Lazy Satisfiability Modulo Theories
Journal on Satisfiability, Boolean Modeling and Computation 3 (2007) 141–224
, 2007
Cited by 189 (50 self)
Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a first-order formula with respect to some decidable first-order theory T (SMT(T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingly important due to its applications in many domains in different communities, in particular in formal verification. A number of papers with novel and very efficient techniques for SMT have been published in the last years, and some very efficient SMT tools are now available. Typical SMT(T) problems require testing the satisfiability of formulas which are Boolean combinations of atomic propositions and atomic expressions in T, so that heavy Boolean reasoning must be efficiently combined with expressive theory-specific reasoning. The dominating approach to SMT(T), called the lazy approach, is based on the integration of a SAT solver and of a decision procedure able to handle sets of atomic constraints in T (T-solver), handling respectively the Boolean and the theory-specific components of reasoning. Unfortunately, neither the problem of building an efficient SMT solver, nor even that
Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions
, 2002
Cited by 154 (42 self)
In this paper, we present the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). CLU generalizes the logic of equality with uninterpreted functions (EUF) with constrained lambda expressions, ordering, and successor and predecessor functions. In addition to modeling pipelined processors, for which EUF has proved useful, CLU can be used to model many infinite-state systems, including those with infinite memories, finite and infinite queues including lossy channels, and networks of identical processes. Even with this richer expressive power, the validity of a CLU formula can be efficiently decided by translating it to a propositional formula, and then using Boolean methods to check validity. We give theoretical and empirical evidence for the efficiency of our decision procedure. We also describe verification techniques that we have used on a variety of systems, including an out-of-order execution unit and the load-store unit of an industrial microprocessor.
Lazy theorem proving for bounded model checking over infinite domains
, 2002
Cited by 91 (11 self)
Abstract. We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula φ with domain-specific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification φ. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL-level descriptions, and investigate the lazy integration of SAT solving and theorem proving.
1 Introduction. Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finite-state systems but also to certain infinite-state systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a Boolean representation of state sets using binary decision diagrams (BDDs) [4] as a way of checking temporal properties, whereas explicit-state model checkers enumerate the set of reachable states of the system.
A Symbolic Approach to Predicate Abstraction
Computer-Aided Verification (CAV 2003), LNCS 2725
, 2003
Cited by 62 (12 self)
Predicate abstraction is a useful form of abstraction for the verification of transition systems with large or infinite state spaces. One of the main bottlenecks of this approach is the extremely large number of decision procedure calls that are required to construct the abstract state space. In this paper we propose the use of a symbolic decision procedure and its application to predicate abstraction. The advantage of the approach is that it reduces the number of calls to the decision procedure exponentially and also provides for reducing the recomputations inherent in the current approaches. We provide two implementations of the symbolic decision procedure: one based on BDDs, which leverages the current advances in early quantification algorithms, and the other based on SAT solvers. We also demonstrate our approach with quantified predicates for verifying parameterized systems. We illustrate the effectiveness of this approach on benchmarks from the verification of microprocessors, communication protocols, parameterized systems, and Microsoft Windows device drivers.
Deciding Equality Formulas by Small Domains Instantiations
Computer-Aided Verification
, 1999
Cited by 55 (8 self)
We introduce an efficient decision procedure for the theory of equality based on finite instantiations. When using the finite instantiations method, it is a common practice to take a range of [1..n] (where n is the number of input non-Boolean variables) as the range for all non-Boolean variables, resulting in a state space of n^n. Although various attempts to minimize this range were made, typically they either required various restrictions on the investigated formulas or were not very effective. In many cases, the n^n state space cannot be handled by BDD-based tools within a reasonable amount of time. In this paper we show that significantly smaller domains can be algorithmically found, by analyzing the structure of the formula. We also show an upper bound for the state space based on this analysis. This method enabled us to verify formulas containing hundreds of integer and floating point variables. Keywords: Finite Instantiation, equality logic, uninterpreted functio...
Modeling and Verification of Out-of-Order Microprocessors in UCLID
, 2002
Cited by 54 (14 self)
In this paper, we describe the modeling and verification of out-of-order microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifier-free fragment of first-order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an out-of-order processor where all the invariants were proved automatically.
Formal Verification of Superscalar Microprocessors with Multicycle Functional Units, Exceptions, and Branch Prediction
, 2000
Cited by 51 (19 self)
We extend the Burch and Dill flushing technique [9] for formal verification of high-level microprocessors, based on the logic of Equality with Uninterpreted Functions and Memories (EUFM), to be applicable in an automatic fashion to designs where the functional units and memories have multicycle and possibly arbitrary latency. We also show ways to incorporate exceptions and branch prediction by effectively exploiting the properties of Positive Equality [5][6]. We study the modeling of the above features in different versions of dual-issue superscalar microprocessors. Keywords: formal verification, microprocessor verification, uninterpreted functions, logic of equality.
1 Introduction. In order for formal methods to scale for verification of modern microprocessors, they need to be applicable easily and with a high degree of automation to designs with multicycle functional units, multicycle memories, exceptions, and branch prediction. Burch and Dill's verification methodology has...
Lemmas on Demand for Satisfiability Solvers
, 2002
Cited by 42 (5 self)
We investigate the combination of propositional SAT checkers with constraint solvers for domain-specific theories such as linear arithmetic, arrays, lists, and the combination thereof. Our procedure realizes a lazy approach to satisfiability checking of propositional constraint formulas by iteratively refining Boolean formulas based on lemmas generated on demand by constraint solvers.
Boolean Satisfiability with Transitivity Constraints
ACM Transactions on Computational Logic (TOCL)
, 2000
Cited by 42 (13 self)
We consider a variant of the Boolean satisfiability problem where a subset E of the propositional variables appearing in formula $F_{sat}$ encode a symmetric, transitive, binary relation over N elements. Each of these relational variables, $e_{i,j}$ for $1 \le i < j \le N$, expresses whether or not the relation holds between elements i and j. The task is to either find a satisfying assignment to $F_{sat}$ that also satisfies all transitivity constraints over the relational variables (e.g., $e_{1,2} \wedge e_{2,3} \Rightarrow e_{1,3}$), or to prove that no such assignment exists. Solving this satisfiability problem is the final and most difficult step in our decision procedure for a logic of equality with uninterpreted functions. This procedure forms the core of our tool for verifying pipelined microprocessors. To use a conventional Boolean satisfiability checker, we augment the set of clauses expressing $F_{sat}$ with clauses expressing the transitivity constraints. We consider methods to reduce the number of such cla...
Correctness of Pipelined Machines
Formal Methods in Computer-Aided Design (FMCAD 2000), volume 1954 of LNCS
Cited by 32 (13 self)
The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are flawed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briefly, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (Micro-Architecture) machines have the same observable infinite paths, up to stuttering. This implies that the two machines satisfy the same CTL*\X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...