IC3 Software Model Checking on Control Flow Automata Tim Lange 1 - PowerPoint PPT Presentation

IC3 Software Model Checking on Control Flow Automata Tim Lange 1 Martin R. Neuhäußer 2 Thomas Noll 1 1 Software Modeling and Verification Group, RWTH Aachen 2 Siemens AG FMCAD 2015 at Austin, TX, USA, September 29, 2015

Introduction Outline Introduction Preliminaries Original IC3 Related Work IC3 on Control Flow Automata Conclusion 2 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

Introduction Motivation Lifting to software model checking • IC3 had a deep impact in hardware model checking • Showed much better performance than CEGAR and BMC • Nowadays employed in most major hardware model checking tools Challenges • Domain in hardware model checking finite (bit-level) • How to handle infinite state spaces? • How to encode finite control flow? 3 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

Preliminaries Outline Introduction Preliminaries Original IC3 Related Work IC3 on Control Flow Automata Conclusion 4 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝑔𝑏𝑚𝑡𝑓 Preliminaries Control Flow Automaton (CFA) A CFA 𝒝 = (𝑀, 𝐻, 𝑚 0 , 𝑚 𝐹 ) consists of a set of locations 𝑀 = {0, … , 𝑜} and edges in 𝐻 ⊆ 𝑀 × 𝑅𝐺𝐺𝑃 × 𝑀 labeled with quantifier-free first-order formulas, an initial location 𝑚 0 , and an error location 𝑚 𝐹 . Transition formula Given two locations 𝑚 1 , 𝑚 2 ∈ 𝑀 , we define the transition formula , if (𝑚 1 , 𝑢, 𝑚 2 ) ∈ 𝐻 𝑈 𝑚 1 →𝑚 2 = {(𝑞𝑑 = 𝑚 1 ) ∧ 𝑢 ∧ (𝑞𝑑 ′ = 𝑚 2 ) , otherwise. 5 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

⋁ (𝑚 1 ,𝑢,𝑚 2 )∈𝐻 𝜔 ∧ 𝜒 ∧ 𝑈 ⇒ 𝜒 ′ Preliminaries Relative Inductivity [Bra11] Given a transition formula 𝑈 = 𝑈 𝑚 1 →𝑚 2 , a formula 𝜒 is inductive relative to another formula 𝜔 if is valid. Edge-Relative Inductivity Given a CFA A and locations 𝑚 1 , 𝑚 2 ∈ 𝑀 , a formula 𝜒 is inductive edge-relative to another formula 𝜔 if 𝜔 ∧ 𝜒 ∧ 𝑈 𝑚 1 →𝑚 2 ⇒ 𝜒 ′ is valid. [Bra11] Aaron R. Bradley. “SAT-Based Model Checking without Unrolling”. In: VMCAI. 2011, pp. 70–87 6 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

2 =𝑚 2 2 Preliminaries Region [Hen+02] A region 𝑠 = (𝑚, 𝑡) is a pair consisting of location 𝑚 and formula 𝑡 . The set of corresponding formulas for 𝑠 is given as {𝜒 ∣ 𝜒 ≡ (𝑞𝑑 = 𝑚 ∧ 𝑡)} . Similarly, for ¬𝑠 corresponding formulas are defined as {𝜒 ∣ 𝜒 ≡ ¬(𝑞𝑑 = 𝑚 ∧ 𝑡)} . Edge-Relative Inductive Regions Assume two regions 𝑠 1 = (𝑚 1 , 𝑡 1 ) , ¬𝑠 2 = ¬(𝑚 2 , 𝑡 2 ) , we can reduce edge-relative inductivity of ¬𝑠 2 to 𝑠 1 to , if 𝑚 1 ̸ 𝑡 1 ∧ 𝑈 𝑚 1 →𝑚 2 ⇒ ¬𝑡 ′ , if 𝑚 1 = 𝑚 2 𝑡 1 ∧ ¬𝑡 2 ∧ 𝑈 𝑚 1 →𝑚 2 ⇒ ¬𝑡 ′ [Hen+02] Thomas A. Henzinger et al. “Lazy abstraction”. In: POPL. 2002, pp. 58–70 7 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

Original IC3 Outline Introduction Preliminaries Original IC3 Related Work IC3 on Control Flow Automata Conclusion 8 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 and the property 𝑄(𝑌) . 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 1 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 1 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 2 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 2 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 3 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝑢 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 1 = 𝐺 2 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 4 𝑏 𝑐 𝑑 𝑒 𝑣 𝐺 5 𝐺 3 𝑤 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑢 𝑥 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 𝐺 3 = 𝑄 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015

𝐺 1 = 𝐺 2 𝑓 𝐺 5 𝑥 𝑏 𝑐 𝑑 𝑒 𝑢 𝐺 3 𝐺 4 𝑣 𝐺 2 𝐺 3 𝐺 2 𝐺 1 𝐺 0 𝑄 𝑤 Original IC3 Consider the transition system ℳ = (𝑌, 𝐽, 𝑈) and the property 𝑄(𝑌) . 9 of 20 IC3 Software Model Checking on Control Flow Automata | Tim Lange | Software Modeling and Verification Group, RWTH Aachen | FMCAD 2015 at Austin, TX, USA, September 29, 2015