Computer-Aided Reasoning for Product-Line Model Checking by Dawagne, Bruno
Institutional Repository - Research Portal
Dépôt Institutionnel - Portail de la Recherche
THESIS / THÈSE
Author(s) - Auteur(s) :
Supervisor - Co-Supervisor / Promoteur - Co-Promoteur :
Publication date - Date de publication :
Permanent link - Permalien :
Rights / License - Licence de droit d’auteur :
Bibliothèque Universitaire Moretus Plantin
researchportal.unamur.beUniversity of Namur
MASTER IN COMPUTER SCIENCE
Computer-Aided Reasoning for Product-Line Model Checking
Dawagne, Bruno
Award date:
2014
Awarding institution:
University of Namur
Link to publication
General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
            • Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
            • You may not further distribute the material or use it for any profit-making activity or commercial gain
            • You may freely distribute the URL identifying the publication in the public portal ?
Take down policy
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately
and investigate your claim.
Download date: 23. Jun. 2020
Universite´ de Namur
Faculte´ d’informatique
Anne´e acade´mique 2013–2014
Computer-Aided Reasoning for Product-Line
Model Checking
Bruno Dawagne
Maˆıtre de stage : Vijay Ganesh
Promoteur : (Signature pour approbation du de´poˆt - REE art. 40)
Patrick Heymans
Co-promoteur : Maxime Cordy
Me´moire pre´sente´ en vue de l’obtention du grade de
Master en Sciences Informatiques.
Acknowledgements
I would like to thank Prof. Patrick Heymans for all the opportunities he
gave me. I would also like to thank Maxime Cordy for all his support and the
time he took helping me through the redaction of this master thesis. Finally, I
would like to thank Prof. Vijay Ganesh for its guidance and valuable advice.
Contents
Introduction 3
I Theoretical Background 6
1 The Satisfiability Problem 7
1.1 Boolean Functions and Satisfiability Problem . . . . . . . . . . . 7
1.2 Normal forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.1 Negation Normal Form . . . . . . . . . . . . . . . . . . . 8
1.2.2 Conjunctive Normal Form . . . . . . . . . . . . . . . . . . 9
1.2.3 Disjunctive Normal Form . . . . . . . . . . . . . . . . . . 10
1.3 Satisfiability over CNF . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.1 The DPLL Algorithm . . . . . . . . . . . . . . . . . . . . 11
1.3.2 The CDCL Algorithm . . . . . . . . . . . . . . . . . . . . 13
1.4 Binary Decision Diagrams . . . . . . . . . . . . . . . . . . . . . . 18
1.4.1 Principles and Canonicity . . . . . . . . . . . . . . . . . . 18
1.4.2 Operations on BDD’s . . . . . . . . . . . . . . . . . . . . 21
2 Satisfiability Modulo Theories 23
2.1 First-Order Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1.1 Syntax And Semantics . . . . . . . . . . . . . . . . . . . . 23
2.1.2 The Satisfiability Problem . . . . . . . . . . . . . . . . . . 25
2.2 Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3 Common Theories . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3.1 Theory of Equality with Uninterpreted Functions . . . . . 26
2.3.2 Presburger Arithmetic . . . . . . . . . . . . . . . . . . . . 27
2.3.3 Peano arithmetic . . . . . . . . . . . . . . . . . . . . . . . 28
2.4 SMT Solvers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4.1 The Eager Approach . . . . . . . . . . . . . . . . . . . . . 28
2.4.2 The Lazy Approach . . . . . . . . . . . . . . . . . . . . . 29
2.4.3 The DPLL(T) Architecture . . . . . . . . . . . . . . . . . 30
3 Software Product Line Model Checking 31
3.1 LTL Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.1 Program Graphs and Transition Systems . . . . . . . . . 31
3.1.2 Linear Time Properties and Temporal Logic . . . . . . . . 34
3.1.3 Bu¨chi Automata . . . . . . . . . . . . . . . . . . . . . . . 35
3.1.4 Verifying ω-regular Properties . . . . . . . . . . . . . . . . 37
1
3.2 Product Lines and Feature Diagrams . . . . . . . . . . . . . . . . 38
3.3 Product Line Model Checking . . . . . . . . . . . . . . . . . . . . 41
3.3.1 Featured Program Graphs and Transition Systems . . . . 41
3.3.2 Verifying ω-regular Properties on Featured Transition Sys-
tem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3.3 SNIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.3.4 ProVeLines 2 . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
II Contribution 50
4 Efficient Integration of a SAT Solver into ProVeLines 51
4.1 Clause Production . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.1.1 Tree Representation of Boolean Formulas . . . . . . . . . 51
4.1.2 Conversion into Equivalent CNF . . . . . . . . . . . . . . 52
4.1.3 Equisatisfiability and Tseitin Transformation . . . . . . . 53
4.1.4 Graph Representation of Boolean Formulas . . . . . . . . 57
4.1.5 Cache Mechanism . . . . . . . . . . . . . . . . . . . . . . 57
4.2 Incremental Solving . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.2.1 Principle of Incremental Solving . . . . . . . . . . . . . . 60
4.2.2 Solving Under Assumptions . . . . . . . . . . . . . . . . . 61
4.2.3 Incremental Algorithms . . . . . . . . . . . . . . . . . . . 62
4.2.4 SMT Solvers and Incremental Solving . . . . . . . . . . . 62
5 Experimental Results 67
5.1 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
5.1.1 Integrating SAT and SMT solvers . . . . . . . . . . . . . 67
5.1.2 Integrating fPromela in ProVeLines 2 . . . . . . . . . . . 68
5.2 Empirical Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.2.1 Minisat-based Configurations . . . . . . . . . . . . . . . . 72
5.2.2 Z3-based Configurations . . . . . . . . . . . . . . . . . . . 72
5.2.3 Observations . . . . . . . . . . . . . . . . . . . . . . . . . 73
5.2.4 Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Conclusion 75
2
Introduction
A software system is considered correct if it meets its design requirements. In
the case of a distributed software, made of several processes working together,
it is not always easy, or even practically possible, to verify that the system
matches its functional requirements. The most common approach to ensure
its correctness is testing. Tests can be realized on several abstraction levels:
Unit tests verify the correctness of individual modules, integration tests check
their proper cooperation and acceptance tests validate the functionalities of the
complete system with respect to the end user’s expectations. However, even
with an high test coverage, some bugs can survive. Errors like race conditions
and deadlocks are sometime hard to detect. They might for instance be triggered
due to the scheduling policy of the running operating system. In this case, they
might not even be reproducible on another platform.
Model checking is a formal verification technique that can, in some way,
prove the absence of mistakes. It requires two inputs: A behavioral specification
of the software system and a property in temporal logic. In return, a model
checker yields an example of execution of the system that violates the property,
or the certainty that no such execution exists. As one may expect, modeling a
distributed system is a critical step. The behavioral model should indeed include
all the information needed to decide on its correctness, as the communication
sequences between processes, and avoid computation details, as the complete
processing of the exchanged messages.
Model-checking tools have been applied with success in thousands of projects
[Hol04]. For instance, they can prove the validity of mutual exclusion algorithms,
such as Peterson’s Algorithm. Before the appearance of model checking, prov-
ing or disproving such algorithm could lead to long and ponderous hand-written
proofs. Now, concrete models of these algorithms can be checked against sev-
eral temporal properties. This set of properties can include the effectiveness
of mutual exclusion, i.e. that only one process at a time can enter a critical
section, the absence of deadlocks or the fairness between processes induced by
the verified algorithm.
A limitation of model checking is that it only allows one to verify the cor-
rectness of one single product. A modern approach when building software
systems is however to create a set of strongly correlated products called a prod-
uct line. Variants of a product line share common pieces or behaviors, and
are built from a common, managed set of assets. Reusing core assets from one
product to another allows one to benefit from economies of scale when devel-
oping a large number of products. A software product line is a product line
of software-intensive systems. The variability that can take place in a product
line is usually expressed in terms of features. Simply said, a feature is an asset
3
that can be included in a product and be missing in another. It usually defines
some set of additional functionalities that can be inserted to a specific product
to enhance it, or retrieved from another for incompatibility, economical or even
simplicity reasons. Developing a software product line is like developing a highly
configurable software system in which features can be activated or deactivated
depending on the target’s needs or specificities. Relations between features, as
dependencies or incompatibilities, are usually expressed in a feature diagram.
Verifying properties on a software product line requires to specify the behav-
ior of every single product of the product line and to verify them individually.
However, the number of variants in a product line tends to grow exponentially
with the number of features. Therefore, verifying products individually may
require a huge amount of time and be unfeasible in practice. To workaround
this, researchers from the University of Namur have adapted model-checking
algorithms to software product lines. The process requires three inputs: A
behavioral specification of the software product line, the feature diagram repre-
senting the variability of this product line, and a temporal property. In return, it
yields the set of products that violate the property or the certainty that no such
product exists. It also delivers an example of execution violating the property
for each concerned product. The proposed algorithms have been implemented
in a tool, named ProVeLines.
The aforementioned algorithms work as follows. The state-space of the prod-
uct line is explored starting an initial state and following a nested depth-first
search. On the other hand, the set of products that are actually able to go
through a particular path is represented using boolean formulas. In order to
avoid the verification of non existing products, these boolean formulas are often
checked for satisfiability.
The boolean satisfiability problem is arguably the most famous example of
NP-complete problem. Different algorithms and techniques have been proposed
to solve it. In ProVeLines, the retained approach is to represent boolean formu-
las using Binary Decision Diagrams (BDDs). However, ProVeLines has recently
been extended to support, in addition to standard boolean features, two addi-
tional types that are intensively used in practice: multi-features, i.e. features
that may appear several times in a given product, and numeric features. The
former entails changes only to the semantics of feature diagrams. The latter,
however, also raises the need for non boolean expressions. To this end, an SMT
solver has been integrated into ProVeLines to replace the BDD implementation.
SMT solvers are somehow the result of centuries of history in automated
reasoning. Philosophers like George Boole have for long tried to formalize the
law of thought, some of them dreaming about a machine to think, able to
compute the result of any problem, or to prove any theorem. Unfortunately,
the first order logic has been proved to be undecidable. In this context, SMT
solvers might be the most evolved tools that we can get. This kind of solvers
work by considering some subsets of the first order logic, like linear arithmetics
over the integers, called theories.
The integration of an SMT solver into ProVeLines revealed a large overhead
in verification time compared to the BDD implementation. Verifying a temporal
property, even on a fully boolean model, could indeed take until 96,144 % more
time using the SMT solver [CSHL13]. However, the cause of this problem is
unclear. The present thesis is an attempt to investigate and solve that problem.
In the Chapter 1, we expand on the boolean satisfiability problem. We in-
4
troduce several ways of representing boolean formulas and different algorithms
that we can use to quickly solve this problem. In particular, we mention BDDs
and SAT solvers, which are at the heart of SMT solvers. Chapter 2 introduces
the notion of theories, gives some examples, and presents the core algorithms
running SMT solvers. Chapter 3 briefly explain the theories and practices be-
hind ProVeLines and the mentioned software product-line model-checking algo-
rithms. Among others, the link between these algorithms and the satisfiability
problem is clarified. Chapter 4 presents a theoretical approach to efficiently
integrate a SAT solver into ProVeLines. This is seen as an intermediary step
between a BDD-based and an SMT-based implementation. As we shall see,
this allows us to define new model-checking algorithms aimed at better inte-
grate themselves with SAT and SMT solvers. In Chapter 5, we undertake the
implementation of this theoretical approach and a concrete empirical study.
5
Part I
Theoretical Background
6
Chapter 1
The Satisfiability Problem
The boolean satisfiability problem, often denoted SAT, was the first known
example of NP-complete decision problem. Other NP-complete problems have
been proved to be by direct or indirect reduction to this first one. Understanding
the satisfiability problem is therefore of paramount importance in the field of
computational complexity. It is also the starting point of this thesis.
Due to its theoretical hardness, people sometime considered pointless to look
for an efficient algorithm to solve it. However, different breakthroughs have, in
the late 90’s, renewed a common interest in solving the SAT problem on large
formulas. This chapter aims at introducing this problem and several techniques
to solve it, including the core algorithm of these so-called modern SAT solvers.
1.1 Boolean Functions and Satisfiability Prob-
lem
This section introduces the basic definitions needed in this chapter. These
definitions are adapted from [SS96] and [MMZ+01].
Let X = {xi}ni=1 be a set of n ∈ N boolean variables. A boolean function is
a function of the form f : Bn → B, where B = {⊥,>} is the boolean domain. It
can be represented by a well-formed formula. Any variable x ∈ X, as well as
both constants ⊥ and > are well-formed formulas. Moreover, if F and G are
both well-formed formulas, their negations ¬F and ¬G, their conjunction F ∧G,
their disjunction F ∨G, their implication F ⇒ G and their equivalence F ⇔ G
are all well-formed formulas. Henceforth, we simply call formula a well-formed
formula.
Let Y = {yi}mi=1 be a set of m ∈ N boolean variables. A truth assignment
A over Y is a mapping from the variables of Y to values from the boolean
domain. It can be equally represented by a function A : Y → B or by a set
A = {y → vy}y∈Y , where each variable y ∈ Y is mapped to the value vy ∈ B.
Let F be a formula over a set of variable X. The assignment A is complete with
respect to F if X ⊆ Y . It is partial otherwise.
Under a complete truth assignment, any formula F evaluates to either ⊥ or
>. The evaluation of F under A, denoted [A]F , is determined according to the
7
following rules:
[A]> = >
[A]⊥ = ⊥
[A]x = > if, and only if, A(x) = >
[A]¬F = > if, and only if, [A]F = ⊥
[A](F ∧G) = > if, and only if, [A]F = > and [A]G = >
[A](F ∨G) = > if, and only if, [A]F = > or [A]G = >
[A](F ⇒ G) = > if, and only if, [A]F = > implies [A]G = >
[A](F ⇔ G) = > if, and only if, [A]F = [A]G
If [A]F = >, A is called a satisfying assignment for F , and F is said to be
satisfied by A. If [A]F = ⊥, A is called an unsatisfying assignment for F , and F
is said to be unsatisfied by A. A formula F is said to be satisfiable if there exists
a satisfying assignment for it. It is said to be unsatisfiable otherwise. F is also
said to be valid , or tautological , if it is satisfied by any complete assignment. It
follows that a valid formula is always satisfiable.
The satisfiability problem, denoted SAT, is concerned with finding a satisfy-
ing assignment for a formula, or with proving that this formula is unsatisfiable.
This problem has been proved to be NP-complete by Cook [Coo71].
The validity problem is concerned with proving that a formula is valid, or
with finding an unsatisfying assignment for it. The validity problem is dual
with the satisfiability problem, as a formula F is satisfiable if, and only if, ¬F
is not valid. Moreover, a satisfying assignment for the former is an unsatisfying
one for the latter.
1.2 Normal forms
A boolean function can be represented by an infinite number of formulas.
Among those formulas, however, several subsets can be defined to enclose all
those that share a common syntactical form. These formulas are said to be in a
normal form. Keeping formulas in a normal form facilitates their manipulation
and allows one to easily determine some of their properties, as satisfiability and
validity. In this section, three kinds of normal forms are discussed: Negation
Normal Form, Conjunctive Normal Form and Disjunctive Normal Form.
1.2.1 Negation Normal Form
A formula is in Negation Normal Form, or NNF , if any negation operator ¬
appears before a single variable. A literal is a boolean variable or the negation
of one. Any literal is a formula in NNF. Moreover, if F and G are both formulas
in NNF, their conjunction F ∧ G, their disjunction F ∨ G, their implication
F ⇒ G and their equivalence F ⇔ G are all formulas in NNF. Their negations
¬F and ¬G, however, are not necessarily in NNF.
Any formula can easily be transformed in NNF by pushing the negation
8
symbols toward the variables, using the following set of transformation rules:
¬( n∧
i=1
Fi
) −→ n∨
i=1
¬Fi
¬( n∨
i=1
Fi
) −→ n∧
i=1
¬Fi
¬¬F −→ F
In these rules, the symbol −→ should be read as “is transformed in”. The
equivalence between the left hand side and right hand side of each of these
rules relies on the validity of either one of the De Morgan’s laws or the double
negation rule.
¬( n∧
i=1
Fi
)
=
n∨
i=1
¬Fi
¬( n∨
i=1
Fi
)
=
n∧
i=1
¬Fi
(De Morgan’s laws)
¬¬F = F (Double negation rule)
We will see that formulas in Disjunctive Normal Form or Conjunctive Nor-
mal Form are also, by definition, in Negation Normal Form. This form can
consequently be seen as less restrictive than, or a generalization of, the two
hereafter mentioned normal forms.
Example 1.2.1. The formula F = ¬(¬a∨ (a∧¬b)) is not in Negation Normal
Form, as the first negation symbol applies to the whole remaining formula. The
formula G = a ∧ (¬a ∨ b), however, is in NNF. G is actually obtained from F
by iterated application of the mentioned transformation rules. This process can
be observed in the following series of steps:
¬(¬a ∨ (a ∧ ¬b))
−→ (¬¬a ∧ ¬(a ∧ ¬b))
−→ (¬¬a ∧ (¬a ∨ ¬¬b))
−→ (a ∧ (¬a ∨ b))
The two first transformation steps rely on the De Morgan’s laws while the last
step is obtained by application of the double negation rule.
1.2.2 Conjunctive Normal Form
A formula is in Conjunctive Normal Form, or CNF , if it consists of a conjunction
of clauses. A clause is a disjunction of literals. Any formula F in CNF is
therefore of the form
F =
n∧
i=1
mi∨
j=1
li,j
where ∀i ∈ {1, 2, . . . n} : ∀j ∈ {1, 2, . . .mi} : li,j is a literal. As stated before, a
formula in CNF is also in NNF. The negation operator ¬ indeed appears only
in literals.
9
A formula in CNF is canonical if each of its clauses contains at most one
occurrence of a variable. Henceforth, we consider that any formula in CNF is
actually canonical. This goes without loss of generality given that
1. If a literal l appears several times in a clause, only one of these appearances
can be kept.
2. If, for a variable x, both literals x and ¬x appear in a clause, then this
clause is satisfied by any complete assignment and can be removed from
the original CNF.
This hypothesis allows us to consider the following result. A formula in CNF
is valid if, and only if, it is reduced to the empty conjunction of clauses. Indeed,
let us consider a formula F in CNF with a clause C such that
C =
m∨
i=1
li
Then any unsatisfying assignment for C is also an unsatisfying assignment for
F . Such assignment is easy to find. It only need to include the set {xi → vi}ni=1,
where for any i ∈ {1, . . . n}, xi is the variable of the literal li and vi the boolean
value that, assigned to this variable, makes this literal being evaluated to ⊥, i.e.
vi =
{ ⊥ if li = xi
> if li = ¬xi
A formula in CNF is often called, throughout this thesis, a clause database.
Example 1.2.2. Let us consider the formula F = (¬a ∨ c) ∧ (¬b ∨ ¬c ∨ d) ∧
(¬d∨f)∧(¬d∨g)∧(¬f ∨¬g). This formula is obviously in Conjunctive Normal
Form. Moreover, it is canonical. As it is not reduced to the empty conjunction
of clauses, i.e. it contains at least one clause, it is not valid. The first clause
¬a ∨ c is indeed unsatisfied by the assignment {a→ >, c→ ⊥}. Any complete
superset of it is therefore an unsatisfying assignment for F .
