Since quantifier elimination is expensive, many techniques are based on SAT only.
S. Tonetta (FBK-irst) VMT techniques RichModels, 4 October 2011 13 / 28
BMC
Determine if $\phi$ is reachable in $k$ steps.
State variables replicated $k+1$ times: $V^0, V^1, \ldots, V^{k-1}, V^k$.
Given $\psi(V)$, denote $\psi[V^i/V]$ with $\psi^i$.
Given $\psi(V, V')$, denote $\psi[V^i/V, V^{i+1}/V']$ with $\psi^i$.
Encoding of an initial path reaching $\phi$:
$I^0 \wedge T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k$
Incremental approach:
$I^0 \wedge \phi^0$
$I^0 \wedge T^0 \wedge \phi^1$
$I^0 \wedge T^0 \wedge T^1 \wedge \phi^2$
$\ldots$
$I^0 \wedge T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k$
Interpolation-based model checking
If $A \wedge B \models \bot$, the Craig interpolant of $A \wedge B$ is a formula $I$ such that $\models A \to I$, $B \wedge I \models \bot$, and which contains only variables common to $A$ and $B$.
Interpolation-based model checking:
1 $I^0 \wedge T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k$ is unsat; taking $A := I^0 \wedge T^0$ and $B$ the remaining conjuncts, the interpolant $I_1$ (a formula over $V^1$) over-approximates the states reachable in one step.
2 $I_1^0 \wedge T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k$ is unsat; its interpolant gives $I_2$.
3 ... until fixpoint.
If the formula is sat with the abstract initial states $I_j^0$, the counterexample may be spurious (since $I_j$ over-approximates), so $k$ is increased.
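A worked instance of the interpolant definition, added here and not part of the slides (the formulas are constructed for illustration):
$$A := p \wedge (p \to q), \qquad B := (q \to r) \wedge \neg r .$$
$A \wedge B$ is unsatisfiable, and $\mathit{Itp} := q$ is an interpolant: $A \to q$ is valid (from $p$ and $p \to q$), $q \wedge B$ is unsatisfiable ($q$ and $q \to r$ give $r$, contradicting $\neg r$), and $q$ is the only variable shared by $A$ and $B$. In the model-checking use above, $A = I^0 \wedge T^0$ and $B = T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k$ share exactly the copy $V^1$, so the interpolant is a formula over $V^1$ that contains every state reachable in one step from $I$ and excludes every state from which $\phi$ is reachable in $k-1$ further steps.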
K-induction
K-induction proves that, if a set of states is not reachable in $k$ steps and the inductive step holds, then it is not reachable at all.
It consists of a base step (bounded reachability problem) and an inductive step.
Two ways:
check if the initial states cannot reach new states in $k+1$ steps (no simple path of length $k+1$ from the initial states);
check if the target set of states cannot be reached in $k+1$ steps (no simple path of length $k+1$ ending in the target).
Solved by means of satisfiability.
$\mathit{kind}^{fw}_k := I^0 \wedge T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \bigwedge_{0 \le i < j \le k} V^i \neq V^j$
$\mathit{kind}^{bw}_{k,\phi} := T^0 \wedge T^1 \wedge \ldots \wedge T^{k-1} \wedge \phi^k \wedge \bigwedge_{0 \le i < j \le k} V^i \neq V^j$
If, for all $i \le k$, $\mathit{BMC}_{i,\phi}$ is unsat and either $\mathit{kind}^{fw}_{k+1}$ or $\mathit{kind}^{bw}_{k+1,\phi}$ is unsat as well, then $\phi$ is not reachable in $S$.
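The BMC unrolling of slide 14 and the k-induction check above, run end to end on a small system. This is an added example, not code from the slides or from FBK's tools: the SAT/SMT query is stood in for by exhaustive enumeration over the $k+1$ replicated copies (enough for a 6-state toy and solver-free), and the transition system, the names `sat`, `bmc`, `kind_fw`, `kind_bw`, `k_induction`, and the states themselves are constructed for illustration.

```python
"""BMC and k-induction on a small finite transition system.

Added example (not from the slides). The SAT/SMT query of the slides is
stood in for by exhaustive enumeration over the k+1 replicated copies
V^0, ..., V^k, which is fine for a 6-state toy and needs no solver.
The transition system below is constructed for illustration only.
"""
from itertools import product

# Constructed toy: one state variable c in {0,...,5}.
# Reachable part: 0 -> 1 -> 2 -> 0.  Unreachable part: 5 -> 4 -> 3 -> 3.
STATES = range(6)
TRANS = {(0, 1), (1, 2), (2, 0), (3, 3), (4, 3), (5, 4)}


def init(c):                      # I(V)
    return c == 0


def trans(c, c_next):             # T(V, V')
    return (c, c_next) in TRANS


def sat(n_copies, clauses):
    """Stand-in for the SAT call: return the first assignment to the copies
    V^0..V^{n_copies-1} (a tuple of states) satisfying every clause, or None.
    Each clause is a predicate over the whole tuple of copies."""
    for path in product(STATES, repeat=n_copies):
        if all(clause(path) for clause in clauses):
            return path
    return None


def unrolled_trans(k):
    """T^0 ∧ T^1 ∧ ... ∧ T^{k-1}, i.e. T(V^i, V^{i+1}) for 0 <= i < k."""
    return [lambda p, i=i: trans(p[i], p[i + 1]) for i in range(k)]


def simple_path(k):
    """⋀_{0 <= i < j <= k} V^i != V^j: the path visits no state twice."""
    return [lambda p, i=i, j=j: p[i] != p[j]
            for i in range(k + 1) for j in range(i + 1, k + 1)]


def bmc(phi, k):
    """BMC_{k,phi}: I^0 ∧ T^0 ∧ ... ∧ T^{k-1} ∧ phi^k.  A satisfying path
    is a concrete counterexample of length k."""
    return sat(k + 1, [lambda p: init(p[0])] + unrolled_trans(k)
               + [lambda p: phi(p[k])])


def kind_fw(k):
    """kind^fw_k: a simple path of length k from an initial state."""
    return sat(k + 1, [lambda p: init(p[0])] + unrolled_trans(k) + simple_path(k))


def kind_bw(phi, k):
    """kind^bw_{k,phi}: a simple path of length k ending in phi."""
    return sat(k + 1, unrolled_trans(k) + [lambda p: phi(p[k])] + simple_path(k))


def k_induction(phi, max_k):
    """Incremental BMC (base step) plus the inductive step of the slides:
    once BMC_{i,phi} is unsat for all i <= k, phi is unreachable as soon as
    kind^fw_{k+1} or kind^bw_{k+1,phi} is unsat too."""
    for k in range(max_k + 1):
        cex = bmc(phi, k)
        if cex is not None:
            return ("cex", cex)
        if kind_fw(k + 1) is None or kind_bw(phi, k + 1) is None:
            return ("safe", k)
    return ("unknown", max_k)


if __name__ == "__main__":
    print(k_induction(lambda c: c == 3, 6))   # state 3 is unreachable
    print(k_induction(lambda c: c == 2, 6))   # state 2 is reached in 2 steps
```

For the target $c = 3$ the backward check stays satisfiable (the unreachable chain 5, 4, 3 is a simple path ending in 3), and it is the forward check that closes the proof at $k = 2$: every simple path from the initial state has length at most 2, so BMC up to 2 is exhaustive. Swapping enumeration for a real solver only changes `sat`.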
Predicate abstraction
Existential abstraction
Iα(V ) := ∃V (I (V ) ∧ Hα(V , V ))
Tα(V , V ′) := ∃V∃V ′(T (V ,V ′) ∧Hα(V , V ) ∧ Hα(V ′, V ′))
Predicate abstraction: abstract state-space is described with a set ofpredicates P.
Each predicate is represented by an abstract variable (VP = {vP}P∈P).
Abstract relation:HP(V ,VP) :=
∧P∈P vP ↔ P(V )
Quantifier elimination with ALL-SMT.
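The existential abstraction computed explicitly, as an added example that is not from the slides or from FBK's tools. On a finite toy system the ALL-SMT enumeration reduces to plain enumeration of concrete states and transitions through $H_{\mathcal{P}}$; the toy system, the two predicate sets and the function names (`alpha`, `abstract_init`, `abstract_trans`, `abstract_reachable`, `abstract_proves`) are constructed for illustration.

```python
"""Existential predicate abstraction computed explicitly.

Added example (not from the slides). On a finite toy system the ALL-SMT
enumeration of the slide reduces to plain enumeration: every concrete state
(pair) is mapped through H_P to its abstract state (pair), which yields
I_alpha and T_alpha as explicit sets.  Toy system and predicates are constructed.
"""
STATES = range(6)
TRANS = {(0, 1), (1, 2), (2, 0), (3, 3), (4, 3), (5, 4)}   # constructed toy relation


def init(c):                      # I(V)
    return c == 0


def trans(c, c_next):             # T(V, V')
    return (c, c_next) in TRANS


def alpha(preds, c):
    """H_P(V, V_P): the abstract variables v_P are the truth values of the
    predicates on the concrete state; an abstract state is their tuple."""
    return tuple(bool(p(c)) for p in preds)


def abstract_init(preds):
    """I_alpha(V_P) = exists V. I(V) and H_P(V, V_P), as an explicit set."""
    return {alpha(preds, c) for c in STATES if init(c)}


def abstract_trans(preds):
    """T_alpha(V_P, V_P') = exists V, V'. T(V, V') and H_P(V, V_P) and H_P(V', V_P')."""
    return {(alpha(preds, c), alpha(preds, c2))
            for c in STATES for c2 in STATES if trans(c, c2)}


def abstract_reachable(preds):
    """Forward fixpoint on the abstract system (cheap once it is explicit)."""
    reach, t_alpha = set(abstract_init(preds)), abstract_trans(preds)
    frontier = set(reach)
    while frontier:
        frontier = {b for (a, b) in t_alpha if a in frontier} - reach
        reach |= frontier
    return reach


def abstract_proves(preds, phi):
    """True iff no abstract state containing a concrete phi-state is reachable.
    A False answer only means the abstraction is too coarse (or phi is reachable)."""
    bad_abstract = {alpha(preds, c) for c in STATES if phi(c)}
    return not (abstract_reachable(preds) & bad_abstract)


COARSE = [lambda c: c % 2 == 0]                    # P = {even(c)}
REFINED = COARSE + [lambda c: c >= 3]              # P = {even(c), c >= 3}

if __name__ == "__main__":
    print(abstract_proves(COARSE, lambda c: c == 3))    # False: 1 and 3 share an abstract state
    print(abstract_proves(REFINED, lambda c: c == 3))   # True
```

With the single predicate $\mathrm{even}(c)$ the unreachable state 3 collapses into the same abstract state as the reachable state 1, so the abstraction cannot prove $c \neq 3$; adding $c \ge 3$ separates them. The cost that the slides warn about is visible in `abstract_trans`: it enumerates all concrete transition pairs, which is exactly what ALL-SMT has to do symbolically.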
CEGAR loop
(Figure: the transition system is fed to Abstraction, then to Model Checking; the result is either "No violations" or a counter-example $\pi$, which goes to Simulation; Simulation reports either a real bug or a spurious counter-example, in which case Refinement produces a new abstraction and the loop restarts.)
Outline
1 Verification modulo theory
2 VMT techniques
3 VMT techniques with implicit predicate abstraction
4 Conclusions
General idea
Key idea
Encode the abstract path in terms of concrete variables.
(Figure: concrete transitions $T$ alternating with $EQ$ gaps.)
An abstract path encoding represents a sequence of disconnected transitions where every gap lies in the same abstract state.
Equivalence induced by abstraction: $s, \bar s \models EQ_\alpha$ iff the two concrete states correspond to the same abstract one.
In the case of predicate abstraction:
$EQ_{\mathcal{P}}(V, \bar V) := \exists V_{\mathcal{P}}\,\big(\bigwedge_{P \in \mathcal{P}} (v_P \leftrightarrow P(V)) \wedge \bigwedge_{P \in \mathcal{P}} (v_P \leftrightarrow P(\bar V))\big) \equiv \bigwedge_{P \in \mathcal{P}} P(V) \leftrightarrow P(\bar V)$
Abstract encodings
We use $EQ_\alpha$ to provide abstract versions of the formulas used for BMC and k-induction.
Abstract path:
$\mathit{PATH}_{\alpha,k} := \bigwedge_{1 \le h < k} \big(T(V_{h-1}, \bar V_h) \wedge EQ_\alpha(\bar V_h, V_h)\big) \wedge T(V_{k-1}, \bar V_k)$
The encoding represents a sequence of disconnected transitions where every gap lies in the same abstract state.
(Figure: concrete transitions $T$ alternating with $EQ$ gaps, as on the previous slide.)
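Abstract BMC encoded over concrete variables, with the CEGAR simulation step of slide 19 checking each abstract counterexample, as an added example covering slides 19, 21 and 22. It is not code from the slides or from FBK's tools. The copies are laid out as $V_0, \bar V_0, V_1, \bar V_1, \ldots$, and $EQ_{\mathcal{P}}$ is used in place of the two copies of $H$ (slide 21 states the equivalence); SAT is stood in for by enumeration over a constructed 6-state toy. The abstract simple-path constraint used for the inductive step ($\neg EQ_{\mathcal{P}}$ between the $V_i$ copies) is my own lifting of the concrete $V^i \neq V^j$ constraint, not something spelled out in this excerpt; all names and predicates are constructed.

```python
"""Implicit predicate abstraction: abstract BMC and k-induction encoded over
concrete variables, plus the CEGAR simulation check.

Added example (not from the slides).  The copies are laid out as
V_0, Vbar_0, V_1, Vbar_1, ..., V_k, Vbar_k (V_h at index 2h, Vbar_h at 2h+1);
the pair H(V_h, Vhat_h) ∧ H(Vbar_h, Vhat_h) of the expanded abstract BMC is
replaced by EQ_P(V_h, Vbar_h), which the slides show to be equivalent.  SAT is
stood in for by enumeration over a constructed 6-state toy.  The abstract
simple-path constraint (¬EQ_P between the V_i copies) is my lifting of the
concrete V^i != V^j constraint, not something spelled out in this excerpt.
"""
from itertools import product

STATES = range(6)
TRANS = {(0, 1), (1, 2), (2, 0), (3, 3), (4, 3), (5, 4)}   # constructed toy relation


def init(c):
    return c == 0


def trans(c, c_next):
    return (c, c_next) in TRANS


def eq(preds, c, c_bar):
    """EQ_P(V, Vbar) = ⋀_{P in P} P(V) <-> P(Vbar)."""
    return all(bool(p(c)) == bool(p(c_bar)) for p in preds)


def sat(n_copies, clauses):
    """Stand-in for the SAT call: first tuple of copies satisfying all clauses."""
    for path in product(STATES, repeat=n_copies):
        if all(clause(path) for clause in clauses):
            return path
    return None


def abstract_path(preds, k):
    """I(V_0) ∧ EQ(V_0,Vbar_0) ∧ T(Vbar_0,V_1) ∧ EQ(V_1,Vbar_1) ∧ ...
    ∧ T(Vbar_{k-1},V_k) ∧ EQ(V_k,Vbar_k): k concrete transitions whose gaps
    stay inside one abstract state."""
    clauses = [lambda p: init(p[0])]
    for h in range(k + 1):
        clauses.append(lambda p, h=h: eq(preds, p[2 * h], p[2 * h + 1]))
        if h < k:
            clauses.append(lambda p, h=h: trans(p[2 * h + 1], p[2 * h + 2]))
    return clauses


def abstract_bmc(preds, phi, k):
    """BMC of the abstract system: phi must hold in the last copy Vbar_k."""
    return sat(2 * (k + 1), abstract_path(preds, k) + [lambda p: phi(p[2 * k + 1])])


def abstract_kind_fw(preds, k):
    """Forward inductive step on the abstract system: a path of k abstract
    transitions visiting k+1 pairwise different abstract states (assumed lifting)."""
    distinct = [lambda p, i=i, j=j: not eq(preds, p[2 * i], p[2 * j])
                for i in range(k + 1) for j in range(i + 1, k + 1)]
    return sat(2 * (k + 1), abstract_path(preds, k) + distinct)


def simulate(preds, phi, abstract_cex):
    """CEGAR simulation: is there a concrete path through the same abstract
    states as the abstract counterexample?  None means it is spurious."""
    k = len(abstract_cex) // 2 - 1
    clauses = [lambda p: init(p[0]), lambda p: phi(p[k])]
    clauses += [lambda p, i=i: trans(p[i], p[i + 1]) for i in range(k)]
    clauses += [lambda p, h=h: eq(preds, p[h], abstract_cex[2 * h]) for h in range(k + 1)]
    return sat(k + 1, clauses)


def verify(preds, phi, max_k):
    """Abstract BMC + inductive step with the given predicates, checking every
    abstract counterexample against the concrete system."""
    for k in range(max_k + 1):
        cex = abstract_bmc(preds, phi, k)
        if cex is not None:
            concrete = simulate(preds, phi, cex)
            return ("bug", concrete) if concrete is not None else ("spurious", cex)
        if abstract_kind_fw(preds, k + 1) is None:
            return ("safe", k)
    return ("unknown", max_k)


COARSE = [lambda c: c % 2 == 0]
REFINED = COARSE + [lambda c: c >= 3]

if __name__ == "__main__":
    bad = lambda c: c == 3
    print(verify(COARSE, bad, 3))    # ('spurious', (0, 0, 1, 3)): 1 and 3 look alike
    print(verify(REFINED, bad, 3))   # ('safe', 1)
```

Nothing here ever builds $I_\alpha$ or $T_\alpha$: the abstraction lives only in the $EQ$ gaps between $V_h$ and $\bar V_h$. With the coarse predicate set the abstract path $0 \to 1$ followed by the gap $1 \sim 3$ reaches the target; simulation fails to find a concrete transition $0 \to 3$, so the counterexample is spurious and the predicates need refining. With $\{\mathrm{even}(c), c \ge 3\}$ no abstract path of length up to 2 reaches 3 and the (assumed) abstract simple-path check closes the proof; the same predicates do not separate 0 from 2, so for the target $c = 2$ a spurious counterexample of length 0 appears until a predicate such as $c \ge 2$ is added.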
Path encoding
Rationale
Embed the definition of the abstraction in the encoding of BMC and k-induction.
Consider the BMC encoding of the abstract system:
$I_\alpha(\hat V_0) \wedge T_\alpha(\hat V_0, \hat V_1) \wedge \cdots \wedge T_\alpha(\hat V_{k-1}, \hat V_k) \wedge \phi_\alpha(\hat V_k)$
If we substitute $I_\alpha$, $T_\alpha$, and $\phi_\alpha$ with their definitions (each existential quantifier contributes fresh concrete copies $V_h$ and $\bar V_h$), we obtain:
$I(V_0) \wedge H_\alpha(V_0, \hat V_0) \wedge H_\alpha(\bar V_0, \hat V_0) \wedge T(\bar V_0, V_1) \wedge H_\alpha(V_1, \hat V_1) \wedge \cdots \wedge H_\alpha(\bar V_{k-1}, \hat V_{k-1}) \wedge T(\bar V_{k-1}, V_k) \wedge H_\alpha(V_k, \hat V_k) \wedge H_\alpha(\bar V_k, \hat V_k) \wedge \phi(\bar V_k)$
Note that the scope of the abstract variables $\hat V_i$ is limited to two copies of the abstraction relation.