IC3 and Beyond: Incremental, Inductive Verification

Similar documents
SAT-Based Verification with IC3: Foundations and Demands

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Understanding IC3. Aaron R. Bradley. ECEE Department, University of Colorado at Boulder

An Incremental Approach to Model Checking Progress Properties

IC3: Where Monolithic and Incremental Meet

The Journey. Inductive Invariants. Söllerhaus IC3 FSIS. 2 of 21

or simply: IC3 A Simplified Description

Incremental, Inductive Model Checking

Pushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii

An Incremental Approach to Model Checking Progress Properties

SAT-based Model Checking: Interpolation, IC3, and Beyond

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

IC3, PDR, and Friends

Lecture 2: Symbolic Model Checking With SAT

Incremental, Inductive CTL Model Checking

FMCAD 2013 Parameter Synthesis with IC3

Property Checking By Logic Relaxation

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Model Checking: An Introduction

Solving Constrained Horn Clauses by Property Directed Reachability

Predicate Abstraction: A Tutorial

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

SAT-Based Explicit LTL Reasoning

Tutorial 1: Modern SMT Solvers and Verification

Trading-off incrementality and dynamic restart of multiple solvers in IC3

Integrating Induction and Deduction for Verification and Synthesis

Abstractions and Decision Procedures for Effective Software Model Checking

Linear Temporal Logic and Büchi Automata

Property Checking Without Invariant Generation

IC3 Modulo Theories via Implicit Predicate Abstraction

Automata-Theoretic Model Checking of Reactive Systems

Synthesis of Designs from Property Specifications

Generalized Property Directed Reachability

Ivy: Safety Verification by Interactive Generalization

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Computer-Aided Program Design

The State Explosion Problem

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Interpolant-based Transition Relation Approximation

SAT-based Model-Checking

Applications of Craig Interpolants in Model Checking

SAT in Formal Hardware Verification

IC3 Software Model Checking on Control Flow Automata

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Lecture Notes on Software Model Checking

3-Valued Abstraction-Refinement

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

From Liveness to Promptness

Automata, Logic and Games: Theory and Application

Solving Constrained Horn Clauses using Interpolation

Lecture 11 Safety, Liveness, and Regular Expression Logics

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Reasoning about State Constraints in the Situation Calculus

Software Verification with Abstraction-Based Methods

Constraint Solving for Program Verification: Theory and Practice by Example

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

A Symbolic Approach to Safety LTL Synthesis

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Overview. overview / 357

A Liveness Checking Algorithm that Counts

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

Automata-based Verification - III

SMT: Satisfiability Modulo Theories

Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski POPL University of Freiburg, Germany

Property-Directed k-induction

Chapter 6: Computation Tree Logic

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

LRA Interpolants from No Man s Land. Leonardo Alt, Antti E. J. Hyvärinen, and Natasha Sharygina University of Lugano, Switzerland

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Knowledge Compilation and Theory Approximation. Henry Kautz and Bart Selman Presented by Kelvin Ku

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Automata-based Verification - III

Symbolic Computation and Theorem Proving in Program Analysis

Solving SAT Modulo Theories

EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES

CS256/Winter 2009 Lecture #6. Zohar Manna

Constraint Solving for Program Verification: Theory and Practice by Example

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Bounded Synthesis. Sven Schewe and Bernd Finkbeiner. Universität des Saarlandes, Saarbrücken, Germany

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

From SAT To SMT: Part 1. Vijay Ganesh MIT

Bounded Model Checking

CS156: The Calculus of Computation

Generalized Parity Games

The Polyranking Principle

Integrating Induction, Deduction and Structure for Synthesis

Chapter 4: Computation tree logic

An Introduction to Z3

Bounded Model Checking for Weak Alternating Büchi Automata

arxiv: v1 [cs.lo] 29 May 2014

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

ESE601: Hybrid Systems. Introduction to verification

Infinite Games. Sumit Nain. 28 January Slides Credit: Barbara Jobstmann (CNRS/Verimag) Department of Computer Science Rice University

