IC3 and Beyond: Incremental, Inductive Verification Aaron R. - PowerPoint PPT Presentation

IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder & Summit Middle School IC3 and Beyond: Incremental, Inductive Verification – 1/62

Induction Foundation of verification for 40+ years (Floyd, Hoare) To prove that S : ( I, T ) has safety property P , prove: • Base case ( initiation ): I ⇒ P • Inductive case ( consecution ): P ∧ T ⇒ P ′ IC3 and Beyond: Incremental, Inductive Verification – 2/62

IC3 and Beyond: Incremental, Inductive Verification – 3/62

When Induction Fails We present two solutions. . . 1. Use a stronger assertion, or 2. Construct an incremental proof, using previously established invariants. – Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Method 1 = “Monolithic” Method 2 = “Incremental” IC3 and Beyond: Incremental, Inductive Verification – 4/62

Outline 1. Illustration of incremental vs. monolithic methods 2. SAT-based model checkers 3. Understanding IC3 4. FAIR: for ω -regular properties 5. Recent work IC3 and Beyond: Incremental, Inductive Verification – 5/62

Two Transition Systems x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 P : y ≥ 1 IC3 and Beyond: Incremental, Inductive Verification – 6/62

Induction on System 1 x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 • Initiation: x = 1 ∧ y = 1 ⇒ y ≥ 1 � �� � � �� � initial condition P • Consecution (fails): ∧ x ′ = x + 1 ∧ y ′ = y + x �⇒ y ′ ≥ 1 y ≥ 1 � �� � � �� � � �� � transition relation P P ′ IC3 and Beyond: Incremental, Inductive Verification – 7/62

Incremental Proof x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 Problem: y decreases if x is negative. But... ϕ 1 : x ≥ 0 • Initiation: x = 1 ∧ y = 1 ⇒ x ≥ 0 • Consecution: ∧ x ′ = x + 1 ∧ y ′ = y + x ⇒ x ′ ≥ 0 x ≥ 0 � �� � � �� � � �� � ϕ 1 ϕ ′ transition relation 1 IC3 and Beyond: Incremental, Inductive Verification – 8/62

Back to P x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 Consecution: ∧ x ′ = x + 1 ∧ y ′ = y + x ⇒ y ′ ≥ 1 x ≥ 0 ∧ y ≥ 1 � �� � � �� � � �� � � �� � ϕ 1 P transition relation P ′ P is inductive relative to ϕ 1 . IC3 and Beyond: Incremental, Inductive Verification – 9/62

Induction on System 2 x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 Induction fails for P as in System 1. Additionally, x ≥ 0 ∧ x ′ = x + y ∧ y ′ = y + x �⇒ x ′ ≥ 0 x ≥ 0 is not inductive, either. IC3 and Beyond: Incremental, Inductive Verification – 10/62

Monolithic Proof x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 Invent strengthening all at once: � P : x ≥ 0 ∧ y ≥ 1 Consecution: ∧ x ′ = x + y ∧ y ′ = y + x ⇒ x ′ ≥ 0 ∧ y ′ ≥ 1 x ≥ 0 ∧ y ≥ 1 � �� � � �� � � � P P ′ IC3 and Beyond: Incremental, Inductive Verification – 11/62

IC3 and Beyond: Incremental, Inductive Verification – 12/62

Incremental vs. Monolithic Methods • Incremental: does not always work • Monolithic: relatively complete • Incremental: apply induction iteratively (“modular”) • Monolithic: invent one strengthening formula We strongly recommend its use whenever applicable. Its main advantage is that of modularity . – Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 IC3 and Beyond: Incremental, Inductive Verification – 13/62

Finite-state System Transition system: ( i, x, I ( x ) , T ( x, i, x ′ )) S : Cube s : • Conjunction of literals, e.g., x 1 ∧ ¬ x 2 ∧ ¬ x 3 ∧ x 4 ∧ · · · • Like any formula, represents set of states (that satisfy it) Clause: ¬ s IC3 and Beyond: Incremental, Inductive Verification – 14/62

SAT-Based Backward Model Checking 1. Search for predecessor s to some error state: P ∧ T ⇒ P ′ If none, property holds. 2. Reduce cube s to ¯ s : • Expand to others with bad successors [McMillan 2002] , [Lu et al. 2005] • If P ∧ ¬ s ∧ T ⇒ ¬ s ′ , reduce by implication graph [Lu et al. 2005] • Apply inductive generalization [Bradley 2007] 3. P := P ∧ ¬ ¯ s IC3 and Beyond: Incremental, Inductive Verification – 15/62

