Property-Directed k-Induction
Dejan Jovanović Bruno Dutertre
SRI International
FMCAD 2016, Mountain View, CA
Thanks to NASA
Outline
1 Introduction
2 Property-Directed k-Induction
3 Experimental Evaluation
![Page 3: Property-Directedk-Induction · Introduction boundedmodelchecking Canfindbugs,cannotproveproperties Canuseoff-the-shelfSAT/SMTsolver Fornon-trivialsystemsunrollingcanbeexpensive](https://reader036.fdocuments.net/reader036/viewer/2022071215/60444ab44690c90281436a98/html5/thumbnails/3.jpg)
Outline
1 Introduction
2 Property-Directed k-Induction
3 Experimental Evaluation
![Page 4: Property-Directedk-Induction · Introduction boundedmodelchecking Canfindbugs,cannotproveproperties Canuseoff-the-shelfSAT/SMTsolver Fornon-trivialsystemsunrollingcanbeexpensive](https://reader036.fdocuments.net/reader036/viewer/2022071215/60444ab44690c90281436a98/html5/thumbnails/4.jpg)
Introduction: the problem

Given a transition system S = ⟨I, T⟩ with
  x⃗: state variables,
  I(x⃗): initial state formula,
  T(x⃗, x⃗′): state transition formula,
check whether all reachable states satisfy a property P.

Example: Zeno
Given S = ⟨I, T⟩ with
  I ≡ (x = 0) ∧ (y = 0.5),   T ≡ (x′ = x + y) ∧ (y′ = y/2),
check whether (x < 1).

Automation goals
  1 Find bugs
  2 Prove properties
Introduction: bounded model checking

Queries for bounds 0, 1, 2, 3:
  I(x⃗0) ∧ ¬P(x⃗0)
  I(x⃗0) ∧ T(x⃗0, x⃗1) ∧ ¬P(x⃗1)
  I(x⃗0) ∧ T(x⃗0, x⃗1) ∧ T(x⃗1, x⃗2) ∧ ¬P(x⃗2)
  I(x⃗0) ∧ T(x⃗0, x⃗1) ∧ T(x⃗1, x⃗2) ∧ T(x⃗2, x⃗3) ∧ ¬P(x⃗3)

Can find bugs, cannot prove properties
Can use an off-the-shelf SAT/SMT solver
For non-trivial systems unrolling can be expensive
Finite reachability
Introduction: induction

  I(x⃗0) ⇒ P(x⃗0)
  P(x⃗0) ∧ T(x⃗0, x⃗1) ⇒ P(x⃗1)

Can prove properties
Can use an off-the-shelf SAT/SMT solver
[diagram: I lies inside P, and every T-step taken from a P-state lands in P]

Zeno
  I ≡ (x = 0) ∧ (y = 0.5)
  T ≡ (x′ = x + y) ∧ (y′ = y/2)
  P ≡ (x < 1)
Zeno: property (x < 1) is not inductive
Zeno: property (x < 1) ∧ (x + 2y ≤ 1) is inductive
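Worked check, added here and not part of the slides, that the strengthened Zeno property is inductive while P alone is not. Write F ≡ (x < 1) ∧ (x + 2y ≤ 1).

Base case: I ≡ (x = 0) ∧ (y = 0.5) gives x = 0 < 1 and x + 2y = 1 ≤ 1, so I ⇒ F.

Step: assume F(x, y) and T, i.e. x′ = x + y and y′ = y/2.
  x′ + 2y′ = (x + y) + 2·(y/2) = x + 2y ≤ 1,
  so the second conjunct is carried over unchanged.
  For the first conjunct, x′ = x + y:
    if y ≤ 0 then x′ ≤ x < 1;
    if y > 0 then x′ = (x + 2y) − y ≤ 1 − y < 1.
Hence F(x⃗) ∧ T(x⃗, x⃗′) ⇒ F(x⃗′), and F ⇒ P ≡ (x < 1) holds by the first conjunct.

Why P alone fails: the (unreachable) state (x, y) = (0, 5) satisfies x < 1, but its T-successor has x′ = 5, so P(x⃗0) ∧ T(x⃗0, x⃗1) ⇒ P(x⃗1) is not valid. The conjunct x + 2y ≤ 1 is exactly what rules such states out.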
Introduction: k-induction

  I(x⃗0) ⇒ P(x⃗0)
  I(x⃗0) ∧ T(x⃗0, x⃗1) ⇒ P(x⃗1)
  I(x⃗0) ∧ T(x⃗0, x⃗1) ∧ T(x⃗1, x⃗2) ⇒ P(x⃗2)
  P(x⃗0) ∧ T(x⃗0, x⃗1) ∧ P(x⃗1) ∧ T(x⃗1, x⃗2) ∧ P(x⃗2) ∧ T(x⃗2, x⃗3) ⇒ P(x⃗3)

Can find bugs, can prove properties
Can use an off-the-shelf SAT/SMT solver
For non-trivial systems unrolling can be expensive
[diagram: the base cases start from I and follow T for 0, 1, 2 steps; the induction step starts from three consecutive P-states joined by T]

Stronger
  I ≡ (x = 0) ∧ (y = 0)
  T ≡ (x′ = (3/5)x + (2/5)y) ∧ (|y′| < 1)
  P ≡ (|x| < 1)
Example: property (|x| < 1) is not inductive
Example: property (|x| < 1) is 2-inductive
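Worked check, added here and not part of the slides, of the two claims about the "Stronger" system.

Not 1-inductive: the induction step assumes only P(x⃗0) ≡ (|x0| < 1) and T(x⃗0, x⃗1), which says nothing about y0. Take (x0, y0) = (0, 5): then x1 = (3/5)·0 + (2/5)·5 = 2, so |x1| < 1 fails.

2-inductive: assume P(x⃗0), T(x⃗0, x⃗1), P(x⃗1), T(x⃗1, x⃗2). The first transition gives |y1| < 1, and P(x⃗1) gives |x1| < 1. Then
  |x2| = |(3/5)x1 + (2/5)y1| ≤ (3/5)|x1| + (2/5)|y1| < 3/5 + 2/5 = 1,
so P(x⃗2) holds. Together with the base cases I ⇒ P (x = 0) and I ∧ T ⇒ P (x1 = 0), this proves P by 2-induction without any strengthening; the extra step in the hypothesis is what supplies the missing bound on y.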
Introduction: strengthening

Key problem: find a strengthening that proves the property

Plain induction on P:
  I(x⃗0) ⇒ P(x⃗0)
  P(x⃗0) ∧ T(x⃗0, x⃗1) ⇒ P(x⃗1)

Induction on a strengthening F:
  I(x⃗0) ⇒ F(x⃗0)
  F(x⃗0) ∧ T(x⃗0, x⃗1) ⇒ F(x⃗1)
  F(x⃗) ⇒ P(x⃗)
[diagram: F assembled from lemmas L1, L2, L3 inside P; T-steps from F stay inside F]

Same for k-induction
Is k-induction stronger?
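The following is an added example, not code from the slides or from the authors' tool: it runs the BMC, induction, k-induction and strengthening checks from the preceding slides on a constructed finite-state system, with brute-force enumeration standing in for the SAT/SMT solver. The system is a finite analogue of the "Stronger" example above (x′ copies y, T bounds y′ but P says nothing about y), so P is not 1-inductive but is 2-inductive, and the strengthening F ≡ (x ≤ 1) ∧ (y ≤ 1) is 1-inductive. All names and the state space are this example's own assumptions.

```python
# Added example (not from the slides): BMC, k-induction and strengthening on a
# constructed finite-state system; enumeration replaces the SAT/SMT solver.
from itertools import product

# Constructed state space: x, y in 0..7.
STATES = [(x, y) for x, y in product(range(8), repeat=2)]

def init(s):            # I(x, y)  ==  x = 0 ∧ y = 0
    return s == (0, 0)

def trans(s, t):        # T((x, y), (x', y'))  ==  x' = y ∧ y' ≤ 1
    (x, y), (x2, y2) = s, t
    return x2 == y and y2 <= 1

def prop(s):            # P(x, y)  ==  x ≤ 1
    return s[0] <= 1

def prop_strong(s):     # F(x, y)  ==  x ≤ 1 ∧ y ≤ 1, a strengthening with F ⇒ P
    return s[0] <= 1 and s[1] <= 1

def paths(starts, steps):
    """All T-paths with the given number of steps that start in `starts`."""
    frontier = [(s,) for s in starts]
    for _ in range(steps):
        frontier = [p + (t,) for p in frontier for t in STATES if trans(p[-1], t)]
    return frontier

def bmc(P, k):
    """Bound-k BMC query I(s0) ∧ T(s0,s1) ∧ ... ∧ T(s_{k-1},s_k) ∧ ¬P(s_k).
    Returns a counterexample path, or None if nothing within k steps violates P."""
    for p in paths([s for s in STATES if init(s)], k):
        if not P(p[-1]):
            return p
    return None

def induction_step(P, k):
    """k-inductive step P(s0) ∧ T ∧ P(s1) ∧ ... ∧ P(s_{k-1}) ∧ T ⇒ P(s_k).
    Starts from ANY P-state, reachable or not. Returns a violating path or None."""
    for p in paths([s for s in STATES if P(s)], k):
        if all(P(s) for s in p[:-1]) and not P(p[-1]):
            return p
    return None

def k_induction(P, k):
    """('invalid', trace)  if some base case (BMC bound < k) fails,
    ('valid', None)        if all base cases and the k-step hold,
    ('unknown', path)      if the k-step fails; the path may start in an
                           unreachable state, so it is not a real bug."""
    for i in range(k):
        cex = bmc(P, i)
        if cex is not None:
            return ("invalid", cex)
    step = induction_step(P, k)
    return ("valid", None) if step is None else ("unknown", step)

if __name__ == "__main__":
    print("P 1-inductive?", k_induction(prop, 1))          # unknown: step fails from (0, 2)
    print("P 2-inductive?", k_induction(prop, 2))          # valid
    print("F 1-inductive?", k_induction(prop_strong, 1))   # valid: the strengthening closes it
    print("x = 0 holds?  ", k_induction(lambda s: s[0] == 0, 3))  # invalid, with a BMC trace
```

The 'unknown' verdict is the point of the strengthening slide: the failing path for k = 1 starts in a state that no real execution reaches, so either a deeper k or an extra conjunct that excludes such states is needed before the solver's answer says anything about the system.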
Introduction: timeline

  Induction
  Bounded model checking [BCCZ99]
  k-induction [SSS00]
  Interpolation-based model checking [McM03]
  IC3/PDR [Bra11]

  based on induction
  incremental strengthening
  no unrolling: lots of “easy” queries
  interpolation-based learning

Lots of work on SMT-based extensions [HB12, CG12, KGC14, CGMT14]
Outline
1 Introduction
2 Property-Directed k-Induction
3 Experimental Evaluation
Property-Directed k-Induction: modules

  SMT solving: more than SAT/UNSAT
  1-step reachability: more than reachable/unreachable
  k-step reachability: more than reachable/unreachable
  k-induction: search for a strengthening and learn from failures
Property-Directed k-Induction: 1-step reachability

[diagram: R —T→ F; on SAT a generalized counterexample G inside R, on UNSAT an interpolant J between the T-successors of R and F]

Basic satisfiability query
  R(x⃗) ∧ T(x⃗, x⃗′) ∧ F(x⃗′)
SAT: generalize the counterexample to G (YICES2 with [KGC14])
UNSAT: interpolate, with J refuting F (MATHSAT5)
Property-Directed k-Induction: k-step reachability

Reachability in k steps
Given F that is not reachable in < k steps, check if it’s reachable in k steps.
[diagram: frames R0 —T→ R1 —T→ R2 —T→ …]
  Ri valid up to i
  1-step backward search
  learn and refine Ri
  all the way: reachable
  unreachable: learn; learned fact valid up to k
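The following is an added example, not code from the slides or from the authors' tool: it implements the 1-step reachability query and the k-step backward search of the two preceding slides on a constructed finite-state system, with set enumeration in place of the SMT solver. In this finite setting the generalized counterexample G is the whole set of R-states with a T-successor in F (standing in for the model generalization the slides credit to YICES2 with [KGC14]), and the interpolant J is the post-image of R (standing in for MATHSAT5's interpolant); both names, the frames and the state space are this example's own assumptions.

```python
# Added example (not from the slides): the query R(x) ∧ T(x,x') ∧ F(x') and a
# k-step backward search over frames, with set enumeration replacing the solver.

STATES = [(x, y) for x in range(8) for y in range(8)]   # constructed: x, y in 0..7

def trans(s, t):        # T((x, y), (x', y'))  ==  x' = y ∧ y' ≤ 1
    return t[0] == s[1] and t[1] <= 1

def post(R):
    """Image of the state set R under T: every x' with some x ∈ R and T(x, x')."""
    return {t for s in R for t in STATES if trans(s, t)}

def one_step(R, F):
    """Decide R(x) ∧ T(x, x') ∧ F(x').
    ('SAT', G):   G ⊆ R is the set of R-states with a T-successor in F, i.e. one
                  model generalized to every model with the same shape.
    ('UNSAT', J): J = post(R) satisfies R(x) ∧ T(x, x') ⇒ J(x') and J ∧ F is
                  unsatisfiable, so J is an interpolant that refutes F."""
    G = {s for s in R if any(t in F for t in post({s}))}
    if G:
        return ("SAT", G)
    return ("UNSAT", post(R))

def backward_search(frames, F):
    """k-step backward search. frames[i] = R_i is a set valid up to i (it contains
    every state reachable in i steps) and frames[0] is the initial states. The
    target F sits at level k = len(frames) - 1 and is pushed back one step at a
    time: SAT replaces the target by G one level down; reaching level 0 means F
    is reachable in k steps ("all the way"); UNSAT at level i stops with the
    learned fact J, which every state reachable in exactly i steps satisfies."""
    targets = [F]
    for i in range(len(frames) - 1, 0, -1):
        verdict, payload = one_step(frames[i - 1], targets[-1])
        if verdict == "UNSAT":
            return ("unreachable", i, payload)
        targets.append(payload)
    return ("reachable", targets)

if __name__ == "__main__":
    exact = [{(0, 0)}, {(0, 0), (0, 1)}, {(0, 0), (0, 1), (1, 0), (1, 1)}]  # exact R_i
    over = [{(0, 0)}] + [{s for s in STATES if s[0] <= 1}] * 2   # R_1, R_2 over-approximated
    x_is_2 = {s for s in STATES if s[0] == 2}
    print(backward_search(exact, {s for s in STATES if s[0] == 1}))  # reachable in 2 steps
    print(backward_search(exact, x_is_2))                            # unreachable at level 2
    print(backward_search(over, x_is_2))   # SAT at level 2 (spurious), UNSAT at level 1
```

The last call shows why the slides distinguish "valid up to i" frames from exact reachability: an over-approximate R_1 admits a one-step predecessor of x = 2 that no real execution reaches, and only the next query against R_0 = I refutes it, returning the interpolant {(0,0), (0,1)} as the fact to learn about states one step from I.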
Property-Directed k-Induction: main procedure

Require: S = ⟨I, T⟩ and I ⇒ P
function PD-KIND(S, P)
  n ← 0
  F ← {(P, ¬P)}
  loop
    pick k-induction depth 1 ≤ k ≤ n + 1
    ⟨F, G, np⟩ ← PUSH(S, F, P, n, k)
    if P marked invalid then return invalid
    if F = G then return valid
    n ← np
    F ← G

Setup
  single reasoning frame F
  reasoning index n
  obligations (F_ABS, F_CEX) ∈ F
    F_ABS is valid up to n
    F_CEX leads to ¬P, F_ABS refutes F_CEX
Initially
  P is valid up to n = 0
  obligation (P, ¬P): ¬P leads to ¬P, P refutes ¬P
Require: S = ⟨I, T⟩ and I⇒ P1 function PD-KIND(S, P)2 n← 03 F ← {(P,¬P)}4 loop5 pick k-induction depth 1 ≤ k ≤ n+ 16 ⟨F ,G, np⟩ ← PUSH(S,F , P, n, k)7 if Pmarked invalid then return invalid8 if F = G then return valid9 n← np10 F ← G
Setupsingle reasoning frameFreasoning index nobligations (FABS, FCEX) ∈ FFABS is valid up to nFCEX ¬P, FABS refutes FCEX
InitiallyP is valid up to n = 0
¬P ¬P, P refutes¬P
![Page 61: Property-Directedk-Induction · Introduction boundedmodelchecking Canfindbugs,cannotproveproperties Canuseoff-the-shelfSAT/SMTsolver Fornon-trivialsystemsunrollingcanbeexpensive](https://reader036.fdocuments.net/reader036/viewer/2022071215/60444ab44690c90281436a98/html5/thumbnails/61.jpg)
Property-Directed k-Inductionmain procedure
Require: S = ⟨I, T⟩ and I⇒ P1 function PD-KIND(S, P)2 n← 03 F ← {(P,¬P)}4 loop5 pick k-induction depth 1 ≤ k ≤ n+ 16 ⟨F ,G, np⟩ ← PUSH(S,F , P, n, k)7 if Pmarked invalid then return invalid8 if F = G then return valid9 n← np10 F ← G
Setupsingle reasoning frameFreasoning index nobligations (FABS, FCEX) ∈ FFABS is valid up to nFCEX ¬P, FABS refutes FCEX
InitiallyP is valid up to n = 0
¬P ¬P, P refutes¬P
![Page 62: Property-Directedk-Induction · Introduction boundedmodelchecking Canfindbugs,cannotproveproperties Canuseoff-the-shelfSAT/SMTsolver Fornon-trivialsystemsunrollingcanbeexpensive](https://reader036.fdocuments.net/reader036/viewer/2022071215/60444ab44690c90281436a98/html5/thumbnails/62.jpg)
Property-Directed k-Inductionmain procedure
Require: S = ⟨I, T⟩ and I⇒ P1 function PD-KIND(S, P)2 n← 03 F ← {(P,¬P)}4 loop5 pick k-induction depth 1 ≤ k ≤ n+ 16 ⟨F ,G, np⟩ ← PUSH(S,F , P, n, k)7 if Pmarked invalid then return invalid8 if F = G then return valid9 n← np10 F ← G
Setupsingle reasoning frameFreasoning index nobligations (FABS, FCEX) ∈ FFABS is valid up to nFCEX ¬P, FABS refutes FCEX
InitiallyP is valid up to n = 0
¬P ¬P, P refutes¬P
Property-Directed k-Induction: main procedure

[figure] The frame F is valid in frames 0, ..., n. The induction check F ∧ T ⇒ F and the k-induction check F ∧ T ∧ ... ∧ F ∧ T ⇒ F are run relative to F; after PUSH, F remains valid in frames 0, ..., n and G is valid in frames n+1, ..., np.
Property-Directed k-Induction: the PUSH procedure

Pick an obligation (FABS, FCEX) ∈ F

F ∧ T ∧ ... ∧ F ∧ T ⇒ FABS
F ∧ T ∧ ... ∧ F ∧ T ∧ FCEX

Is FABS k-inductive relative to F?
  If yes, push it ✓
  If no, get the generalization GCTI of the CTI

Can we get to FCEX?
  If yes, then generalize to GCEX
    If GCEX reachable, then we have a counter-example to P ✓
    If GCEX not reachable, learn lemma to eliminate GCEX ✓

We have a generalization GCTI of the CTI, and cannot get to FCEX
  If GCTI reachable, weaken FABS to ¬FCEX ✓
  If GCTI not reachable, learn lemma and strengthen FABS ✓
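As an added illustration of the main procedure and of the two PUSH queries above (example code written for this transcript, not from the paper or from SALLY), the following Python replaces the SMT solver with explicit enumeration over a small constructed finite-state system: k_cti stands in for the query F ∧ T ∧ ... ∧ F ∧ T ⇒ FABS, bmc_reach for the "can we get there?" reachability check, and lemma is the strengthening a PD-KIND run would learn from the k = 1 CTI. The system, the property P and the lemma are all constructed assumptions, chosen so that P is 2-inductive but needs a lemma at k = 1.

```python
from itertools import product

# Constructed finite-state example (not from the paper): a modulo-3 counter whose
# "cnt == 2" pulse is delayed through `prev` into `out`. State = (cnt, prev, out).
STATES = list(product(range(3), range(2), range(2)))
INIT = (0, 0, 0)

def step(s):
    """Transition relation T; deterministic here, so one successor per state."""
    cnt, prev, _ = s
    return ((cnt + 1) % 3, int(cnt == 2), prev)

def P(s):
    """Property: when the delayed pulse shows on `out`, the counter must read 1."""
    cnt, _, out = s
    return out == 0 or cnt == 1

def k_cti(prop, k, frame=None):
    """Stand-in for the SMT query F ∧ T ∧ ... ∧ F ∧ T ⇒ prop: a path s0..sk with
    frame(si) and prop(si) for i < k but not prop(sk) (a CTI), else None."""
    frame = frame or (lambda s: True)
    for s0 in STATES:
        path = [s0]
        for _ in range(k):
            path.append(step(path[-1]))
        if all(frame(s) and prop(s) for s in path[:-1]) and not prop(path[-1]):
            return path
    return None

def bmc_reach(target, k):
    """Bounded 'can we get there?' query: number of steps from INIT to the first
    state satisfying target, or None if none is reached within k steps."""
    s = INIT
    for i in range(k + 1):
        if target(s):
            return i
        s = step(s)
    return None

def k_induction(prop, k, frame=None):
    """k-induction: base case (no violation within k-1 steps) + inductive step."""
    base_ok = bmc_reach(lambda s: not prop(s), k - 1) is None
    return base_ok and k_cti(prop, k, frame) is None

def lemma(s):
    """Strengthening a PD-KIND run would learn from the k=1 CTI, whose first state
    bmc_reach shows unreachable: prev may be 1 only while cnt is 0."""
    cnt, prev, _ = s
    return prev == 0 or cnt == 0

if __name__ == "__main__":
    print("1-CTI for P:", k_cti(P, 1))                      # a path, so not 1-inductive
    print("P 2-inductive:", k_induction(P, 2))              # True, no lemma needed
    print("lemma inductive:", k_induction(lemma, 1))        # True
    print("P 1-inductive rel. lemma:", k_induction(P, 1, lemma))  # True
```

The run shows the trade-off stated in the evaluation slides: at k = 2 the property is proved without any strengthening, while at k = 1 the procedure must first eliminate the unreachable CTI state with a lemma.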
Outline
1 Introduction
2 Property-Directed k-Induction
3 Experimental Evaluation
Experimental Evaluation: overall

| problem set | Z3 ✓ | Z3 ⊤/⊥ | Z3 time | SPACER ✓ | SPACER ⊤/⊥ | SPACER time | NUXMV ✓ | NUXMV ⊤/⊥ | NUXMV time | PD-KIND ✓ | PD-KIND ⊤/⊥ | PD-KIND time |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| approximate-agreement (9) | 9 | 8/1 | 213 | 7 | 6/1 | 1150 | 9 | 8/1 | 2174 | 9 | 8/1 | 164 |
| azadmanesh-kieckhafer (20) | 20 | 17/3 | 3404 | 20 | 17/3 | 4678 | 20 | 17/3 | 294 | 20 | 17/3 | 192 |
| cav12 (99) | 69 | 48/21 | 2102 | 71 | 49/22 | 3529 | 72 | 50/22 | 7443 | 71 | 49/22 | 4990 |
| conc (6) | 4 | 4/0 | 128 | 4 | 4/0 | 655 | 6 | 6/0 | 421 | 4 | 4/0 | 270 |
| ctigar (110) | 64 | 44/20 | 1683 | 72 | 52/20 | 4249 | 76 | 56/20 | 1342 | 77 | 57/20 | 2823 |
| hacms (5) | 1 | 1/0 | 11 | 1 | 1/0 | 4 | 4 | 3/1 | 388 | 5 | 3/2 | 1661 |
| lustre (790) | 757 | 421/336 | 1888 | 763 | 427/336 | 2263 | 760 | 424/336 | 7660 | 774 | 438/336 | 3494 |
| oral-messages (9) | 9 | 7/2 | 16 | 9 | 7/2 | 44 | 9 | 7/2 | 161 | 9 | 7/2 | 2 |
| tta-startup (3) | 1 | 1/0 | 9 | 1 | 1/0 | 8 | 1 | 1/0 | 17 | 1 | 1/0 | 8 |
| tte-synchro (6) | 6 | 3/3 | 969 | 6 | 3/3 | 445 | 5 | 2/3 | 405 | 6 | 3/3 | 21 |
| unified-approx (11) | 8 | 5/3 | 2928 | 11 | 8/3 | 589 | 11 | 8/3 | 139 | 11 | 8/3 | 217 |
| total | 948 | 559/389 | 13351 | 965 | 575/390 | 17614 | 973 | 582/391 | 20444 | 987 | 595/392 | 13842 |

✓ = problems solved, ⊤/⊥ = proved valid / shown invalid; timeout of 20 minutes; Z3 [HB12], NUXMV [CGMT14], SPACER [KGC14]
Experimental Evaluation: as a variant of IC3/PDR

| problem set | Z3 ✓ | Z3 ⊤/⊥ | Z3 time | SPACER ✓ | SPACER ⊤/⊥ | SPACER time | NUXMV ✓ | NUXMV ⊤/⊥ | NUXMV time | PD-KIND∞ ✓ | PD-KIND∞ ⊤/⊥ | PD-KIND∞ time | PD-KIND1 ✓ | PD-KIND1 ⊤/⊥ | PD-KIND1 time |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| approximate-agreement (9) | 9 | 8/1 | 213 | 7 | 6/1 | 1150 | 9 | 8/1 | 2174 | 9 | 8/1 | 164 | 9 | 8/1 | 155 |
| azadmanesh-kieckhafer (20) | 20 | 17/3 | 3404 | 20 | 17/3 | 4678 | 20 | 17/3 | 294 | 20 | 17/3 | 192 | 20 | 17/3 | 107 |
| cav12 (99) | 69 | 48/21 | 2102 | 71 | 49/22 | 3529 | 72 | 50/22 | 7443 | 71 | 49/22 | 4990 | 74 | 50/24 | 6404 |
| conc (6) | 4 | 4/0 | 128 | 4 | 4/0 | 655 | 6 | 6/0 | 421 | 4 | 4/0 | 270 | 5 | 5/0 | 164 |
| ctigar (110) | 64 | 44/20 | 1683 | 72 | 52/20 | 4249 | 76 | 56/20 | 1342 | 77 | 57/20 | 2823 | 73 | 53/20 | 4920 |
| hacms (5) | 1 | 1/0 | 11 | 1 | 1/0 | 4 | 4 | 3/1 | 388 | 5 | 3/2 | 1661 | 1 | 1/0 | 2 |
| lustre (790) | 757 | 421/336 | 1888 | 763 | 427/336 | 2263 | 760 | 424/336 | 7660 | 774 | 438/336 | 3494 | 769 | 431/338 | 2019 |
| oral-messages (9) | 9 | 7/2 | 16 | 9 | 7/2 | 44 | 9 | 7/2 | 161 | 9 | 7/2 | 2 | 9 | 7/2 | 74 |
| tta-startup (3) | 1 | 1/0 | 9 | 1 | 1/0 | 8 | 1 | 1/0 | 17 | 1 | 1/0 | 8 | 2 | 1/1 | 742 |
| tte-synchro (6) | 6 | 3/3 | 969 | 6 | 3/3 | 445 | 5 | 2/3 | 405 | 6 | 3/3 | 21 | 6 | 3/3 | 60 |
| unified-approx (11) | 8 | 5/3 | 2928 | 11 | 8/3 | 589 | 11 | 8/3 | 139 | 11 | 8/3 | 217 | 11 | 8/3 | 158 |
| total | 948 | 559/389 | 13351 | 965 | 575/390 | 17614 | 973 | 582/391 | 20444 | 987 | 595/392 | 13842 | 979 | 584/395 | 14805 |

✓ = problems solved, ⊤/⊥ = proved valid / shown invalid; timeout of 20 minutes; Z3 [HB12], NUXMV [CGMT14], SPACER [KGC14]
Experimental Evaluation: overall

Effective and robust on real-world problems
Good at both proving properties and finding bugs
k-induction: can prove properties using a smaller strengthening
k-induction: the only engine that can prove all k-inductive properties
k-induction: effective bug-finder due to the longer steps of k-induction
Experimental Evaluation: k-induction
Summary

New method for infinite-state systems:
  variant of IC3/PDR based on k-induction
  effective in practice: proofs and bugs
  focuses on induction rather than bugs
  no SMT query left behind
  more powerful than k-induction
  modular: tunable, amenable to heuristics
  implemented in SALLY (fork me at GitHub)
References I
[BCCZ99] Armin Biere, Alessandro Cimatti, Edmund Clarke, and Yunshan Zhu. Symbolic model checking without BDDs. In Tools and Algorithms for the Construction and Analysis of Systems, pages 193–207, 1999.
[Bra11] Aaron R. Bradley. SAT-based model checking without unrolling. In Verification, Model Checking, and Abstract Interpretation, pages 70–87, 2011.
[CG12] Alessandro Cimatti and Alberto Griggio. Software model checking via IC3. In Computer Aided Verification, pages 277–293, 2012.
[CGMT14] Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. IC3 modulo theories via implicit predicate abstraction. In Tools and Algorithms for the Construction and Analysis of Systems, pages 46–61, 2014.
[HB12] Kryštof Hoder and Nikolaj Bjørner. Generalized property directed reachability. In Theory and Applications of Satisfiability Testing, pages 157–171, 2012.
[KGC14] Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. SMT-based model checking for recursive programs. In Computer Aided Verification, pages 17–34, 2014.
References II
[McM03] Kenneth L. McMillan. Interpolation and SAT-based model checking. In International Conference on Computer Aided Verification, pages 1–13, 2003.
[SSS00] Mary Sheeran, Satnam Singh, and Gunnar Stålmarck. Checking safety properties using induction and a SAT-solver. In Formal Methods in Computer-Aided Design, pages 127–144, 2000.