Proving Parameterized Systems Safe by Generalizing Clausal Proofs of Small Instances
We describe an approach to proving safety properties of parameterized reactive systems. Clausal inductive proofs for small instances are generalized to quantified formulae, which are then checked against the whole family of systems. Clausal proofs are generated at the bit-level by the IC3 algorithm. The clauses are partitioned into blocks, each of which is represented by a quantified implication formula, whose antecedent is a conjunction of modular linear arithmetic constraints.
Each quantified formula approximates the set of clauses it represents; good approximations are computed through a process of proof saturation, and through the computation of convex hulls. Candidate proofs are conjunctions of quantified lemmas. For systems with a small-model bound, the proof can often be shown valid for all values of the parameter. When the candidate proof cannot be shown valid, it can still be used to bootstrap finite proofs to permit verification at larger values of the parameter.
While the method is incomplete, it produces non-trivial invariants for a suite of benchmarks including hardware circuits and protocols.
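The generalize-then-recheck loop the abstract describes, as an added toy example that is not the paper's implementation: a constructed clausal proof of a 3-process token ring is generalized into one quantified lemma whose antecedent is an interval of modular index offsets, then instantiated and checked by brute force as an inductive proof at larger values of the parameter N. The ring model, the clause encoding and the interval antecedent are assumptions of this example.

```python
"""Added toy, not the paper's code: generalize a clausal proof of a 3-process
token ring into a quantified lemma with a modular-offset antecedent, then
re-check it by brute force as an inductive proof at larger N."""
from itertools import product

# Literal (i, polarity) over the single state variable t[i] (token bit);
# (i, False) reads "not t[i]". A clause is a frozenset of literals.
N_SMALL = 3
# Constructed stand-in for the IC3 proof at N=3: "no two tokens at once".
PROOF_SMALL = [frozenset({(i, False), (j, False)})
               for i in range(N_SMALL) for j in range(i + 1, N_SMALL)]

def generalize(clauses, n):
    """Group binary clauses into blocks by literal polarities; per block keep
    the interval hull of the offsets (j - i) mod n, upper end stored relative
    to n so it scales with the parameter (a crude stand-in for convex hulls)."""
    blocks = {}
    for clause in clauses:
        (i, pi), (j, pj) = sorted(clause)
        blocks.setdefault((pi, pj), set()).add((j - i) % n)
    # Lemma (shape, lo, delta): for all i, d with lo <= d <= N + delta,
    # the clause {(i, shape[0]), ((i + d) mod N, shape[1])} holds.
    return [(shape, min(offs), max(offs) - n) for shape, offs in blocks.items()]

def instantiate(lemmas, n):
    """Expand quantified lemmas into concrete clauses for parameter n."""
    clauses = set()
    for (pi, pj), lo, delta in lemmas:
        for i in range(n):
            for d in range(lo, n + delta + 1):
                clauses.add(frozenset({(i, pi), ((i + d) % n, pj)}))
    return clauses

def step(state):
    """Ring transition: every token moves to the next process (a rotation)."""
    return tuple(state[(i - 1) % len(state)] for i in range(len(state)))

def holds(clause, state):
    return any(state[i] == polarity for i, polarity in clause)

def is_inductive_proof(clauses, n):
    """Brute force: init satisfies the clauses, the clause set is closed under
    step, and every state satisfying it has at most one token (safety)."""
    init = tuple(i == 0 for i in range(n))  # token starts at process 0
    if not all(holds(c, init) for c in clauses):
        return False
    for state in product((False, True), repeat=n):
        if all(holds(c, state) for c in clauses):
            if sum(state) > 1 or not all(holds(c, step(state)) for c in clauses):
                return False
    return True
```

The lemma produced from N=3 instantiates to a valid proof for every N tried; a weaker lemma that only covers adjacent processes (offset 1) is rejected at N=5, which is the situation where the abstract says the candidate must instead bootstrap a finite proof.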