model checking using smt and theory of...
TRANSCRIPT
![Page 1: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/1.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Model Checking Using SMT and Theory of Lists
Aleksandar Milicevic 1 Hillel Kugler 2
1Massachusetts Institute of TechnologyCambridge, MA
2Microsoft ResearchCambridge, UK
Third NASA Formal Methods Symposium,April 18, 2011
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 1
![Page 2: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/2.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Solving Planning Problems
Rush Hour puzzle
Goal: drive the red car out of the jam
solve using a satisfiability solverproblem: number of necessary steps is not known
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2
![Page 3: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/3.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Solving Planning Problems
Rush Hour puzzle
Goal: drive the red car out of the jam
solve using a satisfiability solver
problem: number of necessary steps is not known
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2
![Page 4: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/4.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Solving Planning Problems
Rush Hour puzzle
Goal: drive the red car out of the jam
solve using a satisfiability solverproblem: number of necessary steps is not known
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2
![Page 5: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/5.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Software Model Checking without Loop Unrolling
void s e l e c t S o r t ( i n t [ ] a , i n t N) {for ( i n t j =0; j<N−1; j ++) {
i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ;a [ j ] = a [ min ] ;a [ min ] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Selection Sort algorithm
Goal: verify for all int arraysof size up to N
verify using model checking with satisfiability solvingproblem: number of necessary loop unrollings is not knownmoreover, the number of loop unrollings is not independent of N
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3
![Page 6: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/6.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Software Model Checking without Loop Unrolling
void s e l e c t S o r t ( i n t [ ] a , i n t N) {for ( i n t j =0; j<N−1; j ++) {
i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ;a [ j ] = a [ min ] ;a [ min ] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Selection Sort algorithm
Goal: verify for all int arraysof size up to N
verify using model checking with satisfiability solving
problem: number of necessary loop unrollings is not knownmoreover, the number of loop unrollings is not independent of N
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3
![Page 7: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/7.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Software Model Checking without Loop Unrolling
void s e l e c t S o r t ( i n t [ ] a , i n t N) {for ( i n t j =0; j<N−1; j ++) {
i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ;a [ j ] = a [ min ] ;a [ min ] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Selection Sort algorithm
Goal: verify for all int arraysof size up to N
verify using model checking with satisfiability solvingproblem: number of necessary loop unrollings is not known
moreover, the number of loop unrollings is not independent of N
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3
![Page 8: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/8.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Software Model Checking without Loop Unrolling
void s e l e c t S o r t ( i n t [ ] a , i n t N) {for ( i n t j =0; j<N−1; j ++) {
i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ;a [ j ] = a [ min ] ;a [ min ] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Selection Sort algorithm
Goal: verify for all int arraysof size up to N
verify using model checking with satisfiability solvingproblem: number of necessary loop unrollings is not knownmoreover, the number of loop unrollings is not independent of N
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3
![Page 9: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/9.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Use Lists to Model State Transitions
head
states
. . . nil
cons
tail
The length of the list is not explicitly bounded
Specify what the list should look like, not how long it should be.
To solve the rush hour puzzle:use a list to model a sequence of car movementsdon’t have to specify the number of steps
To solve a software model-checking problem:use a list to model a program tracedon’t have to specify the number of loop unrollings
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4
![Page 10: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/10.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Use Lists to Model State Transitions
head
states
. . . nil
cons
tail
The length of the list is not explicitly bounded
Specify what the list should look like, not how long it should be.
To solve the rush hour puzzle:use a list to model a sequence of car movementsdon’t have to specify the number of steps
To solve a software model-checking problem:use a list to model a program tracedon’t have to specify the number of loop unrollings
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4
![Page 11: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/11.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Use Lists to Model State Transitions
head
states
. . . nil
cons
tail
The length of the list is not explicitly bounded
Specify what the list should look like, not how long it should be.
To solve the rush hour puzzle:use a list to model a sequence of car movementsdon’t have to specify the number of steps
To solve a software model-checking problem:use a list to model a program tracedon’t have to specify the number of loop unrollings
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4
![Page 12: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/12.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Use Lists to Model State Transitions
head
states
. . . nil
cons
tail
The length of the list is not explicitly bounded
Specify what the list should look like, not how long it should be.
To solve the rush hour puzzle:use a list to model a sequence of car movementsdon’t have to specify the number of steps
To solve a software model-checking problem:use a list to model a program tracedon’t have to specify the number of loop unrollings
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4
![Page 13: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/13.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Use Lists to Model State Transitions
head
states
. . . nil
cons
tail
The length of the list is not explicitly bounded
Specify what the list should look like, not how long it should be.
