small inductive safe invariants alexander ivrii arie
play

Small Inductive Safe Invariants Alexander Ivrii, Arie Gurfinkel, - PowerPoint PPT Presentation

Dec 24, 2023 •200 likes •538 views

Small Inductive Safe Invariants Alexander Ivrii, Arie Gurfinkel, Anton Belov Introduction Consider a verification problem (INIT, TR, P) In the case that P holds, a Model Checker may produce a proof in terms of a safe inductive

  1. Small Inductive Safe Invariants Alexander Ivrii, Arie Gurfinkel, Anton Belov

  2. Introduction Consider a verification problem (INIT, TR, P) ● In the case that P holds, a Model Checker may produce a proof in ● terms of a safe inductive invariant A safe inductive invariant is a set of states G, satisfying: ● – G contains all the initial states P – All the transitions from G G lead back to G INIT – G is contained in the set of states where P holds

  3. Introduction Equivalently, a safe inductive invariant is a Boolean function G, ● satisfying: – INIT  G – TR  G  G' (inductive) – G  P (safe) Following IC3, a recent trend is to produce such an invariant as a ● conjunction of many simple lemmas (such as clauses) – G = C 1  …  C n A typical invariant may contain 10,000s of clauses ●

  4. Introduction Our motivation is that smaller inductive invariants are more useful: ● – They are relevant in the context of FAIR [Bradley et al. 2011] ● The cited paper introduces the problem and presents a solution – They produce better abstractions ● A state variable not in the invariant is irrelevant for correctness – They increase user comprehension – They improve regression verification In this work we minimize inductive invariants by removing clauses ● – Look for minimal (or small) subsets – “Minimal” does not mean “of minimum size” (the latter is harder)

  5. Problem Statement Following the standard (abuse of) notation for CNFs, we denote the ● conjunction of clauses as a set (and vice versa) Minimal Safe Inductive Invariants (MSIS): Given a safe inductive ● invariant {C 1 , …, C n }, find a subset {C i1 , …, C ik } of {C 1 , …, C n }, so that: – {C i1 , …, C ik } is also a safe inductive invariant – {C i1 , …, C ik } is minimal (no proper subset of {C i1 , …, C ik } is safe and inductive) We want the solution to be efficient (ideally the time to minimize a ● safe inductive invariant should be much smaller than to compute it)

  6. Why finding an MSIS is not simple Recall that in particular we need to make sure that ● – TR  C i1  …  C ik  C i1 '  …  C ik ' This query is non-monotone: each clause appears both as a premise ● and a conclusion – With fewer clauses, we need to prove less, but we can also assume less For example, it might be that: ● – {C 1 , C 2 , C 3 , C 4 } is inductive, – {C 1 , C 2 , C 3 } is not inductive, – {C 1 , C 2 } is inductive

  7. Basic MSIS algorithm First, we present the approach described in [Bradley et al. 2011] ● The main idea is to tentatively remove a clause, and then to iteratively ● tentatively remove all no longer implied clauses, until: – Either a smaller inductive invariant is obtained ● We can restrict to this smaller invariant – Or the property itself is no longer implied ● We should restore all the tentatively removed clauses Repeat for every clause ●

  8. Basic MSIS algorithm – Example Initially: {C 1 , C 2 , C 3 , C 4 , C 5 , C 6 } is a safe inductive invariant for P ● Remove C 1 : {C 2 , C 3 , C 4 , C 5 , C 6 } ● – Suppose that C 2 ' and C 4 ' are no longer implied Remove C 2 and C 4 as well (as they cannot be part of any MSIS of ● {C 2 , C 3 , C 4 , C 5 , C 6 }) : {C 3 , C 5 , C 6 } – Suppose that C 5 ' is no longer implied Remove C 5 as well : {C 3 , C 6 } ● – Suppose that C 6 and P are no longer implied It follows that C 1 cannot be removed (must be present in every MSIS ● of {C 1 , C 2 , C 3 , C 4 , C 5 , C 6 }) Restore all removed clauses ●

  9. Basic MSIS algorithm – Example Currently: ● – {C 1 , C 2 , C 3 , C 4 , C 5 , C 6 } is a safe inductive invariant for P – C 1 cannot be removed Remove C 2 : {C 1 , C 3 , C 4 , C 5 , C 6 } ● – Suppose that C 3 ' and C 6 ' are no longer implied Remove C 3 and C 6 as well : {C 1 , C 4 , C 5 } ● – Suppose that all remaining clauses and P are implied It follows that {C 1 , C 4 , C 5 } is a smaller safe inductive invariant ●

