\documentclass[11pt,twoside]{scrartcl}

%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{} %e.g. {October 21, 2013}
\newcommand{\lecnum}{24}
\newcommand{\lectitle}{CEGAR \& Craig Interpolation}
\newcommand{\lecturer}{Matt Fredrikson}

\usepackage{lecnotes}

\usepackage[irlabel]{bugcatch}

\usepackage{tikz}
\usetikzlibrary{automata,shapes,positioning,matrix,shapes.callouts,decorations.text,patterns,trees}

\usepackage{listings}
\definecolor{mygray}{rgb}{0.5,0.5,0.5}
\definecolor{backgray}{gray}{0.95}
\lstdefinestyle{whyml}{
  belowcaptionskip=1\baselineskip,
  breaklines=true,
  language=[Objective]Caml,
  showstringspaces=false,
  numbers=left,
  xleftmargin=2em,
  framexleftmargin=1.5em,
  numbersep=5pt,
  numberstyle=\tiny\color{mygray},
  basicstyle=\footnotesize\ttfamily,
  keywordstyle=\color{blue},
  commentstyle=\itshape\color{purple!40!black},
  tabsize=2,
  backgroundcolor=\color{backgray},
  escapechar=\%,
  morekeywords={predicate,invariant}
}


%% \traceget{v}{i}{\zeta} is the state of trace v at time \zeta of the i-th discrete step
\newcommand{\traceget}[3]{{#1}_{#2}(#3)}
\def\limbo{\mathrm{\Lambda}}
%% the last state of a trace
\DeclareMathOperator{\tlast}{last}
%% the first state of a trace
\DeclareMathOperator{\tfirst}{first}

\begin{document}
\lstset{  
  basicstyle=\ttfamily\small,
  mathescape
}
%% the name of a trace
\newcommand{\atrace}{\sigma}%
%% the standard interpretation naming conventions
\newcommand{\stdI}{\dTLint[state=\omega]}%
\newcommand{\Ip}{\dTLint[trace=\atrace]}%
\def\I{\stdI}%
% \let\tnext\ctnext
% \let\tbox\ctbox
% \let\tdiamond\ctdiamond

\maketitle
\thispagestyle{empty}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\section{Introduction}

In the previous lecture we saw how to create a Kripke structure whose language is equivalent to the trace semantics of a program. However, this is problematic for model checking due to the fact that there are an infinite number of states in the structure. We began describing a way to address this using predicate abstraction, which overapproximates the Kripke structure by partitioning Kripke states into a finite number of abstract states.

Today we will continue with predicate abstraction, and see how to create an abstract transition structure for an arbitrary program. The good news is that it is always feasible to do so, as there are a finite number of states and the transitions can be computed using familiar techniques. The bad news is that often it is the case that crucial information gets lost in the approximation, leaving us unable to find real bugs or verify their absence. We'll see how to incrementally fix this using a technique called refinement, which leads to interesting new questions about automated software verification.

\section{Review: Predicate abstraction}

\begin{definition}\label{def:concret}
Given a set of predicates $A \in \hat{\Sigma}$, let $\gamma(A)$ be the set of program states $\sigma \in \mathcal{S}$ that satisfy the conjunction of predicates in $A$:
\[
\textstyle
\gamma(A) = \{\sigma\in\mathcal{S} : \sigma\models\bigwedge_{a\in A} a\}
\]
\end{definition}

\begin{definition}[Abstract Transition Structure]\label{def:abstrans}
Given a program $\asprg$, a set of abstract atomic predicates $\hat{\Sigma}$, and control flow transition relation $\epsilon(\asprg)$, let $L$ be a set of \emph{locations} given by the inductively-defined function $\plocs{\asprg}$, $\ilocs{\asprg}$ be the \emph{initial} locations of $\asprg$, and $\flocs{\asprg}$ be the \emph{final} locations of $\asprg$. The abstract transition structure $\hat{K_\asprg} = (\hat{W},\hat{I},\hat{\stepto},\hat{v})$ is a tuple containing:
\begin{itemize}
\item $\hat{W} = \plocs{\asprg} \times \powerset{\hat{\Sigma}}$ are the states defined as pairs of program locations and sets of abstraction predicates.