1.2.3 Disjunctive Normal Form
A formula is in Disjunctive Normal Form, or DNF , if it consists of a disjunction
of cubes. A cube is a conjunction of literals. Any formula F in DNF is therefore
of the form
F =
n∨
i=1
mi∧
j=1
li,j
where ∀i ∈ {1, 2, . . . n} : ∀j ∈ {1, 2, . . .mi} : li,j is a literal. As stated before, a
formula in DNF is also in NNF.
A formula in DNF is canonical if each of its cubes contains at most one
occurrence of a variable. Henceforth, we consider that any formula in CNF is
actually canonical. As for formulas in CNF, this goes without loss of generality.
Considering this hypothesis, a formula in CNF is unsatisfiable if, and only if, it
is reduced to an empty disjunction of cubes.
Conjunctive Normal Form and Disjunctive Normal Form are dual. Indeed,
negating a formula in CNF and transforming it in NNF by iterated application
10
of the rules mentioned in Section 1.2.1 yields a formula in DNF. Moreover, the
validity problem is easy to solve on CNF while the satisfiability problem is easy
on DNF. The duality between these two normals forms is therefore correlated
to the duality between these two problems. The actual hard remaining problem
is to solve the satisfiability problem over formulas in CNF, or in an equivalent
way, the validity problem over formulas in DNF. This challenge will be tackled
in the next section.
1.3 Satisfiability over CNF
The satisfiability problem over formulas in CNF is tackled by application pro-
grams often called SAT solvers. As we shall see, these tools have known major
improvements during the last decades. This section first introduces the classical
DPLL alogrithm before presenting the breakthroughs of the CDCL algorithm,
which is the core algorithm of most modern SAT solvers.
1.3.1 The DPLL Algorithm
The satisfiability problem over a clause database can be solved using a back-
tracking search algorithm. This was first published by Davis and Putnam as
part of a solver for the first order logic [DP60] [DLL62]. It is now known as the
Davis-Putnam-Logemann-Loveland , or DPLL, algorithm.
This algorithm maintains a truth assignment and tries to expand it until
reaching a complete and satisfying assignment for a clause database. During
this process, conflicts can arise that will force it backtrack. The algorithm
actually iterates through different sub-processes.
The decision process first extends the current truth assignment by making
a decision assignment , i.e. by selecting a free variable and a value for it. At
this stage, a decision tree is maintained. Each node in the decision tree specifies
a decision assignment. The decision level of a decision assignment is defined
as its depth in the decision tree. If no free variable remains, then the current
assignment is complete and satisfies the clause database. An example of decision
tree is shown in Figure 1.1.
Once a decision has been made, the deduction process extends the current
truth assignment by inferring some logical implications of this decision with
respect to the clause database. This inference mechanism relies on the presence
of asserting clauses. A clause is said to be asserting if all of its literals are
assigned to ⊥, except one. During the deduction process, the last free literal of
each asserting clause is assigned to >. This principle is called Basic Constraint
Propagation, or BCP. It is iterated until no asserting clause remains or until a
conflict arises. A conflict occurs when a clause is unsatisfied by BCP, i.e. when
all of its literals are propagated to ⊥.
Example 1.3.1. Let us consider the clause database F = a ∧ (¬a ∨ b) ∧ (¬a ∨
¬b). Under the empty truth assignment, the first clause a is asserting and the
assignment a→ > can be derived by BCP. The two other clauses then become
asserting. From the second clause, ¬a∨ b, the assignment b→ > is propagated.
However, this leads to a conflict as all the literals of the third clause are afterward
assigned to ⊥.
11
a→ ⊤
b→ ⊥
d→ ⊤ d→ ⊥
e→ ⊤
b→ ⊤
decision level 0
decision level 1
decision level 2
decision level 3
decision level 4
conflict
conflict
satisfied
Figure 1.1: Decision tree created by the DPLL algorithm in the example 1.3.2
The additional variable assignments derived during the deduction process
are called deduction assignments. The decision level associated with a deduction
assignment is defined as the decision level of the decision assignment that has
led to it.
If a conflict occurred during the deduction process, the backtracking process
undoes all the assignments made at the current decision level and go back to
the previous level in order for the opposite assignment to be tried. If it is not
possible to backtrack any further, then the clause database is not satisfiable.
The overall process is formalized in Algorithm 1. This procedure determines
whether a formula F in CNF is satisfiable or not. The procedure propagate first
applies BCP to the partial assignment A, which is initially empty, with respect
with the clause database F . If a conflict occurred during BCP, the process
tries to backtrack. The procedure backtrack undoes all variable assignments
made at the current decision level and returns the last decision assignment,
so that it can be reverted. If it is not possible to backtrack any further, the
process ends, returning false. If no conflict occurred, and if A is a complete
and satisfying assignment for F , the process stops, returning true. Finally, if no
conflict occurred and if A is not complete with respect to F , a decision is made.
The function decide returns an arbitrary variable assignment x→ v where x is
a free variable of F and v ∈ B. The process then restarts from the top of the
algorithm.
Example 1.3.2. Let us suppose that a satisfying assignment need to be found
for the clause database F = (¬a∨c)∧(¬b∨¬c∨d)∧(¬d∨e)∧(¬d∨f)∧(¬e∨¬f).
Let us also suppose that the decision process picks the variables alphabetically
and always tries to assign > first.
The decision tree produced by this scenario is shown in Figure 1.1. The
algorithm first decides the assignment of a to > and derives, as the first clause
¬a ∨ c becomes asserting, c → >. It then decides the value of b as being >,
propagates the assignment d → > due to the second clause, and runs into a
conflict, as e and f are propagated to > by the third and fourth clauses, leading
the last clause ¬e ∨ ¬f to be unsatisfied. This last decision is consequently
reverted. The process decides next to assign d to >, and runs into the exact
12
Algorithm 1 The DPLL Algorithm
boolean DPLL(cnf F )
Integer decisionLevel← 0
Assignment A← ∅
loop
propagate(A, F )
if a conflict occurred then
if decisionLevel = 0 then
return false
else
(x→ v)← backtrack(A, decisionLevel)
decisionLevel← decisionLevel − 1
A← A ∪ {x→ ¬v}
end if
else if A is complete then
return true
else
(x→ v)← decide(A, F )
decisionLevel← decisionLevel + 1
A← A ∪ {x→ v}
end if
end loop
same conflict, i.e. both e and f are propagated to >. This decision is therefore
also reverted. The last decision taken by the process, e→ >, leads to a complete
solution by propagating f to ⊥. The satisfying assignment found is {a → >,
b→ ⊥, c→ >, d→ ⊥, e→ >, f → ⊥}.
This algorithm actually falls twice into the same trap, as both conflicts
occurring during this run have the same root cause: d cannot, and should not,
be assigned to >. As we shall see, part of the power of modern solvers relies on
their ability to learn from that kind of mistakes.
1.3.2 The CDCL Algorithm
Over the past twenty years, several improvements have been made on top of
the DPLL algorithm. The most noticeable are clause learning and backjumping
[SS96], efficient propagation by use of lazy data structures and activity-based
heuristics [MMZ+01]. They result in what is commonly named the Conflict-
Driven Clause Learning , or CDCL, algorithm, which we present in this section.
Clause learning and backjumping
Clause learning and backjumping have first been introduced by Silva and Sakallah
with the GRASP (Generic seaRch Algorithm for the Satisfiability Problem)
solver [SS96]. Both mechanisms make use of a specific data structure main-
tained during the deduction process called the implication graph.
Let the deduction assignment x → vx be the result of an asserting clause
C. The antecedent assignments of x, denoted A(x), are defined as the set of
assignments over variables of C that have led C to become asserting. The
13
implication graph is a Directed Acyclic Graph (DAG) such that each vertex is
either a variable assignment or a special conflict vertex, denoted κ. The set
of predecessors of an assignment vertex y → vy correspond to the antecedent
assignments A(y). An assignment vertex without any predecessor therefore
corresponds to a decision assignment. A special conflict vertex κ is introduced
when a conflict occurs. Its predecessors are all the assignments over variables
of a clause which have led this clause to be unsatisfied. The implication graph
created from the first conflict occurring in example 1.3.2 is presented in Figure
1.2.
a→ ⊤ c→ ⊤
b→ ⊤ d→ ⊤ e→ ⊤
f → ⊤ κ
decision level 1
decision level 2
decision level 0
first
UIP
cut
Figure 1.2: Implication graph produced by the first conflict occurring in example
1.3.2
When a conflict arises, a so-called conflict clause is generated by the anal-
ysis process and added to the clause database. The analysis process creates a
partition of all the nodes in the implication graph by cutting it in half, putting
all the decision assignments on one side, called the reason side, and the conflict
vertex κ on the other side, called the conflict side. The conflict clause is then
generated by taking all the assignments in the reason side that have at least
one outgoing edge targeting an element of the conflict side. Let Ac be this set
of assignments. The conflict clause Cc is then defined as
Cc =
∨
(x→v)∈Ac
lx
where
lx =
{
x if v = ⊥
¬x if v = >
Several learning schemes have been introduced in the literature, each one
characterized by its way of creating the aforementioned partition. In the First
Unique Implication Point , or FUIP , scheme [SS96], the reason side is the largest
set such that only one assignment made at the highest decision level in which
a variable of the unsatisfied clause has been assigned has an outgoing edge
targeting an element of the conflict side. This scheme is by far the most widely
used and has empirically proved its efficiency [ZMMM01]. This clause can be
further strengthened by a minimizing process [SB09], which we do not detail
here.
Example 1.3.3. The implication graph created from the first conflict occurring
in Example 1.3.2 is presented in Figure 1.2. It is partitioned according to the
14
FUIP scheme. One can see that the two edges crossing the partition line actually
come from the same assignment d→ >. The conflict clause generated from this
graph by the mentioned scheme is therefore composed of the only literal ¬d.
Such clause, containing only one literal, is called a unit clause. It has the
particularity to be always asserting, even under the empty truth assignment.
A conflict clause is always a logical implication of the original clause database
and, consequently, its addition does not modify the set of satisfying assignment
of the original formula. As we shall see, however, conflict clauses facilitates the
deduction process by improving the deductive power of the overall formula.
Let F1 and F2 be two equivalent set of clauses. We say that F1 has a
deductive power greater than or equal to F2 relative to BCP if and only if
[HS07]
1. For any variable assignment A that leads to a conflict in F2, A also leads
to a conflict in F1.
2. For any variable assignment A that does not lead to a conflict in F2 and
any literal l such that l is derivable by BCP from A and F2, l is also
derivable from A and F1.
Let suppose that a conflict occurred due to an unsatisfied clause Cu. Let us
note L the highest decision level in which a variable of Cu has been assigned
and Cc the conflict clause produced by the analysis process using the FUIP
scheme. By construction, all the literals of Cc are assigned to ⊥, exactly one
of them at the decision level L, all the others at decision levels lower that
L. The backjumping process therefore undoes all variable assignments made at
decision levels higher or equal to L and the conflict clause is added to the clause
database. At this stage, this new clause becomes asserting. Its addition to
the clause database consequently increases the deductive power of the original
formula by allowing BCP to produce an additional deduction assignment. For
this reason, conflict clauses are also characterized as 1-empowering [PD11]. It
is noteworthy that L could not correspond to the highest decision level reached
by the process. This case can only take place when the conflict in question is
produced as a direct consequence of the addition of a clause due to a previous
conflict. In this situation, the backjumping process actually undoes several
decision levels, pruning an entire area of the decision tree.
Example 1.3.4. Let us go back to the conflict clause generated in Example
1.3.3. Once the clause ¬d has been produced by the analysis process, the back-
jumping process undoes all the assignments made at decision level 2 and the
conflict clause is added to the clause database. The deduction assignments ¬d
and ¬b are consequently derived by BCP. From that state, any decision would
lead the algorithm to a complete and satisfying assignment.
The resulting CDCL algorithm is presented in Algorithm 2. This procedure
is very close to the one presented in Algorithm 1. We can however observe
the appearance of the analyze function, producing a new clause when a conflict
occurs. The highestLevel function then determines the highest decision level in
which a variable of this clause has been assigned, and the backjump function
undoes all the assignments made at decision levels higher or equal to this decision
level. The process stops, returning false, when an empty clause is produced by
the analysis process.
15
Algorithm 2 The CDCL Algorithm
boolean CDCL(cnf F )
Integer decisionLevel← 0
Assignment A← ∅
ImplicationGraph I
loop
propagate(A, F , I)
if a conflict occurred then
Clause C ← analyze(I)
if C is empty then
return false
end if
decisionLevel← highestLevel(C)
backjump(decisionLevel, A, I)
else if A is complete then
return true
else
(x→ v)← decide(A, F )
decisionLevel← decisionLevel + 1
A← A ∪ {x→ v}
end if
end loop
This algorithm omits a large number of details concerning the building blocks
of modern SAT solvers. The following sections introduces some techniques and
heuristics widely used in this area.
Clause Removal Policy
The clause learning mechanism can lead to an exponential growth of the clause
database. Indeed, a modern SAT solver can produce several thousands of con-
flict clauses per second, and it may run for hours. That kind of situation can
lead to a huge number of learned clauses that can actually slow down the prop-
agation process. Hence, the implementers often face a trade-off between clause
learning empowering and fastness of BCP. Several strategies can be considered,
two of the most common being
1. Conflict clauses of length greater than a chosen integer k are only kept
around and used for backjumping. Consequently, they are deleted as
soon as they contain more than one free literal. Using this, the worst-
case growth become polynomial in the number of variables in the clause
database. This strategy was used by the GRASP solver [SS96].
2. An activity score is associated to each learned clause. The score of a clause
is incremented when it is used during the analysis process. Inactive clause
are then periodically removed. This strategy is used in the Minisat SAT
solver [ES03a].
16
Activity Heuristic
The choice of assignments to make during the decision process is of paramount
importance. Some decisions may indeed lead the algorithm to a straightforward
solution while others lead to a long series of conflicts and backtracking. The
decision process, however, can only rely on heuristics. A good decision heuristic
should ideally find a good balance between the search of an optimal choice and a
short execution time. In that matter, the Variable State Independent Decaying
Sum, or VSIDS , heuristic appears as an efficient solution [MMZ+01].
This mechanism can be described as follows. Each literal is associated with
an activity score, initialized to 0. When a conflict clause is added to the clause
database, the score associated with each literal of the clause is incremented.
Periodically, all scores are divided by a constant. During the decision process,
the unassigned literal with the highest score is assigned to >. Ties are broken
randomly.
The actual implementation of this strategy can widely vary from one solver
to another. In [ES03a], for instance, track of a score is not kept for each literal,
but only for each variable. The choice of the assigned value is then purely
arbitrary. We have here described the heuristic as it was first published by
Moskewicz et al. Moreover, even if this mechanism has empirically proved its
efficiency, there is still no theoretical evidence of it. An intuitive explanation
is that the VSIDS heuristic forces the solver to decide on conflicting variables,
keeping hammering them until finding the appropriate assignments.
Watched Literals Scheme
During the deduction process, it is necessary to identify all the asserting clauses
of a clause database. Giving the size that can be reached by such a formula, a
simple traversal of it, scanning all clauses, could only deliver a poor efficiency.
In that context, the watched literals scheme [MMZ+01] has appeared as a quick
mechanism to identify all new asserting clauses. The idea is to pick for every
clause in the database an arbitrary couple of literals of it and to consider them as
being watched. While none of these two literals are assigned to ⊥, the associated
clause is guaranteed not to become asserting. However, when one of the two
watched literals is assigned to ⊥, one of the three following scenarios must occur:
1. The clause is already satisfied, meaning that at least one of its literals is
assigned to >. The clause can therefore not become asserting.
2. The clause is neither satisfied nor asserting. Consequently, it still contains
at least two unassigned literals, one of them being unwatched. This latter
one can be used to replace the newly assigned literal as watched literal.
3. The clause is asserting and should be propagated.
The use of the watched literals scheme can greatly diminish the propagation
time. Moreover, at the time of backtracking, there is no need for the search
process to modify or replace the watched literals. Consequently, reassigning
a variable that has recently been unassigned will tend to be fast. This can
represent a significant gain of time when conflicts are likely to arise.
Example 1.3.5. Let C be a clause such that C = a∨¬b∨¬c∨d. The first two
literals are watched literals. When the variable c is assigned to >, the clause is
17
not even scanned, as c is not watched. However, if a is additionally assigned to
⊥, we fall in the second scenario, and a new watched literal has to be selected.
The literal d is picked. When b is also assigned to >, the third scenario occurs
and d is propagated. This series of steps is illustrated in Figure 1.3.
a ¬b ¬c dC:
A: ∅
(a)
a ¬b ¬c dC:
A: {c→ ⊤}
(b)
a ¬b ¬c dC:
A: {a→ ⊥, c→ ⊤}
(c)
a ¬b ¬c dC:
A: {a→ ⊥, b→ ⊤, c→ ⊤}
(d)
Figure 1.3: The watched literal scheme applied to the clause a ∨ ¬b ∨ ¬c ∨ d
Restart Heuristic
Restarts are parts of another heuristic mechanism used with the CDCL algo-
rithm. It was included in the GRASP [SS96] and Chaff [MMZ+01] solvers. The
idea is to stop the current resolution process and restart it while keeping some
information acquired during the previous run, such as learned clauses and activ-
ity scores. Consequently, the algorithm does not follow the same path, taking
different decisions. Furthermore, one can add a certain amount of randomness
in the decision process to help in the selection of distinct paths.
The insight behind this method is that the search process can be stuck in a
unproductive area of the search space, where previous decisions inevitably lead
to conflicts. Rebooting the overall process could then allow the solver to get out
of this area. In order to maintain the completeness of the algorithm, the restart
period is usually extended each time it occurs. The process could otherwise
restart infinitely.
1.4 Binary Decision Diagrams
A Binary Decision Diagram, or BDD , is a representation for boolean functions
first introduced by Bryant [Bry86] which can be used to solve the satisfiability
problem on arbitrary formulas.
1.4.1 Principles and Canonicity
Let us first recall the definition of a strict total order. A strict total order ≺
over a set of elements X is a binary relation over this set which is
1. transitive: ∀x, y, z ∈ X : (x ≺ y) ∧ (y ≺ z)⇒ x ≺ z
18
2. trichotomous: ∀x, y ∈ X exactly one of the three statements x ≺ y, y ≺ x
and x = y is true
Lets X = {xi}ni=1 be a set of boolean variables and ≺ a strict total order
over that set. An Ordered Binary Decision Diagram, or OBDD , over 〈X,≺〉
is defined as a Directed Acyclic Graph (DAG) with the following properties.
Each terminal vertex is labeled with either > or ⊥. Each non terminal vertex is
labeled with a boolean variable x ∈ X and has two outgoing edges. The target
of the first edge is called the high value while the second target is called the low
value. Moreover, if any of these targets is also a non terminal node, its label
y ∈ X must be such that x ≺ y. Therefore, when following a path in the graph
from the root to a leaf, variables must appear according to the order defined by
≺. Example of OBDDs are shown in Figure 1.4.
a
b
c
d⊤
⊥
⊥
⊤
b
c
⊤ d
⊥ ⊤
(a) OBDD
a
bc
d
⊥⊤
(b) ROBDD
Figure 1.4: An unconstrained OBDD and an ROBDD, both representing the
boolean formula (¬a ∨ b) ∧ (¬c ∨ d)
Each OBDD represents a boolean formula or, equivalently, a boolean func-
tion. The formula F encoded by an OBDD with root vertex v can be recursively
described as follows:
1. If v is a terminal vertex, then
(a) If v is labeled with ⊥ then F = ⊥
(b) If v is labeled with > then F = >
2. If v is a non terminal vertex labeled with the variable x then F = (¬x ∧
Flow) ∨ (x ∧ Fhigh), where Flow and Fhigh are respectively the formulas
defined by the low and high values of v.
