Citation Context

...nal arithmetic (based on interpolation) was proposed, in order to strengthen ¬s before adding it to Fi after having successfully blocked it. 2.3 Implicit Abstraction Predicate abstraction Abstraction =-=[9]-=- is used to reduce the search space while preserving the satisfaction of some properties such as invariants. If Ŝ is an abstraction of S, if a condition is reachable in S, then also its abstract vers...

Citation Context

...is led to the development of various techniques, based on quantifier elimination or theory-specific clause generalization procedures. Unfortunately, such extensions are typically ad-hoc, and might not always be applicable in all theories of interest. Furthermore, being based on the fully detailed SMT representation of the transition systems, some of these solutions (e.g. based on quantifier elimination) can be highly inefficient. We present a novel approach to IC3 Modulo Theories, which is able to deal with infinite-state systems by means of a tight integration with predicate abstraction (PA) [12], a standard abstraction technique that partitions the state space according to the equivalence relation induced by a set of predicates. In this work, we leverage Implicit Abstraction (IA) [23], which allows to express abstract transitions without computing explicitly the abstract system, and is fully incremental with respect to the addition of new predicates. In the resulting algorithm, called IC3+IA, the search proceeds as if carried out in an abstract system induced by the set of current predicates P – in fact, IC3+IA only generates clauses over P. The key insight is to exploit IA to obtain...

Citation Context

...ralization procedures. The only requirement is the availability of an effective technique for abstraction refinement, for which various solutions exist for many important theories (e.g. interpolation =-=[14]-=-, unsat core extraction, or weakest precondition). Second, the analysis of the infinite-state transition system is now carried out in the abstract space, which is often as effective as an exact analys...

Citation Context

...tential applications to software, RTL models, timed and hybrid systems, although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) =-=[1]-=- and hereafter are referred to as IC3 Modulo Theories [7,17,15,24]: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of th...

Citation Context

...on, abstraction and IC3. Among the existing abstraction techniques, predicate abstraction [11] has been successfully applied to the verification of infinite-state transition systems, such as software =-=[19]-=-. Implicit abstraction [22] was first used with k-induction to avoid the explicit computation of the abstract system. In our work, we exploit implicit abstraction in IC3 to avoid theory-specific gener...

Citation Context

...ent. Second, compared to a direct exploration of the concrete transition system, the use of abstraction gives a significant performance improvement, as our experiments demonstrate. 1 Introduction IC3 =-=[5]-=- is an algorithm for the verification of invariant properties of transition systems. It builds an over-approximation of the reachable state space, using clauses obtained by generalization while dispro...

Citation Context

...n terms of performance IC3+IA proved to be uniformly superior to a wide range of alternative techniques and tools, including state-of-the-art implementations of the bit-level IC3 algorithm ([11, 22, 3]), other approaches for IC3 Modulo Theories ([7, 16, 18]), and techniques based on k-induction and invariant discovery ([14, 17]). A remarkable property of IC3+IA is that it can deal with a large number of predicates: in several benchmarks, hundreds of predicates were introduced during the search. Considering that an explicit computation of the abstract transition relation (e.g. based on All-SMT [19]) often becomes impractical with a few dozen predicates, we conclude that IA is fundamental to scalability, allowing for efficient reasoning in a fine-grained abstract space. The rest of the paper is structured as follows. In Section 2 we present some background on IC3 and Implicit Abstraction. In Section 3 we describe IC3+IA and prove its formal properties. In Section 4 we discuss the related work. In Section 5 we experimentally evaluate our method. In Section 6 we draw some conclusions and present directions for future work. 2 Background 2.1 Transition Systems Our setting is standard first o...

Citation Context

...used in §5.1, but using BV instead of LRA as background theory; – the instances of the bitvector set of the Software Verification Competition SVCOMP [2]; – the instances from the test suite of InvGen =-=[12]-=-, a subset of which was used also in [24]. We have compared the performance of our tools with various implementations of the Boolean IC3 algorithm, run on the translations of the benchmarks to the bit...

Citation Context

...oach is completely incremental, without having to discard or reconstruct clauses found in the previous iterations. We experimentally evaluated IC3+IA on a set of benchmarks from heterogeneous sources =-=[2,13,17]-=-, with very positive results. First, our implementation of IC3+IA is significantly more expressive than the SMT-based IC3 of [7], being able to handle not only the theory of Linear Rational Arithmetic...

Citation Context

...ybrid systems, although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) [1] and hereafter are referred to as IC3 Modulo Theories =-=[7,17,15,24]-=-: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of the SAT solver in the discrete case. The key difference is the need ...

Citation Context

...or Lustre [13]. Since such programs do not have an explicit CFG, we have only evaluated IC3+IA(LIA), by comparing it with Z3 and with the latest versions of KIND as well as its parallel version PKIND =-=[16]-=-.6 The results are summarized in Figure 7. Also in this case, IC3+IA(LIA) outperforms the other systems. 6 Conclusion In this paper we have presented IC3+IA, a new approach to the verification of infi...

