P3 : Parallelly Performed PDR P3 Matteo Marescotti 1 , Arie - - PowerPoint PPT Presentation

P3 P3: Parallelly Performed PDR

Matteo Marescotti1, Arie Gurfinkel2 Antti E. J. Hyvärinen1, and Natasha Sharygina1

PCR@CADE2017

1 Università della Svizzera italiana, Switzerland 2 University of Waterloo, Canada

Verification Use Case

Matteo Marescotti P3: Parallelly Performed PDR 2

Source code repository

Model Checker

SAT/SMT Solver

Safety Problem

• Program expressed as a transition system over a set of variables:
• Initial states predicate:
• Error states predicate:

Matteo Marescotti P3: Parallelly Performed PDR 3

Tr(X, X0) Init(X) Bad(X) hInit, Tr, Badi ! {Reachable, Unreachable}

Proof for the result

Matteo Marescotti P3: Parallelly Performed PDR 4

Reachable

Tr Init Bad exists n ∈ N such that: Init(X[0]) ∧

n−1

^

i=0

Tr(X[i], X[i+1]) ∧ Bad(X[n])

Inv

Proof for the result

Matteo Marescotti P3: Parallelly Performed PDR 5

Init Bad

Unreachable

Init = ⇒ Inv Inv = ⇒ ¬Bad Inv ∧ Tr = ⇒ Inv0

Linear Constrained Horn Clauses

A linear CHC is a First Order Logic formula in the following form A set of CHC is satisfiable if and only if: ∃ an interpretation of the predicates that validates all the clauses

Matteo Marescotti P3: Parallelly Performed PDR 6

∀X · (φ ∧ p(X) = ⇒ h(X))

Program encoding

Matteo Marescotti P3: Parallelly Performed PDR 7

         n n Init Tr Bad

• 1. int x = 1, y = 0
• 2. while (*):

x = x + y; y = y + 1

• 3. assert(x ≥ y)

The program is safe if the error predicate is always false

P0. P1(x, y) ⇐ = P0, x = 1, y = 0. P1(x0, y0) ⇐ = P1(x, y), x0 = x + y, y0 = y + 1. Perr ⇐ = P1(x, y), x < y ⊥ ⇐ = Perr

[Gurfinkel et al. CAV15, Gurfinkel et al. FMCAD15]

Parallelize the work

• Portfolio:
• Different PDR strategies in parallel
• SMT solver random seed
• Exchanging reachability lemmas
• Partitioning:
• The problem is partitioned into sub-problems such that:
• problem is UNSAFE:

exists a sub-problem UNSAFE

• problem is SAFE:

all sub-problems are SAFE

• P3: The combination of the two above

Matteo Marescotti P3: Parallelly Performed PDR 8

[Marescotti et al. FMCAD17]

PDR Strategies Portfolios

A PDR strategy defines which enabled operation to apply at every step

Matteo Marescotti P3: Parallelly Performed PDR 9

• …
• Unfold
• Unfold
• Candidate
• Predecessor
• …
• …
• Candidate
• Blocking
• Inductive
• Unfold
• …
• …
• Unfold
• Candidate
• Blocking
• Unfold
• …

hF 1

1 , F 1 2 , . . . , F 1 ni

hF 2

1 , F 2 2 , . . . , F 2 mi

hF 3

1 , F 3 2 , . . . , F 3 l i

Inductive relative lemmas

Non-inductive invariants when conjoined may become inductive

Matteo Marescotti P3: Parallelly Performed PDR 10

• 1. int x = 1, y = 0
• 2. while (*):

x = x + y; y = y + 1

• 3. assert(x ≥ y)

x y ^ Tr 6 = ) x0 y0 x > 0 ∧ x ≥ y ∧ Tr = ⇒ x0 ≥ y0 x > 0 ^ Tr 6 = ) x0 > 0 x > 0 ^ x y ^ Tr 6 = ) x0 > 0 y ≥ 0 ∧ x > 0 ∧ x ≥ y ∧ Tr = ⇒ x0 > 0

Sharing k-invariants

• A k-invariant is invariant in the first k transition steps
• An invariant is also k-invariant for all k
• Invariants sharing for refining different abstractions
• 3 Lemma sharing modes:
• k-invariants
• ∞-invariants
• *-invariant

Matteo Marescotti P3: Parallelly Performed PDR 11

Matteo Marescotti P3: Parallelly Performed PDR 12

PDR Partitioning

[Marescotti et. al. FMCAD 2017]

Bad

Pre-image of Bad Bad1 Bad2 Bad3

≡ Init hInit, Tr, Bad1i hInit, Tr, Bad2i hInit, Tr, Bad3i hInit, Tr, Badi

Tr

Experiments

Matteo Marescotti P3: Parallelly Performed PDR 13

SMTService:

• Client-Server arch.

designed for distributed environments

• Partitioning
• Lemma Sharing
• Graphical User

Interface [SMT2017]

Experiments

Matteo Marescotti P3: Parallelly Performed PDR 14

Technique less500 more500 #reachable #unreachable #unknown #reachable #unreachable #unknown Spacer(GPDR) 63 175 13 8 317 Spacer(IC3) 64 155 32 2 9 314 Spacer(DEF) 64 155 32 2 13 310 portfolio 66 185 8 40 277 ∞-invariants 66 185 7 49 269 k-invariants 66 182 3 7 90 228 ∗-invariants 66 185 7 90 228 partitioning 66 176 9 10 34 281 partitioning+∞-invariants 66 183 2 11 49 265 partitioning+k-invariants 66 182 3 11 115 199 partitioning+∗-invariants 66 185 16 98 211

• 562 (1802) SV-COMP 2016 LDV Benchmarks, 60 CPUs

Experiments

100 200 300 400 500 600 700 800 900 1000 20 40 60 80 100 120 140 160 runtime (sec.) # solved instances (out of 325)

Matteo Marescotti P3: Parallelly Performed PDR 15

100 200 300 400 500 600 700 800 900 1000 210 215 220 225 230 235 240 245 250 runtime (sec.) # solved instances (out of 251) Spacer(GPDR) Spacer(IC3) Spacer(DEF) portfolio partitioning ∞-invariants partitioning+∞-invariants k-invariants partitioning+k-invariants ∗-invariants partitioning+∗-invariants virtual best

more500 (left, 27×) less500 (right, 59×)

Experiments

Complementary techniques

Matteo Marescotti P3: Parallelly Performed PDR 16

1 10 100 1000 1 10 100 1000 t/o partitioning+∞-invariants pure portfolio+∞-invariants

Parallel technique less500 more500 time #lemmas time #lemmas portfolio + ∞-invariants 0.35% 141 0.41% 670 k-invariants 1.24% 252 1.00% 347 ∗-invariants 1.55% 243 0.83% 348 partitioning + ∞-invariants 1.46% 170 0.87% 403 k-invariants 3.51% 140 4.55% 238 ∗-invariants 3.27% 221 4.45% 320

Lemma sharing numbers

Graphical User Interface

Support for visualization

• f Divide and Conquer

and Portfolio combined for SAT/SMT and PDR solving supported by SMTS

Matteo Marescotti P3: Parallelly Performed PDR 17

Future work

• PDR frame lemmas analysis
• Reproducibility
• Any suggestions?

Matteo Marescotti P3: Parallelly Performed PDR 18

Thank you

SMTS public repository:

$ git clone https://scm.ti-edu.ch/repogit/smts.git