473 research outputs found
IC3-Guided Abstraction
Abstract-Localization is a powerful automated abstraction-refinement technique to reduce the complexity of property checking. This process is often guided by SATbased bounded model checking, using counterexamples obtained on the abstract model, proofs obtained on the original model, or a combination of both to select irrelevant logic. In this paper, we propose the use of bounded invariants obtained during an incomplete IC3 run to derive higher-quality abstractions for complex problems. Experiments confirm that this approach yields significantly smaller abstractions in many cases, and that the resulting abstract models are often easier to verify
PrIC3: Property Directed Reachability for MDPs
IC3 has been a leap forward in symbolic model checking. This paper proposes
PrIC3 (pronounced pricy-three), a conservative extension of IC3 to symbolic
model checking of MDPs. Our main focus is to develop the theory underlying
PrIC3. Alongside, we present a first implementation of PrIC3 including the key
ingredients from IC3 such as generalization, repushing, and propagation
The JKind Model Checker
JKind is an open-source industrial model checker developed by Rockwell
Collins and the University of Minnesota. JKind uses multiple parallel engines
to prove or falsify safety properties of infinite state models. It is portable,
easy to install, performance competitive with other state-of-the-art model
checkers, and has features designed to improve the results presented to users:
inductive validity cores for proofs and counterexample smoothing for test-case
generation. It serves as the back-end for various industrial applications.Comment: CAV 201
Leveraging Datapath Propagation in IC3 for Hardware Model Checking
IC3 is a famous bit-level framework for safety verification. By incorporating
datapath abstraction, a notable enhancement in the efficiency of hardware
verification can be achieved. However, datapath abstraction entails a coarse
level of abstraction where all datapath operations are approximated as
uninterpreted functions. This level of abstraction, albeit useful, can lead to
an increased computational burden during the verification process as it
necessitates extensive exploration of redundant abstract state space.
In this paper, we introduce a novel approach called datapath propagation. Our
method involves leveraging concrete constant values to iteratively compute the
outcomes of relevant datapath operations and their associated uninterpreted
functions. Meanwhile, we generate potentially useful datapath propagation
lemmas in abstract state space and tighten the datapath abstraction. With this
technique, the abstract state space can be reduced, and the verification
efficiency is significantly improved. We implemented the proposed approach and
conducted extensive experiments. The results show promising improvements of our
approach compared to the state-of-the-art verifiers
Automatic Abstraction in SMT-Based Unbounded Software Model Checking
Software model checkers based on under-approximations and SMT solvers are
very successful at verifying safety (i.e. reachability) properties. They
combine two key ideas -- (a) "concreteness": a counterexample in an
under-approximation is a counterexample in the original program as well, and
(b) "generalization": a proof of safety of an under-approximation, produced by
an SMT solver, are generalizable to proofs of safety of the original program.
In this paper, we present a combination of "automatic abstraction" with the
under-approximation-driven framework. We explore two iterative approaches for
obtaining and refining abstractions -- "proof based" and "counterexample based"
-- and show how they can be combined into a unified algorithm. To the best of
our knowledge, this is the first application of Proof-Based Abstraction,
primarily used to verify hardware, to Software Verification. We have
implemented a prototype of the framework using Z3, and evaluate it on many
benchmarks from the Software Verification Competition. We show experimentally
that our combination is quite effective on hard instances.Comment: Extended version of a paper in the proceedings of CAV 201
Counterexample-Guided Prophecy for Model Checking Modulo the Theory of Arrays
We develop a framework for model checking infinite-state systems by
automatically augmenting them with auxiliary variables, enabling
quantifier-free induction proofs for systems that would otherwise require
quantified invariants. We combine this mechanism with a counterexample-guided
abstraction refinement scheme for the theory of arrays. Our framework can thus,
in many cases, reduce inductive reasoning with quantifiers and arrays to
quantifier-free and array-free reasoning. We evaluate the approach on a wide
set of benchmarks from the literature. The results show that our implementation
often outperforms state-of-the-art tools, demonstrating its practical
potential.Comment: 23 pages, 1 figure, 1 table, extended version of paper to be
published in International Conference on Tools and Algorithms for the
Construction and Analysis of Systems 202
Unbounded Scalable Hardware Verification.
Model checking is a formal verification method that has been successfully applied to real-world hardware and software designs. Model checking tools, however, encounter the so-called state-explosion problem, since the size of the state spaces of such designs is exponential in the number of their state elements. In this thesis, we address this problem by exploiting the power of two complementary approaches: (a) counterexample-guided abstraction and refinement (CEGAR) of the design's datapath; and (b) the recently-introduced incremental induction algorithms for approximate reachability. These approaches are well-suited for the verification of control-centric properties in hardware designs consisting of wide datapaths and complex control logic. They also handle most complex design errors in typical hardware designs. Datapath abstraction prunes irrelevant bit-level details of datapath elements, thus greatly reducing the size of the state space that must be analyzed and allowing the verification to be focused on the control logic, where most errors originate. The induction-based approximate reachability algorithms offer the potential of significantly reducing the number of iterations needed to prove/disprove given properties by avoiding the implicit or explicit enumeration of reachable states. Our implementation of this verification framework, which we call the Averroes system, extends the approximate reachability algorithms at the bit level to first-order logic with equality and uninterpreted functions. To facilitate this extension, we formally define the solution space and state space of the abstract transition system produced by datapath abstraction. In addition, we develop an efficient way to represent sets of abstract solutions involving present- and next-states and a systematic way to project such solutions onto the space of just the present-state variables. To further increase the scalability of the Averroes verification system, we introduce the notion of structural abstraction, which extends datapath abstraction with two optimizations for better classification of state variables as either datapath or control, and with efficient memory abstraction techniques. We demonstrate the scalability of this approach by showing that Averroes significantly outperforms bit-level verification on a number of industrial benchmarks.PhDComputer Science and EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/133375/1/suholee_1.pd
Invariant Synthesis for Incomplete Verification Engines
We propose a framework for synthesizing inductive invariants for incomplete
verification engines, which soundly reduce logical problems in undecidable
theories to decidable theories. Our framework is based on the counter-example
guided inductive synthesis principle (CEGIS) and allows verification engines to
communicate non-provability information to guide invariant synthesis. We show
precisely how the verification engine can compute such non-provability
information and how to build effective learning algorithms when invariants are
expressed as Boolean combinations of a fixed set of predicates. Moreover, we
evaluate our framework in two verification settings, one in which verification
engines need to handle quantified formulas and one in which verification
engines have to reason about heap properties expressed in an expressive but
undecidable separation logic. Our experiments show that our invariant synthesis
framework based on non-provability information can both effectively synthesize
inductive invariants and adequately strengthen contracts across a large suite
of programs
- …