Skip to main content

Infinite-state invariant checking with IC3 and predicate abstraction

Formal Methods in System Design volume 49pages 190–218 (2016)Cite this article

Abstract

We address the problem of verifying invariant properties on infinite-state systems. We present a novel approach, IC3ia, for generalizing the IC3 invariant checking algorithm from finite-state to infinite-state transition systems, expressed over some background theories. The procedure is based on a tight integration of IC3 with Implicit Abstraction, a form of predicate abstraction that expresses abstract paths without computing explicitly the abstract system. In this scenario, IC3 operates only at the Boolean level of the abstract state space, discovering inductive clauses over the abstraction predicates. Theory reasoning is confined within the underlying SMT solver, and applied transparently when performing satisfiability checks. When the current abstraction allows for a spurious counterexample, it is refined by discovering and adding a sufficient set of new predicates. Importantly, this can be done in a completely incremental manner, without discarding the clauses found in the previous search. The proposed approach has two key advantages. First, unlike previous SMT generalizations of IC3, it allows to handle a wide range of background theories without relying on ad-hoc extensions, such as quantifier elimination or theory-specific clause generalization procedures, which might not always be available and are often highly inefficient. Second, compared to a direct exploration of the concrete transition system, the use of abstraction gives a significant performance improvement, as our experiments demonstrate.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price includes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Notes

  1. The recursive procedure RecBlock is an oversimplification of the one actually used by IC3 . In practice, RecBlock is implemented using a priority queue. This is however not important for our purposes, and we refer the reader to [12, 25] for more information.

  2. This is a reformulation of a well-known result stated (without proof) in [33], adapted to our context.

  3. http://kind2-mc.github.io/kind2/.

  4. https://github.com/agacek/jkind/.

References

  1. Ball T, Majumdar R, Millstein TD, Rajamani SK (2001) Automatic predicate abstraction of C programs. In: PLDI, pp. 203–213

  2. Ball T, Podelski A, Rajamani SK (2002) Relative completeness of abstraction refinement for software model checking. In: Katoen JP, Stevens P (eds) TACS, LNCS, vol 2280. Springer, pp 158–172

  3. Ball T, Podelski A, Rajamani SK (2003) Boolean and Cartesian abstraction for model checking C programs. STTT 5(1):49–58

    Article  MATH  Google Scholar 

  4. Barrett CW, Sebastiani R, Seshia SA, Tinelli C (2009) Satisfiability modulo theories. In Handbook of satisfiability, vol 185. IOS Press, pp 825–885

  5. Baumgartner J, Ivrii A, Matsliah A, Mony H (2012) IC3-guided abstraction. In: Formal methods in computer-aided design (FMCAD 2012). Cambridge, UK, pp 182–185, 22–25 October 2012

  6. Beyer D (2013) Second competition on software verification—(Summary of SV-COMP 2013). In: TACAS, LNCS, vol 7795. Springer, pp 594–609

  7. Biere A, Artho C, Schuppan V (2002) Liveness checking as safety checking. Electr Notes Theor Comput Sci 66(2):160–177

    Article  Google Scholar 

  8. Birgmeier J, Bradley AR, Weissenbacher G (2014) Counterexample to induction-guided abstraction-refinement (CTIGAR). In CAV, pp 831–848

  9. Bjørner N, Gurfinkel A (2015) Property directed polyhedral abstraction. In VMCAI, pp 263–281

  10. Bradley A. IC3ref. https://github.com/arbrad/IC3ref

  11. Bradley A, Somenzi F, Hassan Z, Zhang Y (2011) An incremental approach to model checking progress properties. In: FMCAD

  12. Bradley AR (2011) SAT-based model checking without unrolling. In: VMCAI, LNCS, vol 6538. Springer, pp 70–87

  13. Bradley AR, Manna Z (2007) Checking safety by inductive generalization of counterexamples to induction. In: FMCAD. IEEE Computer Society, pp 173–180

  14. Cavada R, Cimatti A, Dorigatti M, Griggio A, Mariotti A, Micheli A, Mover S, Roveri M, Tonetta S (2014) The nuXmv symbolic model checker. In CAV, LNCS, vol 8559, pp 334–342

  15. Cavada R, Cimatti A, Franzén A, Kalyanasundaram K, Roveri M, Shyamasundar RK (2007) Computing predicate abstractions by integrating BDDs and SMT solvers. In: FMCAD. IEEE Computer Society, pp 69–76

  16. Chokler H, Ivrii A, Matsliah A, Moran S, Nevo Z (2011) Incremental formal verification of hardware. In: FMCAD

  17. Cimatti A, Franzén A, Griggio A, Kalyanasundaram K, Roveri M (2010) Tighter integration of BDDs and SMT for predicate abstraction. In: DATE. IEEE, pp 1707–1712

  18. Cimatti A, Griggio A (2012) Software model checking via IC3. In: CAV, pp 277–293

  19. Cimatti A, Griggio A, Mover S, Tonetta S (2014) IC3 modulo theories via implicit predicate abstraction. In: TACAS, pp 46–61

  20. Cimatti A, Griggio A, Schaafsma B, Sebastiani R (2013) The MathSAT5 SMT solver. In: TACAS, LNCS, vol 7795. Springer

  21. Cimatti A, Griggio A, Sebastiani R (2010) Efficient generation of Craig interpolants in satisfiability modulo theories. ACM Trans Comput Log 12(1):7

