SAT-Based Verification with IC3: Foundations and Demands

Similar documents
IC3 and Beyond: Incremental, Inductive Verification

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Understanding IC3. Aaron R. Bradley. ECEE Department, University of Colorado at Boulder

IC3: Where Monolithic and Incremental Meet

The Journey. Inductive Invariants. Söllerhaus IC3 FSIS. 2 of 21

or simply: IC3 A Simplified Description

Pushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii

An Incremental Approach to Model Checking Progress Properties

Incremental, Inductive Model Checking

IC3, PDR, and Friends

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

SAT-based Model Checking: Interpolation, IC3, and Beyond

An Incremental Approach to Model Checking Progress Properties

Solving Constrained Horn Clauses by Property Directed Reachability

Incremental, Inductive CTL Model Checking

Lecture 2: Symbolic Model Checking With SAT

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Model Checking: An Introduction

Property Checking By Logic Relaxation

Trading-off incrementality and dynamic restart of multiple solvers in IC3

Generalized Property Directed Reachability

IC3 Modulo Theories via Implicit Predicate Abstraction

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Interpolant-based Transition Relation Approximation

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Predicate Abstraction: A Tutorial

FMCAD 2013 Parameter Synthesis with IC3

Abstractions and Decision Procedures for Effective Software Model Checking

Ivy: Safety Verification by Interactive Generalization

SAT-based Model-Checking

IC3 Software Model Checking on Control Flow Automata

Tutorial 1: Modern SMT Solvers and Verification

Automata-Theoretic Model Checking of Reactive Systems

Property Checking Without Invariant Generation

SAT in Formal Hardware Verification

Solving Constrained Horn Clauses using Interpolation

Property-Directed k-induction

Solving SAT Modulo Theories

arxiv: v1 [cs.lo] 29 May 2014

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

From SAT To SMT: Part 1. Vijay Ganesh MIT

Integrating Induction and Deduction for Verification and Synthesis

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Internals of SMT Solvers. Leonardo de Moura Microsoft Research

Lecture Notes on Software Model Checking

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Hardware Model Checking Competition Armin Biere, Tom van Dijk, Keijo Heljanko FMCAD th International Conference on

Linear Temporal Logic and Büchi Automata

Verification of Distributed Protocols Using Decidable Logic

3-Valued Abstraction-Refinement

An Introduction to Z3

SMT: Satisfiability Modulo Theories

Integrating Induction, Deduction and Structure for Synthesis

Property Directed Equivalence via Abstract Simulation. Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

CS156: The Calculus of Computation

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Incremental Formal Verification of Hardware

CS256/Winter 2009 Lecture #6. Zohar Manna

Chapter 6: Computation Tree Logic

Vinter: A Vampire-Based Tool for Interpolation

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

Static Program Analysis

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

Applications of Craig Interpolants in Model Checking

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

SMT Unsat Core Minimization

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Program Analysis Part I : Sequential Programs

The Polyranking Principle

Property Directed Abstract Interpretation

Complexity and algorithms for monomial and clausal predicate abstraction

Chapter 4: Computation tree logic

LRA Interpolants from No Man s Land. Leonardo Alt, Antti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland

Predicate abstrac,on and interpola,on. Many pictures and examples are borrowed from The So'ware Model Checker BLAST presenta,on.

The Eager Approach to SMT. Eager Approach to SMT

arxiv: v3 [cs.lo] 11 Jul 2016

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

Computation Tree Logic

Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis

Constraint Solving for Program Verification: Theory and Practice by Example

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Reasoning about State Constraints in the Situation Calculus

Symbolic Computation and Theorem Proving in Program Analysis

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Bounded Model Checking

Constraint Solving for Program Verification: Theory and Practice by Example

A Liveness Checking Algorithm that Counts

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Software Verification with Abstraction-Based Methods

Program Verification as Probabilistic Inference

Floyd-Hoare Style Program Verification

Solving Quantified Verification Conditions using Satisfiability Modulo Theories

Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski POPL University of Freiburg, Germany

Selfless Interpolation for Infinite-State Model Checking

Transcription:

SAT-Based Verification with IC3: Foundations and Demands Aaron R. Bradley ECEE, CU Boulder & Summit Middle School SAT-Based Verification with IC3:Foundations and Demands 1/55