\item $\hat{I} = \{\langle\ell, A\rangle \in \hat{W} : \ell \in \ilocs{\asprg}\}$ are the initial states corresponding to initial program locations.

\item $\hat{\stepto} = \{(\langle\ell, A\rangle, \langle\ell', A'\rangle :~\text{for}~(\ell, \bsprg, \ell') \in \epsilon(\asprg)~\text{where there exist}~\sigma,\sigma'~\text{such that}~\sigma\in\gamma(A), \sigma'\in\gamma(A')~\text{and}~(\sigma,\sigma')\in\llbracket\bsprg\rrbracket\}$ is the transition relation.

\item $\hat{v}(\langle\ell, A\rangle) = \langle\ell, A\rangle$ is the labeling function, which is in direct correspondence with states.
\end{itemize}
\end{definition}

\begin{theorem}\label{thm:existential}
For any trace $\langle\ell_0,\sigma_0\rangle,\langle\ell_1,\sigma_1\rangle,\ldots$ of $K_\asprg$, there exists a corresponding trace of $\hat{K_\asprg}$ $\langle\hat{\ell}_0,A_0\rangle,\langle\hat{\ell}_1,A_1\rangle,\ldots$ such that for all $i\ge0$, $\ell_i = \hat{\ell}_i$ and $\sigma_i \in \gamma(A_i)$.
\end{theorem}

\begin{theorem}\label{thm:abstrans}
Let $A, B \subseteq \hat{\Sigma}$ be sets of predicates over program states, and $\bsprg$ be a program. Then for $\sigma\in\gamma(A)$, there exists a state $\sigma'\in\gamma(B)$ such that $(\sigma,\sigma')\in\llbracket\bsprg\rrbracket$ if and only if $\bigwedge_{a\in A} a \limply \dibox{\bsprg}{\bigvee_{b\in B} \lnot b}$ is not valid.
\end{theorem}

\paragraph{Spurious counterexamples}
We looked at a modification of the earlier example from the previous lecture.
\begin{lstlisting}
$\ell_0$:    i := abs(N)+1;
$\ell_1$:    while(0 $\le$ x $<$ N) {
$\ell_2$:      i := i - 1;
$\ell_3$:      x := x + 1;
$\ell_4$:    }
\end{lstlisting}
This yields the following control flow transitions.
\begin{center}
\includegraphics[width=0.45\textwidth]{controlflow4.pdf}
\end{center}
Consider the following counterexample on the predicate set $\hat{\Sigma} = \{0\le i\}$.
\begin{enumerate}
\item $\langle\ell_0,0\le i\rangle\hat{\stepto}\langle\ell_1,0\le i\rangle$. This edge is in $\hat{K_\asprg}$ because $0\le i\limply\dibox{\pumod{i}{\mathtt{abs}(N)+1}}{0>i}$ is equivalent to $0\le i\limply0>\mathtt{abs}(N)+1$, which is not valid.

\item $\langle\ell_1,0\le i\rangle\hat{\stepto}\langle\ell_2,0\le i\rangle$. This edge exists because $0\le i\limply\dibox{\ptest{0\le x<N}}{0>i}$ is equivalent to $0\le i\limply0\le x<N\limply0>i$, which is not valid.

\item $\langle\ell_2,0\le i\rangle\hat{\stepto}\langle\ell_3,0>i\rangle$. This edge exists because $0\le i\limply\dibox{\pumod{i}{i-1}}{0\le i}$ is equivalent to $0\le i\limply0 \le i-1$ and is not valid, seen from the assignment $i=0$.

\item $\langle\ell_3,0>i\rangle\hat{\stepto}\langle\ell_1,0>i\rangle$. This edge exists because $0>i\limply\dibox{\pumod{x}{x+1}}{0\le i}$ is equivalent to $0>i\limply0\le i$, which is not valid.

