SAT-Based Model Checking

Modern satisfiability (SAT) solvers have become the enabling technology of many model checkers. In this chapter, we will focus on those techniques most relevant to industrial practice. In bounded model checking (BMC), a transition system and a property are jointly unwound for a given number \(k\) of steps to obtain a formula that is satisfiable if there is a counterexample for the property up to length \(k\). The formula is then passed to an efficient SAT solver. The strength of BMC is refutation: BMC has been used to discover subtle flaws in digital systems. We cover the application of BMC to both hardware and software systems, and to hardware/software co-verification. We also discuss means to make BMC complete, including \(k\)-induction, Craig interpolation, abstraction refinement techniques, and inductive techniques with iterative strengthening.
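The unwinding and the \(k\)-induction step described above, as an added example that is not code from the chapter: a constructed 3-bit next-state table stands in for the transition system, a minimal DPLL routine stands in for an industrial SAT solver, and every name here (`NEXT`, `BUGGY`, `forbid`, `unroll`, `bmc`, `k_induction`) is an assumption of this example.

```python
NBITS, STATES = 3, range(8)                       # constructed 3-bit toy: states 0..7

def dpll(clauses, model=None):
    """Minimal DPLL solver; clauses are lists of DIMACS-style ints. Returns {var: bool} or None."""
    model = dict(model or {})
    while True:                                   # unit propagation
        unit, open_clauses = None, []
        for c in clauses:
            if any(model.get(abs(lit)) == (lit > 0) for lit in c):
                continue                          # clause already satisfied
            rest = [lit for lit in c if abs(lit) not in model]
            if not rest:
                return None                       # conflict: clause falsified
            if len(rest) == 1:
                unit = rest[0]
            open_clauses.append(rest)
        if not open_clauses:
            return model                          # every clause satisfied
        if unit is None:
            break
        clauses, model[abs(unit)] = open_clauses, unit > 0
    branch = abs(open_clauses[0][0])              # decide on the first open variable
    return (dpll(open_clauses, {**model, branch: True})
            or dpll(open_clauses, {**model, branch: False}))
def forbid(*timed_states):
    """One clause ruling out 'state at step i is s' for all (i, s) at once; bit b of step i is var i*NBITS+b+1."""
    return [-(i * NBITS + b + 1) if s >> b & 1 else i * NBITS + b + 1
            for i, s in timed_states for b in range(NBITS)]
def unroll(nxt, k):
    """CNF for T(s_0,s_1) ∧ ... ∧ T(s_{k-1},s_k), with T given as a deterministic next-state table."""
    return [forbid((i, s), (i + 1, t)) for i in range(k) for s in STATES for t in STATES if nxt[s] != t]

def bmc(init, nxt, bad, max_k):
    """Solve I(s_0) ∧ T^k ∧ Bad(s_k) for k = 0..max_k; return (k, trace) of the first counterexample or None."""
    for k in range(max_k + 1):
        clauses = [forbid((0, s)) for s in STATES if s != init] + unroll(nxt, k)
        clauses += [forbid((k, s)) for s in STATES if not bad(s)]
        model = dpll(clauses)
        if model is not None:                     # decode the assignment into a state sequence
            return k, [sum(model.get(i * NBITS + b + 1, False) << b for b in range(NBITS)) for i in range(k + 1)]
    return None
def k_induction(nxt, bad, max_k):
    """Inductive step (bmc gives the base case): smallest k with ¬Bad(s_0..s_{k-1}) ∧ T^k ∧ Bad(s_k) unsat."""
    for k in range(1, max_k + 1):
        clauses = [forbid((i, s)) for i in range(k) for s in STATES if bad(s)]
        clauses += unroll(nxt, k) + [forbid((k, s)) for s in STATES if not bad(s)]
        if dpll(clauses) is None:
            return k
    return None

# Toy: from 0 only {0,1,2} are reachable and 7 is bad. The unreachable edge 6 -> 7
# defeats 1-induction, but nothing leads to 6, so "never 7" is 2-inductive.
NEXT = {0: 1, 1: 2, 2: 2, 3: 0, 4: 4, 5: 4, 6: 7, 7: 7}
BUGGY = {**NEXT, 2: 6}                            # same table with 2 -> 2 rewired to 2 -> 6
def bad(s): return s == 7
```

On `BUGGY`, `bmc` refutes the property with the trace 0, 1, 2, 6, 7 at bound 4; on `NEXT` it finds nothing up to the bound, and `k_induction` closes the proof at k = 2, where 1-induction alone would be inconclusive.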