Induction Foundation of verification for 40+ years (Floyd, Hoare) To prove that S : (I,T) has safety property P, prove: Base case (initiation): I P Inductive case (consecution): P T P SAT-Based Verification with IC3:Foundations and Demands 2/55

SAT-Based Verification with IC3:Foundations and Demands 3/55

When Induction Fails We present two solutions... 1. Use a stronger assertion, or 2. Construct an incremental proof, using previously established invariants. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Method 1 = Monolithic Method 2 = Incremental SAT-Based Verification with IC3:Foundations and Demands 4/55

Outline 1. Illustration of the two methods 2. SAT-based model checkers 3. Understanding IC3 4. After IC3: Temporal Logics, SMT 5. Challenges for SAT/SMT SAT-Based Verification with IC3:Foundations and Demands 5/55

Two Transition Systems S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 P : y 1 SAT-Based Verification with IC3:Foundations and Demands 6/55

Induction on System 1 S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Initiation: Consecution (fails): x = 1 y = 1 }{{} initial condition y 1 }{{} P y 1 }{{} P x = x+1 y = y +x }{{} transition relation y 1 }{{} P SAT-Based Verification with IC3:Foundations and Demands 7/55

Incremental Proof S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Problem: y decreases if x is negative. But... ϕ 1 : x 0 Initiation: Consecution: x = 1 y = 1 x 0 } x {{ 0 } x = x+1 y = y +x }{{} ϕ 1 transition relation x 0 }{{} ϕ 1 SAT-Based Verification with IC3:Foundations and Demands 8/55

Back to P S 1 : Consecution: x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 } x {{ 0 } y 1 }{{} ϕ 1 P P is inductive relative to ϕ 1. x = x+1 y = y +x }{{} transition relation y 1 }{{} P SAT-Based Verification with IC3:Foundations and Demands 9/55

Induction on System 2 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Induction fails for P as in System 1. Additionally, x 0 x = x+y y = y +x x 0 x 0 is not inductive, either. SAT-Based Verification with IC3:Foundations and Demands 10/55

Monolithic Proof S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Invent strengthening all at once: Consecution: x 0 y 1 }{{} P P : x 0 y 1 x = x+y y = y+x x 0 y 1 }{{} P SAT-Based Verification with IC3:Foundations and Demands 11/55

SAT-Based Verification with IC3:Foundations and Demands 12/55

Incremental vs. Monolithic Methods Incremental: does not always work Monolithic: relatively complete Incremental: apply induction iteratively ( modular ) Monolithic: invent one strengthening formula We strongly recommend its use whenever applicable. Its main advantage is that of modularity. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 SAT-Based Verification with IC3:Foundations and Demands 13/55

Finite-state System Transition system: Cube s: S : (i,x,i(x),t(x,i,x )) Conjunction of literals, e.g., x 1 x 2 x 3 x 4 Like any formula, represents set of states (that satisfy it) Clause: s SAT-Based Verification with IC3:Foundations and Demands 14/55

SAT-Based Backward Model Checking 1. Search for predecessor s to some error state: If none, property holds. 2. Reduce cube s to s: P T P Expand to others with bad successors [McMillan 2002], [Lu et al. 2005] If P s T s, reduce by implication graph [Lu et al. 2005] Apply inductive generalization [Bradley 2007] 3. P := P s SAT-Based Verification with IC3:Foundations and Demands 15/55

Inductive Generalization Given: cube s Find: c s such that Initiation: I c Consecution (relative to information P ): P c T c No strict subclause of c is inductive relative to P SAT-Based Verification with IC3:Foundations and Demands 16/55

SAT-Based Verification with IC3:Foundations and Demands 17/55

SAT-Based Verification with IC3:Foundations and Demands 18/55

Analysis of Backward Search Strengths: Easy SAT queries, low memory Property focused Some are approximating, computing neither strongest nor weakest strengthening Weaknesses: Essentially undirected search (bad for bug finding) Ignore initial states SAT-Based Verification with IC3:Foundations and Demands 19/55

Analysis of FSIS [Bradley 2007] Strengths (essentially, great when it works): Can significantly reduce backward search Can find strong lemmas with induction Weaknesses: Like others when inductive generalization fails SAT-Based Verification with IC3:Foundations and Demands 20/55

BMC [Biere et al. 1999] Compared to backward search: Considers initial and final states Requires solving hard SAT queries Practically incomplete (UNSAT case) I (P (i) T (i) ) P (k) k 1 i=0 SAT-Based Verification with IC3:Foundations and Demands 21/55