Citation Context

...ided the first integration of implicit abstraction in a CEGAR loop. The IC3 [5] algorithm has been widely applied to the hardware domain [10,6] to prove safety and also as a backend to prove liveness =-=[4]-=-. In [23], IC3 is combined with a lazy abstraction technique in the context of hardware verification. The approach has some similarities with our work, but it is limited to Boolean systems, it uses a ...

Citation Context

... abstraction [12] has been successfully applied to the verification of infinite-state transition systems, such as software [20]. Implicit abstraction [23] was first used with k-induction to avoid the explicit computation of the abstract system. In our work, we exploit implicit abstraction in IC3 to avoid theory-specific generalization techniques, widening the applicability of IC3 to transition systems expressed over some background theories. Moreover, we provided the first integration of implicit abstraction in a CEGAR loop. The IC3 [5] algorithm has been widely applied to the hardware domain [11, 6] to prove safety and also as a backend to prove liveness [4]. In [24], IC3 is combined with a lazy abstraction technique in the context of hardware verification. The approach has some similarities with our work, but it is limited to Boolean systems, it uses a “visible variables” abstraction rather than PA, and applies a modified concrete version of IC3 for refinement. Several approaches adapted the original IC3 algorithm to deal with infinite-state systems [7, 16, 18, 25]. The techniques presented in [7, 16] extend IC3 to verify systems described in the linear real arithmetic theory. In contra...

Citation Context

...ybrid systems, although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) [1] and hereafter are referred to as IC3 Modulo Theories =-=[7,17,15,24]-=-: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of the SAT solver in the discrete case. The key difference is the need ...

Citation Context

... Second, in terms of performance IC3+IA proved to be uniformly superior to a wide range of alternative techniques and tools, including state-of-the-art implementations of the bit-level IC3 algorithm (=-=[10,21,3]-=-), other approaches for IC3 Modulo Theories ([7,15,17]), and techniques based on k-induction and invariant discovery ([13,16]). A remarkable property of IC3+IA is that it can deal with a large number ...

Citation Context

... first integration of implicit abstraction in a CEGAR loop. The IC3 [5] algorithm has been widely applied to the hardware domain [10,6] to prove safety and also as a backend to prove liveness [4]. In =-=[23]-=-, IC3 is combined with a lazy abstraction technique in the context of hardware verification. The approach has some similarities with our work, but it is limited to Boolean systems, it uses a “visible ...

Citation Context

...ybrid systems, although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) [1] and hereafter are referred to as IC3 Modulo Theories =-=[7,17,15,24]-=-: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of the SAT solver in the discrete case. The key difference is the need ...

Citation Context

...n (PA) [11], a standard abstraction technique that partitions the state space according to the equivalence relation induced by a set of predicates. In this work, we leverage Implicit Abstraction (IA) =-=[22]-=-, which allows to express abstract transitions without computing explicitly the abstract system, and is fully incremental with respect to the addition of new predicates. In the resulting algorithm, ca...

Citation Context

...t properties of transition systems. It builds an over-approximation of the reachable state space, using clauses obtained by generalization while disproving candidate counterexamples. In the case of finite-state systems, the algorithm is implemented on top of Boolean SAT solvers, fully leveraging their features. IC3 has demonstrated to be extremely effective, and it is a fundamental core in all the engines in hardware verification. There have been several attempts to lift IC3 to the case of infinite-state systems, for its potential applications to software, RTL models, timed and hybrid systems [9], although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) [1] and hereafter are referred to as IC3 Modulo Theories [7, 18, 16, 25]: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of the SAT solver in the discrete case. The key difference is the need in IC3 Modulo Theories for specific theory reasoning to deal with candidate counterexamples. This led to the development of various techniques, based on quantifier elimination or theory-specific cla...

Citation Context

...oach is completely incremental, without having to discard or reconstruct clauses found in the previous iterations. We experimentally evaluated IC3+IA on a set of benchmarks from heterogeneous sources =-=[2,13,17]-=-, with very positive results. First, our implementation of IC3+IA is significantly more expressive than the SMT-based IC3 of [7], being able to handle not only the theory of Linear Rational Arithmetic...

Citation Context

...er-free formulas, the computation of ŜP requires the elimination of the existential quantifiers. This may result in a bottleneck and some techniques compute weaker/more abstract systems (cfr., e.g., =-=[20]-=-). E Q T E Q E Q E Q T T Fig. 1. Abstract path. Implicit predicate abstraction Implicit predicate abstraction [22] embeds the definition of the predicate abstraction in the encoding of the path. This ...

Citation Context

...ybrid systems, although the problem is in general undecidable. These approaches are set in the framework of Satisfiability Modulo Theory (SMT) [1] and hereafter are referred to as IC3 Modulo Theories =-=[7,17,15,24]-=-: the infinite-state transition system is symbolically described by means of SMT formulas, and an SMT solver plays the same role of the SAT solver in the discrete case. The key difference is the need ...