arXiv [cs.LO], Oct

Improving Convergence Rate Of IC3

Eugene Goldberg [email protected]

Abstract — IC3, a well-known model checker, proves a property of a transition system $\xi$ by building a sequence of formulas $F_0, \dots, F_k$. Formula $F_i$, $0 \le i \le k$, over-approximates the set of states reachable in at most $i$ transitions. The basic algorithm of IC3 cannot guarantee that the value of $k$ never exceeds the reachability diameter of $\xi$. We describe an algorithm called IC4 that gives such a guarantee. (IC4 stands for "IC3 + Improved Convergence".) One can argue that the average convergence rate of IC4 is better than for IC3 as well. Improving convergence can facilitate some other variations of the basic algorithm. As an example, we describe a version of IC4 employing property decomposition. The latter means replacing an original (strong) property with a conjunction of weaker properties to prove by IC4. We argue that addressing the convergence problem is important for making the property decomposition approach work.
I. INTRODUCTION

IC3 is a model checker [2] that has become very popular due to its high scalability. Let $\xi$ be a transition system and $P$ be a safety property of $\xi$. IC3 builds a sequence of formulas $F_0, \dots, F_k$ where $F_i$ over-approximates the set of states reachable from an initial state of $\xi$ in at most $i$ transitions. Property $P$ is proved when $F_i$ becomes an inductive invariant of $\xi$ for some $0 \le i \le k$.

One of the reasons for the high performance of IC3 is that the value of $k$ above is typically much smaller than $Diam(\xi)$ (i.e. the reachability diameter of $\xi$). So, on average, IC3 converges to an inductive invariant much faster than an RA-tool (where RA stands for "reachability analysis"). Interestingly, the worst case behavior of an RA-tool and IC3 is quite different from their average behavior. Namely, IC3 cannot guarantee that $k$ never exceeds $Diam(\xi)$. We introduce a modification of IC3 called IC4 that fixes the problem above. (IC4 stands for "IC3 + Improved Convergence".) On one hand, IC4 has the same worst case behavior as an RA-tool. On the other hand, the average convergence rate of IC4 is arguably better than that of IC3 as well.

The main difference between IC4 and IC3 is as follows. IC3 checks if formula $F_k$ is an inductive invariant by "pushing" the clauses of $F_k$ to $F_{k+1}$. If every clause of $F_k$ can be pushed to $F_{k+1}$, the former is an inductive invariant. Otherwise, there is at least one clause $C \in F_k$ that cannot be pushed to $F_{k+1}$. In this case, IC3 moves on, re-trying to push $C$ to $F_{k+1}$ when new clauses are added to $F_k$. In contrast to IC3, IC4 applies extra effort to push $C$ to $F_{k+1}$. Namely, it derives new inductive clauses to exclude states that prevent $C$ from being pushed to $F_{k+1}$. This extra effort results either in successfully pushing $C$ to $F_{k+1}$ or in proving that $C$ is "unpushable". The proof of unpushability consists of finding a reachable state $s$ that satisfies formula $F_{k+1}$ and falsifies clause $C$. The existence of $s$ means that $F_k$ cannot be turned into an inductive invariant by adding more clauses. Thus, semantically, the difference between IC4 and IC3 is that the former starts building a new over-approximation $F_{k+1}$ only after it has proved that adding one more time frame is mandatory. Operationally, IC4 and IC3 are different in that IC4 generates a small set of reachable states.

An appealing feature of IC3 is its ability to generate property-specific proofs. So it seems natural to decompose a hard property $P$ into a conjunction $P_1 \wedge \dots \wedge P_m$ of weaker properties and then generate $m$ property-specific proofs for $P_i$. However, the convergence issues of IC3 are arguably more pronounced for weak properties (see Subsection VII-B). So, to make property decomposition work, one should use IC4 rather than IC3 to prove properties $P_i$. In this paper, we describe a variation of IC4 employing property decomposition.

At the time of writing the first version of the paper we were not aware of QUIP, a version of IC3 published in [1]. We fix this omission and describe the relation between IC4 and QUIP in Subsection VII-A. QUIP pushes clauses to future time frames more aggressively than the basic IC3 and generates reachable states as a proof that a clause cannot be pushed. However, no relation of QUIP's good performance to an improvement of its convergence rate has been established either theoretically or experimentally.

The contribution of this paper is as follows. First, we show the reason why IC3 has a poor upper bound on the convergence rate (Section III). Second, we formulate a new version of IC3 called IC4 (Section IV) that is meant for fixing this problem. In particular, we show that IC4 indeed has a better upper bound than IC3 (Section V). We also give an estimate of the number of reachable states IC4 has to generate (Section VI). Third, we discuss arguments in favor of IC4 (Section VII). Fourth, we describe IC4-PD, a version of IC4 meant for solving hard problems by property decomposition (Section VIII).

II. A BRIEF OVERVIEW OF IC3
Let $I$ and $T$ be formulas specifying the initial states and the transition relation of a transition system $\xi$ respectively. Let $P$ be a formula specifying a safety property of $\xi$. IC3 proves $P$ by building a set of formulas $F_0, \dots, F_k$. Here formula $F_i$, $0 \le i \le k$, depends on the set of state variables of the $i$-th time frame (denoted as $S_i$) and over-approximates the set of states reachable in at most $i$ transitions. That is, every state reachable in at most $i$ transitions is an $F_i$-state.

(Footnotes: We assume that all formulas are propositional and are represented in CNF (conjunctive normal form). A state is an assignment to the set of state variables.)

IC3 builds formula $F_k$ as follows. Formula $F_0$ is always equal to $I$. Every formula $F_k$, $k > 0$, is originally set to $P$. (So $F_k \rightarrow P$ is always true because the only modification applied to $F_k$ is adding clauses.) Then IC3 tries to exclude every $F_k$-state that is a predecessor of a bad state, i.e. a state $s$ that breaks $F_k \wedge T \rightarrow P'$. Here $T$ is short for $T(S_k, S_{k+1})$ and $P'$, as usual, means that $P$ depends on next-state variables, i.e. those of $S_{k+1}$. Exclusion of $s$ is done by derivation of a so-called inductive clause $C$ falsified by $s$. Adding $C$ to $F_k$ excludes $s$ from consideration. (If $s$ cannot be excluded, IC3 generates a counterexample.)

One of the properties of formulas $F_i$ maintained by IC3 is $F_i \rightarrow F_{i+1}$. To guarantee this, IC3 maintains two stronger properties of $F_i$: a) $Clauses(F_{i+1}) \subseteq Clauses(F_i)$ and b) $F_i \neq F_{i+1}$ implies that $F_i \not\equiv F_{i+1}$. That is, the set of clauses of $F_i$ contains all the clauses of $F_{i+1}$, and the fact that $F_i$ contains at least one clause that is not in $F_{i+1}$ means that $F_i$ and $F_{i+1}$ are logically inequivalent. Since every formula $F_i$ implies $P$, one cannot have more than $|P\text{-states}|$ different formulas $F_0, \dots, F_k$. That is, if the value of $k$ exceeds $|P\text{-states}|$, there should be two formulas $F_{i-1}, F_i$, $i < k$, such that $F_{i-1} = F_i$. This means that $F_{i-1}$ is an inductive invariant and property $P$ holds.

III. CONVERGENCE RATE OF IC3 AND CLAUSE PUSHING
We will refer to the number of time frames one has to unroll before proving property $P$ as the convergence rate. We will denote the latter as $ConvRate(P)$. As we mentioned in Section II, an upper bound on $ConvRate(P)$ of the basic version of IC3 formulated in [2] is $|P\text{-states}|$. Importantly, the value of $|P\text{-states}|$ can be much larger than $Diam(\xi)$ (i.e. the reachability diameter of $\xi$). Of course, on average, $ConvRate(P)$ of IC3 is much smaller than $Diam(\xi)$, let alone $|P\text{-states}|$. However, as we argue below, a poor upper bound on $ConvRate(P)$ is actually a symptom of a problem.

Recall that formula $F_k$ specifies an over-approximation of the set of states reachable in at most $k$ transitions. So, it cannot exclude a state $s$ reachable in $j$ transitions where $j \le k$. (That is, such a state $s$ cannot falsify $F_k$.) On the other hand, $F_k$ may exclude states reachable in $k+1$ transitions or more. Suppose IC3 has just finished constructing formula $F_k$. At this point $F_k \wedge T \rightarrow P'$ holds, i.e. no bad state can be reached from an $F_k$-state in one transition. After constructing $F_k$, IC3 invokes a procedure for pushing clauses from $F_k$ to $F_{k+1}$. In particular, this procedure checks for every clause $C$ of $F_k$ if the implication $F_k \wedge T \rightarrow C'$ holds. We will refer to this implication as the pushing condition. If the pushing condition holds for clause $C$, it can be pushed from $F_k$ to $F_{k+1}$. If the pushing condition holds for every clause of $F_k$, then $F_k \wedge T \rightarrow F_k'$ and $F_k$ is an inductive invariant.

(Footnote: Given a formula $H(S)$, a state $s$ is said to be an $H$-state if $H(s) = 1$. Given a property $P$, a $\overline{P}$-state is called a bad state.)

Suppose that the pushing condition does not hold for a clause $C$ of $F_k$. Below, we describe two different reasons for the pushing condition to be broken. IC3 does not try to identify which of the reasons takes place. This feature of IC3 is the cause of its poor upper bound on $ConvRate(P)$. Moreover, intuitively, this feature should affect the average value of $ConvRate(P)$ as well.

The first reason for breaking the pushing condition is that clause $C$ excludes a state $s$ that is reachable in the $(k+1)$-th time frame from an initial state. In this case, formula $F_k$ cannot be turned into an inductive invariant by adding more clauses. In particular, the broken pushing condition cannot be fixed for $C$. The second reason for breaking the pushing condition is that clause $C$ excludes a state $s$ that is unreachable in the $(k+1)$-th time frame from an initial state. In this case, every $F_k$-state $q$ that is a predecessor of $s$ can be excluded by deriving a clause falsified by $q$. So in this case, the broken pushing condition can be fixed. In particular, by fixing broken pushing conditions for $F_k$ one may turn the latter into an inductive invariant.

IV. INTRODUCING IC4

A. A high-level view of IC4
We will refer to the version of IC3 with a better convergence rate described in this paper as IC4. The main difference between IC3 and IC4 is that the latter makes an extra effort in pushing clauses to later time frames. This new feature of IC4 is implemented in a procedure called NewPush (see Figure 1). It is invoked after IC4 has built $F_k$ where the predecessors of bad states are excluded, i.e. as soon as $F_k \wedge T \rightarrow P'$ holds. For every clause $C$ of $F_k$, NewPush checks the pushing condition (see Section III). If this condition is broken, NewPush tries to fix it or proves that it cannot be fixed and hence $C$ is "unpushable".

(Footnote: In reality, since both $F_k$ and $F_{k+1}$ contain the clauses of $P$, only the inductive clauses of $F_k$ added to strengthen $P$ are checked for the pushing condition.)

Depending on the clause-pushing effort, one can identify three different versions of IC4: minimal, maximal and heuristic. The minimal IC4 stops fixing pushing conditions as soon as NewPush finds a clause of $F_k$ that cannot be pushed. After that the minimal IC4 switches into the "IC3 mode" where the pushing conditions are not fixed for the remaining clauses of $F_k$. The maximal IC4 tries to fix the pushing condition for every inductive clause of $F_k$. That is, if a clause $C \in F_k$ cannot be pushed to $F_{k+1}$, the maximal IC4 tries to fix the pushing condition (regardless of how many unpushable clauses of $F_k$ have already been identified). Moreover, if an inductive clause $C$ is added to $F_i$, $i < k$, the maximal IC4 tries to fix the pushing condition for $C$ if it cannot be immediately pushed to $F_{i+1}$. A heuristic IC4 uses a heuristic to stay between the minimal and maximal IC4 in terms of the clause-pushing effort. In this paper, we describe the minimal IC4 unless otherwise stated. So, when we just say IC4 we mean the minimal version of it.

    // F_k = {F_0, ..., F_k}
    NewPush(I, T, P, F_k) {
     1   NewClauses := true;
     2   F_{k+1} := P
     3   while (NewClauses) {
     4     NewClauses := false;
     5     foreach C ∈ (F_k \ P) {
     6       if (C ∈ (F_{k+1} \ P)) continue;
     7       s := SAT(F_k ∧ T ∧ ¬C');
     8       if (s = nil) {
     9         F_{k+1} := F_{k+1} ∪ {C}
    10         continue; }
    11       (F_k, t) := ExclState(s, I, T, P, F_k);
    12       if (t ≠ nil) return(C, t);
    13       NewClauses := true }}
    14   return(nil, nil); }

Fig. 1. The NewPush procedure
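To make Fig. 1 concrete, here is an added explicit-state toy of NewPush (example code, not the paper's or IC4's implementation): the SAT calls are replaced by enumeration of all states, and ExclState by IC3's proof-obligation recursion without clause generalization (a state is excluded by the longest clause it falsifies). The transition system, the frames and the clause names are constructed for this example.

```python
"""Explicit-state toy of the NewPush procedure of Fig. 1 (added example, not
the paper's code). A state is a bit tuple (x0, x1, x2); a literal (v, b) reads
'x_v == b'; a clause is a frozenset of literals; F_0 is the set of initial
states and each later frame F_i is a set of clauses. Only scales to toys."""
from itertools import product

def satisfies(state, clause):
    return any(state[v] == b for v, b in clause)

def in_frame(state, frames, i):
    # F_0 is exactly I; F_i for i >= 1 is a conjunction of clauses.
    if i == 0:
        return state in frames[0]
    return all(satisfies(state, c) for c in frames[i])

def neg_clause(state):
    # Longest clause falsified by `state` and by no other state.
    return frozenset((v, 1 - b) for v, b in enumerate(state))

def excl_state(s, i, frames, succ, n):
    """IC3-style proof obligation without generalization: show s unreachable
    in at most i steps by excluding every F_{i-1}-predecessor of s, then add
    the clause ¬s to F_1..F_i. Returns None on success, else a trace to s."""
    if s in frames[0]:
        return [s]                      # s is initial: reachable in 0 steps
    while True:
        pred = next((q for q in product((0, 1), repeat=n)
                     if in_frame(q, frames, i - 1) and s in succ(q)), None)
        if pred is None:
            break
        trace = excl_state(pred, i - 1, frames, succ, n)
        if trace is not None:
            return trace + [s]
    for j in range(1, i + 1):           # keeps Clauses(F_{j+1}) ⊆ Clauses(F_j)
        frames[j].add(neg_clause(s))
    return None

def new_push(k, frames, succ, n, prop):
    """Fig. 1: push the inductive clauses of F_k to a fresh F_{k+1}. Returns
    (None, None) when F_k became an inductive invariant, otherwise the first
    unpushable clause C and a trace to a reachable state falsifying C."""
    frames.append(set(prop))            # F_{k+1} := P
    new_clauses = True
    while new_clauses:
        new_clauses = False
        for clause in sorted(frames[k] - set(prop), key=sorted):
            if clause in frames[k + 1]:
                continue
            # pushing condition F_k ∧ T → C': look for a successor breaking it
            s = next((t for q in product((0, 1), repeat=n)
                      if in_frame(q, frames, k)
                      for t in succ(q) if not satisfies(t, clause)), None)
            if s is None:
                frames[k + 1].add(clause)   # C is pushed
                continue
            trace = excl_state(s, k + 1, frames, succ, n)
            if trace is not None:
                return clause, trace        # C is unpushable; minimal IC4 stops
            new_clauses = True              # fixed: re-check clauses in a new pass
    return None, None

# Constructed toy system: I = {000}. With x2 = 0 the pair (x0, x1) counts
# 0 -> 1 -> 2 -> 0; with x2 = 1 (never reached) it counts 0 -> 1 -> 2 -> 3 -> 0.
INIT = {(0, 0, 0)}
def succ(q):
    v = (q[0] + 2 * q[1] + 1) % (4 if q[2] else 3)
    return [(v & 1, v >> 1, q[2])]
PROP = {frozenset({(0, 0), (1, 0)})}               # P: not (x0 = 1 and x1 = 1)
C_BLOCK_011 = frozenset({(0, 1), (1, 0), (2, 0)})  # excludes 011, the only good predecessor of a bad state
C_X1_ZERO = frozenset({(1, 0)})                    # too strong: 010 is reachable in 2 steps

if __name__ == "__main__":
    print(new_push(1, [set(INIT), set(PROP) | {C_BLOCK_011}], succ, 3, PROP))
    print(new_push(1, [set(INIT), set(PROP) | {C_BLOCK_011, C_X1_ZERO}], succ, 3, PROP))
```

The first call fixes a broken pushing condition caused by the unreachable states 101 and 001 and returns (None, None) with $F_1$ turned into an inductive invariant; the second returns C_X1_ZERO together with the trace 000, 100, 010 proving it unpushable.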
B. Description of NewPush

The pseudo-code of NewPush is given in Fig. 1. At this point IC4 has finished generation of $F_k$. In particular, no bad state can be reached from an $F_k$-state in one transition. NewPush tries to push every inductive clause of $F_k$ to $F_{k+1}$. If a clause $C \in F_k$ is unpushable, NewPush returns $C$ and a trace $t$ leading to a state falsifying clause $C$. Trace $t$ proves the unpushability of $C$ and hence the fact that $F_k$ cannot be turned into an inductive invariant by adding more clauses. If every clause of $F_k$ can be pushed to $F_{k+1}$, then $F_k$ is an inductive invariant and NewPush returns $(nil, nil)$ instead of clause $C$ and trace $t$.

NewPush consists of two nested loops. A new iteration of the outer loop (lines 3-13) starts if variable NewClauses equals true. The value of this variable is set in the inner loop (lines 5-13) depending on whether new clauses are added to $F_k$. In every iteration of the inner loop, NewPush checks the pushing condition (line 7) for an inductive clause of $F_k$ that is not in $F_{k+1}$. If it holds, then $C$ is pushed to $F_{k+1}$. If the pushing condition fails, an $F_{k+1}$-state $s$ is generated that falsifies clause $C$. Then NewPush tries to check if $s$ is reachable exactly as IC3 does this when looking for a counterexample. The only difference is that $s$ is a good state. As we mentioned above, if $s$ is reachable by a trace $t$, NewPush terminates returning $C$ and $t$. Otherwise, it sets variable NewClauses to true and starts a new iteration of the inner loop.

V. BETTER CONVERGENCE RATE OF IC4
As we mentioned in Section II, an upper bound on $ConvRate(P)$ is $|P\text{-states}|$. Below, we show that using procedure NewPush described in Section IV brings the upper bound on $ConvRate(P)$ for IC4 down to $Diam(\xi)$. (Note that if property $P$ holds, $Diam(\xi) \le |P\text{-states}|$.)

Let $F_k$ be a formula for which NewPush is called when $k \ge Diam(\xi)$. At this point $F_k \wedge T \rightarrow P'$ holds. Let $s$ be a state breaking the pushing condition for a clause $C$ of $F_k$. That is, $s$ falsifies $C$ (and hence it is not an $F_k$-state) but is reachable from an $F_k$-state in one transition.

(Footnote: Recall that at this point of the algorithm, no bad state can be reached from an $F_k$-state in one transition.)

Recall that $F_k$ is an over-approximation of the set of states that can be reached in at most $k$ transitions. Since $s$ falsifies $F_k$, reaching it from an initial state of $\xi$ requires at least $k+1$ transitions. However, this is impossible since $k+1 > Diam(\xi)$, and hence state $s$ is unreachable. This means that every $F_k$-state that is a predecessor of $s$ can be excluded by an inductive clause added to $F_k$. So eventually, NewPush will fix the pushing condition for $C$. After fixing all broken pushing conditions for clauses of $F_k$, NewPush will turn $F_k$ into an inductive invariant.

VI. NUMBER OF REACHABLE STATES TO GENERATE
The number of generated reachable states depends on which of the three versions of IC4 is considered (see Subsection IV-A). Let $k$ denote the maximal number of time frames unfolded by IC4. In the case of the minimal IC4, the upper bound on the number of reachable states for proving property $P$ is equal to $k \cdot (k+1)/2$. For the maximal IC4, the upper bound is $k \cdot |Unpush(F)|$ where $F = F_0 \cup \dots \cup F_k$ and $Unpush(F)$ is the subset of $F$ consisting of unpushable clauses. Indeed, an inductive clause $C \in F_i$ is proved unpushable only once. This proof consists of a trace to a state falsifying $F_i$. The length of this trace is equal to $i$ and hence bounded by $k$. The upper bound for the maximal IC4 above is loose because one assumes that
• the length of every trace proving unpushability equals $k$;
• two (or more) clauses cannot be proved unpushable by the same reachable state.

Re-using reachable states can dramatically reduce the total number of reachable states one needs to generate. For instance, for the minimal IC4, this number can drop as low as $k$. For the maximal IC4, the total number of reachable states can go as low as $m + k$ where $m$ is the total number of reachable states generated to prove the unpushability of clauses of $Unpush(F)$.

VII. A FEW ARGUMENTS IN FAVOR OF IC4
In this section, we give some arguments in favor of IC4. The main argument is given in Subsection VII-A where we relate IC4 to a model checker called QUIP. The latter was introduced in [1] in 2015. In Subsections VII-B and VII-C, we describe a few potential advantages of IC4 that were not discussed in [1] (in terms of QUIP).

(Footnote to Section VI: For every formula $F_i$, $i = 1, \dots, k$, IC4 generates one reachable state $s$ falsifying a clause of $F_i$. To reach $s$, one needs to generate a trace of $i$ states. So the number of reachable states generated for $F_i$ is equal to $i$. The total number of reachable states is equal to $1 + \dots + k$.)

(Footnote: As we mentioned in the introduction, at the time of writing the first version of our paper we were not aware of QUIP.)

A. IC4 and QUIP

As we mentioned in the introduction, QUIP makes an extra effort to push clauses to future time frames. To show that a clause cannot be pushed, QUIP generates a reachable state. Although the premise of QUIP is that the strategy above may lead to a faster generation of an inductive invariant, this claim has not been justified theoretically. The advantage of QUIP over IC3 is shown in [1] in terms of better run times and a greater number of solved problems. So, no direct experimental data is provided on whether QUIP has a better convergence rate than IC3. (As mentioned in [1] and in the first version of our paper, having at one's disposal reachable states facilitates construction of better inductive clauses. So one cannot totally discard the possibility that the performance of QUIP is mainly influenced by this "side effect".) Nevertheless, the great experimental results of QUIP are an encouraging sign.
B. Proving weak properties

In this subsection, we argue that IC4 should have more robust performance than IC3 on weak properties. Let $F_i$ be an over-approximation of the set of states reachable in at most $i$ transitions and $P$ be the property to prove. As we mentioned earlier, there are two conditions one needs to satisfy to turn $F_i$ into an inductive invariant: $F_i \wedge T \rightarrow P'$ and $F_i \wedge T \rightarrow F_i'$. We will refer to a state $s$ breaking the first condition (respectively the second condition) as a state of the first kind (respectively the second kind). Only states of the first kind (i.e. $F_i$-states from which there is a transition to a bad state) are explicitly excluded by IC3. States of the second kind are excluded implicitly via generalization of inductive clauses. On the other hand, IC4 excludes states of both kinds explicitly and implicitly (via generalization of inductive clauses).

First, assume that $P$ is a strong property, meaning that there are a lot of bad states. Then by excluding states of the first kind coupled with generalization of inductive clauses, IC3 also excludes many states of the second kind. Now assume that $P$ is a weak property that has, say, only one bad state. Let us also assume that excluding states reaching this bad state is easy. Intuitively, in this case, IC3 is less effective in excluding the states of the second kind (because their exclusion is just a side effect of excluding states of the first kind). On the other hand, IC4 does not have this problem and so arguably should have a more robust behavior than IC3 when proving weak properties.
C. Test generation

Formal verification of some properties of transition system $\xi$ does not guarantee that the latter is correct. In this case, testing is employed to get more confidence in the correctness of $\xi$. Traces generated by IC4 can be used as tests in two scenarios. First, one can check that reachable states found by IC4 satisfy the properties that formal verification tools failed to prove. Second, one can just inspect the states visited by $\xi$ and the outputs produced in those states to check if they satisfy some (formal or informal) criteria of correctness.

(Footnote to Subsection VII-A: By avoiding the exclusion of known reachable states, one increases the chance for an inductive clause to be a part of an inductive invariant.)

(Footnote: Moreover, $\xi$ can be incorrect even if a supposedly complete set of properties $P_1, \dots, P_n$ is proved true [4], [3]. For instance, the designer may "misdefine" a property and so instead of verifying the right property $P_i'$ (that does not hold) a formal tool checks a weaker property $P_i$ (that holds).)

    IC4-PD(I, T, P) {
     1   Inv := ∅
     2   while (true) {
     3     s := CheckSat(Inv ∧ ¬P)
     4     if (s = nil) return(Inv, nil)
     5     Q := FormProp(s)
     6     (J, Cex) := IC4*(I, T, P, Inv, Q)
     7     if (Cex ≠ nil) return(nil, Cex)
     8     if (J = Q)
     9       J := Strengthen(I, T, Inv, J)
    10     Inv := Inv ∧ J } }

Fig. 2. The IC4-PD procedure

VIII. INTRODUCING IC4-PD
In this section, we present IC4-PD, a version of IC4 employing property decomposition. In Subsection VIII-A, we describe two obstacles one has to overcome to make property decomposition work. Subsection VIII-B introduces a straightforward implementation of IC4-PD.

A. Property decomposition: two obstacles to overcome

As we mentioned in the introduction, an appealing feature of IC3 is its ability to generate property-specific proofs. Let $P$ be a hard property to prove. Let $P$ be represented as $P_1 \wedge \dots \wedge P_k$ (i.e. $P$ is decomposed into $k$ weaker properties). Let $J_i$ be an inductive invariant for property $P_i$. Then $J_1 \wedge \dots \wedge J_k$ is an inductive invariant for property $P$. So one can prove $P$ via finding property-specific proofs $J_i$, $i = 1, \dots, k$.

To make the idea of property decomposition work one has to overcome at least two obstacles. The first obstacle is that the search space one has to examine to prove $P_i$ is, in general, not a subset of the search space for $P$. In [5], we show that this issue can be addressed by using the machinery of local proofs. The second obstacle is as follows. As we argued in Subsection VII-B, weak properties are more likely to expose the convergence rate problem of IC3. For that reason, replacing a strong property $P$ with weaker properties $P_i$ may actually lead to performance degradation if properties $P_i$ are proved by IC3. On the other hand, IC4 should be more robust when solving weak properties. So one can address the second obstacle by using IC4 (rather than IC3) to prove properties $P_i$.

(Footnote: This obstacle is of a general nature and is not caused by using IC3. The reason is that when proving $P_i$ one may need to consider traces that contain two or more $\overline{P}$-states. These traces break property $P$ without breaking property $P_i$.)

(Footnote: To prove that $P_i$ holds globally one needs to show that no trace of $P_i$-states reaches a $\overline{P_i}$-state. Proving $P_i$ locally means showing that no trace of $P$-states (rather than $P_i$-states) reaches a $\overline{P_i}$-state. As we show in [5], if $P$ is false, there is a property $P_i$ that breaks both globally and locally. So if every $P_i$ holds locally, then it does globally too and $P$ is true.)

B. Description of IC4-PD

The pseudocode of IC4-PD is shown in Fig. 2.
IC4-PD accepts formulas $I, T, P$ specifying the initial states, the transition relation and the property to prove respectively. IC4-PD returns either an inductive invariant $Inv$ or a counterexample $Cex$. Computation is performed in a while loop. First, IC4-PD checks if there is a $\overline{P}$-state $s$ breaking $Inv \rightarrow P$ (line 3). If not, then $Inv$ is an inductive invariant proving $P$ (line 4). Otherwise, IC4-PD forms a new property $Q$ to prove (line 5). $Q$ consists of one clause, namely, the longest clause falsified by $s$. So, the latter is the only $\overline{Q}$-state.

Then IC4-PD calls IC4*, a version of IC4 that proves $Q$ locally with respect to the target property $P$ (see Subsection VIII-A). That is, IC4* checks if there is a trace of $P$-states (rather than $Q$-states) leading to the $\overline{Q}$-state. If not, then $Q$ holds locally. IC4* uses the current $Inv$ as a constraint. Namely, IC4* looks for a formula $J$ satisfying $Inv \wedge J \wedge T \rightarrow J'$ (rather than $J \wedge T \rightarrow J'$). If IC4* finds a counterexample $Cex$, then $Q$ and hence $P$ fail (line 7). Otherwise, IC4* returns an inductive invariant $J$. If $Q$ is itself an inductive property (and so $J = Q$), IC4-PD tries to strengthen $J$ like an inductive clause is strengthened by IC3 (line 9). This is done to avoid enumerating $\overline{P}$-states one by one if many properties $Q$ turn out to be inductive. If $J$ is already strengthened (and so $J \neq Q$), then $Inv$ is replaced with $Inv \wedge J$ and a new iteration begins.

(Footnote: Proving $Q$ locally addresses the first obstacle mentioned in Subsection VIII-A. The second obstacle is addressed by using IC4 instead of IC3. It is safe to do because all reachable states satisfy

REFERENCES

[1] A. Ivrii and A. Gurfinkel. Pushing to the top. In FMCAD-15, pages 65–72, 2015.
[2] A. R. Bradley. SAT-based model checking without unrolling. In VMCAI, pages 70–87, 2011.
[3] E. Goldberg. Complete test sets and their approximations. In FMCAD-18. To be published.
[4] E. Goldberg. Complete test sets and their approximations. Technical Report arXiv:1808.05750 [cs.LO], 2018.
[5] E. Goldberg, M. Güdemann, D. Kroening, and R. Mukherjee. Efficient verification of multi-property designs (the benefit of wrong assumptions). In DATE'18, pages 43–48, Dresden, Germany, 2018.