The Journey. Inductive Invariants. Söllerhaus IC3 FSIS. 2 of 21

Transcription

1 ..

2 The Journey Inductive Invariants. Söllerhaus FSIS 2 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification IC3

3 Inductive Invariants Finite State Inductive Strengthening IC3 Road ahead 3 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

4 Inductive Invariants Finite State Inductive Strengthening IC3 Road ahead 4 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

5 Inductivity A property P is inductive if it satisfies initiation and consection: Initiation: I P Consecution: P T P Inductive invariant [MP95] Given a property P of a system, if P is inductive on S it is an invariant on S. [MP95] Zohar Manna and Amir Pnueli.. Springer, of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

6 Inductivity A property P is inductive if it satisfies initiation and consection: Initiation: I P Consecution: P T P Inductive invariant [MP95] Given a property P of a system, if P is inductive on S it is an invariant on S. Not vice versa Even if P is an invariant on S, it may not be inductive. [MP95] Zohar Manna and Amir Pnueli.. Springer, of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

7 Inductive Invariants Finite State Inductive Strengthening IC3 Road ahead 6 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

8 Proving a property P on a system S Proving that P holds on S in general is hard. But if P would be inductive, it would be trivial. If we only had a way to make P inductive Inductive Strengthening [BM07] Try to find a formula F that is an inductive strengthening of P, i.e. Initiation: I P F Consecution: P F T P F [BM07] Aaron R. Bradley and Zohar Manna. ``Checking Safety by Inductive Generalization of Counterexamples to Induction''. In:. 2007, pp of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

9 The bad guys An F -state that has a transition to a F -state is called (CTI) and is a direct wittness for why F is not inductive. Finding CTIs A CTI can be found using a simple satisfiability query sat(f T F ). If the query is sat, there exists a CTI and we can extract the state from the model of the solver (satisfying variable assignment). 8 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

10 Handling CTIs After finding a CTI s we check whether there exists a for s. If not, we update P that we have to prove that s is not reachable. Otherwise we can add s to the strengthening F. Minimal inductive subclause Given a clause c, a clause e is a minimal inductive subclause of c iff 1. e is inductive relative to (P F ), i.e. P F e T e, and 2. there exists no d e that is inductive relative to (P F ). 9 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

11 Happy End? FSIS terminates if either P F becomes inductive, or I P anymore. 10 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

12 Inductive Invariants Finite State Inductive Strengthening IC3 Road ahead 11 of 21 IC3 Tim Lange Software Modeling and Verification

13 Finding F is hard In many cases it can be pretty hard to come up with such a strengthening. Especially finding a minimal inductive subclause e that is inductive relative to P F is hard. Solution Instead of computing F directly, compute a sequence F 0,, F k, called frames, to a find an inductive strengthening within these F i. [Bra11] [Bra11] Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

14 Frames For a frame sequence F 0,, F k to be an inductive strengthening, the following must hold: I F 0 (1) F i F i+1 (2) F i P (3) F i T F i+1 (4) 13 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

15 Outer loop bool prove Check 0- and 1-step counterexamples Initialise frames F 0 = I, F 1 = P k = 1 to Blocking phase Propagation phase Check termination 14 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

16 Handling CTIs Given a CTI c in the last frame F k, we check whether c is reachable from F k 1 in one step. Thinking inductive: From an F k 1 state that is not c, do we stay in not c after one step? In other words: Is c inductive relative to F k : F k c T c How to check validity Validity of the implication can be solved as unsat(f k c T c). 15 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

17 Obligation queue Given a proof obligation c at level i, check whether c is inductive relative to F i 1. If not, we can extract a witness from the solver. If it is inductive relative to F i 1 we can block it until frame F i. Propagation phase It might be the case, that a clause c F i which is not in F i+1 is also valid in F i+1, but might not yet be in there. Therefore after the blocking phase, try to push as many clauses to the following frame as possible. Termination If for any frame F i, 0 i < k it holds that F i = F i+1 then F i T F i+1 F i T F i 16 of 21 IC3 Tim Lange tim.lange@cs.rwth-aachen.de Software Modeling and Verification

18 17 of 21 IC3 Tim Lange Software Modeling and Verification

19 Inductive Invariants Finite State Inductive Strengthening IC3 Road ahead 18 of 21 IC3 Tim Lange Software Modeling and Verification

20 Optimizations of bit-level IC3 [HBS13; EMB11; Sud13] Applying IC3 to software model checking bit-vector encoding [WK13] ART-based [CG12] Horn-clause based [HB12] Predicate Abstraction [BBW14] Implicit Abstraction [Cim+14] [HBS13] Zyad Hassan, Aaron R. Bradley, and Fabio Somenzi. ``Better generalization in IC3''. In:. 2013, pp [EMB11] Niklas Eén, Alan Mishchenko, and Robert K. Brayton. ``Efficient implementation of property directed reachability''. In:. 2011, pp [Sud13] Martin Suda. ``Triggered Clause Pushing for IC3''. In: abs/ (2013) [WK13] Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp [HB12] Kryštof Hoder and Nikolaj Bjørner. ``Generalized Property Directed Reachability''. In:. 2012, pp isbn: [BBW14] Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''.. In:. 2014, pp [Cim+14] Alessandro Cimatti et al. ``IC3 Modulo Theories via Implicit Predicate Abstraction''. In:. 2014, pp of 21 IC3 Tim Lange Software Modeling and Verification

21 Optimizations of bit-level IC3 [HBS13; EMB11; Sud13] Applying IC3 to software model checking bit-vector encoding [WK13] ART-based [CG12] Horn-clause based [HB12] Predicate Abstraction [BBW14] Implicit Abstraction [Cim+14] [HBS13] Zyad Hassan, Aaron R. Bradley, and Fabio Somenzi. ``Better generalization in IC3''. In:. 2013, pp [EMB11] Niklas Eén, Alan Mishchenko, and Robert K. Brayton. ``Efficient implementation of property directed reachability''. In:. 2011, pp [Sud13] Martin Suda. ``Triggered Clause Pushing for IC3''. In: abs/ (2013) [WK13] Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp [HB12] Kryštof Hoder and Nikolaj Bjørner. ``Generalized Property Directed Reachability''. In:. 2012, pp isbn: [BBW14] Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''.. In:. 2014, pp [Cim+14] Alessandro Cimatti et al. ``IC3 Modulo Theories via Implicit Predicate Abstraction''. In:. 2014, pp of 21 IC3 Tim Lange Software Modeling and Verification

22 .

23 Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''. In:. 2014, pp Aaron R. Bradley and Zohar Manna. ``Checking Safety by Inductive Generalization of Counterexamples to Induction''. In:. 2007, pp Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp Alessandro Cimatti et al. ``IC3 Modulo Theories via Implicit Predicate Abstraction''. In:. 2014, pp Niklas Eén, Alan Mishchenko, and Robert K. Brayton. ``Efficient implementation of property directed reachability''. In:. 2011, pp Kryštof Hoder and Nikolaj Bjørner. ``Generalized Property Directed Reachability''. In:. 2012, pp isbn: Zyad Hassan, Aaron R. Bradley, and Fabio Somenzi. ``Better generalization in IC3''. In:. 2013, pp Zohar Manna and Amir Pnueli.. Springer, Martin Suda. ``Triggered Clause Pushing for IC3''. In: abs/ (2013). Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp of 21 IC3 Tim Lange Software Modeling and Verification