According to the Shanon’s expansion law [Sha38], every boolean function can
be represented by an OBDD. This law indeed states that every boolean formula
F containing a boolean variable x can be rewritten as (¬x ∧ F¬x) ∨ (x ∧ Fx)
where F¬x is the formula obtained by instanciating x to ⊥ in F and Fx the
formula obtained by instanciating x to > in F .
19
An OBDD can contain some redundancy, as several subgraphs could be
isomorphic. Two OBDDs are isomorphic if there roots also are. Two vertices
v1 and v2 are isomorphic if one of the following conditions is satisfied:
1. Both v1 and v2 are terminal vertices and are labeled with the same value,
i.e. either ⊥ or >.
2. Both v1 and v2 are non terminal vertices and are labeled with the same
variable. Their high values are isomorphic and so are their low values.
The isomorphism of non terminal nodes is thus a recursive property: it can only
be determined on the basis of their children.
A Reduced Ordered Binary Decision Diagrams, or ROBDD , is an OBDD
with the following properties:
1. Isomorphic but distinct sub-graphs are forbidden. This means that two
isomorphic subgraphs must always have the same root and share the same
data structure.
2. The high value of a non terminal vertex must be distinct from its low-value.
This property forces to remove all irrelevant nodes from the diagram.
These two properties allow ROBDDs to be in a so-called canonical form.
The canonicity property states that, given a strict total order on the set of
variables, a boolean function can only be represented by one ROBDD. Seen
another way, if a boolean function is represented by more than one ROBDD,
all of them are isomorphic. This principle is of paramount importance as it
allows one to rapidly identify several properties of the boolean function behind
an ROBDD. In particular, it is noteworthy that
1. an unsatisfiyable boolean function can only be represented by an ROBDD
consisting of only one terminal vertex labeled with the value ⊥.
2. a valid boolean function can only be represented by an ROBDD consisting
of only one terminal vertex labeled with the value >.
3. all other ROBDD represent boolean function that are neither unsatisfiable
nor valid.
In that last case, a satisfying assignment can easily be retrieved by following
a path ending with a node labeled with >. An ROBDD is commonly simply
called a BDD. We also take this convention in the rest of this thesis.
Example 1.4.1. Let ≺ be a strict total order such that a ≺ b ≺ c ≺ d. Figure
1.4 shows two representations of the boolean formula (¬a ∨ b) ∧ (¬c ∨ d). In
both sub-figures, the plain edges correspond to low values while dashed edges
correspond to high values. Figure 1.4a represents an unconstrained OBDD over
≺, which contains several redundancies due to isomorphic sub-graphs. Figure
1.4b, on the other hand, does not. It actually depicts the only ROBDD over ≺
associated with this boolean function.
20
1.4.2 Operations on BDD’s
When using BDDs, one must be able to manipulate them by performing boolean
operations. The implementation of the negation is straightforward, as one only
needs to negate the values labeling the terminal nodes of the original BDD.
This simple manipulation is indeed sufficient to invert the sets of satisfying
and unsatisfying assignments. We can show this by considering a proof by
induction on the size of the BDD. For a BDD consisting of only one terminal
node, negating the value labeling this node indeed results in negating the BDD.
Let us now consider a BDD with a non terminal root vertex v. As mentioned
before, the formula F represented by this BDD is defined as being F = (¬x ∧
Flow) ∨ (x ∧ Fhigh), where Flow and Fhigh are respectively the formulas defined
by the low and high values of the vertex v. Let us suppose that negating the
values labeling the terminal vertices of the low and high values of v is sufficient
to negate the formulas that they encode. In this case, the formula represented
by the BDD of root vertex v becomes
(¬x ∧ ¬Flow) ∨ (x ∧ ¬Fhigh)
= ¬(x ∨ Flow) ∨ ¬(¬x ∨ Fhigh)
= ¬((x ∨ Flow) ∧ (¬x ∨ Fhigh))
= ¬((x ∧ Fhigh) ∨ (¬x ∧ Flow) ∨ (Flow ∧ Fhigh))
= ¬((x ∧ (Fhigh ∨ (Fhigh ∧ Flow)) ∨ (¬x ∧ (Flow ∨ (Flow ∧ Fhigh))))
= ¬((x ∧ Fhigh) ∨ (¬x ∧ Flow))
= ¬F
Binary operations are more difficult. Algorithm 3 returns the result of an
arbitrary binary boolean operation ◦ on two BDDs of roots v1 and v2. Let x be
a boolean variable. Then, for two formulas F1 = (¬x ∧ F 1low) ∨ (x ∧ F 1high) and
F2 = (¬x ∧ F 2low) ∨ (x ∧ F 2high), the resulting formula F1 ◦ F2 can be rewritten,
by Shanon’s expansion, as
F1 ◦ F2 = (¬x ∧ (F 1low ◦ F 2low) ∨ (x ∧ (F 1high ◦ F 2high) (1)
In the case of two formulas F1 and F2 such that F1 = (¬x∧ F 1low)∨ (x∧ F 1high)
and that F2 is free of the variable x, F1 ◦ F2 can be be rewritten, again by
Shanon’s expansion, as
F1 ◦ F2 = (¬x ∧ (F 1low ◦ F2)) ∨ (x ∧ (F 1high ◦ F2)) (2)
In Algorithm 3, the val function returns the label of a terminal node, while the
var function returns the variable labeling a non terminal vertex. The functions
low and high respectively return the low and high values of a non terminal
vertex. Finally, the makeVertex(v) function creates a vertex from a boolean
value v while the makeVertex(v, v1, v2) builds a vertex labeled with the variable
v and having v1 and v2 as high and low values. The idea of the algorithm is
to recursively apply the two mentioned logical equivalences until reaching the
terminal nodes of the BDDs. When v1 and v2 are both terminal vertices, the
operation ◦ is simply applied on their labels. If v1 and v2 are both non terminal
vertices labeled with the same variable, Equation 1 is applied. If v1 and v2 are
such that var(v1) ≺ var(v2), or such that only v2 is a terminal vertex, then the
BDD of root v2 is free of the variable var(v1), and Equation 2 is applied.
21
Algorithm 3 The Apply operation
vertex Apply(operation ◦, vertex v1, vertex v2)
if v1 and v2 are both terminals then
return makeVertex(val(v1) ◦ val(v2))
else if v2 is terminal or var(v1) ≺ var(v2) then
return makeVertex(var(v1), Apply(◦, high(v1), v2), Apply(◦, low(v1), v2))
else if v1 is terminal or var(v2) ≺ var(v1) then
return makeVertex(var(v2), Apply(◦, v1, high(v2)), Apply(◦, v1, low(v2)))
else
return makeVertex(var(v1), Apply(◦, high(v1), high(v2)), Apply(◦,
low(v1), low(v2)))
end if
One should note that Algorithm 3 returns a BDD that should be reduced.
However, we do not describe the reduction operation here.
Conclusion
In this chapter, we introduced the boolean satisfiability problem and several
computing procedures that can be used to solve it. In particular, we expanded
on SAT solvers and BDDs. These tools are at the heart of the challenge tackled
by this master thesis. As we shall see, a deep understanding of their core
algorithms is sometimes needed to use them efficiently.
22
Chapter 2
Satisfiability Modulo
Theories
When dealing with complex constraints, the propositional logic can be limiting.
For instance, expressing constraints over integer or rational numbers in proposi-
tional logic may require to use a binary encoding. Therefore, the use of a higher
level language seems sometimes more natural.
Unfortunately, the first-order logic, i.e. the logic that includes predicate
symbols, is undecidable. To workaround this limit, we can consider smaller
sub-sets of it, called theories. The goal of this chapter is to introduce the
basic concepts of the first-order logic, the notion of theory, and the common
architectures of so-called SMT solvers.
2.1 First-Order Logic
This section introduces the syntax and semantics of the first-order logic, and
expands on the satisfiability and validity problem. These definitions are adapted
from [Gan13a].
2.1.1 Syntax And Semantics
A first-order language L is a triple 〈C,F ,R〉 where C is a set of constant symbols,
F a set of function symbols and R a set of relation symbols, also called predicate
symbols. Each function symbol, as well as each predicate symbol, is associated
with a natural number called its arity.
Let V be a set of variables. The set of terms T of a first-order language
L = 〈C,F ,R〉 is recursively defined as follows.
1. Any value from C, as well as any variable in V , is a term.
2. If {ti}ni=1 is a set of n ∈ N0 terms and if f is a function symbol from F
with arity n ∈ N0, then f(t1, t2, . . . tn) is a term.
An atomic formula, or atom, over the first-order language L is an expression
p(t1, t2, . . . tm) where p is a predicate symbol of arity n ∈ N0 and {ti}ni=1 a set
of terms. A well-formed formula of L is a boolean composition of atoms. Any
23
atom over L is a well-formed formula. Moreover, if F and G are both well-
formed formulas, their negations ¬F and ¬G, their conjunction F ∧ G, their
disjunction F ∨ G, their implication F ⇒ G and their equivalence F ⇔ G are
also well-formed formulas. Finally, if F is a well-formed formula, its existential
quantification over a variable x ∈ V , denoted ∃x : F , and its universal quantifi-
cation over x, denoted ∀x : F , are both well-formed formulas. Henceforth, we
simply call formula any well-formed formula.
In the formula ∃x : F , as well as in the formula ∀x : F , the sub-formula F
is called the scope of the quantifier. An occurrence of a variable in a formula is
bound if, and only if, it is in the scope of some quantifier over that variable. It
is free otherwise. A formula with no free variable is said to be closed. A closed
formula is also called a sentence. A formula with free variables is called open.
Example 2.1.1. Let p and q be two predicate symbols and x and y two vari-
ables. Then, the formula ∀x : (p(x) ⇒ q(x)) is a sentence. The variable x is
always in the scope of the quantifier ∀. The formula ∀x : (p(x)⇒ q(y)), on the
other hand, is open, because the variable y is free.
The universe of discourse Ω is a set of objects of interest. It often refers to
objects or concepts from the real world and is used to build an interpretation.
An interpretation I for a first-order language L = (C,F ,R) is a function defined
over the set of symbols C ∪ F ∪R such that
1. ∀c ∈ C : I(c) ∈ Ω
2. ∀f ∈ F : I(f) : Ωn → Ω where n is the arity of f
3. ∀r ∈ R : I(r) : Ωn → B where n is the arity of r and B = {⊥,>} is the
boolean domain.
A structure S = 〈Ω, I〉 for a first-order language consists of a universe of dis-
course Ω paired with an interpretation I. An variable assignment A is a mapping
from the variables of V to values from the universe of discourse Ω. It can equally
be represented by a function A : V → Ω or by a set A = {x→ vx}x∈V .
Under a structure S = 〈Ω, I〉 and a variable assignment A, any term t of
a first-order language L = (C,F ,R) evaluates to a value from the universe of
discourse Ω. The evaluation of t under S and A, denoted 〈S,A〉(t), is determined
according to the following rules:
1. ∀c ∈ C : 〈S,A〉(c) = I(c)
2. ∀x ∈ V : 〈S,A〉(x) = A(x)
3. ∀f ∈ F of arity n ∈ N0 and ∀t1, t2, . . . tn ∈ T :
〈S,A〉(f(t1, t2, . . . tn)) = I(f)(〈S,A〉(t1), 〈S,A〉(t2), . . . 〈S,A〉(tn))
In a similar way, under a structure S = 〈Ω, I〉 and a variable assignment A,
any formula F evaluates to either ⊥ or >. The evaluation of F under S and A,
denoted 〈S,A〉(F ), is performed according to the following rules:
∀r ∈ R of arity n ∈ N0 and ∀t1, t2, . . . tn ∈ T :
〈S,A〉(r(t1, t2, . . . tn)) = I(r)(〈S,A〉(t1), 〈S,A〉(t2), . . . 〈S,A〉(tn))
24
〈S,A〉(¬F ) = > if, and only if, 〈S,A〉(F ) = ⊥
〈S,A〉(F ∧G) = > if, and only if, 〈S,A〉(F ) = > and 〈S,A〉(G) = >
〈S,A〉(F ∨G) = > if, and only if, 〈S,A〉(F ) = > or 〈S,A〉(G) = >
〈S,A〉(F ⇒ G) = > if, and only if, 〈S,A〉(F ) = > implies 〈S,A〉(G) = >
〈S,A〉(F ⇔ G) = > if, and only if, 〈S,A〉(F ) = 〈S,A〉(G)
〈S,A〉(∃x : F ) = > if, and only if, there exists a value v ∈ Ω such that
〈S,A ∪ {x→ v}〉(F ) = >
〈S,A〉(∀x : F ) = > if, and only if, all values v ∈ Ω are such that
〈S,A ∪ {x→ v}〉(F ) = >
The fact 〈S,A〉(F ) = > is also denoted by S,A |= F . A structure S is
a model of a formula F , denoted S |= F , if for any variable assignment A,
S,A |= F .
Example 2.1.2. Let us consider the formula p(x) ∨ q(x). Let also S = 〈Ω, I〉
be a structure such that Ω = {,♦,©} and
1. I(p)() = >
2. I(p)(♦) = >
3. I(p)(©) = ⊥
4. I(q)() = ⊥
5. I(q)(♦) = ⊥
6. I(q)(©) = >
Under the assignment A = {x → }, we have 〈S,A〉(p(x)) = I(p)(A(x)) =
I(p)() = > and 〈S,A〉(q(x)) = I(q)(A(x)) = I(q)() = ⊥. Consequently, we
also have 〈S,A〉(p(x) ∨ q(x)) = >. As a matter of fact, the latter also holds for
the two other possible variable assignments A′ = {x→ ♦} and A′′ = {x→©}.
The structure S is therefore a model of F .
2.1.2 The Satisfiability Problem
A formula F in a first-order language is satisfiable if there exists a structure S
and a complete variable assignment A such that S,A |= F . It is unsatisfiable
otherwise. F is also said to be valid if any structure S and any variable assign-
ment A are such that S,A |= F . The satisfiability problem is concerned with
finding a structure S and a variable assignment A for a formula F such that S,
A |= F , or with proving that this formula is unsatisfiable. The validity problem
is concerned with proving that a formula is valid, or with finding a structure
S and a variable assignment A such that 〈S,A〉(F ) = ⊥. As for propositional
logic, the satisfiability problem is dual with the validity problem: a formula F
is satisfiable if, and only if, ¬F is not valid. A valid formula is also called a
theorem.
The satisfiability and validity problems of a first-order formula are undecid-
able. This was first published by both Church [Chu36] and Turing [Tur36]. It
is however possible to build a computing procedure that will eventually confirm
any theorem, but will seek forever in the case of a non valid formula. This was,
for instance, the approach taken by Davis and Putnam [DP60] when publishing
their work at the basis of the DPLL algorithm. The satisfiability and validity
problems are thus semi-decidable.
25
2.2 Theories
Although the first-order logic is undecidable, some its subsets, called theory, are
decidable. The definitions and results introduced in this section are adapted
from [Gan13b]. A theory T is characterized by a signature ΣT and a set of
axioms AT . The signature ΣT is a set of constant, function and predicate
symbols while the axioms of AT are first-order sentences involving the symbols
in ΣT .
A structure S = 〈Ω, I〉 is a model for a theory T , also called a T-model , if
for all axiom A in AT , S |= A. A T -model is thus a model for the axioms of the
theory T . A formula F is satisfiable modulo theory T if there exists a T -model
M and a variable assignment A such that M,A |= F . It is unsatisfiable modulo
theory T otherwise. A formula F is valid modulo theory T if for all T -models
M and for all variable assignments A, M,A |= F .
Example 2.2.1. Let us suppose a theory N with the signature ΣN = {zero,
next, plus} where zero is a constant symbol, next a function symbol of arity 1
and plus a predicate symbol of arity 3. The list of axioms of N , denoted AN ,
is as following:
A1: ∀x : plus(x, zero, x)
A2: ∀x, y, z :
(
plus(x, y, z)⇒ plus(x, next(y), next(z)))
Let also the structure S = 〈N, I〉 be such that
1. I(zero) = 0
2. ∀n ∈ N : I(next)(n) = n+ 1
3. ∀n,m, l ∈ N : I(plus)(n,m, l) = > if, and only if, n+m = l
Then, S is a N -model. Indeed, for all variable assignments A = {x→ n}, where
n ∈ N, we have
〈S,A〉(plus(x, zero, x)) = I(plus)(A(x), I(zero), A(x))
= I(plus)(n, 0, n)
= >
as n+ 0 = n. Consequently, S |= A1. We can also prove that S |= A2.
2.3 Common Theories
In order to better illustrate the previous section, this one introduces some com-
mon theories and related results. The definitions and results introduced in this
section are adapted from [Gan13b] and [Gan07].
2.3.1 Theory of Equality with Uninterpreted Functions
The theory of equality with uninterpreted functions TEUF is characterized by
the signature ΣEUF , including the only predicate symbol = of arity 2. For any
couple of terms t1 and t2, we note t1 = t2 the atomic formula (=)(t1, t2). The
set of axioms AEUF is listed below:
26
1. Reflexivity: ∀x : x = x
2. Symmetry: ∀x, y : ((x = y)⇒ (y = x))
3. Transitivity: ∀x, y, z : (((x = y) ∧ (y = z))⇒ x = z)
Additionally, an atom is added to AEUF for any function symbol f of interest
using the following pattern:
∀x1, . . . xn, y1, . . . yn :
(( n∧
i=1
xi = yi
)⇒ f(x1, . . . xn) = f(y1, . . . yn))
This property is called function congruence. Similarly, an atom is added to
AEUF for any predicate symbol p of interest, using the following pattern:
∀x1, . . . xn, y1, . . . yn :
(( n∧
i=1
xi = yi
)⇒ p(x1, . . . xn)⇔ p(y1, . . . yn))
This property is called predicate congruence.
These two rules are not really atoms, as they must be instanciated and added
to AEUF for every function and predicate symbols. Such pattern is usually called
an axiom schema.
Example 2.3.1. Let us consider the formula
F = p(f(x)) ∧ (x = y) ∧ (f(y) = f(z)) ∧ ¬p(f(z))
Due to x = y, and by function congruence, we know that f(x) = f(y). Moreover,
as f(y) = f(z), and by transitivity, we have f(x) = f(z). Therefore, as p(f(x))
and by predicate congruence, we have p(f(z)), which is obviously inconsistent
with the last statement ¬p(f(z)) of F . This formula is consequently unsatisfiable
modulo theory TEUF .
