Verifying safety properties of Lustre programs: An SMT-based approach

An important problem in hardware and software design is ensuring that a designed system is error-free. Even small errors in a computer system can have disastrous consequences for a project, sometimes costing large amounts of money to correct, or even leading to unexpected and catastrophic system failure. There are a number of steps one can take to eliminate as many errors as possible. We focus on a set of techniques known as formal methods, which are used in computer science to help ensure correct system behavior. In order to minimize the potential for human error and to reduce the time and expertise needed, we seek to use techniques that are highly automatable. We focus on one such approach, an inductive variation of model checking that can be used to formally verify the invariance of properties or to produce counterexamples. One class of systems of particular interest for verification is reactive systems: systems that continuously react to their environment in a timely manner. Reactive systems are pervasive in everyday life, ranging from simple thermostats to the controls of nuclear power plants. As a representative language for describing these systems, we look at an established specification and programming language, Lustre. We have developed a set of techniques based on inductive reasoning and Satisfiability Modulo Theories (SMT) that can automatically prove invariant properties of systems described in Lustre. These techniques involve the translation
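The inductive check the abstract refers to can be made concrete by unrolling a Lustre node into SMT-LIB 2 queries: a base case from the initial state and an inductive step from an arbitrary state. The following is an added example, not code from the paper; the `counter` node, the property `c >= 0` and the variable naming scheme `c_i`/`reset_i` are constructed here for illustration.

```python
"""Translate a small Lustre node into SMT-LIB 2 queries for k-induction.

Constructed example (not from the paper). The Lustre node assumed here is
    node counter(reset: bool) returns (c: int);
    let c = 0 -> if reset then 0 else pre c + 1; tel
with the safety property  c >= 0.  The state at step i is (reset_i, c_i).
"""


def declare(i):
    # Each Lustre stream becomes one SMT constant per unrolled step.
    return f"(declare-const reset_{i} Bool)\n(declare-const c_{i} Int)"


def init(i):
    # The left operand of `->` fixes the stream's value at the first step.
    return f"(assert (= c_{i} 0))"


def trans(i):
    # `pre c` at step i+1 is c at step i; Lustre `if` becomes SMT `ite`.
    return f"(assert (= c_{i+1} (ite reset_{i+1} 0 (+ c_{i} 1))))"


def prop(i):
    return f"(>= c_{i} 0)"


def conj(terms):
    # SMT-LIB `and` needs at least two arguments; avoid a one-element `and`.
    return terms[0] if len(terms) == 1 else f"(and {' '.join(terms)})"


def base_case_query(k):
    """Steps 0..k-1 reachable from the initial state; the property must
    hold at every one of them. For a true property the solver says unsat;
    sat yields a concrete counterexample trace."""
    lines = [declare(i) for i in range(k)] + [init(0)]
    lines += [trans(i) for i in range(k - 1)]
    lines.append(f"(assert (not {conj([prop(i) for i in range(k)])}))")
    return "\n".join(lines + ["(check-sat)"])


def inductive_step_query(k):
    """k consecutive steps from an arbitrary (not necessarily reachable)
    state, all satisfying the property: can step k violate it?
    unsat means the property is k-inductive; sat means k must grow or the
    property needs strengthening (a sat answer here is not a real bug)."""
    lines = [declare(i) for i in range(k + 1)]
    lines += [trans(i) for i in range(k)]
    lines += [f"(assert {prop(i)})" for i in range(k)]
    lines.append(f"(assert (not {prop(k)}))")
    return "\n".join(lines + ["(check-sat)"])
```

Feeding both queries to an SMT-LIB 2 solver and getting unsat for each proves `c >= 0` for every execution of the node; for this node k = 1 already suffices.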
