On bounded model checking, abstract interpretation, interpolants, and induction K. Rustan M. Leino Microsoft Research, Redmond, WA, USA IFIP WG 2.3, meeting Sep 2004 Prato, Italy

State transition system (I, T, R) where I—description of initial states T—total transition relation R—description of “good” states

Bounded model checking  Is ¬R reachable from I via a finite number of T steps?  BMC(I,T,R,k) = ¬R is reachable from I via at most k T steps

Relations  Id(σ,σ’) = σ=σ’  (R;S)(σ,σ’’) = ( σ’ R(σ,σ’)  S(σ’,σ’’))  R n = R;R;R;…;R  a predicate P can be used as a relation, with the meaning P(σ,σ’) = P(σ)  σ=σ’  R(σ’) = ( σ R(σ,σ’))  everywhere brackets on predicates: [P] = ( σ P(σ)) n times

Checking reachability Reach(I,T,F,k) = { returns (n | 0≤n≤k ¬[I;T n  ¬F]) } SAT(I(σ 0 )  ( i | 0≤i<k T(σ i, σ i+1 ))  ( i | 0≤i≤k F(σ i )) ) BMC(I,T,R,k) = Reach(I,T,¬R,k)

System diameter  The diameter of a system is the smallest number of steps that reaches all reachable states

Basic algorithm Main(I,T,R) = for k := 0 thru Diameter(I,T) do if Reach(I,T,¬R,k) then return Error end end; return Correct

Improved algorithm Main(I,T,R) = if SAT(I  ¬R) then return Error end; for k := 1 thru Diameter(I,T) do { (n | 0≤n<k [I;T n  R]) } case Check(I,T,R,k) of Correct:return Correct Error:return Error DontKnow:skip end end; return Correct

Procedure Check Check(I,T,R,k) = {requires 1≤k  (n | 0≤n<k [I;T n  R]); ensures Error  Reach(I,T,¬R,k); ensures Correct  (n | 0≤n [I;T n  R]); ensures DontKnow  (n | 0≤n≤k [I;T n  R]); } if Reach(I,T,¬R,k) then return Error else … return DontKnow end

System invariant Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) then return Error else loop { [I  J]  (n | 0≤n≤k [J;T n  R]) } var J’ := …; { [J  J’]  [J;T  J’] } if [J’  J] then { (n | 0≤n [I;T n  R]) } return Correct else if Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end

NextJ Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) then return Error else loop { [I  J]  (n | 0≤n≤k [J;T n  R]) } var J’ := NextJ(J,T,R,k); { [J  J’]  (n | 1≤n≤k [J;T n  J’]) } if [J’  J] then { (n | 0≤n [I;T n  R]) } return Correct else if Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end

Goal: Implement NextJ {1≤k  (n | 0≤n≤k [J;T n  R]) } J’ := NextJ(J,T,R,k) {[J  J’]  (n | 1≤n≤k [J;T n  J’]) }

NextJ: Widen [Cousot/Cousot 1977] NextJ(J,T,R,k) = var J’ := J  J;T ; { [J  J’]  [J;T  J’] } return J’

Interpolants [Craig 1957] For any formulas A and B such that [A  B], there exists an interpolant P such that  [A  P]  [P  B]  every free symbol in P is a free symbol in both A and B

NextJ: Interpolant [McMillan 2003] NextJ(J,T,R,k) = { (n | 0≤n≤k [J;T n  R]) } let σ 0,…,σ k be fresh symbols; let A =J(σ 0 )  T(σ 0,σ 1 ); let B =( i | 1≤i<k T(σ i,σ i+1 ))  ( i | 1≤i≤k R(σ i )); var P := Interpolant(A,B); { [J;T  P[σ/σ 1 ]] } return J  P[σ/σ 1 ]

NextJ: “Induction” [Sheeran/Singh/Stålmarck 2000] NextJ(J,T,R,k) = { (n | 0≤n≤k [J;T n  R]) } { J;T k = J;(R;T) k } var J’ := true;(R;T) k ; { [J;T k  J’] } return J  J’

Completeness  Widen no completeness guarantee (so still needs diameter in main loop)  Interpolant complete for boolean programs  “Induction” complete for boolean programs, under the additional constraint that there are no repeated states

What would make a good NextJ? For J’ := NextJ(J,T,R,k):  [J  J’]  (n | 1≤n≤k [J;T n  J’] (m | 0≤m≤k-n [J’;T m  R]) ) NextJ(J,T,R,k) = let n, P satisfy 1 ≤ n ≤ k [sp(T n, J)  P] [P  wp( (assert R; T) n-k, R)]; return J  P