SAT-Based Verification with IC3:Foundations and Demands 22/55

k-induction [Sheeran et al. 2000] Addresses practical incompleteness of BMC: Initiation: BMC Consecution: (P (i) T (i) ) P (k) k 1 i=0 (plus extra constraints to consider loop-free paths) SAT-Based Verification with IC3:Foundations and Demands 23/55

SAT-Based Verification with IC3:Foundations and Demands 24/55

ITP [McMillan 2003] Property-focused over-approximating post-image: F i (P (i) T (i) ) P (k) k 1 i=0 {states i steps from initial states} F i If holds, finds interpolant F i+1 : F i T F i+1 F If fails, increases k i+1 k 1 (P (i) T (i) ) P (k) i=1 SAT-Based Verification with IC3:Foundations and Demands 25/55

SAT-Based Verification with IC3:Foundations and Demands 26/55

BMC k-induction ITP Completeness from unrolling transition relation Evolution: reduce max k in practice (UNSAT case) Monolithic: hard SAT queries induction at top-level only Consider both initial and final states SAT-Based Verification with IC3:Foundations and Demands 27/55

Best of Both? Desire: Stable behavior (backward search) Low memory, reasonable queries Can just let it run Consideration of initial and final states (BMC) Modular reasoning (incremental method) Avoid: Blind search (backward search) Queries that overwhelm the SAT solver (BMC) SAT-Based Verification with IC3:Foundations and Demands 28/55

IC3: A Prover Stepwise sets F 0, F 1,..., F k, F k+1 (CNF): {states i steps from initial states} F i F i {states k i+1 steps from error} Four invariants: F 0 = I F i F i+1 F i T F i+1 Except F k+1, F i P if ever F i = F i+1, F i is inductive & P is invariant SAT-Based Verification with IC3:Foundations and Demands 29/55

SAT-Based Verification with IC3:Foundations and Demands 30/55

Essence of IC3 Continual refinement of over-approximating stepwise sets Until one is inductive Monolithic use of induction Generation of clauses as response to backward reachable states Inductive generalization: c s (c is inductive relative to a stepwise set) Incremental use of induction SAT-Based Verification with IC3:Foundations and Demands 31/55

Two Views of IC3 Prover: Generates predicates from counterexamples From s: state that can reach error To c s: inductive relative to F i c proves that s is unreachable in i+1 steps Bug finder: Guided backward search Stepwise sets: proximity estimate to initial state SAT-Based Verification with IC3:Foundations and Demands 32/55

Induction at Top Level Is P inductive relative to F k? F k T P (Recall: F k P ) Possibility #1: Yes Conclusion: P is inductive relative to F k SAT-Based Verification with IC3:Foundations and Demands 33/55

SAT-Based Verification with IC3:Foundations and Demands 34/55

Induction at Top Level Monolithic behavior (predicate abstraction): For i from 1 to k: find largest C F i s.t. F i T C F i+1 := F i+1 C F k+1 := F k+1 P New frontier: F k+1 If ever F i = F i+1, done: P is invariant. SAT-Based Verification with IC3:Foundations and Demands 35/55

Counterexample To Induction (CTI) F k T P Possibility #2: No Conclusion: F k -state s with error successor If s is an initial state, done: P is not invariant Otherwise... SAT-Based Verification with IC3:Foundations and Demands 36/55

SAT-Based Verification with IC3:Foundations and Demands 37/55

Induction at Low Level Inductive Generalization in IC3 Given: cube s Find: c s such that Initiation: I c Consecution (relative to F i ): F i c T c No strict subclause of c is inductive relative to F i SAT-Based Verification with IC3:Foundations and Demands 38/55

SAT-Based Verification with IC3:Foundations and Demands 39/55

Addressing CTIs Find highest i such that F i s T s Apply inductive generalization: c s I c F i c T c F i+1 := F i+1 c (also update F j, j i) If i < k, new proof obligation: (s, i+1) Inductively generalize s relative to F i+1 SAT-Based Verification with IC3:Foundations and Demands 40/55

Addressing Proof Obligation(t,j) SAT query: F j t T t If UNSAT: Inductive generalization must succeed: c t I c F j c T c F j+1 := F j+1 c Updated proof obligation (if j < k): (t, j +1) SAT-Based Verification with IC3:Foundations and Demands 41/55