To solve the rush hour puzzle:use a list to model a sequence of car movementsdon’t have to specify the number of steps
To solve a software model-checking problem:use a list to model a program tracedon’t have to specify the number of loop unrollings
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4
![Page 14: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/14.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Background: Bounded Model Checking
s1 s2 . . . sk
s1
θ(s1)
ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk )s1
P(s1)
s2
P(s2)
. . . sk
¬P(sk )
Initial state constraint:θ(s1)
Transition constraint:ρ(s1,s2)∧ρ(s2,s3)∧·· ·∧ρ(sk−1,sk )
Safety Property constraint:P(s1)∧P(s2)∧·· ·∧P(sk−1)∧¬P(sk )
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5
![Page 15: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/15.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Background: Bounded Model Checking
s1 s2 . . . sks1
θ(s1)
ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk )s1
P(s1)
s2
P(s2)
. . . sk
¬P(sk )
Initial state constraint:θ(s1)
Transition constraint:ρ(s1,s2)∧ρ(s2,s3)∧·· ·∧ρ(sk−1,sk )
Safety Property constraint:P(s1)∧P(s2)∧·· ·∧P(sk−1)∧¬P(sk )
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5
![Page 16: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/16.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Background: Bounded Model Checking
s1 s2 . . . sks1
θ(s1)
ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk )
s1
P(s1)
s2
P(s2)
. . . sk
¬P(sk )
Initial state constraint:θ(s1)
Transition constraint:ρ(s1,s2)∧ρ(s2,s3)∧·· ·∧ρ(sk−1,sk )
Safety Property constraint:P(s1)∧P(s2)∧·· ·∧P(sk−1)∧¬P(sk )
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5
![Page 17: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/17.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Background: Bounded Model Checking
s1 s2 . . . sks1
θ(s1)
ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk )s1
P(s1)
s2
P(s2)
. . . sk
¬P(sk )
Initial state constraint:θ(s1)
Transition constraint:ρ(s1,s2)∧ρ(s2,s3)∧·· ·∧ρ(sk−1,sk )
Safety Property constraint:P(s1)∧P(s2)∧·· ·∧P(sk−1)∧¬P(sk )
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5
![Page 18: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/18.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 19: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/19.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 20: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/20.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 21: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/21.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 22: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/22.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and
if (not P(tail(lst))) thenis nil(tail(tail(lst)))
elseis cons(tail(tail(lst)))
:pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 23: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/23.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst)))
:pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 24: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/24.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 25: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/25.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to check
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 26: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/26.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to checkModel Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 27: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/27.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Translation to SMT
head
states
. . . nil
cons
tail
Available operations:- is nil(lst)- is cons(lst)- head(lst)- tail(lst)
tupletype State = [v1: INT, v2: INT, ...]datatype StateList = nil | cons(head: State, tail: StateList)def states: StateList
def check tr: StateList → bool
assert forall lst: StateListif (is cons(lst) and is cons(tail(lst))) then
ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) andif (not P(tail(lst))) then
is nil(tail(tail(lst)))else
is cons(tail(tail(lst))):pat {check tr}
assert is cons(states) and θ (head(states)) and check tr(states)
state declaration
state transition andsafety propertyenforced with anuninterpreted functionand an axiom
formula to checkModel Checking Using SMT and Theory of Lists Milicevic, Kugler 6
![Page 28: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/28.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Application to Software Model Checking
void simpleWhi le ( i n t N) {i n t x = 0 , i = 0 ;while ( i < N) {
i f ( i % 2 == 0)x += 2;
i ++;}assert x == N | |
x == N + 1;}
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
goal: find a feasible path from start to an error nodeidea: use a list to represent a path in the graph
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7
![Page 29: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/29.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Application to Software Model Checking
void simpleWhi le ( i n t N) {i n t x = 0 , i = 0 ;while ( i < N) {
i f ( i % 2 == 0)x += 2;
i ++;}assert x == N | |
x == N + 1;}
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
goal: find a feasible path from start to an error nodeidea: use a list to represent a path in the graph
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7
![Page 30: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/30.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Application to Software Model Checking
void simpleWhi le ( i n t N) {i n t x = 0 , i = 0 ;while ( i < N) {
i f ( i % 2 == 0)x += 2;
i ++;}assert x == N | |
x == N + 1;}
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
goal: find a feasible path from start to an error node
idea: use a list to represent a path in the graph
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7
![Page 31: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/31.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Application to Software Model Checking
void simpleWhi le ( i n t N) {i n t x = 0 , i = 0 ;while ( i < N) {
