Model Checking Using SMT and Theory of Lists Aleksandar Milicevic 1 - - PowerPoint PPT Presentation

Motivation Approach Software Model Checking Evaluation Summary

Model Checking Using SMT and Theory of Lists

Aleksandar Milicevic 1 Hillel Kugler 2

1Massachusetts Institute of Technology

Cambridge, MA

2Microsoft Research

Cambridge, UK

Third NASA Formal Methods Symposium, April 18, 2011

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 1

Motivation Approach Software Model Checking Evaluation Summary

Solving Planning Problems

Rush Hour puzzle Goal: drive the red car out of the jam

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2

Motivation Approach Software Model Checking Evaluation Summary

Solving Planning Problems

Rush Hour puzzle Goal: drive the red car out of the jam solve using a satisfiability solver

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2

Motivation Approach Software Model Checking Evaluation Summary

Solving Planning Problems

Rush Hour puzzle Goal: drive the red car out of the jam solve using a satisfiability solver problem: number of necessary steps is not known

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 2

Motivation Approach Software Model Checking Evaluation Summary

Software Model Checking without Loop Unrolling

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Selection Sort algorithm Goal: verify for all int arrays

• f size up to N

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3

Motivation Approach Software Model Checking Evaluation Summary

Software Model Checking without Loop Unrolling

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Selection Sort algorithm Goal: verify for all int arrays

• f size up to N

verify using model checking with satisfiability solving

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3

Motivation Approach Software Model Checking Evaluation Summary

Software Model Checking without Loop Unrolling

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Selection Sort algorithm Goal: verify for all int arrays

• f size up to N

verify using model checking with satisfiability solving problem: number of necessary loop unrollings is not known

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3

Motivation Approach Software Model Checking Evaluation Summary

Software Model Checking without Loop Unrolling

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Selection Sort algorithm Goal: verify for all int arrays

• f size up to N

verify using model checking with satisfiability solving problem: number of necessary loop unrollings is not known moreover, the number of loop unrollings is not independent of N

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 3

Motivation Approach Software Model Checking Evaluation Summary

Use Lists to Model State Transitions

head states

...

nil cons tail

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4

Motivation Approach Software Model Checking Evaluation Summary

Use Lists to Model State Transitions

head states

...

nil cons tail

The length of the list is not explicitly bounded

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4

Motivation Approach Software Model Checking Evaluation Summary

Use Lists to Model State Transitions

head states

...

nil cons tail

The length of the list is not explicitly bounded Specify what the list should look like, not how long it should be.

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4

Motivation Approach Software Model Checking Evaluation Summary

Use Lists to Model State Transitions

head states

...

nil cons tail

The length of the list is not explicitly bounded Specify what the list should look like, not how long it should be. To solve the rush hour puzzle: use a list to model a sequence of car movements don’t have to specify the number of steps

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4

Motivation Approach Software Model Checking Evaluation Summary

Use Lists to Model State Transitions

head states

...

nil cons tail

The length of the list is not explicitly bounded Specify what the list should look like, not how long it should be. To solve the rush hour puzzle: use a list to model a sequence of car movements don’t have to specify the number of steps To solve a software model-checking problem: use a list to model a program trace don’t have to specify the number of loop unrollings

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 4

Motivation Approach Software Model Checking Evaluation Summary

Background: Bounded Model Checking

s1 s2

...

sk

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5

Motivation Approach Software Model Checking Evaluation Summary

Background: Bounded Model Checking

s1 s2

...

sk s1 θ(s1)

Initial state constraint: θ(s1)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5

Motivation Approach Software Model Checking Evaluation Summary

Background: Bounded Model Checking

s1 s2

...

sk s1 θ(s1) ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk)

Initial state constraint: θ(s1) Transition constraint: ρ(s1,s2)∧ρ(s2,s3)∧···∧ρ(sk−1,sk)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5

Motivation Approach Software Model Checking Evaluation Summary

Background: Bounded Model Checking

s1 s2

...

sk s1 θ(s1) ρ(s1,s2) ρ(s2,s3) ρ(sk−1,sk) s1 P(s1) s2 P(s2)

...

sk ¬P(sk)