\item $\langle\ell_1,0>i\rangle\hat{\stepto}\langle\ell_4,0>i\rangle$. This edge exists because $0>i\limply\dibox{\ptest{\lnot(0\le x<N)}}{0\le i}$ is equivalent to $0>i\limply\lnot(0\le x<N)\limply0\le i$ is not valid.
\end{enumerate}
At this point, $\hat{K_\asprg}$ is in a state satisfying $\ell_4\land\lnot(0\le i)$. As before, we need to determine whether this counterexample is spurious. We consider a path which starts in a state where $0\le i$, and transitions through $\ell_0,\ell_1,\ell_2,\ell_3,\ell_1,\ell_4$, ending in a state where $0>i$. This leads us to ask whether the following DL formula is valid:
\[
0 \le i \limply \dibox{\pumod{i}{\mathtt{abs}(N)+1};\ptest{0\le x<N};\pumod{i}{i-1};\pumod{x}{x+1};\ptest{\lnot(0\le x<N)}}0 \le i
\]
Multiple applications of \irref{composeb+testb+assignb} leave us with the valid formula:
\[
0\le i \limply 0\le x<N \limply \lnot(0\le x+1<N) \limply 0\le \mathtt{abs}(N)
\]
The validity of this formula tells us that executing the statements in this counterexample will necessarily lead to a program state where $0\le i$, which does not violate the property $\tbox{\ell_4 \limply 0\le i}$. So this counterexample is \emph{spurious}: it exists in the abstraction $\hat{K_\asprg}$, but not in the true transition system $K_\asprg$ corresponding to the program.

\section{Automatic Refinement}
We'll see how to refine abstractions automatically using information derived from spurious counterexamples. While the refinements computed by this approach may not necessarily be strong enough to verify the original program, they are strong enough to preclude the counterexample that they are derived from. In other words, after refinement, no trace corresponding to the particular spurious counterexample we observed will be in the abstraction. But the abstraction will still be an overapproximation, and subsequent searches may identify more spurious counterexamples. 

\paragraph{Craig interpolation}

Let $\ausfml \limply \busfml$ be a valid first-order formula. A \emph{Craig interpolant} for $\ausfml$ and $\busfml$ is a formula $\cusfml$ that satisfies the following conditions:
\begin{itemize}
\item $\ausfml \limply \cusfml$ and $\cusfml \limply \busfml$ are valid.
\item All of the variables in $\cusfml$ also appear in both $\ausfml$ and $\busfml$.
\end{itemize}
Intuitively, a Craig interpolant for $\ausfml$ and $\busfml$ is a fact about the variables shared by $\ausfml$ and $\busfml$ that is ``explained'' by $\ausfml$, and in turn explains $\busfml$. Theorem~\ref{thm:craig} states that Craig interpolants always exist, and in fact, there are often many interpolants for a given pair of formulas $\ausfml,\busfml$.

\begin{theorem}[Craig's Interpolation Theorem (1957)~\cite{craig1957}]\label{thm:craig}
Let $\ausfml\limply\busfml$ be a valid first order formula, where $\ausfml$ and $\busfml$ share at least one variable symbol. Then there exists a formula $\cusfml$ containing only variable symbols in both $\ausfml$ and $\busfml$ such that $\ausfml\limply\cusfml$ and $\cusfml\limply\busfml$.
\end{theorem}

We present a proof of Theorem~\ref{thm:craig} for the restricted case of propositional logic, i.e., $\ausfml$ and $\busfml$ only contain propositional literals.
\begin{proof}
In the following, let $\atoms{\ausfml}$ be the set of atomic propositions (i.e., variables) in $\ausfml$.

First, notice that if $\atoms{\ausfml} \cap \atoms{\busfml} = \emptyset$, then either $\lnot\ausfml$ is valid or $\busfml$ is valid. In either case, any formula will work as an interpolant. So assume that $\atoms{\ausfml} \cap \atoms{\busfml} \ne \emptyset$, and proceed by induction on the size of the set $\atoms{\ausfml}\setminus\atoms{\busfml}$.
\begin{description}
\item[Base case:] In the base case $\atoms{\ausfml}\setminus\atoms{\busfml} = \emptyset$. Then $\ausfml$ is an interpolant because $\ausfml\limply\ausfml$ is valid, and $\ausfml\limply\busfml$ is valid by assumption.
\item[Inductive case:] Let $\dusfml\in\atoms{\ausfml}\setminus\atoms{\busfml}$. Then define $\ausfml_{\dusfml\mapsto\top}$ to be the same as $\ausfml$, but with all instances of $\dusfml$ replaced with $\top$, and $\ausfml_{\dusfml\mapsto\bot}$ be the same as $\ausfml$ with all instances of $\dusfml$ replaced with $\bot$. Then $|\atoms{\ausfml_{\dusfml\mapsto\top}\lor\ausfml_{\dusfml\mapsto\bot}}\setminus\atoms{\busfml}| = |\atoms{\ausfml}\setminus\atoms{\busfml}|-1$, so by the inductive hypothesis $\ausfml_{\dusfml\mapsto\top}\lor\ausfml_{\dusfml\mapsto\bot}\limply\busfml$ has an interpolant $\cusfml$. Because $\ausfml_{\dusfml\mapsto\top}\lor\ausfml_{\dusfml\mapsto\bot} \equiv \ausfml$, $\cusfml$ is also an interpolant for $\ausfml\limply\dusfml$.
\end{description}
\end{proof}

