A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

Slides:



Advertisements
Similar presentations
Automatic verification of summations K. Rustan M. Leino IFIP WG 2.3 meeting 46 Sydney, Australia 11 January 2007.
Advertisements

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Advanced programming tools at Microsoft
Copyright © 2003 Pearson Education, Inc. Slide 1.
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CS4026 Formal Models of Computation Part II The Logic Model Lecture 1 – Programming in Logic.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
C++ Statements represent the lowest-level building blocks of a program and it may be like:. A simple statement is a computation terminated by a semicolon.
1 Programming Languages (CS 550) Mini Language Interpreter Jeremy R. Johnson.
Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars
Cs776 (Prasad)L4Poly1 Polymorphic Type System. cs776 (Prasad)L4Poly2 Goals Allow expression of “for all types T” fun I x = x I : ’a -> ’a Allow expression.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
CS 355 – Programming Languages
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Contracts, tools, verification K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Keynote, ASWEC 2010; Auckland, NZ;
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 1.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.
¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Describing Syntax and Semantics
Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson.
Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
CS 363 Comparative Programming Languages Semantics.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
Chapter 3 Part II Describing Syntax and Semantics.
1 / 48 Formal a Language Theory and Describing Semantics Principles of Programming Languages 4.
1.6. DEFINITIONS  An equation is a statement that two expressions are equal.  Usually contains 1 or more variables  A variable is a symbol that represents.
Specifying and verifying programs in Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Invited talk, PSI 2006 Novosibirsk, Russia 27 June 2006.
Semantics of Predicate Calculus For the propositional calculus, an interpretation was simply an assignment of truth values to the proposition letters of.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.
Weakest Precondition of Unstructured Programs
Propositional Calculus: Boolean Functions and Expressions
Selection (also known as Branching) Jumail Bin Taliba by
Reasoning About Code.
Reasoning about code CSE 331 University of Washington.
Propositional Calculus: Boolean Functions and Expressions
Syntax Questions 6. Define a left recursive grammar rule.
Over-Approximating Boolean Programs with Unbounded Thread Creation
Semantics In Text: Chapter 3.
Decisions, decisions, decisions
Predicate Abstraction
Presentation transcript:

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl, Germany

Motivation This program has performed an illegal operation. If the problem persists, please contact the vendor.

APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } The SLAM toolkit Tom Ball, Sriram Rajamani, et al., Microsoft Research Device driver (C program) Abstraction (boolean program) y := false; x := true; x := x y; assert x; Properties of interest: x resource is locked y t > 0 Predicate abstraction

APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } The SLAM toolkit Tom Ball, Sriram Rajamani, et al., Microsoft Research Device driver (C program) Abstraction (boolean program) y := false; x := true; x := x y; assert x; assert x

APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } The SLAM toolkit Tom Ball, Sriram Rajamani, et al., Microsoft Research Device driver (C program) Abstraction (boolean program) y := false; x := true; x := x y; assert x; assert x real error

APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } The SLAM toolkit Tom Ball, Sriram Rajamani, et al., Microsoft Research Device driver (C program) Abstraction (boolean program) y := false; x := true; x := x y; assert x; infeasible path

APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } APIERR DevGetStatus(LPSTATUS status) { unsigned int t; struct _Info info; for (i = 0; i result = t | 0x2055; return APIERR_Success; } APIERR W_GetStatus(struct _Info * pinfo) { APIERR err; bool fChanged = TRUE; do { err = DevRegisterColumn(pinfo, TRUE); if (err != APIERR_Success) { return err; } if (pinfo->huwMagi < 10) { fChanged = FALSE; } else { err = DevReleaseColumn(pinfo); } } while (fChanged); return DevReleaseColumn(pinfo); } The SLAM toolkit Tom Ball, Sriram Rajamani, et al., Microsoft Research Device driver (C program) Abstraction (boolean program) y := false; x := true; x := x y; assert x; Predicate abstraction Properties of interest: x resource is locked y t > 0 z p NULL z := true; if (z) … Predicate abstraction

Boolean programs Prog ::= var Id* ; Block* Prog ::= var Id* ; Block* Block ::= LabelId : Stmt* goto LabelId* Block ::= LabelId : Stmt* goto LabelId* Stmt ::=Id := Expr |assert Expr |assume Expr Stmt ::=Id := Expr |assert Expr |assume Expr Expr ::= false | true | Id | Expr |Expr Expr | Expr Expr Expr ::= false | true | Id | Expr |Expr Expr | Expr Expr

Example var x, y; A:x := true; goto B B:assert x; x := x y; goto B or C C: var x, y; A:x := true; goto B B:assert x; x := x y; goto B or C C: A:x := true B:assert x; x := x y C:

Semantics: Weakest preconditions For any statement S and postcondition Q, wp(S,Q) characterizes those pre-states from which execution is guaranteed: For any statement S and postcondition Q, wp(S,Q) characterizes those pre-states from which execution is guaranteed: not to go wrong, and not to go wrong, and either the execution doesnt terminate or it terminates in a state satisfying Q either the execution doesnt terminate or it terminates in a state satisfying Q S Q wp(S,Q)

Semantics: Weakest preconditions wp(x := E, Q) = Q[x:=E] wp(assert E, Q) = E Q wp(assume E, Q) = E Q wp(x := E, Q) = Q[x:=E] wp(assert E, Q) = E Q wp(assume E, Q) = E Q wp(skip, Q) = Q wp(S;T, Q) = wp(S, wp(T,Q)) wp(skip, Q) = Q wp(S;T, Q) = wp(S, wp(T,Q)) wp(goto labels, Q) = ( L labels :: wp(L,Q)) wp(goto labels, Q) = ( L labels :: wp(L,Q))

For any block: var w; … L: S; goto labels … introduce a boolean function L, such that: For any block: var w; … L: S; goto labels … introduce a boolean function L, such that: What I write: L(w) =wp(S, ( G labels :: G(w))) Semantics of blocks ( w ::L(w) =wp(S, ( G labels :: G(w))) ) L = (λw ::wp(S, ( G labels :: G(w))) ) What I really mean: or equivalently:

Example A(x,y) = wp(x := true, B(x,y)) B(x,y) = wp(assert x; x := x y, B(x,y) C(x,y)) C(x,y) = wp(skip, true) A(x,y) = wp(x := true, B(x,y)) B(x,y) = wp(assert x; x := x y, B(x,y) C(x,y)) C(x,y) = wp(skip, true) A:x := true B:assert x; x := x y C: A(x,y) = B(true,y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true A(x,y) = B(true,y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true

Equations with multiple solutions The unknowns Solution 0: A(x,y) = false B(x,y) = false C(x,y) = true Solution 1: A(x,y) = y B(x,y) = x y C(x,y) = true We want the weakest solution A, B, C :A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true

Weakest solution A,B,C :A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true

Weakest solution F(A,B,C)G(A,B,C)H(A,B,C) A,B,C :A = (λx,y :: B(true, y)) B = (λx,y :: x B(x y, y) C(x y, y)) C = (λx,y :: true)

F(A,B,C)G(A,B,C)H(A,B,C) A,B,C :A = F(A,B,C) B = G(A,B,C) C = H(A,B,C) where F = (λx,y :: B(true, y)) G = (λx,y :: x B(x y, y) C(x y, y)) H = (λx,y :: true) (λx,y :: x B(x y, y) C(x y, y)) (λx,y :: true) Weakest solution/fixpoint FGH Weakest solution of A,B,C (λx,y :: B(true, y)) Weakest fixpoint of F,G,H

Program correctness A program with variables w and start block A is correct iff: ( w :: A(w)) A program with variables w and start block A is correct iff: ( w :: A(w)) That is, the program has an error iff: A(w) is satisfiable. That is, the program has an error iff: A(w) is satisfiable. boolean equations, satisfiability functions, weakest solutions SAT

Equations over a closed set of terms Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true We produce: We produce: A(x,y) = B(true, y) A(x,y) = B(true, y) B(true, y) = true B(true y, y) C(true y, y) B(true, y) = true B(true y, y) C(true y, y) B(true y, y) = true y B(true y y, y) C(true y y, y) B(true y, y) = true y B(true y y, y) C(true y y, y) C(true y, y) = true C(true y, y) = true

Point functions A function: f(w) = f(false) f(w) can be expressed as two point functions : f false = f false f false f true = f false f true A function: f(w) = f(false) f(w) can be expressed as two point functions : f false = f false f false f true = f false f true

Point-function equations A set of equations: f :f(w) = f(false) f(w) can be expressed as: f false, f true :f false = f false f false f true = f false f true A set of equations: f :f(w) = f(false) f(w) can be expressed as: f false, f true :f false = f false f false f true = f false f true

A fixpoint theorem Given a function F on a complete lattice, if F is continuous, then its weakest fixpoint exists and is given by: F k ( T ) for some natural number k. Given a function F on a complete lattice, if F is continuous, then its weakest fixpoint exists and is given by: F k ( T ) for some natural number k. k is the fixpoint depth of F k is the fixpoint depth of F fixpoint depth lattice height fixpoint depth lattice height T F k ( T ) lattice height

Computing fixpoints: outward T { apply F } F(T) F(T) { apply F } F(F(T)) F(F(T)) { apply F } F(F(F(T))) F(F(F(T))) { apply F } F(F(F(F(T)))) F(F(F(F(T)))) equal to each otherweakest fixpoint of F Suppose fixpoint depth of F is 3 produced in previous step

Computing fixpoints: inward { replace with F( ) } F( ) F( ) { replace with F( ) } F(F( )) F(F( )) { replace with F( ) } F(F(F( ))) F(F(F( ))) { replace with T } F(F(F(T))) F(F(F(T))) weakest fixpoint of F no need for further applications of F Suppose fixpoint depth of F is 3 produced in previous step