Initial state constraint: θ(s1) Transition constraint: ρ(s1,s2)∧ρ(s2,s3)∧···∧ρ(sk−1,sk) Safety Property constraint: P(s1)∧P(s2)∧···∧P(sk−1)∧¬P(sk)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 5

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and if (not P(tail(lst))) then is nil(tail(tail(lst))) else is cons(tail(tail(lst)))

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and if (not P(tail(lst))) then is nil(tail(tail(lst))) else is cons(tail(tail(lst))) :pat {check tr}

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and if (not P(tail(lst))) then is nil(tail(tail(lst))) else is cons(tail(tail(lst))) :pat {check tr} assert is cons(states) and θ(head(states)) and check tr(states)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and if (not P(tail(lst))) then is nil(tail(tail(lst))) else is cons(tail(tail(lst))) :pat {check tr} assert is cons(states) and θ(head(states)) and check tr(states) state declaration state transition and safety property enforced with an uninterpreted function and an axiom formula to check

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Translation to SMT

head states

...

nil cons tail Available operations:

• is nil(lst)
• is cons(lst)
• head(lst)
• tail(lst)

tupletype State = [v1: INT, v2: INT, ...] datatype StateList = nil | cons(head: State, tail: StateList) def states: StateList def check tr: StateList → bool assert forall lst: StateList if (is cons(lst) and is cons(tail(lst))) then ρ(head(lst), head(tail(lst))) and check tr(tail(lst)) and if (not P(tail(lst))) then is nil(tail(tail(lst))) else is cons(tail(tail(lst))) :pat {check tr} assert is cons(states) and θ(head(states)) and check tr(states) state declaration state transition and safety property enforced with an uninterpreted function and an axiom formula to check

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 6

Motivation Approach Software Model Checking Evaluation Summary

Application to Software Model Checking

void simpleWhile ( int N) { int x = 0 , i = 0; while ( i < N) { i f ( i % 2 == 0) x += 2; i ++; } assert x == N || x == N + 1; } Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7

Motivation Approach Software Model Checking Evaluation Summary

Application to Software Model Checking

void simpleWhile ( int N) { int x = 0 , i = 0; while ( i < N) { i f ( i % 2 == 0) x += 2; i ++; } assert x == N || x == N + 1; }

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7

Motivation Approach Software Model Checking Evaluation Summary

Application to Software Model Checking

void simpleWhile ( int N) { int x = 0 , i = 0; while ( i < N) { i f ( i % 2 == 0) x += 2; i ++; } assert x == N || x == N + 1; }

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else

goal: find a feasible path from start to an error node

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7

Motivation Approach Software Model Checking Evaluation Summary

Application to Software Model Checking

void simpleWhile ( int N) { int x = 0 , i = 0; while ( i < N) { i f ( i % 2 == 0) x += 2; i ++; } assert x == N || x == N + 1; }

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else

goal: find a feasible path from start to an error node idea: use a list to represent a path in the graph

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 7

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks
• 2. state tuple: [id, i, x]

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks
• 2. state tuple: [id, i, x]
• 3. initial state constraint θ:

head(states).i=0 ∧ head(states).x=0

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks
• 2. state tuple: [id, i, x]
• 3. initial state constraint θ:

head(states).i=0 ∧ head(states).x=0

• 4. safety constraint P(lst):

head(lst).id = 8

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks
• 2. state tuple: [id, i, x]
• 3. initial state constraint θ:

head(states).i=0 ∧ head(states).x=0

• 4. safety constraint P(lst):

head(lst).id = 8

• 5. transition constraint ρ(curr,next):

if head(curr).id=0 then head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0 else if head(curr).id=1 then if head(curr).i < N then head(next).id=2 else head(next).id=3 ... else false

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

From CFG to θ, ρ, P

i:=0 x:=0 (id=0) [i < N] (id=1) [i%2 != 0] (id=2) [x == N] (id=3) x:=x+2 (id=4) i:=i+1 (id=5) [x == N+1] (id=6) return (id=7) Error (id=8) then else then else then else then else

• 1. assign IDs to basic blocks
• 2. state tuple: [id, i, x]
• 3. initial state constraint θ:

head(states).i=0 ∧ head(states).x=0

• 4. safety constraint P(lst):

head(lst).id = 8

• 5. transition constraint ρ(curr,next):

if head(curr).id=0 then head(next).id=1 ∧ head(next).i=0 ∧ head(next).x=0 else if head(curr).id=1 then if head(curr).i < N then head(next).id=2 else head(next).id=3 ... else false

