v_j \in \vec{v} ^{L_{\downarrow }}\).

In Example 4, all the elements in the (only) column of the matrix \(N^{L_{\downarrow }}\), which corresponds to \(v_1\), are divisible by 2, and no larger d has a corresponding r. Thus, Line 12 of Algorithm 4 adds the divisibility condition \((2 \mid v_1)\) to D.

Eliminating existentially quantified variables using MBP. By combining the linear equalities exhibited by N, the convex closure of \(N^{L_{\downarrow }}\) and the divisibility constraints on \( \vec{v} \), we obtain \(\exists \vec{\alpha}.L \wedge C \wedge D\) as an over-approximation of \(\bigvee ({ \vec{v} } = {\vec{n}_i})\). Accordingly, \(\exists \vec{v} .\exists \vec{\alpha}.\psi \), where \(\psi = (A \cdot \vec{x}\le \vec{v} ) \wedge L \wedge C \wedge D\), is an over-approximation of \((\bigvee \mathcal {S}) \equiv \exists \vec{v} .(A \cdot \vec{x}\le \vec{v} ) \wedge (\bigvee ( \vec{v} = \vec{n}_i))\) (Line 13). In order to get a LIA cube that overapproximates \(\bigvee \mathcal {S}\), it remains to eliminate the existential quantifiers. Since quantifier elimination is expensive, and does not necessarily generate convex formulas (cubes), we approximate it using MBP. Namely, we obtain a cube \(\varphi \) that under-approximates \(\exists \vec{v} .\exists \vec{\alpha}.\psi \) by applying MBP on \(\psi \) and a model \(M_0 \models \psi \). We then use an SMT solver to drop literals from \(\varphi \) until it over-approximates \(\exists \vec{v} .\exists \vec{\alpha}.\psi \), and hence also \(\bigvee \mathcal {S}\) (lines 16 to 19). The result is returned by Subsume as an over-approximation of \(\bigvee \mathcal {S}\).

Models \(M_0\) that satisfy \(\psi \) and do not satisfy any of the cubes in \(\mathcal {S}\) are preferred when computing MBP (line 14) as they ensure that the result of MBP is not subsumed by any of the cubes in \(\mathcal {S}\).

Note that our final step is to do an MBP over the formula \(\exists \vec{v} .\vec{\alpha}.(A \cdot \vec{x}\le \vec{v} ) \wedge L \wedge D \wedge C\). This requires MBP to support a mixture of integer and rational variables. To achieve this, we first push the quantifier over the rational variables inside; the formula becomes \(\exists \vec{v} .(A \cdot \vec{x}\le \vec{v} ) \wedge L \wedge D \wedge \exists \vec{\alpha}.C\)). Then, we relax all constants in the constraints C to be rational and do an MBP over LRA to eliminate \(\vec{\alpha}\). We then adjust the resulting formula back to integer arithmetic by multiplying each atom by the least common multiple of the denominators of the coefficients in it. Finally, we apply MBP over the integers to eliminate \( \vec{v} \).

Considering Example 4 again, we get that \(\psi = (x \le v_1) \wedge (-x \le v_2) \wedge (y \le v_3) \wedge (v_3 = 1 + v_1) \wedge (v_2 = -v_1) \wedge (2 \le v_1 \le 8) \wedge (2 \mid v_1) \) (the first three conjuncts correspond to \((A \cdot (x\; y)^T \le (v_1\; v_2 \; v_3)^T)\)). Note that in this case we do not have rational variables \(\vec{\alpha}\) since \(\vert \vec{v} ^{L_{\downarrow }}\vert = 1\). Depending on the model, the result of MBP can be one ofHowever, we prefer a model that does not satisfy any cube in \(\mathcal {S}= \{(x \ge 2 \wedge x \le 2 \wedge y \le 3), (x \le 4 \wedge x \ge 4 \wedge y \le 5), (x \le 8 \wedge x \ge 8 \wedge y \le 9) \}\), rules off the two possibilities on the right. None of these cubes cover \(\psi \), hence generalization is used.

