Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Similar documents
Software Model Checking. Xiangyu Zhang

Software Model Checking with Abstraction Refinement

Counterexample Guided Abstraction Refinement in Blast

CS 510/13. Predicate Abstraction

THE results of the last four Hardware Model Checking

More on Verification and Model Checking

Parameter Synthesis with IC3

Static Program Analysis

Interpolation-based Software Verification with Wolverine

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Better Generalization in IC3

Having a BLAST with SLAM

Model Checking Parallel Programs with Inputs

EUForia: Uninterpreted Functions Abstraction with Incremental Induction. University of Michigan

Formal Methods for Software Development

Having a BLAST with SLAM

On Reasoning about Finite Sets in Software Checking

BDD-based software verification

Where Can We Draw The Line?

DIPARTIMENTO DI INGEGNERIA E SCIENZA DELL INFORMAZIONE Povo Trento (Italy), Via Sommarive 14

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

BDD-Based Software Verification

Engineering 9867 Advanced Computing Concepts

Software Model Checking. From Programs to Kripke Structures

KRATOS A Software Model Checker for SystemC

Deductive Methods, Bounded Model Checking

KRATOS A Software Model Checker for SystemC

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Property-Directed Shape Analysis

Learning Support Sets in IC3 and Quip: the Good, the Bad, and the Ugly

Lecture 2: Symbolic Model Checking With SAT

Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT

Configurable Software Model Checking

Scalable Program Verification by Lazy Abstraction

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Predicate Abstraction with Adjustable-Block Encoding

An Introduction to Satisfiability Modulo Theories

Having a BLAST with SLAM

Symbolic and Concolic Execution of Programs

Software Model Checking via Large-Block Encoding

Finite State Verification. CSCE Lecture 14-02/25/2016

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Inductive Invariant Generation via Abductive Inference

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Resolution (14A) Young W. Lim 6/14/14

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Towards a Logical Reconstruction of Relational Database Theory

Symbolic Methods. The finite-state case. Martin Fränzle. Carl von Ossietzky Universität FK II, Dpt. Informatik Abt.

Abstraction techniques for Floating-Point Arithmetic

Finite State Verification. CSCE Lecture 21-03/28/2017

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

On Reasoning About Finite Sets in Software Model Checking

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

PANDA: Simultaneous Predicate Abstraction and Concrete Execution

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

From OCL to Propositional and First-order Logic: Part I

Formally Certified Satisfiability Solving

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Ashish Sabharwal Computer Science and Engineering University of Washington, Box Seattle, Washington

Model-Checking Concurrent Systems

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Unbounded Model-Checking with Interpolation for Regular Language Constraints

Having a BLAST with SLAM

CS 512, Spring 2017: Take-Home End-of-Term Examination

The software model checker BLAST

Lecture Notes on Real-world SMT

Bonsai: Cutting Models Down to Size

BDD-Based Software Model Checking with CPAchecker

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Efficiently Reasoning about Programs

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

Motivation. CS389L: Automated Logical Reasoning. Lecture 17: SMT Solvers and the DPPL(T ) Framework. SMT solvers. The Basic Idea.

Integrity Constraints (Chapter 7.3) Overview. Bottom-Up. Top-Down. Integrity Constraint. Disjunctive & Negative Knowledge. Proof by Refutation

Combining Model Checking and Data-Flow Analysis

PKIND: A parallel k-induction based model checker

Incremental Proof Development in Dafny

Formal Verification: Practical Exercise Model Checking with NuSMV

EPR-based k-induction with Counterexample Guided Abstraction Refinement

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Computability Theory

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

SeaHorn: Software Model Checking with SMT and AI

OpenNWA: A Nested-Word-Automaton Library

Proof Pearl: The Termination Analysis of Terminator

TRACER: A Symbolic Execution Tool for Verification

Introduction to Logic Programming

Efficiently Solving Bit-Vector Problems Using Model Checkers

Automatic Abstraction without Counterexamples

What is a Logic Program. Introduction to Logic Programming. Introductory Examples. Introductory Examples. Foundations, First-Order Language

arxiv: v2 [cs.pl] 3 Apr 2018

Multi Domain Logic and its Applications to SAT

Parametric Real Time System Feasibility Analysis Using Parametric Timed Automata

T Reactive Systems: Kripke Structures and Automata

Formal Verification at Higher Levels of Abstraction

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Abstract Interpretation

CSC Discrete Math I, Spring Sets

Transcription:

..