2.3.2 Presburger Arithmetic
Presburger arithmetic is the common denomination of a theory TPresburger en-
coding addition and equality over natural integers. It was named after Mojz˙esz
Presburger, who first introduced it. Its signature is ΣPresburger = {0, 1,+,=},
where 0 and 1 are constant symbols, + a function symbol of arity 2 and = a
predicate symbol of arity 2. For any couple of terms t1 and t2, we note t1 = t2
the atomic formula (=)(t1, t2). We also note t1 + t2 the term (+)(t1, t2). The
set APresburger of axioms of this theory includes reflexivity, symmetry and tran-
sitivity of =, as defined in Section 2.3.1. It also includes the following axioms:
1. ∀x : ¬(x+ 1 = 0)
2. ∀x : x+ 0 = x
3. ∀x, y : (x+ 1 = y + 1)⇒ x = y
4. ∀x, y : x+ (y + 1) = (x+ y) + 1
27
These axioms are completed by the axiom schema(
p(0) ∧ (p(x)⇒ p(x+ 1)))⇒ p(x+ 1)
where p must be replaced by any predicate symbol of interest.
Let FPresburger be the subset of first-order formulas using only the constant,
function and predicate symbols from ΣPresburger. Then the validity problem
modulo TPresburger over formulas of FPresburger is decidable. Its complexity
is however super exponential, i.e. in O(22n) where n is the size of the for-
mula [FR74]. Common artifacts from linear arithmetic, such as subtraction and
inequalities, can easily be expressed in the language FPresburger.
Example 2.3.2. Let us consider the formula in linear arithmetic 1 − 2 < 0.
This formula can be rewritten as 1 < 2, or even further as ∃x : 1 + x = 1 + 1.
The formula is therefore an atom from FPresburger.
2.3.3 Peano arithmetic
Peano arithmetic is the theory TPeano with signature ΣPeano = {0, 1,+,×,=},
where 0 and 1 are constant symbols, + and × function symbols of arity 2 and
= a predicate symbol of arity 2. It was named after Giuseppe Peano who
axiomatized arithmetic over natural numbers. As for Presburger arithmetic, for
any couple of terms t1 and t2, we note t1 = t2 the atomic formula (=)(t1, t2).
We also respectively note t1 + t2 and t1× t2 the terms (+)(t1, t2) and (×)(t1, t2).
The set of axioms APeano contains all the axioms of Presburger arithmetic in
addition to the following two:
1. ∀x : x = 0
2. ∀x, y : x× (y + 1) = (x× y) + x
Note that the induction axiom schema of Presburger arithmetic also applies.
Let FPeano be the subset of first-order formulas using only the constant,
function and predicate symbols from ΣPeano. Then the validity problem modulo
TPeano over items of FPeano is undecidable.
2.4 SMT Solvers
The current techniques used to solve the satisfiability problem modulo a given
theory T for a formula F can be divided in three categories [GHN+04] [NOT06].
All of them rely on an implementation of the CDCL algorithm.
2.4.1 The Eager Approach
In the eager approach, the formula F is translated, by a satisfiability-preserving
transformation, into a boolean function Feager in Conjunctive Normal Form.
This operation is referred to as encoding , or bit blasting. The satisfiability of
Feager is then verified by a SAT solver. If there exists a satisfiying assignment
for Feager, a variable assignment satisfying F is built from it.
The strength of this approach is that it can always use of the best available
off-the-shelf SAT solvers. Its weakness lies in the lack of flexibility. It is indeed
28
necessary to create a new ad-hoc translation procedure for each new included
theory.
The alternative approaches explained below are commonly considered as
more efficient [NOT06]. However, the eager approach is still used in modern
SMT solvers, especially when dealing with the theory of bit-vectors, which we
do not explain here. An example of modern SMT solver based on this approach
is STP [GD07].
2.4.2 The Lazy Approach
In the lazy approach, each atom occurring in the formula F is initially replaced
by a boolean variable, forgetting about the theory T . This transformation
produces a boolean formula Flazy, which is in turn translated into a boolean
formula Fcnf in CNF. As for the eager approach, a SAT solver is called to decide
the satisfiability of Fcnf . If this formula is unsatisfiable, then F is unsatisfiable
modulo theory T . However, if the formula Fcnf is satisfiable, then the satisfying
assignment A produced by the SAT solver is transformed into a conjunction of
literals Clazy by
Clazy =
∧
(x→vx)∈A
lx
where
lx =
{
x if vx = >
¬x if vx = ⊥
The literals of Clazy are then replaced by the initial atomic formulas that they
were abstracting in order to produce the conjunction of atoms C. This result is
fed to a dedicated decision procedure called a T-solver , which is able to solve the
satisfiability modulo theory T problem on a conjunction of atomic formulas. If
C is satisfiable modulo T , the T -solver delivers a satisfying variable assignment
for it, which is also a satisfying variable assignment for F . If C is unsatisfiable
modulo T , the T -solver determines an inconsistent set of atoms of C, which we
denote by Aunsat. Then a so-called theory lemma L is defined by
L =
∨
a∈Aunsat
¬a
Again, each atom occurring in L is replaced by its corresponding boolean vari-
able to produce a clause, which is added to the clause database Fcnf . This
process is repeated until either a satisfying variable assignment for F is found,
or F is proved to be unsatisfiable.
Example 2.4.1. Let us suppose that we need to decide the satisfiability modulo
the theory of linear arithmetic TLA of the formula
F = (x > 0) ∧ ((x = 7) ∨ (x < 5))
In the above presented method, the formula is first abstracted by the boolean
formula Flazy = a∧(b∨c), which is already in CNF. This formula is fed to a SAT
solver, producing the satisfying truth assignment {a→ >, b→ >, c→ >}. The
conjunction of atomic formulas C is then created as (x > 0)∧ (x = 7)∧ (x < 5)
and given to a specific solver for linear arithmetic. As C is unsatisfiable modulo
29
TLA, the inconsistent set of atoms Aunsat = {x = 7, x < 5} is returned. The
clause ¬b∨¬c is therefore added to the clause database Flazy and the SAT solver
is restarted. The SAT solver delivers the second truth assignment {a → >,
b → >, c → ⊥} and the conjunction of atoms x > 0 ∧ x = 7 ∧ x ≥ 5 is passed
to the TLA-solver. This solver finally yields {x → 7} as a satisfying variable
assignment for F .
2.4.3 The DPLL(T) Architecture
The DPLL(T) architecture is a refinement of the lazy approach that leverage
a finer integration between the T -solver and the SAT solver. In this approach,
the T -solver provides an interface which is used by the SAT solver all along the
resolution process. In a nutshell, as for the lazy approach, a boolean formula
Fcnf is produced by abstracting the original formula F and the SAT solver is
called. Each time the SAT solver makes a decision, the corresponding atom
is asserted in the T -solver. When the set of assertions becomes unsatisfiable
modulo theory T , the SAT solver backtracks. Following this strategy, if the
SAT solver finds a satisfying assignment for the boolean formula, the original
formula is satisfiable modulo theory T . The theory solver can also propagate
theory-specific deduction assignments. However, we do not describe the com-
plete DPLL(T) architecture here. Example of modern SMT solvers based on
this approach are Z3 [DMB08] and CVC4 [BCD+11].
Conclusion
In this chapter, we first introduced the first-order logic and its undecidability
result. We then showed how theories allow one to workaround this result by
considering smaller sets of structures. Finally, we have briefly presented the
possible architectures behind SMT solvers. In particular, we demonstrated the
importance of SAT solvers in these architectures.
30
Chapter 3
Software Product-Line
Model Checking
Model checking is a formal verification technique that allows one to check the
model of a system of interest against temporal properties. It requires two inputs:
A behavioral specification of the system and a temporal property to verify on
it. As we shall see, the actual formalisms used to express these inputs vary.
In return, a model checker yields an example of execution of the system that
violates the property, or the certainty that no such execution exists.
During the past few years, researchers from the University of Namur have
proposed extensions of model-checking algorithms designed to deal with software
product lines (SPL). A SPL is a highly configurable software system that can
be adapted to the specific needs of several organizations. The variability in a
SPL can be represented by boolean formulas, so that the satisfiability problem
plays a major role in the mentioned algorithms.
This chapter first introduces the classical LTL model-checking algorithms,
before generalizing them to software product lines.
3.1 LTL Model Checking
This section introduces the basic concepts of LTL model checking. A more
detailed presentation of this technique can be found in [BK08], from which
most of the definitions and examples of this section are inspired.
3.1.1 Program Graphs and Transition Systems
The behavior of a software system can be modeled by a program graph (PG).
Such graph is not meant to include all the computation details of a software
system, but only those who are relevant for the properties that one wants to
verify. Let V be a set of a variables. Let also A(V ) denote the set of all possible
variable assignments over V and F (V ) the set of all possible formulas over the
variables in V . A program graph PG over V is a graph in which each transition
is labeled with both an action and a condition from F (V ), and where each
action has an effect over the variables in V . Formally, PG is defined as a tuple
〈Loc,Act, Effect, T rans, Loc0, f0〉 where
31
1. Loc is a set of locations
2. Act is a set of actions
3. Trans ⊆ (Loc× F (V )×Act× Loc) is the conditional transition relation
4. Effect : Act×A(V )→ A(V ) is the effect function
5. Loc0 ⊆ Loc is the set of inital locations
6. f0 ∈ F (V ) is the initial condition
This graph represents a process that can start in a location l0 ∈ Loc0, with
an initial variable assignment satisfying f0. This process then moves in the
space of locations by taking transitions and by executing the actions labeling
these transitions. Each executed action has an effect on the current variable
assignment. For a transition to be executable, the current variable assignment
must satisfies the condition labeling this transition.
Example 3.1.1. Let us consider the embedded software system of a very simple
beverage vending machine. This machine delivers either tea or coffee and has
a limited capacity of two cups of each. After reaching this limit, it must be
refilled. The program graph describing the behavior of the system is presented
in Figure 3.1. This representation makes use of a notation close to UML State
Diagrams. The set of states is S = {Start, Select}. The only initial state is
represented with a incoming edge with no source. Edges are labeled with actions
from the set Act = {receive coin, return coin, serve coffee, serve tea, refill}.
The guards between brackets are the conditions that must hold on the variables
from the set V = {ncoffee, ntea} for the corresponding action to be available.
The effect function is represented by sets of statements after forward slashes. We
can observe that the machine automatically returns money when it cannot serve
any drink. We here consider the initial condition as being ncoffee = ntea = 2.
Start
Select
receive coin
return coin
[ncoffee = 0 ∧ ntea = 0]
serve tea[ntea > 0] serve coffee[ncoffee > 0]
/ ncoffee ← ncoffee − 1/ ntea ← nntea − 1
refill
/ ncoffee ← 2 ; ntea ← 2
Figure 3.1: Program graph describing the embedded software system of a very
simple beverage vending machine
The semantics of a program graph can be defined as being a transition
system. A transition system (TS) is defined as a tuple 〈S,Act, T rans, I, AP,L〉
where
32
1. S is a set of states
2. Act is a set of actions
3. Trans ⊆ (S ×Act× S) is the transition relation
4. I ⊆ S is the set of initial states
5. AP is a set of atomic propositions
6. L : S → P(AP ) is the labeling function, where P(AP ) is the powerset of
AP , i.e. the set of all subsets of AP .
Let TS(PG) denote the transition system translating the program graph
PG = 〈Loc,Act, Effect, T ransPG, Loc0, f0〉 over the set of variables V . It is
defined as the tuple 〈S,Act, T ransTS , I, AP,L〉 where
1. S = Loc×A(V )
2. TransTS is the smallest relation such that
(l, f, α, l′) ∈ TransPG a |= f
((l, a), α, (l′, Effect(α, a)) ∈ TransTS
3. I = {(l, a) | l ∈ Loc0 ∧ a |= f0}
4. AP = Loc ∪ F (V )
5. L((l, a)) = {l} ∪ {f ∈ F (V ) | a |= f}
The possible states of the software process defined by a program graph, in
terms of locations and variable assignments, is therefore fully defined by the set
of states of the transition system. The above definition includes a potentially
infinite set of atomic propositions AP . However, a small subset of them is
generally enough.
Example 3.1.2. Figure 3.2 shows the transition system generated from the
program graph presented in Example 3.1.1. One can observe that, as a state
from the transition system is made from an element of the cartesian product
between Loc and A(V ), the size of this structure has grown exponentially with
the number of variables in V .
A terminal state s of a transition system TS = 〈S,Act, T rans, I, AP,L〉 is
a state s in S such that {s′ ∈ S | ∃α ∈ Act : (s, α, s′) ∈ Trans} = ∅. In this
work, we make the hypothesis that no such state exists in a TS. An execution of
TS is an infinite alternating sequence of states and actions (si, αi)i>0 such that
s1 ∈ I and ∀i > 0 : (si, αi, si+1) ∈ Trans. A path of TS is an infinite sequence
of states (si)i>0 such that ∃α1, α2, . . . ∈ Act : (si, αi)i>0 is an execution of TS.
A trace of TS is an infinite sequence of sets of atomic propositions (L(si))i>0
such that (si)i>0 is a path of TS. We denote by Traces(TS) the set of all traces
of TS.
33
(Start, {ncoffee → 2, ntea → 2})
(Select, {ncoffee → 2, ntea → 2})
(Start, {ncoffee → 1, ntea → 2}) (Start, {ncoffee → 2, ntea → 1})
(Select, {ncoffee → 1, ntea → 2}) (Select, {ncoffee → 2, ntea → 1})
(Start, {ncoffee → 1, ntea → 1})(Start, {ncoffee → 0, ntea → 2}) (Start, {ncoffee → 2, ntea → 0})
(Select, {ncoffee → 0, ntea → 2}) (Select, {ncoffee → 1, ntea → 1}) (Select, {ncoffee → 2, ntea → 0})
(Start, {ncoffee → 1, ntea → 0})
(Select, {ncoffee → 1, ntea → 0})
(Start, {ncoffee → 0, ntea → 1})
(Select, {ncoffee → 0, ntea → 1})
(Start, {ncoffee → 0, ntea → 0})
(Select, {ncoffee → 0, ntea → 0})
receive coin
receive coin receive coin
receive coin receive coin receive coin
receive coin receive coin
receive coin return coin
serve tea
serve teaserve tea
serve teaserve tea
serve coffee
serve coffee
serve coffee
serve coffee
serve coffee serve coffee
serve tea
refillrefill
Figure 3.2: Transition system generated from the program graph presented in
Example 3.1.1
3.1.2 Linear Time Properties and Temporal Logic
Let Sω denote the set of all possible infinite sequence of elements from an
arbitrary set S. This means that Sω regroups all sequences of the form (si)i>0
where ∀i > 0 : si ∈ S.
A linear time property over a set of atomic propositions AP defines a set
of correct traces P ⊆ P(AP )ω. A transition system TS over AP satisfies the
property P if Traces(TS) ⊆ P . This is denoted by TS |= P .
Let AP be a set of atomic propositions. The set of all linear temporal logic,
or LTL, formulas over AP is defined recursively as follows. Both constants ⊥
and >, as well as all elements a ∈ AP , are LTL fomulas. Moreover, if F and
G are both LTL formulas, then ¬F , F ∧ G, F ∨ G, F ∪ G, ©F , ♦F and F
are all LTL formulas. The semantics of an LTL formula F over AP is the set
of infinite sequences Words(F ) = {A ∈ P(AP )ω | A |= F} where the relation
34
|= is defined by
A |= >
A 6|= ⊥
A |= a if, and only if, a ∈ A1
A |= ¬F if, and only if, A 6|= F
A |= F ∧G if, and only if, A |= F and A |= G
A |= F ∨G if, and only if, A |= F or A |= G
A |=©F if, and only if, (Ai)i>1 |= F
A |= F ∪G if, and only if,
∃k ≥ 0 :
((∀j ∈ {0, . . . k − 1} : (Ai)i>j |= F ) ∧ ((Ai)i>k |= G))
A |= ♦F if, and only if, A |= > ∪ F
A |= F if, and only if, A |= ¬♦¬F
where A = (Ai)i>0 ∈ P(AP )ω, a ∈ AP and F , G are LTL formulas. Let
a, b ∈ AP . Figure 3.3 shows six LTL formulas with six infinite sequences in
P(AP )ω satisfying them.
. . .B |= ©a . . .
. . .C |= a ∪ b . . .
. . .. . .{a}A |= a A :
{a} {a}
{a}
{a} {b}
∅ ∅ ∅ ∅
∅ ∅ ∅ ∅
∅
B :
C :
. . .B |= a . . .
. . .C |= ♦a . . .
. . .. . . {a}D |= ♦a D :
{a}
∅ ∅∅ ∅
∅
B :
C :
{a}{a}{a}{a}
∅ ∅ {a} {a}
Figure 3.3: Semantics of several LTL formulas
A transition system TS verifies F , denoted TS |= F if TS |= Words(F ) or,
equivalently, if Traces(TS) ⊆Words(F ). For any LTL formula F , the language
of infinite words Words(F ) can be recognized by a Bu¨chi automaton. Bu¨chi
automata are introduced in the next section.
3.1.3 Bu¨chi Automata
A Non-deterministic Bu¨chi Automaton, or NBA, is a tuple A = 〈Q,Σ,∆, Q0, F 〉
where
35
1. Q is a set of states
2. Σ is a set of symbols called the alphabet
3. ∆ ⊆ (Q× Σ×Q) is the transition relation
4. Q0 ⊆ Q is the set of initial states
5. F ⊆ Q is the set of accepting states
An accepting run of a an NBA A = 〈Q,Σ,∆, Q0, F 〉 is an infinite sequence
(qi)i>0 ∈ Qω such that ∀i > 0 : ∃α ∈ Σ : (qi, α, qi+1) ∈ ∆ and such that qi ∈ F
for infinitely many values i > 0. An infinite word w = (αi)i>0 over the alphabet
Σ is accepted by A if there exists an accepting run (qi)i>0 such that ∀i > 0 : (qi,
αi, qi+1) ∈ ∆. The language of an NBA A, denoted L(A), is composed from all
words accepted by A. A language L is said to be ω-regular if, and only if, there
exists a Bu¨chi automaton A such that L(A) = L.
Example 3.1.3. Let us consider the Bu¨chi automaton presented in Figure
3.4. The initial state is represented with an incoming edge with no source.
The accepting state is shown with a double line border. We can see that this
automaton accepts all infinite words over the alphabet {a, b} containing an
infinite number of occurrences of b, i.e. the language (a∗b)ω.
1 2
b
a
a b
Figure 3.4: Bu¨chi automaton recognizing the language (a∗b)ω
There are important differences between finite automata and NBAs. First,
a finite automaton is meant to work on finite words while a Bu¨chi automaton
runs on infinite ones. Second, an execution of a finite automaton is accepting
if ending in a terminal state. A word is accepted by a Bu¨chi automaton when
going through accepting states infinitely many times. Third, contrary to finite
automata, deterministic Bu¨chi automata are generally not as expressive as non
deterministic ones.
The notion of Buˆchi automaton can be generalized. A generalized non deter-
ministic Bu¨chi automaton, or GNBA, is basically a Bu¨chi automaton with sev-
eral sets of accepting states {Fi}ni=1. An accepting run of a GNBA G = 〈Q,Σ,∆,
Q0, {Fi}ni=1〉 is an infinite sequence (qi)i>0 ∈ Qω such that ∀i > 0 : ∃α ∈ Σ : (qi,
α, qi+1) ∈ ∆ and such that ∀j ∈ {1, . . . n} : qi ∈ Fj for infinitely many values
i > 0. For any GNBA G, there exists a NBA A such that A and G accept the
same language. The set of languages accepted by GNBAs is therefore the set of
ω-regular languages. GNBAs reveal to be practical when dealing with temporal
logic. For any LTL formula F , we can indeed define an GNBA recognizing the
language Words(F ).