i f ( i % 2 == 0)x += 2;
i ++;}assert x == N | |
x == N + 1;}
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
goal: find a feasible path from start to an error nodeidea: use a list to represent a path in the graph
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7
![Page 32: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/32.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 33: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/33.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 34: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/34.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 35: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/35.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 36: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/36.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 37: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/37.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 38: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/38.jpg)
Motivation Approach Software Model Checking Evaluation Summary
From CFG to θ , ρ, P
i:=0
x:=0(id=0)
[i < N] (id=1)
[i%2 != 0] (id=2) [x == N] (id=3)
x:=x+2 (id=4)
i:=i+1 (id=5)
[x == N+1] (id=6)
return
(id=7)
Error
(id=8)
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
1. assign IDs to basic blocks
2. state tuple: [id, i, x]
3. initial state constraint θ :head(states).i=0 ∧ head(states).x=0
4. safety constraint P(lst):head(lst).id 6= 8
5. transition constraint ρ(curr ,next):if head(curr).id=0 then
head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0else if head(curr).id=1 then
if head(curr).i < N then head(next).id=2 else head(next).id=3. . .else
false
6. bounds on some pieces of data: N > 0 ∧ N < 10
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8
![Page 39: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/39.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 40: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/40.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 41: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/41.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 42: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/42.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 43: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/43.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 44: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/44.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 45: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/45.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Empty Nodes
i:=0
x:=0
[i < N]
[i%2 != 0] [x == N]
x:=x+2
i:=i+1
[x == N+1]
return Error
then else
then
else
then
else
then
else
[i<N] [!(i<N)]
[i<N]
[!(i<N)]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9
![Page 46: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/46.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 47: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/47.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g12]
[g23]
[g32]
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 48: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/48.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g23]
[g32]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 49: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/49.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g32]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 50: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/50.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32] i:=i+1
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 51: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/51.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32] i:=i+1
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 52: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/52.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 53: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/53.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g12] i:=0; x:=0
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 54: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/54.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 55: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/55.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Optimization: Removing Non-Looping Nodesi:=0
x:=0
x:=x+2
i:=i+1
return
Error
[g12]
[g15]
[g14]
[g23]
[g13]
[g32]
[g35]
[g33]
[g34]
[g23] x:=x+2
[g32 ∧g23] i:=i+1; x:=x+2
[g12 ∧g23] i:=0; x:=2
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10
![Page 56: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/56.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Verifying Simple AlgorithmsSimple While Loopvoid simpleWhi le ( i n t N) {
i n t x = 0 , i = 0 ;while ( i < N) {
i f ( i % 2 == 0)x += 2;
i ++;}assert x == N | |
x == N + 1;}
Selection Sort Algorithmvoid s e l e c t S o r t ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++) {i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ;}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Integer Square Root Algorithmi n t in tSqRoot ( i n t N) {
i n t r = 1 , q = N;while ( r +1 < q ) {
i n t p = ( r +q ) / 2 ;i f (N < p∗p ) q = p ;else r = p ;
}assert r∗ r <= N &&
( r +1)∗( r+1)>N;return r ;
}
Bubble Sort Algorithmvoid bubbleSort ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++)for ( i n t i =0; i<N−j −1; i ++)
i f ( a [ i ] > a [ i +1 ] ) {i n t t = a [ i ] ;a [ i ] = a [ i + 1 ] ;a [ i +1] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11
![Page 57: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/57.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Verifying Simple AlgorithmsSimple While Loop
0
50
100
150
200
250
300
0 100 200 300 400 500 600 700 800 900
time
(s)
N
SimpleWhile
No OptOpt 1Opt 2
JForge
Selection Sort Algorithmvoid s e l e c t S o r t ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++) {i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ;}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Integer Square Root Algorithmi n t in tSqRoot ( i n t N) {
