אימות אוטומטי Intertwined Forward-Backward Reachability Analysis Using Interpolants Work by: Yakir Vizel, Orna Grumberg and Sharon Shoham (TACAS 2013)

Notations System is modeled as (V,INIT,T), where: V is a finite set of variables INIT  2V is the set of initial states T  2V2V is the set of transitions A safety property of the form AGP p is a propositional formula over V Notions we will use during the talk. Our system is modeled as a tupple where V is a finite set of variables that induces a set of states. INIT, initial states and T the transition relation. We deal with safety properties of the form AGp since we know that all other kinds of LTL properties can be reduced to AGp.

Interpolants Given an inconsistent pair (A,B) of propositional formulas Then, there exist a formula I such that: A  I I ∧ B is unsatisfiable I is over the common variables of A and B I = Itp(A,B)

Interpolation in the context of model checking Given the following BMC formula k B A I

Interpolation in the context of model checking I is over V1 A I I over-approximates the set S1 I  B  false States in I cannot reach a bug in k-1 steps

Interpolation-Sequence The same BMC formula partitioned in a different manner: A2 A3 Ak Ak+1 A1 I1 I2 I3 Ik-1 Ik 6 6 6

Interpolation-Sequence Ij – over-approximation of the set of states reachable in j steps Ik  Ak+1  false the states in Ik do not violate p

Forward Reachability Analysis Does AGp hold? Fn=Img(Fn-1,T) F2=Img(F1,T) F1=Img(INIT,T) Bad=¬P INIT How do we do that? How do we determine if our safety property hold? We have a set of states that we call “bad states” this set is simply defined by the negation of P. We compute the states that are reachable in the system. As it usually described, our system has a set of initial states, and a transition relation describing how the system moves from one state to the other. So we start from the initial state, and then by applying one step we get the set F_1. This is done with an Image operator. I will refer to the set F_1 as the states reachable in the first time frame. We then apply another step and get F_2 which is the states reachable in the second time frames and so on. The i-th time frame, states reachable in i steps. The computation stops either when a fixpoint is reached or either when the states computed intersect with the bad states. F_i is the set of reachable states at the i-th time frame (explain that we use the term time frame to indicate the number of TRs applied) Usually, doing the exact Image and PreImage operations is expansive so usually an approximated Image operator is used.

Approximated Forward Reachability F(V) – a set of states For the unsatisfiable formula F(V) ∧T(V,V’) ∧¬P(V’), define: A = F(V) ∧T(V,V’) B = ¬P(V’) Approximated forward reachability: ApxImg(F,T) = Itp(A, B)

Backward Reachability Analysis Does AGp hold? Bn=PreImg(Bn-1,T) B2=PreImg(B1,T) B1=PreImg(¬P,T) Bad=¬P INIT We can also do the analysis in a "backward" manner. What does it mean? Instead of starting from the initial states we start from the bad states. Then instead of going forward with the TR we go backwards. We define a PreImage operator and compute predecessors of the states. This is also done till a fixpoint is found or untill the initial states are intersected.

Duality In a SAT Query INIT(V) ∧T(V,V’) ∧¬P(V’) Do we reach the bad states? and making one step forwards Starting from the initial states INIT(V) ∧T(V,V’) ∧¬P(V’) We tend to read it "Forwards" From left to right

Duality In a SAT Query INIT(V) ∧T(V,V’) ∧¬P(V’) and making one step backwards Starting from the bad states Do we reach the initial states? INIT(V) ∧T(V,V’) ∧¬P(V’) We tend to read it "Forwards" From left to right We can also read it "Backwards" From right to left Does the pre-image of the bad states intersect the initial states This observation is the motivation for this work.