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis

The Eager Approach to SMT. Eager Approach to SMT

Transcription:

IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder & Summit Middle School IC3 and Beyond: Incremental, Inductive Verification 1/62

Induction Foundation of verification for 40+ years (Floyd, Hoare) To prove that S : (I,T) has safety property P, prove: Base case (initiation): I P Inductive case (consecution): P T P IC3 and Beyond: Incremental, Inductive Verification 2/62

IC3 and Beyond: Incremental, Inductive Verification 3/62

When Induction Fails We present two solutions... 1. Use a stronger assertion, or 2. Construct an incremental proof, using previously established invariants. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Method 1 = Monolithic Method 2 = Incremental IC3 and Beyond: Incremental, Inductive Verification 4/62

Outline 1. Illustration of incremental vs. monolithic methods 2. SAT-based model checkers 3. Understanding IC3 4. FAIR: for ω-regular properties 5. Recent work IC3 and Beyond: Incremental, Inductive Verification 5/62

Two Transition Systems S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 P : y 1 IC3 and Beyond: Incremental, Inductive Verification 6/62

Induction on System 1 S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Initiation: Consecution (fails): x = 1 y = 1 }{{} initial condition y 1 }{{} P y 1 }{{} P x = x+1 y = y +x }{{} transition relation y 1 }{{} P IC3 and Beyond: Incremental, Inductive Verification 7/62

Incremental Proof S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Problem: y decreases if x is negative. But... ϕ 1 : x 0 Initiation: Consecution: x = 1 y = 1 x 0 } x {{ 0 } x = x+1 y = y +x }{{} ϕ 1 transition relation x 0 }{{} ϕ 1 IC3 and Beyond: Incremental, Inductive Verification 8/62

Back to P S 1 : Consecution: x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 } x {{ 0 } y 1 }{{} ϕ 1 P P is inductive relative to ϕ 1. x = x+1 y = y +x }{{} transition relation y 1 }{{} P IC3 and Beyond: Incremental, Inductive Verification 9/62

Induction on System 2 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Induction fails for P as in System 1. Additionally, x 0 x = x+y y = y +x x 0 x 0 is not inductive, either. IC3 and Beyond: Incremental, Inductive Verification 10/62

Monolithic Proof S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Invent strengthening all at once: Consecution: x 0 y 1 }{{} P P : x 0 y 1 x = x+y y = y+x x 0 y 1 }{{} P IC3 and Beyond: Incremental, Inductive Verification 11/62

IC3 and Beyond: Incremental, Inductive Verification 12/62

Incremental vs. Monolithic Methods Incremental: does not always work Monolithic: relatively complete Incremental: apply induction iteratively ( modular ) Monolithic: invent one strengthening formula We strongly recommend its use whenever applicable. Its main advantage is that of modularity. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 IC3 and Beyond: Incremental, Inductive Verification 13/62

Finite-state System Transition system: Cube s: S : (i,x,i(x),t(x,i,x )) Conjunction of literals, e.g., x 1 x 2 x 3 x 4 Like any formula, represents set of states (that satisfy it) Clause: s IC3 and Beyond: Incremental, Inductive Verification 14/62

SAT-Based Backward Model Checking 1. Search for predecessor s to some error state: If none, property holds. 2. Reduce cube s to s: P T P Expand to others with bad successors [McMillan 2002], [Lu et al. 2005] If P s T s, reduce by implication graph [Lu et al. 2005] Apply inductive generalization [Bradley 2007] 3. P := P s IC3 and Beyond: Incremental, Inductive Verification 15/62

Inductive Generalization Given: cube s Find: c s such that Initiation: I c Consecution (relative to information P ): P c T c No strict subclause of c is inductive relative to P IC3 and Beyond: Incremental, Inductive Verification 16/62