• 6. bounds on some pieces of data: N > 0 ∧ N < 10

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 8

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else [i<N] [!(i<N)] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else [i<N] [!(i<N)] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else [i<N] [!(i<N)] [i<N] [!(i<N)] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Empty Nodes

i:=0 x:=0 [i < N] [i%2 != 0] [x == N] x:=x+2 i:=i+1 [x == N+1] return Error then else then else then else then else [i<N] [!(i<N)] [i<N] [!(i<N)] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 9

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] [g15] [g14] [g23] [g13] [g32] [g35] [g33] [g34] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] [g23] [g32] Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g23] [g32] [g12] i:=0; x:=0 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g32] [g12] i:=0; x:=0 [g23] x:=x+2 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] i:=0; x:=0 [g23] x:=x+2 [g32] i:=i+1 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] i:=0; x:=0 [g23] x:=x+2 [g32] i:=i+1 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] i:=0; x:=0 [g23] x:=x+2 [g32 ∧g23] i:=i+1; x:=x+2 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g12] i:=0; x:=0 [g23] x:=x+2 [g32 ∧g23] i:=i+1; x:=x+2 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g23] x:=x+2 [g32 ∧g23] i:=i+1; x:=x+2 [g12 ∧g23] i:=0; x:=2 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Optimization: Removing Non-Looping Nodes

i:=0 x:=0 x:=x+2 i:=i+1 return Error [g23] x:=x+2 [g32 ∧g23] i:=i+1; x:=x+2 [g12 ∧g23] i:=0; x:=2 Model Checking Using SMT and Theory of Lists Milicevic, Kugler 10

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Verifying Simple Algorithms

Simple While Loop

void simpleWhile ( int N) { int x = 0 , i = 0; while ( i < N) { i f ( i % 2 == 0) x += 2; i ++; } assert x == N || x == N + 1; }

Selection Sort Algorithm

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Integer Square Root Algorithm

int intSqRoot ( int N) { int r = 1 , q = N; while ( r +1 < q ) { int p = ( r+q ) / 2; i f (N < p∗p ) q = p ; else r = p ; } assert r∗r <= N && ( r +1)∗( r+1)>N; return r ; }

Bubble Sort Algorithm

void bubbleSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) for ( int i =0; i< N −j −1; i ++) i f ( a [ i ] > a [ i +1]) { int t = a [ i ] ; a [ i ] = a [ i +1]; a [ i +1] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; } Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Verifying Simple Algorithms

Simple While Loop

50 100 150 200 250 300 100 200 300 400 500 600 700 800 900 time (s) N SimpleWhile No Opt Opt 1 Opt 2 JForge

Selection Sort Algorithm

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Integer Square Root Algorithm

int intSqRoot ( int N) { int r = 1 , q = N; while ( r +1 < q ) { int p = ( r+q ) / 2; i f (N < p∗p ) q = p ; else r = p ; } assert r∗r <= N && ( r +1)∗( r+1)>N; return r ; }

Bubble Sort Algorithm

void bubbleSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) for ( int i =0; i< N −j −1; i ++) i f ( a [ i ] > a [ i +1]) { int t = a [ i ] ; a [ i ] = a [ i +1]; a [ i +1] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; } Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Verifying Simple Algorithms

Simple While Loop

50 100 150 200 250 300 100 200 300 400 500 600 700 800 900 time (s) N SimpleWhile No Opt Opt 1 Opt 2 JForge

Selection Sort Algorithm

void selectSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) { int min = j ; for ( int i = j +1; i < N; i ++) i f ( a [ min ] > a [ i ] ) min = i ; int t = a [ j ] ; a [ j ] = a [ min ] ; a [ min ] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; }

Integer Square Root Algorithm

50 100 150 200 250 300 20 40 60 80 100 120 140 160 time (s) N SqRoot No Opt Opt 1 Opt 2 JForge

Bubble Sort Algorithm

void bubbleSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) for ( int i =0; i< N −j −1; i ++) i f ( a [ i ] > a [ i +1]) { int t = a [ i ] ; a [ i ] = a [ i +1]; a [ i +1] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; } Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Verifying Simple Algorithms