Approximated Backward Reachability B(V) – a set of states For the unsatisfiable formula INIT(V) ∧T(V,V’) ∧ B(V’), define: A = T(V,V’) ∧ B(V’) B = INIT(V) Approximated backward reachability: ApxPreImg(B,T) = Itp(A, B)

Dual Approximated Reachability (DAR) Compute two sequences of reachable states Forward Sequence: <F0,F1,…,Fn> Backward Sequence: <B0,B1,…,Bn> Sequences are over-approximations For the forward sequence: Fi(V)  T(V,V’)  Fi+1(V’) Fi(V)  P(V) For the backward sequence Bi+1(V)  T(V,V’)  Bi(V’) Bi(V)  INIT(V) Formally, DAR computes these two sequences. What makes DAR unique is the way these sequences are computed

Dual Approximated Reachability (DAR) Two main phases during the computation Local Strengthening No unrolling Global Strengthening Limited unrolling In case the Local Strengthening fails DAR uses two main phases to compute the Forward Sequence and Backward Sequence. The first is called Local Strengthing. It is called “Local” since during this phase no unrolling of the TR is used. The other phase is called Global Strengthening. Global Strengthening is used when the Local phase fails. In the GS phase, unrolling is applied gradually. We will see this in a few moments.

Dual Approximated Reachability Check the formula: INIT(V) ∧ T(V,V’) ∧ ¬P(V’) B0=¬P F0=INIT Lets assume that the initial states do not intersect the bad states and therefore there are no trivial CEXs. So the next thing to do is to check for a CEX of length 1. This is done with the following SAT query. From the unsatisfiability of this query two things can be derived: If SAT then CEX is found

Dual Approximated Reachability UNSAT: INIT(V) ∧ T(V,V’) ∧ ¬P(V’) A B A B B1 F1 B0=¬P F0=INIT Lets assume that the initial states do not intersect the bad states and therefore there are no trivial CEXs. So the next thing to do is to check for a CEX of length 1. This is done with the following SAT query. From the unsatisfiability of this query two things can be derived:

Local Strengthening - Intuition What if F1 and B1 intersect each other? There may be a counterexample B1 F1 B0=¬P F0=INIT There may be a CEX. But it may also be due to the over-approximation.

Local Strengthening - Intuition What if F1 and B1 intersect each other? F1(V) ∧ T(V,V’) ∧ B0(V’) F0(V) ∧ T(V,V’) ∧ B1(V’) B1 F1 B0=¬P F0=INIT

Local Strengthening - Intuition B A B F1(V) ∧ T(V,V’) ∧ B0(V’) Compute forward and backward interpolants F2 is the forward interpolant Backward interpolant strengthens the already existing B1 F2 B1 F1 B1 B0=¬P F0=INIT

Local Strengthening - Intuition B A B F0(V) ∧ T(V,V’) ∧ B1(V’) Must be UnSAT Compute forward and backward interpolants B2 is the backward interpolant F’1 is strengthening the already existing F1 F2 B2 F1 F1 B1 B0=¬P F0=INIT

Local Strengthening Assume: F[n]=<F0,F1,…,Fn> and B[n]=<B0,B1,…,Bn> Fi over-approximates states reachable from INIT in i steps Bj over-approximates states that can reach p in j steps.  Fi  Bj over-approximates states that appear in the i-th step of a counterexample of length i+j (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> over-approximate all CEXs of length n+1 Fi  Bj over-approximate states that appear in the i-th step of a counterexample of length i+j

Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> At each iteration: Check (locally) if no CEX of length n+1 exists For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) If UNSAT: no CEX of length n+1

Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 1in-1: Fi(V)Bn-i+1(V)T(V,V’)Fi+1(V’)Bn-i(V’) INIT(V) T(V,V’)F1(V’)Bn(V’) Fn(V)B1(V)T(V,V’)p(V’)

Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 1in-1: Fi(V)  T(V,V’)  Bn-i(V’) F0(V)  T(V,V’)  Bn(V’) Fn(V)  T(V,V’)  B0(V’)

Local Strengthening (F[n],B[n])= <INIT,F1Bn,F2Bn-1,….,FnB1,p> For every 0in: check if SAT: i(V)  T(V,V’)  i+1(V’) Check: For every 0in: Fi(V)  T(V,V’)  Bn-i(V’) If for some i Fi(V)T(V,V’)Bn-i(V’) UNSAT: apply local strengthening and extract (F[n],B[n])

Local Strengthening Assume: Fi(V)T(V,V’)Bn-i(V’) unsat for some i Extraction: If Fn(V)T(V,V’)B0(V’) unsat: obtain Fn+1 If F0(V)T(V,V’)Bn(V’) unsat: obtain Bn+1 If Fi(V)T(V,V’)Bn-i(V’) unsat for some i then not necessarily true Need to strengthen F[n] and B[n]