The proof given above for Theorem~\ref{thm:craig} is constructive: it tells us how to find a Craig interpolant for $\ausfml\limply\busfml$. However, because the size of this interpolant may be exponential due to the splitting of $\ausfml$ into disjunctive cases at each step, this interpolant may not be suitable for use in practice for predicate abstraction. There exist similar constructive proofs for the more general case of propositional logic, and rather than increasing the size of the formula exponentially they may introduce quantifiers. Because we would like to use automated decision procedures to answer queries about our abstractions, interpolants with quantifiers are also not always useful in practice. Automated techniques for finding concise, quantifier-free interpolants is a challenge, and remains an active research topic in the verification literature.

Note that if $\ausfml \limply \busfml$, then $\ausfml \land \lnot\busfml$ is unsatisfiable, and it is equivalent to define a Craig interpolant for $\ausfml,\busfml$ as a formula $\cusfml$ that is implied by $\ausfml$ ($\ausfml\limply\cusfml$), inconsistent with $\lnot\busfml$ ($\cusfml\land\lnot\busfml$ is unsatisfiable), and contains only shared symbols of $\ausfml,\busfml$. This formulation is more commonly used in the model checking literature, and we will use it from this point forward.

\paragraph{Examples}
Let's look at a few examples of Craig interpolants before seeing how they can help with refinement. Consider $\ausfml, \busfml$, where:
\[
\begin{array}{ll}
\ausfml &\equiv \lnot(A \land B) \limply (\lnot D \land B) \\
\busfml &\equiv (E \limply A) \land (E \limply \lnot D)
\end{array}
\]
We can find an interpolant in this case by applying the procedure outlined in the proof of Theorem~\ref{thm:craig} for propositional logic. The only variable in $\atoms{\ausfml}\setminus\atoms{\busfml}$ is $B$. So splitting $\ausfml$ on $B$ we obtain:
\[
\begin{array}{ll}
& (\lnot(A \land \top)\limply(\lnot D \land \top))\lor(\lnot(A \land \bot)\limply(\lnot D \land \bot)) 
\\ \lbisubjunct 
& (\lnot A \limply \lnot D)
\\ \lbisubjunct 
& A \lor \lnot D
\end{array}
\]

Now consider the formula $\ausfml,\busfml$, where the literals are no longer propositional variables.
\[
\begin{array}{ll}
\ausfml &\equiv (c \ne 0 \lor d = 0) \land c = 0 \\
\busfml &\equiv d = 0
\end{array}
\]
One possible Craig interpolant is $d = 0$, which we see by applying the same approach as in the previous example but this time treating the literals $c\ne0$, $d=0$, $c=0$ as we did propositional variables previously. To save steps, we treat $c = 0$ and $c \ne 0$ as one atom, non-negated in the first case and negated in the latter.
\[
\begin{array}{ll}
& ((\lnot\top \lor d = 0) \land \top) \lor ((\lnot\bot \lor d = 0) \land \bot)
\\ \lbisubjunct 
& d = 0
\end{array}
\]
Another possibile interpolant is $d\le 0$. Both interpolants describe a fact implied by $\ausfml$ sufficient to prove $\busfml$. Note that because the interpolant only contains variables in both formulas, it does not reflect anything about $\ausfml$ that is irrelevent to $\busfml$. It is a concise accounting of why $\ausfml$ implies $\busfml$, which will be useful for our purposes.

