1 / 23

Automated Extraction of Inductive Invariants to Aid Model Checking

Automated Extraction of Inductive Invariants to Aid Model Checking. Michael L. Case, Alan Mishchenko, and Robert K. Brayton University of California, Berkeley FMCAD 2007. Design w/ Safety Property. Additional Design Information. Motivation. Design w/ Safety Property.

silver
Download Presentation

Automated Extraction of Inductive Invariants to Aid Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Extraction of Inductive Invariants to Aid Model Checking Michael L. Case, Alan Mishchenko, and Robert K. Brayton University of California, Berkeley FMCAD 2007

  2. Design w/Safety Property Additional DesignInformation Motivation Design w/Safety Property • What kind of information will help verification? • How do we know when we’ve given enough information? • Is the additional information easily verifiable? Verification Time Mike Case, FMCAD 2007

  3. Abstract • Present a framework to automatically find/prove this extra design information • Local properties (Inductive Invariants) • Only considered if they help the verification • Limited in number, easy to prove correct • Verifying safety properties in a gate-level hardware design • Interpolation used as a case study Mike Case, FMCAD 2007

  4. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  5. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  6. I Approximating the Reachable States • Prove inductive invariants • (local properties that hold  reachable states) • Conjunction gives reachability approximation Mike Case, FMCAD 2007

  7. Quickly Proving Local Properties • Our previous work • Derive a large set of candidate invariants (implications) • Proved in a van Eijk-style induction • Tries to prove as many properties as possible • Do we need to prove all properties? • Are some better than others? • Tight reachability approx. or just “good enough”? Mike Case, FMCAD 2007

  8. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  9. 2 Image 1 Image B B I I S Image 2 Image 1 The Interpolation Algorithm Initialize approximation parameters Reachability: Tighten approximation parameters frontier := initial states Bad state reached? yes Interpolation: no frontier += approxImage(frontier) Cex reached directly from the initial state? no Fixed Point? no yes Property Falsified yes Property Verified Mike Case, FMCAD 2007

  10. Problems With Interpolation • Can explore unreachable states • No control over the approximate image • Often can’t decide if an encountered bad state is reachable • Requires frequent restarts • Refining the approximation parameters and restarting is the most expensive operation • Discards all prior work Mike Case, FMCAD 2007

  11. Image Image B I S Enhancing Interpolation • Possible to avoid the model refinement • Show either S or B unreachable •  Invariants that are violated in either S or B • Suppose we had a tool to find invariants to do this • Adding the invariants to our satisfiability solver would prevent S or B from being explored 2 1 Mike Case, FMCAD 2007

  12. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  13. Targetted Invariant Tool • Given a state S that we want to prove unreachable • Find {P} such that • Implies that S is unreachable • Can be proved with simple (one-step) induction Mike Case, FMCAD 2007

  14. Initialize approximation parameters Tighten approximation parameters no frontier := initial states Can we find invariants? yes Bad state reached? yes no frontier += approxImage(frontier) Cex reached directly from the initial state? no Fixed Point? no yes Property Falsified yes Property Verified Mike Case, FMCAD 2007

  15. Proving A State Unreachable • Previous work proves a large set of states unreachable • Proves many small properties • Can we limit the invariants to target states of interest? Mike Case, FMCAD 2007

  16. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  17. S S { { P P } } The Proof Graph • Every property in the set is violated in S • Proving any such property implies that S is unreachable • {P} are how we will prove S unreachable (a set of properties) (a state) (a set of properties) (a state) • S is the reason the inductive proof of the properties does not succeed • S is the counterexample in the simple induction proof • Proving S unreachable is a necessary condition for proving any property in the set • S is why we can’t prove {P} Mike Case, FMCAD 2007

  18. S 0 { P } { P } { P } 0 0 0 1 3 S S 2 3 { P } { P } 2 3 S 1 { P } 1 Proof Graph Example • Input S0 • Find properties violated in S0 • Prove {P0} • Cover the new states with properties • Prove {P3} • Prove {P03} 2 Mike Case, FMCAD 2007

  19. Outline • Forming a reachability approximation • Brief introduction to Interpolation • Tailoring reachable approximation for a target application • Helping interpolation • Proof graph formulation • Experimental results Mike Case, FMCAD 2007

  20. Experimental Results • ABC logic synthesis system used as software base • Extended through two C++ plugin libraries: • Interpolation • Proof graph formulation (this work) • User can select to use interpolation alone or interpolation + proof graph • Refuting error traces is an option • Tested on extensively on both academic and industrial benchmarks Mike Case, FMCAD 2007

  21. “Hard” Academic Benchmarks • Verified 154 academic benchmarks (TIP suite) • 18 timeout in 2 hours with standard interpolation • 9 of these are “easy” when the proof graph refutes counterexample traces • Why are there no false properties here? Mike Case, FMCAD 2007

  22. “Hard” Industrial Benchmarks • 43 industrial benchmarks • Sequential Equivalence Checking benchmarks • 1800 second timeout • Problems “hard” for standard interpolation • Enabling proof graph dramatically helps runtime 1800 1800 Mike Case, FMCAD 2007

  23. Summary • Motivated need for a tool to show that a selected state is unreachable • Constructed such a tool using the proof graph formulation • Applied the tool to help interpolation • Demonstrated the effectiveness on a variety of benchmarks • Thank you. Mike Case, FMCAD 2007

More Related