Generalized Property Directed Reachability
Kryštof Hoder (The University of Manchester), Nikolaj Bjørner (Microsoft Research)
Published by Cool Press Ltd (EasyChair)
Tools using Z3 for fixedpoints
Methodologies (as laid out on the slide): Separation Logic, Simulation Relation, Summaries, Abstract Interpretation, Logic Programming, Predicate-Based MC, Abstraction Refinement, Fixed-Point BDD MC, Interpolating MC
Tools: SLAyer, GateKeeper, SAGE, Houdini, Datalog, Havoc, Poirot, Corral
Solvers for Recursive Predicates
- Points-to analysis
- Contract checking
- Symbolic software checking
- Property Directed Reachability solver
- Datalog + relational domains
- Services for other solvers (quantifier elimination, fold/unfold simplification)
Psst, BTW, SAT/SMT rocks
[Figure: developer's comment on a bug recently found by SAGE]
SAGE is a white-box fuzzing tool used internally at Microsoft. It has invoked Z3 several billion times by now and uncovered hundreds of bugs. Try the Pex tool on Pex4fun.com.
PDR: Property Directed Reachability
Based on: The IC3 Algorithm for Symbolic Model Checking, by Aaron Bradley
This paper:
- Transition system formulation: decomposes the main steps, with a priority queue
- Procedures: regular vs. push-down systems
- Beyond propositional logic: Linear Real Arithmetic (timed automata); decision procedures (interpolants from models)
Motivation: Recursive Procedures
mc(x) = x - 10          if x > 100
mc(x) = mc(mc(x + 11))  if x ≤ 100
assert (mc(x) ≥ 91)
Program Verification as SMT [Bjørner, McMillan, Rybalchenko, SMT workshop 2012]
Program verification (safety), as solving fixed-points, as satisfiability of Horn clauses
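The McCarthy 91 motivation above, written out as Horn clauses for Z3's fixedpoint (muZ) front end in SMT-LIB syntax. This is an added example, not taken from the slides or the paper; the relation names `mc` and `err` are my own, and the engine option names Z3's current PDR-derived engine (Spacer), which has superseded the `pdr` engine the slides describe.

```smt2
; Added example (not from the slides): McCarthy 91 as Horn clauses.
; Relation names mc and err are assumptions of this example.

; Z3's current PDR-derived engine; the 2012 engine was selected as "pdr".
(set-option :fixedpoint.engine spacer)

; mc(x, r) holds when the procedure called with argument x may return r.
(declare-rel mc (Int Int))
; err is derivable iff the assertion mc(x) >= 91 can fail for some x.
(declare-rel err ())

(declare-var x Int)
(declare-var y Int)
(declare-var z Int)

; mc(x) = x - 10   if x > 100
(rule (=> (> x 100) (mc x (- x 10))))

; mc(x) = mc(mc(x + 11))   if x <= 100
; The body uses mc twice: this is the non-linear clause, so a
; derivation of mc(x, z) is a DAG of sub-derivations, not a single path.
(rule (=> (and (<= x 100) (mc (+ x 11) y) (mc y z)) (mc x z)))

; assert (mc(x) >= 91): the error state is reachable iff some
; return value is below 91.
(rule (=> (and (mc x y) (< y 91)) err))

; "unsat" means err is not derivable, i.e. the assertion holds for all x.
(query err)
```

Run with `z3 mc91.smt2`; the answer is `unsat`, since the solver finds the summary mc(x, r) ⇔ (x > 100 ∧ r = x - 10) ∨ (x ≤ 100 ∧ r = 91). Tightening the assertion to `(< y 92)` flips the answer to `sat`: mc returns exactly 91 on every x ≤ 100, so a derivation of `err` (a counterexample DAG, in the terminology of the summary below) exists.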
PDR as a Transition System
Non-linear fixed-points Recall:
Non-linear transformers
M(87) = M(M(98)) = M(M(M(109))) = M(M(99)) = M(M(M(110))) = M(M(100)) = M(M(M(111))) = M(M(101)) = M(91) = M(M(102)) = M(92) = M(M(103)) = M(93) …
Benchmarks from the SLAM Research toolkit
Arithmetic
- R(0, 0, 0, 0)                                                        (initial states)
- T(L, M, Y1, Y2, L', M', Y1', Y2') ∧ R(L, M, Y1, Y2) → R(L', M', Y1', Y2')   (reachable states)
- R(2, 2, Y1, Y2) → false                                              (is an unsafe state reachable?)
- Step(L, L', Y1, Y2, Y1') → T(L, M, Y1, Y2, L', M, Y1', Y2)           (P1 takes a step)
- Step(M, M', Y2, Y1, Y2') → T(L, M, Y1, Y2, L, M', Y1, Y2')           (P2 takes a step)
Search: Mile-high perspective
- Conflict propagation
- Conflict resolution
PDR(T): Conflict Resolution
PDR(T): Generalization from T-lemmas
PDR(LRA): Timed automata
PDR(T): Interpolants as a side-effect
Summary
- PDR in Z3: a new algorithm for symbolic model checking
- PDR as an abstract transition system
- Generalized PDR for non-linear fixed-point operators
- Counter-examples as DAGs
- A new model checker for Bebop
- PDR with theories: using Farkas' lemma to generalize failed counter-example traces
- Difference logic: a model checking algorithm for timed automata
- Propagate also properties for predicates (so far inefficient)
http://rise4fun.com/Z3Py/tutorial/fixedpoints