In the previous example, the second interpolant $d\le 0$ could not be derived using the technique from the proof because $d\le 0$ is not an atom in either formula $\ausfml,\busfml$. The interpolant doesn't necessarily need to mention the literals from the original formula, and in some cases there is no atom shared between $\ausfml$ and $\busfml$. Consider the following $\ausfml,\busfml$:
\[
\begin{array}{ll}
\ausfml &\equiv x = c_0 \land c_1 = c_0 + 1 \land y = c_1 \\
\busfml &\equiv x = m \land y = m + 1
\end{array}
\]
An interpolant in this case is $y = x + 1$. Although there are automated techniques for producing such literals for formulas in most first-order theories relevant to verification~\cite{Henzinger2004,Brillout2010}, we will not cover them in this course.

\paragraph{Refinements from interpolants}
Let us return to the example from previous lecture. Recall that we found a spurious counterexample for the property $\tbox{\ell_4\limply0\le i}$ using the abstraction set $\hat{\Sigma} = \{0 \le i\}$.
\begin{enumerate}
\item $\langle\ell_0,0\le i\rangle\hat{\stepto}\langle\ell_1,0\le i\rangle$. This edge is in $\hat{K_\asprg}$ because $0\le i\limply\dibox{\pumod{i}{\mathtt{abs}(N)+1}}{0>i}$ is equivalent to $0\le i\limply0>\mathtt{abs}(N)+1$, which is not valid.

\item $\langle\ell_1,0\le i\rangle\hat{\stepto}\langle\ell_2,0\le i\rangle$. This edge exists because $0\le i\limply\dibox{\ptest{0\le x<N}}{0>i}$ is equivalent to $0\le i\limply0\le x<N\limply0>i$, which is not valid.

\item $\langle\ell_2,0\le i\rangle\hat{\stepto}\langle\ell_3,0>i\rangle$. This edge exists because $0\le i\limply\dibox{\pumod{i}{i-1}}{0\le i}$ is equivalent to $0\le i\limply0 \le i-1$ and is not valid, seen from the assignment $i=0$.

\item $\langle\ell_3,0>i\rangle\hat{\stepto}\langle\ell_1,0>i\rangle$. This edge exists because $0>i\limply\dibox{\pumod{x}{x+1}}{0\le i}$ is equivalent to $0>i\limply0\le i$, which is not valid.

\item $\langle\ell_1,0>i\rangle\hat{\stepto}\langle\ell_4,0>i\rangle$. This edge exists because $0>i\limply\dibox{\ptest{\lnot(0\le x<N)}}{0\le i}$ is equivalent to $0>i\limply\lnot(0\le x<N)\limply0\le i$ is not valid.
\end{enumerate}
We know that this is a spurious counterexample because we can construct a formula that is valid if and only if the path corresponding to the counterexample satisfies the safety property, which in this case is that $0 \le i$ at the end of the path. Namely, the following is valid:
\[
\dibox{\pumod{i}{\mathtt{abs}(N)+1};\ptest{0\le x<N};\pumod{i}{i-1};\pumod{x}{x+1};\ptest{\lnot(0\le x<N)}}0 \le i
\]
Consider the following deduction:
\begin{sequentdeduction}
\linfer[composeb+assignbeqr] {
  \linfer[testb+implyr] {
    \linfer[assignbeqr+assignbeqr] {
      \linfer[testb] {
        \lsequent{i_0 = |N|+1,0\le x<N,i_1=i_0-1,x_1=x+1,0\le x_1<N}{0 \le i_1}
      } {
        \lsequent{i_0 = |N|+1,0\le x<N,i_1=i_0-1,x_1=x+1}{\dibox{\ptest{\lnot(0\le x_1<N)}}0 \le i_1}
      }
    } {
      \lsequent{i_0 = |N|+1,0\le x<N}{\dibox{\pumod{i}{i_0-1}}\dibox{\pumod{x}{x+1}}\dibox{\ptest{\lnot(0\le x<N)}}0 \le i}
    }
  } {
    \lsequent{i_0 = |N|+1}{\dibox{\ptest{0\le x<N}}\dibox{\pumod{i}{i_0-1}}\dibox{\pumod{x}{x+1}}\dibox{\ptest{\lnot(0\le x<N)}}0 \le i}
  }
} {
  \lsequent{}{\dibox{\pumod{i}{\mathtt{abs}(N)+1};\ptest{0\le x<N};\pumod{i}{i-1};\pumod{x}{x+1};\ptest{\lnot(0\le x<N)}}0 \le i}  
}
\end{sequentdeduction}
The last sequent is valid if and only if the following formula is unsatisfiable:
\[
i_0 = |N|+1 \land 0\le x<N \land i_1=i_0-1 \land x_1=x+1 \land 0\le x_1<N \land 0 > i_1
\]
This is called the \emph{path formula} for the counterexample. Each conjunct on the left of the implication corresponds to a constraint imposed by executing one of the statements on the path. Assignments introduce equalities, and tests introduce direct assertions; updates to variables are accounted for by indexing variable names in the manner of static single-assignment (SSA) form. The final conjunct is the negated safety property