If the first cube is obtained by MBP, it is generalized into \(y \le x + 1 \wedge x \ge 2 \wedge x \le 8 \wedge (2 \mid x)\); the second cube is already an over-approximation; the third cube is generalized into \(y \le x + 1 \wedge y \le 9\). Indeed, each of these cubes over-approximates \(\bigvee \mathcal {S}\).

The Concretize rule (Algorithm 3) takes a cluster of lemmas \(\mathcal {L}= \mathcal {C}_{\mathcal {O}_i}(\pi )\) and a pob \(\langle \varphi , j \rangle \) such that each lemma in \(\mathcal {L}\) partially blocks \(\varphi \), and creates a new pob \(\gamma \) that is still not blocked by \(\mathcal {L}\), but \(\gamma \) is more concrete, i.e., \(\gamma \Rightarrow \varphi \). In our implementation, this rule is applied when \(\varphi \) is in \(\textsc {LIA}^{-\text {div}}\). We further require that the pattern, \(\pi \), of \(\mathcal {L}\) is non-linear, i.e., some of the constants appear in \(\pi \) with free variables as their coefficients. We denote these constants by U. An example is the pattern \(\pi = v_0 x + v_1 y + z \le 0\), where \(U = \{x,y\}\). Having such a cluster is an indication that attempting to block \(\varphi \) in full with a single lemma may require to track non-linear correlations between the constants, which is impossible to do in LIA. In such cases, we identify the coupling of the constants in U in pobs (and hence in lemmas) as the potential source of non-linearity. Hence, we concretize (strengthen) \(\varphi \) into a pob \(\gamma \) where the constants in U are no longer coupled to any other constant.

Coupling. Formally, constants u and v are coupled in a cube c, denoted \(u \bowtie _{c} v\), if there exists a literal \(\textit{lit}\) in c such that both u and v appear in \(\textit{lit}\) (i.e., their coefficients in \(\textit{lit}\) are non-zero). For example, x and y are coupled in \(x + y \le 0 \wedge z \le 0\) whereas neither of them are coupled with z. A constant u is said to be isolated in a cube c, denoted \(\textsc {Iso}(u, c)\), if it appears in c but it is not coupled with any other constant in c. In the above cube, z is isolated.

Concretization by decoupling. Given a pob \(\varphi \) (a cube) and a cluster \(\mathcal {L}\), Algorithm 5 presents our approach for concretizing \(\varphi \) by decoupling the constants in U — those that have variables as coefficients in the pattern of \(\mathcal {L}\) (line 2). Concretization is guided by a model \(M \models \varphi \wedge \bigwedge \mathcal {L}\), representing a part of \(\varphi \) that is not yet blocked by the lemmas in \(\mathcal {L}\) (line 3). Given such M, we concretize \(\varphi \) into a model-preserving under-approximation that isolates all the constants in U and preserves all other couplings. That is, we find a cube \(\gamma \), such thatNote that \(\gamma \) is not blocked by \(\mathcal {L}\) since M satisfies both \(\bigwedge \mathcal {L}\) and \(\gamma \). For example, if \(\varphi = (x + y \le 0) \wedge (x - y \le 0) \wedge (x + z \ge 0)\) and \(M = [x = 0, y = 0, z = 1]\), then \(\gamma = 0 \le y \le 0 \wedge x \le 0 \wedge x + z \ge 1\) is a model preserving under-approximation that isolates \(U = \{y\}\).

Algorithm 5 computes such a cube \(\gamma \) by a point-wise concretization of the literals of \(\varphi \) followed by the removal of subsumed literals. Literals that do not contain constants from U remain unchanged. A literal of the form \(\textit{lit}= t \le b\), where \(t=\sum _i n_ix_i\) (recall that every literal in \(\textsc {LIA}^{-\text {div}}\) can be normalized to this form), that includes constants from U is concretized into a cube by (1) isolating each of the summands \(n_i x_i\) in t that include U from the rest, and (2) for each of the resulting sub-expressions creating a literal that uses its value in M as a bound. Formally, t is decomposed to \(s + \sum _{x_i \in U} n_i x_i\), where \(s = \sum _{x_i \not \in U} n_i x_i\). The concretization of \(\textit{lit}\) is the cube \(\gamma ^{\textit{lit}} = s \le M[s] \wedge \bigwedge _{x_i \in U} n_i x_i \le M[n_i x_i]\), where \(M[t']\) denotes the interpretation of \(t'\) in M. Note that \(\gamma ^{\textit{lit}} \Rightarrow \textit{lit}\) since the bounds are stronger than the original bound on t: \(M[s] + \sum _{x_i \in U} M[n_i x_i] = M[t] \le b\). This ensures that \(\gamma \), obtained by the conjunction of literal concretizations, implies \(\varphi \). It trivially satisfies the other conditions of Eq. (1).