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 3 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Lifting to software model checking IC3 had a deep impact in hardware model checking (HMC) showed much better performance than CEGAR and BMC Today employed in every major hardware model checking tool Challenges Domain in HMC finite (bit-level) How to handle infinite state space? 4 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Bit-blasting Encode variables as bit-vectors and use bit-blasting with bit-level IC3. ART unrolling Unroll abstract reachability tree, search for error path and try to construct clauses necessary to refute the path similar to blocking phase of IC3. Predicate Abstraction [WK13] [CG12] [BBW14] Use predicates to abstract the state space and apply bit-level IC3 on set of predicates. [WK13] Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp. 791 796 [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp. 277 293 [BBW14] Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''.. In:. 2014, pp. 831 848 5 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 6 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Control Flow Automaton (CFA) A CFA A = (L, G) consists of a set of L = {0,, n} and edges in G L QF F O L labeled with quantifier-free first-order formulas. Program A program P = (A, l 0, l E ) contains a CFA A representing the control flow, an initial location l 0 and an error location l E. Transition formula Given two locations l 1, l 2 L, we define the T l1 l 2 = { (pc = l 1) t (pc = l 2 ) false, if (l 1, t, l 2 ) G, otherwise. 7 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Relative Inductiveness Given a transition formula T = to another formula ψ if is valid. Edge-Relative Inductiveness T l1 l 2, a formula φ is inductive relative (l 1,t,l 2 ) G ψ φ T φ (1) Given a CFA A and locations l 1, l 2 L, a formula φ is edge-relative inductive to another formula ψ if is valid. ψ φ T l1 l 2 φ (2) 8 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Data Region [Hen+02] A, represented by quantifier-free FO formula s over V ar is the set of all variable assignments σ satisfying s, i.e. {σ σ s}. Region Define a r = (l, s) as a pair consisting of location l and data region s. A corresponding formula for r is the formula φ = (pc = l s) and every formula ψ, s.t. φ ψ. Using correspondence, we can define the meaning of the negation of a region r by its corresponding formula φ = (pc = l s). Given two regions r 1, r 2 and their corresponding propositional formula φ 1, φ 2, then r 1 is inductive relative to r 2 iff φ 1 is inductive relative to φ 2. [Hen+02] Thomas A. Henzinger et al. ``Lazy abstraction''. In:. 2002, pp. 58 70 9 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Edge-Relative Inductive Regions Assume two regions r 1 = (l 1, s 1 ), r 2 = (l 2, s 2 ), we can reduce edge-relative inductiveness of r 2 to r 1 to s 1 T l1 l 2 s 2, if l 2 l 1 (3) s 1 s 2 T l1 l 2 s 2, if l 2 = l 1 (4) 10 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 11 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Recap [Bra11] Initial checks (0- and 1-step reachable counterexamples) Find CTI (P -state with a transition to P -state) Loop: If obligation is inductive relative to F i 1 block it, otherwise new obligation Break loop if obligation at level 0 found (raise cex) or no proof obligation left If no obligation left, push clauses forward check termination proceed with k + 1 [Bra11] Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp. 70 87 12 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 13 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

ART unrolling Unroll the ART and search for abstract error path [CG12] Spurious? Procedure that mimics blocking phase of IC3 Try to produce clauses necessary for refutation Successful if empty clause created at some point Termination The algorithm terminates like standard lazy abstraction when all nodes are closed. [CG12] Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp. 277 293 14 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 15 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Idea Encoding of control flow using special pc variable not efficient Extract control flow in form of a CFA Instead of unrolling into ART apply IC3 directly on CFA For every location in the CFA construct frames F 0,, F k Frames represent overapproximations of i-step reachability in location explicit control flow locations allow to take only single transitions into account 16 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Inner loop bool backwardblock( i: int, l : location, s: data region) Q.add( i, l, s) Q > 0 (i, l, s) = Q.pop i = 0 false each l, s.t. (l, f, l ) G l = l and sat(f (i 1,l) s ll s ) generate predecessor c of s add (i 1, l, c) and (i, l, s) to Q l l and sat(f (i 1,l) ll s ) generate predecessor c of s add (i 1, l, c) and (i, l, s) to Q block s in frames F (j,l ) for 0 j i true 17 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

18 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 19 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Queries Through inspection of only specific transitions, we can use a single edge formula instead of giving the whole transition relation to the solver No unrolling By using F i frames in every location of the CFA we can operate on the CFA exclusively. Thus no need for unrolling the CFA and a truer lifting of IC3 to software model checking. Stronger relative inductiveness When considering self-loops we can use the stronger relative inductiveness that is used in the original IC3. 20 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Existing improvements Try to apply existing optimizations to IC3 on CFA, such as Triggered Clause Pushing or learning from Counterexamples to Generalization. Generalizations Generalizations are a crucial point in IC3. However, there is no real generalization for Software IC3 yet. Generalize a WP over multiple locations in CFA? Combine different forms of WP to get something like a generalization? How can generalizations be characterized? Completely new technique for generalization? 21 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. ``Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR)''. In:. 2014, pp. 831 848. Aaron R. Bradley. ``SAT-Based Model Checking without Unrolling''. In:. 2011, pp. 70 87. Alessandro Cimatti and Alberto Griggio. ``Software Model Checking via IC3''. In:. 2012, pp. 277 293. Thomas A. Henzinger et al. ``Lazy abstraction''. In:. 2002, pp. 58 70. Tobias Welp and Andreas Kuehlmann. ``QF BV model checking with property directed reachability''. In:. 2013, pp. 791 796. 22 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback