Abstract
In the context of formal verification, certifying proofs are evidence of the correctness of a model, expressed in a deduction system and produced automatically as an outcome of the verification. They are quite appealing for high-assurance systems because they can be verified independently by proof checkers, which are usually simpler to certify than the proof-generating tools. Model checking is one of the most prominent approaches to the formal verification of temporal properties and is based on an algorithmic search of the system state space. Although modern algorithms integrate deductive methods, the generation of proofs is typically restricted to invariant properties only. Moreover, it assumes that the verification produces an inductive invariant of the original system, while model checkers usually involve a variety of complex pre-processing simplifications. In this paper we show how to exploit the k-liveness algorithm to extend the proof generation capabilities of invariant checking to cover full linear-time temporal logic (LTL) properties, in a simple and efficient manner and with essentially no overhead for the model checker. Besides the basic k-liveness algorithm, we integrate into the proof generation a variety of widely used pre-processing techniques, such as temporal decomposition, model simplification via the computation of equivalences with ternary simulation, and the use of stabilizing constraints. These techniques are essential in many cases to prove that a property holds, both for invariant and for LTL model checking, and thus need to be accounted for within the proof. We implemented the proof generation techniques on top of IC3 engines and show the feasibility of the approach on a variety of benchmarks taken from the literature and from the Hardware Model Checking Competition. Our results confirm that proof generation results in negligible overhead for the model checker.
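The abstract rests on two ideas that are easy to lose in the prose: Claessen and Sörensson's k-liveness reduces an LTL liveness property of the form FG(not f) to the invariant "a counter of f-states never exceeds k" on a counter-augmented system, and a certificate for that invariant can be re-checked by a small, independent checker that trusts nothing the prover says. The following is an added example written for this page, not code from the paper or from the nuXmv/IC3 engines it describes; the toy boot-sequence system and the toggler are constructed here, the prover is plain explicit-state reachability rather than IC3, and the certificate is an inductive invariant of the augmented system, not the deduction-system proof (rules klb, kl[k]) the paper produces.

```python
"""k-liveness as a liveness-to-safety reduction with an independently
checkable certificate.

Added example, not the paper's code.  Assumes a constructed toy system
(BOOT) and counter-model (TOGGLE) defined below.  FG(not f) holds on every
run iff, for some k, no run contains more than k f-states; "counter <= k"
is then an invariant of the system augmented with a counter of f-states.
"""
from collections import deque
from typing import Callable, FrozenSet, Hashable, Iterable, List, Optional, Tuple

State = Hashable
Aug = Tuple[State, int]   # (system state, number of f-states seen so far)


class TransitionSystem:
    """Explicit-state Kripke structure: initial states and a successor function."""

    def __init__(self, init: Iterable[State], succ: Callable[[State], Iterable[State]]):
        self.init = list(init)
        self.succ = succ


def augmented_reachable(ts: TransitionSystem, f: Callable[[State], bool], k: int
                        ) -> Tuple[FrozenSet[Aug], bool]:
    """Breadth-first exploration of (state, counter) pairs.

    The counter is incremented whenever the system enters an f-state.  If it
    ever exceeds k, the bad state is reachable and exploration stops with
    ok=False.  Otherwise the reachable set is returned as the certificate.
    """
    seen: set = set()
    frontier: deque = deque()
    for s in ts.init:
        a = (s, 1 if f(s) else 0)
        if a[1] > k:
            return frozenset(seen), False
        if a not in seen:
            seen.add(a)
            frontier.append(a)
    while frontier:
        s, c = frontier.popleft()
        for t in ts.succ(s):
            a = (t, c + (1 if f(t) else 0))
            if a[1] > k:
                return frozenset(seen), False
            if a not in seen:
                seen.add(a)
                frontier.append(a)
    return frozenset(seen), True


def k_liveness(ts, f, k_max) -> Optional[Tuple[int, FrozenSet[Aug]]]:
    """Smallest k <= k_max for which 'counter <= k' is invariant, with its
    certificate; None means 'not proved' (k_max may simply be too small)."""
    for k in range(k_max + 1):
        inv, ok = augmented_reachable(ts, f, k)
        if ok:
            return k, inv
    return None


def check_certificate(ts, f, k, inv) -> bool:
    """Independent proof checker.  Using only ts, f, k and inv, it re-derives
    that inv is an inductive invariant of the augmented system implying
    counter <= k.  True means every run of ts has at most k f-states, hence
    FG(not f) holds; the prover's own claims are never consulted."""
    for s in ts.init:                       # initiation
        if (s, 1 if f(s) else 0) not in inv:
            return False
    for s, c in inv:
        if c > k:                           # safety
            return False
        for t in ts.succ(s):                # consecution
            if (t, c + (1 if f(t) else 0)) not in inv:
                return False
    return True


# Constructed toy system: a boot sequence with state (phase, tick).  The tick
# toggles; on tick=1 the phase advances by 1 or 2 (nondeterministically) up
# to 3, where it stays forever.  Property: FG(phase == 3), i.e. f = "phase < 3"
# holds only finitely often on every run.
def boot_succ(state: Tuple[int, int]) -> List[Tuple[int, int]]:
    phase, tick = state
    if phase == 3:
        return [(3, 1 - tick)]
    if tick == 0:
        return [(phase, 1)]
    return [(min(phase + 1, 3), 0), (min(phase + 2, 3), 0)]


def booting(s) -> bool:
    return s[0] < 3


BOOT = TransitionSystem(init=[(0, 0)], succ=boot_succ)

# Constructed counter-model: a toggler visits state 0 infinitely often, so no
# k bounds the number of f-states and the prover gives up at k_max.
TOGGLE = TransitionSystem(init=[0], succ=lambda s: [1 - s])


def is_zero(s) -> bool:
    return s == 0


def prove_boot(k_max: int = 10):
    """Run the prover on BOOT and hand the result to the checker."""
    result = k_liveness(BOOT, booting, k_max)
    if result is None:
        return None
    k, inv = result
    return k, len(inv), check_certificate(BOOT, booting, k, inv)


if __name__ == "__main__":
    print("boot:", prove_boot())                      # (6, 12, True)
    print("toggle:", k_liveness(TOGGLE, is_zero, 10))  # None
```

The checker is the part worth reading twice: it performs only membership tests and one successor enumeration per certificate state, so it is far simpler than the prover, which is exactly the argument the abstract makes for certifying proofs in high-assurance settings. A tampered certificate (a missing augmented state, or a k smaller than the counter values it contains) is rejected by the consecution or safety check respectively.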
Notes
In general, in a hardware verification context, the input system is already in this functional form. Moreover, the technique can be extended to work also in the presence of further relational constraints on both X and Y, but this is omitted here for simplicity.
This can be easily generalised to discover also XORs, i.e. cases in which \(x_i\) is equivalent to \(\lnot x_j\).
Note that here \(\mathbf{F }\alpha \) and \(\mathbf{G }\alpha \) are just abbreviations for \(\top \mathbf{U }\alpha \) and \(\lnot (\top \mathbf{U }\lnot \alpha )\) respectively, as introduced in Sect. 3.3. In principle, we could have used a system with simpler rules defined for the primitive operators. We preferred to keep the rules defined in [26].
Note that \((\phi \leftrightarrow Exp(\phi ))\) is an abbreviation for \(((\phi \rightarrow Exp(\phi )) \wedge (Exp(\phi )\leftrightarrow \phi ))\) so that we can apply the \(\textsc {and-el}\).
This is the case e.g. for some proof obligations generated for components with a trivial assumption.
For this comparison we restrict to the HWMCC LTL benchmarks set where the use of pre-processing has an impact.
References
Barrett C, Fontaine P, Tinelli C (2017) The SMT-LIB standard: version 2.6. Tech. rep., Department of Computer Science, The University of Iowa. www.SMT-LIB.org
Basin D, Bhatt BN, Traytel D (2018) Optimal proofs for linear temporal logic on lasso words . https://www21.in.tum.de/~traytel/papers/expl/expl.pdf
Ben-Ari M (1993) Mathematical logic for computer science. Prentice Hall International series in computer science. Prentice Hall
Bernasconi A, Menghi C, Spoletini P, Zuck LD, Ghezzi C (2017) From model checking to a temporal proof for partial models. In: SEFM, LNCS, vol. 10469, pp 54–69. Springer
Biere A, Artho C, Schuppan V (2002) Liveness checking as safety checking. Electr Notes Theor Comput Sci 66(2):160–177. https://doi.org/10.1016/S1571-0661(04)80410-9
Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148. https://doi.org/10.1016/S0065-2458(03)58003-2
Biere A, van Dijk T, Heljanko K (2017) Hardware model checking competition 2017. In: Proceedings of the 17th conference on formal methods in computer-aided design, FMCAD ’17, p 9. FMCAD Inc, Austin, TX. http://dl.acm.org/citation.cfm?id=3168451.3168458
Biere A, Heljanko K, Wieringa S (2011) AIGER 1.9 and beyond. Tech. rep., FMV Reports Series, Institute for Formal Models and Verification, Johannes Kepler University, Altenbergerstr. 69, 4040 Linz, Austria
Bjesse P, Kukula JH (2005) Automatic generalized phase abstraction for formal verification. In: ICCAD, pp 1076–1082. IEEE Computer Society
Bozzano M, Cimatti A, Pires AF, Jones D, Kimberly G, Petri T, Robinson R, Tonetta S (2015) Formal design and safety analysis of AIR6110 wheel brake system. In: CAV (1), LNCS, vol 9206, pp 518–535. Springer
Bradley A (2011) SAT-based model checking without unrolling. In: VMCAI, LNCS, vol 6538, pp 70–87. Springer
Bradley AR, Somenzi F, Hassan Z, Zhang Y (2011) An incremental approach to model checking progress properties. In: FMCAD, pp 144–153. FMCAD Inc
Case ML, Baumgartner J, Mony H, Kanzelman R (2011) Optimal redundancy removal without fixedpoint computation. In: Bjesse P, Slobodová A (eds) International conference on formal methods in computer-aided design, FMCAD ’11, Austin, TX, USA, October 30–November 02, 2011, pp 101–108. FMCAD Inc. http://dl.acm.org/citation.cfm?id=2157672
Case ML, Mony H, Baumgartner J, Kanzelman R (2009) Enhanced verification by temporal decomposition. In: FMCAD. IEEE
Cavada R, Cimatti A, Dorigatti M, Griggio A, Mariotti A, Micheli A, Mover S, Roveri M, Tonetta S (2014) The nuXmv symbolic model checker. In: CAV, LNCS, vol 8559, pp 334–342. Springer
Cimatti A, Griggio A, Schaafsma BJ, Sebastiani R (2013) The MathSAT5 SMT solver. In: TACAS, LNCS, vol 7795. Springer
Cini C, Francalanza A (2015) An LTL proof system for runtime verification. In: TACAS, LNCS, vol 9035, pp 581–595. Springer
Claessen K, Sörensson N (2012) A liveness checking algorithm that counts. In: Cabodi G, Singh S (eds) FMCAD, pp 52–59. IEEE
Clarke EM, Grumberg O, Hamaguchi K (1997) Another look at LTL model checking. Formal Methods Syst Des 10(1):47–71
Daniel J, Cimatti A, Griggio A, Tonetta S, Mover S (2016) Infinite-state liveness-to-safety via implicit abstraction and well-founded relations. In: CAV (1), LNCS, vol 9779. Springer
Dax C, Hofmann M, Lange M (2006) A proof system for the linear time \(\mu \)-calculus. In: FSTTCS, LNCS, vol 4337, pp 273–284. Springer
Eén N, Sörensson N (2003) An extensible SAT-solver. In: Giunchiglia E, Tacchella A (eds) Theory and applications of satisfiability testing, 6th international conference, SAT 2003, Santa Margherita Ligure, Italy, May 5–8, 2003, Selected Revised Papers, Lecture Notes in Computer Science, vol 2919, pp 502–518. Springer. https://doi.org/10.1007/978-3-540-24605-3_37
Emerson EA, Jutla CS, Sistla AP (2001) On model checking for the \(\mu \)-calculus and its fragments. Theor Comput Sci 258(1–2):491–522. https://doi.org/10.1016/S0304-3975(00)00034-7
Esparza J, Lammich P, Neumann R, Nipkow T, Schimpf A, Smaus J (2014) A fully verified executable LTL model checker. Arch Formal Proofs 2014
Fisler K, Kurshan RP (1997) Verifying VHDL designs with COSPAN. In: FHV, LNCS, vol 1287, pp 206–247. Springer
Gabbay DM, Pnueli A, Shelah S, Stavi J (1980) On the temporal basis of fairness. In: Conference record of the seventh annual ACM symposium on principles of programming languages, Las Vegas, Nevada, USA, January 1980, pp 163–173. https://doi.org/10.1145/567446.567462
Griggio A, Roveri M (2016) Comparing different variants of the IC3 algorithm for hardware model checking. IEEE Trans CAD Integrated Circuits Syst 35(6):1026–1039. https://doi.org/10.1109/TCAD.2015.2481869
Griggio A, Roveri M, Tonetta S (2018) Certifying proofs for LTL model checking. In: 2018 formal methods in computer aided design, FMCAD 2018, Austin, TX, USA, October 30–November 2, 2018, pp 1–9. https://doi.org/10.23919/FMCAD.2018.8603022
Hustadt U, Konev B (2003) TRP++2.0: a temporal resolution prover. In: CADE-19, LNCS, vol 2741. Springer
Hustadt U, Konev B, Riazanov A, Voronkov A (2004) Temp: a temporal monodic prover. In: IJCAR, LNCS, vol 3097. Springer
Kuismin T, Heljanko K (2013) Increasing confidence in liveness model checking results with proofs. In: Bertacco V, Legay A (eds) Hardware and software: verification and testing, 9th international Haifa verification conference, HVC 2013, Haifa, Israel, November 5–7, 2013, Proceedings, Lecture Notes in Computer Science, vol 8244, pp 32–43. Springer. https://doi.org/10.1007/978-3-319-03077-7_3
Kupferman O, Vardi MY (2005) From complementation to certification. Theor Comput Sci 345(1):83–100. https://doi.org/10.1016/j.tcs.2005.07.021
Mebsout A, Tinelli C (2016) Proof certificates for SMT-based model checkers for infinite-state systems. In: 2016 formal methods in computer-aided design, FMCAD 2016, Mountain View, CA, USA, October 3–6, 2016, pp 117–124. https://doi.org/10.1109/FMCAD.2016.7886669
de Moura LM, Bjørner N (2008) Proofs and refutations, and Z3. In: LPAR workshops, CEUR workshop proceedings, vol 418. CEUR-WS.org
Namjoshi KS (2001) Certifying model checkers. In: CAV, LNCS, vol 2102. Springer
Peled DA, Pnueli A, Zuck LD (2001) From falsification to verification. In: Hariharan R, Mukund M, Vinay V (eds.) FST TCS 2001, LNCS, vol 2245, pp 292–304. Springer
Peled DA, Zuck LD (2001) From model checking to a temporal proof. In: SPIN, LNCS, vol 2057. Springer
Pnueli A (1977) The temporal logic of programs. In: FOCS, pp 46–57. https://doi.org/10.1109/SFCS.1977.32
Prawitz D (2006) Natural deduction: a proof-theoretical study. Dover Books on Mathematics, Dover Publications
RTCA DO-333: Formal Methods Supplement to DO-178C and DO-278A (2011)
Schuppan V, Darmawan L (2011) Evaluating LTL satisfiability solvers. In: ATVA, LNCS, vol 6996. Springer
Seger CH, Bryant RE (1995) Formal verification by symbolic evaluation of partially-ordered trajectories. Formal Methods Syst Des 6(2):147–189. https://doi.org/10.1007/BF01383966
Vardi MY (1995) An automata-theoretic approach to linear temporal logic. In: Banff Higher Order Workshop, LNCS, vol 1043, pp 238–266. Springer
Wagner LG, Mebsout A, Tinelli C, Cofer DD, Slind K (2017) Qualification of a model checker for avionics software verification. In: NASA formal methods, 9th international symposium, NFM 2017, Moffett Field, CA, USA, May 16–18, 2017, Proceedings, pp 404–419. https://doi.org/10.1007/978-3-319-57288-8_29
A Derivation proofs
In this section we detail the derivation of the rules that are derived from the system defined in [26] and used in the proofs generated as described in the previous sections. Each derived rule corresponds to a valid formula, which has also been proved valid with the nuXmv model checker. However, to avoid circularity in the proof generation, we cannot rely on the model checker result, and we therefore give an explicit version of the deduction proofs.
A.1 Basic lemmas
A.2 Proofs for k-liveness
The main step to prove the k-liveness derivation is the following deduction:
which is derived as follows:
Combining the \(\textsc {klb}\) in a chain, we obtain a full derivation of a proof for the \(\textsc {kl}[k]\) rule:
A.3 Proofs for stabilizing constraints
The following derived rules are used in the proofs exploiting stabilizing constraints:
These rules are derived as follows:
A.4 Proof for simplified transition relation
The following derived rule is used to simplify T with some invariant \(\xi \):
which is derived as follows:
A.5 Proof for temporal decomposition
The derived rule used with temporal decomposition for liveness properties is the following:
which is derived as follows.
Similarly for invariant properties, we have the following derived rule:
which is derived as follows.
A.6 Proofs for LTL encoding
Here we use the equivalence \((\phi \leftrightarrow Exp(\phi )) \leftrightarrow ((\phi \rightarrow Exp(\phi )) \wedge (Exp(\phi )\leftrightarrow \phi ))\) to match the structure of the \(\textsc {and-el}\) rule. Moreover, given the specific construction of \(M_{\lnot \phi }\), \(Enc^{-1}(T_{\lnot \phi }) \) and \(\mathbf{G }\mathbf{F }Enc^{-1}(f_i) \) are always valid formulae. We also leverage the fact that \(Enc^{-1}(I_{\lnot \phi }) =Exp(\lnot \phi )=\lnot Exp(\phi )\), and that \(Enc^{-1}(T_{\lnot \phi }) \) is of the form \(\bigwedge _\beta \mathbf{X }\beta \leftrightarrow Next(Exp(\beta ))\).
A.7 Overall proof for LTL
A.8 Overall proof for invariant
Cite this article
Griggio, A., Roveri, M. & Tonetta, S. Certifying proofs for SAT-based model checking. Form Methods Syst Des 57, 178–210 (2021). https://doi.org/10.1007/s10703-021-00369-1