For example, the concretization of the literal \((x + y \le 0)\) with respect to \(U = \{y\}\) and \(M = [x = 0, y = 0, z = 1]\) is the cube \(x \le 0 \wedge y \le 0\). Applying concretization in a similar manner to all the literals of the cube \(\varphi = (x + y \le 0) \wedge (x - y \le 0) \wedge (x + z \ge 0)\) from the previous example, we obtain the concretization \( x \le 0 \wedge 0 \le y \le 0 \wedge x + z \ge 0\). Note that the last literal is not concretized as it does not include y.

The Conjecture rule (see Algorithm 3) takes a set of lemmas \(\mathcal {L}\) and a pob \(\varphi \equiv \alpha \wedge \beta \) such that all lemmas in \(\mathcal {L}\) block \(\beta \), but none of them blocks \(\alpha \), where \(\alpha \) does not include any known reachable states. It returns \(\alpha \) as a new pob.

For LIA, Conjecture is applied when the following conditions are met: If all four conditions are met, we conjecture \(\alpha = \varphi _1 \wedge \varphi _2\). This is implemented by conjecture, that returns \(\alpha \) (or \(\bot \) when the pre-conditions are not met).

For example, consider the pob \(\varphi = x \ge 10 \wedge (x + y \ge 10) \wedge y \le 10\) and a cluster of lemmas \(\mathcal {L}= \{ (x + y \le 0 \vee y \ge 101), (x + y \le 0 \vee y \ge 102)\}\). In this case, \(\varphi _1 = x \ge 10\), \(\varphi _2 = (x + y \ge 10)\), \(\varphi _3 = y \le 10\), and \(bg =x + y \le 0\). Each of the lemmas in \(\mathcal {L}\) block \(\varphi _2 \wedge \varphi _3\) but none of them block \(\varphi _1 \wedge \varphi _2\). Therefore, we conjecture \(\varphi _1 \wedge \varphi _2\): \(x \ge 10 \wedge (x + y \ge 10)\).

Having explained the implementation of the new rules for LIA, we now put all the ingredients together into an algorithm, GSpacer. In particular, we present our choices as to when to apply the new rules, and on which clusters of lemmas and pobs. As can be seen in Sect. 5, this implementation works very well on a wide range of benchmarks.

Algorithm 6 presents GSpacer. The comments to the right side of a line refer to the abstract rules in Algorithms 1 and 3. Just like Spacer, GSpacer iteratively computes predecessors (Line 10) and blocks them (Line 14) in an infinite loop. Whenever a pob is proven to be reachable, the reachable states are updated (line 38). If \( Bad \) intersects with a reachable state, GSpacer terminates and returns unsafe  (line 12). If one of the frames is an inductive invariant, GSpacer terminates with safe  (line 20).

When a pob \(\langle \varphi , i \rangle \) is handled, we first apply the Concretize rule, if possible (Line 7). Recall that Concretize (Algorithm 5) takes as input a cluster that partially blocks \(\varphi \) and has a non-linear pattern. To obtain such a cluster, we first find, using \(\mathcal {C}_{\textit{pob}}(\langle \varphi , i\rangle )\), a cluster \(\langle \pi _1, \mathcal {L}_1 \rangle = \mathcal {C}_{\mathcal {O}_k}(\pi _1)\), where \(k \le i\), that includes some lemma (from frame k) that blocks \(\varphi \); if none exists, \(\mathcal {L}_1 = \emptyset \). We then filter out from \(\mathcal {L}_1\) lemmas that completely block \(\varphi \) as well as lemmas that are irrelevant to \(\varphi \), i.e., we obtain \(\mathcal {L}_2\) by keeping only lemmas that partially block \(\varphi \). We apply Concretize on \(\langle \pi _1, \mathcal {L}_2\rangle \) to obtain a new pob that under-approximates \(\varphi \) if (1) the remaining sub-cluster, \(\mathcal {L}_2\), is non-empty, (2) the pattern, \(\pi _1\), is non-linear, and (3) \(\bigwedge \mathcal {L}_2 \wedge \varphi \) is satisfiable, i.e., a part of \(\varphi \) is not blocked by any lemma in \(\mathcal {L}_2\).