  10. Basic MSIS algorithm – Example Currently: ● – {C 1 , C 4 , C 5 } is a safe inductive invariant for P – C 1 cannot be removed Proceed with the remaining clauses in a similar fashion ●

  11. Basic MSIS algorithm Denote by MaxInductiveSubset(S, P) the procedure that computes ● the maximum inductive subset of S, aborting if it does not imply P Given a safe inductive invariant G for P, in the basic approach we ● – Iteratively ● Choose a not-yet-considered clause C in G ● Compute X = MaxInductiveSubset(G\C, P) ● If X is safe (X implies P), then replace G by X Claim: the described algorithm computes an MSIS of G ● Unfortunately, this algorithm is not efficient ● – A large number of SAT calls is required (~quadratic) – Does repeated work

  12. What can we do better? Efficiently under-approximate an MSIS ● – Find clauses that must be present in any MSIS of G Efficiently over-approximate an MSIS ● – Remove clauses that are not part of some MSIS of G Optimize the basic MSIS algorithm ● – Minimizing the amount of wasted work – Taking clause dependency into account Combine under- and over- approximations with the optimized MSIS ● algorithm

  13. Under-Approximation Given a safe inductive invariant G = {C 1 , …, C n }, we say that a clause ● C i is safe necessary if C i is present in every MSIS of G. We exploit the following observations: ● – Given a clause C in G, if (G \ C)  TR  P does not hold then C is safe necessary – Given a clause C in G and a safe necessary clause D (different from C), if (G \ C)  TR  D' does not hold then C is safe necessary The under-approximation algorithm iteratively applies the above two ● observations until fix-point The algorithm can be implemented very efficiently using an ● incremental SAT-solver

  14. Under-Approximation – Example Initially: ● – {C 1 , C 2 , C 3 , C 4 , C 5 , C 6 } is a safe inductive invariant for P – No clauses are marked as necessary Check if there is an unmarked clause without which P is not implied ● – Suppose that we find C 4 – Mark C 4 as necessary Check if there is an unmarked clause without which P is not implied ● – Suppose that we find C 5 – Mark C 5 as necessary Check if there is an unmarked clause without which P is not implied ● – Suppose that we find none

  15. Under-Approximation – Example Check if there is an unmarked clause without which C 4 ' is not implied ● – Suppose that we find C 1 – Mark C 1 as necessary Check if there is an unmarked clause without which C 4 ' is not implied ● – Suppose that we find none Check if there is an unmarked clause without which C 5 ' is not implied ● – Suppose that we find none Check if there is an unmarked clause without which C 1 ' is not implied ● – Suppose that we find none Therefore: C 1 , C 4 , C 5 belong to every MSIS of {C 1 , C 2 , C 3 , C 4 , C 5 , C 6 } ●

  16. Under-Approximation Claim: the described algorithm computes a set of clauses that must ● be present in every MSIS of G (however, it does not compute all such clauses) The algorithm makes only a linear number of SAT calls ● (even in the size of the solution) The algorithm can be further improved if some clauses are initially ● known to be necessary For IC3 proofs, the algorithm is very efficient and usually marks a ● large number of clauses

  17. Over-Approximation Given a safe inductive invariant G = {C 1 , …, C n } and two subsets A ● and B of G, we say that A inductively supports B (or equivalently that B is supported by A) if TR  A  B  B' Greedily compute a safe inductive subset of G as follows: ● – Choose any minimal subset A 1 of clauses needed to support P (and any necessary clauses, if known) – Choose any minimal subset A 2 of clauses needed to inductively support A 1 – Choose any minimal subset A 3 of clauses needed to inductively support A 2 ... – Stop when the last computed set is empty The over-approximation is the union of all the sets considered ●

  18. Over-Approximation Claim: the described algorithm computes a safe inductive subset of G ● (however, it is not guaranteed to be minimal) The algorithm makes only a linear number of MUS calls ● The quality and the run-time of the algorithm are greatly improved ● – If we compute minimal supporting sets – If we follow the presented recursive approach ● Instead of computing a global unsatisfiable core as suggested in [Bradley et al. 2011] – If we consider all the clauses of A i together, rather than 1-by-1 – If some of the clauses are initially marked as necessary

  19. Optimized MSIS algorithm An immediate optimization to the basic MSIS algorithm consists of ● – Marking necessary clauses as soon as they are discovered, and – Aborting the computation as soon as one of the necessary clauses becomes non-implied Given a safe inductive invariant G for P, in the optimized approach we ● – Keep track of necessary clauses N – Iteratively ● Choose a not-yet-considered clause C in G\N ● Compute X = MaxInductiveSubset(G\C, P  N') ● If X is safe, then replace G by X ● Otherwise, add C to N