i n t r = 1 , q = N;while ( r +1 < q ) {
i n t p = ( r +q ) / 2 ;i f (N < p∗p ) q = p ;else r = p ;
}assert r∗ r <= N &&
( r +1)∗( r+1)>N;return r ;
}
Bubble Sort Algorithmvoid bubbleSort ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++)for ( i n t i =0; i<N−j −1; i ++)
i f ( a [ i ] > a [ i +1 ] ) {i n t t = a [ i ] ;a [ i ] = a [ i + 1 ] ;a [ i +1] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11
![Page 58: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/58.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Verifying Simple AlgorithmsSimple While Loop
0
50
100
150
200
250
300
0 100 200 300 400 500 600 700 800 900
time
(s)
N
SimpleWhile
No OptOpt 1Opt 2
JForge
Selection Sort Algorithmvoid s e l e c t S o r t ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++) {i n t min = j ;for ( i n t i = j +1; i < N; i ++)
i f ( a [ min ] > a [ i ] ) min = i ;i n t t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ;}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Integer Square Root Algorithm
0
50
100
150
200
250
300
0 20 40 60 80 100 120 140 160
time
(s)
N
SqRoot
No OptOpt 1Opt 2
JForge
Bubble Sort Algorithmvoid bubbleSort ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++)for ( i n t i =0; i<N−j −1; i ++)
i f ( a [ i ] > a [ i +1 ] ) {i n t t = a [ i ] ;a [ i ] = a [ i + 1 ] ;a [ i +1] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11
![Page 59: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/59.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Verifying Simple AlgorithmsSimple While Loop
0
50
100
150
200
250
300
0 100 200 300 400 500 600 700 800 900
time
(s)
N
SimpleWhile
No OptOpt 1Opt 2
JForge
Selection Sort Algorithm
0
50
100
150
200
250
300
0 2 4 6 8 10 12
time
(s)
N
SelectSort
No OptOpt 1Opt 2
JPFJForge
Integer Square Root Algorithm
0
50
100
150
200
250
300
0 20 40 60 80 100 120 140 160
time
(s)
N
SqRoot
No OptOpt 1Opt 2
JForge
Bubble Sort Algorithmvoid bubbleSort ( i n t [ ] a , i n t N) {
for ( i n t j =0; j<N−1; j ++)for ( i n t i =0; i<N−j −1; i ++)
i f ( a [ i ] > a [ i +1 ] ) {i n t t = a [ i ] ;a [ i ] = a [ i + 1 ] ;a [ i +1] = t ;
}for ( i n t j =0; j<N−1; j ++)
assert a [ j ] <= a [ j + 1 ] ;}
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11
![Page 60: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/60.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Verifying Simple Algorithms
Simple While Loop
0
50
100
150
200
250
300
0 100 200 300 400 500 600 700 800 900
time
(s)
N
SimpleWhile
No OptOpt 1Opt 2
JForge
Selection Sort Algorithm
0
50
100
150
200
250
300
0 2 4 6 8 10 12
time
(s)
N
SelectSort
No OptOpt 1Opt 2
JPFJForge
Integer Square Root Algorithm
0
50
100
150
200
250
300
0 20 40 60 80 100 120 140 160
time
(s)
N
SqRoot
No OptOpt 1Opt 2
JForge
Bubble Sort Algorithm
0
50
100
150
200
250
300
1 2 3 4 5 6 7 8 9
time
(s)
N
BblSort
No OptOpt 1Opt 2
JPFJForge
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11
![Page 61: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/61.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Evaluation: Solving the Rush Hour Puzzle
Source:http://www.puzzles.com/products/rushhour.htm
Bounded Using Lists #stepsJam 25 1.20s 1.88s 16Jam 30 1.21s 2.17s 22Jam 38 4.47s 36.6s 35Jam 39 1.90s 14.66s 40Jam 40 6.31s 17.89s 36bounded: single flat formula, number
of steps given up frontusing lists: our approach with lists
#steps: min number of stepsneeded to solve the puzzle
able to solve all puzzles from in less than 40 secondslimitation: doesn’t terminate if puzzle can’t be solved
possible solution: optimize the solver not to explore same states
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 12
![Page 62: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/62.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Case Study: Execution of Live Sequence Charts
Goal: find valid single and super stepssingle step - a single message that doesn’t cause a violationsuper step - a sequence of messages that closes all charts
Approach: formulate as a model-checking problemuse a list to represent sentmessages, and the state aftereach messagetransition constraint: messagesdon’t cause violationssafety property: not all chartsare closed
Result: incorporated in theSynthesizing Biological Theories (SBT) tool [CAV’11]
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 13
![Page 63: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/63.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Summary
Model-checking technique using SMT Theory of Lists
Theory of Lists lets you:model unbounded state sequences
perform bounded model checking without explicitly bounding thelength of counter examples
perform software model checking without loop unrolling
Thank You!
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 14
![Page 64: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/64.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Related Work
Bounded Model Checking with SMT(explicit loop unrolling required)
Armando et al. (STTT 2009)
Unbounded Model Checking with SAT(multiple invocation of the solver required)
Kang et al. (DAC 2003), McMillan et al.(CAV 2002)
Bounded Model Checking with SAT(explicit loop unrolling required)
CBMC (Clarke04), JForge (Dennis09), Alloy Analyzer(Jackson06)
Explicit State Model CheckingJava PathFinder (Visser00)
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 15
![Page 65: Model Checking Using SMT and Theory of Listspeople.csail.mit.edu/aleks/website/papers/nfm11-smtlist...verify using model checking with satisfiability solving problem: number of necessaryloop](https://reader033.vdocuments.net/reader033/viewer/2022050522/5fa60f61a738bb07300662f9/html5/thumbnails/65.jpg)
Motivation Approach Software Model Checking Evaluation Summary
Future Work
Comparison with other tools/approachesplanning problems: SMT Lists vs Alloy event paradigmsoftware model checking: SMT Lists vs unbounded SAT
Optimization of SMT heuristics for theory of listsexplore implementing fixpoint search inside SMT
Synthesizing Biological TheoriesTry out on more models of biological systems
Model Checking Using SMT and Theory of Lists Milicevic, Kugler 16