Fi(V)T(V,V’)Bn-i(V’) Local Strengthening Fi(V)T(V,V’)Bn-i(V’) Find forward interpolant and strengthen Fi+1: Fi+1=Fi+1  Itp(A,B) Find backward interpolant and strengthen Bn-i+1: Bn-i+1=Bn-i+1  Itp(A,B) B A A B

Fi(V)T(V,V’)Bn-i(V’) Local Strengthening Fi(V)T(V,V’)Bn-i(V’) Fi+1=Fi+1  Itp(A,B): Fi+1  Bn-i After stengthening: Fi+1(V)T(V,V’)Bn-(i+1)(V’) is unsat Strengthen Fi+2 similarly Dually, Bn-i+1  Fi: Fi-1(V)T(V,V’)Bn-i+1(V’) is unsat Strengthen Bn-i+2 similarly

Iterative Local Strengthening Given i s.t. Fi(V)T(V,V’)Bj(V’) unsat: Function IterativeLS(F[n],B[n],i,j) while i<n do Fi+1 = Fi+1  Itp(Fi(V)T(V,V’),Bn-i(V’)) i=i+1 end while Fn+1=Itp(Fn(V)T(V,V’),B0(V’)) while j<n do Bj+1 = Bj+1  Itp(T(V,V’)Bj(V’),Fn-j (V)) j=j+1 Bn+1=Itp(T(V,V’)Bn(V’),F0(V))

Local Strengthening Fails F1(V) ∧ T(V,V’) ∧ B2(V’) F0(V) ∧ T(V,V’) ∧ B3(V’) F2(V) ∧ T(V,V’) ∧ B1(V’) F3(V) ∧ T(V,V’) ∧ ¬P(V’) B3 B2 F3 F2 B1 F1 B0=¬P F0=INIT All checks are independent. Therefore they can be executed in parallel. It is enough that only one check is UnSAT to apply Local Strengthening.

Global Strengthening Apply unrolling gradually Start from the initial states Try to reach the backward sequence using an increasing number of T’s

Global Strengthening F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧T(V’’’,V’’’’)∧¬P(V’’’’) F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ B2(V’’) F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) B3 B2 B1 B0=¬P F0=INIT

Interpolantion-Sequence Given a sequence <A1,…,An> such that its conjunction is unsatisfiable Then, there exist an interpolation sequence <I0,…,In> such that: I0 = TRUE, In=FALSE Ii ∧ Ai+1  Ii+1 is unsatisfiable Ii is over the common variables of A1,…,Ai and Ai+1,…,An

F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) Global Strengthening A1 A2 A3 A4 I1 I2 I3 T F F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’)

F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) Global Strengthening F0(V) ∧ T(V,V’) ∧ T(V’,V’’) ∧ T(V’’,V’’’)∧ B1(V’’’) Formula is unsatisfiable Extract an interpolation-sequence: I1, I2, I3 Ij over-approximates states reachable in j steps Use Ij to strengthen Fj Example: F3’ = F3 ∧ I3 F3 ∧ B1 is unsatisfiable Re-Apply Local Strengthening F3(V) ∧ T(V,V’) ∧ ¬P(V’) is unsatisfiable

Global Strengthening If a CEX exists – Full unrolling Otherwise, gradually unroll the model Try to reach the Backward sequence When the backward sequence is not reachable Extract interpolation sequence Strengthen forward sequence Reapply Local Strengthening

Global Strengthening of (F[n],B[n]) Function GlobalStrengthen(F[n],B[n]) for i=2 to n+1 do if INITT T.. T Bn-i+1 == UNSAT then I=GetInterpolationSeq() for j=1 to min{i,n} do Fj=Fj  Ij end for IterativeLS(F[n],B[n],i-1,n-i+1) end if return CEX

Summary Interpolation-based model checking algorithm Uses both Forwards and Backwards traversals Two main phases during the computation Local Strengthening No unrolling Global Strengthening Limited unrolling In case the Local Strengthening fails Mostly local – No unrolling When unrolling is used, it is restricted