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Arie Gurfinkel Alexander Ivrii Safety Verification Consider a verification problem (Init, Tr,

Arie Gurfinkel Alexander Ivrii Safety Verification Consider a verification problem (Init, Tr,

Pushing to the Top FMCAD 15 Arie Gurfinkel Alexander Ivrii Safety Verification Consider a verification problem (Init, Tr, Bad) The problem is UNSAFE if and only if there exists a path from an Init-state to a Bad-state , that is Init(X 0 )

667 views • 27 slides
Hari Govind V K, Arie Gurfinkel, Yakir Vizel and Vijay Ganesh Given < Init , Tr , P >

Hari Govind V K, Arie Gurfinkel, Yakir Vizel and Vijay Ganesh Given < Init , Tr , P >

Hari Govind V K, Arie Gurfinkel, Yakir Vizel and Vijay Ganesh Given < Init , Tr , P > prove that P holds on all states reachable from Init Safety can be proven using inductive invariants Init Inv Inv & Tr Inv Inv P

316 views • 10 slides
Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1 Program Verification and Constraints Reasoning about program

422 views • 28 slides
Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman Goel, Jean-Baptiste Jeannin

Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman Goel, Jean-Baptiste Jeannin

Towards Automatic Inference of Inductive Invariants Haojun Ma , Aman Goel, Jean-Baptiste Jeannin Manos Kapritsos, Baris Kasikci, Karem A. Sakallah University of Michigan Distributed systems are subtle 1 The alternative: formal verification

390 views • 19 slides
Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh

Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh

Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh TRDDC, Pune July 20, 2018 Safe Inductive Invariants: x y x y x int x = y = 0 while (*) { x = x + 1 y = y + x } assert(y >= 0) Inductive

605 views • 43 slides
Invariants of degree 3 and torsion in the Chow group of a versal flag Alexander Merkurjev (UCLA),

Invariants of degree 3 and torsion in the Chow group of a versal flag Alexander Merkurjev (UCLA),

Invariants of degree 3 and torsion in the Chow group of a versal flag Alexander Merkurjev (UCLA), Alexander Neshitov (Steklov Institute/UOttawa), Kirill Zainoulline (UOttawa) 2014 1 / 31 Let G be a split semisimple linear algebraic group over

1.23k views • 106 slides
Practice problems Oleg Ivrii July 12, 2020 Oleg Ivrii Practice problems Exam topics The exam

Practice problems Oleg Ivrii July 12, 2020 Oleg Ivrii Practice problems Exam topics The exam

Practice problems Oleg Ivrii July 12, 2020 Oleg Ivrii Practice problems Exam topics The exam will have 6 problems, the topics are: 1 Solve an IVP or a BVP 2 Gronwalls inequality, continuation of solutions 3 ODEs with variable coefficients

640 views • 27 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Volu olunt ntee eer r Na Name me: Anne Anne M Marie arie de del l Castil Castillo lo

Volu olunt ntee eer r Na Name me: Anne Anne M Marie arie de del l Castil Castillo lo

Volu olunt ntee eer r Na Name me: Anne Anne M Marie arie de del l Castil Castillo lo Cou Count ntry ry: : Tanzan Tanzania ia Count Cou ntry ry pr projec oject: t: Small Small Bus Busines iness s Mento Men torin

389 views • 11 slides
Upsilon-invariants and Alexander polynomials of torus knots Motoo Tange University of Tsukuba

Upsilon-invariants and Alexander polynomials of torus knots Motoo Tange University of Tsukuba

Upsilon-invariants and Alexander polynomials of torus knots Motoo Tange University of Tsukuba 2016/12/20 1. Motivation and results Ozsv ath-Stipsicz-Szab o defined a concordant invariant K ( t ) (OSS14/7). Torus knots

782 views • 51 slides
On Computing Minimal Independent Support and Its Applications to Sampling and Counting Alexander

On Computing Minimal Independent Support and Its Applications to Sampling and Counting Alexander

On Computing Minimal Independent Support and Its Applications to Sampling and Counting Alexander Ivrii 1 , Sharad Malik 2 , Kuldeep S. Meel 3 , Moshe Y. Vardi 3 1 IBM Research Haifa 2 Princeton University 3 Rice University (Author names are

552 views • 25 slides
> b x 2 w 3 x 3 Neuroscience 101 CMPSCI 689 Subhransu Maji (UMASS) 3 /19 CMPSCI 689

> b x 2 w 3 x 3 Neuroscience 101 CMPSCI 689 Subhransu Maji (UMASS) 3 /19 CMPSCI 689