IC3 and Beyond: Incremental, Inductive Verification 17/62

IC3 and Beyond: Incremental, Inductive Verification 18/62

Analysis of Backward Search Strengths: Easy SAT queries, low memory Property focused Some are approximating, computing neither strongest nor weakest strengthening Weaknesses: Essentially undirected search (bad for bug finding) Ignore initial states IC3 and Beyond: Incremental, Inductive Verification 19/62

Analysis of FSIS [Bradley 2007] Strengths (essentially, great when it works): Can significantly reduce backward search Can find strong lemmas with induction Weaknesses: Like others when inductive generalization fails IC3 and Beyond: Incremental, Inductive Verification 20/62

BMC [Biere et al. 1999] Compared to backward search: Considers initial and final states Requires solving hard SAT queries Practically incomplete (UNSAT case) I (P (i) T (i) ) P (k) k 1 i=0 IC3 and Beyond: Incremental, Inductive Verification 21/62

IC3 and Beyond: Incremental, Inductive Verification 22/62

k-induction [Sheeran et al. 2000] Addresses practical incompleteness of BMC: Initiation: BMC Consecution: (P (i) T (i) ) P (k) k 1 i=0 (plus extra constraints to consider loop-free paths) IC3 and Beyond: Incremental, Inductive Verification 23/62

IC3 and Beyond: Incremental, Inductive Verification 24/62

ITP [McMillan 2003] Property-focused over-approximating post-image: F i (P (i) T (i) ) P (k) k 1 i=0 {states i steps from initial states} F i If holds, finds interpolant F i+1 : F i T F i+1 F If fails, increases k i+1 k 1 (P (i) T (i) ) P (k) i=1 IC3 and Beyond: Incremental, Inductive Verification 25/62

IC3 and Beyond: Incremental, Inductive Verification 26/62

BMC k-induction ITP Completeness from unrolling transition relation Evolution: reduce max k in practice (UNSAT case) Monolithic: hard SAT queries induction at top-level only Consider both initial and final states IC3 and Beyond: Incremental, Inductive Verification 27/62

Best of Both? Desire: Stable behavior (backward search) Low memory, reasonable queries Can just let it run Consideration of initial and final states (BMC) Modular reasoning (incremental method) Avoid: Blind search (backward search) Queries that overwhelm the SAT solver (BMC) IC3 and Beyond: Incremental, Inductive Verification 28/62

IC3: A Prover Stepwise sets F 0, F 1,..., F k, F k+1 (CNF): {states i steps from initial states} F i F i {states k i+1 steps from error} Four invariants: F 0 = I F i F i+1 F i T F i+1 Except F k+1, F i P if ever F i = F i+1, F i is inductive & P is invariant IC3 and Beyond: Incremental, Inductive Verification 29/62

IC3 and Beyond: Incremental, Inductive Verification 30/62

Essence of IC3 Continual refinement of over-approximating stepwise sets Until one is inductive Monolithic use of induction Generation of clauses as response to backward reachable states Inductive generalization: c s (c is inductive relative to a stepwise set) Incremental use of induction IC3 and Beyond: Incremental, Inductive Verification 31/62

Two Views of IC3 Prover: Generates predicates from counterexamples From s: state that can reach error To c s: inductive relative to F i c proves that s is unreachable in i+1 steps Bug finder: Guided backward search Stepwise sets: proximity estimate to initial state IC3 and Beyond: Incremental, Inductive Verification 32/62

Induction at Top Level Is P inductive relative to F k? F k T P (Recall: F k P ) Possibility #1: Yes Conclusion: P is inductive relative to F k IC3 and Beyond: Incremental, Inductive Verification 33/62