Once a pob is blocked, and a new lemma that blocks it, \(\ell \), is added to the frames, an attempt is made to apply the Subsume and Conjecture rules on a cluster that includes \(\ell \). To that end, the function \(\mathcal {C}_{\textit{lemma}}(\ell )\) finds a cluster \(\langle \pi _3, \mathcal {L}_3 \rangle = \mathcal {C}_{\mathcal {O}_i}(\pi _3)\) to which \(\ell \) belongs (Sect. 4.2). Note that the choice of cluster is arbitrary. The rules are applied on \(\langle \pi _3, \mathcal {L}_3 \rangle \) if the required pre-conditions are met (Line 49 and Line 53, respectively). When applicable, Subsume returns a new lemma that is added to the frames, while Conjecture returns a new pob that is added to the queue. Note that the latter is a may pob, in the sense that some of the states it represents may not lead to safety violation.

Ensuring progress. Spacer always makes progress: as its search continues, it establishes absence of counterexamples of deeper and deeper depths. However, GSpacer does not ensure progress. Specifically, unrestricted application of the Concretize and Conjecture rules can make GSpacer diverge even on executions of a fixed bound. In our implementation, we ensure progress by allotting a fixed amount of gas to each pattern, \(\pi \), that forms a cluster. Each time Concretize or Conjecture is applied to a cluster with \(\pi \) as the pattern, \(\pi \) loses some gas. Whenever \(\pi \) runs out of gas, the rules are no longer applied to any cluster with \(\pi \) as the pattern. There are finitely many patterns (assuming LIA terms are normalized). Thus, in each bounded execution of GSpacer, the Concretize and Conjecture rules are applied only a finite number of times, thereby, ensuring progress. Since the Subsume rule does not hinder progress, it is applied without any restriction on gas.

So far, we have described our implementation of global guidance rules for LIA. The implementation for LRA is very similar. In fact, procedure for clustering lemmas, the pre-conditions for applying the three global guidance rules, and the procedures to conjecture and concretize pobs carry over without any modifications. The only difference is in the implementation of the Subsume rule (Algorithm 4). For LIA, the procedure involves three main steps: computing convex hull (Line 8), adding divisibility constraints (Line 16), and eliminating auxiliary variables (Line 12). Since we cannot have divisibility constraints for rational variables, we skip this step when implementing Subsume for LRA. The rest of the algorithm remains the same.

Comparison on LIA instances Table 3 summarizes the comparison between Spacer and GSpacer on LIA instances from CHC-COMP. Since both tools can use a variety of interpolation strategies during lemma generalization (Line 45 in Algorithm 6), we compare three different configurations of each: bw and fw stand for two interpolation strategies, backward and forward, respectively, already implemented in Spacer, and sc stands for turning interpolation off and generalizing lemmas only by subset clauses computed by inductive generalization. VBS stands for the Virtual Best Solver.

Any configuration of GSpacer solves significantly more instances than even the best configuration of Spacer. Figure 3 provides a more detailed comparison between the best configurations of both tools in terms of running time and depth of convergence. There is no clear trend in terms of running time on instances solved by both tools. This is not surprising—SMT-solving run time is highly non-deterministic and any change in strategy has a significant impact on performance of SMT queries involved. In terms of depth, it is clear that GSpacer converges at the same or lower depth. The depth is significantly lower for instances solved only by GSpacer.

Moreover, the performance of GSpacer is not significantly affected by the interpolation strategy used. In fact, the configuration sc in which interpolation is disabled performs the best in non-linear instances from CHC-COMP 2019, and only slightly worse in other categories. In comparison, disabling interpolation hurts Spacer significantly.

