Verification of Software and Hardware using Quantified Boolean Formulas (QBF)

Many problems in the formal verification of digital hardware circuits and other finite-state systems are naturally expressed in the language of quantified Boolean formulas (QBF). The first two parts of this thesis proposal present techniques that advance the state of the art in solving such QBF problems, thereby enabling the verification of more complex hardware designs. The third part proposes a new technique for software verification using a solver for QBF with free variables.

Traditionally, QBF solvers have required that their input formulas be transformed into a special form known as prenex CNF. Although prenex CNF has the benefit of being simple, it is now recognized that transformation to this form can be detrimental to advanced solvers because it obscures features of the input formula that could be useful to the solver. We present two contributions to the development of non-prenex, non-CNF solvers. First, we reformulate clause/cube learning, an important technique in prenex solvers, and extend it to non-prenex instances. Second, we introduce a propagation technique using ghost literals that exploits the structure of a non-CNF instance in a manner that is symmetric between the universal and existential variables.

The second part of this thesis proposal discusses an approach to QBF using Counterexample-Guided Abstraction Refinement (CEGAR). The approach recursively solves QBF instances with multiple quantifier alternations. Experimental results show that the CEGAR-based solver outperforms existing types of solvers on many publicly available benchmark families. In addition, we present a method of combining the CEGAR technique with DPLL-based solvers and show that it improves the DPLL solver on many instances.

The third part of this thesis proposal presents a method for automatically inferring universally quantified loop invariants for programs with dynamically allocated heap data structures. Our technique works by computing an overapproximation of the set of reachable states via a fixed-point procedure. We target a small dynamically typed intermediate language. Sets of states are described by formulas in a fragment of first-order logic augmented with transitive closure; the fragment includes equality, uninterpreted functions, and total order. We introduce an abstraction function that summarizes the heap memory, returning a formula of bounded size. Summarization of memory locations is based, in part, on how they can be reached from the program variables. The inferred invariants can be used to verify the absence of failed assertions and other run-time errors.
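The CEGAR approach to QBF described above is easiest to see on its base case, a two-level formula of the form "exists X, for all Y, phi(X, Y)" with phi in CNF. The following Python is an added illustration, not code from the thesis or its solver: the existential player proposes a candidate X from an abstraction of phi (phi restricted to the universal assignments seen so far), the universal player searches for an assignment to Y that falsifies phi under that candidate, and each such counterexample is added to the abstraction so that the same candidate can never be proposed again. The `brute_force_sat` oracle, the DIMACS-style integer literals and the sample formulas in `main` are all constructed for this example; a real solver would call a SAT solver at the same two points and would recurse for deeper quantifier prefixes.

```python
"""CEGAR for 2QBF: decide  exists X . forall Y . phi(X, Y)  with phi in CNF.

Constructed example (not the thesis's own code). Literals are DIMACS-style
ints: variable v is `v`, its negation is `-v`; a clause is a list of ints.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

Clause = List[int]
CNF = List[Clause]
Assignment = Dict[int, bool]


def lit_value(lit: int, assignment: Assignment) -> Optional[bool]:
    """Value of a literal under a (possibly partial) assignment, None if unassigned."""
    val = assignment.get(abs(lit))
    if val is None:
        return None
    return val if lit > 0 else not val


def substitute(cnf: CNF, assignment: Assignment) -> Optional[CNF]:
    """Apply a partial assignment: drop satisfied clauses, delete false literals.
    Returns None if some clause became empty, i.e. the CNF is already falsified."""
    result: CNF = []
    for clause in cnf:
        reduced: Clause = []
        satisfied = False
        for lit in clause:
            v = lit_value(lit, assignment)
            if v is True:
                satisfied = True
                break
            if v is None:
                reduced.append(lit)
        if satisfied:
            continue
        if not reduced:
            return None
        result.append(reduced)
    return result


def brute_force_sat(cnf: CNF, variables: List[int]) -> Optional[Assignment]:
    """Toy SAT oracle standing in for a real solver: enumerate all assignments."""
    for bits in product([False, True], repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if substitute(cnf, assignment) == []:  # every clause satisfied
            return assignment
    return None


def falsifying_assignment(cnf: CNF, variables: List[int]) -> Optional[Assignment]:
    """Universal player's move: an assignment to `variables` that falsifies the
    CNF, or None. A CNF is falsifiable iff some clause is, and a clause is
    falsifiable iff it has no complementary pair; set all its literals false."""
    for clause in cnf:
        if any(-lit in clause for lit in clause):
            continue  # tautological clause can never be falsified
        assignment = {v: False for v in variables}
        for lit in clause:
            assignment[abs(lit)] = lit < 0  # make the literal itself false
        return assignment
    return None


def solve_2qbf(cnf: CNF, x_vars: List[int], y_vars: List[int]
               ) -> Tuple[bool, Optional[Assignment], List[Assignment]]:
    """Returns (is_true, witness for X or None, counterexamples used)."""
    counterexamples: List[Assignment] = []
    while True:
        # Abstraction: phi must hold for every universal assignment seen so far.
        abstraction: CNF = []
        for y in counterexamples:
            reduced = substitute(cnf, y)
            if reduced is None:  # this y falsifies phi whatever X is
                return False, None, counterexamples
            abstraction.extend(reduced)
        candidate = brute_force_sat(abstraction, x_vars)
        if candidate is None:  # no X survives the collected counterexamples
            return False, None, counterexamples
        # Verification: can the universal player refute this candidate?
        reduced = substitute(cnf, candidate)
        if reduced is None:
            y: Optional[Assignment] = {v: False for v in y_vars}  # any Y refutes it
        else:
            y = falsifying_assignment(reduced, y_vars)
            if y is None:
                return True, candidate, counterexamples  # candidate works for all Y
        counterexamples.append(y)  # refine the abstraction and try again


def main() -> None:
    # Constructed sample: exists x1 forall y1. (x1 | y1) & (x1 | ~y1)   -> true, x1 = True
    print(solve_2qbf([[1, 2], [1, -2]], x_vars=[1], y_vars=[2]))
    # Constructed sample: exists x1 forall y1. (x1 | y1) & (~x1 | ~y1)  -> false
    print(solve_2qbf([[1, 2], [-1, -2]], x_vars=[1], y_vars=[2]))


if __name__ == "__main__":
    main()
```

The termination argument is visible in the loop: the counterexample `y` that refutes `candidate` makes `phi[Y:=y]` false under that candidate, so once it is in the abstraction the same candidate is never returned by the SAT oracle again, and there are finitely many candidates. Everything the abstraction throws away (clauses satisfied by a recorded `y`) is exactly the information the refinement step restores when a new `y` is added.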