36
Example 3.1.4. The GNBA recognizing the LTL formula F =©a is presented
in Figure 3.5. One should note that their is no sets of accepting states. Ac-
cording to the definition of a GNBA, this means that every run is accepting.
Consequently, any infinite word associated with a valid run of the GNBA is ac-
cepted by it. However, as there are only two initial states, all infinite sequences
(si)i>0 ∈ P(AP )ω such that a 6∈ s2 cannot be associated with a valid run of this
automaton.
{a,©a} {a,¬© a}
{¬a,©a} {¬a,¬© a}
a
a
¬a
¬a
a¬a
a
¬a
Figure 3.5: Bu¨chi automaton for the LTL formula ©a
3.1.4 Verifying ω-regular Properties
Let TS = 〈S,Act, T rans, I, AP,L〉 be a transition system and P an ω-regular
property over the set of atomic propositions AP . We want to verify if TS |= P ,
i.e. if Traces(TS) ⊆ P . This can be rewritten as Traces(TS)∩(P(AP )ω \P ) =
∅, or even further as Traces(TS) ∩ ¬P = ∅. The set of ω-regular languages
is closed under complementation. Consequently, ¬P is also ω-regular. Let
A = 〈Q,Σ,∆, Q0, F 〉 be a Bu¨chi automaton recognizing ¬P . The verification
comes down to verifying that Traces(TS)∩L(A) = ∅. To do so, we consider the
synchronous product between the transition system and the Bu¨chi automaton.
The synchronous product between TS and A is the transition system TS ⊗
A = 〈S′, Act, T rans′, I ′, AP ′, L′〉 such that
1. S′ = S ×Q
2. AP ′ = Q
3. ∀(s, q) ∈ S′ : L′(s, q) = {q}
4. Trans′ is the smallest relation such that
(s, α, s′) ∈ Trans (q, L(s), q′) ∈ ∆
((s, q), α, (s′, q′)) ∈ Trans′
37
5. I ′ = {(s, q) ∈ S′ | s ∈ I}
Then, the verification problem is reduced to checking that
TS ⊗A |= ♦
∧
q∈F
¬q
This means that there must not exists, in TS ⊗A, any cycle reachable from an
initial state s0 in I
′ and including a state sf such that L′(sf ) ⊆ F . We can
verify this through an exhaustive exploration of the state space of TS ⊗A.
This search process can be realized by a state-space traversal algorithm.
This method consists in two nested depth-first search procedures. The first one,
called the outer depth-first search, is started from an initial state s0. When it
has fully expanded a state s such that L′(s) ⊆ F , the outer search calls the
second procedure, called the inner depth-first search. The inner search then
visits all states reachable from s that is has not visited before. If there exists a
state s′ reachable from s such that s′ is in the path currently occupied by the
outer search process, then there exists a cycle reachable from s0 and including
s, which is labeled by a state in F . The property P is thus violated by TS. If no
such state s′ is reachable, the inner search exits and the outer search continues.
This nested depth-first algorithm is presented in Algorithm 4. This algo-
rithm calls the outer-search function on all initial states of TS ⊗A. The outer-
search function is defined in Algorithm 5. It maintains a set of visited states
visitedInOuter and a stack of states outerStack. When an unvisited state s′
is reachable from the state s at the top of the stack, s′ is added in both the
stack and the set of visited states, and the process continues. When no such
state s′ exists, and if L′(s) ⊆ F , the algorithm calls the inner-search procedure.
Afterwards, the procedure backtracks. The inner-search function is defined in
Algorithm 6. It follows the same traversal strategy than the outer-search func-
tion. However, if it reaches a state contained in outerStack , the stack of states
of the outer-search procedure, then it returns true, which means that a cycle
has been found and that the property P is violated.
Algorithm 4 Nested Depth-First Search Algorithm
boolean ndfs()
for all s0 ∈ I ′ do
if outer-search(s0) then
return true
end if
end for
return false
During the past few years, researchers from the University of Namur have
adapted these algorithms to software product lines. The following section in-
troduces the notion of product line.
3.2 Product Lines and Feature Diagrams
A product line is a set of related products manufactured by a single organization.
Variants of a product line share common pieces or behaviors, and are built
38
Algorithm 5 Outer Depth-First Search
boolean outer-search(State s0)
Stack outerStack ← emptyStack()
Set visitedInOuter ← ∅
Set visitedInInner ← ∅
push(outerStack, s0)
visitedInOuter ← visitedInOuter ∪ {s0}
while not empty(outerStack) do
State s← top(outerStack)
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ (s′ 6∈ visitedInOuter) then
push(outerStack, s′)
visitedInOuter ← visitedInOuter ∪ {s′}
else
if L′(s) ⊆ F then
if inner-search(s, visitedInInner, outerStack) then
return true
end if
end if
pop(outerStack)
end if
end while
return false
Algorithm 6 Inner Depth-First Search
boolean inner-search(
State s0, Set visitedInInner, Stack outerStack)
Stack innerStack ← emptyStack()
push(innerStack, s0)
visitedInInner ← visitedInInner ∪ {s0}
while not empty(innerStack) do
State s← top(innerStack)
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ (s′ 6∈ visitedInInner) then
if in(outerStack, s′) then
return true
end if
push(innerStack, s′)
visitedInInner ← visitedInInner ∪ {s′}
else
pop(innerStack)
end if
end while
return false
39
from a common, managed set of assets. Reusing core assets from one product
to another allows one to benefit from economies of scale when developing a
large number of products. A software product line is a product line of software-
intensive systems. The variability that can take place in a product line is usually
expressed in terms of features. Simply said, a feature is an asset that can
be included in a product and be missing in another. It usually defines some
set of additional functionalities that can be inserted to a specific product to
enhance it, or retrieved from another for incompatibility, economical or even
simplicity reasons. Developing a software product line is like developing a highly
configurable software system in which features can be activated or deactivated
depending on the target’s needs or specificities.
Relations between features, as dependencies or incompatibilities, are usually
expressed in a feature diagram. Feature diagrams have first been introduced by
Kang et al. [KCH+90] and have received a formal semantic from Schobbens
et al. [SHT06]. A feature diagram can be defined as a tuple d = 〈F, r,DE, λ〉
where
1. F is a set of features
2. r ∈ F is the root features, also called the concept
3. DE ⊆ F × F is the decomposition relation
4. The structure 〈F,DE〉 defines a directed tree of root r
5. ∀f ∈ F : λ(F ) is a boolean function Bn → B where n = |{f ′ ∈ F | (f, f ′) ∈ DE}|
A product of a product line expressed by a feature diagram d = 〈F, r,DE,
λ〉 is a set of feature P ⊆ F . A product P is valid with respect to d, denoted
P |= d, if
1. The concept is in P : r ∈ P
2. All features of P , except the concept, must have their predecessors in P :
∀(p, f) ∈ DE : (f ∈ P ⇒ p ∈ P )
3. For all feature f ∈ P , the boolean function λ(f) is satisfied: Let {fi}ni=1 =
{f ′ ∈ F | (f, f ′) ∈ DE}, then λ(f)(f1 ∈ P, . . . fn ∈ P ) = >
The function λ thus restricts, for an included feature, the set of possible incor-
porated children.
The semantics of a feature diagram can be seen as a boolean formula over
the set of features F . The formula translating the feature diagram d is indeed
r ∧ ( ∧
(p,f)∈DE
(f ⇒ p)) ∧ ( ∧
f∈F
Fλ(f)
)
where Fλ(f) is a boolean formula representing the boolean function λ(f). A
valid product is then as simple as a satisfying assignment for this formula.
Feature diagrams are, however, often represented graphically as trees. The
formal semantics introduced before is therefore important to bridge the gap
between graphical representation and formal logic. Henceforth, a formula over
a set of considered features is called a feature expression.
40
Example 3.2.1. Let us consider a product line of beverage vending machines.
These machines can sell tea, coffee, or both. Each type of drinks is considered
as a feature. If the corresponding feature is activated, it is possible to cancel
an order. High-end products might also be equipped with a motion sensor that
checks whether the user has effectively taken his cup before processing a new
order. A machine may finally deliver beverages for free to the owners of special
badges. The set of features of interest is here {Coffee, Tea, Cancel, Badge,
Sensor}. The feature diagram d = 〈F, r,DE, λ〉 is presented in Figure 3.6.
The set of features is F = {V ending Machine,Beverage, Coffee, Tea, Cancel,
Badge, Sensor}. Vending Machine is the concept and Beverage a composite
feature introduced for hierarchical decomposition. The feature expression de-
scribing this product line is
V ending Machine ∧Beverage ∧ (Coffee ∨ Tea)
A valid product is e.g.
{V ending Machine,Beverage, Coffee,Badge, Sensor}
which corresponds to the satisfying assignment
{V ending Machine→ >, Beverage→ >, Coffee→ >,
T ea→ ⊥, Badge→ >, Sensor → >}
Vending Machine
Beverage
Coffee Tea
Cancel Badge Sensor
Mandatory feature
Optional feature
And ( ∧ ) function
Or ( ∨ ) function
Figure 3.6: Feature diagram describing a product line of beverage vending ma-
chines
3.3 Product-Line Model Checking
3.3.1 Featured Program Graphs and Transition Systems
Verifying properties on a software product line using the model-checking algo-
rithms introduced in Section 3.1.4 requires to specify the behavior of every single
product of the product line and to verify them individually. However, the num-
ber of variants in a product line tends to grow exponentially with the number
41
of features. Indeed, each time a feature is added, the number of product is po-
tentially doubled. Therefore, verifying product individually may require a huge
amount of time and be unfeasible in practice. To address this problem, exten-
sions of program graphs and transition systems have been proposed [CHS+10].
These extensions can be used to specify the behaviors of all the products of a
product line in one single model.
A featured program graph (FPG) over a set of variable V is defined as a tuple
FPG = 〈Loc,Act, Effect, T rans, Loc0, f0, d, γ〉 where
1. 〈Loc,Act, Effect, T rans, Loc0, f0〉 is a program graph over V
2. d = 〈F, r,DE, λ〉 is a feature diagram
3. ∀t ∈ Trans : γ(t) is a feature expression over the set of features F
The semantics of an FPG is defined as being a featured transition system. A
featured transition system (FTS) is defined as a tuple FTS = 〈S,Act, T rans, I,
AP,L, d, γ〉 where
1. 〈S,Act, T rans, I, AP,L〉 is a transition system
2. d a feature diagram
3. ∀t ∈ Trans : γ(t) is a feature expression over the set of features F
Let FTS(FPG) denote the transition system translating the featured program
graph FPG = 〈Loc,Act, Effect, T ransPG, Loc0, f0, d, γPG〉 over the set of vari-
ables V . It is defined as the tuple 〈S,Act, T ransTS , I, AP,L, d, γTS〉 where
1. S,Act, I, AP,L are defined as in Section 3.1.1.
2. TransPG is the smallest relation, and γTS the labeling function, such that
t = (l, f, α, l′) t ∈ TransPG a |= f
t′ = ((l, a), α, (l′, Effect(α, a)) t′ ∈ TransTS γTS(t′) = γPG(t)
Each transition in an FPG or an FTS is annotated with a feature expression
that describes the set of products that can execute this transition. The pro-
jection of the featured transition system FTS = 〈S,Act, T rans, I, AP,L, γ〉 to
a product P , denoted FTS|P , is the transition system TS = 〈S,Act, T rans|P ,
I, AP,L〉 obtained from FTS by removing all transition t ∈ Trans such that
P is not allowed to execute t, i.e. such that P 6|= γ(t). The set Trans|P is
thus defined as {t ∈ Trans | P |= γ(t)}. Therefore, the projection of an FTS
describes the behavior of one product of the product line.
Example 3.3.1. Let us consider again the product line described in Example
3.2.1. The behaviors of the different beverage vending machines are expressed in
the FTS exposed in Figure 3.7. The feature expressions labeling the transitions
are expressed after forward slashes. For instance, an additional step after serving
a cup is executed for the products with the feature Sensor. The projection
of this featured transition system on the product P = {V ending Machine,
Beverage, Coffee, Tea,Badge, Sensor} is shown in figure 3.8.
42
S1 S2 S3
pay change
badge/Badge
S5
S4
chooseTea
/Tea
serveTea
/Tea
S6
serveCoffee
/Coffee
chooseCoffee
/Coffee
cancel/Cancel
end/Sensor take/Sensor
end/¬Sensor
S7
Figure 3.7: FTS for the product line of beverage vending machines described in
Example 3.2.1
S1 S2 S3
pay change
badge
S5
S4
chooseTea serveTea
S6
serveCoffeechooseCoffee
end take
S7
Figure 3.8: Projection of the FTS presented in Figure 3.7 on the product
{V ending Machine,Beverage, Coffee, Tea,Badge, Sensor}
3.3.2 Verifying ω-regular Properties on Featured Transi-
tion System
Let FTS = 〈S,Act, T rans, I, AP,L, d, γ〉 be a featured transition system and P
an ω-regular property over the set of atomic propositions AP . We want to verify
if ∀Prod ⊆ F such that Prod |= d : TS|Prod |= P , i.e. if Traces(TS|Prod) ⊆
P . We also want to avoid verifying products individually. To address this,
Classen et al. defined an algorithm inspired from the one presented in Section
3.1.4. Let A = 〈Q,Σ,∆, Q0, F 〉 be a Bu¨chi automaton recognizing the language
Words(¬P ). The synchronous product between FTS and A is the featured
transition system FTS ⊗A = 〈S′, Act, T rans′, I ′, AP ′, L′, d, γ′〉 such that
1. S′, Act, I ′, AP ′, L′ are defined as in Section 3.1.4
2. Trans′ is the smallest relation, and γ′ the labeling function, such that
t = (s, α, s′) ∈ Trans t ∈ Trans (q, L(s), q′) ∈ ∆
t′ = ((s, q), α, (s′, q′)) t′ ∈ Trans′ γ′(t′) = γ(t)
43
As in Section 3.1.4, a nested depth-first search algorithm is performed to look
for a cycle reachable from an initial state s0 in I
′ and including a state sf such
that L′(sf ) ⊆ F . However, only some products of the product line defined by
the feature diagram d might be able to follow a specific path in the FTS. For this
reason, the algorithm maintains a feature expression e representing the set of all
products that can follow the currently expanded path. This feature expression is
obtained by accumulating those labeling the taken transitions. Two differences
takes place compared to Algorithm 4:
1. Any time a transition is taken, we must verify that there exists at least
one product that can actually follow the path currently expanded by the
algorithm. Such product exists if the feature expression e∧d is satisfiable,
i.e. if there exists a satisfying assignment for both the current feature
expression e and the feature diagram d.
2. When a state s is reached for a second time, it may happen that it has
already been visited for a different set of products. For this reason, the
feature expression f for which s is visited is stored during the process.
When s is reached again by the algorithm, the procedure continues for the
set of products satisfying e ∧ d but not satisfying f , i.e. those satisfying
e ∧ ¬f ∧ d.
The resulting algorithm is presented in Algorithm 7. This algorithm calls
the featured-outer-search function on all initial states of FTS ⊗ A and returns
a feature expression representing the set of products violating the property P .
The featured-outer-search function is presented in Algorithm 8. This algorithm
is similar to Algorithm 5. It maintains a set of visited states visitedInOuter,
a stack outerStack, a mapping outerTable between visited states and feature
expressions, and a feature expression badProducts representing the set of prod-
ucts violating the property P . Elements of the stack are composed from a state
s ∈ S′, a feature expression e, and the set of taken transitions from the state
s. When an unvisited state s′ is reachable from the state s at the top of the
stack, and the transition is executable by a valid product, s′ is added in the
stack outerStack, the set of visited states visitedInOuter, and the mapping
outerTable, and the process continues. The existence of a valid product is veri-
fied by the sat function, performing a satisfiability check on the current feature
expression. When s′ has already been visited by a set of features f , ¬f is added
to the current feature expression, and a new satisfiability check is performed.
When no such state s′ exists, and if L′(s) ⊆ F , the algorithm calls the featured-
inner-search procedure. Afterwards, the procedure backtracks. The featured-
inner-search function is defined in Algorithm 9. It follows the same traversal
strategy than the featured-outer-search function. However, if it reaches a state
contained in outerStack , the stack of states of the featured-outer-search proce-
dure, then it adds the current feature expression to the set of violating product
badProducts. To avoid verifying the same products several times, satisfiability
checks are also performed in conjunction with ¬badProducts.
These algorithms have successively been implemented in two model checkers:
SNIP and ProVeLines 2.
44
Algorithm 7 Featured Nested Depth-First Search Algorithm
FeatureExp fndfs()
FeatureExp badProducts← ⊥
for all s0 ∈ I ′ do
badProduct← badProducts ∨ featured-outer-search(s0)
end for
return badProducts
3.3.3 SNIP
SNIP has first been introduced by Classen et al [CCH+12] as a model checker for
software product lines. Featured program graphs are specified using fPromela,
a feature-aware extension of Promela, the input language of the SPIN model
checker [Hol04]. The syntax of Promela is close to imperative programming
languages such as C or Pascal. fPromela extends it with additional constructs
to guard statements with feature expressions. Feature diagrams are represented
using TVL, a text-based language for expressing variability [CBH11]. SNIP is
coded in C and follows the architecture presented in Figure 3.9. Dashed edges
represent dependencies. The core of SNIP is divided into several layers that have
access to a set of libraries. These libraries are external tools called from the core
of SNIP, implementing several aspects of the model checker. LTL formulas are
parsed and translated into Bu¨chi automata using the LTL 2 BA library [GO01].
Boolean functions are represented by BDDs from the CU Decision Diagram, or
CUDD , package.
