Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007."— Presentation transcript:

1 Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007

2 Mike Case, DES Seminar2 Motivation Want to build the fastest unbounded model checker –Can get significant speedup from knowledge of a few local properties (inductive invariants) Want to find and prove inductive invariants –Not all invariants are useful for model checking In previous work, we have a way to quickly prove many local properties –Can these be limited to properties that are useful for verification? –Is there an easy way to incorporate this information into a model checker?

3 April 10, 2007Mike Case, DES Seminar3 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Known-unreachable states are sequential don’t-cares IWLS ’06 Upcoming IBM Internship Quickly find and prove small properties Approximation to reachability EECS 290a, IWLS ’06 Efficiently store candidate properties IWLS ’06, WG ’06, WG ’07 EECS 219C Build reachability approximation Interpolation explores a smaller state space EECS 219C Only help where reachability info needed most Motivated by work at Calypto IWLS ’07 Quickly refute candidate properties Under investigation Finding Inductive Invariants Synthesis Verification

4 April 10, 2007Mike Case, DES Seminar4 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

5 April 10, 2007Mike Case, DES Seminar5 Approximating the Reachable States Prove local properties hold  reachable states Conjunction gives reachability approximation I

6 April 10, 2007Mike Case, DES Seminar6 Quickly Proving Local Properties Use simple induction to prove the properties –“Sequential Equivalence Checking without State Space Traversal,” van Eijk, DATE ‘98 Biggest obstacle is an overly large set of candidate properties –Candidates discovered through random simulation, but inadequate for large designs –Candidates are Boolean implications Lots of expressive power Can minimize the number of implications under test by applying a reduction technique on the implication graph –Can also window the candidate set to only prove small subsets at a time Can hurt results because sometimes we need multiple implications to be proved in parallel

7 April 10, 2007Mike Case, DES Seminar7 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

8 April 10, 2007Mike Case, DES Seminar8 Motivation for interpolation Desire to experiment with a state-of-the-art model checker Chose interpolation because it is complete and fast –“Interpolation and SAT-Based Model Checking,” McMillan, CAV ’03 –“An Analysis of SAT-based Model Checking Techniques in an Industrial Environment,” Amla, CHARME ‘05

9 April 10, 2007Mike Case, DES Seminar9 Fixed Point? Bad state reached? Property Verified Property Falsified frontier := initial states frontier += image(frontier) unsat sat yes no I Image 1 B 2 Reachability-Based Verification

10 April 10, 2007Mike Case, DES Seminar10 Fixed Point? Bad state reached? Property Verified Property Falsified frontier := initial states frontier += approxImage(frontier) Initialize approximation parameters Cex reached on a BMC from the initial state? Tighten approximation parameters unsat sat no yes no I B Image 1 2 Interpolation Image2 1 I B S Reachability: Interpolation:

11 April 10, 2007Mike Case, DES Seminar11 Problems With Interpolation Can explore unreachable states –No control over the approximate image and can contain unreachable states –If an unreachable state enters start, many other unreachables will follow –Can lead to an unreachable bad state being explored Requires frequent model refinements –Refining the approximation parameters and restarting is the most expensive operation –Discards all prior work

12 April 10, 2007Mike Case, DES Seminar12 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

13 April 10, 2007Mike Case, DES Seminar13 Enhanced Interpolation Interpolation may explore unreachable states Approximate reachable states to help bound number of interpolation iterations Interpolate Property Verified Quickly approximate reachable states Property Falsified

14 April 10, 2007Mike Case, DES Seminar14 Key Observations From Experimental Results Preprocessing imposes a runtime penalty –Can be minimized by resource thresholding –Need to give it sufficient time to prove properties Ignoring overhead… –Faster in 92% of designs, can solve 4% that previously timed out –Slower in 4% of the benchmarks Not all invariants help the model checker Adding a constraint to a SAT solver might slow it down We can do better!

15 April 10, 2007Mike Case, DES Seminar15 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

16 April 10, 2007Mike Case, DES Seminar16 Image I B 1 2 S A Better Way to Enhance Interpolation Abstraction refinement most expensive Show either S or B unreachable –No other constraints matter Suppose we had a tool to find invariants to do this

17 April 10, 2007Mike Case, DES Seminar17 Targetted Invariant Tool Given a state S that we want to prove unreachable Find {P} such that –Implies that S is unreachable –Can be proved with simple induction

18 April 10, 2007Mike Case, DES Seminar18 Can we find invariants? Fixed Point? Bad state reached? Property Verified Property Falsified frontier := initial states frontier += approxImage(frontier) Initialize approximation parameters Cex reached on a BMC from the initial state? Tighten approximation parameters unsat sat no yes no yes no

19 April 10, 2007Mike Case, DES Seminar19 Another Application We’ve helped interpolation –Short-circuited expensive refinement Can we help other applications? –Consider simple induction –Technique used to prove properties –Is often incomplete. Can we fix this?

20 April 10, 2007Mike Case, DES Seminar20 Simple Induction Can Also Be Helped Is there a way to violate the base case? Remaining candidates hold  reachable states Remove violated candidates Obtain a set of candidate properties Is there a way to violate the inductive step? Remove violated candidates yes no yes no Base Case Inductive Step “Sequential Equivalence Checking without State Space Traversal,” van Eijk, DATE ‘98 Do all properties hold in all initial states? For all states where the properties hold, do they hold in all next states also?

