
  1. P3: Parallelly Performed PDR
     Matteo Marescotti (1), Arie Gurfinkel (2), Antti E. J. Hyvärinen (1), and Natasha Sharygina (1)
     (1) Università della Svizzera italiana, Switzerland
     (2) University of Waterloo, Canada
     PCR@CADE2017

  2. Verification Use Case
     (diagram) Source code repository, Model Checker, SAT/SMT Solver
     (slide footer: Matteo Marescotti, P3: Parallelly Performed PDR)

  3. Safety Problem
     • Program expressed as a transition system over a set of variables: $Tr(X, X')$
     • Initial states predicate: $Init(X)$
     • Error states predicate: $Bad(X)$
     $\langle Init, Tr, Bad \rangle \to \{\mathrm{Reachable}, \mathrm{Unreachable}\}$

  4. Proof for the result Reachable
     (diagram: a path through $Tr$ leading from $Init$ to $Bad$)
     There exists $n \in \mathbb{N}$ such that:
     $$Init(X^{[0]}) \wedge \bigwedge_{i=0}^{n-1} Tr(X^{[i]}, X^{[i+1]}) \wedge Bad(X^{[n]})$$

  5. Proof for the result Unreachable
     (diagram: $Inv$ contains $Init$ and is disjoint from $Bad$)
     $Init \Rightarrow Inv$
     $Inv \Rightarrow \neg Bad$
     $Inv \wedge Tr \Rightarrow Inv'$

  6. Linear Constrained Horn Clauses
     A linear CHC is a First Order Logic formula of the following form:
     $\forall X \cdot (\varphi \wedge p(X) \Rightarrow h(X))$
     A set of CHCs is satisfiable if and only if there exists an interpretation of the predicates that validates all the clauses.

  7. Program encoding [Gurfinkel et al. CAV15, Gurfinkel et al. FMCAD15]
     Program:
       1. int x = 1, y = 0
       2. while (*): x = x + y; y = y + 1
       3. assert(x ≥ y)
     Clauses:
       Init:  $P_1(x, y) \Leftarrow P_0,\ x = 1,\ y = 0$
       Tr:    $P_1(x', y') \Leftarrow P_1(x, y),\ x' = x + y,\ y' = y + 1$
       Bad:   $P_{err} \Leftarrow P_1(x, y),\ x < y$
              $\bot \Leftarrow P_{err}$
     The program is safe if the error predicate is always false.

  8. Parallelize the work [Marescotti et al. FMCAD17]
     • Portfolio:
       • Different PDR strategies in parallel
       • SMT solver random seed
       • Exchanging reachability lemmas
     • Partitioning:
       • The problem is partitioned into sub-problems such that:
         • problem is UNSAFE: there exists a sub-problem that is UNSAFE
         • problem is SAFE: all sub-problems are SAFE
     • P3: The combination of the two above

  9. PDR Strategies Portfolios
     A PDR strategy defines which enabled operation to apply at every step.
     (diagram: three parallel strategies, each an interleaved sequence of operations drawn from Unfold, Candidate, Blocking, Inductive and Predecessor, producing the frame sequences $\langle F^1_1, F^1_2, \ldots, F^1_n \rangle$, $\langle F^2_1, F^2_2, \ldots, F^2_m \rangle$, $\langle F^3_1, F^3_2, \ldots, F^3_l \rangle$)

  10. Inductive relative lemmas
      Non-inductive invariants, when conjoined, may become inductive.
      Program:
        1. int x = 1, y = 0
        2. while (*): x = x + y; y = y + 1
        3. assert(x ≥ y)
      $x \ge y \wedge Tr \nRightarrow x' \ge y'$
      $x > 0 \wedge Tr \nRightarrow x' > 0$
      $x > 0 \wedge x \ge y \wedge Tr \Rightarrow x' \ge y'$
      $x > 0 \wedge x \ge y \wedge Tr \nRightarrow x' > 0$
      $y \ge 0 \wedge x > 0 \wedge x \ge y \wedge Tr \Rightarrow x' > 0$
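An added worked example (written for this page, not code from the slides or from the SMTS project): the relative-inductiveness claims of slide 10, checked for the program of slide 7 together with the three proof obligations of slide 5. Instead of an SMT solver it uses exhaustive search over a bounded window of integer states; the window bound is an assumption of the example. A counterexample found inside the window is a genuine one, while the absence of a counterexample is only evidence for the unbounded program, not the proof a PDR engine obtains symbolically.

```python
# Added example, not from the slides.  Checks the slide-10 lemmas for the
# program of slide 7 by exhaustive search over a constructed window
# -BOUND <= x, y <= BOUND.  A counterexample in the window is real; "none
# in the window" is not a proof for the unbounded program.

# Program (slide 7): int x = 1, y = 0; while (*): x = x + y; y = y + 1; assert(x >= y)

def init(x, y):
    """Init(X): the state after line 1."""
    return x == 1 and y == 0

def tr(x, y):
    """Tr(X, X'): the loop body as a successor function, returns (x', y')."""
    return x + y, y + 1

def bad(x, y):
    """Bad(X): the assertion x >= y is violated."""
    return x < y

# The three lemmas that appear on slide 10.
def x_ge_y(x, y):
    return x >= y

def x_pos(x, y):
    return x > 0

def y_nonneg(x, y):
    return y >= 0

def true(x, y):
    return True

def conj(*preds):
    """Conjunction of predicates over (x, y)."""
    return lambda x, y: all(p(x, y) for p in preds)

def window(bound):
    """All states with -bound <= x, y <= bound (constructed search window)."""
    return [(x, y) for x in range(-bound, bound + 1) for y in range(-bound, bound + 1)]

def relative_counterexample(lemma, context=true, bound=20):
    """Search for a state s with context(s) /\ lemma(s) /\ not lemma(Tr(s)),
    i.e. a witness that `lemma` is NOT inductive relative to `context`.
    context=true checks plain inductiveness.  Returns the state or None."""
    for x, y in window(bound):
        if context(x, y) and lemma(x, y) and not lemma(*tr(x, y)):
            return (x, y)
    return None

def safety_proof_obligations(inv, bound=20):
    """The three obligations of slide 5 for a candidate invariant Inv.
    Maps each obligation to a counterexample state in the window, or None."""
    states = window(bound)
    return {
        "Init => Inv": next(((x, y) for x, y in states if init(x, y) and not inv(x, y)), None),
        "Inv => not Bad": next(((x, y) for x, y in states if inv(x, y) and bad(x, y)), None),
        "Inv /\\ Tr => Inv'": relative_counterexample(inv, bound=bound),
    }

# The conjunction from the last line of slide 10: every conjunct is preserved by Tr.
SAFE_INV = conj(y_nonneg, x_pos, x_ge_y)

if __name__ == "__main__":
    claims = [
        ("x >= y /\\ Tr => x' >= y'", relative_counterexample(x_ge_y)),
        ("x > 0 /\\ Tr => x' > 0", relative_counterexample(x_pos)),
        ("x > 0 /\\ x >= y /\\ Tr => x' >= y'", relative_counterexample(x_ge_y, context=x_pos)),
        ("x > 0 /\\ x >= y /\\ Tr => x' > 0", relative_counterexample(x_pos, context=x_ge_y)),
        ("y >= 0 /\\ x > 0 /\\ x >= y /\\ Tr => x' > 0",
         relative_counterexample(x_pos, context=conj(y_nonneg, x_ge_y))),
    ]
    for text, cex in claims:
        status = "holds in window" if cex is None else "fails at (x, y) = %s" % (cex,)
        print("%-48s %s" % (text, status))
    print("obligations for y >= 0 /\\ x > 0 /\\ x >= y:", safety_proof_obligations(SAFE_INV))
```

The two lemmas the slide marks as non-inductive on their own each have a counterexample in the window (for instance negative values of y break x > 0 after one step), while x ≥ y becomes inductive once x > 0 is in the context, and the full conjunction y ≥ 0 ∧ x > 0 ∧ x ≥ y discharges all three obligations.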

  11. Sharing k-invariants
      • A k-invariant is invariant in the first k transition steps
      • An invariant is also a k-invariant for all k
      • Invariants sharing for refining different abstractions
      • 3 lemma sharing modes:
        • k-invariants
        • ∞-invariants
        • *-invariants

  12. PDR Partitioning [Marescotti et al. FMCAD 2017]
      $\langle Init, Tr, Bad \rangle \equiv \langle Init, Tr, Bad_1 \rangle,\ \langle Init, Tr, Bad_2 \rangle,\ \langle Init, Tr, Bad_3 \rangle$
      (diagram: $Init$, $Tr$ and $Bad$, with $Bad$ split into $Bad_1$, $Bad_2$, $Bad_3$ over the pre-image of $Bad$)
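An added worked example (written for this page, not code from the slides or from SMTS) for the partitioning rule of slides 8 and 12 and the k-invariants of slide 11. It runs explicit-state reachability on a finite variant of the slide-7 program: taking x and y modulo 16 is an assumption made here so that the reachable set is finite and the combination rule can be shown with both a SAFE and an UNSAFE sub-problem; the split of Bad into Bad_1 and Bad_2 is likewise constructed.

```python
from collections import deque

# Added example, not from the slides.  Finite variant of the slide-7 program
# (x, y taken mod 16, a constructed choice) explored by breadth-first search.

MOD = 16
INIT = [(1, 0)]                       # Init: x = 1, y = 0

def tr(state):
    """Tr: successors of a state (loop body x = x + y; y = y + 1, mod 16)."""
    x, y = state
    return [((x + y) % MOD, (y + 1) % MOD)]

def bad(state):
    """Bad: the assertion x >= y fails."""
    x, y = state
    return x < y

# A constructed partition with Bad_1 \/ Bad_2 == Bad, as on slide 12.
def bad_1(state):
    return bad(state) and state[1] < 4

def bad_2(state):
    return bad(state) and state[1] >= 4

def explore(init, tr, max_depth=None):
    """Breadth-first search from Init.  Returns {state: (depth, predecessor)}.
    With max_depth=k only states reachable within k transitions are visited."""
    seen = {s: (0, None) for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        depth = seen[s][0]
        if max_depth is not None and depth >= max_depth:
            continue
        for t in tr(s):
            if t not in seen:
                seen[t] = (depth + 1, s)
                queue.append(t)
    return seen

def trace_to(state, seen):
    """Reconstruct the Init ... Bad path of slide 4 from BFS predecessors."""
    path = []
    while state is not None:
        path.append(state)
        state = seen[state][1]
    return path[::-1]

def check(init, tr, bad):
    """<Init, Tr, Bad> -> ('Reachable', trace) or ('Unreachable', reachable set).
    The reachable set is the strongest invariant, so it is the proof of slide 5."""
    seen = explore(init, tr)
    for s in sorted(seen, key=lambda s: seen[s][0]):   # shortest trace first
        if bad(s):
            return ("Reachable", trace_to(s, seen))
    return ("Unreachable", frozenset(seen))

def check_partitioned(init, tr, bads):
    """Slide 8: solve one sub-problem <Init, Tr, Bad_i> per partition and combine:
    Reachable as soon as one sub-problem is, Unreachable only if all are."""
    results = [check(init, tr, b) for b in bads]
    for verdict, witness in results:
        if verdict == "Reachable":
            return ("Reachable", witness)
    return ("Unreachable", frozenset().union(*(w for _, w in results)))

def is_k_invariant(pred, init, tr, k):
    """Slide 11: pred holds in every state reachable within k transition steps."""
    return all(pred(s) for s in explore(init, tr, max_depth=k))

def is_invariant(pred, init, tr):
    """pred holds in every reachable state, hence is a k-invariant for every k."""
    return all(pred(s) for s in explore(init, tr))

if __name__ == "__main__":
    verdict, trace = check(INIT, tr, bad)
    print(verdict, "after", len(trace) - 1, "steps:", trace)
    print("Bad_1 alone:", check(INIT, tr, bad_1)[0], "; Bad_2 alone:", check(INIT, tr, bad_2)[0])
    print("partitioned verdict:", check_partitioned(INIT, tr, [bad_1, bad_2])[0])
    for k in (5, 6):
        print("x >= y is a %d-invariant:" % k, is_k_invariant(lambda s: s[0] >= s[1], INIT, tr, k))
    print("(x, y) != (0, 0) is an invariant:", is_invariant(lambda s: s != (0, 0), INIT, tr))
```

In this finite variant the assertion is violated after six iterations, so the sub-problem for Bad_2 is UNSAFE and decides the whole problem, whereas the Bad_1 sub-problem is SAFE on its own. The predicate x ≥ y is a 5-invariant but not a 6-invariant, which is exactly the kind of lemma that may be shared with a bound attached but not as an ∞-invariant.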

  13. Experiments
      SMTService:
      • Client-Server architecture designed for distributed environments
      • Partitioning
      • Lemma Sharing
      • Graphical User Interface [SMT2017]

  14. Experiments
      • 562 (1802) SV-COMP 2016 LDV Benchmarks, 60 CPUs

      Technique                   | less500: #reachable #unreachable #unknown | more500: #reachable #unreachable #unknown
      Spacer (GPDR)               |              63         175        13      |               0           8        317
      Spacer (IC3)                |              64         155        32      |               2           9        314
      Spacer (DEF)                |              64         155        32      |               2          13        310
      portfolio                   |              66         185         0      |               8          40        277
      ∞-invariants                |              66         185         0      |               7          49        269
      k-invariants                |              66         182         3      |               7          90        228
      ∗-invariants                |              66         185         0      |               7          90        228
      partitioning                |              66         176         9      |              10          34        281
      partitioning+∞-invariants   |              66         183         2      |              11          49        265
      partitioning+k-invariants   |              66         182         3      |              11         115        199
      partitioning+∗-invariants   |              66         185         0      |              16          98        211

  15. Experiments
      (plots: runtime in seconds, 0 to 1000, against number of solved instances; more500 (left, 27×) and less500 (right, 59×); x axes "# solved instances (out of 251)" with ticks 210 to 250 and "# solved instances (out of 325)" with ticks 0 to 160; series: Spacer(GPDR), Spacer(IC3), Spacer(DEF), portfolio, partitioning, ∞-invariants, partitioning+∞-invariants, k-invariants, partitioning+k-invariants, ∗-invariants, partitioning+∗-invariants, virtual best)

  16. Experiments
      Complementary techniques
      (scatter plot: runtime of partitioning+∞-invariants (y axis) against pure portfolio+∞-invariants (x axis), log scale 1 to 1000 seconds, with t/o marks)

      Lemma sharing numbers
      Parallel technique          | less500: time   #lemmas | more500: time   #lemmas
      portfolio + ∞-invariants    |          0.35%    141   |          0.41%    670
      portfolio + k-invariants    |          1.24%    252   |          1.00%    347
      portfolio + ∗-invariants    |          1.55%    243   |          0.83%    348
      partitioning + ∞-invariants |          1.46%    170   |          0.87%    403
      partitioning + k-invariants |          3.51%    140   |          4.55%    238
      partitioning + ∗-invariants |          3.27%    221   |          4.45%    320

  17. Graphical User Interface
      Support for visualization of Divide and Conquer and Portfolio combined, for SAT/SMT and PDR solving, supported by SMTS.

  18. Future work
      • PDR frame lemmas analysis
      • Reproducibility
      • Any suggestions?
      Thank you
      SMTS public repository: $ git clone https://scm.ti-edu.ch/repogit/smts.git
