qf bv property directed reachability with mixed type atomic … · 2014. 3. 12. · qf bv property...

QF BV Property Directed Reachability

with Mixed Type Atomic Reasoning Units

Tobias Welp and Andreas Kuehlmann

Outliney

1. Introduction

2. QF BV Property Directed Reachability

3. Mixed Type Atomic Reasoning Units

4. Experimental Results

5. Summary

1 January 23, 2014 c©Tobias Welp

Motivation for Property Directed Reachabilityy

• In 2011, Bradley proposed Property Directed Reachability (a.k.a

IC3) for model checking [Brad11].

• Experiments indicate that PDR outperforms model checking based

on Interpolation [McMi03] on representative benchmark sets.

0 100 200 300 400 500 600

020

040

060

0

Time (s)

Num

ber

Sol

ved

Inst

ance

s

PDRInterpolation

[EénM11]


Other Favorable Properties of PDRy

, No unrolling of transition relation.

, Parallizable.

, Allows for initialization with known invariants.

, Good for finding counterexamples and proving that none exists.


Research Pertaining PDRy

Property Directed

ReachabilityAnalysis

Understanding

IC3

[Brad12]

Where

Monolithic/

Incremental

Meet

[Some11]

Generalization

QF LA

[Hode12]

QF BV

[Welp13]

timed

systems

[Kind12]

WSTS

[Kloo13]

push-down

systems

[Hode12]

Optimizations

PDR with

Non-State

Variables

[Back13]

Ternary

Simulation

[EénM11]


Model Checkingy

• Given are

– A set of initial states: I(x)

– A set of bad states: B(x)

– A transition relation: T (x,x′)

• Question: Is a bad state reachable from an initial state using valid

transitions?


Model Checking with PDRy

PDR

No

Yes

Counterexample Sequence

...

badstate 1init

PDR Trace

init

0 1 2 3

x1 = 1

x2 = 0

x1 = 0

x2 = 1

x1 = 1

x2 = 1

I, T, B

T T T


Proving a Safety Property with PDRy

Legend:

Initial set I

Bad set B

Proof oblig.

Cover

bad

0

• Can bad be reached within zero steps?



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

0

• No, only the initial set is reachable within zero steps.

• Everything else is covered , i.e. not reachable.



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• Can bad be reached within one step?

• Conservatively, we initially assume that everything is reachable .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• Find a point in bad that is not yet covered .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• Expand proof obligation using simulation.



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• The cube cannot be reached from the reachable area in frame 0.



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• Hence, we can consider the proof obligation covered .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

bad

0 1

• Expand the covered cube as much as possible.



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

bad

init

0 1

• Repeat with finding a new point in bad that is not covered .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

bad

init

0 1

• Again, the point cannot be reached from the reachable area in

the previous frame.

• Expand the covered cube.

• Now, bad is completely covered .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

bad

init

0 1 2

• Can bad be reached within two steps?



. . .



Legend:

Initial set I

Bad set B

Proof oblig.

Cover

init

0 1 2 3

• Identified an inductive invariant disjoint from bad .

• This proves the property.


Outliney

1. Introduction




5. Summary


Property Directed Reachability for QF BVy

Original QF BV QF BV

Formulation Polytopes Hybrid

Atomic Reasoning BooleanPolytopes

Boolean Cubes

Unit Cubes and Polytopes

Expansion of bad Ternary Interval Hybrid

Proof Obligations Simulation Simulation Simulation

Strengths logic arithmeticarithmetic

logic

Weaknesses arithmetic logic -


Example Hybrid Invarianty

I := (2× y ≡ x) ∧ (x+ y ≤ 3)

T := (y′ ≡ y + 1) ∧ (x′ ≡ x− 2) ∧ (y′ > y) ∧ (x′ < x)

B := (x+ y ≥ 4) ∨ (x mod 2 ≡ 1)

4 2 4 6 x

2

4

6

yf0 Legend:

Initial set I

Bad set B

Proof oblig.

Cover



I := (2× y ≡ x) ∧ (x+ y ≤ 3)

T := (y′ ≡ y + 1) ∧ (x′ ≡ x− 2) ∧ (y′ > y) ∧ (x′ < x)

B := (x+ y ≥ 4) ∨ (x mod 2 ≡ 1)

4 2 4 6 x

2

4

6

yf0

4 2 4 6 x

2

4

6

yf1 Legend:

Initial set I

Bad set B

Proof oblig.

Cover



Original Polytopes QF BV

Formulation [Welp13] Hybrid


Boolean Cubes





logic







Boolean Cubes





logic




I := (2× y ≡ x) ∧ (x+ y ≤ 3)

T := (y′ ≡ y + 1) ∧ (x′ ≡ x− 2) ∧ (y′ > y) ∧ (x′ < x)

B := (x+ y ≥ 4) ∨ (x mod 2 ≡ 1)

4 2 4 6 x

2

4

6

yf0 Legend:

Initial set I

Bad set B

Proof oblig.

