Control-flow guided clause generation for property directed reachability

Abstract

Property directed reachability (PDR) has been introduced as a very efficient verification method for synchronous hardware circuits which is based on induction rather than fixpoint computation. The method incrementally refines a sequence of clause sets that over-approximate the states that are reachable in finitely many steps. Even being valid, safety properties may not be provable by induction due to so-called counterexamples to induction (CTIs) that result from the over-approximation of the reachable states. Crucial steps of the PDR method therefore consist of (1) deciding about the reachability of states derived from counterexamples, and (2) generalizing them to clauses that cover as many unreachable states as possible that are then excluded from consideration by adding the generated clause to the reachable state approximation sequence. In this paper, we describe a refinement of the PDR method for synchronous programs that makes effective use of the distinction between the control- and dataflow of synchronous programs. If a CTI candidate is found, we reduce it to its control-flow part and check whether the obtained control-flow states are unreachable in the corresponding extended finite state machine of the program. If so, we can immediately exclude all these states by adding the negation of the control-flow part as a new clause to the current reachable state approximations; otherwise, the usual steps of the PDR method are applied. This additional step in the PDR method is not expensive, and can significantly increase the performance of PDR.