Inductive Generalization Given : cube s Find : c ⊆ ¬ s such that • Initiation: I ⇒ c • Consecution (relative to information P ): P ∧ c ∧ T ⇒ c ′ • No strict subclause of c is inductive relative to P IC3 and Beyond: Incremental, Inductive Verification – 16/62

IC3 and Beyond: Incremental, Inductive Verification – 17/62

IC3 and Beyond: Incremental, Inductive Verification – 18/62

Analysis of Backward Search Strengths: • Easy SAT queries, low memory • Property focused • Some are approximating, computing neither strongest nor weakest strengthening Weaknesses: • Essentially undirected search (bad for bug finding) • Ignore initial states IC3 and Beyond: Incremental, Inductive Verification – 19/62

Analysis of FSIS [Bradley 2007] Strengths (essentially, great when it works): • Can significantly reduce backward search • Can find strong lemmas with induction Weaknesses: • Like others when inductive generalization fails IC3 and Beyond: Incremental, Inductive Verification – 20/62

BMC [Biere et al. 1999] Compared to backward search: • Considers initial and final states • Requires solving hard SAT queries • Practically incomplete (UNSAT case) k − 1 � ( P ( i ) ∧ T ( i ) ) ∧ ¬ P ( k ) I ∧ i =0 IC3 and Beyond: Incremental, Inductive Verification – 21/62

IC3 and Beyond: Incremental, Inductive Verification – 22/62

k -Induction [Sheeran et al. 2000] Addresses practical incompleteness of BMC: • Initiation: BMC • Consecution: k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) i =0 (plus extra constraints to consider loop-free paths) IC3 and Beyond: Incremental, Inductive Verification – 23/62

IC3 and Beyond: Incremental, Inductive Verification – 24/62

ITP [McMillan 2003] Property-focused over-approximating post-image: k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) F i ∧ i =0 • { states ≤ i steps from initial states } ⊆ F i • If holds, finds interpolant F i +1 : k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) F i ∧ T ⇒ F ′ F ′ i +1 ∧ i +1 i =1 • If fails, increases k IC3 and Beyond: Incremental, Inductive Verification – 25/62

IC3 and Beyond: Incremental, Inductive Verification – 26/62

BMC → k -Induction → ITP • Completeness from unrolling transition relation • Evolution: reduce max k in practice (UNSAT case) • Monolithic: • hard SAT queries • induction at top-level only • Consider both initial and final states IC3 and Beyond: Incremental, Inductive Verification – 27/62

Best of Both? Desire: • Stable behavior (backward search) • Low memory, reasonable queries • Can just let it run • Consideration of initial and final states (BMC) • Modular reasoning (incremental method) Avoid: • Blind search (backward search) • Queries that overwhelm the SAT solver (BMC) IC3 and Beyond: Incremental, Inductive Verification – 28/62

IC3: A Prover Stepwise sets F 0 , F 1 , . . . , F k , F k +1 (CNF): • { states ≤ i steps from initial states } ⊆ F i • F i ⊆ { states ≥ k − i + 1 steps from error } Four invariants: • F 0 = I • F i ⇒ F i +1 • F i ∧ T ⇒ F ′ i +1 • Except F k +1 , F i ⇒ P ∴ if ever F i = F i +1 , F i is inductive & P is invariant IC3 and Beyond: Incremental, Inductive Verification – 29/62

IC3 and Beyond: Incremental, Inductive Verification – 30/62

Essence of IC3 • Continual refinement of over-approximating stepwise sets • Until one is inductive • Monolithic use of induction • Generation of clauses as response to backward reachable states • Inductive generalization: c ⊆ ¬ s ( c is inductive relative to a stepwise set) • Incremental use of induction IC3 and Beyond: Incremental, Inductive Verification – 31/62

Two Views of IC3 • Prover: Generates predicates from counterexamples • From s : state that can reach error • To c ⊆ ¬ s : inductive relative to F i • c proves that s is unreachable in ≤ i + 1 steps • Bug finder: Guided backward search • Stepwise sets: proximity estimate to initial state IC3 and Beyond: Incremental, Inductive Verification – 32/62

Induction at Top Level Is P inductive relative to F k ? F k ∧ T ⇒ P ′ (Recall: F k ⇒ P ) • Possibility #1: Yes • Conclusion: P is inductive relative to F k IC3 and Beyond: Incremental, Inductive Verification – 33/62

IC3 and Beyond: Incremental, Inductive Verification – 34/62

Induction at Top Level Monolithic behavior (predicate abstraction): • For i from 1 to k : find largest C ⊆ F i s.t. F i ∧ T ⇒ C ′ F i +1 := F i +1 ∧ C • F k +1 := F k +1 ∧ P • New frontier: F k +1 If ever F i = F i +1 , done: P is invariant. IC3 and Beyond: Incremental, Inductive Verification – 35/62