Interface (main.c)
Algorithm (checking.c)
fPromela Semantics (execution.c)
States (state.c)
Parsing (automata.c, symbols.c)
Core
Boolean Function (boolFct.h)
Satisfiability (sat.h)
TVL Library (tvl.h)
LTL Library (ltl.h)
Libraries
Figure 3.9: A simplified sketch of the architecture of the SNIP model checker
In the past few years, the functionalities of SNIP have been extended in
many directions. The tool now includes the support for real-time [CSHL12] and
stochastic [CHS+13] software product lines behavior. Support for non boolean
variability [CSHL13] has also been introduced. These additional possibilities
have transformed SNIP into a software product line, named ProVeLines, for
45
Algorithm 8 Featured Outer Depth-First Search
FeatureExp featured-outer-search(State s0)
Stack outerStack ← emptyStack()
Set visitedInOuter ← ∅
Map outerTable← emptyTable()
Set visitedInInner ← ∅
Map innerTable← emptyTable()
FeatureExp badProducts← ⊥
push(outerStack, (s0,>,∅))
visitedInOuter ← visitedInOuter ∪ {s0}
outerTable[s0]← >
while not empty(outerStack) do
(s, e, T )← top(outerStack)
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ ((s, α, s′) 6∈ T ) then
T ← T ∪ {(s, α, s′)}
pop(outerStack)
push(outerStack, (s, e, T ))
e← e ∧ γ(s, α, s′)
if sat(e ∧ d∧) then
if s′ ∈ visitedInOuter then
e← e ∧ ¬outerTable[s′]
if sat(e ∧ d∧) then
push(outerStack, (s′, e,∅))
outerTable[s′]← e
end if
else
push(outerStack, (s′, e,∅))
visitedInOuter ← visitedInOuter ∪ {s′}
outerTable[s′]← e
end if
end if
else
if L(s) ⊆ F then
badProducts← featured-inner-search(
s, e, visitedInInner, innerTable, outerStack, badProducts)
end if
pop(outerStack)
end if
end while
return badProducts
46
Algorithm 9 Featured Inner Depth-First Search
boolean featured-inner-search(
State s0, FeatureExp e0,
Set visitedInInner, Map innerTable,
Stack outerStack, FeatureExp badProducts)
Stack innerStack ← emptyStack()
push(innerStack, (s0, e0,∅))
visitedInInner ← visitedInInner ∪ {s0}
innerTable[s0]← e0
while not empty(innerStack) do
(s, e, T )← top(innerStack)
if in(s, outerStack) then
badProducts← badProducts ∨ e
pop(innerStack)
else
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ ((s, α, s′) 6∈ T ) then
T ← T ∪ {(s, α, s′)}
pop(innerStack)
push(innerStack, (s, e, T ))
e← e ∧ γ(s, α, s′)
if sat(e ∧ d ∧ ¬badProducts) then
if s′ ∈ visitedInInner then
e← e ∧ ¬innerTable[s′]
if sat(e ∧ d ∧ ¬badProducts) then
push(innerStack, (s′, e,∅))
innerTable[s′]← e
end if
else
push(innerStack, (s′, e,∅))
visitedInInner ← visitedInInner ∪ {s′}
innerTable[s′]← e
end if
end if
else
pop(innerStack)
end if
end if
end while
return badProducts
47
Product line of Verifiers for software product Lines.
In addition to standard boolean features, ProVeLines supports two addi-
tional types that are intensively used in practice: multi-features, i.e. features
that may appear several times in a given product, and numeric features. The
former entails changes only to the semantics of feature diagrams. The latter,
however, also raises the need for non boolean feature expressions. To this end,
the Z3 solver has been integrated into some variants of ProVeLines. In these
variants, boolean formulas are represented using the built-in ASTs of the Z3
API, and the satisfiability problem is solved using the mentioned solver. How-
ever, Cordy’s experiment revealed a large time overhead compared to the BDD
implementation. Verifying LTL properties, even on a fully boolean model, can
indeed take until 96,144 % more time when using the SMT solver instead of the
BDD package.
3.3.4 ProVeLines 2
The large amount of additional possibilities introduced in ProVeLines have ren-
dered the tool difficult to maintain. For this reason, a second version of the
tool was developed. This development aimed at ensuring the maintainability of
the tool by providing a clear and documented architecture. This architecture,
presented in Figure 3.10, facilitates variability. In particular, it makes good use
of the of the Abstract Factory design pattern. The checker package implements
the model-checking algorithm presented in Section 3.3.2.
The major difference between ProVeLines and ProVeLines 2, in terms of
functionalities, is that ProVeLines 2 relies on the FSTM input language. FSTM
stands for Featured State Machines. It is a domain-specific language developed
specifically for one of the industrial partners of the University of Namur. Its
implementation can be seen in the fts package. The math package provides an
implementation for boolean functions and satisfiability checking. The current
implementation also relies on the CUDD package.
3.4 Objectives
As mentioned in Section 3.3.3, the use of SMT solvers to perform satisfiability
checks in ProVeLines has raised an important performance issue. Cordy however
states that
“On the technical side, the use of SMT solvers might be a manda-
tory step. Still, it constitutes an interesting problem [...].”
The goal of this master thesis is therefore to investigate this problem. In a first
time, we want to explore the root cause of it. In a second time, we want to
propose an new integration approach to solve this issue, or at least to reduce it.
Conclusion
This chapter first introduced the basic concepts of LTL model checking before
extending them to software product lines. It then presented a set of tools
implementing these extensions. Finally, it stated the problem tackled in this
master thesis.
48
Figure 3.10: UML Class Diagram presenting a simplified version of the archi-
tecture of ProVeLines 2
49
Part II
Contribution
50
Chapter 4
Efficient Integration of a
SAT Solver into ProVeLines
As we have seen in Chapter 2, an SMT solver is made of two main parts: A
SAT solver and a theory specific solver. The time overhead mentioned in Section
3.3.3 has been revealed during an experiment where the SMT solver was used
exclusively to solve boolean constraint. Therefore, our insight was that the SAT
solver could be the root cause of it. To make sure of this, we decided to integrate
a SAT solver into ProVeLines, and to measure the performance of the resulting
tool.
This chapter goes through the theoretical developments behind this integra-
tion. As we shall see, what seemed to be a straightforward work at first has
revealed to be a very ponderous task.
4.1 Clause Production
SAT solvers work on clause databases exclusively. The first step when inte-
grating a SAT solver is therefore to represent boolean formulas using an ad-hoc
implementation and to transform them into Conjunctive Normal Form.
4.1.1 Tree Representation of Boolean Formulas
When the model checker needs to build and manipulate boolean formulas, by
creating their negations, conjunctions and disjunctions, these formulas can sim-
ply be represented as directed trees. Terminal vertices of these trees are labeled
with either boolean variables or constants from the boolean domain B = {⊥,
>}. Non-terminal vertices are labeled with boolean operators from the set
{¬,∧,∨}. Non-terminal vertices labeled with ¬ have only one child while those
labeled with ∧ and ∨ have exactly two. The boolean formula represented by a
directed tree of root node r, denoted F(r), can be recursively defined by
1. If r is a terminal vertex, then
(a) If r is labeled with ⊥, then F(r) = ⊥
(b) If r is labeled with >, then F(r) = >
51
(c) If r is labeled with a boolean variable x, then F(r) = x
2. If r is a non-terminal vertex, then
(a) If r is labeled with ¬ and has the vertex v as child, then
F(r) = ¬F(v)
(b) If r is labeled with ∧ and has the vertices v1 and v2 as children, then
F(r) = F(v1) ∧ F(v2)
(c) If r is labeled with ∨ and has the vertices v1 and v2 as children, then
F(r) = F(v1) ∨ F(v2)
Example 4.1.1. The tree representing the formula a ∧ (¬a ∨ b) is shown in
figure 4.1.
∧
a ∨
¬
a
b
Figure 4.1: A directed tree representing the boolean formula a ∧ (¬a ∨ b)
4.1.2 Conversion into Equivalent CNF
As mentioned before, when the model checker needs to verify the satisfiability of
an arbitrary formula using a SAT solver, this formula needs to be transformed
into CNF. Let F be an arbitrary boolean formula. In order to produce a formula
in CNF equivalent to F , one can apply the following procedure:
1. Iteratively apply De Morgan’s laws to push the negation operations ¬
towards the literals of F .
¬( n∧
i=1
Fi
) −→ n∨
i=1
¬Fi
¬( n∨
i=1
Fi
) −→ n∧
i=1
¬Fi
(De Morgan’s laws)
52
2. Iteratively apply the double negation rule to eliminate multiple negations
and produce a formula in Negation Normal Form.
¬¬F −→ F (Double negation rule)
3. Iteratively apply the distribution of ∨ over ∧ until the remaining formula
consists of a conjunction of clauses.
f ∨ ( n∧
i=1
fi
) −→ n∧
i=1
(f ∨ fi) (Distribution of ∨ over ∧)
4. Remove all tautological clauses, i.e. clauses containing both literals x and
¬x for any boolean variable x, from the resulting conjunction.
Example 4.1.2. Let us consider the formula F =
∨n
i=1(xi ∧ yi) where n > 0.
This formula is already in NNF, so that the two first steps of the above procedure
can be skipped. The formula in CNF resulting from applying the third step is
composed from the set of clauses of the form
∨n
i=1 αi where for each i ∈ {1,
. . . n}, αi is either xi or yi. The number of item in this set is equal to the
number of arrangements of two elements in an ordered sequence of length n, i.e.
2n. Also, each clause is of size n. The size of the original formula is therefore
of size O(n) while the resulting clause database is of size O(n.2n).
As Example 4.1.2 shows, the application of the aforementioned procedure
can lead to a possible blow-up of the size of the generated CNF. This actually
illustrates the inherent complexity of this approach. As mentioned in Section
1.2.2, a formula in CNF is valid if, and only if, it is reduced to the empty
conjunction of clauses. As the validity problem is dual with the satisfiability
problem, i.e. any boolean formula F is satisfiable if, and only if, ¬F is not
valid, it is easy to reduce the satisfiability problem to the application of the
above procedure. Let F be an arbitrary boolean formula. Assume we negate it
and use the defined procedure to obtain the formula in CNF (¬F )cnf . Then F
is satisfiable if, and only if, (¬F )cnf is not reduced to empty conjunction. In
this case, a satisfying assignment for F is easy to find as an unsatisfying one
for a clause of (¬F )cnf . This has mainly two consequences. First, the problem
of finding a formula in CNF equivalent to an arbitrary boolean formula is NP-
hard. Second, it is pointless to use a SAT solver on a formula in CNF Fcnf
to determine the satisfiability of an equivalent formula F , as the SAT problem
can easily be reduced to the problem of finding Fcnf . To workaround this, it is
necessary to consider the notion of equisatisfiability.
4.1.3 Equisatisfiability and Tseitin Transformation
Two boolean formulas F1 and F2 are equisatisfiable if F1 is satisfiable if, and
only if, F2 is satisfiable. However, their sets of satisfying assignments might not
correspond. As a matter of fact, F1 and F2 could not even be defined on the
same set of boolean variables.
Example 4.1.3. Let F be an arbitrary boolean formula over the set of variables
X. Then the formula F ′ = F ∧x, where x is a boolean variable such that x 6∈ X,
is equisatisfiable with F . Indeed, A is a satisfying assignment for F if, and only
if, A ∪ {x→ >} is a satisfying assignment for F ′.
53
Given an arbitrary boolean formula F , it is possible to find a formula in
CNF Fcnf that is equisatisfiable with F . Such transformation has first been
introduced by Tseitin [Tse68]. It is now often referred to as the Tseitin Trans-
formation. This transformation can be described by a recursive procedure as
follows. The procedure applies to a boolean formula and returns a new literal. If
F , F1 and F2 are boolean formulas such that F = F1 ◦F2, where ◦ is any binary
boolean operator, the Tseitin Transformation is first applied to both F1 and F2,
introducing two literals lF1 and lF2 . A new literal lF is then created such that
lF ⇔ lF1 ◦ lF2 . This last equivalence is transformed into a set of clauses and lF
is returned by the procedure. The constraint lF ⇔ lF1 ∧ lF2 can be transformed
into
(¬lF ∨ lF1)
∧(¬lF ∨ lF2)
∧(lF ∨ ¬lF1 ∨ ¬lF2)
which can be interpreted as
(lF ⇒ lF1)
∧(lF ⇒ lF2)
∧((lF1 ∧ lF2)⇒ lF )
which translates correctly the semantics of conjunction. lF evaluates to > if,
and only if, both lF1 and lF2 also do. The constraint lF ⇔ lF1 ∨ lF2 can be
transformed into
(lF ∨ ¬lF1)
∧(lF ∨ ¬lF2)
∧(¬lF ∨ lF1 ∨ lF2)
which can be interpreted as
(lF1 ⇒ lF )
∧(lF2 ⇒ lF )
∧(lF ⇒ (lF1 ∨ lF2))
which translates correctly the semantics of disjunction. lF evaluates to > if,
and only if, either lF1 or lF2 also does. If F and F
′ are boolean formulas such
that F = ¬F ′, the procedure is first applied to F ′, introducing the literal lF ′ ,
and ¬lF ′ is returned. If F is a boolean formula of the form F = x, where x
is a boolean variable, then x is simply returned by the procedure. Finally, if
F is a boolean formula of the form F = v, where v ∈ B, then a fresh literal
lF is created. If v = ⊥, the clause ¬lF is generated. If v = >, the clause
lF is generated. In both case, the literal lF is returned. The clause database
equisatisfiable to the formula F is obtained by adding the unit clause lF to the
set of clauses previously produced by the procedure.
The overall process is formalized in Algorithm 10. This one calls the produce-
Clauses function defined in Algorithm 11. Both these algorithms work under
the assumption that the formula is represented as a tree, as explained in sec-
tion 4.1.1. The function newLiteral returns a fresh literal while the procedure
addClause adds a clause to the resulting formula in CNF.
54
Algorithm 10 Tseitin Transformation
tseitin(Vertex v)
Literal l← produceClauses(v)
addClause(l)
Example 4.1.4. Let us consider again Example 4.1.1. The result of the ap-
plication of Algorithm 10 on the formula a ∧ (¬a ∨ b) is presented in Figure
4.2. Each vertex is associated with the literal returned by the function produce-
Clauses and the generated clauses are shown in dashed rectangles. The formula
in CNF produced by the Tseitin Transformation is then
v1 ∧ (¬v1 ∨ a) ∧ (¬v1 ∨ v2) ∧ (v1 ∨ ¬a ∨ ¬v2)
∧ (v2 ∨ a) ∧ (v2 ∨ ¬b) ∧ (¬v2 ∨ ¬a ∨ b)
∧
a ∨
¬
a
b
v1
v2
¬a
¬v1 ∨ a
¬v1 ∨ v2
v1 ∨ ¬a ∨ ¬v2
v2 ∨ a
v2 ∨ ¬b
¬v2 ∨ ¬a ∨ b
Figure 4.2: Application of Algorithm 10 on the boolean formula a ∧ (¬a ∨ b)
Example 4.1.4 clearly shows that the Tseitin Transformation yields formulas
of increased size. However, the procedure goes through each sub-formula of the
original formula F only once, and produces, for any one of them, at most three
clauses containing at most three literals. Consequently, its worst-case time com-
plexity, as well as the size of the output formula, are linear with respect to the
size of F , i.e. in O(‖F‖), where ‖F‖ represents the size of F . Furthermore,
as additional variables are introduced during the process, it is quite clear that
the formula F and its result by the Tseitin Transformation Fcnf are not strictly
equivalent, but only equisatisfiable. However, their correlation is strong as a
satisfying assignment for F can be retreived from any satisfying assignment for
Fcnf by removing all variables introduced by the transformation. This trans-
formation is effectively usable to produce formulas in CNF when solving the
satisfiability problem with a SAT solver in ProVeLines. Still, its efficiency can
be further improved.
55
Algorithm 11 Clause Production for Tseitin Transformation
Literal produceClauses(Vertex v)
Literal result
if v is a terminal vertex then
if v is labeled with ⊥ then
Literal l← newLiteral()
addClause(¬l)
result← l
else if v is labeled with > then
Literal l← newLiteral()
addClause(l)
result← l
else if v is labeled with a variable x then
result← x
end if
else if v is a non-terminal vertex then
if v is labeled with ¬ then
Literal l← produceClauses(child(v))
result← ¬l
else if v is labeled with ∧ then
Literal l← newLiteral()
Literal l1 ← produceClauses(leftChild(v))
Literal l2 ← produceClauses(rightChild(v))
addClause(¬l ∨ l1)
addClause(¬l ∨ l2)
addClause(l ∨ ¬l1 ∨ ¬l2)
result← l
else if v is labeled with ∨ then
Literal l← newLiteral()
Literal l1 ← produceClauses(leftChild(v))
Literal l2 ← produceClauses(rightChild(v))
addClause(l ∨ ¬l1)
addClause(l ∨ ¬l2)
addClause(¬l ∨ l1 ∨ l2)
result← l
end if
end if
return result
56
4.1.4 Graph Representation of Boolean Formulas
Instead of directed trees, Directed Acyclic Graphs (DAGs) can be used to rep-
resent boolean formulas. Graphs are useful to avoid the redundancy that occurs
in the presence of isomorphic sub-graphs. Two graphs are isomorphic if their
roots also are. Let v1 and v2 be two vertices of a graph. Then, v1 and v2 are
isomorphic if, and only if, one of the following conditions is satisfied:
1. v1 and v2 are both terminal vertices and are labeled with the same value,
i.e. either ⊥, >, or a boolean variable x
2. v1 and v2 are both non terminal vertices, are labeled with the same oper-
ator and their children are also isomorphic
The isomorphism of non-terminal nodes is therefore a recursive property: it can
only be determined on the basis of their children. In order to avoid redundancy,
we make the hypothesis that the following restriction must hold on every graph
representing a formula: Distinct but isomorphic sub-graphs are forbidden. This
effectively means that two isomorphic sub-graphs must always share the same
root vertex and, consequently, the same data structure. This can be ensured
at build time by a so-called unique table. In a nutshell, when the application
program needs a new vertex, it first looks in this table to find a vertex with the
same label and children. If such node already exists, it is reused. If not, a new
node is created and inserted into the unique table. Under the hypothesis that
all existing nodes are isomorphic if, and only if, they are equal, a new node is
indeed isomorophic to a previously created one if they share the same label and
children.
One should note that we first found the description of a unique table in the
context of an efficient BDD implementation [BRB90].
Example 4.1.5. Let us consider the formula F = (¬a ∨ b) ∧ (a ∧ (¬a ∨ b)).
Figure 4.3a shows the formula represented as a tree while Figure 4.3b shows the
same one represented as a DAG on which the mentioned restriction holds.
4.1.5 Cache Mechanism
The graph representation of boolean formulas can be used to reduce the size
of a formula in CNF produced by the Tseitin Transformation. The mechanism
is fairly simple. The procedure memorizes the literal that it outputs for each
vertex during the transformation. When a vertex is encountered for the second
time during the graph traversal, the memorized literal is reused. The process is
formalized in Algorithm 12.
Example 4.1.6. Let us consider again Example 4.1.5. The results of the appli-
cation of Algorithm 12 on both graphs are presented in Figure 4.4. The resulting
formula of the process presented in Figure 4.4a is
v4 ∧ (¬v4 ∨ v1) ∧(¬v4 ∨ v3) ∧(v4 ∨ ¬v1 ∨ ¬v3)
∧ (v1 ∨ a) ∧(v1 ∨ ¬b) ∧(¬v1 ∨ ¬a ∨ b)
∧ (¬v3 ∨ a) ∧(¬v3 ∨ v2) ∧(v3 ∨ ¬a ∨ ¬v2)
∧ (v2 ∨ a) ∧(v2 ∨ ¬b) ∧(¬v2 ∨ ¬a ∨ b)
57
∧a ∨
¬
a
b
¬
a
b
∨
∧
(a) Tree
∧
¬
a
b
∨
∧
(b) Graph
Figure 4.3: Two representation for the boolean formula (¬a∨ b)∧ (a∧ (¬a∨ b))
Algorithm 12 Clause Production for Tseitin Transformation (Caching Version)
Literal produceClauses(Vertex v)
if contains(cache, v) then
return cache[v]
end if
Literal result
〈 same as in Algorithm 11 〉
cache[v]← result
return result
The resulting formula of the process presented in Figure 4.4b, on the other
hand, is
v3 ∧ (¬v3 ∨ v1) ∧(¬v3 ∨ v2) ∧(v3 ∨ ¬v1 ∨ ¬v2)
∧ (¬v2 ∨ v1) ∧(¬v2 ∨ a) ∧(v2 ∨ ¬v1 ∨ ¬a)
∧ (v1 ∨ ¬b) ∧(v1 ∨ ¬a) ∧(¬v1 ∨ b ∨ ¬a)
In this example, the cache mechanism allows one to reduce the number of
clauses from 13 to 10.