Comparison on LRA benchmarks To see how well the global guidance rules scale across theories, we compared GSpacer with Spacer on LRA benchmarks from CHC-COMP. The results are summarized in Table 4. The meanings of the columns are the same as in Table 3.

Most significantly, we find that global guidance is robust. While Spacer has a noticeable drop in performance when interpolation is turned off, GSpacer does not. Second, while the number of instances solved by GSpacer is similar to the number of instances solved by Spacer, the instances solved are different. In particular, the VBS significantly outperforms both solvers. Finally, the improvement in GSpacer on LRA benchmarks is not as significant as on LIA benchmarks. We believe this is a property of the benchmark set rather than the intrinsic difference between LIA and LRA. We conjecture that additional global guidance rules, specifically ones taking advantage of symmetry in the lemmas, will boost the performance of GSpacer.

Comparison on unsafe instances Spacer consistently solves more unsafe instances than GSpacer. This is an expected side effect of the global guidance rules. GSpacer explores different ways to find an inductive invariant and, on unsafe instances, this exploration is completely wasteful. This exploration comes at a cost. Each pob that global guidance generates is checked for reachability and, if blocked, generalized using inductive generalization. Both these are one or more queries to an SMT solver. The cost of exploration is checked using gas (Sect. 4.6). For each cluster, gas is initially set to a constant value and decreased each time a global guidance rule is applied. Once a cluster runs out of gas, global guidance rules are not applied to the cluster. While this heuristic reduces exploration, it does not reduce it to zero, hence the deterioration in performance.Figure 4 provides a detailed comparison of GSpacer with and without interpolation. Interpolation makes no difference to the depth of convergence. This implies that lemmas that are discovered by interpolation are discovered as efficiently by the global rules of GSpacer. On the other hand, interpolation significantly increases the running time. Interestingly, the time spent in interpolation itself is insignificant. However, the lemmas produced by interpolation tend to slow down other aspects of the algorithm. Most of the slow down is in increased time for inductive generalization and in computation of predecessors. The comparison between the other interpolation-enabled strategy and GSpacer-sc shows a similar trend.We used the ML-based data-driven invariant inference tool LinearArbitrary [6] as a baseline for purely global reasoning. Compared to other similar approaches, LinearArbitrary stands out by supporting invariants with arbitrary Boolean structure over arbitrary linear predicates. It is completely automated and does not require user-provided predicates, grammars, or any other guidance. For the comparison with LinearArbitrary, we have used both the CHC-COMP benchmarks, as well as the benchmarks from the artifact evaluation of [6]. The machine and timeout remain the same. Our evaluation shows that GSpacer is superior in this case as well.

In [6], the authors show that LinearArbitrary, to which we refer as LArb for short, significantly outperforms Spacer on a curated subset of benchmarks from SV-COMP [16] competition.

We first compare LArb against GSpacer on CHC-COMP instances. Table 5 shows the number of instances solved by both solvers. We see that LArb solves way fewer instances than even baseline Spacer.

For a more meaningful comparison, we compared Spacer, LArb, and GSpacer on the benchmarks from the artifact evaluation of [6]. The results are summarized in Table 6. As expected, LArb outperforms the baseline Spacer on the safe benchmarks. On unsafe benchmarks, Spacer is significantly better than LArb. In both categories, GSpacer dominates solving more safe benchmarks than either Spacer or LArb, while matching performance of Spacer on unsafe instances. Furthermore, GSpacer remains orders of magnitude faster than LArb on benchmarks that are solved by both. This comparison shows that incorporating local reasoning with global guidance not only mitigates its shortcomings but also surpasses global data-driven reasoning.

Table  7 summarizes the effectiveness of individual global guidance rules on CHC-COMP LIA benchmarks. Each column in Table 7 corresponds to running GSpacer with just one of the three global guidance rules enabled. We see that the Subsume configuration (that is, running GSpacer with just the Subsume rule) solves many more instances than either of the other configurations. However, even the Subsume rule individually does not solve merely as many instances as GSpacer with all three rules combined. Figure 5 compares the running time and depth of convergence of Subsume configuration (x-axis) against those of the full GSpacer  (y-axis). Clearly, there are many instances in which GSpacer with all three rules converges at a significantly lower depth than the GSpacer with just the Subsume rule.