    MathSciNet  Article  MATH  Google Scholar 

  22. Claessen K, Sörensson N (2012) A liveness checking algorithm that counts. In: FMCAD. IEEE, pp 52–59

  23. Clarke EM, Grumberg O, Jha S, Lu Y, Veith H (2003) Counterexample-guided abstraction refinement for symbolic model checking. J ACM 50(5):752–794

    MathSciNet  Article  MATH  Google Scholar 

  24. Clarke EM, Grumberg O, Long DE (1994) Model checking and abstraction. ACM Trans Program Lang Syst 16(5):1512–1542

    Article  Google Scholar 

  25. Een N, Mishchenko A, Brayton R (2011) Efficient implementation of property-directed reachability. In: FMCAD

  26. Graf S, Saïdi H (1997) Construction of abstract state graphs with PVS. In: CAV, pp 72–83

  27. Griggio A, Roveri M (2016) Comparing different variants of the IC3 algorithm for hardware model checking. IEEE Trans CAD Integr Circuits Syst 35(6):1026–1039

  28. Gupta A, Rybalchenko A (2009) InvGen: An efficient invariant generator. In: CAV, LNCS, vol 5643. Springer, pp 634–640

  29. Gupta A, Strichman O (2005) Abstraction refinement for bounded model checking. In: CAV, pp 112–124

  30. Gurfinkel A, Ivrii A (2015) Pushing to the top. In: Formal methods in computer-aided design (FMCAD 2015) Austin, Texas, USA, pp 65–72, 27–30 September 2015

  31. Hagen G, Tinelli C (2008) Scaling up the formal verification of lustre programs with SMT-based techniques. In: FMCAD. IEEE, pp 1–9

  32. Hassan Z, Bradley AR, Somenzi F (2013) Better generalization in IC3. In: FMCAD. IEEE, pp 157–164

  33. Henzinger TA, Jhala R, Majumdar R, McMillan KL (2004) Abstractions from proofs. In: POPL, pp 232–244

  34. Henzinger TA, Jhala R, Majumdar R, Sutre G (2002) Lazy abstraction. In: POPL, pp 58–70

  35. Hoder K, Bjørner N (2012) Generalized property directed reachability. In: SAT, pp 157–171

  36. Isenberg T, Wehrheim H (2014) Timed automata verification via IC3 with zones. In: ICFEM, pp 203–218

  37. Itzhaky S, Bjørner N, Reps TW, Sagiv M, Thakur AV (2014) Property-directed shape analysis. In: CAV, pp 35–51

  38. Jain H, Kroening D, Sharygina N, Clarke EM (2005) Word level predicate abstraction and refinement for verifying RTL verilog. In: DAC, pp 445–450

  39. Kahsai T, Tinelli C (2011) PKind: A parallel k-induction based model checker. In: PDMC, EPTCS, vol 72, pp 55–62

  40. Karbyshev A, Bjørner N, Itzhaky S, Rinetzky N, Shoham S (2015) Property-directed inference of universal invariants or proving their absence. In: CAV, pp 583–602

  41. Kindermann R, Junttila TA, Niemelä I (2012) SMT-based induction methods for timed systems. In: FORMATS, LNCS, vol 7595. Springer, pp 171–187

  42. Kurshan RP (1994) Computer aided verification of coordinating processes. Princeton University Press, Princeton

    MATH  Google Scholar 

  43. Lahiri SK, Nieuwenhuis R, Oliveras A (2006) SMT techniques for fast predicate abstraction. In: CAV, pp 424–437

  44. Lange T, Neuhäußer MR, Noll T (2015) IC3 software model checking on control flow automata. In: Formal methods in computer-aided design (FMCAD 2015) Austin, Texas, USA, pp 97–104, 27–30 September 2015

  45. McMillan KL (2006) Lazy Abstraction with Interpolants. In: CAV, LNCS, vol 4144. Springer, pp 123–136

  46. Sorensson N, Claessen K. Tip. https://github.com/niklasso/tip

  47. Tonetta S (2009) Abstract model checking without computing the abstraction. In: FM, pp 89–105

  48. Vizel Y, Grumberg O, Shoham S (2012) Lazy abstraction and SAT-based reachability in hardware model checking. In: FMCAD. IEEE, pp 173–181

  49. Vizel Y, Gurfinkel A (2014) Interpolating property directed reachability. In: CAV, pp 260–276

  50. Vizel Y, Weissenbacher G, Malik S (2015) Boolean satisfiability solvers and their applications in model checking. Proc IEEE 103(11):2021–2035

  51. Welp T, Kuehlmann A (2013) QF_BV model checking with property directed reachability. In: DATE, pp 791–796

Download references

Acknowledgments

This work was carried out within the D-MILS project, which is partially funded under the European Commission’s Seventh Framework Programme (FP7).

Author information

Authors and Affiliations

  1. Fondazione Bruno Kessler, Trento, Italy

    Alessandro Cimatti, Alberto Griggio & Stefano Tonetta

  2. University of Colorado Boulder, Boulder, USA

    Sergio Mover

Authors
  1. Alessandro Cimatti
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alberto Griggio
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sergio Mover
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Stefano Tonetta
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alberto Griggio.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Cimatti, A., Griggio, A., Mover, S. et al. Infinite-state invariant checking with IC3 and predicate abstraction. Form Methods Syst Des 49, 190–218 (2016). https://doi.org/10.1007/s10703-016-0257-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-016-0257-4

Keywords

  • Model checking
  • Infinite-state systems
  • IC3
  • Predicate abstraction
  • SMT
  • Inductive invariants