Automated Extraction of Inductive Invariants to Aid Model Checking
Michael L. Case, Alan Mishchenko, and Robert K. Brayton
University of California, Berkeley
FMCAD 2007
November 14, 2007 Mike Case, FMCAD 2007 2
Motivation
[Figure: verification time for a design with a safety property, alone versus with additional design information supplied]
What kind of information will help verification?
How do we know when we've given enough information?
Is the additional information easily verifiable?
Abstract
Present a framework to automatically find/prove this extra design information
  Local properties (inductive invariants)
  Only considered if they help the verification
  Limited in number, easy to prove correct
Verifying safety properties in a gate-level hardware design
  Interpolation used as a case study
Outline
Forming a reachability approximation
Brief introduction to interpolation
Tailoring the reachability approximation for a target application
  Helping interpolation
  Proof graph formulation
Experimental results
Approximating the Reachable States
Prove inductive invariants (local properties that hold in all reachable states)
Their conjunction gives a reachability approximation
[Figure: initial states I inside the over-approximation of the reachable states]
Quickly Proving Local Properties
Our previous work
  Derive a large set of candidate invariants (implications)
  Proved in a van Eijk-style induction
  Tries to prove as many properties as possible
Do we need to prove all properties?
  Are some better than others?
  Tight reachability approximation or just "good enough"?
The Interpolation Algorithm
[Flowchart: initialize approximation parameters; frontier := initial states; frontier += approxImage(frontier); bad state reached? no: fixed point? yes: property verified, no: iterate; yes: cex reached directly from the initial state? yes: property falsified, no: tighten approximation parameters and restart]
[Figure: Reachability: exact images Image 1, Image 2 computed from I toward B. Interpolation: over-approximate images that may contain a spurious state S]
Problems With Interpolation
Can explore unreachable states
  No control over the approximate image
  Often can't decide if an encountered bad state is reachable
Requires frequent restarts
  Refining the approximation parameters and restarting is the most expensive operation
  Discards all prior work
Enhancing Interpolation
[Figure: over-approximate images Image 1, Image 2 from I, containing a spurious state S, and the bad state B]
Possible to avoid the model refinement
  Show either S or B unreachable
  Invariants that are violated in either S or B
Suppose we had a tool to find invariants to do this
  Adding the invariants to our satisfiability solver would prevent S or B from being explored
Targeted Invariant Tool
Given a state S that we want to prove unreachable
Find {P} such that
  Each property implies that S is unreachable
  It can be proved with simple (one-step) induction
[Flowchart: the interpolation loop from before, with one new decision: when a bad state is reached that is not reached directly from the initial state, ask "can we find invariants?"; yes: continue without restarting, no: tighten approximation parameters]
Proving A State Unreachable
Previous work proves a large set of states unreachable
  Proves many small properties
Can we limit the invariants to target states of interest?
The Proof Graph
[Figure: two kinds of nodes, S (a state) and {P} (a set of properties), with edges in both directions]
{P} are how we will prove S unreachable
  Every property in the set is violated in S
  Proving any such property implies that S is unreachable
S is why we can't prove {P}
  S is the reason the inductive proof of the properties does not succeed
  S is the counterexample in the simple induction proof
  Proving S unreachable is a necessary condition for proving any property in the set
Proof Graph Example
[Figure: proof graph rooted at S0 with three attempts {P0}1, {P0}2, {P0}3 to prove {P0}; counterexample states S1, S2, S3 and their property sets {P1}, {P2}, {P3}]
Input S0
Find properties violated in S0
Prove {P0}
Cover the new states with properties
Prove {P3}
Prove {P0}3
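The recursion sketched above, as an added illustration that is not the paper's ABC plugin: an explicit-state proof-graph search over a constructed 3-latch design, where the transition table, the candidate implications and their order are assumptions chosen so that plain induction fails and a recursive node has to be proved first.

```python
from itertools import product

# Constructed 3-latch design (bits a, b, c); not the paper's benchmark.
N_BITS = 3
INIT = (0, 0, 0)
# Reachable cycle 000 -> 001 -> 011 -> 111 -> 000; 100 and 110 are unreachable.
NEXT = {(0,0,0): (0,0,1), (0,0,1): (0,1,1), (0,1,0): (0,1,1), (0,1,1): (1,1,1),
        (1,0,0): (1,1,0), (1,0,1): (1,1,1), (1,1,0): (1,0,0), (1,1,1): (0,0,0)}
# Candidate invariants "bit i = 1 -> bit j = 1", as a van Eijk-style tool would
# guess from simulation; the order is constructed to force a proof-graph recursion.
CANDIDATES = [(1, 2), (0, 1), (0, 2)]

def holds(prop, s):
    i, j = prop
    return bool(not s[i] or s[j])

def induct(prop, proved):
    """One-step induction of prop, strengthened by the already proved invariants.
    Returns (True, None), or (False, cex) where cex satisfies prop and every
    proved invariant but its successor violates prop (cex == INIT: base fails)."""
    if not holds(prop, INIT):
        return False, INIT
    for s in product((0, 1), repeat=N_BITS):
        if holds(prop, s) and all(holds(q, s) for q in proved):
            if not holds(prop, NEXT[s]):
                return False, s
    return True, None

def prove_unreachable(s, proved, stack=()):
    """Proof-graph node for state s.  Try each candidate violated in s; when its
    induction fails, the counterexample state becomes a new node that is attacked
    first, and the invariants proved there let the induction be retried."""
    if s in stack:                      # cycle in the proof graph: give up here
        return False
    for prop in CANDIDATES:
        if holds(prop, s):
            continue                    # only properties violated in s help
        if prop in proved:
            return True                 # s already excluded by a proved invariant
        while True:
            ok, cex = induct(prop, proved)
            if ok:
                proved.add(prop)
                return True
            if cex == INIT or not prove_unreachable(cex, proved, stack + (s,)):
                break                   # unrefutable counterexample; next candidate
    return False

if __name__ == "__main__":
    proved = set()
    print(prove_unreachable((1, 1, 0), proved), sorted(proved))  # True [(0, 2), (1, 2)]
```

Proving b -> c for S = 110 fails with counterexample 100; attacking 100 proves a -> c, after which the retry of b -> c succeeds and 110 is shown unreachable.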
Experimental Results
ABC logic synthesis system used as the software base
Extended through two C++ plugin libraries:
  Interpolation
  Proof graph formulation (this work)
User can select interpolation alone or interpolation + proof graph
  Refuting error traces is an option
Tested extensively on both academic and industrial benchmarks
"Hard" Academic Benchmarks
Verified 154 academic benchmarks (TIP suite)
18 time out in 2 hours with standard interpolation
9 of these are "easy" when the proof graph refutes counterexample traces
Why are there no false properties here?
"Hard" Industrial Benchmarks
43 industrial benchmarks
  Sequential equivalence checking benchmarks
  1800 second timeout
  Problems "hard" for standard interpolation
Enabling the proof graph dramatically helps runtime
[Plot: runtimes with standard interpolation versus interpolation + proof graph, both axes running to the 1800 second timeout]
Summary
Motivated the need for a tool to show that a selected state is unreachable
Constructed such a tool using the proof graph formulation
Applied the tool to help interpolation
Demonstrated the effectiveness on a variety of benchmarks
Thank you.