Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Similar documents
IC3 and Beyond: Incremental, Inductive Verification

SAT-Based Verification with IC3: Foundations and Demands

Understanding IC3. Aaron R. Bradley. ECEE Department, University of Colorado at Boulder

IC3: Where Monolithic and Incremental Meet

An Incremental Approach to Model Checking Progress Properties

Incremental, Inductive Model Checking

or simply: IC3 A Simplified Description

The Journey. Inductive Invariants. Söllerhaus IC3 FSIS. 2 of 21

An Incremental Approach to Model Checking Progress Properties

Pushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

SAT-based Model Checking: Interpolation, IC3, and Beyond

Incremental, Inductive CTL Model Checking

Lecture 2: Symbolic Model Checking With SAT

IC3, PDR, and Friends

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Model Checking: An Introduction

Property Checking By Logic Relaxation

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

CS256/Winter 2009 Lecture #6. Zohar Manna

Lecture Notes on Software Model Checking

Automata-Theoretic Model Checking of Reactive Systems

Predicate Abstraction: A Tutorial

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Integrating Induction and Deduction for Verification and Synthesis

Knowledge Compilation and Theory Approximation. Henry Kautz and Bart Selman Presented by Kelvin Ku

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Ivy: Safety Verification by Interactive Generalization

Program Verification as Probabilistic Inference

Trading-off incrementality and dynamic restart of multiple solvers in IC3

arxiv: v1 [cs.lo] 29 May 2014

Abstractions and Decision Procedures for Effective Software Model Checking

Chapter 6: Computation Tree Logic

Tutorial 1: Modern SMT Solvers and Verification

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Program Analysis Part I : Sequential Programs

SAT-based Model-Checking

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Interpolant-based Transition Relation Approximation

Introduction to Formal Verification Methods Exercise 4

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

Chapter 3 Deterministic planning

Integrating Induction, Deduction and Structure for Synthesis

Reasoning about State Constraints in the Situation Calculus

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Property Directed Abstract Interpretation

Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Chapter 4: Computation tree logic

3-Valued Abstraction-Refinement

Heuristics for Efficient SAT Solving. As implemented in GRASP, Chaff and GSAT.

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving

Learning Abstractions for Model Checking

Hoare Logic and Model Checking

Generalized Property Directed Reachability

Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK

Linear Temporal Logic and Büchi Automata

Computer-Aided Program Design

Bounded Model Checking

Property Checking Without Invariant Generation

An Introduction to Temporal Logics

Solving Constrained Horn Clauses by Property Directed Reachability

FAIRNESS FOR INFINITE STATE SYSTEMS

Static Program Analysis

Learning Invariants using Decision Trees and Implication Counterexamples

Constraint Solving for Program Verification: Theory and Practice by Example

Overview. overview / 357

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Finite-State Model Checking

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

The State Explosion Problem

Model Checking with CTL. Presented by Jason Simas

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

IC3 Modulo Theories via Implicit Predicate Abstraction

Bounded Model Checking Using Satisfiability Solving

Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis

SMT: Satisfiability Modulo Theories

CTL satisfability via tableau A C++ implementation

Floyd-Hoare Style Program Verification

Symbolic Computation and Theorem Proving in Program Analysis

Topics in Verification AZADEH FARZAN FALL 2017

Solving Constrained Horn Clauses using Interpolation

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Lecture 16: Computation Tree Logic (CTL)

SAT in Formal Hardware Verification

CS156: The Calculus of Computation

Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Proving Unsatisfiability in Non-linear Arithmetic by Duality

Software Verification with Abstraction-Based Methods

Homework 2: Temporal logic

Ranking Verification Counterexamples: An Invariant guided approach

Constraint Solving for Program Verification: Theory and Practice by Example

Proof Calculus for Partial Correctness

The Polyranking Principle

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Counterexample-Guided Abstraction Refinement

Transcription:

Understanding IC3 Aaron R. Bradley ECEE, CU Boulder & Summit Middle School Understanding IC3 1/55

Further Reading This presentation is based on Bradley, A. R. Understanding IC3. In SAT, June 2012. http://theory.stanford.edu/~arbrad Understanding IC3 2/55

Induction Foundation of verification for 40+ years (Floyd, Hoare) To prove that S : (I,T) has safety property P, prove: Base case (initiation): I P Inductive case (consecution): P T P Understanding IC3 3/55

Understanding IC3 4/55

When Induction Fails We present two solutions... 1. Use a stronger assertion, or 2. Construct an incremental proof, using previously established invariants. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Method 1 = Monolithic Method 2 = Incremental Understanding IC3 5/55

Outline 1. Illustration of the two methods 2. SAT-based model checkers 3. Understanding IC3 as a prover 4. Understanding IC3 as a bug finder 5. Beyond IC3: Incremental, inductive verification Understanding IC3 6/55

Two Transition Systems S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 P : y 1 Understanding IC3 7/55

Induction on System 1 S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Initiation: Consecution (fails): x = 1 y = 1 }{{} initial condition y 1 }{{} P y 1 }{{} P x = x+1 y = y +x }{{} transition relation y 1 }{{} P Understanding IC3 8/55

