Gianluca Redondi,Alessandro Cimatti,Alberto Griggio,Kenneth McMillan

2024-02-29

Abstract:This paper addresses the problem of checking invariant properties for a large class of symbolic transition systems, defined by a combination of SMT theories and quantifiers. State variables can be functions from an uninterpreted sort (finite, but unbounded) to an interpreted sort, such as the the integers under the theory of linear arithmetic. This formalism is very expressive and can be used for modeling parameterized systems, array-manipulating programs, and more. We propose two algorithms for finding universal inductive invariants for such systems. The first algorithm combines an IC3-style loop with a form of implicit predicate abstraction to construct an invariant in an incremental manner. The second algorithm constructs an under-approximation of the original problem, and searches for a formula which is an inductive invariant for this case; then, the invariant is generalized to the original case, and checked with a portfolio of techniques. We have implemented the two algorithms and conducted an extensive experimental evaluation, considering various benchmarks and different tools from the literature. As far as we know, our method is the first capable of handling in a large class of systems in a uniform way. The experiment shows that both algorithms are competitive with the state of the art.

Logic in Computer Science

Feijun Zheng,Yanling Weng,Xiaolang Yan

DOI: https://doi.org/10.1109/icasic.2007.4415843

2007-01-01

Abstract:This paper presents a sequential equivalence checking (SEC) framework based upon Boolean satisfiability (SAT) related engines such as sequential SAT and invariant checking. By detecting invariants in the miter circuits, the search space can be dramatically reduced. Some techniques such as timeframe expansion and dynamic candidate selection are introduced to enhance the invariant checking accuracy. Furthermore, a heuristic is presented to quickly find counter-examples for those in-equivalent tasks. The efficiency of the approach is demonstrated using some larger ISCAS89 circuits and hard-to-verify industrial circuits.

Fei He,Yuan Gao,Liangze Yin

DOI: https://doi.org/10.1007/s11704-016-6048-7

IF: 2.6688

2018-01-01

Frontiers of Computer Science

Abstract:Software product line (SPL) engineering is increasingly being adopted in safety-critical systems. It is highly desirable to rigorously show that these systems are designed correctly. However, formal analysis for SPLs is more difficult than for single systems because an SPL may contain a large number of individual systems. In this paper, we propose an efficient model-checking technique for SPLs using induction and a SAT (Boolean satisfiability problem) solver. We show how an induction-based verification method can be adapted to the SPLs, with the help of a SAT solver. To combat the state space explosion problem, a novel technique that exploits the distinguishing characteristics of SPLs, called feature cube enlargement, is proposed to reduce the verification efforts. The incremental SAT mechanism is applied to further improve the efficiency. The correctness of our technique is proved. Experimental results show dramatic improvement of our technique over the existing binary decision diagram (BDD)-based techniques.

Kedar S. Namjoshi

DOI: https://doi.org/10.4204/EPTCS.129.25

2013-09-20

Abstract:Fully automated verification of concurrent programs is a difficult problem, primarily because of state explosion: the exponential growth of a program state space with the number of its concurrently active components. It is natural to apply a divide and conquer strategy to ameliorate state explosion, by analyzing only a single component at a time. We show that this strategy leads to the notion of a "split" invariant, an assertion which is globally inductive, while being structured as the conjunction of a number of local, per-component invariants. This formulation is closely connected to the classical Owicki-Gries method and to Rely-Guarantee reasoning. We show how the division of an invariant into a number of pieces with limited scope makes it possible to apply new, localized forms of symmetry and abstraction to drastically simplify its computation. Split invariance also has interesting connections to parametric verification. A quantified invariant for a parametric system is a split invariant for every instance. We show how it is possible, in some cases, to invert this connection, and to automatically generalize from a split invariant for a small instance of a system to a quantified invariant which holds for the entire family of instances.

Logic in Computer Science

Herbert Rocha,Hussama Ismail,Lucas Cordeiro,Raimundo Barreto

DOI: https://doi.org/10.48550/arXiv.1509.02471

2015-09-08

Logic in Computer Science

Abstract:We present a proof by induction algorithm, which combines k-induction with invariants to model check embedded C software with bounded and unbounded loops. The k-induction algorithm consists of three cases: in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether loops have been fully unrolled and that the safety property P holds in all states reachable within k unwindings; and in the inductive step, we check that whenever P holds for k unwindings, it also holds after the next unwinding of the system. For each step of the k-induction algorithm, we infer invariants using affine constraints (i.e., polyhedral) to specify pre- and post-conditions. Experimental results show that our approach can handle a wide variety of safety properties in typical embedded software applications from telecommunications, control systems, and medical devices; we demonstrate an improvement of the induction algorithm effectiveness if compared to other approaches.

