IC3: Where Monolithic and Incremental Meet Fabio Somenzi Aaron R. - PowerPoint PPT Presentation

Proving Invariants by Induction IC3 Bibliography IC3: Where Monolithic and Incremental Meet Fabio Somenzi Aaron R. Bradley Department of Electrical, Computer, and Energy Engineering University of Colorado at Boulder FMCAD, 30 October 2011

Proving Invariants by Induction IC3 Bibliography Outline Proving Invariants by Induction 1 Induction for Transition Systems Strengthening Relative Induction IC3 2 Basic Algorithm Examples Efficiency

Proving Invariants by Induction IC3 Bibliography Outline Proving Invariants by Induction 1 Induction for Transition Systems Strengthening Relative Induction IC3 2 Basic Algorithm Examples Efficiency

Proving Invariants by Induction IC3 Bibliography Finite-State Transition Systems IC3 works on a symbolic representation of a system: S : ( i , x , I ( x ) , T ( i , x , x ′ )) i : primary inputs x : state variables x ′ : next state variables I ( x ): initial states T ( i , x , x ′ ): transition relation

Proving Invariants by Induction IC3 Bibliography Invariance Properties IC3 proves (or refutes) invariants Prove that every reachable state satisfies P ( x ) P is a propositional formula Checking safety properties is reduced to checking invariance properties

Proving Invariants by Induction IC3 Bibliography Mutual Exclusion for a Simple Arbiter 00 00 r 1 01 , 11 g 1 00 DFF 10 00 01 , 11 10 10 01 01 10 , 11 00 01 10 , 11 g 2 DFF r 2 11 I ( g ) = ¬ g 1 ∧ ¬ g 2 ∃ r 1 , r 2 . T ( r , g , g ′ ) = ¬ g ′ 1 ∨ ¬ g ′ 2 P ( g ) = ¬ g 1 ∨ ¬ g 2

Proving Invariants by Induction IC3 Bibliography Inductive Proofs for Transition Systems Prove initiation (base case) I ( x ) ⇒ P ( x ) All initial states satisfy P ( ¬ g 1 ∧ ¬ g 2 ) ⇒ ( ¬ g 1 ∨ ¬ g 2 ) Prove consecution (inductive step) P ( x ) ∧ T ( i , x , x ′ ) ⇒ P ( x ′ ) All successors of states satisfying P satisfy P ( ¬ g 1 ∨ ¬ g 2 ) ∧ ( ¬ g ′ 1 ∨ ¬ g ′ 2 ) ⇒ ( ¬ g ′ 1 ∨ ¬ g ′ 2 ) If both pass, all reachable states satisfy the property S | = P

Proving Invariants by Induction IC3 Bibliography Visualizing Inductive Proofs 00 10 01 11 The inductive assertion ( ∼ yellow) contains all initial (blue) states and no arrow leaves it (it is closed under the transition relation)

Proving Invariants by Induction IC3 Bibliography Counterexamples to Induction: The Troublemakers 00 01 11 10

Proving Invariants by Induction IC3 Bibliography Counterexamples to Induction: The Troublemakers 00 01 11 10 CTI

Proving Invariants by Induction IC3 Bibliography Invariant Strengthening 00 01 11 10 CTI

Proving Invariants by Induction IC3 Bibliography Invariant Strengthening 00 01 11 10

Proving Invariants by Induction IC3 Bibliography Invariant Strengthening 00 01 11 10

Proving Invariants by Induction IC3 Bibliography Invariant Strengthening 00 01 11 10

Proving Invariants by Induction IC3 Bibliography Strong and Weak Invariants 000 001 110 100 010 011 111 101 Induction is not restricted to: the strongest inductive invariant (forward-reachable states) . . . or the weakest inductive invariant (complement of the backward-reachable states) ¬ x 1 is simpler than ¬ x 1 ∧ ( ¬ x 2 ∨ ¬ x 3 ) (strongest) and ( ¬ x 1 ∨ ¬ x 3 ) (weakest)

Proving Invariants by Induction IC3 Bibliography Completeness for Finite-State Systems CTIs are effectively bad states If a CTI is reachable so is at least one bad state Remove CTI from P and try again Eventually either: An inductive strengthening of P results An initial state is removed from P In the latter case, a counterexample is obtained

Proving Invariants by Induction IC3 Bibliography Examples of Strengthening Strategies Removing one CTI at a time is very inefficient! Several strategies in use to avoid that Fixpoint-based invariant checking: if ν Z . p ∧ AX Z converges 0 ≤ i < n AX i p is an inductive in n > 0 iterations, then � invariant In fact, the weakest inductive invariant k -induction: if all states on length- k paths from the initial states satisfy p , and k distinct consecutive states satisfying p are always followed by a state satisfying p , then all states reachable from the initial states satisfy p . fsis algorithm: try to extract an inductive clause from CTI to exclude multiple CTIs

Proving Invariants by Induction IC3 Bibliography Relative Induction Suppose the assertion ϕ is a conjunction � ϕ = ϕ j 0 ≤ j < n Suppose each ϕ j is inductive relative to the previous assertions and P . That is, for every 0 ≤ j < n , I ⇒ ϕ j and � ϕ i ∧ T ⇒ ϕ ′ P ∧ j 0 ≤ i ≤ j Finally, suppose P is inductive relative to ϕ ; that is, I ⇒ P and � ϕ i ∧ T ⇒ P ′ P ∧ 0 ≤ i < n Then P is an invariant of S

