Boosting k-Induction with Continuously-Refined Invariants

\(k\)-induction is a promising technique to extend bounded model checking from falsification to verification. In software verification, \(k\)-induction works only if auxiliary invariants are used to strengthen the induction hypothesis. The problem that we address is to generate such invariants (1) automatically, without user interaction, (2) efficiently, such that little verification time is spent on the invariant generation, and (3) such that they are sufficiently strong for a \(k\)-induction proof. We boost the \(k\)-induction approach to significantly increase effectiveness and efficiency in the following way: in parallel to \(k\)-induction, we start a data-flow-based invariant generator that supports dynamic precision adjustment, and we refine the precision of the invariant generator continuously during the analysis, such that the invariants become increasingly stronger. The \(k\)-induction engine is extended such that the invariants from the invariant generator are injected in each iteration to strengthen the hypothesis. The new method solves the above-mentioned problem because it (1) automatically chooses an invariant by step-wise refinement, (2) always starts with a lightweight invariant generation that is computationally inexpensive, and (3) refines the invariant precision more and more to inject stronger and stronger invariants into the induction system. We present and evaluate an implementation of our approach, as well as all other existing approaches, in the open-source verification framework CPAchecker. Our experiments show that combining \(k\)-induction with continuously-refined invariants significantly increases effectiveness and efficiency, and outperforms all existing implementations of \(k\)-induction-based verification of C programs in terms of successful results.
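As an added illustration (not code from the paper or from CPAchecker), the following Python sketch shows how injected invariants strengthen the step case of \(k\)-induction: it assumes a constructed toy loop over a finite state box, checks base and step case by enumeration rather than SMT, and uses a hand-written sequence of increasingly strong invariants as a stand-in for the refined data-flow invariant generator.

```python
from itertools import product
# Constructed toy model (not the paper's code) of the C loop
#   x = 0; y = 0; while (x < 10) { x++; y += 2; }   with property y <= 20.
# States are (x, y) from a finite box, so checks run by enumeration, not SMT.
DOMAIN = [(x, y) for x, y in product(range(-3, 15), range(-4, 30))]
INIT = {(0, 0)}

def step(s):
    """Successor states; the loop exit is modelled as a self-loop."""
    x, y = s
    return {(x + 1, y + 2)} if x < 10 else {(x, y)}

def prop(s):
    return s[1] <= 20

# Weakest to strongest: stand-ins for a data-flow generator refining its precision.
INVARIANTS = [
    ("true", lambda s: True),
    ("x >= 0", lambda s: s[0] >= 0),
    ("x >= 0 and y == 2*x", lambda s: s[0] >= 0 and s[1] == 2 * s[0]),
]

def base_case(k):
    """Every state reachable from INIT in at most k steps satisfies prop."""
    frontier = set(INIT)
    for _ in range(k + 1):
        if not all(prop(s) for s in frontier):
            return False
        frontier = {t for s in frontier for t in step(s)}
    return True

def step_case(k, inv):
    """Any k consecutive states satisfying prop and inv lead only to prop."""
    paths = [[s] for s in DOMAIN if prop(s) and inv(s)]
    for _ in range(k - 1):
        paths = [p + [t] for p in paths for t in step(p[-1]) if prop(t) and inv(t)]
    return all(prop(t) for p in paths for t in step(p[-1]))

def k_induction(inv, max_k=15):
    """Raise k until the step case holds (proof) or the base case fails (bug)."""
    for k in range(1, max_k + 1):
        if not base_case(k):
            return ("bug", k)
        if step_case(k, inv):
            return ("proved", k)
    return ("unknown", max_k)

def refine_until_proved():
    """k needed per injected invariant; 'true' only proves because the box is finite."""
    return [(name, k_induction(inv)) for name, inv in INVARIANTS]
```

With no invariant the proof needs k = 14 (and would never succeed over unbounded integers), the interval-style invariant brings it to k = 11, and the linear relation y == 2*x lets k = 1 suffice.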
