Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Transcription

1 ..

2 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

3 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 3 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

4 Lifting to software model checking IC3 had a deep impact in hardware model checking (HMC) showed much better performance than CEGAR and BMC Today employed in every major hardware model checking tool Challenges Domain in HMC finite (bit-level) How to handle infinite state space? 4 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

5 Bit-blasting Encode variables as bit-vectors and use bit-blasting with bit-level IC3. ART unrolling Unroll abstract reachability tree, search for error path and try to construct clauses necessary to refute the path similar to blocking phase of IC3. Predicate Abstraction [WK13] [CG12] [BBW14] Use predicates to abstract the state space and apply bit-level IC3 on set of predicates. [WK13] Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp [BBW14] Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''.. In:. 2014, pp of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

6 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 6 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

7 Control Flow Automaton (CFA) A CFA A = (L, G) consists of a set of L = {0,, n} and edges in G L QF F O L labeled with quantifier-free first-order formulas. Program A program P = (A, l 0, l E ) contains a CFA A representing the control flow, an initial location l 0 and an error location l E. Transition formula Given two locations l 1, l 2 L, we define the T l1 l 2 = { (pc = l 1) t (pc = l 2 ) false, if (l 1, t, l 2 ) G, otherwise. 7 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

8 Relative Inductiveness Given a transition formula T = to another formula ψ if is valid. Edge-Relative Inductiveness T l1 l 2, a formula φ is inductive relative (l 1,t,l 2 ) G ψ φ T φ (1) Given a CFA A and locations l 1, l 2 L, a formula φ is edge-relative inductive to another formula ψ if is valid. ψ φ T l1 l 2 φ (2) 8 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

9 Data Region [Hen+02] A, represented by quantifier-free FO formula s over V ar is the set of all variable assignments σ satisfying s, i.e. {σ σ s}. Region Define a r = (l, s) as a pair consisting of location l and data region s. A corresponding formula for r is the formula φ = (pc = l s) and every formula ψ, s.t. φ ψ. Using correspondence, we can define the meaning of the negation of a region r by its corresponding formula φ = (pc = l s). Given two regions r 1, r 2 and their corresponding propositional formula φ 1, φ 2, then r 1 is inductive relative to r 2 iff φ 1 is inductive relative to φ 2. [Hen+02] Thomas A. Henzinger et al. ``Lazy abstraction''. In:. 2002, pp of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

10 Edge-Relative Inductive Regions Assume two regions r 1 = (l 1, s 1 ), r 2 = (l 2, s 2 ), we can reduce edge-relative inductiveness of r 2 to r 1 to s 1 T l1 l 2 s 2, if l 2 l 1 (3) s 1 s 2 T l1 l 2 s 2, if l 2 = l 1 (4) 10 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

11 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 11 of 22 Lifting IC3 to Control Flow Automata Tim Lange

12 Recap [Bra11] Initial checks (0- and 1-step reachable counterexamples) Find CTI (P -state with a transition to P -state) Loop: If obligation is inductive relative to F i 1 block it, otherwise new obligation Break loop if obligation at level 0 found (raise cex) or no proof obligation left If no obligation left, push clauses forward check termination proceed with k + 1 [Bra11] Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

13 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 13 of 22 Lifting IC3 to Control Flow Automata Tim Lange

14 ART unrolling Unroll the ART and search for abstract error path [CG12] Spurious? Procedure that mimics blocking phase of IC3 Try to produce clauses necessary for refutation Successful if empty clause created at some point Termination The algorithm terminates like standard lazy abstraction when all nodes are closed. [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp of 22 Lifting IC3 to Control Flow Automata Tim Lange

15 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 15 of 22 Lifting IC3 to Control Flow Automata Tim Lange

16 Idea Encoding of control flow using special pc variable not efficient Extract control flow in form of a CFA Instead of unrolling into ART apply IC3 directly on CFA For every location in the CFA construct frames F 0,, F k Frames represent overapproximations of i-step reachability in location explicit control flow locations allow to take only single transitions into account 16 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

17 Inner loop bool backwardblock( i: int, l : location, s: data region) Q.add( i, l, s) Q > 0 (i, l, s) = Q.pop i = 0 false each l, s.t. (l, f, l ) G l = l and sat(f (i 1,l) s ll s ) generate predecessor c of s add (i 1, l, c) and (i, l, s) to Q l l and sat(f (i 1,l) ll s ) generate predecessor c of s add (i 1, l, c) and (i, l, s) to Q block s in frames F (j,l ) for 0 j i true 17 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

18 18 of 22 Lifting IC3 to Control Flow Automata Tim Lange

19 Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 19 of 22 Lifting IC3 to Control Flow Automata Tim Lange

20 Queries Through inspection of only specific transitions, we can use a single edge formula instead of giving the whole transition relation to the solver No unrolling By using F i frames in every location of the CFA we can operate on the CFA exclusively. Thus no need for unrolling the CFA and a truer lifting of IC3 to software model checking. Stronger relative inductiveness When considering self-loops we can use the stronger relative inductiveness that is used in the original IC3. 20 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

21 Existing improvements Try to apply existing optimizations to IC3 on CFA, such as Triggered Clause Pushing or learning from Counterexamples to Generalization. Generalizations Generalizations are a crucial point in IC3. However, there is no real generalization for Software IC3 yet. Generalize a WP over multiple locations in CFA? Combine different forms of WP to get something like a generalization? How can generalizations be characterized? Completely new technique for generalization? 21 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

22 Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''. In:. 2014, pp Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp Thomas A. Henzinger et al. ``Lazy abstraction''. In:. 2002, pp Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp of 22 Lifting IC3 to Control Flow Automata Tim Lange