Yanyan Gao,Xi Li

DOI: https://doi.org/10.1109/samos.2013.6621107

2013-01-01

Abstract:SystemC has become a de-facto standard language for SoC and ASIP designs. The verification of implementation with SystemC is the key to guarantee the correctness of designs and prevent the errors from propagating to the lower levels. The gap between SystemC TLM model and its corresponding formal model makes it hard to perform automated translation between them. SystemC describes process behavior in sequential statements and usually employs intermediate variables, while most model checking languages for hardware only describe parallel behaviors, in which the usage of intermediate variables not only increases state space and may prolong execution time, but also introduce potential errors. For a model checking language which supports parallel description, the elimination of redundant intermediate variables is requisite and also an efficient way to reduce the state space. This paper intends to solve these issues: (1) proposing an extraction method that can implement the translation from a description which supports sequential execution to a description supports parallel execution; (2) identifying and removing redundant intermediate variables. In this paper, a novel mechanism is presented to automatically extract behavior description from SystemC to a widespreadly used model checking language SMV. We have implemented a tool SC2SMV and performed actual extraction process on it to demonstrate the effectiveness of the method presented in this paper.

Marius Bozga,Radu Iosif,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.1902.02696

2019-02-07

Abstract:We consider concurrent systems consisting of a finite but unknown number of components, that are replicated instances of a given set of finite state automata. The components communicate by executing interactions which are simultaneous atomic state changes of a set of components. We specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology (i.e.\ architecture) of the system (e.g.\ pipeline, ring) via a decidable interaction logic, which is embedded in the classical weak sequential calculus of one successor (WS1S). Proving correctness of such system for safety properties, such as deadlock freedom or mutual exclusion, requires the inference of an inductive invariant that subsumes the set of reachable states and avoids the unsafe states. Our method synthesizes such invariants directly from the formula describing the interactions, without costly fixed point iterations. We applied our technique to the verification of several textbook examples, such as dining philosophers, mutual exclusion protocols and concurrent systems with preemption and priorities.

Formal Languages and Automata Theory

Daisuke Ishii,Takashi Tomita,Toshiaki Aoki,Quyen Ngo,Thi Bich Ngoc Do,Hideaki Takai

DOI: https://doi.org/10.48550/arXiv.2206.02992

2022-06-07

Abstract:The development of embedded systems requires formal analysis of models such as those described with MATLAB/Simulink. However, the increasing complexity of industrial models makes analysis difficult. This paper proposes a model checking method for Simulink models using SMT solvers. The proposed method aims at (1) automated, efficient and comprehensible verification of complex models, (2) numerically accurate analysis of models, and (3) demonstrating the analysis of Simulink models using an SMT solver (we use Z3). It first encodes a target model into a predicate logic formula in the domain of mathematical arithmetic and bit vectors. We explore how to encode various Simulink blocks exactly. Then, the method verifies a given invariance property using the k-induction-based algorithm that extracts a subsystem involving the target block and unrolls the execution paths incrementally. In the experiment, we applied the proposed method and other tools to a set of models and properties. Our method successfully verified most of the properties including those unverified with other tools.

Logic in Computer Science

Dirk Beyer,Po-Chun Chien,Nian-Ze Lee

2024-10-25

Abstract:Software model checking is a challenging problem, and generating relevant invariants is a key factor in proving the safety properties of a program. Program invariants can be obtained by various approaches, including lightweight procedures based on data-flow analysis and intensive techniques using Craig interpolation. Although data-flow analysis runs efficiently, it often produces invariants that are too weak to prove the properties. By contrast, interpolation-based approaches build strong invariants from interpolants, but they might not scale well due to expensive interpolation procedures. Invariants can also be injected into model-checking algorithms to assist the analysis. Invariant injection has been studied for many well-known approaches, including k-induction, predicate abstraction, and symbolic execution. We propose an augmented interpolation-based verification algorithm that injects external invariants into interpolation-based model checking (McMillan, 2003), a hardware model-checking algorithm recently adopted for software verification. The auxiliary invariants help prune unreachable states in Craig interpolants and confine the analysis to the reachable parts of a program. We implemented the proposed technique in the verification framework CPAchecker and evaluated it against mature SMT-based methods in CPAchecker as well as other state-of-the-art software verifiers. We found that injecting invariants reduces the number of interpolation queries needed to prove safety properties and improves the run-time efficiency. Consequently, the proposed invariant-injection approach verified difficult tasks that none of its plain version (i.e., without invariants), the invariant generator, or any compared tools could solve.