58
∧a ∨
¬
a
b
¬
a
b
∨
∧
¬a
v1
v2
v3
v4
¬a
v2 ∨ a
v2 ∨ ¬b
¬v2 ∨ ¬a ∨ b
¬v3 ∨ a
¬v3 ∨ v2
v3 ∨ ¬a ∨ ¬v2
¬v4 ∨ v1
¬v4 ∨ v3
v4 ∨ ¬v1 ∨ ¬v3
v1 ∨ a
v1 ∨ ¬b
¬v1 ∨ ¬a ∨ b
(a) Tree
∧
¬
a
b
∨
∧
¬a
v1
v2
v3
v1 ∨ ¬b
v1 ∨ a
¬v1 ∨ b ∨ ¬a
¬v3 ∨ v1
¬v3 ∨ v2
v3 ∨ ¬v1 ∨ ¬v2
¬v2 ∨ v1
¬v2 ∨ a
v2 ∨ ¬v1 ∨ ¬a
(b) Graph
Figure 4.4: Application of Algorithm 12 on the two graphs of Example 4.1.5
59
4.2 Incremental Solving
In addition to defining an efficient clause production process, we designed some
modifications in the model-checking algorithm introduced in Section 3.3.2 to be
more consistent with the capabilities of a SAT solver.
4.2.1 Principle of Incremental Solving
When model checking the FTS of a software product line against an LTL prop-
erty, the process presented in Algorithm 7 solves the satisfiability problem over
a large set of closely related formulas. It actually accumulates constraints when
taking transitions, forgets them when backtracking, and performs SAT checks
for every intermediate formulas obtained following this strategy.
To illustrate this, let us consider a featured transition system FTS = 〈S,
Act, Trans, I, AP,L, d, γ〉 such that
1. {S1, S2, S3, S4} ⊆ S
2. {(S1, α1, S2), (S2, α2, S3), (S2, α3, S4)} ⊆ Trans
3. γ(S1, α1, S2) = f1, γ(S2, α2, S3) = f2, γ(S2, α3, S4) = f3
These requirements define the part of FTS illustrated in Figure 4.5. Let us
suppose that Algorithm 7 first reaches the state S1. At this stage, it has to
solve the SAT problem over a formula F . Following the path going through
S3, the process then accumulates the feature expressions labeling the available
transitions to consecutively create and solve the problems F ∧f1 and F ∧f1∧f2.
When it has fully expanded this path, the process backtracks and takes the
second visible path. Therefore, it also solves the SAT problem over F ∧ f1 ∧ f3.
S1 S2 S2 . . .. . .
F F ∧ f1 F ∧ f1 ∧ f2
f1 f2
S2
F ∧ f1 ∧ f3
f3
. . .
Figure 4.5: Accumulation of constraints in Algorithm 7
Let us assume that we use a SAT solver to solve the mentioned SAT prob-
lems. Then, it is inefficient to transform, at each step, the accumulated formula
into a formula in CNF. Instead, it is preferable to transform the additional en-
countered feature expressions into a set of clauses, and to add or retrieve them
to and from a managed clause database throughout the exploration. This way
of proceeding indeed allows one to
1. Avoid the repetitive complete applications of the clause production process
to a set of closely related formulas, which leads to repetitively create the
same subsets of clauses
60
2. Reuse the cached results of previous transformations in the cache mecha-
nism presented in Section 4.1.5
Furthermore, the chosen SAT solver could allow the addition and removal of
clauses. This additional capability enables the reuse of the acquired knowledge
of previous runs, as conflict clauses and activity scores, from one SAT check
to another. To this end, several strategies of clauses management have been
proposed, two of the most common being :
1. Clauses can be added and removed on demand. This strategy requires to
maintain traceability links between original clauses and learned clauses,
so that when a clause C is retrieved, all learned clauses induced by the
presence of C during the analysis process can also be deleted. This ap-
proach was introduced by Whittemore et al. along with the SATIRE SAT
solver [WKS01].
2. A solve under assumptions function is provided by the SAT solver. This
procedure allows one to solve the satisfiability problem under the assump-
tion that an arbitrary set of literals are assigned to >. This comes down to
the problem of finding a satisfying assignment for a formula that is an ex-
tension of an arbitrary partial assignment. This technique was introduced
by Ee´n and So¨renson with the Minisat solver [ES03a]. The way in which
this method can be used to virtually remove sets of clauses is explained
in the next section.
Henceforth, we call incremental solving the technique that consists in solving
the SAT problem over a set of closely related formulas by addition and retrieval
of clauses.
4.2.2 Solving Under Assumptions
Let us suppose that we want to add a clause C to the clause database of a
SAT solver and to remain able to remove it later. If the solver can solve the
satisfiability problem under a set of assumptions, then it is possible to create a
fresh literal l, add it to this set of assumptions, and insert the clause C ′ = C∨¬l
to the clause database. Under the new assumption, the clause C ′ will indeed
behave like the clause C. When we need to remove this clause, l is removed from
the list of assumptions and the unit clause ¬l is added to the clause database.
This clause will propagate the variable assignment {l → ⊥} which satisfies the
clause C ′. From there, this clause can be safely ignored, or removed, by the
solver. Obviously, for this to work correctly, the literal l needs be used solely
to identify a clause, or a set of clauses, and to remove it. One should note the
simplicity of the process, as all learned clauses are here safe to keep and that
no traceability link is needed. This way of virtually add and remove clauses is
presented in [ES03b].
Let us suppose that we use the Tseitin-Transformation. Another way to
solve under assumptions can be used. This method relies on the fact that all
intermediate variables introduced in Algorithm 11 are said to be functionally
dependent on the original variables [ES03b]. Let F be a formula over a set
of variable X, Ftseitin the set of clauses produced by Algorithm 11 applied on
F , I the set of intermediate variables introduced by the process, and l ∈ I
61
the returned literal. Then, any complete variable assignment on F , be it sat-
isfying or unsatisfying, can be extended in exactly one satisfying assignment
for Ftseitin. This means that, given an arbitrary assignment over the variables
of X, the boolean values assigned to the elements of I are implied by Ftseitin.
Consequently, F and Ftseitin are obviously not equisatisfiable. Only the formula
F ′ = Ftseitin ∧ l is equisatisfiable with F by reducing the number of satisfying
assignments. As a consequence, adding the set of clauses Ftseitin to the clause
database of a SAT solver does not modify, on its own, the set of satisfying
assignment of it. However, solving under the assumption l acts as if the for-
mula F was fully asserted. Using this property for incremental solving is quite
straightforward. When F needs to be added to the set of constraint, Ftseitin is
inserted to the clause database and l to a managed set of assumptions. When
backtracking, l is simply retrieved from the the mentioned set of assumptions,
while Ftseitin remains in the clause database. As these clauses cannot be re-
moved by the SAT solver, it could considerably increase the size of its clause
database. However, this approach leverage the cache mechanism presented in
Section 4.1.5 by allowing the reuse of old clauses. Consequently, we believe than
it could considerably fasten the model-checking process, notably when revisiting
previously visited states.
4.2.3 Incremental Algorithms
As such, Algorithms 8 and 9 cannot benefit from incremental solving. To
workaround this, we defined new model-checking algorithms meant to use in-
cremental solving. The interface provided by the Solver class we defined is
presented in Figure 4.6. The addAssertion method allows one to add a for-
mula in the clause database of the SAT solver. The push method is used to
create backtracking points while the pop method revert the state of the SAT
solver to the last created backtracking point. This push/pop interface is in-
spired from the APIs of SMT solvers like Z3 [DMB08] and STP [GD07]. The
addContraint method adds a formula into a set of background constraints that
are not impacted by the creation and deletion of backtracking points. This set
of managed constraints is meant to include the feature diagram d and the set
of violating products badProducts of Algorithms 8 and 9, which must not be
impacted when backtracking. The resulting algorithms are presented in Algo-
rithms 13 and 14. These algorithms are very close to the original algorithms.
Feature expressions accumulated during the state traversal problem are however
managed through the solver interface. The feature expressions are asserted into
the solver when taking transitions. When backtracking, instead of retrieving a
feature expression from the stack, the state of the solver is returned to the last
created backtracking point.
4.2.4 SMT Solvers and Incremental Solving
As mentioned before, the interface presented in Figure 4.6 is inspired from the
APIs of SMT solvers like Z3 [DMB08] and STP [GD07]. Consequently, it is
easy to use this interface as a wrapper around an SMT solver. Moreover, these
SMT solvers also provide built-in representations for boolean-valued formulas.
Therefore, the algorithms introduced in the previous section can be reused as
such when using an SMT solver instead of a SAT solver.
62
/**
* Modi f i e s : t h i s
* E f f e c t s : Creates a backtrack ing po int
*/
void push ( )
/**
* Requires : There e x i s t s at l e a s t one
* backtrack ing po int
* Modi f i e s : t h i s
* E f f e c t s : Backtrack to the l a s t c r ea ted
* backtrack ing po int and d e l e t e i t
*/
void pop ( )
/**
* Modi f i e s : t h i s
* E f f e c t s : As se r t s the formula ’ a s s e r t i o n ’
*/
void addAssert ion ( Formula a s s e r t i o n )
/**
* Returns : A formula r e p r e s e n t i n g a l l the
* a s s e r t i o n s made
*/
Formula g e t A s s e r t i o n s ( )
/**
* Returns : t rue i f f the con junct ion o f a l l the
* a s s e r t i o n s made i s s a t i s f i a b l e with
* r e l a t i o n to the s e t o f c o n s t r a i n t s
*/
Boolean s o l v e ( ) ;
/**
* Modi f i e s : t h i s
* E f f e c t s : Adds the c o n s t r a i n t ’ cons t ra in t ’ to
* the s e t o f c o n s t r a i n t s
*/
void addConstraint ( Formula c o n s t r a i n t )
Figure 4.6: Solver class interface
63
Algorithm 13 Incremental Featured Outer Depth-First Search
FeatureExp incremental-featured-outer-search(
State s0)
Stack outerStack ← emptyStack()
Set visitedInOuter ← ∅
Map outerTable← emptyTable()
Set visitedInInner ← ∅
Map innerTable← emptyTable()
FeatureExp badProducts← ⊥
push(outerStack, (s0,∅))
visitedInOuter ← visitedInOuter ∪ {s0}
outerTable[s0]← >
Solver solver
solver.addConstraint(d)
solver.push()
while not empty(outerStack) do
(s, T )← top(outerStack)
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ ((s, α, s′) 6∈ T ) then
T ← T ∪ {(s, α, s′)}
pop(outerStack)
push(outerStack, (s, e, T ))
solver.push()
solver.addAssertion(γ(s, α, s′))
if solver.solve() then
if s′ ∈ visitedInOuter then
solver.addAssertion(¬outerTable[s′])
if solver.solve() then
push(outerStack, (s′,∅))
outerTable[s′]← solver.getAssertions()
else
solver.pop()
end if
else
push(outerStack, (s′,∅))
visitedInOuter ← visitedInOuter ∪ {s′}
outerTable[s′]← solver.getAssertions()
end if
else
solver.pop()
end if
else
if L′(s) ⊆ F then
badProducts← featured-inner-search(
s, solver, visitedInInner, innerTable, outerStack, badProducts)
end if
pop(outerStack)
solver.pop()
end if
end while
return badProducts
64
Algorithm 14 Incremental Featured Inner Depth-First Search
boolean incremental-featured-inner-search(
State s0, Solver solver,
Set visitedInInner, Map innerTable,
Stack outerStack, FeatureExp badProducts)
Stack innerStack ← emptyStack()
push(innerStack, (s0,∅))
visitedInInner ← visitedInInner ∪ {s0}
innerTable[s0]← solver.getAssertions()
solver.push()
while not empty(innerStack) do
(s, T )← top(innerStack)
if in(s, outerStack) then
badProducts← badProducts ∨ solver.getAssertions()
solver.addConstraint(¬solver.getAssertions())
pop(innerStack)
solver.pop()
else
if ∃s′, α : ((s, α, s′) ∈ Trans′) ∧ ((s, α, s′) 6∈ T ) then
T ← T ∪ {(s, α, s′)}
pop(innerStack)
push(innerStack, (s, T ))
solver.push()
solver.addAssertion(γ(s, α, s′))
if solver.solve() then
if s′ ∈ visitedInInner then
solver.addAssertion(¬innerTable[s′])
if solver.solve() then
push(innerStack, (s′,∅))
innerTable[s′]← solver.getAssertions()
else
solver.pop()
end if
else
push(innerStack, (s′,∅))
visitedInInner ← visitedInInner ∪ {s′}
innerTable[s′]← solver.getAssertions()
end if
else
solver.pop()
end if
else
pop(innerStack)
solver.pop()
end if
end if
end while
return badProducts
65
Conclusion
In this chapter, we introduced several techniques that can be used to efficiently
integrate a SAT solver in ProVeLines. Among others, we introduced model-
checking algorithms that are meant to use incremental solving. It is noteworthy
that these algorithms can be reused as such when working with SMT solvers.
The goal of the next chapter is twofold. First, we want to measure the per-
formance of ProVeLines with a SAT solver. Second, we want to evaluate the
effectiveness of Algorithms 13 and 14 with both SAT and SMT solvers.
66
Chapter 5
Experimental Results
Now that we have introduced an approach to efficiently integrate a SAT solver
in ProVeLines, we undertake a concrete empirical study. We mainly have two
objectives:
1. Measure the performance of ProVeLines with a SAT solver
2. Evaluate the efficiency of the incremental algorithms introduced in Section
4.2.3, with both SAT and SMT solvers
To do so, we performed several implementation tasks. This chapter first goes
through the description of the choices and rationale leading these tasks and, in
a second time, undertakes a concrete empirical evaluation.
5.1 Implementation
In order to use its extensible architecture at our best convenience, and in agree-
ment with the current maintainers of the tool, we decided to integrate our
changes to ProVeLines 2. However, this choice had a major drawback. The
lack of FSTM models available rendered it difficult to rely solely on this input
language to realize a deep empirical study. For this reason, we also integrated
the fPromela input language of ProVeLines 1 in ProVeLines 2. This section
describes these two implementation tasks.
5.1.1 Integrating SAT and SMT solvers
Regarding SAT solvers, we choose to work with the Minisat project [ES03a].
Minisat has been conceived as a minimalistic SAT solver written in C++. Its
original goal was to demonstrate the implementation details of a modern SAT
solver and to serve as a basis for further research. The original source code
was about 600 lines of code. Minisat is today considered as a milestone in the
history of SAT and SMT solvers and has served as the starting point of different
other projects as Glucose [AS09] and CVC4 [BCD+11]. For our purpose, we
used the 2.2 version, which is the latest available update.
As for SMT solver, we decided to integrate the Z3 solver [DMB08]. Z3 is an
SMT solver developed by Microsoft Research based on the DPLL(T) architec-
ture. It is often considered as the most advanced project of its category. It was
67
also used during the first attempt of integration of an SMT solver in ProVeLines
1 [CSHL13].
Figure 5.1 shows the result of these two additions upon the architecture of
ProVeLines 2, more precisely in the math package. The most noticeable modifi-
cation is the appearance of the BoolSolver interface, which is the one presented
in Section 4.2.3. This interface allows one to make use of incremental solving
during the model-checking process. For the rest, the integration of both Minisat
and Z3 was rendered rather straightforward due to the extensible architecture
of ProVeLines 2, consisting mainly in providing concrete implementations for
the three interfaces BoolFct , BoolSolver and BoolFctFactory. The concrete im-
plementation using Minisat also makes use of a newly integrated package, called
dag , implementing helper classes to build and manipulate boolean formulas as
graphs.
Two new model-checking algorithms, based on incremental solving, have
been implemented in the checker package. The result is presented in Figure 5.2.
These algorithms make use of the interface of the newly introduced FeatureSolver
class, which is basically a wrapper around the BoolSolver interface.
From this work, we defined six different configurations for ProVeLines 2,
depending on how boolean functions are represented and which model-checking
algorithms are used:
Cudd: This configuration relies on the BDD implementation from the CUDD
package.
Minisat: This configuration relies on the Minisat solver. Boolean formulas
are represented by DAGs as presented in Section 4.1.4, but the Tseitin
transformation is applied without any caching mechanism. Moreover, in-
cremental solving is not used.
Cache: This configuration is similar to the previous one. However, the Tseitin
transformation is applied using the cache mechanism introduced in Section
4.1.5.
Inc: This configuration is similar to the previous one, but this time makes use
of incremental solving.
Z3: This configuration relies on the Z3 SMT solver and does not use incremental
solving.
Zinc: In this configuration, the Z3 solver and incremental solving are both used.
The Z3 set of classes introduced in this section actually implement the
BoolFct , BoolSolver and BoolFctFactory interfaces. Consequently, our Z3-based
implementation only allows one to build and manage boolean formulas. It is
clearly not the goal of an SMT solver to be used to solve solely boolean problems.
However, for the purpose of our experiment, this is sufficient.
5.1.2 Integrating fPromela in ProVeLines 2
Integrating the fPromela input language into ProVeLines 2 has required a large
amount of work, although the high-level architecture resulting from it is quite
simple. The main rationale behind it was the desire to reuse as much code
68
Figure 5.1: Class diagram describing the architecture integrating Minisat and
Z3 into the math package
Figure 5.2: Class diagram describing the architecture integrating incremental
algorithms
69
as possible from the first version of the tool. The solution basically consists
in isolating the C code from ProVeLines 1 dedicated to the parsing and man-
agement of this input language, and wrapping it in a C++ interface. Again,
the architecture of ProVeLines 2 demonstrated its extensibility. It has been
sufficient to implement the interfaces defined in the fts package to allow the
whole project to integrate the input language. The result of this work is shown
in Figure 5.3. The fPromela package contains the C++ wrapper classes while
the C sub-package includes the old C code. One should note the similarities
between the latter package and the architectural sketch presented in Figure 3.9.
The classes from this package refer to the C structures used in ProVeLines 1.
Since this code still need to access the boolFct structure, allowing to build and
manipulate boolean functions, the code of this structure has been rewritten to
consists of a wrapper around the C++ BoolFct interface.
In order to be consistent with the architecture of ProVeLines 2, the C code
needed some major modifications. Among others, the neverState structure ap-
peared as a fork from the state structure. Also, in order for this solution to
work properly, the C++ code needs to be compiled as C++ code while the C
code needs to be compiled as C code. The application program is then created
by correctly linking the compiled codes. For this step to be executed properly,
special preprocessor instructions need to be used to mark the C code called from
C++ or the C++ code called from C.
Figure 5.3: Class diagram describing the architecture integrating the fPromela
input language
70
5.2 Empirical Evaluation
The objective of this section is to evaluate the performance of each of the six
configurations introduced in Section 5.1.1 in terms of verification time. For the
purpose of this evaluation, we used four different benchmarks.
mutex: This model describes a family of mutual exclusion algorithms. It is
written in fPromela. It is the smallest benchmark available.
ano: This FSTM model, the only one available, consists of an anonymized file.