IC3 and Beyond: Incremental, Inductive Verification 34/62

Induction at Top Level Monolithic behavior (predicate abstraction): For i from 1 to k: find largest C F i s.t. F i T C F i+1 := F i+1 C F k+1 := F k+1 P New frontier: F k+1 If ever F i = F i+1, done: P is invariant. IC3 and Beyond: Incremental, Inductive Verification 35/62

Counterexample To Induction (CTI) F k T P Possibility #2: No Conclusion: F k -state s with error successor If s is an initial state, done: P is not invariant Otherwise... IC3 and Beyond: Incremental, Inductive Verification 36/62

IC3 and Beyond: Incremental, Inductive Verification 37/62

Induction at Low Level Inductive Generalization in IC3 Given: cube s Find: c s such that Initiation: I c Consecution (relative to F i ): F i c T c No strict subclause of c is inductive relative to F i IC3 and Beyond: Incremental, Inductive Verification 38/62

Induction at Low Level Is c an interpolant? I (F i c T) c c s I (F i c T) c c s Not necessarily: An interpolant is inductive but... An inductive assertion need not be an interpolant. In practice: Quality vs. speed trade-off per clause Quality wins in experiments: faster overall IC3 and Beyond: Incremental, Inductive Verification 39/62

IC3 and Beyond: Incremental, Inductive Verification 40/62

Addressing CTIs Find highest i such that F i s T s Apply inductive generalization: c s I c F i c T c F i+1 := F i+1 c (also update F j, j i) If i < k, new proof obligation: (s, i+1) Inductively generalize s relative to F i+1 IC3 and Beyond: Incremental, Inductive Verification 41/62

Addressing Proof Obligation(t,j) SAT query: F j t T t If UNSAT: Inductive generalization must succeed: c t I c F j c T c F j+1 := F j+1 c Updated proof obligation (if j < k): (t, j +1) IC3 and Beyond: Incremental, Inductive Verification 42/62

Addressing Proof Obligation(t,j) SAT query: F j t T t If SAT: New CTI u, treat as before IC3 and Beyond: Incremental, Inductive Verification 43/62

One of IC3 s Insights Identification of relevant predecessors: Why did inductive generalization of s succeed relative to F i but fail relative to F i+1? Because of some F i+1 -state s-predecessor t. Analysis at F i focuses IC3 s choice of predecessors at F i+1. IC3 and Beyond: Incremental, Inductive Verification 44/62

IC3 and Beyond: Incremental, Inductive Verification 45/62

IC3: A Prover Based on CTIs (s), IC3 generates F i -relative inductive clauses (c s) to refine F i s. IC3 propagates clauses to prepare new frontier. Some clauses may be too specific. Their loss can break mutual support. As the frontier advances, IC3 considers ever more general situations. It eventually finds the real reasons (as truly inductive clauses) that P is invariant. IC3 and Beyond: Incremental, Inductive Verification 46/62

IC3: A Bug Finder Suppose: u t s Error Proof obligations: {(s, k 1), (t, k 2), (u, k 1)} That is, s: inductively generalize relative to F k 1 t: inductively generalize relative to F k 2 u: inductively generalize relative to F k 1 Which proof obligation should IC3 address next? IC3 and Beyond: Incremental, Inductive Verification 47/62

Guided Search Two observations: u is the deepest of the states u t s Error t is the state that IC3 considers as likeliest to be closest to an initial state. {(s, k 1), (t, k 2), (u, k 1)} Proximity metric Conclusion: Pursue (t, k 2) next. (It also happens to be the correct choice [Bradley 2011].) IC3 and Beyond: Incremental, Inductive Verification 48/62

IC3 and Beyond: Incremental, Inductive Verification 49/62

Recent Work: Refinements New heuristic: ternary simulation cube reduction [Een et al., FMCAD 11] Industrial setting: incremental verification [Chockler et al., FMCAD 11] Oh, yeah, and a name change: PDR (Thanks, Niklas!) IC3 and Beyond: Incremental, Inductive Verification 50/62