Software Engineering

Ming-e Jing,Gengshen Chen,Wenbo Yin,Dian Zhou

DOI: https://doi.org/10.1109/asicon.2009.5351339

2009-01-01

Abstract:Bounded model checking shows that satisfiability (SAT) problem can be widely used for model checking. The performance of SAT solver depends heavily on the quality of the learnt clauses in the conflict analysis process. Combining with the characters of model checking, we propose to add efficient implied clauses to the clause database to enhance the conflict analysis. Experimental results show that the average running time of our algorithm is reduced by 35% compared with the traditional FUIP algorithm(1).

Zhi Yang,Guangsheng Ma,Gang Feng,Jingbo Shao

2008-01-01

Abstract:A bounded model checking method for the high-level design verification using Wu's method is proposed. By modeling high-level designs and targeting properties as polynomial equations, bounded model checking is reduced to the task of theorem proving, which can be solved by Wu's method efficiently. Experimental results demonstrated the superiority in time consumption of the proposed approach compared with the property checking methods based on Boolean SAT, LP-based RTL SAT and non-linear solver.

YP Fan,JS Bei,JI Bian,HX Xue,XL Hong,J Gu

DOI: https://doi.org/10.1007/978-1-4757-3281-8_9

2001-01-01

Abstract:in this paper a solution for property verification of synchronous VHDL designs is introduced, and an efficient symbolic model checker is implemented. The model checker applies the feature of synchronous circuit design and the locality feature of property to reduce the size of the state space of the internal finite state machine (FSM) model, thus speeding up the reachability analysis and property checking of circuits. A counterexample generation mechanism is also implemented. We have used the implemented model checker to verify several benchmark circuits; the experimental results contrast with another well-known model checker and demonstrate that our solution is more practicable.

Junyan Qian,Baowen Xu,Yingzhou Zhang

2007-01-01

Journal of Computational Information Systems

Abstract:Model checking is an automatic formal verification technique for a finite state system. Iterative abstraction refinement has emerged recently as the leading approach to software model checking. We present a methodology for automatically verifying programs against safety specifications based on finite state machine. As the first step, an initial abstract model is automatically extracted from source code using predicate abstraction and theorem proving. In order to reduce time complexities of this process, we partition the set of candidate predicates into subsets, and then construct abstract model independently.

Liangze Yin,Fei He,Ming Gu

DOI: https://doi.org/10.1109/TASE.2013.11

2013-01-01

Abstract:This paper considers bounded model checking for extended labeled transition systems. Bounded model checking relies on a SAT solver to prove (or disprove) the existence of a counterexample with a bounded length. During the translation of a BMC problem to a SAT problem, much useful information is lost. This paper proposes an algorithm to analyze the transition system model, and then utilize the structure information hidden in the model to refine the decision ordering of variables in SAT solving. The basic idea is to guide the search process of SAT solving by the structure of the transition system. Experiments with this heuristic on real industrial designs show 5-12 times speedup over standard bounded model checking.

Javier Esparza,Mikhail Raskin,Christoph Welzel-Mohr

2024-07-30

Abstract:Regular model checking is a well-established technique for the verification of infinite-state systems whose configurations can be represented as finite words over a suitable alphabet. It applies to systems whose set of initial configurations is regular, and whose transition relation is captured by a length-preserving transducer. To verify safety properties, regular model checking iteratively computes automata recognizing increasingly larger regular sets of reachable configurations, and checks if they contain unsafe configurations. Since this procedure often does not terminate, acceleration, abstraction, and widening techniques have been developed to compute a regular superset of the set of reachable configurations. In this paper we develop a complementary approach. Instead of approaching the set of reachable configurations from below, we start with the set of all configurations and compute increasingly smaller regular supersets of it. We use that the set of reachable configurations is equal to the intersection of all inductive invariants of the system. Since the intersection is in general non-regular, we introduce $b$-bounded invariants, defined as those representable by CNF-formulas with at most $b$ clauses. We prove that, for every $b \geq 0$, the intersection of all $b$-bounded inductive invariants is regular, and show how to construct an automaton recognizing it. We study the complexity of deciding if this automaton accepts some unsafe configuration. We show that the problem is in \textsc{EXPSPACE} for every $b \geq 0$, and \textsc{PSPACE}-complete for $b=1$. Finally, we study how large must $b$ be to prove safety properties of a number of benchmarks.

