Automated Extraction of Inductive Invariants to Aid Model Checking - PowerPoint PPT Presentation
1
Automated Extraction of Inductive Invariants to
Aid Model Checking
  • Michael L. Case, Alan Mishchenko, and Robert K.
    Brayton
  • EECS Department, UC Berkeley
  • IWLS 2006, May 31, 2007

2
Motivation
  • Formal verification can be greatly helped by
    external knowledge about the design
  • Internal signal equivalences, unreachable states,
    etc.
  • Reduction in problem size
  • Identifying this extra information is non-trivial
  • Which extra data will help the verification
    problem?
  • Are some hints extraneous?
  • How do we know when we have enough?
  • Propose a way to automatically find extra
    information
  • Inductive invariants are identified and proved
    automatically
  • Limited in number and applied only where they are
    needed
  • Focus on speeding up interpolation

3
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

4
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

5
Approximating the Reachable States
  • Prove local properties that hold in all reachable states
  • Conjunction gives reachability approximation

6
Quickly Proving Local Properties
  • Our previous work
  • Derive a large set of candidate properties
    (implications)
  • Proved in a van Eijk-style induction
  • Tries to prove as many candidate properties as
    possible
  • Do we need to prove all candidate properties?
  • Are some better than others?
  • Tight reachability approx. or just good enough?

7
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

8
The Interpolation Algorithm
  Flowchart, rendered as steps:
  • Initialize approximation parameters
  • Reachability: frontier ← initial states
  • Bad state reached?
    • no: Interpolation: frontier ← approxImage(frontier)
      • Fixed Point? yes → Property Verified
      • Fixed Point? no → check again whether a bad state is reached
    • yes: Cex reached directly from the initial state?
      • yes → Property Falsified
      • no → Tighten approximation parameters and restart with
        frontier ← initial states
9
Problems With Interpolation
  • Can explore unreachable states
  • No control over the approximate image
  • Often can't decide if an encountered bad state is
    reachable
  • Requires frequent restarts
  • Refining the approximation parameters and
    restarting is the most expensive operation
  • Discards all prior work

10
Enhancing Interpolation
  • Possible to avoid the model refinement
  • Show either S or B unreachable
  • Suppose we had a tool to find invariants to do
    this
  • Adding the invariants to our satisfiability
    solver would prevent S or B from being explored

11
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

12
Targeted Invariant Tool
  • Given a state S that we want to prove unreachable
  • Find P such that
  • Implies that S is unreachable
  • Can be proved with simple induction

13
  Flowchart, rendered as steps (the interpolation algorithm with the
  invariant check added):
  • Initialize approximation parameters
  • frontier ← initial states
  • Bad state reached?
    • no: frontier ← approxImage(frontier)
      • Fixed Point? yes → Property Verified
      • Fixed Point? no → check again whether a bad state is reached
    • yes: Cex reached directly from the initial state?
      • yes → Property Falsified
      • no: Can we find invariants?
        • yes → continue without restarting
        • no → Tighten approximation parameters and restart with
          frontier ← initial states
14
Proving A State Unreachable
  • Previous work proves a large set of states
    unreachable
  • Proves many small properties
  • Can we limit the properties to target states of
    interest?

15
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

16
The Proof Graph
  [Proof graph figure: nodes alternate between P (a set of properties)
  and S (a state)]
  • S is the reason the inductive proof of the
    properties does not succeed
  • S is the counterexample in the simple induction
    proof
  • Proving S unreachable is a necessary condition
    for proving any property in the set
  • S is why we can't prove P
  • Every property in the set is violated in S
  • Proving any such property implies that S is
    unreachable
  • P are how we will prove S unreachable

17
Proof Graph Example
  • Input S0
  • Find properties violated in S0
  • Prove P0
  • Cover the new states with properties
  • Prove P3
  • Prove P03

18
Outline
  • Forming a reachability approximation
  • Brief introduction to Interpolation
  • Tailoring reachable approximation for a target
    application
  • Helping interpolation
  • Proof graph formulation
  • Experimental results

19
Experimental Results
  • ABC logic synthesis system used as software base
  • Extended through two C plugin libraries
  • Interpolation
  • Proof graph formulation (this work)
  • User can select to use interpolation alone or
    interpolation combined with the proof graph
  • Refuting error traces is an option
  • Tested extensively on both academic and
    industrial benchmarks

20
Hard Academic Benchmarks
  • Verified 154 academic benchmarks (TIP suite)
  • 18 timeout in 2 hours with standard interpolation
  • 9 of these are easy when the proof graph
    refutes counterexample traces

21
Hard Industrial Benchmarks
  • 43 industrial benchmarks
  • Sequential Equivalence Checking benchmarks
  • 1800 second timeout
  • Problems hard for standard interpolation
  • Enabling proof graph dramatically helps runtime

22
Summary
  • Motivated need for a tool to show that a selected
    state is unreachable
  • Constructed such a tool using the proof graph
    formulation
  • Applied the tool to help interpolation
  • Demonstrated the effectiveness on a variety of
    benchmarks
  • Thank you.

23
Backup Material
24
Proof Graph Notes
  • Proof of a property set implies that all parent
    states are unreachable
  • Proof attempt on leaves only
  • Leaves can be proved independently
  • Select shallowest leaf for next proof
  • Cycles can develop
  • Require more complex handling
  • See paper

25
Special Case Cycles
  • If a cycle develops
  • Cannot prove either property set independently
  • If either S0 or S1 is reachable, the proof will
    not succeed
  • Might be able to prove them together
  • Proof can succeed if we simultaneously prove S0
    and S1 unreachable
  • Successful proof implies both states unreachable
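The following is an added example, not code from the authors or from the ABC plugins the talk describes. It is a toy, explicit-state version of the targeted invariant tool (slide 12) and the proof graph (slides 16 and 17), with the cycle handling of slide 25, built on the simple-induction proof of candidate implications from slides 5 and 6. Everything in it is constructed: a 3-bit transition system (`successors`), the initial state, and the candidate property family (`CANDIDATES`, literal implications). Where the real tool would call a SAT solver, this version enumerates the 8 states, so the induction check and the proof-graph walk can be read and stepped through by hand.

```python
"""Toy proof-graph invariant prover (added example; constructed model, not the
authors' ABC plugin).  Brute-force enumeration stands in for SAT."""
from itertools import product

NBITS = 3
STATES = [tuple(bits) for bits in product((0, 1), repeat=NBITS)]
INIT = {(1, 0, 0)}            # constructed: a token starts in bit 0


def successors(s):
    """Constructed transition relation: rotate the token right; a free input
    may additionally clear bit 1, so the relation is nondeterministic."""
    a, b, c = s
    rotated = (c, a, b)
    return {rotated, (rotated[0], 0, rotated[2])}


# Candidate properties are literal implications (x_i = v_i) -> (x_j = v_j).
LITERALS = [(i, v) for i in range(NBITS) for v in (0, 1)]
CANDIDATES = [(p, q) for p in LITERALS for q in LITERALS if p[0] != q[0]]


def holds(prop, s):
    (i, vi), (j, vj) = prop
    return not (s[i] == vi and s[j] != vj)


def states_satisfying(props):
    """Conjunction of proved properties = reachability approximation (slide 5)."""
    return {s for s in STATES if all(holds(p, s) for p in props)}


def induction_step(props, known):
    """Simple (k = 1) induction of `props`, assuming the already proved `known`.
    Returns (None, set()) if inductive, otherwise (pre_state, violated): the
    first assumed state with a successor that violates some candidate."""
    assumed = states_satisfying(props | known)
    for s in STATES:
        if s not in assumed:
            continue
        for t in sorted(successors(s)):
            violated = {p for p in props if not holds(p, t)}
            if violated:
                return s, violated
    return None, set()


def prove_unreachable(state, known, path=()):
    """Proof-graph search (slide 16): `state` is unreachable once some proved
    invariant in `known` excludes it.  `path` holds (state, property set) of
    the ancestors, which is how cycles (slide 25) are recognised."""
    if any(not holds(p, state) for p in known):
        return True
    # Properties violated in `state`; proving any one of them proves `state`
    # unreachable.  Candidates false in an initial state are dropped up front.
    props = {p for p in CANDIDATES
             if not holds(p, state) and all(holds(p, s0) for s0 in INIT)}
    while props:
        cex, violated = induction_step(props, known)
        if cex is None:                    # inductive: new invariants
            known |= props
            return True
        ancestors = [s for s, _ in path]
        if cex in ancestors:               # cycle: prove the sets simultaneously
            joint = set(props).union(*(ps for _, ps in path[ancestors.index(cex):]))
            if induction_step(joint, known)[0] is None:
                known |= joint
                return True
            return False
        # The induction counterexample becomes a child node of the proof graph.
        if not prove_unreachable(cex, known, path + ((state, props),)):
            props -= violated              # van Eijk-style refinement: give up on these
    return False


def targeted_invariant_tool(state):
    """Slide 12: given S, find inductive P that implies S is unreachable."""
    known = set()
    return prove_unreachable(tuple(state), known), known


def reachable():
    """Exact reachable set by BFS, used only to check the toy's soundness."""
    seen, frontier = set(INIT), list(INIT)
    while frontier:
        s = frontier.pop()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


if __name__ == "__main__":
    ok, known = targeted_invariant_tool((1, 1, 0))
    print("S=(1,1,0) unreachable:", ok, "using", len(known), "invariants")
    print("approximation == reachable:", states_satisfying(known) == reachable())
```

For the constructed system the target state (1,1,0) is excluded only after the walk runs into a cycle: the property sets for (1,1,0), (1,0,1) and (0,1,1) are each non-inductive on their own, but their union, the six "at most one bit set" implications, is inductive and proves all three states unreachable at once, after which the parents are re-proved with the union assumed. Asking the tool about a reachable state such as (0,1,0) fails, as it must, because the base case discards every candidate that is false in the initial state.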