Software Quality Journal manuscript No. (will be inserted by the editor) Accelerating Temporal Verification of Simulink Diagrams Using Satisfiability Modulo Theories Petr Bauch · Vojtˇ ech Havel · Jiˇ r´ı Barnat Received: date / Accepted: date Abstract Automatic verification of programs and computer systems with input variables represents a significant and well-motivated challenge. The case of Simulink diagrams is especially difficult, because there the inputs are read iteratively and the number of input variables is in theory unbounded. We apply the techniques of explicit model checking to account for the temporal (control) aspects of verification and use set-based representation of data, thus handling both sources of non-determinism present in the verification. Two different representations of sets are evaluated in scalability with respect to the range of input variables. Explicit (enumerating) sets are very fast for small ranges but fail to scale. Symbolic sets, represented as first-order formulas in the bit-vector theory and compared using satisfiability modulo theory solvers, scale well to arbitrary (though still bounded) range of input variables. To leverage the combined strengths of explicit and symbolic representations, we have designed a hybrid representation which we showed to outperform both pure representations. Thus the proposed method allows complete automatic verification without the need to limit the non-determinism of input. Moreover, the principle underlying the hybrid representation entails inferring knowledge about the system under verification, which the developers did not explicitly include in the system, and which can significantly accelerate the verification process. The research leading to these results has received funding from the European Union’s Seventh Framework Program (FP7/2007-2013) for CRYSTAL – Critical System Engineering Acceleration Joint Undertaking under grant agreement Number 332830 and from specific national programs and/or funding authorities. Petr Bauch, Vojtˇ ech Havel, and Jiˇr´ı Barnat Faculty of Informatics, Masaryk University, Botanick´ a 68a, Brno, Czech Republic Tel.: +420 549 491 869 E-mail: {xbauch,xhavel1,barnat}@fi.muni.cz 2 Petr Bauch et al. Keywords Formal verification · model checking · circuit analysis · satisfiability modulo theories 1 Introduction The primary motivation of this paper is the verification of Simulink diagrams against specifications given as linear temporal logic (LTL) formulas. The methodology we propose is more general and can accommodate a wider class of systems and models, but the research is guided by this concrete application. Consider the diagram in Figure 1. A Simulink diagram is an oriented graph, which can be interpreted as an abstract syntactic tree, except it may contain self-referencing cycles. The expression associated with a node is described by the tree underneath it, e.g. in our diagram the next value of the delay d1 is computed as the multiplication of the two subtrees of the node labeled by ∗ to the left of the d1 node1 . Other than the arithmetic and logical operators there are 4 types of nodes: delays (box), inports (circle), outports (ellipse), and constants (plain). Only delays are self-referential and the semantics is that of a single element memory storage: whenever referred to, the delay node provides the stored value. That stored value d is initiated to 0 and is replaced by d0 with every tick of the Simulink global clock. Since the inport nodes serve as inputs – providing a new, non-deterministic value after every tick – a Simulink diagram generates a transition system of the possible values stored in delays. Such a transition system represents the possible evolution of the diagram, describing its behavior as it changes in time. Similarly as with parallel and reactive programs, a developer may need to verify that the behavior of a system complies with the specification. Consider for example a specification requiring that: whenever the inport sv1 is negative in three consecutive ticks, the value of pm2 will eventually be positive. Such a specification cannot be expressed in terms of safety, i.e. as a reachability of bad states, because if the system were incorrect the violating run would be infinite. Consequently, verification procedures that do not allow temporal specification, such as most implementations of symbolic execution by King (1976), static analysis by Cousot and Cousot (1977) or deductive verification by Owicki and Gries (1976), cannot be used in this case. Model checking, initiated by Clarke et al (1986); Vardi and Wolper (1986), allows verification against temporal properties, yet Simulink diagrams and similar systems with input variables pose another obstacle in the form of data-flow non-determinism. In order to answer temporal verification queries automatically, an algorithm must allow evaluation of Peano arithmetic expressions that form subtrees in the diagram. At the same time the input variables may be evaluated to an arbitrary number (which in practice is bounded, e.g. by the number of bits used to express the value) and each of these evaluations must be considered for the 1 Translated into a full equation, the value of d 1 in the next tick equals d01 = min{c3 , (¬sv1 ∨ c1 > sd13 )?c4 : d1 } ∗ int(¬sv1 ∨ c1 > sd13 ). + ite Title Suppressed Due to Excessive Length pm1 ≥ min min c3 ≥ 3 pm3 sd inport + ite d delay ≥ pm2 min ite ∗ d1 pm c4 sm2 sv1 cnv ∨ ¬ sd13 > c1 outport Fig. 1: A partial Simulink diagram for the VoterCore system: the complete diagram was verified during the experimental evaluation (see Section 5.2). Delay nodes form the state space, inport nodes generate new evaluations with every tick, and outport nodes can be referred to in the specification requirements. verification to be exhaustive. Standard symbolic model checking approaches are either restricted to only a subset of Peano arithmetic, see Bultan et al (1997), or are concerned with Boolean input variables, as demonstrated by McMillan (1992). Standard explicit approaches to model checking already suffer from the state space explosion caused by the control-flow non-determinism and thus cannot scale to any considerable degree with the allowed ranges of input variables, as we showed in Barnat et al (2012). Hence the motivation for LTL verification of Simulink diagrams: it has the potential to replace testing in the design phase of software (or systems) development. In this sense, our work in Barnat et al (2012) succeeded only in part. In a tool-chain, and preceded by a tool to formalize pattern-based, human language requirements into LTL formulas, a model checker could provide similar results as testing for considerably smaller expenses. Yet the severely limited domains of input variables the standard model checking allows still enforce a test-like approach to correctness validation. Effectively, the developer still has to mechanically test (a smaller number of) instances of the same validation query with different (intervals of) input values. This paper meliorates the limitations of previous approaches by proposing a model checking technique that scales to arbitrarily large domains of input variables. Through the reduction of certain crucial operations required by the model checking process to Satisfiability Modulo Theories (SMT) queries, we have achieved a method for complete verification (for large but finite domains). Though the experiments were conducted on a relatively small Simulink model, they still convey the most important practical result: appropriately adapted model checking may be used to replace testing of safety-critical units as early as in the modeling phase of software development. 4 Petr Bauch et al. 2 Contribution We have first formalized the process of model checking of Simulink diagrams, building on the concept of set-based reduction of the underlying state space, proposed in Barnat and Bauch (2013). This reduction can significantly decrease the number of states, but does not lead to any reduction in the worst case. Also the representation used for the sets of variable evaluations determines the resulting complexity, which can differ exponentially for particular representations. We have implemented the set-based reduction using explicit sets as one representation and using bit-vector formulas as another representation. Explicit sets are exponential in both the number of variables represented and in their ranges, but allow simple implementation of state matching, i.e. deciding if two states represent the same evaluations. The representation using formulas is exponentially more succinct, but the state matching is a complex operation that requires deciding satisfiability (SAT) of quantified bit-vector formulas. Finally, the results of this paper show that (1) in the case of Simulink diagrams the set-based reduction is efficient, leading to exponentially smaller states spaces; (2) the representation using explicit sets allows fast verification but only for small ranges of variables; and (3) the representation using bit-vector formulas scales to arbitrary (bounded) ranges, though the state matching is resource expensive. In the terms of practical results, the proposed SAT-based verification is fully automated. Provided that the LTL specification and the Simulink model are available, the developer can demonstrate the correctness without any additional manual effort. This paper is an extended version of Barnat et al (2014) in the following aspects. We have expanded the related work section, comparing our work with the areas of module checking and symbolic transition graphs and we have also provided an extensive list of other methods combining explicit and symbolic approaches. Preliminaries to the theory of automata-based model checking are now less dense, to ease understanding for wider audience. Similar reasons lead to the addition of a Simulink diagram to Example 2: the reader can now follow its formalization into bit-vector formulas. The proof of correctness of the equality computation was added in full length, and there are also two new paragraphs describing the complexity aspects of the proposed algorithm. In order to further improve repeatability of our experiments we have extended the section on implementation with two examples of the generation of SMT files: the first is more general and leads to a query assessing the satisfiability of the path condition, the second then demonstrated how state equality via a quantified query can be encoded. Section 6 was added completely and presents further insight into the SAT-based representation and suggests what is the cause for its high computational complexity. Most importantly, Section 4.3 contains detailed description of the hybrid representation and the methodology behind combining explicit and SAT-based representations, which was in no part included in the conference version. Consequently, Section 5.2.3 is also completely new, and describes the experimental evaluation of the hybrid representation. Also Section 5.1 describing implemen- Title Suppressed Due to Excessive Length 5 tation and the Conclusion have been extended to describe the aspects of the hybrid representation relevant for these sections. The hybrid representation incorporates both the explicit and the symbolic representations, thus allowing to utilize the hidden limits of input values if these are present but can also cope with systems without anyhow restricted inputs. We consider this novel methodology to be the most important added value of this publication. 3 Preliminaries We assume the theory of bit-vectors (BV), a first-order theory where a bit width q is associated with every term. The universe of this theory is that of natural numbers whose binary representation uses at most q bits; we will denote this domain as bvq. The signature of BV subsumes Peano arithmetic – all operations are computed modulo q, as is common in many programming languages – and it also contains bit-level operations. The ability to precisely reason about computer arithmetic and the existence of efficient decision procedures are the two main reasons why BV is popular in automating both hardware and software verification. In the following we will assume notation similar to that of Kroening and Strichman (2010), i.e. a first-order evaluation ν maps a predicate p to a Boolean value: ν |= p; a function f is evaluated to ν[f ]; finally, ν / {x 7→ y} is ν except the variable x is now mapped to y. Let X be a set of bvq variables. Then we can define the LTL recursively as follows: Ψ ::= pX | ¬Ψ | Ψ ∧ Ψ | X Ψ | Ψ U Ψ, where pX is a BV predicate over the variables from X . A parallel program with t threads and with inputs, bvq variables I, can be modeled as a transition system M = (S, →, s0 ). There the states S are triplets ((l1 , . . . , lt ), ν : X → bvq, pX ∪I ), li are program locations of individual threads, ν is a BV valuation of variables and pX ∪I a path condition, i.e. a predicate stating the condition that would lead the execution to this state. The transition relation →⊆ S × Act × Con × S, where Act = {(x0 , fX ∪I ) | x ∈ X } (denoting an update to x) and Con is the (x0 ,fX ∪I ) set of predicates over X , will be denoted as s −−−−−−→ s0 . pX Let πi be the standard projection functions, then a run of M is an in(x0 ,f ) finite sequence w = s0 , s1 , . . ., where for all i ∈ N: si −−−−→ si+1 and for p pˆ = p[x/π2 (si )(x)] it holds that π3 (si+1 ) = π3 (si ) ∧ pˆ is satisfiable; finally we need to change the valuation of x: π2 (si+1 ) = π2 (si )/{x 7→ π2 (si )[f ](π2 (si )(x))}. A run w satisfies an LTL formula Ψ , w |= Ψ : w w w w w |= p |= ¬Ψ |= Ψ1 ∧ Ψ2 |= X Ψ |= Ψ1 U Ψ2 iff iff iff iff iff π2 (w(0)) |= p, w 6|= Ψ, w |= Ψ1 and w |= Ψ2 , w1 |= Ψ, ∃i∀j < i : wj |= Ψ1 , wi |= Ψ2 . 