Temporal Logics FAIR [Bradley et al., FMCAD 11] For ω-regular properties, e.g., LTL Insight: SCC-closed regions can be characterized inductively IICTL [Hassan et al., CAV 12] For CTL properties Insight: EX (SAT), EU (IC3), EG (FAIR) Standard traversal of CTL property s parse tree Over- and under-approximating sets Task state-driven refinement IC3 and Beyond: Incremental, Inductive Verification 51/62

Infinite-state Systems SMT-based Induction Methods for Timed Systems [Kindermann et al., arxiv 12] Generalized Property Directed Reachability [Hoder et al., SAT 12] Boolean push-down systems Linear real arithmetic Software Model Checking via IC3 [Cimatti et al., CAV 12] Explicit handling of CFG Applies IC3 techniques to McMillan s Lazy Abstraction with Interpolants [McMillan, CAV 06] IC3 and Beyond: Incremental, Inductive Verification 52/62

Handling Proof Obligations Some presentations use LIFO ordering: Trivial correctness; easier to understand [Hoder et al., SAT 12], [Cimatti et al., CAV 12] Downside: not quite as good? PSPACE-complete (finite-state), so... But: fixed-length counterexamples for K And: not aggressive about mutual induction IC3 and Beyond: Incremental, Inductive Verification 53/62

Linear Time Hierarchy Reactivity Recurrence Persistence Progress Obligation Safety: IC3 Safety Progress: FAIR over IC3 Guarantee IC3 and Beyond: Incremental, Inductive Verification 54/62

Generalized Büchi Automata Given: Fair Transition System (FTS) S LTL property P Compute generalized Büchi automaton C = A P S. If S is finite state, nonemptiness of C corresponds to the existence of a reachable fair cycle, aka lasso. IC3 and Beyond: Incremental, Inductive Verification 55/62

Strongly Connected Components A lasso s cycle is contained in a strongly connected component (SCC) of the state graph. A nonempty set of states is SCC-closed if every SCC is either contained in it or disjoint from it. A partition of the states into SCC-closed sets is a coarser partition than the SCC partition. Every cycle of a graph is contained in some SCC-closed set. IC3 and Beyond: Incremental, Inductive Verification 56/62

FAIR: Reachable Fair Cycles Reduce search for reachable fair cycle to a set of safety problems: Skeleton: Together satisfy all fairness constraints. Task: Connect states to form lasso. IC3 and Beyond: Incremental, Inductive Verification 57/62

Reach Queries Each connection task is a reach query. Stem query: Connect initial condition to a state: Cycle query: Connect one state to another: (To itself if skeleton has only one state.) IC3 and Beyond: Incremental, Inductive Verification 58/62

Discovering SCC-Closed Sets Negative cycle query knowledge of SCC structure Inductive proof: one-way barrier Each side of the proof is SCC-closed Subsequent skeletons: all states on one side IC3 and Beyond: Incremental, Inductive Verification 59/62

Key Insight Inductive assertions describe SCC-closed sets Arena: States all on same side of each barrier Unlike previous symbolic methods: Barrier constraints on T + Over-approximating prover (IC3) Simultaneous consideration of all arenas In other words: A proof can provide information about many arenas even though the motivating skeleton comes from one arena IC3 and Beyond: Incremental, Inductive Verification 60/62

Incremental, Inductive Verification IC3 FAIR IICTL Hypothesis CTI skeleton task state Lemma clause barrier refinement Induction clause barrier EU (IC3), EG (FAIR) Generalization MIC proof improvement trace generalization IC3 and Beyond: Incremental, Inductive Verification 61/62

Conclusions Attempted to explain why IC3 works: As a compromise between the incremental and monolithic strategies In terms of characteristics of previous SAT-based MC As a prover IIV: As a bug finder State-driven, inductive generation of lemmas Simple but many SAT queries Parallelizable IC3 and Beyond: Incremental, Inductive Verification 62/62

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback