1. On bounded model checking, abstract interpretation, interpolants, and induction K. Rustan M. Leino Microsoft Research, Redmond, WA, USA IFIP WG 2.3, meeting 43 10 Sep 2004 Prato, Italy

2. State transition system (I, T, R) where I—description of initial states T—total transition relation R—description of “good” states

3. Bounded model checking  Is ¬R reachable from I via a finite number of T steps?  BMC(I,T,R,k) = ¬R is reachable from I via at most k T steps

4. Relations  Id(σ,σ’) = σ=σ’  (R;S)(σ,σ’’) = ( σ’ R(σ,σ’)  S(σ’,σ’’))  R n = R;R;R;…;R  a predicate P can be used as a relation, with the meaning P(σ,σ’) = P(σ)  σ=σ’  R(σ’) = ( σ R(σ,σ’))  everywhere brackets on predicates: [P] = ( σ P(σ)) n times

5. Checking reachability Reach(I,T,F,k) = { returns (n | 0≤n≤k ¬[I;T n  ¬F]) } SAT(I(σ 0 )  ( i | 0≤i<k T(σ i, σ i+1 ))  ( i | 0≤i≤k F(σ i )) ) BMC(I,T,R,k) = Reach(I,T,¬R,k)

6. System diameter  The diameter of a system is the smallest number of steps that reaches all reachable states

7. Basic algorithm Main(I,T,R) = for k := 0 thru Diameter(I,T) do if Reach(I,T,¬R,k) then return Error end end; return Correct

8. Improved algorithm Main(I,T,R) = if SAT(I  ¬R) then return Error end; for k := 1 thru Diameter(I,T) do { (n | 0≤n<k [I;T n  R]) } case Check(I,T,R,k) of Correct:return Correct Error:return Error DontKnow:skip end end; return Correct

9. Procedure Check Check(I,T,R,k) = {requires 1≤k  (n | 0≤n<k [I;T n  R]); ensures Error  Reach(I,T,¬R,k); ensures Correct  (n | 0≤n [I;T n  R]); ensures DontKnow  (n | 0≤n≤k [I;T n  R]); } if Reach(I,T,¬R,k) then return Error else … return DontKnow end

10. System invariant Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) then return Error else loop { [I  J]  (n | 0≤n≤k [J;T n  R]) } var J’ := …; { [J  J’]  [J;T  J’] } if [J’  J] then { (n | 0≤n [I;T n  R]) } return Correct else if Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end

11. NextJ Check(I,T,R,k) = var J := I; if Reach(J,T,¬R,k) then return Error else loop { [I  J]  (n | 0≤n≤k [J;T n  R]) } var J’ := NextJ(J,T,R,k); { [J  J’]  (n | 1≤n≤k [J;T n  J’]) } if [J’  J] then { (n | 0≤n [I;T n  R]) } return Correct else if Reach(J’,T,¬R,k) then return DontKnow end; J := J’ end

12. Goal: Implement NextJ {1≤k  (n | 0≤n≤k [J;T n  R]) } J’ := NextJ(J,T,R,k) {[J  J’]  (n | 1≤n≤k [J;T n  J’]) }

13. NextJ: Widen [Cousot/Cousot 1977] NextJ(J,T,R,k) = var J’ := J  J;T ; { [J  J’]  [J;T  J’] } return J’

14. Interpolants [Craig 1957] For any formulas A and B such that [A  B], there exists an interpolant P such that  [A  P]  [P  B]  every free symbol in P is a free symbol in both A and B

15. NextJ: Interpolant [McMillan 2003] NextJ(J,T,R,k) = { (n | 0≤n≤k [J;T n  R]) } let σ 0,…,σ k be fresh symbols; let A =J(σ 0 )  T(σ 0,σ 1 ); let B =( i | 1≤i<k T(σ i,σ i+1 ))  ( i | 1≤i≤k R(σ i )); var P := Interpolant(A,B); { [J;T  P[σ/σ 1 ]] } return J  P[σ/σ 1 ]

16. NextJ: “Induction” [Sheeran/Singh/Stålmarck 2000] NextJ(J,T,R,k) = { (n | 0≤n≤k [J;T n  R]) } { J;T k = J;(R;T) k } var J’ := true;(R;T) k ; { [J;T k  J’] } return J  J’

17. Completeness  Widen no completeness guarantee (so still needs diameter in main loop)  Interpolant complete for boolean programs  “Induction” complete for boolean programs, under the additional constraint that there are no repeated states

18. What would make a good NextJ? For J’ := NextJ(J,T,R,k):  [J  J’]  (n | 1≤n≤k [J;T n  J’] (m | 0≤m≤k-n [J’;T m  R]) ) NextJ(J,T,R,k) = let n, P satisfy 1 ≤ n ≤ k [sp(T n, J)  P] [P  wp( (assert R; T) n-k, R)]; return J  P