6 Petr Bauch et al. Where w(i) is the i-th state of w and wi = si , si+1 , . . . the i-th suffix. Every LTL formula Ψ can be translated into a B¨ uchi automaton AΨ = (S, →, F ), where →⊆ S × Con × S and F ⊆ S is the set of accepting states. For AΨ it holds that a run w of M satisfies Ψ if there exists a run w0 = s01 , s02 , . . . in AΨ such that ∀i ∈ N, s0i − → s0i+1 we have π2 (si ) |= p and infinitely many states of p w0 are in F . One can construct a product of M and AΨ , where the only runs are those satisfying Ψ . (Then the states are still triples only the sequence of program locations is longer by one, lt+1 denoting the state of AΨ .) It follows that deciding whether M satisfies Ψ can be reduced to locating cycles with accepting states in such a product. Note that under this definition, which is very similar to that of Lin (1996), both sources of non-determinism that occur in parallel programs – the interleaving of threads and the evaluation of input variables – are represented explicitly. In symbolic execution, initiated by King (1976), the transition system is unfolded (acyclic and infinite), S is thus a multi-set and the second component of a state is a set of possible evaluations, represented symbolically (every x ∈ X is associated with a BV function over I). In Barnat and Bauch (2013) we have proposed a set-based reduction of M, where two states are equal if they have the same sequence of program locations and their sets of evaluations are the same. Hence the set-based reduction extends the approach of symbolic execution by allowing the detection of accepting cycles, and consequently, verification of LTL properties. Example 1 The figure bellow depicts a program with input on the left-hand 1:read a; 2:if(a>5) 3: a++; 4:else 5: a--; (0, (a, 0), >) (a0 , ι1 ) (1, (a, ι1 ), >) a≤5 a>5 (2, (a, ι1 ), ι1 > 5) (a , a + 1) (3, (a, ι1 + 1), ι1 > 5) 0 (4, (a, ι1 ), ι1 ≤ 5) (a , a − 1) (5, (a, ι1 − 1), ι1 ≤ 5) 0 side and its associated transition system on the right-hand side. The set of evaluations (of the one variable a) is represented symbolically, as a function over input symbols from I, here only ι1 . 4 4 Methods We start by formalizing the Simulink diagrams, presented in the introduction. There are several specific details of Simulink diagrams with respect to the general programs with inputs presented above, which may simplify the verification Title Suppressed Due to Excessive Length 7 and thus need to be pointed out in detail. Also, until specified otherwise, the logical system used in our description is the quantifier-free fragment of BV with the bit-width q, i.e. over sort bvq (although constants are written in the decimal system). A state of a Simulink system is described by the evaluation of delay variables, X = {d1 , . . . , dm }, where their values for the next iteration are given by a function fX ∪I , denoted as δi . There is a finite number of input variable templates, I = {i1 , . . . , in }, which can be read iteratively, but for each there are bit-vector constraints limiting its possible evaluation (represented by a predicate pI , denoted as ιi ). Finally, the complete description of a system also requires the outport functions O = {σ1 , . . . , σk } (each of which is fX ∪I ). On the side of the specification, we will abstract the given B¨ uchi automaton to only the predicates pX ∪I∪O labeling its transitions, Φ = {ϕ1 , . . . , ϕl }, and assume that the transition system, the order in which the predicates occur, is given implicitly. Hence the example below contains all the information needed for a Simulink diagram verification query Q = (X , I, O, Φ). Example 2 Let Q1 = (X , I, O, Φ), where X = {d1 , d2 } o2 δ1 : (i1 + d1 ) ∗ (i2 + d2 ) δ2 : d1 O = {σ1 , σ2 , σ3 } ite σ1 : max(i1 , i2 , i3 ) σ2 : ite (i1 > 7) d1 d2 σ3 : d1 + i3 d2 d1 > 7 I = {i1 , i2 , i3 } + ∗ + i1 i2 i3 max o1 ι1 : 1 ≤ i1 ≤ 20 ι2 : 3 ≤ i2 ≤ 5 ι3 : 5 ≤ i3 ≤ 10 Φ = {ϕ1 , ϕ2 } ϕ1 : σ2 > 3 ∨ i1 ≤ σ1 /2 ϕ2 : σ1 = σ2 ⇒ i2 ≤ 4 4 As mentioned above, the states of a Simulink transition system are sets of evaluations of the variables from X . The initial state consists of a single evaluation {di 7→ 0}. Let I = {x := {ij 7→ y} | x |= ιj } be the |I|-dimensional polyhedron of allowed inport evaluations, for Q1 it would be {1..20} × {3..5} × {5..10}. Then, computing every transition consists of three steps: 1. compute the Cartesian product (of this state) with I: results in a set of evaluations of variables from X ∪ I; 8 Petr Bauch et al. 2. create a new state, initialized with the above set of evaluations, for every available specification formula ϕ (there can be more that one, hence the transition system may branch at this point) and remove those evaluations that do not satisfy ϕ; 3. apply δ functions to compute the new evaluations of X . Assuming that the computation is in state s, represented as the evaluation of delay variables, and that the relevant transition is associated with a specification ϕ, then s0 = {x := {di 7→ v[δi ](v(d), v(i))} | v ∈ s × I ∧ x |= ϕ} is the resulting state. The system can reach a deadlock if there is no such v ∈ s × I for which {di 7→ v[δi ](v(d), v(i))} |= ϕ. The model checking process computes the graph of the Simulink computation, where identical states are unified, i.e. if a newly generated state s00 (as a successor of s) is found equal to an already existing state s0 , then s00 is discarded and s0 is acknowledged as a successor of s. For the purpose of providing the user with counterexample traces, the states also contain an |I|-long sequence of inport values that satisfies the specification condition. But that is easily implementable, and will only be mention if a significant change in the computation was necessary to incorporate the counterexample traces. Example 3 We continue with the query Q1 from Example 2 and simplify the notation by establishing two transformations. First, ϕei maps a set of evaluations of X ∪ I to that subset where every evaluation satisfies ϕi , formally e maps a set of the same A ⊆ bvqX ∪I 7→ {x ∈ A | x |= ϕi }. Second, ∆ evaluations to evaluations of X , after the δ functions have been applied, hence A ⊆ bvqX ∪I 7→ {{di 7→ x[δi ]} | x ∈ A}. Hence a part of the transition system of Q1 is as follows: e◦ϕ s01 = ∆ f1 (s0 × I) s0 = {di 7→ 0} e◦ϕ e◦ϕ s011 = ∆ f1 (∆ f1 (s0 × I) × I) e◦ϕ s02 = ∆ f2 (s0 × I) e◦ϕ s012 = ∆ f2 (s01 × I) Concretely, the set s0 × I has 360 elements. ϕ f1 (s0 × I) and ϕ f2 (s0 × I) have 63 and 315 elements, respectively; s01 has 12 elements and s02 has 45 elements. For example s01 = {(3, 0), (4, 0), (5, 0), (6, 0), (8, 0), (9, 0), (10, 0), (12, 0), (15, 0), (16, 0), (20, 0), (25, 0)}. 4 The process described so far produces a transition system, where the states are evaluations of delay variables and a location of the B¨ uchi automaton, and the branching is given by that same automaton. Without going into details with respect to the product of program and its specification – where we went in the previous section – the answer to a verification query Q is equivalent to the presence of accepting cycles in the produced transition system. The efficiency Title Suppressed Due to Excessive Length 9 of answering a verification query, the complexity of Simulink model checking, is most noticeably influenced by the choice of how to represent the sets of evaluations. That is the biggest contributor to the state space explosion, since, unlike in parallel programs, the control-flow non-determinism is negligible in Simulink models. 4.1 Verification with Explicit Sets The first representation considered in this paper stores the allowed evaluations in an explicit set, enumerating all possible combinations of individual variable evaluations. This approach is closely related to the one we proposed in Barnat et al (2012) but improves on it in several aspects. Effectively, rather than repetitive executions for every evaluation of both inport and delay variables, we only represent the delay variables in an explicit evaluation; the inport variables are stored purely symbolically, only as their constructing predicates ιj , outside individual states. The above description of Simulink verification semantics justifies this optimisation, since the inports are only used for the evaluation of Φ predicates from the specification. They are discarded during e transformation, and can be recovered using an inverse transformation if the ∆ necessary, e.g. during counterexample generation. The implementation itself is then a relatively straightforward extension of the purely explicit approach. The states enumerate every allowed evaluation and thus a separate access to each of these evaluations is permitted. Computing the Cartesian product with I amounts to enumerating all combinations of e transformations, one delay and inport variable evaluations. For the ϕ e and ∆ iteratively considers individual evaluations and removes those not satisfying ϕ and applies the δ function, respectively. Most importantly, however, deciding equality of states is possible on the level of syntax: two states are the same if their representations in memory match. Verification with explicit sets clearly retains the biggest limitation of the purely explicit approach, i.e. the spacial complexity grows exponentially with the ranges of inport variables. We will postpone the discussion of the comparison between the explicit set approach and the purely explicit approach until Section 5.2 and only remark that while the improvement is considerable, it does not allow specification of ranges with respect to their bit-width. That ability appears to require a symbolic representation and we continue our analysis towards temporal verification of Simulink models with a method which uses BV formulas and the satisfiability modulo theories (SMT) procedures for this theory. 4.2 SAT-Based Verification The need to iteratively read from inputs via the inport variables complicates the otherwise relatively straightforward application of symbolic execution. Later we 10 Petr Bauch et al. will show that the execution-based approach, where current values of variables are represented as symbolic functions over input variables, entails another complication in deciding state equality. In standard symbolic execution, the variables are initialized to an arbitrary value only once, at the beginning. Thus reading from inports requires to strengthen the standard symbolic execution to allow computation with potentially infinite number of input variables. Henceforth, only the inport variables are considered as first-order variables, the delays and outports are only functions in the BV theory (over inport variables). The inports are history-dependent and thus one may label the symbols from I to stand for the inport variables, i.e. I 0 , I 1 , I 2 and so on. Given that the only branching in the transition system is caused by the particular choice of a specification transition, the states can be represented as l-long sequences of numbers ρ = (r1 , . . . , rl ), where l is the length of this computation. Each number in this sequence represents which specification formula was selected in the respective branching of the computation. Indeed, the functions representing delays δ l , outports σ l and the specification predicates ϕl are unambiguously defined for each l recursively as follows: δ 0 = δ[ij /i0j , dj /0], σ 0 = σ[ij /ilj , dj /0], ϕ0 = ϕ[σj /σj0 , ij /i0j , dj /0], l δ l+1 = δ[ij /il+1 j , dj /δj ]; l+1 l+1 σ = σ[ij /ij , dj /δjl ]; l ϕl+1 = ϕ[σj /σjl , ij /il+1 j , dj /δj ], (1) where f [x/y] is the formula f with every occurrence of x replaced by y. Hence every formula at any point of the verification computation uses only the inport variables decorated with history indices. As mentioned above, the system reaches a deadlock if no value satisfies the specification formula. Let the computation be in a state represented by ρ and the outgoing transition labeled with formula ϕp . Then checking whether this transition leads to a deadlock is equivalent to checking satisfiability of the following recursive path condition formula, where is an empty sequence: V pc() = 1≤j≤|I| ι0j , V |ρ|+1 |ρ|+1 pc(ρ.p) = pc(ρ) ∧ 1≤j≤|I| ιj ∧ ϕp . Also note that the model of this formula, the satisfying evaluation of inport variables, is a counterexample trace (one of them to be precise) which the SMT solver can generate while deciding the satisfiability. Finally, to complete the verification process, one needs to be able to decide if two states are the same. Let ρ and ρ0 be two states, of which it needs to be assessed whether they are identical, i.e. if the sets of possible evaluations of |ρ| the delay variables are the same. Then the function δj represents the possible 0 values of dj in ρ, provided that |= pc(ρ) ∧ pc(ρ ), i.e. both path conditions are satisfiable. However, the δ functions represent the current values of delays by the means of inport variables, describing to what evaluation of delays does a particular combination of inputs lead. The states ρ, ρ0 may not be of the same length and thus may differ in the number of inputs. Consequently, comparing two states amounts to comparing the images of the δ functions, i.e. comparing Title Suppressed Due to Excessive Length 11 Algorithm 1: Successor generation Input : storage of seen states S; state s; specification automaton AΦ Output : S0 where all successors of s have been correctly added ϕ 1 2 3 4 5 6 7 8 9 10 11 12 13 14 foreach ϕi , b0 such that exp(s) →i b0 ∈ AΦ do ρ ← sym(s).i if SAT QFBV(pc(ρ)) then seen ← false foreach s0 ∈ S such that exp(s0 ) = b0 do ρ0 ← sym(s0 ) if SAT QBV(ψ(ρ, ρ0 )) then s0 is a successor of s seen ← true break if ¬seen then exp(s00 ), sym(s00 ) ← b0 , ρ S0 ← store(S, s00 ) s00 is a successor of s the sets of possible evaluations. We will continue this argument in Section 6 and for now simply state the quantified version of ψ(ρ, ρ0 ) := Ψρρ0 ∨ Ψρ0 ρ – a formula which is satisfiable iff ρ and ρ0 are two different states: Ψρρ0 : pc(ρ) ∧ (∀y1 , . . . , y|ρ0 |∗|I| )(pc(ρ0 )[i0b a /ya∗b ] ⇒ W|X | |ρ| |ρ0 | 0b δ = 6 δ [i /y ] . a∗b a j j=1 j Put together the SAT-based verification of Simulink works as shown in Algorithm 1 – we only describe generation of one successor of a state s, the rest is the same as in standard model checking. That is, a particular accepting cycle detection algorithm traverses the state space by the means of successor generation. Given that the states already visited are known, a property that has to be preserved by any implementation of successor generation, the model checking process is indeed similar to the standard explicit model checking, described for example by Vardi and Wolper (1986). The functions in the teletype font have their expected meaning, i.e. sym and exp return the symbolic and explicit part of the state given as their parameter. As described in Section 3, the symbolic part is the set of evaluations of input variables (here succinctly represented as the sequence of specification formulas indices) and the explicit part is the control state (here only the state of the B¨ uchi automaton is relevant). One interesting observation is that the search for equivalent