Cover



I := (2× y ≡ x) ∧ (x+ y ≤ 3)

T := (y′ ≡ y + 1) ∧ (x′ ≡ x− 2) ∧ (y′ > y) ∧ (x′ < x)

B := (x+ y ≥ 4) ∨ (x mod 2 ≡ 1)

4 2 4 6 x

2

4

6

yf0

4 2 4 6 x

2

4

6

yf1 Legend:

Initial set I

Bad set B

Proof oblig.

Cover






Boolean Cubes





logic



Outliney

1. Introduction




5. Summary



Original PolytopesHybrid

Formulation [Welp13]


Boolean Cubes





logic




I := (2× y ≡ x) ∧ (x+ y ≤ 3)

T := (y′ ≡ y + 1) ∧ (x′ ≡ x− 2) ∧ (y′ > y) ∧ (x′ < x)

B := (x+ y ≥ 4) ∨ (x mod 2 ≡ 1)

4 2 4 6 x

2

4

6

yf0

4 2 4 6 x

2

4

6

yf1 Legend:

Initial set I

Bad set B

Proof oblig.

Cover


Probabilistic Specializationy

4 2 4 6 x

2

4

6

yf1

4 2 4 6 x

2

4

6

yf1

4 2 4 6 x

2

4

6

yf1

ւspecialize to Boolean

cube with probability c

specialize to polytope

with probability 1− cց



4 2 4 6 x

2

4

6

yf1

4 2 4 6 x

2

4

6

yf1

4 2 4 6 x

2

4

6

yf1







• The favorable event can be expected to happen in a constant

number of steps.

E{trials until Boolean cube specialization} = c∞∑

i=1

i(1−c)i−1 =1

c

• Analogously, one calculates

E{trials until polytope specialization} = (1−c)∞∑

i=1

ici−1 =1

1− c


Simulation-based Expansiony

Simulation-based expansion of proof obligations is e.g. used to expand

a bad ARU that is not yet covered:

bad

1



Simulation-based expansion of proof obligations is e.g. used to expand

a bad ARU that is not yet covered:

bad

1



The check whether or not an expansion is valid can be reduced to

simulation on sets of points [EénM11].

Assume bad is defined as e1 < 2 and we already

covered e1 < −1 with

e1 := (x1 − x2 + 2) ∧ (y1 ∨ y2)

bad

1

Then we may expand an ARU to a larger ARU â if

e := (e1 < 2)︸︷︷︸

bad

∧¬ (e1 < −1)︸︷︷︸

covered

evaluates to true for all values in â.


Ternary Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

∨<

2

≤

0−

+

0 - - -

- 0 0 -

1 0 0 -

0 0 - -

x1

x2

y1

y2

Φ Ternary Simulation

Φ Interval Simulation

Φ Hybrid Simulation


Ternary Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

y1

y2

<

2

≤

0−

x1

x2+

0 - - -

- 0 0 -

1 0 0 -

1 0 0 -

0 0 - -

∨





Ternary Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

y1

y2

<

2

≤

0−

x1

x2+

∨

0 - - -

- - - -

- 0 0 -

1 0 0 -

1 0 0 -

0 0 - -





Ternary Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

y1

∨

y2

<

2

≤

0−

x1

x2+

0 - - -

- - - - 0 0 0 0

0 0 - -

0 0 1 0

- 0 0 -

1 0 0 -

1 0 0 -

0 0 1 0

1

- 0 0 -

- - - -

−

−






The check whether or not an expansion is valid can be reduced to

simulation on sets of points [EénM11].

Assume bad is defined as e1 < 2 and we already

covered e1 < −1 with

e1 := (x1 − x2 + 2) ∧ (y1 ∨ y2)

bad

1

Then we may expand an ARU to a larger ARU â if

e := (e1 < 2)︸︷︷︸

bad

∧¬ (e1 < −1)︸︷︷︸

covered

evaluates to true for all values in â.


Interval Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

y1

∨

y2

<

2

≤

0−

x1

x2+

[1, 5]

[0, 3]

[−2, 5]

[0, 7]

[0, 0]

[1, 1]

[0, 1]

[0, 1]

[2, 2]

[0, 7]

[−8, 7][−8, 1]

[2, 2]

[−8,−7]

0 - - -

- - - - 0 0 0 0

0 0 - -

0 0 1 0

- 0 0 -

1 0 0 -

1 0 0 -

0 0 1 0

1

- 0 0 -

- - - -

−

−





Hybrid Simulationy

Let â := (1 ≤ x1 ≤ 5) ∧ (0 ≤ x2 ≤ 3) ∧ (y1 ∈ -00-) ∧ (y2 ∈ 100-)

∧ ∧

2

y1

∨

y2

<

2

≤

0−

x1

x2+

[1, 5]

[−2, 5] [0, 0]

1

1

1

[2, 2]1 0 0 -

- 0 0 -

[2, 2]

