📝 Original Info
- Title: PKind: A parallel k-induction based model checker
- ArXiv ID: 1111.0372
- Date: 2011-11-03
- Authors: Temesghen Kahsai (The University of Iowa), Cesare Tinelli (The University of Iowa)
📝 Abstract
PKind is a novel parallel k-induction-based model checker of invariant properties for finite- or infinite-state Lustre programs. Its architecture, which is strictly message-based, is designed to minimize synchronization delays and easily accommodate the incorporation of incremental invariant generators to enhance basic k-induction. We describe PKind's functionality and main features, and present experimental evidence that PKind significantly speeds up the verification of safety properties and, due to incremental invariant generation, also considerably increases the number of provable ones.
💡 Deep Analysis
📄 Full Content
Jiri Barnat and Keijo Heljanko (Eds.)
10th International Workshop on
Parallel and Distributed Methods in verifiCation (PDMC 2011)
EPTCS 72, 2011, pp. 55–62, doi:10.4204/EPTCS.72.6
© T. Kahsai & C. Tinelli
This work is licensed under the
Creative Commons Attribution License.
PKIND: A parallel k-induction based model checker∗
Temesghen Kahsai
The University of Iowa
temesghen-kahsaiazene@uiowa.edu
Cesare Tinelli
The University of Iowa
cesare-tinelli@uiowa.edu
1 Introduction
PKIND is a parallel model checker based on the k-induction principle, used to verify invariant properties of programs written in the specification/programming language Lustre [8]. Lustre is a synchronous data-flow language that operates on infinite streams of values of three basic types: bool, int (finite-precision integers), and real (floating-point numbers). PKIND assumes an idealized version of Lustre, which treats int as the type of mathematical integers and real as the type of rational numbers. Its reasoning about Lustre programs is done in the context of a first-order quantifier-free logic that includes uninterpreted functions and mixed real-integer linear arithmetic. Idealized Lustre programs can be faithfully and readily encoded as transition systems in this logic (see [7] for more details). PKIND relies on the SMT solvers CVC3 [3] and Yices [5], used alternatively, as satisfiability solvers for this logic.
PKIND’s architecture is strictly message-based and designed to minimize synchronization delays and easily accommodate the concurrent automatic generation of invariants to bolster basic k-induction. A first level of parallelism is introduced in the k-induction procedure itself by executing the base and the inductive steps concurrently. A second level allows the addition of one or more independent processes that incrementally generate auxiliary invariants for the system being verified. These invariants are fed to the k-induction loop as soon as they are produced and used to strengthen the induction hypothesis.
To the best of our knowledge, this sort of parallel architecture has not been presented in previous work on parallel model checking. Our approach is orthogonal to those in previous work [2] that focus on other sources of parallelism, including parallelization across the processes of an asynchronous transition system. Most closely related to ours is the work by Eén et al. [6] who describe a sequential implementation of SAT-based k-induction in which a Bounded Model Checking loop is interleaved with one performing just the inductive step of k-induction. Our approach goes beyond that work, not only in using a genuinely parallel architecture, but also by incorporating concurrent invariant generation processes. Another line of related work is exemplified by [1, 13, 4], which discuss a different type of parallelism in the BMC algorithm. There, satisfiability checks are done concurrently within the SAT solver. This too is orthogonal to our approach, as the parallelism we exploit is not at the level of the underlying solver, but at the level of the k-induction procedure.
∗Work partially supported by AFOSR grant #FA9550-09-1-0517 and NSF grant #1049674.
In the current version of PKIND, invariant generation is achieved using a novel incremental version of an offline invariant discovery scheme we developed in previous work [9]. This general scheme consists in sifting through a large set of formulas generated automatically from a transition system’s description, looking for possible invariants. The formulas in the set, the candidate invariants, are all instances of a template encoding a decidable relation over the system’s data types. In [9], a single invariant is generated at the end of the process as a conjunction of template instances, each of which is k-inductive for some k. In contrast, in the version developed for PKIND, instances that are k-inductive for the same k are discovered and returned before instances that are k′-inductive for some k′ > k.
Before describing PKIND’s architecture, we briefly recall the definition of k-induction [12]. Assume a logic L and a transition system S specified in the logic by an initial state condition I(x) and a two-state transition relation T(x,x′) where x,x′ are vectors of state variables. A state property P(x) is invariant for S, i.e., satisfied by every reachable state of S, if the following entailments hold in L f
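The base step, the inductive step and the incremental invariant generator described above, as an added runnable sketch in Python. This is illustrative code written for this page, not PKIND's implementation: PKIND discharges the entailments with CVC3 or Yices over SMT encodings of Lustre programs with unbounded integers and rationals, whereas this example decides them by enumerating a constructed four-state system. The transition system (I, T), the property P, the two templates v <= c and v >= c, and all function names are assumptions made for illustration; the base and inductive steps, which PKIND runs as concurrent message-passing processes, are interleaved in a single loop here.

```python
"""k-induction with incremental auxiliary invariants, by brute-force enumeration.
Added example, not PKind's code: PKind encodes a Lustre program as SMT formulas
I(x), T(x,x') and asks CVC3 or Yices the entailment questions; here the same
questions are decided by enumerating a small finite-state system."""

# Constructed toy system (not from the paper): one variable v in {0,1,2,3}.
# Only v=0 is reachable; the unreachable chain 3 -> 2 -> 1 is what stops P
# from being 1- or 2-inductive.
STATES = (0, 1, 2, 3)
_SUCC = {0: (0,), 1: (1,), 2: (1,), 3: (2,)}

def I(v):                       # initial state condition I(x)
    return v == 0

def T(v, v_next):               # two-state transition relation T(x, x')
    return v_next in _SUCC[v]

def P(v):                       # property to verify: v is never 1
    return v != 1

def runs(length, first_ok, every_ok):
    """All T-connected sequences s0..s_{length-1} with first_ok(s0) and
    every_ok(s_i) for all i; stands in for an SMT query on a k-fold unrolling."""
    found = []
    def extend(path):
        if len(path) == length:
            found.append(tuple(path))
            return
        for s in STATES:
            if T(path[-1], s) and every_ok(s):
                extend(path + [s])
    for s0 in STATES:
        if first_ok(s0) and every_ok(s0):
            extend([s0])
    return found

def base_case(k, prop):
    """Base step: every run of k states from an initial state satisfies prop.
    Returns a violating run (a genuine counterexample trace) or None."""
    for run in runs(k, I, lambda s: True):
        if not all(prop(s) for s in run):
            return run
    return None

def inductive_step(k, prop, invariants):
    """Inductive step: every run of k+1 states whose first k satisfy prop ends
    in a prop state. Proven invariants are assumed on all k+1 states (sound:
    a state violating a true invariant is unreachable), which is how the
    generated invariants strengthen the induction hypothesis.
    Returns a violating run (not necessarily reachable) or None."""
    inv = lambda s: all(f(s) for f in invariants)
    for run in runs(k + 1, lambda s: True, inv):
        if all(prop(s) for s in run[:k]) and not prop(run[k]):
            return run
    return None

def k_induction(prop, max_k, invariants=()):
    """Returns ("valid", k), ("falsified", k, trace) or ("unknown", max_k).
    PKind runs base and inductive steps as concurrent message-passing
    processes; here they are interleaved in one loop."""
    for k in range(1, max_k + 1):
        trace = base_case(k, prop)
        if trace is not None:
            return ("falsified", k, trace)
        if inductive_step(k, prop, invariants) is None:
            return ("valid", k)
    return ("unknown", max_k)

def generate_invariants(max_k):
    """Toy incremental template-based discovery: candidates are the instances
    v <= c and v >= c of two templates, checked one at a time; k-inductive
    instances are emitted for k before any instance needing k' > k. A base
    case failure discards a candidate; instances true on the whole domain
    are skipped as uninformative."""
    cands = {}
    for c in STATES:
        cands[f"v<={c}"] = lambda s, c=c: s <= c
        cands[f"v>={c}"] = lambda s, c=c: s >= c
    cands = {n: f for n, f in cands.items() if not all(f(s) for s in STATES)}
    proven = []
    for k in range(1, max_k + 1):
        for name, pred in list(cands.items()):
            if base_case(k, pred) is not None:
                del cands[name]                    # refuted, not an invariant
            elif inductive_step(k, pred, ()) is None:
                del cands[name]
                proven.append((k, name, pred))     # k-inductive: hand it over
        if not cands:
            break
    return proven

def verify(prop, max_k=8, use_invariants=False):
    """k-induction alone, or strengthened by the generated invariants."""
    invs = [f for _, _, f in generate_invariants(max_k)] if use_invariants else []
    return k_induction(prop, max_k, invs)

if __name__ == "__main__":
    print(verify(P))                        # ('valid', 3)
    print(verify(P, use_invariants=True))   # ('valid', 1)
    print(verify(P, max_k=2))               # ('unknown', 2)
    print(verify(lambda v: v != 0))         # ('falsified', 1, (0,))
    print([(k, n) for k, n, _ in generate_invariants(8)])
```

Run as a script. Without auxiliary invariants, P is only 3-inductive because the unreachable run 3, 2, 1 satisfies the hypothesis for k = 1 and k = 2; with a bound of k ≤ 2 the checker gives up with "unknown". The generator's first batch already contains the 1-inductive instance v <= 0, and once it is assumed in the inductive step P becomes 1-inductive, which is the mechanism by which the paper reports that invariant generation both speeds up proofs and makes more properties provable.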
Reference
This content is AI-processed based on open access ArXiv data.