states (cycle on lines 5–10) is in standard model checking a constant time operation, using a hashing function. But our approach prohibits hashing because a representation using BV function is not canonical, leading to identical states with different hashes. The explicit part, which is canonical, is used (line 5) for a partial hashbased search, thus the body of the cycle only considers states with the same 12 Petr Bauch et al. explicit part. Hence the inner cycle computes the linear search among states with a common explicit part, where each comparison requires calling the state matching procedures (line 7), i.e. deciding satisfiability of the quantified formula ψ. Correctness and Complexity : One thing that may not be obvious, and which is crucial when arguing correctness is that the proposed equality of states using the function ψ is correct with respect to the semantics of Simulink diagrams, i.e. ∀ρ, ρ0 : ψ(ρ, ρ0 ) ⇔ sρ 6= sρ0 . This can be easily reduced to Ψρρ0 ⇔ sρ 6⊆ sρ0 and similarly for the other inclusion. Furthermore, Ψρρ0 ⇔ ∃x.x ∈ sρ ∧ x ∈ / sρ0 and |κ| 1 x ∈ sκ ⇔ ∃j11 , . . . , j|I| , j12 , . . . , j|I| .x = d(κ, J1 , . . . , J|κ| ), l where Jl unrolls to j1l , . . . , j|I| and |X | e◦ϕ e g d(<a1 , . . . , an>, J1 , . . . , Jn ) = ∆ g , J1 }) . . . × {Jn }). an (. . . ∆ ◦ ϕ a1 ({0 |κ| 1 One then only needs to show that ∀j11 , . . . , j|I| , j12 , . . . , j|I| if pc(κ)[iab /jba ] then |κ| |κ| <ν[δ1 [iab /jba ]], . . . , ν[δ|I| [iab /jba ]]>= d(κ, J1 , . . . , J|κ| ). That can be done by induction on the length of κ. For the base case we have n+1 that for arbitrary interpretation ν, ν[δi0 ] = 0 = πi (d()). Assume j1n+1 , . . . , j|I| are in some ν evaluated such that ϕk [ia /jan+1 ]. Then ∀1 ≤ l ≤ |X | it holds that e◦ϕ ν[δl [ia /jan+1 , da /πl (d(κ, J1 , . . . , Jn ))]] = πl (∆ fk (d(κ, J1 , . . . , Jn ) × {Jn+1 })), which finally equals πl (d(κ.k, J1 , . . . , Jn+1 )). Having established the correctness of the ψ function, i.e. equivalence among states that represent sets of variable evaluations, the rest follows from the correctness of the set-based reduction, which we proved in Barnat and Bauch (2013). The complexity of the process is much more difficult to establish. On the one hand, the set-based reduction may, in the worst case, lead to no reduction at all. This closely relates to computation of the fix points of operations on program cycles, which is discussed in detail by Lin (1996); Hungar et al (1995) among others. The reader should note, however, that in the case of the Simulink diagram and the verified properties used in our experiments this phenomenon did not occur. In fact the transition systems were exponentially smaller than in the case when no reduction was used. On the other hand, even with exponentially smaller state spaces, every instance of state matching requires decision of satisfiability in the quantified BV theory. That is asymptotically equivalent to satisfiability of quantified Boolean formulas, and thus NEXPTIME-complete, as proved by Wintersteiger et al (2013). Given the results of our experiments (Section 5.2), this high complexity does not prevent from practical use, since many of these decision instances are in fact trivial. Title Suppressed Due to Excessive Length 13 4.3 Hybrid Representation Although the SAT-based representation already achieves viable results for the real-world Simulink model we have experimented on, there is still space for further improvement. In some sense, both explicit and SAT-based representations carried out an excessive amount of work in testing all possible input values. There may be a large number of values that the Simulink engineers did not intend to use, yet this information was not included into the model: either intentionally or because the language does not permit other than interval constraints. Such tacit knowledge may be inferred and utilized to accelerate the verification process. Assume that we want to generate the successor ρ0 of a state ρ, represented V|X | |ρ| as a conjunction of BV terms j=1 δj and the accumulated path condition pc(ρ), using a transition guarded by ϕ. A single evaluation of delay variables belonging to the successor can be obtained by reading the satisfiability model of the formula |X | ^ |ρ| dj = δj ∧ pc(ρ.ϕ). j=1 A satisfiability model is an evaluation of all free variables that satisfies the formula. The input variables can be ignored but we will store the evaluation of delay variables as a sequence d1 =<d11 , . . . , d1|X |>. Now we can extend the above formula to |X | ^ j=1 |X | dj = |ρ| δj ∧ pc(ρ.ϕ) ∧ _ dj 6= d1j , j=1 whose satisfiability model (provided the formula is still satisfiable) contains evaluation of delay variables d2 different from d1 . This processes can be repeated until the resulting formula η (Formula 2 below) becomes unsatisfiable, at which point we have all satisfying evaluation, and thus the explicit representation of the successor ρ0 . There are several notes to be made regarding the above procedure. It is clearly impractical in cases when there are many evaluations forming ρ0 . Yet in many cases the Simulink design permits only a very small number of evaluations. The procedure is intended to be a heuristic: detecting that only few evaluations are admissible or reverting to the classical, symbolic representation. Such detection can be implemented by setting a user-specified threshold thr on the number of evaluations. It immediately follows that using this heuristic will require the ability to switch from symbolic to hybrid representation and vice versa. In the general case, the hybrid state comprises of a pair: the accumulated path condition pc and a non-empty set of delay evaluations D = {d}i . We can assume D to be non-empty because, initially, D = {<0, . . . , 0>} and with every computation step the evaluations in D are either replaced with new evaluations D0 or the path condition is extended (in which case D remains unmodified). The 14 Petr Bauch et al. first case occurs when the successor contains less than thr values, |D0 | < thr and η is unsatisfiable, and the hybrid successor state is < true, D0 >. The second case occurs when |D0 | ≥ thr, the successor is <pc.ϕ, D>, where ϕ is the transition guard. We are now ready to formulate the formula η, employed in the generation of successor evaluations: |D 0 | |X | |X | η: ^ dj = |ρ| δj ∧ pc(ρ.ϕ) ∧ j=1 ^ _ dj 6= dkj . (2) k=1 j=1 The hybrid representation thus maintains invariant the property that a state is formed by a certain concrete evaluation of delay variables D and a symbolic path condition, consisting of n formulas. This state, however, represents the result of a computation of n + m steps, where the effect of the first m steps is precisely represented and stored in D. The only modification of the preceding SAT-based verification required to incorporate hybrid representation is an additional set of formulas restricting the initial delay evaluations. More precisely, the set of recursive equations from Definition 1 has to be preceded by |D| |X | _ ^ d0 = dkj . k=1 j=1 The size of D is initially 1 and never grows above thr: if the successor state contains more than thr values of delays – a fact which is automatically deduced – the verification proceeds with the symbolic representation. Yet whenever the successor contains at most thr values, our hybrid representation becomes fully explicit, succinctly representing the complete information about the system’s computation up to this point. 5 Results We report the results of the verification of the VoterCore diagram, which was partly presented in Section 1: the figure shows one third of the whole diagram, the other two thirds are connected via the c3 constant. This diagram was selected for two reasons: (1) the operations that must be computed during state space traversal are sufficiently complex to demonstrate the strength of SMT, (2) the diagram itself is reasonably simple so that scalability compared to other approaches can be demonstrated. Note that even though this diagram comes from a real-world development, it does not represent the full model used in the design phase. It was identified as a crucial unit and extracted manually for verification purposes. The above mentioned diagram was verified against three LTL specifications: φ1 : G (sd23 > 1 ∧ ¬sv1 ) ⇒ sm1 ; φ2 : G(pm1 ⇒ G pm1 ); φ3 : G(sm1 ∧ Xsm1 ∧ XXsm1 ∧ XXXsm1 ⇒ XXXpm1 ), Title Suppressed Due to Excessive Length 15 where the model satisfied φ1 , and φ2 , but was incorrect with respect to φ3 . The previous, purely explicit solution, which we described in Barnat et al (2012) and refer to it here as expl, is compared with the two solutions proposed in this paper: verification using explicit sets (set) and the SAT-based verification (sat). Finally, the hybrid representation (hyb) is compared to sat on a set of experiments using the same model but focusing also on a collection of extreme cases, where sat behaved poorly. 5.1 Implementation Both explicit-set and SAT-based approaches to verification of Simulink diagrams were implemented2 in a clone of the DiVinE verification environment, which already supported these diagrams as input, in the form of CESMI intermediate language (see Barnat et al (2013) for details). The implementation of set is a relatively straightforward extension of expl: instead of keeping the evaluations in separate states there are fewer multi-states for every explicit control state. Furthermore, only the delay variables are represented; the inport variables are stored separately only once for the whole diagram. The implementation of sat first needed the expressions represented by Simulink blocks to be translated into BV formulas. Algorithm 1 demonstrates how to implement the model checking process, with a function for generating successors, using syntactic substitution. Initially, the state matching was implemented exactly as described, where only the inport variables were quantified. But the experiments revealed that much better verification times can be achieved when all variables are quantified and the substitution is not recursive, but uses only the previous history version of a particular variable. At least for the Z3 de Moura and Bjørner (2008) solver, this leads to better results. Communication with the SMT solver is facilitated by the SMT2 Barrett et al (2010) format, and thus any solver of quantified BV theory could have been used; to the best of our knowledge, however, Z3 Wintersteiger et al (2013) is the only one at this time. As mentioned in Section 3, the states comprise of two parts: explicit and symbolic. The explicit part contains, most importantly, the state of the B¨ uchi automaton and the model checker uses hashing on this part of a state to partially solve the state matching. The symbolic part contains the path condition vector and must be excluded from hashing. During successor generation, the path condition of the original state (in a conjunction with a formula labeling the B¨ uchi automaton transition) is tested for satisfiability. The resulting formula does not contain quantifiers, and thus a decision procedure for quantifier-free BV is sufficient: line 3 of Algorithm 1. The SMT2 file communicating the request would then be as follows: (set-option :produce-models true) (set-logic QF BV) 2 Code available at http://anna.fi.muni.cz/~xbauch/code.html#simulink. 16 Petr Bauch et al. (declare-fun a0x0 () ( BitVec 4)) (declare-fun a1x1 () ( BitVec 4)) (declare-fun a12x1 () ( BitVec 4)) ... (assert (= a0x0 #x0)) (assert (and (bvuge a1x1 #x0)(bvule a1x1 #x3))) (assert (= a12x1 (ite (bvuge (bvadd (ite (or (bvugt a1x1 #x1) (not (= a2x1 #x1))) #x1 #x0) (ite (bvult (ite (or (bvugt a1x1 #x1) (not (= a2x1 #x1))) a0x0 #x0) #3) (ite (or (bvugt a1x1 #x1) (not (= a2x1 #x1))) a0x0 #x0) #x3)) #x3) #x1 #x0))) ... (assert (and(= a12x1 #x1)(= a12x1 #x0))) (check-sat) (get-value (a1x1 a2x1 a4x1 a5x1 a7x1 a8x1)) where the variables a0x0, a1x1, and a12x1 are examples of delay, inport, and outport variables, respectively; also the xi suffix denotes the history index. The third line from the end is the current path condition: the algorithm is generating successors of the first state, thus only one specification formula is present. Finally, the last line requests the model of the system of formulas: the inport variables evaluation for counterexample generation. State matching, on the other hand, leads to a formula in quantified BV, see line 7 of Algorithm 1, and adequately powerful solver needs to be used. The following fragment shows the interesting part of the communicated SMT2 file: (assert (forall ((b0x0 Full)(b3x0 Full)(b6x0 Full)) (=> (and (= b0x0 #x0) (= b3x0 #x0) (= b6x0 #x0)) (or (distinct a0x1 b0x0) (distinct a3x1 b3x0) (distinct a6x1 b6x0))))) where Full is the domain of delay variables (ai and bi refer to the same variables in different states). Note also that the algorithm allows comparison between delay variables with different history indices, i.e. those from states represented by path conditions of unequal length. Hybrid Representation Implementation: With regards to the hybrid representation of Section 4.3, there are two interesting implementation details: the generation of delay values using SMT queries and the modification of searching among known states. Other than these two changes, both path condition satisfiability and state matching have to be extended with the enumeration of initial delay values: (assert (or (and (= a6x0 #x0) (= a7x0 #x0) (= a8x0 #x0)) (and (= a6x0 #x0) (= a7x0 #x0) (= a8x0 #x1)) (and (= a6x0 #x0) (= a7x0 #x0) (= a8x0 #x2)) )) which are then referenced in expressions for other Simulink variables (and possibly delays with higher history index). These initial delays are the only variables with history index zero and they retain it throughout the computation. This is justified because the length of the computation represented symbolically is equal to the length of the pc sequence, thus we can always label the Simulink variables with the correct index. The generation of delay values is an extension of the path condition satisfiability checking: there as well has to be the enumeration of initial delay values but instead of collecting the values of input variables from the satisfiability Title Suppressed Due to Excessive Length 17 model, we are interested in the values of delays. These values are stored and later used in subsequent queries so that the enumeration could be exhaustive. The interesting part of