Addressing Proof Obligation(t,j) SAT query: F j t T t If SAT: New CTI u, treat as before SAT-Based Verification with IC3:Foundations and Demands 42/55

One of IC3 s Insights Identification of relevant predecessors: Why did inductive generalization of s succeed relative to F i but fail relative to F i+1? Because of some F i+1 -state s-predecessor t. Analysis at F i focuses IC3 s choice of predecessors at F i+1. SAT-Based Verification with IC3:Foundations and Demands 43/55

SAT-Based Verification with IC3:Foundations and Demands 44/55

IC3: A Prover Based on CTIs (s), IC3 generates F i -relative inductive clauses (c s) to refine F i s. IC3 propagates clauses to prepare new frontier. Some clauses may be too specific. Their loss can break mutual support. As the frontier advances, IC3 considers ever more general situations. It eventually finds the real reasons (as truly inductive clauses) that P is invariant. SAT-Based Verification with IC3:Foundations and Demands 45/55

IC3: A Bug Finder Suppose: u t s Error Proof obligations: {(s, k 1), (t, k 2), (u, k 1)} That is, s must be inductively generalize relative to F k 1 t must be inductively generalize relative to F k 2 u must be inductively generalize relative to F k 1 Which proof obligation should IC3 address next? SAT-Based Verification with IC3:Foundations and Demands 46/55

Guided Search Two observations: u is the deepest of the states u t s Error t is the state that IC3 considers as likeliest to be closest to an initial state. {(s, k 1), (t, k 2), (u, k 1)} Proximity metric Conclusion: Pursue (t, k 2) next. (It also happens to be the correct choice [Bradley 2011].) SAT-Based Verification with IC3:Foundations and Demands 47/55

SAT-Based Verification with IC3:Foundations and Demands 48/55

Incremental, Inductive Verification IIV Algorithm: Constructs concrete hypotheses Generates intermediate lemmas incrementally Applies induction many times Generalizes from hypotheses to strong lemmas SAT-Based Verification with IC3:Foundations and Demands 49/55

After IC3: Refinements New heuristic: ternary simulation cube reduction [Een et al., FMCAD 11] Industrial setting: incremental verification [Chockler et al., FMCAD 11] Oh, yeah, and a name change: PDR (Thanks, Niklas!) SAT-Based Verification with IC3:Foundations and Demands 50/55

PDR: Temporal Logics FAIR [Bradley et al., FMCAD 11] For ω-regular properties, e.g., LTL Insight: SCC-closed regions can be characterized inductively IICTL [Hassan et al., CAV 12] For CTL properties Insight: EX (SAT), EU (IC3), EG (FAIR) Standard traversal of CTL property s parse tree Over- and under-approximating sets Task state-driven refinement SAT-Based Verification with IC3:Foundations and Demands 51/55

PDR: Infinite-state Systems SMT-based Induction Methods for Timed Systems [Kindermann et al., arxiv 12] Generalized Property Directed Reachability [Hoder et al., SAT 12] Boolean push-down systems Linear real arithmetic Software Model Checking via IC3 [Cimatti et al., CAV 12] Explicit handling of CFG Applies IC3 techniques to McMillan s Lazy Abstraction with Interpolants [McMillan, CAV 06] SAT-Based Verification with IC3:Foundations and Demands 52/55

PDR: Handling Proof Obligations Some presentations use LIFO ordering: Trivial correctness; easier to understand [Hoder et al., SAT 12], [Cimatti et al., CAV 12] Downside: not quite as good? PSPACE-complete (finite-state), so... But: fixed-length counterexamples for K And: not aggressive about mutual induction SAT-Based Verification with IC3:Foundations and Demands 53/55

Challenges for SAT/SMT 1. Emphasizes incremental calls (100s-1000s/sec) (FAIR/IICTL: even pushes/pops sets of clauses) 2. Understand effect of solver s choices on PDR 3. Variable ordering: Vital to practical performance Direct core assumptions and lifting 4. IIV: proofs pushed to block (e.g., FAIR) Solver should report whether proof is useful 5. Multi-threaded access over core constraints SAT-Based Verification with IC3:Foundations and Demands 54/55

Conclusions Attempted to explain why IC3 works: As a compromise between the incremental and monolithic strategies Characteristics of previous SAT-based MC As a prover As a bug finder Subsequent work: temporal logic, SMT Challenges for SAT/SMT SAT-Based Verification with IC3:Foundations and Demands 55/55

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback