Understanding IC3 Aaron R. Bradley ECEE, CU Boulder & Summit - PowerPoint PPT Presentation

Understanding IC3 Aaron R. Bradley ECEE, CU Boulder & Summit Middle School Understanding IC3 – 1/55

Further Reading This presentation is based on Bradley, A. R. “Understanding IC3.” In SAT , June 2012. http://theory.stanford.edu/~arbrad Understanding IC3 – 2/55

Induction Foundation of verification for 40+ years (Floyd, Hoare) To prove that S : ( I, T ) has safety property P , prove: • Base case ( initiation ): I ⇒ P • Inductive case ( consecution ): P ∧ T ⇒ P ′ Understanding IC3 – 3/55

Understanding IC3 – 4/55

When Induction Fails We present two solutions. . . 1. Use a stronger assertion, or 2. Construct an incremental proof, using previously established invariants. – Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Method 1 = “Monolithic” Method 2 = “Incremental” Understanding IC3 – 5/55

Outline 1. Illustration of the two methods 2. SAT-based model checkers 3. Understanding IC3 as a prover 4. Understanding IC3 as a bug finder 5. Beyond IC3: Incremental, inductive verification Understanding IC3 – 6/55

Two Transition Systems x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 P : y ≥ 1 Understanding IC3 – 7/55

Induction on System 1 x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 • Initiation: x = 1 ∧ y = 1 ⇒ y ≥ 1 � �� � � �� � initial condition P • Consecution (fails): ∧ x ′ = x + 1 ∧ y ′ = y + x �⇒ y ′ ≥ 1 y ≥ 1 � �� � � �� � � �� � transition relation P P ′ Understanding IC3 – 8/55

Incremental Proof x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 Problem: y decreases if x is negative. But... ϕ 1 : x ≥ 0 • Initiation: x = 1 ∧ y = 1 ⇒ x ≥ 0 • Consecution: ∧ x ′ = x + 1 ∧ y ′ = y + x ⇒ x ′ ≥ 0 x ≥ 0 � �� � � �� � � �� � ϕ 1 ϕ ′ transition relation 1 Understanding IC3 – 9/55

Back to P x , y := 1 , 1 1 while ∗ : 2 S 1 : x , y := x + 1 , y + x 3 Consecution: ∧ x ′ = x + 1 ∧ y ′ = y + x ⇒ y ′ ≥ 1 x ≥ 0 ∧ y ≥ 1 � �� � � �� � � �� � � �� � ϕ 1 P transition relation P ′ P is inductive relative to ϕ 1 . Understanding IC3 – 10/55

Induction on System 2 x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 Induction fails for P as in System 1. Additionally, x ≥ 0 ∧ x ′ = x + y ∧ y ′ = y + x �⇒ x ′ ≥ 0 x ≥ 0 is not inductive, either. Understanding IC3 – 11/55

Monolithic Proof x , y := 1 , 1 1 while ∗ : 2 S 2 : x , y := x + y , y + x 3 Invent strengthening all at once: � P : x ≥ 0 ∧ y ≥ 1 Consecution: ∧ x ′ = x + y ∧ y ′ = y + x ⇒ x ′ ≥ 0 ∧ y ′ ≥ 1 x ≥ 0 ∧ y ≥ 1 � �� � � �� � � � P P ′ Understanding IC3 – 12/55

Understanding IC3 – 13/55

Incremental vs. Monolithic Methods • Incremental: does not always work • Monolithic: relatively complete • Incremental: apply induction iteratively (“modular”) • Monolithic: invent one strengthening formula We strongly recommend its use whenever applicable. Its main advantage is that of modularity . – Manna and Pnueli Temporal Verification of Reactive Systems: Safety 1995 Understanding IC3 – 14/55

Finite-state System Transition system: ( i, x, I ( x ) , T ( x, i, x ′ )) S : Cube s : • Conjunction of literals, e.g., x 1 ∧ ¬ x 2 ∧ ¬ x 3 ∧ x 4 ∧ · · · • Represents set of states (that satisfy it) Clause: ¬ s Understanding IC3 – 15/55

SAT-Based Backward Model Checking 1. Search for predecessor s to some error state: P ∧ T ⇒ P ′ If none, property holds. 2. Reduce cube s to ¯ s : • Expand to others with bad successors [McMillan 2002] , [Lu et al. 2005] • If P ∧ ¬ s ∧ T ⇒ ¬ s ′ , reduce by implication graph [Lu et al. 2005] • Apply inductive generalization [Bradley 2007] 3. P := P ∧ ¬ ¯ s Understanding IC3 – 16/55

Inductive Generalization Given : cube s Find : c ⊆ ¬ s such that • Initiation: I ⇒ c • Consecution (relative to information P ): P ∧ c ∧ T ⇒ c ′ • No strict subclause of c is inductive relative to P Understanding IC3 – 17/55

Understanding IC3 – 18/55

Understanding IC3 – 19/55

Analysis of Backward Search Strengths: • Easy SAT queries, low memory • Property focused • Some are approximating, computing neither strongest nor weakest strengthening Weaknesses: • Essentially undirected search (bad for bug finding) • Ignore initial states Understanding IC3 – 20/55