Now consider the interpolant corresponding to:
\[
\begin{array}{ll}
\ausfml &\equiv i_0 = |N|+1 \\
\busfml &\equiv 0\le x<N \land i_1=i_0-1 \land x_1=x+1 \land 0\le x_1<N \land 0 > i_1
\end{array}
\]
Such an interpolant is a fact about the program state immediately after the assignment $\pumod{i}{\mathtt{abs}(N)+1}$ that must hold after executing the assignment. One such fact is $i_0 = |N| + 1$ (i.e., just $\ausfml$). But another is $i_0 > |N|-x$. We can do this for each step of the counterexample, deriving interpolants along the way to learn useful facts.
\begin{itemize}
\item 
  $\ausfml \equiv i_0 = |N|+1$,\\ 
  $\busfml \equiv 0\le x<N \land i_1=i_0-1 \land x_1=x+1 \land 0\le x_1<N \land 0 > i_1$\\
  $\cusfml \equiv i_0 > |N| - x$

\item 
  $\ausfml \equiv i_0 = |N|+1 \land 0\le x<N$,\\ 
  $\busfml \equiv i_1=i_0-1 \land x_1=x+1 \land 0\le x_1<N \land 0 > i_1$,\\ 
  $\cusfml \equiv i_0 > |N|-x \land 0 \le x<N$

\item 
  $\ausfml \equiv i_0 = |N|+1 \land 0\le x<N \land i_1=i_0-1$,\\ 
  $\busfml \equiv x_1=x+1 \land 0\le x_1<N \land 0 > i_1$,\\ 
  $\cusfml \equiv i_1 \ge |N|-x \land 0 \le x<N$  

\item 
  $\ausfml \equiv i_0 = |N|+1 \land 0\le x<N \land i_1=i_0-1 \land x_1=x+1$,\\ 
  $\busfml \equiv 0\le x_1<N \land 0 > i_1$,\\ 
  $\cusfml \equiv i_1 > |N|-x_1 \land 0\le x_1\le N$

\item 
  $\ausfml \equiv i_0 = |N|+1 \land 0\le x<N \land i_1=i_0-1 \land x_1=x+1 \land 0\le x_1<N$,\\ 
  $\busfml \equiv 0 > i_1$,\\ 
  $\cusfml \equiv 0 \le i_1$
\end{itemize}
We can obtain a set of predicates to refine our abstraction with by dropping the subscripts from each interpolant above. We would then be left with,
\[
\hat{\Sigma} = \{0 \le i, i > 0, i > |N|-x, i \ge |N|-x, 0 \le x < N, 0 \le x \le N\}
\]
Using these predicates will ensure that we do not encounter the same spurious counterexample again in future attempts at model checking. To see why, notice the following sequence of observations.
\begin{enumerate}
\item After executing the first assignment $\pumod{i}{\mathtt{abs}(N)+1}$, we have that $i > 0$ must hold. In other words, $\dibox{\pumod{i}{\mathtt{abs}(N)+1}}{i > 0} \lbisubjunct |N|+1 > 0$ is valid.