Simple While Loop

50 100 150 200 250 300 100 200 300 400 500 600 700 800 900 time (s) N SimpleWhile No Opt Opt 1 Opt 2 JForge

Selection Sort Algorithm

50 100 150 200 250 300 2 4 6 8 10 12 time (s) N SelectSort No Opt Opt 1 Opt 2 JPF JForge

Integer Square Root Algorithm

50 100 150 200 250 300 20 40 60 80 100 120 140 160 time (s) N SqRoot No Opt Opt 1 Opt 2 JForge

Bubble Sort Algorithm

void bubbleSort ( int [ ] a , int N) { for ( int j =0; j< N−1; j ++) for ( int i =0; i< N −j −1; i ++) i f ( a [ i ] > a [ i +1]) { int t = a [ i ] ; a [ i ] = a [ i +1]; a [ i +1] = t ; } for ( int j =0; j< N−1; j ++) assert a [ j ] <= a [ j +1]; } Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Verifying Simple Algorithms

Simple While Loop

50 100 150 200 250 300 100 200 300 400 500 600 700 800 900 time (s) N SimpleWhile No Opt Opt 1 Opt 2 JForge

Selection Sort Algorithm

50 100 150 200 250 300 2 4 6 8 10 12 time (s) N SelectSort No Opt Opt 1 Opt 2 JPF JForge

Integer Square Root Algorithm

50 100 150 200 250 300 20 40 60 80 100 120 140 160 time (s) N SqRoot No Opt Opt 1 Opt 2 JForge

Bubble Sort Algorithm

50 100 150 200 250 300 1 2 3 4 5 6 7 8 9 time (s) N BblSort No Opt Opt 1 Opt 2 JPF JForge

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 11

Motivation Approach Software Model Checking Evaluation Summary

Evaluation: Solving the Rush Hour Puzzle

Source: http://www.puzzles.com/products/rushhour.htm

Bounded Using Lists #steps Jam 25 1.20s 1.88s 16 Jam 30 1.21s 2.17s 22 Jam 38 4.47s 36.6s 35 Jam 39 1.90s 14.66s 40 Jam 40 6.31s 17.89s 36 bounded: single flat formula, number

• f steps given up front

using lists:

• ur approach with lists

#steps: min number of steps needed to solve the puzzle able to solve all puzzles from in less than 40 seconds limitation: doesn’t terminate if puzzle can’t be solved

possible solution: optimize the solver not to explore same states

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 12

Motivation Approach Software Model Checking Evaluation Summary

Case Study: Execution of Live Sequence Charts

Goal: find valid single and super steps single step - a single message that doesn’t cause a violation super step - a sequence of messages that closes all charts Approach: formulate as a model-checking problem use a list to represent sent messages, and the state after each message transition constraint: messages don’t cause violations safety property: not all charts are closed Result: incorporated in the Synthesizing Biological Theories (SBT) tool [CAV’11]

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 13

Motivation Approach Software Model Checking Evaluation Summary

Summary

Model-checking technique using SMT Theory of Lists Theory of Lists lets you:

model unbounded state sequences perform bounded model checking without explicitly bounding the length of counter examples perform software model checking without loop unrolling

Thank You!

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 14

Motivation Approach Software Model Checking Evaluation Summary

Related Work

Bounded Model Checking with SMT (explicit loop unrolling required) Armando et al. (STTT 2009) Unbounded Model Checking with SAT (multiple invocation of the solver required) Kang et al. (DAC 2003), McMillan et al.(CAV 2002) Bounded Model Checking with SAT (explicit loop unrolling required) CBMC (Clarke04), JForge (Dennis09), Alloy Analyzer (Jackson06) Explicit State Model Checking Java PathFinder (Visser00)

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 15

Motivation Approach Software Model Checking Evaluation Summary

Future Work

Comparison with other tools/approaches planning problems: SMT Lists vs Alloy event paradigm software model checking: SMT Lists vs unbounded SAT Optimization of SMT heuristics for theory of lists explore implementing fixpoint search inside SMT Synthesizing Biological Theories Try out on more models of biological systems

Model Checking Using SMT and Theory of Lists Milicevic, Kugler 16