Distributed, Parallel, and Cluster Computing,Logic in Computer Science

Yueling Zhang,Jianwen Li,G. Pu,Shufang Zhu,Moshe Y. Vardi

DOI: https://doi.org/10.1109/ICCAD.2017.8203765

2016-11-15

Abstract:Formal-verification techniques, such as model checking, are becoming popular in hardware design. SAT-based model checking techniques, such as IC3/PDR, have gained a significant success in the hardware industry. In this paper, we present a new framework for SAT-based safety model checking, named Complementary Approximate Reachability (CAR). CAR is based on standard reachability analysis, but instead of maintaining a single sequence of reachable-state sets, CAR maintains two sequences of over- and under-approximate reachable-state sets, checking safety and unsafety at the same time. To construct the two sequences, CAR uses standard Boolean-reasoning algorithms, based on satisfiability solving, one to find a satisfying cube of a satisfiable Boolean formula, and one to provide a minimal unsatisfiable core of an unsatisfiable Boolean formula. We applied CAR to 548 hardware model-checking instances, and compared its performance with IC3/PDR. Our results show that CAR is able to solve 42 instances that cannot be solved by IC3/PDR. When evaluated against a portfolio that includes IC3/PDR and other approaches, CAR is able to solve 21 instances that the other approaches cannot solve. We conclude that CAR should be considered as a valuable member of any algorithmic portfolio for safety model checking.

Mathematics,Computer Science,Engineering

Jianhua Zhao,Bin Lei,Xuandong Li,Guoliang Zheng

DOI: https://doi.org/10.1109/ISoLA.2006.28

2006-01-01

Abstract:In this paper, we present a timed automaton reachability analysis algorithm which can use some other properties to improve the model checking efficiency. If the model checker aborts because of memory or CPU time limitation when checking a property P, the users can still use a set of auxiliary properties P_1, P_2, \dots, P_n about the system to reduce the space and time requirement. People can verify these auxiliary properties by either model checking or other methods like theorem proving. This algorithm gives the users a way to reduce the space and time requirement of model checking using their knowledge about the system under check.

Guangyuan Wu,Weining Cao,Yuan Yao,Hengfeng Wei,Taolue Chen,Xiaoxing Ma

DOI: https://doi.org/10.1145/3691620.3695014

2024-01-01

Abstract:Loop invariant inference, a key component in program verification, is a challenging task due to the inherent undecidability and complex loop behaviors in practice. Recently, machine learning based techniques have demonstrated impressive performance in generating loop invariants automatically. However, these methods highly rely on the labeled training data, and are intrinsically random and uncertain, leading to unstable performance. In this paper, we investigate a synergy of large language models (LLMs) and bounded model checking (BMC) to address these issues. The key observation is that, although LLMs may not be able to return the correct loop invariant in one response, they usually can provide all individual predicates of the correct loop invariant in multiple responses. To this end, we propose a "query-filter-reassemble" strategy, namely, we first leverage the language generation power of LLMs to produce a set of candidate invariants, where training data is not needed. Then, we employ BMC to identify valid predicates from these candidate invariants, which are assembled to produce new candidate invariants and checked by off-the-shelf SMT solvers. The feedback is incorporated into the prompt for the next round of LLM querying. We expand the existing benchmark of 133 programs to 316 programs, providing a more comprehensive testing ground. Experimental results demonstrate that our approach significantly outperforms the state-of-the-art techniques, successfully generating 309 loop invariants out of 316 cases, whereas the existing baseline methods are only able to tackle 219 programs at best. The code is publicly available at https://github.com/SoftWiser-group/LaM4Inv.git.

Herbert Rocha,Hussama Ismail,Lucas Cordeiro,Raimundo Barreto

DOI: https://doi.org/10.48550/arXiv.1502.02327

2015-02-09

Logic in Computer Science

Abstract:We present a novel proof by induction algorithm, which combines k-induction with invariants to model check C programs with bounded and unbounded loops. The k-induction algorithm consists of three cases: in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether loops have been fully unrolled and that the safety property P holds in all states reachable within k unwindings; and in the inductive step, we check that whenever P holds for k unwindings, it also holds after the next unwinding of the system. For each step of the k-induction algorithm, we infer invariants using affine constraints (i.e., polyhedral) to specify pre- and post-conditions. The algorithm was implemented in two different ways, with and without invariants using polyhedral, and the results were compared. Experimental results show that both forms can handle a wide variety of safety properties; however, the k-induction algorithm adopting polyhedral solves more verification tasks, which demonstrate an improvement of the induction algorithm effectiveness.

Mingsheng Ying,Yangjia Li,Nengkun Yu,Yuan Feng

DOI: https://doi.org/10.1145/2629680

2014-07-08

ACM Transactions on Computational Logic

Abstract:We define a formal framework for reasoning about linear-time properties of quantum systems in which quantum automata are employed in the modeling of systems and certain (closed) subspaces of state Hilbert spaces are used as the atomic propositions about the behavior of systems. We provide an algorithm for verifying invariants of quantum automata. Then, an automata-based model-checking technique is generalized for the verification of safety properties recognizable by reversible automata and ω--properties recognizable by reversible Büchi automata.

computer science, theory & methods,logic