[0, 3][0, 7] → 0 - - -

0 0 0 - → [0, 1]

[1, 5]

[0, 3]

[−2, 5]

[0, 7]

[0, 0]

[1, 1]

[0, 1]

[0, 1]

[2, 2]

[0, 7]

[−8, 7][−8, 1]

[2, 2]

[−8,−7]

1 0 0 -

0 - - -

- - - - 0 0 0 0

0 0 - -

0 0 1 0

- 0 0 -

1 0 0 -

1 0 0 -

0 0 1 0

1

- 0 0 -

- - - -

−

−






Original PolytopesHybrid

Formulation [Welp13]


Boolean Cubes





logic



Outliney

1. Introduction




5. Summary


Experimental Setupy

Verifier

int

foo

{while(x)

{x--;

}assert(!x);

}

Program

MCI

MCI

2

1

3

MCI


Benchmark Setsy

Bitvector set of SV-Comp [Beye12]

int

{int x = 1;

while(1)

{x += 2*n;

assert(x);

}

foo(int n)

}

Mostly Logic Invariants

InvGen-Benchmarks [Gupt09]

int

{int x = 0;

assume(n>=0);

while(x < n)

{x--;

}

foo(int n)

assert(x

Overall Performancey

SV-COMP

[Beye12]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

c

Num

ber

Solv

ed I

nsta

nces

010

2030

40[0s,0.5s](0.5s,5s](5s,50s](50s,500s]

InvGen

[Gupt09]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

c

Num

ber

Solv

ed I

nsta

nces

010

2030

40

[0s,0.5s](0.5s,5s](5s,50s](50s,500s]


Overall Performancey

All

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

c

Num

ber

Solv

ed I

nsta

nces

020

4060

80

[0s,0.5s](0.5s,5s](5s,50s](50s,500s]


Impact of Simulation Typey

SV-COMP

[Beye12]

1 2 5 10 20 50 100 200 500

010

2030

4050

Time (s)

Num

ber

Solv

ed I

nsta

nces

Ternary SimulationInterval SimulationHybrid Simulation

InvGen

[Gupt09]

1 2 5 10 20 50 100 200 500

010

2030

4050

Time (s)

Num

ber

Solv

ed I

nsta

nces



Impact of Simulation Typey

All

1 2 5 10 20 50 100 200 500

020

4060

8010

0

Time (s)

Num

ber

Solv

ed I

nsta

nces



Comparison vs ABC PDRy

Solving Time QF_BV PDR (s)

Sol

ving

Tim

e A

BC

(s)

0.1 1 10 100

0.1

1

10

100

timeout

timeout


Outliney

1. Introduction

2. Property Directed Reachability

3. Generalization of PDR to QF BV


5. Summary


Summaryy

• PDR is an efficient algorithm for

solving model checking problems.

0 100 200 300 400 500 600

020

040

060

0

Time (s)

Num

ber

Sol

ved

Inst

ance

s

PDRInterpolation

• PDR with Boolean cubes performances

poorly with arithmetic invariants.

• PDR with polytopes performances poorly

with bit-level invariants.4 2 4 6 x

2

4

6

yf1

• The hybrid formulation outperforms

the pure versions.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

c

Num

ber

Solv

ed I

nsta

nces

020

4060

80

[0s,0.5s](0.5s,5s](5s,50s](50s,500s]


Blay

Thank you!for your

attention

[email protected]


Referencesy

References[Some11] F. Somenzi, A. R. Bradley: IC3: Where Monolithic

and Incremental Meet., FMCAD 2011.

[Brad12] A. R. Bradley: Understanding IC3., SAT 2012.

[Welp13] T. Welp: QF BV Model Checking with PropertyDirected Reachability. DATE 2013.

[Brad11] A. R. Bradley, Z. Manna: SAT-based modelchecking without unrolling., VMCAI 2011.

[EénM11] N. Eén, A. Mishchenko, R. Brayton: EfficientImplementation of Property Directed Reachability,FMCAD 2011.


Referencesy

References[McMi03] K. L. McMillan: Interpolation and SAT-based

Model Checking, CAV 2003.

[Kind12] R. Kindermann, T. Junttila, I. Niemelä: SMT-basedInduction Methods for Timed Systems, FORMATS2012.

[Hode12] K. Hoder, N. Bjørner: Generalized PropertyDirected Reachability, SAT 2012.

[Kloo13] J. Kloos, R. Majumdar, F. Niksic and R. Piskac:Incremental, Inductive Coverability, CAV 2013.

[Back13] J. Backes, M. Riedel: Using Cubes of Non-stateVariables With Property Directed Reachability,DATE 2013.


Referencesy

References[Beye12] D. Beyer: Competition on Software Verification,

TACAS 2012.

[Gupt09] A. Gupta, A. Rybalchenko: InvGen: An EfficientInvariant Generator, CAV 2009.


qf bv property directed reachability with mixed type atomic … · 2014. 3. 12. · qf bv property...

Documents