Incremental Proof S 1 : x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 Problem: y decreases if x is negative. But... ϕ 1 : x 0 Initiation: Consecution: x = 1 y = 1 x 0 } x {{ 0 } x = x+1 y = y +x }{{} ϕ 1 transition relation x 0 }{{} ϕ 1 Understanding IC3 9/55

Back to P S 1 : Consecution: x, y := 1, 1 while : x, y := x + 1, y + x 1 2 3 } x {{ 0 } y 1 }{{} ϕ 1 P P is inductive relative to ϕ 1. x = x+1 y = y +x }{{} transition relation y 1 }{{} P Understanding IC3 10/55

Induction on System 2 S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Induction fails for P as in System 1. Additionally, x 0 x = x+y y = y +x x 0 x 0 is not inductive, either. Understanding IC3 11/55

Monolithic Proof S 2 : x, y := 1, 1 while : x, y := x + y, y + x 1 2 3 Invent strengthening all at once: Consecution: x 0 y 1 }{{} P P : x 0 y 1 x = x+y y = y+x x 0 y 1 }{{} P Understanding IC3 12/55

Understanding IC3 13/55

Incremental vs. Monolithic Methods Incremental: does not always work Monolithic: relatively complete Incremental: apply induction iteratively ( modular ) Monolithic: invent one strengthening formula We strongly recommend its use whenever applicable. Its main advantage is that of modularity. Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Understanding IC3 14/55

Finite-state System Transition system: S : (i,x,i(x),t(x,i,x )) Cube s: Conjunction of literals, e.g., x 1 x 2 x 3 x 4 Represents set of states (that satisfy it) Clause: s Understanding IC3 15/55

SAT-Based Backward Model Checking 1. Search for predecessor s to some error state: If none, property holds. 2. Reduce cube s to s: P T P Expand to others with bad successors [McMillan 2002], [Lu et al. 2005] If P s T s, reduce by implication graph [Lu et al. 2005] Apply inductive generalization [Bradley 2007] 3. P := P s Understanding IC3 16/55

Inductive Generalization Given: cube s Find: c s such that Initiation: I c Consecution (relative to information P ): P c T c No strict subclause of c is inductive relative to P Understanding IC3 17/55

Understanding IC3 18/55

Understanding IC3 19/55

Analysis of Backward Search Strengths: Easy SAT queries, low memory Property focused Some are approximating, computing neither strongest nor weakest strengthening Weaknesses: Essentially undirected search (bad for bug finding) Ignore initial states Understanding IC3 20/55

Analysis of FSIS [Bradley 2007] Strengths (essentially, great when it works): Can significantly reduce backward search Can find strong lemmas with induction Weaknesses: Like others when inductive generalization fails Understanding IC3 21/55

BMC [Biere et al. 1999] Compared to backward search: Considers initial and final states Requires solving hard SAT queries Practically incomplete (UNSAT case) I (P (i) T (i) ) P (k) k 1 i=0 Understanding IC3 22/55

Understanding IC3 23/55

k-induction [Sheeran et al. 2000] Addresses practical incompleteness of BMC: Initiation: BMC Consecution: (P (i) T (i) ) P (k) k 1 i=0 (plus extra constraints to consider loop-free paths) Understanding IC3 24/55

Understanding IC3 25/55

ITP [McMillan 2003] Property-focused over-approximating post-image: F i (P (i) T (i) ) P (k) k 1 i=0 {states i steps from initial states} F i If holds, finds interpolant F i+1 : F i T F i+1 F If fails, increases k i+1 k 1 (P (i) T (i) ) P (k) i=1 Understanding IC3 26/55

Understanding IC3 27/55

BMC k-induction ITP Completeness from unrolling transition relation Evolution: reduce max k in practice (UNSAT case) Monolithic: hard SAT queries induction at top-level only Consider both initial and final states Understanding IC3 28/55

Best of Both? Desire: Stable behavior (backward search) Low memory, reasonable queries Can just let it run Consideration of initial and final states (BMC) Modular reasoning (incremental method) Avoid: Blind search (backward search) Queries that overwhelm the SAT solver (BMC) Understanding IC3 29/55

IC3: A Prover Stepwise sets F 0, F 1,..., F k, F k+1 (CNF): {states i steps from initial states} F i F i {states k i+1 steps from error} Four invariants: F 0 = I F i F i+1 F i T F i+1 Except F k+1, F i P if ever F i = F i+1, F i is inductive & P is invariant Understanding IC3 30/55

Understanding IC3 31/55

Induction at Top Level Is P inductive relative to F k? F k T P (Recall: F k P ) Possibility #1: Yes Conclusion: P is inductive relative to F k Understanding IC3 32/55

Understanding IC3 33/55

Induction at Top Level Monolithic behavior (predicate abstraction): For i from 1 to k: find largest C F i s.t. F i T C F i+1 := F i+1 C F k+1 := F k+1 P New frontier: F k+1 If ever F i = F i+1, done: P is invariant. Understanding IC3 34/55

Counterexample To Induction (CTI) F k T P Possibility #2: No Conclusion: F k -state s with error successor If s is an initial state, done: P is not invariant Otherwise... Understanding IC3 35/55