Proving Invariants by Induction IC3 Bibliography Relative Induction 010 000 100 110 011 001 101 111 ϕ = ¬ x 1 ∧ ( x 1 ∨ ¬ x 2 )

Proving Invariants by Induction IC3 Bibliography Relative Induction 010 000 100 110 011 001 101 111 ¬ x 1 is not inductive

Proving Invariants by Induction IC3 Bibliography Relative Induction 010 000 100 110 011 001 101 111 x 1 ∨ ¬ x 2 is inductive

Proving Invariants by Induction IC3 Bibliography Relative Induction 010 000 100 110 011 001 101 111 ¬ x 1 is inductive relative to x 1 ∨ ¬ x 2

Proving Invariants by Induction IC3 Bibliography Shortcoming of Relative Induction 010 100 000 110 011 101 001 111 P = ( x 1 ∨ x 2 ∨ x 3 ) ∧ ( ¬ x 1 ∨ ¬ x 2 ∨ x 3 ) ϕ = ( x 1 ∨ x 2 ) ∧ ( ¬ x 1 ∨ ¬ x 2 )

Proving Invariants by Induction IC3 Bibliography Shortcoming of Relative Induction 010 100 000 110 011 101 001 111 ( x 1 ∨ x 2 ) ∧ P ∧ T �⇒ ( x ′ 1 ∨ x ′ 2 )

Proving Invariants by Induction IC3 Bibliography Shortcoming of Relative Induction 010 100 000 110 011 101 001 111 ( ¬ x 1 ∨ ¬ x 2 ) ∧ P ∧ T �⇒ ( ¬ x ′ 1 ∨ ¬ x ′ 2 )

Proving Invariants by Induction IC3 Bibliography Shortcoming of Relative Induction 010 100 000 110 011 101 001 111 ( x 1 ∨ x 2 ) ∧ ( ¬ x 1 ∨ ¬ x 2 ) ∧ P ∧ T ⇒ ( x ′ 1 ∨ x ′ 2 ) ∧ ( ¬ x ′ 1 ∨ ¬ x ′ 2 )

Proving Invariants by Induction IC3 Bibliography Shortcoming of Relative Induction 010 100 000 110 011 101 001 111 ( x 1 ∨ x 2 ) and ( ¬ x 1 ∨ ¬ x 2 )are mutually inductive

Proving Invariants by Induction IC3 Bibliography Outline Proving Invariants by Induction 1 Induction for Transition Systems Strengthening Relative Induction IC3 2 Basic Algorithm Examples Efficiency

Proving Invariants by Induction IC3 Bibliography What Does IC3 Stand for? Incremental Construction of Inductive Clauses for Indubitable Correctness

Proving Invariants by Induction IC3 Bibliography Basic Tenets Approximate reachability assumptions F i : contains at least all the states reachable in i steps or less If S | = P , F i eventually becomes inductive for some i Approximation is desirable: IC3 does not attempt to get the most precise F i ’s Stepwise relative induction Learn useful facts via induction relative to reachability assumptions Clausal representation Learn clauses from CTIs A form of abstract interpretation

Proving Invariants by Induction IC3 Bibliography IC3 Invariants The four main invariants of IC3. I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1 Established if there are no counterexamples of length 0 or 1 The implicit invariant of the outer loop: no counterexamples of length k .

Proving Invariants by Induction IC3 Bibliography Pseudo-Pseudocode bool IC3 { if ( I �⇒ P or I ∧ T �⇒ P ′ ) return ⊥ ; F 0 = I ; F 1 = P ; k = 1 repeat { while (there are CTIs in F k ) { either find a counterexample and return ⊥ or refine F 1 , . . . , F k } k ++; set F k = P and propagate clauses if ( F i = F i +1 for some 0 < i < k ) return ⊤ } }

Proving Invariants by Induction IC3 Bibliography Passing Property No counterexamples of length 0 or 1 I = ¬ x 1 ∧ ¬ x 2 00 01 11 10 P = ¬ x 1 ∨ x 2 I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1

Proving Invariants by Induction IC3 Bibliography Passing Property Does F 1 ∧ T ⇒ P ′ ? F 0 = I = ¬ x 1 ∧ ¬ x 2 00 01 11 10 F 1 = P = ¬ x 1 ∨ x 2 I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1

Proving Invariants by Induction IC3 Bibliography Passing Property Found CTI s = x 1 ∧ x 2 F 0 = I = ¬ x 1 ∧ ¬ x 2 00 01 11 10 F 1 = P = ¬ x 1 ∨ x 2 I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1

Proving Invariants by Induction IC3 Bibliography Passing Property Is ¬ s inductive relative to F 1 ? F 0 = I = ¬ x 1 ∧ ¬ x 2 00 01 11 10 F 1 = P = ¬ x 1 ∨ x 2 I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1

Proving Invariants by Induction IC3 Bibliography Passing Property No. Is ¬ s inductive relative to F 0 ? F 0 = I = ¬ x 1 ∧ ¬ x 2 00 01 11 10 F 1 = P = ¬ x 1 ∨ x 2 I ⇒ F 0 F i ⇒ F i +1 0 ≤ i < k F i ⇒ P 0 ≤ i ≤ k F i ∧ T ⇒ F ′ 0 ≤ i < k i +1