Analysis of FSIS [Bradley 2007] Strengths (essentially, great when it works): • Can significantly reduce backward search • Can find strong lemmas with induction Weaknesses: • Like others when inductive generalization fails Understanding IC3 – 21/55

BMC [Biere et al. 1999] Compared to backward search: • Considers initial and final states • Requires solving hard SAT queries • Practically incomplete (UNSAT case) k − 1 � ( P ( i ) ∧ T ( i ) ) ∧ ¬ P ( k ) I ∧ i =0 Understanding IC3 – 22/55

Understanding IC3 – 23/55

k -Induction [Sheeran et al. 2000] Addresses practical incompleteness of BMC: • Initiation: BMC • Consecution: k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) i =0 (plus extra constraints to consider loop-free paths) Understanding IC3 – 24/55

Understanding IC3 – 25/55

ITP [McMillan 2003] Property-focused over-approximating post-image: k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) F i ∧ i =0 • { states ≤ i steps from initial states } ⊆ F i • If holds, finds interpolant F i +1 : k − 1 � ( P ( i ) ∧ T ( i ) ) ⇒ P ( k ) F i ∧ T ⇒ F ′ F ′ i +1 ∧ i +1 i =1 • If fails, increases k Understanding IC3 – 26/55

Understanding IC3 – 27/55

BMC → k -Induction → ITP • Completeness from unrolling transition relation • Evolution: reduce max k in practice (UNSAT case) • Monolithic: • hard SAT queries • induction at top-level only • Consider both initial and final states Understanding IC3 – 28/55

Best of Both? Desire: • Stable behavior (backward search) • Low memory, reasonable queries • Can just let it run • Consideration of initial and final states (BMC) • Modular reasoning (incremental method) Avoid: • Blind search (backward search) • Queries that overwhelm the SAT solver (BMC) Understanding IC3 – 29/55

IC3: A Prover Stepwise sets F 0 , F 1 , . . . , F k , F k +1 (CNF): • { states ≤ i steps from initial states } ⊆ F i • F i ⊆ { states ≥ k − i + 1 steps from error } Four invariants: • F 0 = I • F i ⇒ F i +1 • F i ∧ T ⇒ F ′ i +1 • Except F k +1 , F i ⇒ P ∴ if ever F i = F i +1 , F i is inductive & P is invariant Understanding IC3 – 30/55

Understanding IC3 – 31/55

Induction at Top Level Is P inductive relative to F k ? F k ∧ T ⇒ P ′ (Recall: F k ⇒ P ) • Possibility #1: Yes • Conclusion: P is inductive relative to F k Understanding IC3 – 32/55

Understanding IC3 – 33/55

Induction at Top Level Monolithic behavior (predicate abstraction): • For i from 1 to k : find largest C ⊆ F i s.t. F i ∧ T ⇒ C ′ F i +1 := F i +1 ∧ C • F k +1 := F k +1 ∧ P • New frontier: F k +1 If ever F i = F i +1 , done: P is invariant. Understanding IC3 – 34/55

Counterexample To Induction (CTI) F k ∧ T ⇒ P ′ • Possibility #2: No • Conclusion: ∃ F k -state s with error successor • If s is an initial state, done: P is not invariant • Otherwise... Understanding IC3 – 35/55

Understanding IC3 – 36/55

Induction at Low Level Inductive Generalization in IC3 • Given : cube s • Find : c ⊆ ¬ s such that • Initiation: I ⇒ c • Consecution (relative to F i ): F i ∧ c ∧ T ⇒ c ′ • No strict subclause of c is inductive relative to F i Understanding IC3 – 37/55

Understanding IC3 – 38/55

Addressing CTI s • Find highest i such that F i ∧ ¬ s ∧ T ⇒ ¬ s ′ • Apply inductive generalization: F i ∧ c ∧ T ⇒ c ′ c ⊆ ¬ s I ⇒ c • ∴ F i +1 := F i +1 ∧ c (also update F j , j ≤ i ) • If i < k , new proof obligation : ( s, i + 1) “Inductively generalize s relative to F i +1 ” Understanding IC3 – 39/55

Addressing Proof Obligation ( t, j ) SAT query: F j ∧ ¬ t ∧ T ⇒ ¬ t ′ If UNSAT: • Inductive generalization must succeed: F j ∧ c ∧ T ⇒ c ′ c ⊆ ¬ t I ⇒ c • F j +1 := F j +1 ∧ c • Updated proof obligation (if j < k ): ( t, j + 1) Understanding IC3 – 40/55

Addressing Proof Obligation ( t, j ) SAT query: F j ∧ ¬ t ∧ T ⇒ ¬ t ′ If SAT: New CTI u , treat as before • Find highest i s.t. ¬ u is inductive relative to F i • Inductively generalize ( c ⊆ ¬ u ): F i +1 := F i +1 ∧ c • New proof obligation (if i < k ): ( u, i + 1) Understanding IC3 – 41/55

One of IC3’s Insights • Suppose CTI s was inductively generalized at F i • F i +1 := F i +1 ∧ c • Removed s and some predecessors from F i +1 • Updated proof obligation: ( s, i + 1) Understanding IC3 – 42/55