automated extraction of inductive invariants to aid model checking

Automated Extraction of Inductive Invariants to Aid Model Checking

Michael L. Case, Alan Mishchenko, and Robert K. BraytonUniversity of California, Berkeley

FMCAD 2007

November 14, 2007 Mike Case, FMCAD 2007 2

Design w/Safety Property

Verification Time

Design w/Safety Property

Additional DesignInformation

Motivation

What kind of information will help verification? How do we know when we’ve given enough information? Is the additional information easily verifiable?


Abstract

Present a framework to automatically find/prove this extra design information Local properties (Inductive Invariants) Only considered if they help the verification Limited in number, easy to prove correct

Verifying safety properties in a gate-level hardware design Interpolation used as a case study


Outline

Forming a reachability approximation Brief introduction to Interpolation Tailoring reachable approximation for a target

application Helping interpolation Proof graph formulation Experimental results


Outline




Approximating the Reachable States Prove inductive invariants

(local properties that hold reachable states) Conjunction gives reachability approximation

I


Quickly Proving Local Properties Our previous work

Derive a large set of candidate invariants (implications)

Proved in a van Eijk-style induction Tries to prove as many properties as possible Do we need to prove all properties?

Are some better than others? Tight reachability approx. or just “good

enough”?


Outline




Fixed Point?

Bad state reached?

Property Verified

Property Falsified

frontier := initial states

frontier +=approxImage(frontier)

Initialize approximationparameters

Cex reacheddirectly from the

initial state?

Tighten approximationparameters

no

yes

no

yes

yes

no

I BImage 1

Image 2

The Interpolation Algorithm

Image 2

Image 1

I BS

Reachability:

Interpolation:


Problems With Interpolation

Can explore unreachable states No control over the approximate image Often can’t decide if an encountered bad state is

reachable Requires frequent restarts

Refining the approximation parameters and restarting is the most expensive operation

Discards all prior work


Image

Image

I B

1

2

S

Enhancing Interpolation Possible to avoid the model refinement

Show either S or B unreachable Invariants that are violated in either S or B

Suppose we had a tool to find invariants to do this Adding the invariants to our satisfiability solver would

prevent S or B from being explored


Outline




Targetted Invariant Tool

Given a state S that we want to prove unreachable

Find {P} such that Implies that S is unreachable Can be proved with simple (one-step) induction


Can wefind invariants?

Fixed Point?

Bad state reached?

Property Verified

Property Falsified

frontier := initial states

frontier +=approxImage(frontier)

Initialize approximationparameters

Cex reacheddirectly from the

initial state?

Tighten approximationparameters

no

yes

no

yes

yes

no

yes

no


Proving A State Unreachable

Previous work proves a large set of states unreachable Proves many small properties Can we limit the invariants to target states of

interest?


Outline




{ P }

S { P }

S

The Proof Graph

Every property in the set is violated in S

Proving any such property implies that S is unreachable

{P} are how we will prove S unreachable

S is the reason the inductive proof of the properties does not succeed S is the counterexample in the

simple induction proof Proving S unreachable is a

necessary condition for proving any property in the set

S is why we can’t prove {P}

(a state)

(a set of properties)

(a set of properties)

(a state)


Proof Graph Example

S0

{ P0 }1{ P0 }2

{ P0 }3

S1 S3S2

{ P1 }

{ P3 }{ P2 }

Input S0

Find properties violated in S0

Prove {P0} Cover the new states

with properties Prove {P3}

Prove {P03}


Outline




Experimental Results

ABC logic synthesis system used as software base Extended through two C++ plugin libraries:

Interpolation Proof graph formulation (this work)

User can select to use interpolation alone or interpolation + proof graph Refuting error traces is an option

Tested on extensively on both academic and industrial benchmarks


“Hard” Academic Benchmarks

Verified 154 academic benchmarks (TIP suite) 18 timeout in 2 hours with standard interpolation 9 of these are “easy” when the proof graph refutes

counterexample traces Why are there no false properties here?


“Hard” Industrial Benchmarks 43 industrial

benchmarks Sequential

Equivalence Checking benchmarks

1800 second timeout Problems “hard” for

standard interpolation Enabling proof graph

dramatically helps runtime

1800

1800


Summary

Motivated need for a tool to show that a selected state is unreachable

Constructed such a tool using the proof graph formulation

Applied the tool to help interpolation Demonstrated the effectiveness on a variety

of benchmarks Thank you.

automated extraction of inductive invariants to aid model checking

Documents