the query would thus have the following structure: (assert (and (or (distinct a6x2 #x0) (distinct a7x2 #x2) (distinct a8x2 #x7)) (or (distinct a6x2 #x3) (distinct a7x2 #x0) (distinct a8x2 #x0)) )) (check-sat) (get-value (a6x2) (a7x2) (a8x2)) which instruments the SMT solver to check satisfiability of the path condition using only such inputs whose evaluation leads to any value of delays different from those explicitly enumerated. Storing delay evaluations explicitly in the hybrid representation provides a very important property for model checking and that the representation is canonical. Hence the slow linear search on lines 5–10 of Algorithm 1 may be replaced with an effectively constant time hash-based search. Given that the states are completely represented by the delay evaluations, moving these evaluations into the explicit part of the state suffices to implement such hashbased search. Only those states with path conditions consisting of at least one formula would need to be distinguished using the above SMT queries and only among themselves. Two states <pc, D > and <pc0 , D0 > can only be equal if |pc| = 0 ⇔ |pc0 | = 0, i.e. if either both have been exhaustively concretized in the previous step or neither of them. Since two equal states must contain the same number of possible delay evaluations, it follows that the generating procedure would either report that there are more than thr values or successfully enumerate both states. 5.2 Experiments Similar execution conditions were chosen for the comparison between the purely explicit approach (unmodified DiVinE) and the new hybrid approaches: the codes were compiled with optimisation option -O2 using GCC version 4.7.2 and ran on a dedicated Linux workstation with quad core Intel Xeon 5130 @ 2GHz and 16GB RAM. Given that DiVinE uses on-the-fly verification – the traversal terminates when an accepting cycle is detected – the progression of the verification process is prone to vary. Furthermore, parallel algorithms tend to differ in the runtime between individual executions, hence we have executed every experiment 10 times and report the average of those. 5.2.1 Purely Explicit versus Explicit Sets The 6 plots in Figure 2 contain all the measured experiments: the left-hand side reports time results and the right-hand side reports space results; each row refers to experiments against different temporal specification φ1 , φ2 , and φ3 described above. Each plot has the range of inport variables placed on the linear x-axis and either time or space on the logarithmic y-axis. The crucial observation to be made from the figures is that the set experiments scale 18 Petr Bauch et al. 1000 Space (kB) 100 Time (s) 1e+07 expl-seq expl-par set-seq set-par 10 1 0.1 1 2 3 4 5 6 7 8 expl-seq expl-par set-seq set-par 1e+06 100000 10000 9 1 2 3 Range of variables 4 5 6 7 8 9 7 8 9 7 8 9 Range of variables (a) Verification complexity for property φ1 1000 Space (kB) 100 Time (s) 1e+07 expl-seq expl-par set-seq set-par 10 1 0.1 1 2 3 4 5 6 7 8 expl-seq expl-par set-seq set-par 1e+06 100000 10000 9 1 2 3 Range of variables 4 5 6 Range of variables (b) Verification complexity for property φ2 1000 Space (kB) 100 Time (s) 1e+07 expl-seq expl-par set-seq set-par 10 1 expl-seq expl-par set-seq set-par 1e+06 100000 0.1 0.01 1 2 3 4 5 6 7 8 9 Range of variables 10000 1 2 3 4 5 6 Range of variables (c) Verification complexity for property φ3 Fig. 2: Plots that report the results of the VoterCore Simulink diagram verification, comparing the purely explicit approach (expl) with the approach that uses explicit sets of variable evaluations (set). The sequential verification (-seq) is compared with the parallel verification (-par) which used four processor cores. The range z of input variables on the x-axis corresponds to the domain {0 . . . z}. The expl experiments had a time-out limit of 1000 seconds and a memory limit of 10GB. For example the unreduced state space of range 5 has 375000 states and 500 million transitions. with the range of variables much more effectively than expl experiments. This observation, however, is obfuscated by two phenomena: the difference between parallel and sequential algorithms (treated in the next paragraph) and the results for property φ3 . The VoterCore system is not a model of φ3 and hence Title Suppressed Due to Excessive Length 19 there is an accepting cycle in the system. On-the-fly verification enables very fast detection in some cases (when the cycle is near the initial state) and thus the expl experiments are better on smaller ranges (though the time and space are negligible for both approaches), because for set experiments the generation of every successor involves nontrivial amount of computation. The difference between parallel and sequential algorithms used in the experiments deserves placing under closer scrutiny. Parallel algorithms (expl-par and set-par in the plots) employ breadth-first search unlike sequential algorithms (expl-seq and set-seq) that employ depth-first search. Given that the resulting transition system is very shallow (the longest paths have approx. 20 edges) and at the same time extremely wide (the data-flow explosion causes each state to have many successors), the depth-first approach has a considerable advantage with respect to the space complexity. This can be observed on all the right-hand side figures for expl experiments, yet the set experiments cannot profit from the same phenomenon: the data-flow explosion of the number of successors was transformed into the complexity of their generation, which is common to both parallel and sequential approaches. Hence while retaining the parallel scalability (par experiments use all four processor cores) in time, in space the set experiments demonstrate superiority only compared to par experiments. (φ1 experiments are anomalous because the property transition system has no branching and thus set experiments traverse a linear system and cannot scale in parallel even in theory.) 5.2.2 Explicit Sets versus SAT-Based Verification The next 6 plots in Figure 3 compare the two approaches proposed in this paper. The setting is exactly the same as before, except this time we do not include the results of parallel verification not to obfuscate the main message. Most importantly, for the VoterCore diagram and for domains of input variables larger than approximately 40, the SAT-based representation surpasses the one using explicit sets. The plots only report a part of the experiments, the limit on the x-axis is artificial so that the phenomena before the range of 40 remain clear. In fact the sat experiments continued to a range corresponding to the domain 0 − 232 of standard unsigned integers, which degraded the time performance at most twice compared to, for example, the range 10. Furthermore, the spacial requirements of such verification were almost negligible for arbitrary range, rarely higher than 500 MB. For very small ranges of variables, strictly smaller than 40, the spacial requirements of the set approach are tolerable and the time complexity is better than that of the sat approach. The outstanding spikes in the complexity of sat also deserve further explanation. They correspond to ranges 2n − 1 for