21 April 10, 2007Mike Case, DES Seminar21 ¬pp p SXS Enhancing Simple Induction Simple induction is fast, but often fails to prove properties that are true If can show that S or XS unreachable, then this structure can’t disrupt the proof

22 April 10, 2007Mike Case, DES Seminar22 Proving Properties by Induction Remove violated candidates Can we find invariants? yes no Is there a way to violate the base case? Remaining candidates hold  reachable states Remove violated candidates Obtain a set of candidate properties Is there a way to violate the inductive step? Remove violated candidates yes no yes no … with possibly reachable counterexample states yes

23 April 10, 2007Mike Case, DES Seminar23 Proving That A State Is Unreachable Multiple areas could benefit from a tool that could prove 1 state unreachable –Interpolation –Simple Induction Previous work proves a large set of states unreachable –Proves many small properties –Can we limit the properties to target states of interest?

24 April 10, 2007Mike Case, DES Seminar24 {P} S {P} S The Proof Graph Every property in the set is violated in S Proving any such property implies that S is unreachable {P} are how we will prove S unreachable S is the reason the inductive proof of the properties does not succeed –S is the counterexample in the inductive step of the proof Proving S unreachable is a necessary condition for proving any property in the set S is why we can’t prove {P} (a state) (a set of properties) (a state)

25 April 10, 2007Mike Case, DES Seminar25 Proof Graph Example S 0 {P 0 } 1 {P 0 } 2 {P 0 } 3 S 1 S 3 S 2 {P 1 }{P 3 }{P 2 } Input S 0 Find properties violated in S 0 Prove {P 0 } Cover the new states with properties Prove {P 3 } Prove {P 0 3 }

26 April 10, 2007Mike Case, DES Seminar26 Proof Graph Notes Proof of a property set implies that all parent states are unreachable Proof attempt on leaves only Leaves can be proved independently Select shallowest leaf for next proof

27 April 10, 2007Mike Case, DES Seminar27 Special Case: Cycles If a cycle develops… Cannot prove either property set independently Might be able to prove them together Successful proof implies both states unreachable {P 2 }={P 0 }  {P 1 } S 0 S 1 {P 1 } {P 0 }

28 April 10, 2007Mike Case, DES Seminar28 Can we find invariants? Fixed Point? Bad state reached? Property Verified Property Falsified frontier := initial states frontier += approxImage(frontier) Initialize approximation parameters Cex reached on a BMC from the initial state? Tighten approximation parameters unsat sat no yes no yes no

29 April 10, 2007Mike Case, DES Seminar29 Interpolation Results Solves some problems that previously timed out Needs work

30 April 10, 2007Mike Case, DES Seminar30 Notes on Performance What is “good performance” for a verification tool? –Only meaningful statistics are time, memory, and whether or not verification completed –Industry very concerned with completion on a large set of problems –Slower on average is ok, if we complete on most benchmarks We verify a few designs that previously timed out, but not enough –Lack a powerful simulator –Lots of false properties in the candidate set –This is a work in progress

31 April 10, 2007Mike Case, DES Seminar31 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

32 April 10, 2007Mike Case, DES Seminar32 Simulation Motivation Safety property in S420 –“Small” design –Timeout for me 50% of candidates remain after 10 minute sim –Initial candidate set is quite poor –Can we refine it in 30 seconds?

33 April 10, 2007Mike Case, DES Seminar33 Future Work Continue improving my implementation –Refine candidates with more/better simulation –Try other property domains – maybe implications are the wrong choice Apply my tool in other applications –Could synthesis benefit from knowing that 1 interesting state is unreachable? –Can another state of the art model checker (UCSB) be fitted to use my tool?

34 April 10, 2007Mike Case, DES Seminar34 Questions?

35 April 10, 2007Mike Case, DES Seminar35 Backup

36 April 10, 2007Mike Case, DES Seminar36 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

37 April 10, 2007Mike Case, DES Seminar37 Sequential Synthesis Over-approximate reachable states Under-approximate unreachables Safe to use as sequential don’t cares Sequential don’t cares from 2 minutes of pre-processing give same synthesis results as exact seqdc set

38 April 10, 2007Mike Case, DES Seminar38 Approximate Reachable States SequentialSynthesis Graph Theory Better Verification Interpolation SequentialSimulation Finding Inductive Invariants Synthesis Verification Outline

39 April 10, 2007Mike Case, DES Seminar39 Why Graph Theory motivation

40 April 10, 2007Mike Case, DES Seminar40 Minimum Equivalent Graph C A BFEG D

41 April 10, 2007Mike Case, DES Seminar41 Sequential Simulation Many parallel random walks Identify “interesting” states Re-start random walk from each interesting state Alan Mishchenko BMC from the interesting states Jason Baumgartner, IBM

Download ppt "Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.

Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
IBM Labs in Haifa © 2005 IBM Corporation Adaptive Application of SAT Solving Techniques Ohad Shacham and Karen Yorav Presented by Sharon Barner.

IBM Labs in Haifa © 2005 IBM Corporation Adaptive Application of SAT Solving Techniques Ohad Shacham and Karen Yorav Presented by Sharon Barner.
Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.

Towards More Efficient SAT-Based Model Checking Joao Marques-Silva Electronics & Computer Science University of Southampton LAA C&V Workshop, Isaac Newton.
SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.

SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.
Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.

Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
On-The-Fly Resolve Trace Minimization Ohad Shacham and Karen Yorav IBM Haifa Research Laboratory.

On-The-Fly Resolve Trace Minimization Ohad Shacham and Karen Yorav IBM Haifa Research Laboratory.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.

Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.
Equivalence Checking Sean Weaver.

Equivalence Checking Sean Weaver.
Efficient Reachability Checking using Sequential SAT G. Parthasarathy, M. K. Iyer, K.-T.Cheng, Li. C. Wang Department of ECE University of California –

Efficient Reachability Checking using Sequential SAT G. Parthasarathy, M. K. Iyer, K.-T.Cheng, Li. C. Wang Department of ECE University of California –

Similar presentations

Ads by Google