The original model has been defined for an industrial partner of the Uni-
versity of Namur. Due to non-disclosure agreements between the Univer-
sity of Namur and the mentioned partner, we do not have any knowledge
of its precise nature. We should however emphasis the atypical nature of
the FTS it defined, presenting a small set of 28 states weaved together
by no less than 626 transitions. At this time, we do not have access to
its feature diagram. Therefore, during our experiment, all products are
considered valid products.
minepump: This model describes a family of systems supposed to keep a mine
shaft clear of water while avoiding methane related explosion. Its main
component consists of a water pump which activates itself when the water
reaches a defined threshold, but only if the methane level stays below a
critical limit. It is written in fPromela.
cfdp: This model is based on a simplified version of the CCSDS (Consultative
Committee for Space Data Systems) File Delivery Protocol (CFDP) rec-
ommended standard. It describes a scenario where two entities connected
via a space data link want to share the content of an arbitrary file. It is
written in fPromela.
For each one of these benchmarks, four properties have been selected and
verified. Additionally, we performed an exhaustive exploration of the FTS with-
out property. Such exploration allows one to verify the reachability of states
or the absence of deadlocks. We provide statistics about these benchmarks in
Figure 5.4. We provide the following statistics:
Size: Number of states defined by the FTS
Revisited: Number of revisited states during the exhaustive exploration pro-
cess
Depth: The maximal depth reached by the depth-first search algorithm during
the exhaustive exploration process
Features: The number of features defined in the feature diagram
The benchmarking process has been repeated six times, i.e. one time for each
of the six configurations mentioned in Section 5.1.1. Execution times have been
measured. A timeout was set to 3600 seconds. Memory usage was limited to 3
GB. The experiment has been run on a personal computer run by a processor
Core i5 2450M (2.5GHz), 4GB of RAM and Ubuntu 13.10. The results are
shown in Figure 5.5. In this table, “oom” stands for “out-of-memory”.
71
Model Size Revisited Depth Features
mutex 287 116 89 4
ano 28 987 12 -
minepump 11,398 52,200 605 11
cfdp 2,384,616 2,622,355 648 13
Figure 5.4: Benchmarks statistics
5.2.1 Minisat-based Configurations
On the mutex benchmark, the Minisat configuration performs 9 to 12.5 times
slower that the Cudd configuration. The Cache configuration takes on average
51% less time that the Minisat configuration. The Inc configuration almost be-
haves like the Cudd configuration. However, the last selected temporal property
takes 72% more than time to be verified by the Inc configuration than by the
Cudd configuration. The Minisat configuration falls out of memory on every
other benchmarks. On the ano benchmark, the Cache configuration performs
on average 149.75 times slower than the Cudd configuration. The Inc configu-
ration performs on average 7.77 times slower that the Cudd configuration, but
takes 95% less time than the Cache configuration. On the minepump bench-
mark, the Cache configuration performs on average 676.85 times slower than the
Cudd configuration. The Inc configuration performs on average 202.10 times
slower that the Cudd configuration, but takes 70% less time than the Cache
configuration. On the cfdp benchmark, the Cache and Inc configuration both
fall out of time.
5.2.2 Z3-based Configurations
On the mutex benchmark, the Z3 configuration performs on average 30.75 times
slower than the Cudd configuration. The Zinc configuration performs on aver-
age 5.20 times slower that the Cudd configuration, but takes 83% less time than
the Z3 configuration. On the ano benchmark, the Z3 configuration performs
on average 994.21 times slower than the Cudd configuration. The Zinc config-
uration performs on average 179.47 times slower that the Cudd configuration
and 23.10 times slower that the Inc configuration, but takes 82% less time than
the Z3 configuration. On the minepump benchmark, the Z3 configuration per-
forms on average 374.87 times slower than the Cudd configuration. The Zinc
configuration performs on average 132.82 times slower that the Cudd configu-
ration, but takes 65% less time than the Z3 configuration and 34% less time
that the Inc configuration. Finally, one the cfdp benchmark, the Z3 and Zinc
configurations both fall out of time during the exploration and on the fourth
property. The Z3 configuration also timeout on the third property. On the two
remaining properties, the Zinc configuration performs 97% faster than the Z3
configuration.
72
5.2.3 Observations
At this point, we can draw several observations:
1. The cache mechanism introduced to reduce the number of clauses pro-
duced when working with a SAT solver proves to have a huge beneficial
impact.
2. The incremental algorithms also prove to have a huge beneficial impact,
with both SAT and SMT solvers.
3. The performance of the SAT and SMT based configurations are not strongly
correlated to the performance of the Cudd configuration. The Cudd con-
figuration takes a similar time to verify the fourth property of the ano
benchmark and the second property of the minepump benchmark, while
the Inc configuration takes about 2000% more time. The performance of
SAT and SMT based configurations seems to be more impacted by the
size of the verified FTS.
4. The Z3-based configurations are slower than the Minisat-based configu-
rations on small examples, i.e. on the mutex and ano benchmarks, but
outperform them on large examples.
5. The five configurations embedding SAT and SMT solvers perform slower
that the Cudd configuration, especially on large models. It is quite clear
that those configurations scale really bad compared to the BDD-based
implementation.
5.2.4 Limitation
It should be noted that the results observed in Figure 5.5 do not correlate
with those published by Cordy [CSHL13]. For some reason, the SMT-based
implementation of ProVeLines 1 is more efficient that the Z3 configuration we
defined. However, the implementation of the Z3 configuration is highly similar
to the one published by Cordy. This may require further investigation.
Conclusion
In this chapter, we showed the implementation details of the theoretical ap-
proach introduced in Chapter 4 and performed a concrete empirical evaluation.
We showed that both the cache mechanism and the incremental model-checking
algorithms we proposed have a huge beneficial impact on the performance of
the tool. However, the use of SAT and SMT solvers suffers from a clear scala-
bility issue compared to the BDD approach. This result allows us to state the
following hypothesis: SMT solvers are inefficient with ProVeLines because SAT
solvers also are.
73
Model Property Configuration
Cudd Inc Cache Minisat Zinc Z3
mutex exploration 20 20 80 180 110 3900
property 1 20 20 100 250 80 2390
property 2 30 30 160 310 160 3970
property 3 50 60 410 600 230 7500
property 4 110 190 430 1020 720 18,920
ano exploration 160 1970 54,020 oom 45,110 367,630
property 1 310 2570 42,670 oom 56,300 276,180
property 2 410 2680 41,470 oom 58,840 256,450
property 3 330 2690 41,430 oom 58,130 258,980
property 4 910 3240 42,540 oom 57,900 268,540
minepump exploration 1900 947,490 2,737,410 oom 621,800 950,630
property 1 1210 143,670 731,280 oom 127,230 460,740
property 2 970 65,610 225,670 oom 40,360 274,130
property 3 2100 341,050 702,800 oom 146,180 620,660
property 4 1450 236,420 1,119,120 oom 174,730 601,860
cfdp exploration 84,860 timeout timeout oom timeout timeout
property 1 13,660 timeout timeout oom 88,710 2,775,040
property 2 8540 timeout timeout oom 68,450 1,957,940
property 3 25,560 timeout timeout oom 218,960 timeout
property 4 oom timeout timeout oom timeout timeout
Figure 5.5: Benchmark results for six configurations of ProVeLines 2 against
four distinct models. Time is given is milliseconds (ms). Timeout is set to 1h
(3,600,000 ms). Memory usage is limited to 3 GB. “oom” stands for “out-of-
memory”.
74
Conclusion
The integration of an SMT solver into ProVeLines revealed a large time overhead
in the verification process compared to a BDD implementation. Clearly, this
problem is a complex one, mainly because it takes place in the crossroads of
three research areas: computer-aided reasoning, and more especially BDDs and
SMT solvers, software product lines, and model checking. Investigating the
problem therefore require a good understanding of these three subjects, and
assembling this knowledge constitutes itself a real challenge. In the first part of
this thesis, we tried to present the knowledge and understanding we acquired
about them during the last year. In the second part of this thesis, we tried to
investigate this problem and to propose a more efficient integration approach.
As we showed in Chapter 2, SMT solvers are mainly build upon SAT solvers.
For this reason, we decided to investigate the efficient integration of a SAT solver
in ProVeLines 2. What seemed to be a very straightforward work at first actually
revealed to be a really ponderous task. However, it was rewarding as some of
the knowledge we acquired doing this job could be reused when working with
SMT solvers. In particular, we defined incremental product-line model-checking
algorithms, which are meant to better integrate themselves with both SAT and
SMT solvers.
We then undertake a concrete empirical evaluation. We had two objectives.
First, we wanted to measure the performance of ProVeLines 2 with a SAT
solver. Second, we wanted to evaluate the actual efficiency of the incremental
algorithms we introduced. This empirical study required a large amount of
work. We integrated a SAT solver and a SMT solver in ProVeLines 2, and
implemented the defined algorithms. Also, in order to benefit from a larger set
of benchmarks, we integrated the fPromela input language of ProVeLines 1 into
ProVeLines 2.
The results were both encouraging and disappointing. Indeed, the incre-
mental algorithms that we defined clearly outperform the original algorithms
of ProVeLines. However, both the SAT-based and SMT-based implementations
we proposed, even using the incremental algorithms, are far slower than the
BDD-based implementation. In particular, we noticed a huge scalability issue
with large models.
Another disappointment come from the fact that the result we obtained with
ProVeLines 2 do not correlate with the results obtained by Cordy et al. when
working with ProVeLines 1 [CSHL13]. Our version was indeed far slower. At
this moment, we do not have any explanation of that fact. This is clearly a lim-
itation of our work. Another limitation is that we only tested our SMT-based
implementation with boolean constraints. Moreover, we believe that it could
have been beneficial to compare our work with other works combining formal
75
verification techniques and SAT solvers. Among others, we now believe that a
strong correlation exists between our work and symbolic execution. Symbolic
execution tools as KLEE [CDE08] exhaustively explore the state-space of a soft-
ware process while representing and verifying the constraints over its variables
using an SMT solver.
Still, incremental algorithms have proved to be efficient. Moreover, our
results allow us to draw the following hypothesis: SMT solvers are inefficient
with ProVeLines because SAT solvers also are. The performance issue of SMT
solvers in this context has nothing to do with the theory-specific part of this
kind of solvers. In this context, ProVeLines could benefit from some sort of SMT
solvers where the boolean part would be managed by BDDs. We do believe that
it might be an interesting topic for future work.
76
Bibliography
[AS09] Gilles Audemard and Laurent Simon. Predicting learnt clauses
quality in modern sat solvers. In Proceedings of the 21st Interna-
tional Jont Conference on Artifical Intelligence, IJCAI’09, pages
399–404, San Francisco, CA, USA, 2009. Morgan Kaufmann Pub-
lishers Inc.
[BCD+11] Clark Barrett, Christopher L. Conway, Morgan Deters, Liana
Hadarean, Dejan Jovanovic´, Tim King, Andrew Reynolds, and Ce-
sare Tinelli. Cvc4. In Proceedings of the 23rd International Con-
ference on Computer Aided Verification, CAV’11, pages 171–177,
Berlin, Heidelberg, 2011. Springer-Verlag.
[BK08] Christel Baier and Joost-Pieter Katoen. Principles of Model Check-
ing. The MIT Press, 2008.
[BRB90] Karl S. Brace, Richard L. Rudell, and Randal E. Bryant. Effi-
cient implementation of a bdd package. In Proceedings of the 27th
ACM/IEEE Design Automation Conference, DAC ’90, pages 40–
45, New York, NY, USA, 1990. ACM.
[Bry86] Randal E. Bryant. Graph-based algorithms for boolean function
manipulation. IEEE Trans. Comput., 35(8):677–691, August 1986.
[CBH11] Andreas Classen, Quentin Boucher, and Patrick Heymans. A text-
based approach to feature modelling: Syntax and semantics of tvl.
Sci. Comput. Program., 76(12):1130–1143, December 2011.
[CCH+12] Andreas Classen, Maxime Cordy, Patrick Heymans, Axel Legay,
and Pierre-Yves Schobbens. Model checking software product lines
with SNIP. International Journal on Software Tools for Technol-
ogy Transfer (STTT), Springer-Verlag, 14(5):589–612, 2012. DOI
10.1007/s10009-012-0234-1.
[CDE08] Cristian Cadar, Daniel Dunbar, and Dawson Engler. Klee: Unas-
sisted and automatic generation of high-coverage tests for complex
systems programs. In Proceedings of the 8th USENIX Conference
on Operating Systems Design and Implementation, OSDI’08, pages
209–224, Berkeley, CA, USA, 2008. USENIX Association.
[CHS+10] Andreas Classen, Patrick Heymans, Pierre-Yves Schobbens, Axel
Legay, and Jean-Franc¸ois Raskin. Model checking lots of systems:
77
Efficient verification of temporal properties in software product
lines. In Proceedings of the 32Nd ACM/IEEE International Confer-
ence on Software Engineering - Volume 1, ICSE ’10, pages 335–344,
New York, NY, USA, 2010. ACM.
[CHS+13] Maxime Cordy, Patrick Heymans, Pierre-Yves Schobbens,
Amir Molzam Sharifloo, Carlo Ghezzi, and Axel Legay. Verification
for reliable product lines. CoRR, abs/1311.1343, 2013.
[Chu36] Alonzo Church. An unsolvable problem of elementary number the-
ory. American Journal of Mathematics, 58(2):345–363, April 1936.
[Coo71] Stephen A. Cook. The complexity of theorem-proving procedures.
In Proceedings of the Third Annual ACM Symposium on Theory of
Computing, STOC ’71, pages 151–158, New York, NY, USA, 1971.
ACM.
[CSHL12] Maxime Cordy, Pierre-Yves Schobbens, Patrick Heymans, and Axel
Legay. Behavioural modelling and verification of real-time software
product lines. In Proceedings of the 16th International Software
Product Line Conference - Volume 1, SPLC ’12, pages 66–75, New
York, NY, USA, 2012. ACM.
[CSHL13] Maxime Cordy, Pierre-Yves Schobbens, Patrick Heymans, and Axel
Legay. Beyond boolean product-line model checking: Dealing with
feature attributes and multi-features. In Proceedings of the 2013
International Conference on Software Engineering, ICSE ’13, pages
472–481, Piscataway, NJ, USA, 2013. IEEE Press.
[DLL62] Martin Davis, George Logemann, and Donald Loveland. A machine
program for theorem-proving. Commun. ACM, 5(7):394–397, July
1962.
[DMB08] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient smt
solver. In Proceedings of the Theory and Practice of Software, 14th
International Conference on Tools and Algorithms for the Con-
struction and Analysis of Systems, TACAS’08/ETAPS’08, pages
337–340, Berlin, Heidelberg, 2008. Springer-Verlag.
[DP60] Martin Davis and Hilary Putnam. A computing procedure for quan-
tification theory. J. ACM, 7(3):201–215, July 1960.
[ES03a] Niklas Een and Niklas So¨rensson. An extensible sat-solver [ver 1.2],
2003.
[ES03b] Niklas Een and Niklas So¨rensson. Temporal induction by incremen-
tal sat solving, 2003.
[FR74] M. J. Fischer and M. O. Rabin. Super-exponential complexity of
presburger arithmetic. Technical report, Cambridge, MA, USA,
1974.
[Gan07] Vijay Ganesh. Decision procedures for bit-vectors, arrays and inte-
gers. PhD thesis, Stanford University, 2007.
78
[Gan13a] Vijay Ganesh. First order logic: Syntax and semantics. ECE750T-
28: Computer-aided Reasoning for Software Engineering, 2013.
[Gan13b] Vijay Ganesh. Overview of first-order theories. ECE750T-28:
Computer-aided Reasoning for Software Engineering, 2013.
[GD07] Vijay Ganesh and David L. Dill. A decision procedure for bit-
vectors and arrays. In Proceedings of Computer Aided Verification
(CAV), 2007.
[GHN+04] Harald Ganzinger, George Hagen, Robert Nieuwenhuis, Albert
Oliveras, and Cesare Tinelli. Dpll(t): Fast decision procedures.
pages 175–188. Springer, 2004.
[GO01] Paul Gastin and Denis Oddoux. Fast LTL to Bu¨chi automata
translation. In Ge´rard Berry, Hubert Comon, and Alain Finkel,
editors, Proceedings of the 13th International Conference on Com-
puter Aided Verification (CAV’01), volume 2102 of Lecture Notes in
Computer Science, pages 53–65, Paris, France, July 2001. Springer.
[Hol04] Gerard J. Holzmann. The SPIN Model Checker - primer and ref-
erence manual. Addison-Wesley, 2004.
[HS07] Hyojung Han and Fabio Somenzi. Alembic: An efficient algorithm
for cnf preprocessing. In Proceedings of the 44th Annual Design
Automation Conference, DAC ’07, pages 582–587, New York, NY,
USA, 2007. ACM.
[KCH+90] K. C. Kang, S. G. Cohen, J. A. Hess, W. E. Novak, and A. S.
Peterson. Feature-oriented domain analysis (foda) feasibility study.
Technical report, Carnegie-Mellon University Software Engineering
Institute, November 1990.
[MMZ+01] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao
Zhang, and Sharad Malik. Chaff: Engineering an efficient sat solver.
In Proceedings of the 38th Annual Design Automation Conference,
DAC ’01, pages 530–535, New York, NY, USA, 2001. ACM.
[NOT06] Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. Solv-
ing sat and sat modulo theories: From an abstract davis–putnam–
logemann–loveland procedure to dpll(t). J. ACM, 53(6):937–977,
November 2006.
[PD11] Knot Pipatsrisawat and Adnan Darwiche. On the power of clause-
learning sat solvers as resolution engines. Artif. Intell., 175(2):512–
525, February 2011.
[SB09] Niklas So¨rensson and Armin Biere. Minimizing learned clauses.
In Proceedings of the 12th International Conference on Theory
and Applications of Satisfiability Testing, SAT ’09, pages 237–243,
Berlin, Heidelberg, 2009. Springer-Verlag.
[Sha38] Claude Elwood Shannon. A Symbolic Analysis of Relay and Switch-
ing Circuits. 1938.
79
[SHT06] Pierre-Yves Schobbens, Patrick Heymans, and Jean-Christophe
Trigaux. Feature diagrams: A survey and a formal semantics. In
RE, pages 136–145. IEEE Computer Society, 2006.
[SS96] Joa˜o P. Marques Silva and Karem A. Sakallah. Grasp&mdash;a
new search algorithm for satisfiability. In Proceedings of the 1996
IEEE/ACM International Conference on Computer-aided Design,
ICCAD ’96, pages 220–227, Washington, DC, USA, 1996. IEEE
Computer Society.
[Tse68] G. S. Tseitin. On the complexity of derivations in the propositional
calculus. Studies in Mathematics and Mathematical Logic, Part
II:115–125, 1968.
[Tur36] Alan M. Turing. On computable numbers, with an application to
the Entscheidungsproblem. Proceedings of the London Mathemati-
cal Society, 2(42):230–265, 1936.
[WKS01] Jesse Whittemore, Joonyoung Kim, and Karem Sakallah. Satire:
A new incremental satisfiability engine. In Proceedings of the 38th
Annual Design Automation Conference, DAC ’01, pages 542–545,
New York, NY, USA, 2001. ACM.
[ZMMM01] Lintao Zhang, Conor F. Madigan, Matthew H. Moskewicz, and
Sharad Malik. Efficient conflict driven learning in a boolean satisfi-
ability solver. In Proceedings of the 2001 IEEE/ACM International
Conference on Computer-aided Design, ICCAD ’01, pages 279–285,
Piscataway, NJ, USA, 2001. IEEE Press.
80