So far in the class Decision trees ! Inductive bias: use a combination of small number of features ! Nearest neighbor classifier ! Perceptron Inductive bias: all features are equally good Perceptrons Today ! Subhransu Maji

565 views • 7 slides
Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive definitions Inference rules in action Judgments, axioms, and rules Reasoning about inductive definitions Direct proofs Admissibility Rule induction

498 views • 25 slides
Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree :

Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree :

Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree : Set := leaf : nat -> nattree | node : nattree -> nattree -> nattree. Adds constant or function with final type Prop , Set or Type to

325 views • 14 slides
Smooth Interpolation Arie Israel Courant Institute June 18, 2012 Arie Israel (Courant

Smooth Interpolation Arie Israel Courant Institute June 18, 2012 Arie Israel (Courant

Smooth Interpolation Arie Israel Courant Institute June 18, 2012 Arie Israel (Courant Institute) Smooth Interpolation June 18, 2012 1 / 45 Contributions from Whitney (1930s) Glaeser (1950s) Brudnyi-Shvartsman (1980s-present)

1.11k views • 68 slides
Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning Sanjit A. Seshia EECS Department UC Berkeley Joint work with Susmit Jha (UTC) Dagstuhl Seminar Verified SW Working Group August 2014 July

661 views • 28 slides
Multivariate linear regression technique for computing solar irradiance estimations using the

Multivariate linear regression technique for computing solar irradiance estimations using the

Multivariate linear regression technique for computing solar irradiance estimations using the SURFRAD and ISIS networks C. T. M. Clack, A. Alexander and A. E. MacDonald Purpose The create accurate total, direct (normal and horizontal), and

640 views • 15 slides
CS-5630 / CS-6630 Visualization for Data Science Design and Evaluation of Visualizations

CS-5630 / CS-6630 Visualization for Data Science Design and Evaluation of Visualizations

CS-5630 / CS-6630 Visualization for Data Science Design and Evaluation of Visualizations Alexander Lex alex@sci.utah.edu Tasks & Design Problem-Driven vs Technique- Driven problem-driven top-down approach identify a problem encountered

1.04k views • 56 slides
Semi-Supervised Learning Tutorial Xiaojin Zhu Department of Computer Sciences University of

Semi-Supervised Learning Tutorial Xiaojin Zhu Department of Computer Sciences University of

Semi-Supervised Learning Tutorial Xiaojin Zhu Department of Computer Sciences University of Wisconsin, Madison, USA ICML 2007 Xiaojin Zhu (Univ. Wisconsin, Madison) Semi-Supervised Learning Tutorial ICML 2007 1 / 135 Outline Introduction

1.69k views • 156 slides
Lifelong Machine Learning in the Big Data Era Zhiyuan Chen and Bing Liu Department of Computer

Lifelong Machine Learning in the Big Data Era Zhiyuan Chen and Bing Liu Department of Computer

IJCAI-2015 tutorial , July 25, 2015, Buenos Aires, Argentina Lifelong Machine Learning in the Big Data Era Zhiyuan Chen and Bing Liu Department of Computer Science University of Illinois at Chicago czyuanacm@gmail.com, liub@cs.uic.edu

1.52k views • 130 slides
6/22/2018 Outline Parkinsons Disease Demographics PARKINSONS DISEASE PRIMER

6/22/2018 Outline Parkinsons Disease Demographics PARKINSONS DISEASE PRIMER

6/22/2018 Outline Parkinsons Disease Demographics PARKINSONS DISEASE PRIMER Parkinsons Disease Motor Symptoms Parkinsons Disease Progression Parkinsons Disease Pathophysiology Maya Katz, M.D. Assistant Professor of

681 views • 17 slides
Digital Pre-Distortion Derek Kozel What is Digital Pre-Distortion (DPD) A technique for

Digital Pre-Distortion Derek Kozel What is Digital Pre-Distortion (DPD) A technique for

Digital Pre-Distortion Derek Kozel What is Digital Pre-Distortion (DPD) A technique for improving the linearity of power amplifiers Ideally the output signal of a PA is the input scaled up perfectly Instead the semiconductor

319 views • 29 slides
Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R. Crandall University of New Mexico, USA How do you measure something? Interact directly T ake samples Multiple tests 2 Problem How

533 views • 26 slides
E x p l a i n i n g M a c h i n e L e a r n i n g D e c i s i o n

E x p l a i n i n g M a c h i n e L e a r n i n g D e c i s i o n

E x p l a i n i n g M a c h i n e L e a r n i n g D e c i s i o n s G r g o i r e M o n t a v o n , T U B e r l i n J o i n t w o r k w i t h : W o j c i e c h S a

802 views • 45 slides

More recommend