1 / 25

Automated Extraction of Inductive Invariants to Aid Model Checking

Automated Extraction of Inductive Invariants to Aid Model Checking. Michael L. Case, Alan Mishchenko, and Robert K. Brayton EECS Department, UC Berkeley IWLS 2006, May 31, 2007. Motivation. Formal verification can be greatly helped by external knowledge about the design

tiara
Download Presentation

Automated Extraction of Inductive Invariants to Aid Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Extraction of Inductive Invariants to Aid Model Checking Michael L. Case, Alan Mishchenko, and Robert K. Brayton EECS Department, UC Berkeley IWLS 2006, May 31, 2007

  2. Motivation • Formal verification can be greatly helped by external knowledge about the design • Internal signal equivalences, unreachable states, etc • Reduction in problem size • Identifying this extra information is non-trivial • Which extra data will help the verification problem? • Are some hints extraneous? • How do we know when we have enough? • Propose a way to automatically find extra information • Inductive invariants are identified and proved automatically • Limited in number and applied only where they are needed • Focus on speeding up interpolation Mike Case, IWLS 2007

  3. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  4. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  5. I Approximating the Reachable States • Prove local properties hold  reachable states • Conjunction gives reachability approximation Mike Case, IWLS 2007

  6. Quickly Proving Local Properties • Our previous work • Derive a large set of candidate properties (implications) • Proved in a van Eijk-style induction • Tries to prove as many candidate properties as possible • Do we need to prove all candidate properties? • Are some better than others? • Tight reachability approx. or just “good enough”? Mike Case, IWLS 2007

  7. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  8. 2 Image 1 Image B B I I S Image 2 Image 1 The Interpolation Algorithm Initialize approximation parameters Reachability: Tighten approximation parameters frontier := initial states Bad state reached? yes Interpolation: no frontier += approxImage(frontier) Cex reached directly from the initial state? no Fixed Point? no yes Property Falsified yes Property Verified Mike Case, IWLS 2007

  9. Problems With Interpolation • Can explore unreachable states • No control over the approximate image • Often can’t decide if an encountered bad state is reachable • Requires frequent restarts • Refining the approximation parameters and restarting is the most expensive operation • Discards all prior work Mike Case, IWLS 2007

  10. Image Image B I S Enhancing Interpolation • Possible to avoid the model refinement • Show either S or B unreachable • Suppose we had a tool to find invariants to do this • Adding the invariants to our satisfiability solver would prevent S or B from being explored 2 1 Mike Case, IWLS 2007

  11. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  12. Targetted Invariant Tool • Given a state S that we want to prove unreachable • Find {P} such that • Implies that S is unreachable • Can be proved with simple induction Mike Case, IWLS 2007

  13. Initialize approximation parameters Tighten approximation parameters no frontier := initial states Can we find invariants? yes Bad state reached? yes no frontier += approxImage(frontier) Cex reached directly from the initial state? no Fixed Point? no yes Property Falsified yes Property Verified Mike Case, IWLS 2007

  14. Proving A State Unreachable • Previous work proves a large set of states unreachable • Proves many small properties • Can we limit the properties to target states of interest? Mike Case, IWLS 2007

  15. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  16. S S { { P P } } The Proof Graph • Every property in the set is violated in S • Proving any such property implies that S is unreachable • {P} are how we will prove S unreachable (a set of properties) (a state) (a set of properties) (a state) • S is the reason the inductive proof of the properties does not succeed • S is the counterexample in the simple induction proof • Proving S unreachable is a necessary condition for proving any property in the set • S is why we can’t prove {P} Mike Case, IWLS 2007

  17. S 0 { P } { P } { P } 0 0 0 1 3 S S 2 3 { P } { P } 2 3 S 1 { P } 1 Proof Graph Example • Input S0 • Find properties violated in S0 • Prove {P0} • Cover the new states with properties • Prove {P3} • Prove {P03} 2 Mike Case, IWLS 2007

  18. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, IWLS 2007

  19. Experimental Results • ABC logic synthesis system used as software base • Extended through two C++ plugin libraries: • Interpolation • Proof graph formulation (this work) • User can select to use interpolation alone or interpolation + proof graph • Refuting error traces is an option • Tested on extensively on both academic and industrial benchmarks Mike Case, IWLS 2007

  20. “Hard” Academic Benchmarks • Verified 154 academic benchmarks (TIP suite) • 18 timeout in 2 hours with standard interpolation • 9 of these are “easy” when the proof graph refutes counterexample traces Mike Case, IWLS 2007

  21. “Hard” Industrial Benchmarks • 43 industrial benchmarks • Sequential Equivalence Checking benchmarks • 1800 second timeout • Problems “hard” for standard interpolation • Enabling proof graph dramatically helps runtime 1800 1800 Mike Case, IWLS 2007

  22. Summary • Motivated need for a tool to show that a selected state is unreachable • Constructed such a tool using the proof graph formulation • Applied the tool to help interpolation • Demonstrated the effectiveness on a variety of benchmarks • Thank you. Mike Case, IWLS 2007

  23. Backup Material Mike Case, IWLS 2007

  24. Proof Graph Notes • Proof of a property set implies that all parent states are unreachable • Proof attempt on leaves only • Leaves can be proved independently • Select shallowest leaf for next proof • Cycles can develop • Require more complex handling • See paper Mike Case, IWLS 2007

  25. S 0 { P } 0 S 1 { P } È { P } = { P } { P } 1 2 0 1 Special Case: Cycles • If a cycle develops… • Cannot prove either property set independently • If either S0 or S1 is reachable, the proof will not succeed • Might be able to prove them together • Proof can succeed if we simultaneously prove S0 and S1 unreachable • Successful proof implies both states unreachable Mike Case, IWLS 2007

More Related