1,139 research outputs found
Finite Model Finding Using the Logic of Equality with Uninterpreted Functions
This is a post-peer-review, pre-copyedit version of a paper presented at the International Symposium on Formal Methods. The final authenticated version is available online at: https://dx.doi.org/10.1007/978-3-319-48989-6_41The problem of finite model finding, finding a satisfying model for a set of first-order logic formulas for a finite scope, is an important step in many verification techniques. In MACE-style solvers, the problem is mapped directly to a SAT problem. We investigate an alternative solution of mapping the problem to the logic of equality with uninterpreted functions (EUF), a decidable logic with many well-supported tools (e.g., SMT solvers). EUF reasoners take advantage of the typed functional structures found in the formulas to improve performance. The challenge is that EUF reasoning is not inherently finite scope. We present an algorithm for mapping a finite model finding problem to an equisatisfiable EUF problem. We present results that show our method has better overall performance than existing tools on a range of problems
Linking Alloy with SMT-based Finite Model Finding
Alloy is a well-known declarative language for modelling systems early in the development process. Currently, it uses the Kodkod library as its back-end for finite model finding (finding instances of the model by determining satisfiability for finite sets). Alloy's tool, the Alloy Analyzer, converts the Alloy model to an equivalent Kodkod problem, which is translated to boolean logic and analyzed using an off-the-shelf SAT solver by Kodkod. However, this method can often handle only problems of fairly small size sets.
We present Portus, a tool for translating Alloy into an equisatisfiable many-sorted finite model finding (MSFMF) problem of first-order logic. The MSFMF problem is evaluated by an SMT-based finite model finding method implemented in the Fortress solver, creating an alternative back-end to the Alloy Analyzer. Fortress converts the MSFMF problem into (mostly) the logic of equality with uninterpreted functions (EUF), a decidable fragment of first-order logic that is well-supported in many SMT solvers.
Portus is presented as a two-fold approach. First, we discuss the basic translation of all Alloy constructs in detail. Second, we suggest optimizations applicable to some Alloy models to improve the performance of Portus. We evaluate the effect of each optimization on Portus.
Finally, we compare the performance of Portus with Kodkod, the current solver of the Alloy Analyzer, on a corpus of Alloy models over various scopes. We classify these Alloy models based on certain characteristics and provide a hypothesis regarding the class of Alloy models Portus performs better on
On Deciding Local Theory Extensions via E-matching
Satisfiability Modulo Theories (SMT) solvers incorporate decision procedures
for theories of data types that commonly occur in software. This makes them
important tools for automating verification problems. A limitation frequently
encountered is that verification problems are often not fully expressible in
the theories supported natively by the solvers. Many solvers allow the
specification of application-specific theories as quantified axioms, but their
handling is incomplete outside of narrow special cases.
In this work, we show how SMT solvers can be used to obtain complete decision
procedures for local theory extensions, an important class of theories that are
decidable using finite instantiation of axioms. We present an algorithm that
uses E-matching to generate instances incrementally during the search,
significantly reducing the number of generated instances compared to eager
instantiation strategies. We have used two SMT solvers to implement this
algorithm and conducted an extensive experimental evaluation on benchmarks
derived from verification conditions for heap-manipulating programs. We believe
that our results are of interest to both the users of SMT solvers as well as
their developers
Synthesizing Multiple Boolean Functions using Interpolation on a Single Proof
It is often difficult to correctly implement a Boolean controller for a
complex system, especially when concurrency is involved. Yet, it may be easy to
formally specify a controller. For instance, for a pipelined processor it
suffices to state that the visible behavior of the pipelined system should be
identical to a non-pipelined reference system (Burch-Dill paradigm). We present
a novel procedure to efficiently synthesize multiple Boolean control signals
from a specification given as a quantified first-order formula (with a specific
quantifier structure). Our approach uses uninterpreted functions to abstract
details of the design. We construct an unsatisfiable SMT formula from the given
specification. Then, from just one proof of unsatisfiability, we use a variant
of Craig interpolation to compute multiple coordinated interpolants that
implement the Boolean control signals. Our method avoids iterative learning and
back-substitution of the control functions. We applied our approach to
synthesize a controller for a simple two-stage pipelined processor, and present
first experimental results.Comment: This paper originally appeared in FMCAD 2013,
http://www.cs.utexas.edu/users/hunt/FMCAD/FMCAD13/index.shtml. This version
includes an appendix that is missing in the conference versio
Applying SMT Solvers to the Test Template Framework
The Test Template Framework (TTF) is a model-based testing method for the Z
notation. In the TTF, test cases are generated from test specifications, which
are predicates written in Z. In turn, the Z notation is based on first-order
logic with equality and Zermelo-Fraenkel set theory. In this way, a test case
is a witness satisfying a formula in that theory. Satisfiability Modulo Theory
(SMT) solvers are software tools that decide the satisfiability of arbitrary
formulas in a large number of built-in logical theories and their combination.
In this paper, we present the first results of applying two SMT solvers, Yices
and CVC3, as the engines to find test cases from TTF's test specifications. In
doing so, shallow embeddings of a significant portion of the Z notation into
the input languages of Yices and CVC3 are provided, given that they do not
directly support Zermelo-Fraenkel set theory as defined in Z. Finally, the
results of applying these embeddings to a number of test specifications of
eight cases studies are analysed.Comment: In Proceedings MBT 2012, arXiv:1202.582
Relational Constraint Driven Test Case Synthesis for Web Applications
This paper proposes a relational constraint driven technique that synthesizes
test cases automatically for web applications. Using a static analysis,
servlets can be modeled as relational transducers, which manipulate backend
databases. We present a synthesis algorithm that generates a sequence of HTTP
requests for simulating a user session. The algorithm relies on backward
symbolic image computation for reaching a certain database state, given a code
coverage objective. With a slight adaptation, the technique can be used for
discovering workflow attacks on web applications.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
- …