All-Solution Satisfiability Modulo Theories: applications, algorithms and benchmarks
keywords: Automated Test Generation; Bounded Model Checking; Quantitative Information Flow; Reliability Analysis; Satisfiability Modulo Theories; Symbolic Execution
Pasquale Malacaria's research was supported by grant EP/K032011/1
Software Model Checking with Explicit Scheduler and Symbolic Threads
In many practical application domains, the software is organized into a set of threads, whose activation is exclusive and controlled by a cooperative scheduling policy: threads execute, without any interruption, until they either terminate or yield the control explicitly to the scheduler. The formal verification of such software poses significant challenges. On the one side, each thread may have an infinite state space, and might call for abstraction. On the other side, the scheduling policy is often important for correctness, and an approach based on abstracting the scheduler may result in loss of precision and false positives. Unfortunately, the translation of the problem into a purely sequential software model checking problem turns out to be highly inefficient for the available technologies. We propose a software model checking technique that exploits the intrinsic structure of these programs. Each thread is translated into a separate sequential program and explored symbolically with lazy abstraction, while the overall verification is orchestrated by the direct execution of the scheduler. The approach is optimized by filtering the exploration of the scheduler with the integration of partial-order reduction. The technique, called ESST (Explicit Scheduler, Symbolic Threads), has been implemented and experimentally evaluated on a significant set of benchmarks. The results demonstrate that the ESST technique is far more effective than software model checking applied to the sequentialized programs, and that partial-order reduction can lead to further performance improvements.
Comment: 40 pages, 10 figures, accepted for publication in Logical Methods in Computer Science
Efficient symbolic model checking of concurrent systems
Design errors in software systems consisting of concurrent components are potentially disastrous, yet notoriously difficult to find by testing. Therefore, more rigorous analysis methods are gaining popularity. Symbolic model checking techniques are based on modeling the behavior of the system as a formula and reducing the analysis problem to symbolic manipulation of formulas by computational tools. In this work, the aim is to make symbolic model checking, in particular bounded model checking, more efficient for verifying and falsifying safety properties of highly concurrent system models with high-level data features.
The contributions of this thesis are divided into four topics. The first topic is symbolic model checking of UML state machine models. UML is a language widely used in the industry for modeling software-intensive systems. The contribution is an accurate semantics for a subset of the UML state machine language and an automatic translation to formulas, enabling symbolic UML model checking.
The second topic is bounded model checking of systems with queues. Queues are frequently used to model, for example, message buffers in distributed systems. The contribution is a variety of ways to encode the behavior of queues in formulas that exploit the features of modern SMT solver tools.
The third topic is symbolic partial order methods for accelerated model checking. By exploiting the inherent independence of the components of a concurrent system, the executions of the system are compressed by allowing several actions in different components to occur at the same time. Making the executions shorter increases the performance of bounded model checking. The contribution includes three alternative partial order semantics for compressing the executions, with analytic and experimental evaluation. The work also presents a new variant of bounded model checking that is based on a concurrent instead of sequential view of the events that constitute an execution.
The fourth topic is efficient computation of predicate abstraction. Predicate abstraction is a key technique for scalable model checking, based on replacing the system model by a simpler abstract model that omits irrelevant details. In practice, constructing the abstract model can be computationally expensive. The contribution is a combination of techniques that exploit the structure of the underlying system to partition the problem into a sequence of cheaper abstraction problems, thus reducing the total complexity.
Structure-Aware Computation of Predicate Abstraction
The precise computation of abstractions is a bottleneck in many approaches to CEGAR-based verification. In this paper, we propose a novel approach, based on the use of structural information. Rather than computing the abstraction as a single, monolithic quantification, we provide a structure-aware abstraction algorithm, based on two complementary steps. The first, high-level step exploits the structure of the system, and partitions the abstraction problem into the combination of several smaller abstraction problems. This is represented as a formula with quantifiers. The second, low-level step exploits the structure of the formula, in particular the occurrence of variables within the quantifiers, and applies a set of low-level rewriting rules aiming at further reducing the scope of quantifiers. We experimentally evaluate the approach on a substantial set of benchmarks, and show significant speed-ups compared to monolithic abstraction algorithms.
