Certifying proofs for SAT-based model checking

Published in Formal Methods in System Design

Abstract

In the context of formal verification, certifying proofs are evidence of the correctness of a model in a deduction system, produced automatically as an outcome of the verification. They are quite appealing for high-assurance systems because they can be verified independently by proof checkers, which are usually simpler to certify than the proof-generating tools. Model checking is one of the most prominent approaches to the formal verification of temporal properties and is based on an algorithmic search of the system state space. Although modern algorithms integrate deductive methods, the generation of proofs is typically restricted to invariant properties only. Moreover, it assumes that the verification produces an inductive invariant of the original system, while model checkers usually involve a variety of complex pre-processing simplifications. In this paper we show how to exploit the k-liveness algorithm to extend the proof generation capabilities of invariant checking to full linear-time temporal logic (LTL) properties, in a simple and efficient manner, with essentially no overhead for the model checker. Besides the basic k-liveness algorithm, we integrate into the proof generation a variety of widely used pre-processing techniques such as temporal decomposition, model simplification via computation of equivalences with ternary simulation, and the use of stabilizing constraints. These techniques are essential in many cases to prove that a property holds, both for invariant and for LTL model checking, and thus need to be accounted for within the proof. We implemented the proof generation techniques on top of IC3 engines, and show the feasibility of the approach on a variety of benchmarks taken from the literature and from the Hardware Model Checking Competition. Our results confirm that proof generation results in negligible overhead for the model checker.
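The two ideas the abstract relies on, the k-liveness reduction of an LTL check to an invariant check and the independent re-checking of the resulting certificate, are illustrated below on an explicit-state toy model. This is an added example written for this page; it is not code from the paper, from nuXmv, or from an IC3 engine. Instead of IC3 it uses the reachable set of the product system as the inductive invariant (any inductive strengthening would do), and the "request with bounded retries" model and its fairness signal are constructed for the illustration. The fairness predicate f plays the role of the acceptance condition of the negated property: proving that f is seen at most k times on every run proves the liveness property.

```python
"""Added example (not the paper's code, nor nuXmv/IC3): k-liveness on an
explicit-state toy model, plus an independent certificate checker.

Idea (Claessen & Sörensson): to prove an LTL property whose negation has
fairness condition f, add a counter of the states where f holds. If, for
some k, "counter <= k" is an invariant of the product, no run sees f
infinitely often, so the property holds. The certificate is an inductive
invariant of that product; checking it needs only local checks, no search.
"""
from collections import deque
from typing import Callable, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
PState = Tuple[State, int]          # (system state, saturating f-counter)


class System:
    """Explicit-state transition system with a fairness predicate f."""
    def __init__(self, init: Iterable[State],
                 succ: Callable[[State], Iterable[State]],
                 fair: Callable[[State], bool]) -> None:
        self.init, self.succ, self.fair = list(init), succ, fair


def reachable(init: Iterable[State], succ) -> Set[State]:
    """Plain BFS over an explicit state space."""
    seen = set(init)
    queue = deque(seen)
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def product_init(sys: System) -> List[PState]:
    return [(s, 1 if sys.fair(s) else 0) for s in sys.init]


def product_succ(sys: System, k: int):
    """Successors in the product with a counter saturating at k+1
    (saturation keeps the product finite; k+1 already violates the invariant)."""
    def succ(ps: PState):
        s, c = ps
        for t in sys.succ(s):
            yield (t, min(c + (1 if sys.fair(t) else 0), k + 1))
    return succ


def k_liveness(sys: System, max_k: int) -> Optional[Tuple[int, Set[PState]]]:
    """Increase k until 'counter <= k' is invariant in the product.
    The reachable set of the product is the inductive invariant returned
    (IC3 would return a smaller one). On a finite system, max_k = number of
    reachable states is complete: more f-states than that on one run
    implies a fair cycle, i.e. a genuine counterexample."""
    for k in range(max_k + 1):
        inv = reachable(product_init(sys), product_succ(sys, k))
        if all(c <= k for _, c in inv):
            return k, inv
    return None


def check_certificate(sys: System, k: int, inv: Set[PState]) -> bool:
    """Independent checker: inv must be an inductive invariant of the
    product that implies counter <= k. Three local checks, no search."""
    succ = product_succ(sys, k)
    if not all(p in inv for p in product_init(sys)):
        return False                                   # initiation
    for p in inv:
        if p[1] > k:
            return False                               # inv implies property
        if not all(t in inv for t in succ(p)):
            return False                               # consecution
    return True


# Constructed toy model: a request that may be retried; f = "in retry state".
# Property: FG !retry, i.e. only finitely many retries on every run.
MAX_RETRIES = 3

def make_retry_system(bounded: bool) -> System:
    def succ(s):
        mode, n = s
        if mode == "idle":
            return [("send", n)]
        if mode == "send":
            return [("wait", n)]
        if mode == "wait":
            out = [("done", n)]
            if bounded:
                if n < MAX_RETRIES:
                    out.append(("retry", n + 1))
            else:
                out.append(("retry", n))   # unbounded retry loop: property fails
            return out
        if mode == "retry":
            return [("send", n)]
        return [("done", n)]                # done is absorbing
    return System(init=[("idle", 0)], succ=succ, fair=lambda s: s[0] == "retry")


def prove(sys: System) -> Optional[int]:
    """Run k-liveness with the complete bound and re-check the certificate."""
    max_k = len(reachable(sys.init, sys.succ))
    res = k_liveness(sys, max_k)
    if res is None:
        return None
    k, inv = res
    assert check_certificate(sys, k, inv)
    return k


if __name__ == "__main__":
    print("bounded retries: proved with k =", prove(make_retry_system(True)))   # 3
    print("unbounded retries: k found =", prove(make_retry_system(False)))       # None
```

The point to notice is the asymmetry the abstract argues for: `k_liveness` searches (and a real engine would do far more, with IC3 and pre-processing), while `check_certificate` only evaluates membership and one-step successors of the states in the certificate, so it is the part one would want to qualify for a high-assurance flow. Tampering with the certificate (dropping a state, or claiming a smaller k) is rejected by the checker, not silently accepted.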


Figures 1–5 (images and captions not reproduced).


Notes

  1. In general, in a hardware verification context, the input system is already in this functional form. Moreover, the technique can be extended to work also in the presence of further relational constraints on both X and Y, but this is omitted here for simplicity.

  2. This can be easily generalised to discover also XORs, i.e. cases in which \(x_i\) is equivalent to \(\lnot x_j\).

  3. Note that here \(\mathbf{F }\alpha \) and \(\mathbf{G }\alpha \) are just abbreviations for \(\top \mathbf{U }\alpha \) and \(\lnot (\top \mathbf{U }\lnot \alpha )\) respectively, as introduced in Sect. 3.3. In principle, we could have used a system with simpler rules defined for the primitive operators. We preferred to keep the rules defined in [26].

  4. Note that \((\phi \leftrightarrow Exp(\phi ))\) is an abbreviation for \(((\phi \rightarrow Exp(\phi )) \wedge (Exp(\phi )\leftrightarrow \phi ))\) so that we can apply the \(\textsc {and-el}\).

  5. This is the case e.g. for some proof obligations generated for components with a trivial assumption.

  6. For this comparison we restrict to the HWMCC LTL benchmarks set where the use of pre-processing has an impact.

References

  1. Barrett C, Fontaine P, Tinelli C (2017) The SMT-LIB standard: version 2.6. Tech. rep., Department of Computer Science, The University of Iowa. www.SMT-LIB.org

  2. Basin D, Bhatt BN, Traytel D (2018) Optimal proofs for linear temporal logic on lasso words. https://www21.in.tum.de/~traytel/papers/expl/expl.pdf

  3. Ben-Ari M (1993) Mathematical logic for computer science. Prentice Hall International series in computer science. Prentice Hall

  4. Bernasconi A, Menghi C, Spoletini P, Zuck LD, Ghezzi C (2017) From model checking to a temporal proof for partial models. In: SEFM, LNCS, vol. 10469, pp 54–69. Springer

  5. Biere A, Artho C, Schuppan V (2002) Liveness checking as safety checking. Electr Notes Theor Comput Sci 66(2):160–177. https://doi.org/10.1016/S1571-0661(04)80410-9


  6. Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148. https://doi.org/10.1016/S0065-2458(03)58003-2


  7. Biere A, van Dijk T, Heljanko K (2017) Hardware model checking competition 2017. In: Proceedings of the 17th conference on formal methods in computer-aided design, FMCAD ’17, p 9. FMCAD Inc, Austin, TX. http://dl.acm.org/citation.cfm?id=3168451.3168458

  8. Biere A, Heljanko K, Wieringa S (2011) AIGER 1.9 and beyond. Tech. rep., FMV Reports Series, Institute for Formal Models and Verification, Johannes Kepler University, Altenbergerstr. 69, 4040 Linz, Austria

  9. Bjesse P, Kukula JH (2005) Automatic generalized phase abstraction for formal verification. In: ICCAD, pp 1076–1082. IEEE Computer Society

  10. Bozzano M, Cimatti A, Pires AF, Jones D, Kimberly G, Petri T, Robinson R, Tonetta S (2015) Formal design and safety analysis of AIR6110 wheel brake system. In: CAV (1), LNCS, vol 9206, pp 518–535. Springer

  11. Bradley A (2011) SAT-based model checking without unrolling. In: VMCAI, LNCS, vol 6538, pp 70–87. Springer

  12. Bradley AR, Somenzi F, Hassan Z, Zhang Y (2011) An incremental approach to model checking progress properties. In: FMCAD, pp 144–153. FMCAD Inc

  13. Case ML, Baumgartner J, Mony H, Kanzelman R (2011) Optimal redundancy removal without fixedpoint computation. In: Bjesse P, Slobodová A (eds) International conference on formal methods in computer-aided design, FMCAD ’11, Austin, TX, USA, October 30–November 02, 2011, pp 101–108. FMCAD Inc. http://dl.acm.org/citation.cfm?id=2157672

  14. Case ML, Mony H, Baumgartner J, Kanzelman R (2009) Enhanced verification by temporal decomposition. In: FMCAD. IEEE

  15. Cavada R, Cimatti A, Dorigatti M, Griggio A, Mariotti A, Micheli A, Mover S, Roveri M, Tonetta S (2014) The nuXmv symbolic model checker. In: CAV, LNCS, vol 8559, pp 334–342. Springer

  16. Cimatti A, Griggio A, Schaafsma BJ, Sebastiani R (2013) The MathSAT5 SMT solver. In: TACAS, LNCS, vol 7795. Springer

  17. Cini C, Francalanza A (2015) An LTL proof system for runtime verification. In: TACAS, LNCS, vol 9035, pp 581–595. Springer

  18. Claessen K, Sörensson N (2012) A liveness checking algorithm that counts. In: Cabodi G, Singh S (eds) FMCAD, pp 52–59. IEEE

  19. Clarke EM, Grumberg O, Hamaguchi K (1997) Another look at LTL model checking. Formal Methods Syst Des 10(1):47–71


  20. Daniel J, Cimatti A, Griggio A, Tonetta S, Mover S (2016) Infinite-state liveness-to-safety via implicit abstraction and well-founded relations. In: CAV (1), LNCS, vol 9779. Springer

  21. Dax C, Hofmann M, Lange M (2006) A proof system for the linear time \(\mu\)-calculus. In: FSTTCS, LNCS, vol 4337, pp 273–284. Springer

  22. Eén N, Sörensson N (2003) An extensible SAT-solver. In: Giunchiglia E, Tacchella A (eds) Theory and applications of satisfiability testing, 6th international conference, SAT 2003, Santa Margherita Ligure, Italy, May 5–8, 2003, Selected Revised Papers, Lecture Notes in Computer Science, vol 2919, pp 502–518. Springer. https://doi.org/10.1007/978-3-540-24605-3_37

  23. Emerson EA, Jutla CS, Sistla AP (2001) On model checking for the \(\mu\)-calculus and its fragments. Theor Comput Sci 258(1–2):491–522. https://doi.org/10.1016/S0304-3975(00)00034-7


  24. Esparza J, Lammich P, Neumann R, Nipkow T, Schimpf A, Smaus J (2014) A fully verified executable LTL model checker. Arch Formal Proofs 2014

  25. Fisler K, Kurshan RP (1997) Verifying VHDL designs with COSPAN. In: FHV, LNCS, vol 1287, pp 206–247. Springer

  26. Gabbay DM, Pnueli A, Shelah S, Stavi J (1980) On the temporal basis of fairness. In: Conference record of the seventh annual ACM symposium on principles of programming languages, Las Vegas, Nevada, USA, January 1980, pp 163–173. https://doi.org/10.1145/567446.567462

  27. Griggio A, Roveri M (2016) Comparing different variants of the IC3 algorithm for hardware model checking. IEEE Trans CAD Integrated Circuits Syst 35(6):1026–1039. https://doi.org/10.1109/TCAD.2015.2481869

  28. Griggio A, Roveri M, Tonetta S (2018) Certifying proofs for LTL model checking. In: 2018 formal methods in computer aided design, FMCAD 2018, Austin, TX, USA, October 30–November 2, 2018, pp 1–9. https://doi.org/10.23919/FMCAD.2018.8603022

  29. Hustadt U, Konev B (2003) TRP++2.0: a temporal resolution prover. In: CADE-19, LNCS, vol 2741. Springer

  30. Hustadt U, Konev B, Riazanov A, Voronkov A (2004) Temp: a temporal monodic prover. In: IJCAR, LNCS, vol 3097. Springer

  31. Kuismin T, Heljanko K (2013) Increasing confidence in liveness model checking results with proofs. In: Bertacco V, Legay A (eds) Hardware and software: verification and testing - 9th international haifa verification conference, HVC 2013, Haifa, Israel, November 5–7, 2013, Proceedings, Lecture Notes in Computer Science, vol 8244, pp 32–43. Springer. https://doi.org/10.1007/978-3-319-03077-7_3

  32. Kupferman O, Vardi MY (2005) From complementation to certification. Theor Comput Sci 345(1):83–100. https://doi.org/10.1016/j.tcs.2005.07.021


  33. Mebsout A, Tinelli C (2016) Proof certificates for SMT-based model checkers for infinite-state systems. In: 2016 formal methods in computer-aided design, FMCAD 2016, Mountain View, CA, USA, October 3–6, 2016, pp 117–124. https://doi.org/10.1109/FMCAD.2016.7886669

  34. de Moura LM, Bjørner N (2008) Proofs and refutations, and Z3. In: LPAR workshops, CEUR workshop proceedings, vol 418. CEUR-WS.org

  35. Namjoshi KS (2001) Certifying model checkers. In: CAV, LNCS, vol 2102. Springer

  36. Peled DA, Pnueli A, Zuck LD (2001) From falsification to verification. In: Hariharan R, Mukund M, Vinay V (eds.) FST TCS 2001, LNCS, vol 2245, pp 292–304. Springer

  37. Peled DA, Zuck LD (2001) From model checking to a temporal proof. In: SPIN, LNCS, vol 2057. Springer

  38. Pnueli A (1977) The temporal logic of programs. In: FOCS, pp 46–57. https://doi.org/10.1109/SFCS.1977.32

  39. Prawitz D (2006) Natural deduction: a proof-theoretical study. Dover Books on Mathematics, Dover Publications


  40. RTCA DO-333: Formal Methods Supplement to DO-178C and DO-278A (2011)

  41. Schuppan V, Darmawan L (2011) Evaluating LTL satisfiability solvers. In: ATVA, LNCS, vol 6996. Springer

  42. Seger CH, Bryant RE (1995) Formal verification by symbolic evaluation of partially-ordered trajectories. Formal Methods Syst Des 6(2):147–189. https://doi.org/10.1007/BF01383966


  43. Vardi MY (1995) An automata-theoretic approach to linear temporal logic. In: Banff Higher Order Workshop, LNCS, vol 1043, pp 238–266. Springer

  44. Wagner LG, Mebsout A, Tinelli C, Cofer DD, Slind K (2017) Qualification of a model checker for avionics software verification. In: NASA formal methods - 9th international symposium, NFM 2017, Moffett Field, CA, USA, May 16–18, 2017, Proceedings, pp 404–419. https://doi.org/10.1007/978-3-319-57288-8_29


Author information

Corresponding author: Alberto Griggio.


A Derivation proofs

In this section we detail the derivation of the rules, derived from the system defined in [26], that are used in the proofs generated as described in the previous sections. Each derived rule corresponds to a valid formula, which has also been proved valid with the nuXmv model checker. However, to avoid circularity in the proof generation, we cannot rely on the model checker result, and we therefore give an explicit version of the deduction proofs.

A.1 Basic lemmas

(4)
(5)
(6)
(7)

A.2 Proofs for k-liveness

The main step to prove the k-liveness derivation is the following deduction:

which is derived as follows:

Combining the \(\textsc {klb}\) in a chain, we obtain a full derivation of a proof for the \(\textsc {kl}[k]\) rule:

A.3 Proofs for stabilizing constraints

The following derived rules are used in the proofs exploiting stabilizing constraints:

These rules are derived as follows:

(8)
(9)
(10)

A.4 Proof for simplified transition relation

The following derived rule is used to simplify T with some invariant \(\xi \):

which is derived as follows:

A.5 Proof for temporal decomposition

The derived rule used with temporal decomposition for liveness properties is the following:

which is derived as follows.

(11)

Similarly for invariant properties, we have the following derived rule:

which is derived as follows.

(12)

A.6 Proofs for LTL encoding

Here we use the equivalence \((\phi \leftrightarrow Exp(\phi )) \leftrightarrow ((\phi \rightarrow Exp(\phi )) \wedge (Exp(\phi )\leftrightarrow \phi ))\) to match the structure of the \(\textsc {and-el}\) rule. Moreover, given the specific construction of \(M_{\lnot \phi }\), \(Enc^{-1}(T_{\lnot \phi }) \) and \(\mathbf{G }\mathbf{F }Enc^{-1}(f_i) \) are always valid formulae. We also leverage the fact that \(Enc^{-1}(I_{\lnot \phi }) =Exp(\lnot \phi )=\lnot Exp(\phi )\), and that \(Enc^{-1}(T_{\lnot \phi }) \) is of the form \(\bigwedge _\beta \mathbf{X }\beta \leftrightarrow Next(Exp(\beta ))\).

(13)
(14)
(15)
(16)

A.7 Overall proof for LTL

A.8 Overall proof for invariant

Cite this article

Griggio, A., Roveri, M. & Tonetta, S. Certifying proofs for SAT-based model checking. Form Methods Syst Des 57, 178–210 (2021). https://doi.org/10.1007/s10703-021-00369-1