Multiple unknowns a,b :a = F(a,b) b = G(a,b) a,b :a = F(a,b) b = G(a,b) Suppose fixpoint depths of F,G are 2,1 Suppose fixpoint depths of F,G are 2,1 Weakest solution for a is: Weakest solution for a is: a 00 a 00 F(a 10, b 10 ) F(a 10, b 10 ) F(F(a 20, b 20 ), G(a 11, b 11 )) F(F(a 20, b 20 ), G(a 11, b 11 )) F(F(T, G(a 21, b 21 )), G(F(a 21, b 21 ), T )) F(F(T, G(a 21, b 21 )), G(F(a 21, b 21 ), T )) F(F(T, G(T, T )), G(F(T, T ), T )) F(F(T, G(T, T )), G(F(T, T ), T )) Number of enclosing applications of G Number of enclosing applications of F

Special instance Lattice of booleans has height 1 Lattice of booleans has height 1 If F returns a boolean, then Fs fixpoint depth is at most 1 If F returns a boolean, then Fs fixpoint depth is at most 1 and so Fs weakest fixpoint is F(T) and so Fs weakest fixpoint is F(T)

Back to our problem Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true We produce: We produce: A x,y = B true,y A x,y = B true,y B true,y = true B true y,y C true y,y B true,y = true B true y,y C true y,y B y,y = y B y y,y C y y,y B y,y = y B y y,y C y y,y true

Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true Using the definitions: A(x,y) = B(true, y) B(x,y) = x B(x y, y) C(x y, y) C(x,y) = true We produce: We produce: A x,y = B true,y A x,y = B true,y B true,y = true B true y,y C true y,y B true,y = true B true y,y C true y,y B y,y = y true C y y,y B y,y = y true C y y,y C y,y = true C y,y = true Back to our problem

Leibniz constraints Being a function means, for any f: ( w,w :: (w=w) (f(w)=f(w))) Leibnizs rule Being a function means, for any f: ( w,w :: (w=w) (f(w)=f(w))) Leibnizs rule So when we have: B true,y = … B y,y = … we also generate the following Leibniz constraint : (true=y) (y=y) (B true,y = B y,y ) So when we have: B true,y = … B y,y = … we also generate the following Leibniz constraint : (true=y) (y=y) (B true,y = B y,y )

SAT formula From the closed set of terms: A x,y = B true,y B true,y = true B true y,y C true y,y B y,y = y true C y y,y C y,y = true From the closed set of terms: A x,y = B true,y B true,y = true B true y,y C true y,y B y,y = y true C y y,y C y,y = true we produce the following SAT equations: a a = b b = true b c b = y true c c = true y (b=b) Leibniz constraint negated start symbol: A(x,y) abbcabbc

Summary Boolean program, whose semantics is defined by weakest solution of weakest-precondition equations Boolean program, whose semantics is defined by weakest solution of weakest-precondition equations Translate to SAT problem: Translate to SAT problem: Instantiate equations to get a closed set of terms Instantiate equations to get a closed set of terms Replace nested recursive instantiations by true Replace nested recursive instantiations by true Conjoin negated start symbol and Leibniz constraints Conjoin negated start symbol and Leibniz constraints Write point functions as propositional variables Write point functions as propositional variables Check for satisfiability Check for satisfiability Performance? Heuristics? Performance? Heuristics? Are Leibniz constraints really needed? Are Leibniz constraints really needed? Better encoding of procedures? Better encoding of procedures?

Complexity With N blocks and K variables: With N blocks and K variables: each boolean function has K arguments, each a boolean expression each boolean function has K arguments, each a boolean expression there are 2 2 K different boolean expressions there are 2 2 K different boolean expressions So, there are N·2 K · 2 K different terms So, there are N·2 K · 2 K different terms Suppose each of the 2 K initial states were considered individually: Suppose each of the 2 K initial states were considered individually: each boolean-function argument can then be folded into one of the 2 boolean constants each boolean-function argument can then be folded into one of the 2 boolean constants Then, there are only 2 K ·N·2 K different terms Then, there are only 2 K ·N·2 K different terms E x p l i c i t - s t a t e c h e c k i n g : S y m b o l i c c h e c k i n g :

Symbolic vs. explicit-state checking The following equality (and others?) can be exploited heuristically to try to get a good balance: The following equality (and others?) can be exploited heuristically to try to get a good balance: f(P, Q, R) = (P f(true, Q, R)) ( P f(false, Q, R))

Summary Boolean program, whose semantics is defined by weakest solution of weakest-precondition equations Boolean program, whose semantics is defined by weakest solution of weakest-precondition equations Translate to SAT problem: Translate to SAT problem: Instantiate equations to get a closed set of terms Instantiate equations to get a closed set of terms Replace nested recursive instantiations by true Replace nested recursive instantiations by true Conjoin negated start symbol and Leibniz constraints Conjoin negated start symbol and Leibniz constraints Write point functions as propositional variables Write point functions as propositional variables Check for satisfiability Check for satisfiability Performance heuristics: symbolic vs. explicit-state Performance heuristics: symbolic vs. explicit-state Other heuristics? Other heuristics? Are Leibniz constraints really needed? Are Leibniz constraints really needed? Better encoding of procedures? Better encoding of procedures?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.