\item After executing the test $\ptest{0\le x < N}$ (i.e., entering the loop) starting in a state where $i > 0$ holds, $i > |N|-x \land 0 \le x<N$ must hold. This follows from the validity of $(i > 0 \limply \dibox{\ptest{0\le x<N}}{i > |N|-x} \land 0\le x<N) \lbisubjunct (i>0 \land 0\le x<N \limply i > |N| - |x| \land 0 \le x<N)$.

\item Starting in a state where $i > |N|-x \land 0\le x<N$ holds and executing the assignment $\pumod{i}{i-1}$ lands in a state where $i \ge |N|-x \land 0 \le x < N$ holds. This follows from the validity of $(i > |N|-x \land 0\le i<N \limply \dibox{\pumod{i}{i-1}}{i \ge |N|-x \land 0 \le x < N}) \lbisubjunct (i>|N|-x \land 0\le x<N \limply i-1\ge|N|-x \land 0\le x<N)$.

\item Starting in a state where $i \ge |N|-x \land 0\le x<N$ holds and executing the assignment $\pumod{x}{x+1}$ yields a state where $i > |N|-x \land 0\le x\le N$ holds. This follows from the validity of $(i \ge |N|-x \land 0\le x<N \limply \dibox{\pumod{x}{x+1}}{i > |N|-x \land 0 \le x \le N}) \lbisubjunct (i \ge |N|-x \land 0<x<N \limply i > |N|-(x+1) \land 0\le x+1\le N)$.

\item Starting in a state where $i > |N|-x \land 0\le x\le N$ holds and executing the test $\ptest{\top}$ (i.e., going back to the top of the loop) leads to a state where $i > 0$ necessarily holds. This follows from the validity of $(i > |N|-x \land 0 \le x \le N \limply \dibox{\ptest{\top}}{i > 0}) \lbisubjunct (i > |N|-x \land 0 \le x \le N \limply i > 0)$.

\item Starting in a state where $i > 0$ holds and executing the test $\ptest{\lnot(0\le x<N)}$ (i.e., exiting the loop) leads to a state where $0 \le i$ necessarily holds. This follows from the validity of $(i > 0 \limply \dibox{\ptest{\lnot(0 \le x<N)}}{0 \le i}) \lbisubjunct (i > 0 \land \lnot(0 \le x < N) \limply 0 \le i)$.
\end{enumerate}

Most automated techniques for deriving interpolants from counterexample path formulas do so in a way that the interpolant for at each step through the path formula is sufficient to prove the interpolant at the following~\cite{Henzinger2004}. In other words, if $\cusfml_i,\cusfml_{i+1}$ are the interpolants for steps $i$ and $i+1$ of the counterexample, and $\asprg$ is the statement executed at that step, then $\cusfml_i\limply\dibox{\asprg}{\cusfml_{i+1}}$. This guarantees that the counterexample used to refine the abstraction will no longer be a trace in the new transition structure.

\paragraph{Localizing abstraction}
The way in which we derived these predicates gives us more information yet. In particular, we derived each interpolant by splitting the counterexample path formula at all of the program locations along the path. So in addition to telling us which predicates are relevant to refining out the counterexample, this procedure also tells us where in the program they are relevant at. We can use this information to greatly reduce the statespace of the abstraction by localizing the set of abstraction predicates to each control flow location. So rather than using as the statespace of the abstraction $\hat{W} = \mathcal{S} \times \powerset{\hat{\Sigma}}$, we define $\hat{\Sigma}$ to be a function from control flow locations to sets of predicates:
\begin{multline*}
\hat{\Sigma} : \plocs{\asprg} \to \powerset{\text{predicates over program states}}, \\
\text{where}~\hat{\Sigma}(\ell)~\text{is the set of predicates interpolated at location}~\ell
\end{multline*}
Applying this to our running example, we are left with the abstraction depicted below. Notice that there are no paths to a state where $0 > i$ holds, so we can perform exhaustive model checking to conclude that the safety property always holds.

\begin{center}
\includegraphics[width=0.6\textwidth]{abstraction.pdf}
\end{center}

This approach is called \emph{lazy abstraction}~\cite{Henzinger2002}, because the abstraction is constructed as needed and only in relevant locations as required by counterexamples. It is a popular approach for software model checking, and has been implemented in numerous tools available today.

\bibliography{platzer,bibliography}
\end{document}