Understanding IC3 36/55

Induction at Low Level Inductive Generalization in IC3 Given: cube s Find: c s such that Initiation: I c Consecution (relative to F i ): F i c T c No strict subclause of c is inductive relative to F i Understanding IC3 37/55

Understanding IC3 38/55

Addressing CTIs Find highest i such that F i s T s Apply inductive generalization: c s I c F i c T c F i+1 := F i+1 c (also update F j, j i) If i < k, new proof obligation: (s, i+1) Inductively generalize s relative to F i+1 Understanding IC3 39/55

Addressing Proof Obligation(t,j) SAT query: F j t T t If UNSAT: Inductive generalization must succeed: c t I c F j c T c F j+1 := F j+1 c Updated proof obligation (if j < k): (t, j +1) Understanding IC3 40/55

Addressing Proof Obligation(t,j) SAT query: F j t T t If SAT: New CTI u, treat as before Find highest i s.t. u is inductive relative to F i Inductively generalize (c u): F i+1 := F i+1 c New proof obligation (if i < k): (u, i+1) Understanding IC3 41/55

One of IC3 s Insights Suppose CTI s was inductively generalized at F i F i+1 := F i+1 c Removed s and some predecessors from F i+1 Updated proof obligation: (s, i+1) Understanding IC3 42/55

One of IC3 s Insights Suppose CTI s was inductively generalized at F i F i+1 := F i+1 c Removed s and some predecessors from F i+1 Updated proof obligation: (s, i+1) Suppose F i+1 s T s s-predecessor F i+1 -state t But t was not a F i -state t is a relevant predecessor: the difference between F i and F i+1 Inductive generalization at F i focuses IC3 s choice of predecessors at F i+1. Understanding IC3 42/55

Understanding IC3 43/55

Meeting Obligations IC3 pursues proof obligation (t,j) until j = k even if the original CTI has been addressed. Why? Supporting lemmas for this frontier can be useful at next During predicate abstraction phase, supporting clauses propagate forward together Allows IC3 to find mutually (relatively) inductive lemmas, addressing a key weakness of FSIS More... Understanding IC3 44/55

IC3: A Prover Based on CTIs from frontier and predecessors, IC3 generates stepwise-relative inductive clauses. IC3 propagates clauses forward in preparing a new frontier. Some clauses may be too specific. Their loss can break mutual support. But as the frontier advances, IC3 considers ever more general situations. It eventually finds the real reasons (as truly inductive clauses) that P is invariant. Understanding IC3 45/55

IC3: A Bug Finder Suppose: u t s Error Proof obligations: {(s, k 1), (t, k 2), (u, k 1)} That is, s must be inductively generalize relative to F k 1 t must be inductively generalize relative to F k 2 u must be inductively generalize relative to F k 1 Which proof obligation should IC3 address next? Understanding IC3 46/55

Guided Search Two observations: u is the deepest of the states u t s Error t is the state that IC3 considers as likeliest to be closest to an initial state. {(s, k 1), (t, k 2), (u, k 1)} Proximity metric Conclusion: Pursue (t, k 2) next. (It also happens to be the correct choice [Bradley 2011].) Understanding IC3 47/55

Understanding IC3 48/55

IC3: A Bug Finder IC3 executes a guided search. Proximity metric: j of (t,j) IC3 pursues obligation with minimal proximity A new clause updates the proximity metric for many states Same conclusion as proof perspective: Pursue all proof obligations (t,j) until j = k Now: To gain important heuristic information Additionally: Allows IC3 to search deeply even for small k Understanding IC3 49/55

Incremental, Inductive Verification IIV Algorithm: Constructs concrete hypotheses Generates intermediate lemmas incrementally Applies induction many times Generalizes from hypotheses to strong lemmas Understanding IC3 50/55

After IC3 FAIR [Bradley et al. 2011] For ω-regular properties, e.g., LTL Insight: SCC-closed regions can be characterized inductively IICTL [Hassan et al. 2012] For CTL properties Insight: EX (SAT), EU (IC3), EG (FAIR) Standard traversal of CTL property s parse tree Over- and under-approximating sets Task state-driven refinement Understanding IC3 51/55

FAIR: Reachable Fair Cycles Reduce search for reachable fair cycle to a set of safety problems: Skeleton: Together satisfy all fairness constraints. Task: Connect states to form lasso. Understanding IC3 52/55

Reach Queries Each connection task is a reach query. Stem query: Connect initial condition to a state: Cycle query: Connect one state to another: (To itself if skeleton has only one state.) Understanding IC3 53/55

IIV IC3 FAIR IICTL Hypothesis CTI lasso skeleton task state Lemma clause barrier refinement Induction EU (IC3), EG (FAIR) Generalization MIC proof improvement trace generalization Understanding IC3 54/55

Conclusions Attempted to explain why IC3 works: As a compromise between the incremental and monolithic strategies In terms of best and worst qualities of previous SAT-based model checkers As a prover As a bug finder Other IIV algorithms: FAIR and IICTL An indication that IC3 s characteristics work in other contexts Understanding IC3 55/55

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback