Motivation Approach Software Model Checking Evaluation Summary

Model Checking Using SMT and Theory of Lists
Aleksandar Milicevic (1), Hillel Kugler (2)
(1) Massachusetts Institute of Technology, Cambridge, MA
(2) Microsoft Research, Cambridge, UK
Third NASA Formal Methods Symposium, April 18, 2011
Model Checking Using SMT and Theory of Lists, Milicevic, Kugler, slide 1
Solving Planning Problems

Rush Hour puzzle. Goal: drive the red car out of the jam.
- solve using a satisfiability solver
- problem: the number of necessary steps is not known
Software Model Checking without Loop Unrolling

Selection Sort algorithm. Goal: verify for all int arrays of size up to N.

    void selectSort(int[] a, int N) {
        for (int j = 0; j < N - 1; j++) {
            int min = j;
            // find the index of the smallest element in a[j..N-1]
            for (int i = j + 1; i < N; i++)
                if (a[min] > a[i]) min = i;
            // swap it into position j
            int t = a[j];
            a[j] = a[min];
            a[min] = t;
        }
        // postcondition: the array is sorted in non-decreasing order
        for (int j = 0; j < N - 1; j++)
            assert a[j] <= a[j + 1];
    }

- verify using model checking with satisfiability solving
- problem: the number of necessary loop unrollings is not known
- moreover, the number of loop unrollings is not independent of N
Use Lists to Model State Transitions

[Figure: the variable "states" points to a chain of cons cells, each with a head (a state) and a tail (the rest of the list), ending in nil.]

- The length of the list is not explicitly bounded.
- Specify what the list should look like, not how long it should be.
- To solve the Rush Hour puzzle: use a list to model a sequence of car movements; the number of steps does not have to be specified.
- To solve a software model-checking problem: use a list to model a program trace; the number of loop unrollings does not have to be specified.
Background: Bounded Model Checking

[Figure: a chain of k states s_1 → s_2 → ... → s_k, with θ attached to s_1, ρ attached to each pair of consecutive states, P attached to s_1 ... s_{k-1}, and ¬P attached to s_k.]

Initial state constraint: θ(s_1)
Transition constraint: ρ(s_1, s_2) ∧ ρ(s_2, s_3) ∧ ··· ∧ ρ(s_{k-1}, s_k)
Safety property constraint: P(s_1) ∧ P(s_2) ∧ ··· ∧ P(s_{k-1}) ∧ ¬P(s_k)
Translation to SMT

[Figure: the "states" list as a chain of cons cells (head, tail) ending in nil.]

Available operations:
- is_nil(lst)
- is_cons(lst)
- head(lst)
- tail(lst)

    tupletype State = [v1: INT, v2: INT, ...]
    datatype StateList = nil | cons(head: State, tail: StateList)
    def states: StateList
    def check_tr: StateList → bool
    assert forall lst: StateList
      if (is_cons(lst) and is_cons(tail(lst))) then
        ρ(head(lst), head(tail(lst))) and
        check_tr(tail(lst)) and
        if (not P(tail(lst))) then is_nil(tail(tail(lst)))
        else is_cons(tail(tail(lst)))
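The two slides above (the bounded model checking constraints θ, ρ, P and their list-based encoding) can be written out as one concrete SMT-LIB 2.6 script. This is an added example, not a script from the paper or its authors: the transition system is a constructed toy (a single integer counter that starts at 0, increments by 1 on every step, and has the safety property "never reaches 3"), the names theta, rho, P, check-tr, mk-state and x are my own, and the script assumes a solver that supports recursive function definitions via define-fun-rec (Z3 does). Where the slide writes P(tail(lst)), this example reads it as P applied to the head of the tail, i.e. to the second state of the pair, which is what the BMC formula on the previous slide requires. Note that no trace length k appears anywhere; the solver has to discover it.

```smt2
(set-logic ALL)

; State is a tuple with a single integer field x (constructed example state).
(declare-datatype State ((mk-state (x Int))))

; StateList = nil | cons(head: State, tail: StateList), as on the slide.
(declare-datatype StateList ((nil) (cons (head State) (tail StateList))))

; theta: initial-state constraint (the counter starts at 0).
(define-fun theta ((s State)) Bool (= (x s) 0))

; rho: transition relation (the counter increments by exactly one).
(define-fun rho ((s State) (t State)) Bool (= (x t) (+ (x s) 1)))

; P: safety property (the counter never reaches 3). A satisfying trace
; is a counterexample, i.e. a path from theta to a state violating P.
(define-fun P ((s State)) Bool (not (= (x s) 3)))

; check-tr: the recursive trace constraint from the slide. For every pair
; of consecutive cells, the transition relation must hold between their
; heads, the rest of the list must satisfy check-tr too, and the list
; ends (tail of tail is nil) exactly when the second state violates P.
(define-fun-rec check-tr ((lst StateList)) Bool
  (ite (and ((_ is cons) lst) ((_ is cons) (tail lst)))
       (and (rho (head lst) (head (tail lst)))
            (check-tr (tail lst))
            (ite (not (P (head (tail lst))))
                 ((_ is nil) (tail (tail lst)))
                 ((_ is cons) (tail (tail lst)))))
       true))

(declare-const states StateList)
(assert ((_ is cons) states))          ; the trace is non-empty
(assert (theta (head states)))         ; initial-state constraint on s_1
(assert (P (head states)))             ; s_1 itself is safe
(assert ((_ is cons) (tail states)))   ; at least one transition is taken
(assert (check-tr states))             ; transition + safety constraints on the rest

(check-sat)
(get-value (states))
```

With these definitions the only satisfying assignment is the four-element list cons(mk-state 0, cons(mk-state 1, cons(mk-state 2, cons(mk-state 3, nil)))), the shortest counter run that reaches the unsafe value 3. Replacing the last assertion with (assert (not (check-tr states))) does not yield a proof of safety, only a different trace shape; the slide's encoding is a bug-finding (counterexample) encoding, just like the bounded model checking formula it mirrors, with the bound replaced by the list's unspecified length.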