Automated Extraction of Inductive
Invariants to Aid Model Checking
Michael L. Case, Alan Mishchenko, and Robert K. Brayton
University of California, Berkeley
FMCAD 2007
Motivation
Design w/
Safety Property
Design w/
Safety Property
Additional Design
Information
Verification Time



What kind of information will help verification?
How do we know when we’ve given enough information?
Is the additional information easily verifiable?
November 14, 2007
Mike Case, FMCAD 2007
2
Abstract

Present a framework to automatically
find/prove this extra design information




Local properties (Inductive Invariants)
Only considered if they help the verification
Limited in number, easy to prove correct
Verifying safety properties in a gate-level
hardware design

Interpolation used as a case study
November 14, 2007
Mike Case, FMCAD 2007
3
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
4
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
5
Approximating the Reachable States

Prove inductive invariants


(local properties that hold  reachable states)
Conjunction gives reachability approximation
I
November 14, 2007
Mike Case, FMCAD 2007
6
Quickly Proving Local Properties

Our previous work




Derive a large set of candidate invariants
(implications)
Proved in a van Eijk-style induction
Tries to prove as many properties as possible
Do we need to prove all properties?


Are some better than others?
Tight reachability approx. or just “good
enough”?
November 14, 2007
Mike Case, FMCAD 2007
7
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
8
The Interpolation Algorithm
Initialize approximation
parameters
Reachability:
Tighten approximation
parameters
Image 2
Image 1
frontier := initial states
Bad state reached?
B
I
yes
Interpolation:
no
Image 2
frontier +=
approxImage(frontier)
no
Fixed Point?
yes
Property Verified
November 14, 2007
Cex reached
directly from the
initial state?
Image 1
no
I
B
S
yes
Property Falsified
Mike Case, FMCAD 2007
9
Problems With Interpolation

Can explore unreachable states



No control over the approximate image
Often can’t decide if an encountered bad state is
reachable
Requires frequent restarts


Refining the approximation parameters and
restarting is the most expensive operation
Discards all prior work
November 14, 2007
Mike Case, FMCAD 2007
10
Enhancing Interpolation

Possible to avoid the model refinement



Show either S or B unreachable
 Invariants that are violated in either S or B
Suppose we had a tool to find invariants to do this
 Adding the invariants to our satisfiability solver would
prevent S or B from being explored
Image 2
Image 1
I
November 14, 2007
S
Mike Case, FMCAD 2007
B
11
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
12
Targetted Invariant Tool


Given a state S that we want to prove
unreachable
Find {P} such that


Implies that S is unreachable
Can be proved with simple (one-step) induction
November 14, 2007
Mike Case, FMCAD 2007
13
Initialize approximation
parameters
Tighten approximation
parameters
frontier := initial states
Bad state reached?
no
yes
Can we
find invariants?
yes
no
frontier +=
approxImage(frontier)
Cex reached
directly from the
initial state?
no
Fixed Point?
yes
no
yes
Property Falsified
Property Verified
November 14, 2007
Mike Case, FMCAD 2007
14
Proving A State Unreachable

Previous work proves a large set of states
unreachable


Proves many small properties
Can we limit the invariants to target states of
interest?
November 14, 2007
Mike Case, FMCAD 2007
15
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
16
The Proof Graph
S
{ P}



{ P}
(a state)
(a set of
properties)
S
Every property in the set is
violated in S
Proving any such property
implies that S is unreachable
{P} are how we will prove S
unreachable


November 14, 2007
(a state)
S is the reason the inductive proof
of the properties does not succeed


(a set of
properties)
S is the counterexample in the
simple induction proof
Proving S unreachable is a
necessary condition for proving
any property in the set
S is why we can’t prove {P}
Mike Case, FMCAD 2007
17
Proof Graph Example
S0

{ P0 1 }
{ P0 2 }
{ P0 3 }
S1
S2
S3



{ P2 }
{ P3 }


Input S0
Find properties violated
in S0
Prove {P0}
Cover the new states
with properties
Prove {P3}
Prove {P03}
{ P1 }
November 14, 2007
Mike Case, FMCAD 2007
18
Outline



Forming a reachability approximation
Brief introduction to Interpolation
Tailoring reachable approximation for a target
application



Helping interpolation
Proof graph formulation
Experimental results
November 14, 2007
Mike Case, FMCAD 2007
19
Experimental Results

ABC logic synthesis system used as software
base

Extended through two C++ plugin libraries:



User can select to use interpolation alone or
interpolation + proof graph


Interpolation
Proof graph formulation (this work)
Refuting error traces is an option
Tested on extensively on both academic and
industrial benchmarks
November 14, 2007
Mike Case, FMCAD 2007
20
“Hard” Academic Benchmarks


Verified 154 academic benchmarks (TIP suite)
 18 timeout in 2 hours with standard interpolation
 9 of these are “easy” when the proof graph refutes
counterexample traces
Why are there no false properties here?
November 14, 2007
Mike Case, FMCAD 2007
21
“Hard” Industrial Benchmarks

1800
43 industrial
benchmarks




Sequential
Equivalence Checking
benchmarks
1800 second timeout
Problems “hard” for
standard interpolation
Enabling proof graph
dramatically helps
runtime
1800
November 14, 2007
Mike Case, FMCAD 2007
22
Summary





Motivated need for a tool to show that a
selected state is unreachable
Constructed such a tool using the proof graph
formulation
Applied the tool to help interpolation
Demonstrated the effectiveness on a variety
of benchmarks
Thank you.
November 14, 2007
Mike Case, FMCAD 2007
23