Proceedings of Formal Methods in Computer Aided Design, FMCAD 2009
Table of Contents:
Preface (p. v)
Organizing Committee (p. vii)
Program Committee (p. vii)
Referees (p. ix)
Keynote Presentations (p. x)
Tutorials (p. xii)
Industrial Experience Reports (p. xiv)
Panels (p. xvii)
Session 1. Model Checking
Interpolation-Sequence Based Model Checking / by Yakir Vizel and Orna Grumberg, The Technion (p. 1)
Structure-Aware Computation of Predicate Abstraction / by Alessandro Cimatti, FBK-irst; Jori Dubrovin, Helsinki University of Technology; Tommi Junttila, Helsinki University of Technology; and Marco Roveri, FBK-irst (p. 9)
Enhanced Verification by Temporal Decomposition / by Michael L. Case, Hari Mony, Jason Baumgartner, and Robert Kanzelman, IBM (p. 17)
Session 2. Software Verification
Software Model Checking via Large-Block Encoding / by Dirk Beyer, Simon Fraser University; Alessandro Cimatti, FBK-irst; Alberto Griggio, University of Trento & Simon Fraser University; M. Erkan Keremoglu, Simon Fraser University; and Roberto Sebastiani, University of Trento (p. 25)
Verification of Recursive Methods on Tree-like Data Structures / by Jyotirmoy Deshmukh and E. Allen Emerson, University of Texas at Austin (p. 33)
MCC: A Runtime Verification Tool for MCAPI User Applications / by Subodh Sharma and Ganesh Gopalakrishnan, University of Utah; Eric Mercer, Brigham Young University; and Jim Holt, Freescale Semiconductor (p. 41)
Session 3. Satisfiability Modulo Theory
Generalized and Efficient Array Decision Procedures / by Leonardo de Moura and Nikolaj Bjørner, Microsoft Research (p. 45)
Decision Diagrams for Linear Arithmetic / by Sagar Chaki and Arie Gurfinkel, SEI/CMU; Ofer Strichman, Technion (p. 53)
Efficient Decision Procedure for Non-linear Arithmetic Constraints using CORDIC / by Malay Ganai and Franjo Ivančić, NEC Laboratories America (p. 61)
Mixed Abstractions for Floating-Point Arithmetic / by Angelo Brillout, ETH Zurich; Daniel Kroening and Thomas Wahl, Oxford University (p. 69)
Session 4. Games
Safety First: A Two-Stage Algorithm for LTL Games / by Saqib Sohail and Fabio Somenzi, University of Colorado at Boulder (p. 77)
Synthesizing Robust Systems / by Roderick Bloem and Karin Greimel, Graz University of Technology; Thomas Henzinger, EPFL & IST Austria; Barbara Jobstmann, EPFL (p. 85)
Session 5. Quantitative Reasoning
Formal Verification of Analog Designs Using MetiTarski / by William Denman, Behzad Akbarpour, and Sofiène Tahar, Concordia University, Montreal; Mohamed H. Zaki, University of British Columbia; and Lawrence Paulson, University of Cambridge (p. 93)
Formal Verification of Correctness and Performance of Random Priority-based Arbiters / by Krishnan Kailas, IBM T.J. Watson Research Center; Viresh Paruthi and Brian Monwai, IBM Systems & Technology Group (p. 101)
Session 6. Assume Guarantee Reasoning
Assume-Guarantee Validation for STE Properties within an SVA Environment / by Zurab Khasidashvili and Gavriel Gavrielov, Intel Israel; and Tom Melham, Oxford University (p. 108)
Data Mining Based Decomposition for Assume-Guarantee Reasoning / by He Zhu and Fei He, Tsinghua University; William N. N. Hung, Synopsys; Xiaoyu Song, Portland State University; and Ming Gu, Tsinghua University (p. 116)
Session 7. Equivalence Checking
Scalable Conditional Equivalence Checking: An Automated Invariant-Generation Based Approach / by Jason Baumgartner, Hari Mony, and Michael Case, IBM Systems & Technology Group; Jun Sawada, IBM Austin Research Laboratory; and Karen Yorav, IBM Haifa (p. 120)
Verifying Equivalence of Memories Using a First Order Logic Theorem Prover / by Zurab Khasidashvili and Mahmoud Kinanah, Intel Israel; and Andrei Voronkov, University of Manchester (p. 128)
A Compositional Theory for Post-Reboot Observational Equivalence Checking of Hardware / by Zurab Khasidashvili, Daher Kaiss, and Doron Bustan, Intel Israel (p. 136)
Session 8. Debugging
Scaling VLSI Design Debugging with Interpolation / by Brian Keng and Andreas Veneris, University of Toronto (p. 144)
Debugging Formal Specifications Using Simple Counterstrategies / by Robert Könighofer, Georg Hofferek, and Roderick Bloem, Graz University of Technology (p. 152)
Connecting Pre-silicon and Post-silicon Verification / by Sandip Ray and Warren Hunt, University of Texas at Austin (p. 160)
Session 9. Case Studies and Verification in the Large
A Verified Platform for a Gate-Level Electronic Control Unit / by Sergey Tverdyshev, Saarland University (p. 164)
Protocol Verification Using Flows: An Industrial Experience / by John O’Leary, Murali Talupur, and Mark Tuttle, Intel (p. 172)
Industrial Strength Refinement Checking / by Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen, Intel (p. 180)
Towards a Formally Verified Network-on-Chip / by Tom van den Broek and Julien Schmaltz, Radboud University Nijmegen (p. 184)
Hardware/Software Co-Verification of Cryptographic Algorithms using Cryptol / by Levent Erkök, Magnus Carlsson, and Adam Wick, Galois, Inc. (p. 188)
Session 10. Synthesis
Retiming and Resynthesis with Sweep Are Complete for Sequential Transformation / by Hai Zhou, Northwestern University (p. 192)
SAT-Based Synthesis of Clock Gating Functions Using 3-Valued Abstraction / by Eli Arbel, Oleg Rokhlenko, and Karen Yorav, IBM Haifa (p. 198)
Finding Heap-Bounds for Hardware Synthesis / by Byron Cook, MSR; Ashutosh Gupta, MPI-SWS; Stephen Magill, CMU; Andrey Rybalchenko, MPI-SWS; Jiri Simsa, CMU; Satnam Singh, MSR; and Viktor Vafeiadis, MSR (p. 205)
Author Index (p. 213)
15-18 November, 2009 in Austin, Texas
IEEE, IBM, Intel, Jasper Design Automation, NEC Labs America, NVIDIA
http://www.cs.utexas.edu/users/hunt/FMCAD/
Computer Science