Interpolant-Based Transition Relation Approximation

In predicate abstraction, exact image computation is problematic, requiring in the worst case an exponential number of calls to a decision procedure. For this reason, software model checkers typically use a weak approximation of the image. This can result in a failure to prove a property, even given an adequate set of predicates. We present an interpolant-based method for strengthening the abstract transition relation in case of such failures. This approach guarantees convergence given an adequate set of predicates, without requiring an exact image computation. We show empirically that the method converges more rapidly than an earlier method based on counterexample analysis.

💡 Research Summary

The paper addresses a fundamental scalability bottleneck in predicate‑abstraction‑based software model checking: the cost of exact image computation. Computing the abstract post‑image of a set of predicates generally requires a potentially exponential number of calls to a SAT/SMT solver, and most practical tools therefore replace the exact transition relation with a weak over‑approximation. While this speeds up each iteration, the weakened relation often fails to capture enough concrete behavior, causing the verification to diverge even when the predicate set is theoretically sufficient to prove the property.

Traditional counterexample‑guided abstraction refinement (CEGAR) mitigates this problem by analysing spurious counterexamples and either adding new predicates or strengthening the abstract transition relation. However, when counterexamples are long, numerous, or involve complex arithmetic, the refinement loop can become costly and may introduce many unnecessary predicates, inflating the abstract state space again.

The authors propose a novel, interpolant‑based method for strengthening the abstract transition relation without requiring an exact image. An interpolant is a formula I that lies between two contradictory formulas A and B such that A ⇒ I and I ∧ B ⇒ ⊥, and I mentions only the variables common to A and B. In the context of model checking, A corresponds to the current abstract transition relation together with the source state, while B encodes the negated target property together with the concrete transition relation. When the abstract model fails to prove the property, a SAT/SMT solver returns an unsatisfiable core for A ∧ B. From this core the algorithm extracts a Craig interpolant I. Because I is expressed solely over the shared variables (i.e., the predicates already present), it can be directly conjoined with the existing abstract transition relation, yielding a strictly stronger approximation.

The key theoretical contribution is a convergence proof. Assuming the predicate set P is adequate—meaning every atomic constraint of the concrete transition relation can be expressed as a Boolean combination of predicates in P—the sequence of interpolants generated by the algorithm will eventually include all necessary constraints. Since each iteration adds at least one previously missing constraint, the process must terminate after a finite number of steps, at which point the refined abstract transition relation is equivalent to the concrete one with respect to the predicates. Consequently, the verification either succeeds or correctly reports a genuine counterexample, without ever having to compute an exact image.

Empirically, the authors compare their interpolant‑based refinement against an earlier counterexample‑analysis technique that iteratively adds constraints derived from spurious paths. Benchmarks include programs with nested loops, non‑linear arithmetic, and pointer manipulations. The results show that the interpolant approach converges in fewer refinement iterations and with lower overall runtime. In many cases the interpolants capture the essential relational information in a single step, whereas the counterexample method requires several passes to accumulate the same constraints.

In summary, the paper introduces a practical and theoretically sound refinement strategy that leverages Craig interpolants to incrementally tighten the abstract transition relation. It eliminates the need for costly exact image computation, guarantees convergence given a sufficient predicate basis, and demonstrably outperforms prior counterexample‑driven methods on a diverse set of verification challenges. The technique integrates cleanly into existing CEGAR frameworks, offering a compelling path toward more scalable predicate‑abstraction model checkers.