some n. We postulate that this relates to the specific procedure that Z3 uses to decide satisfiability of quantified BV formulas. The precise explanation would probably require a detailed exposition of the functioning of the particular decision procedure employed in Z3, and we encourage the interested readers to follow it in Wintersteiger et al (2013). The high level process in fact incorporates a model 20 Petr Bauch et al. 10000 1e+07 sat set sat set Space (kB) Time (s) 1000 100 10 1 100 101 102 103 104 105 106 107 108 109 Range of variables 1e+06 100000 10000 100 101 102 103 104 105 106 107 108 109 Range of variables (a) Verification complexity for property φ1 10000 1e+07 sat set sat set Space (kB) Time (s) 1000 100 10 1 100 101 102 103 104 105 106 107 108 109 Range of variables 1e+06 100000 10000 100 101 102 103 104 105 106 107 108 109 Range of variables (b) Verification complexity for property φ2 10000 1e+07 sat set sat set 100 10 1 100 101 102 103 104 105 106 107 108 109 Range of variables Space (kB) Time (s) 1000 1e+06 100000 10000 100 101 102 103 104 105 106 107 108 109 Range of variables (c) Verification complexity for property φ3 Fig. 3: Plots that report the results of VoterCore Simulink diagram verification, comparing the representations based on explicit sets (set) and BV formulas (sat). The range z of input variables on the x-axis corresponds to the domain {0 . . . z}. The set experiments had a memory limit of 10GB. checking of quantifier instantiations, guided by previously tried unsuccessful counterexamples. It appears that limiting the range to a value very close to 2n forces a larger number of wrong instantiations. Title Suppressed Due to Excessive Length 21 5.2.3 Evaluation of the Hybrid Representation As will become clear once the results pertaining to the verification using hybrid representation (hyb) are presented, there is no need to compare it with the explicit verification. Both time and space requirements of hyb are lower than the respective requirements of expl, except on the most trivial instances. Yet the theoretical comparison of the two approaches is particularly interesting because the states themselves have exactly the same representation, i.e. explicit enumeration of delay variable evaluations. The only difference is in the process by which these evaluations were generated. Unlike in expl where we have to test all evaluations of inputs to see which delay evaluations they produce, in hyb we only employ those combinations of inputs for which we know that they will produce different delays. This knowledge about the Simulink system is obtained using further SMT queries, and may by itself help the designer in validation that the modeled system is the one intended. The plots in Figure 4 compare the purely symbolic and the hybrid representations with respect to the verification time. (We are not comparing the spacial requirements because they were negligible in sat already and in hyb the peak memory consumption never surpassed 6MB.) The timing results for sat are exactly the same as in Figure 3, only here we intentionally pinpoint the difficult domain sizes, i.e. the cases when input ranges are 0 − (2n − 1). The SMT solver struggles in these cases if it must produce a proof of unsatisfiability for a quantified query. We hypothesize that this phenomenon is caused by the model-based instantiation of quantified variables, used as one of the techniques in Z3. Setting the upper bound of input range this close to the limit posed by the fixed bit width seems to force the instantiation to choose from a larger set of values, before the solver can deduce unsatisfiability. It may thus be possible to modify the solver to achieve better results, and we are presently investigating this possibility. What these plots immediate show is that the undesirable behavior on difficult domain sizes was completely eliminated with the employment of hyb. Even though it occurred in a logarithmic number of cases, it would still be very unpleasant if the system designer chose such a case. Disregarding these extreme cases, with hyb we have achieved 2.4, 6.7, and 2.5 speedup for the three verified properties respectively. With the new representation, the verification process scales even better and the complexity is in fact only dependent on the number of steps needed to resolve the verification query. On the other hand, the complexity of individual SMT queries in hyb does not grow with the number of steps. It is not the case for sat, where the number of quantified variables is directly related to the length of the current path condition. Hence the difference in speedups for the three verified properties: checking ϕ2 required building a state state space with the longest path twice the length as for the other properties. We thus conclude that for more complex systems and in cases when hyb is applicable, as discussed in Section 4.3, it would produce even better speedup when compared to sat. 22 Petr Bauch et al. Time (s) 1000 sat hyb 100 10 1 20 22 24 28 216 Range of variables 232 (a) Verification complexity for property φ1 Time (s) 10000 sat hyb 1000 100 10 20 22 24 28 216 Range of variables 232 (b) Verification complexity for property φ2 Time (s) 10000 sat hyb 1000 100 10 20 22 24 28 216 Range of variables 232 (c) Verification complexity for property φ3 Fig. 4: Plots that report the results of VoterCore Simulink diagram verification, comparing the representation based on BV formulas (sat) and the hybrid representation (hyb). The range z of input variables on the x-axis corresponds to the domain {0 . . . z}. 6 Discussion By reducing deadlock checking and state matching to SMT queries we have managed to accelerate the model checking process to a point when the developer Title Suppressed Due to Excessive Length 23 can omit specifying the unit testing input and verify that the design is correct for all possible values. Given that the process still requires large amounts of computational resources, the newly proposed hybrid representation accelerates the method further, thus rendering it even more applicable for verifying critical units in Simulink designs. To summarize the findings of our experiments with verification of Simulink diagrams, we propose a combination of the set and sat/hyb approaches. Such a combining verification is possible, because the two approaches allow identical models as the input. The result would correspond to the composition of (the better of) the solid and dotted lines of Figure 3. The developer could decide which representation to use, based on the range of variables they need to verify against. Or – better yet, and fully automatically – the two approaches can be run in parallel, the one finishing first reporting the results of the verification. Arguably, the experimental results and the achieved empirical findings remain largely academic. Even though the VoterCore model used in our experiments comes from a real-world design, it is only a part of a larger Simulink model. Industrial application of the proposed method would equally require manually selecting a safety-critical part of the verified model and verifying that this part has the desired properties. Our experiments already show the limits of using SMT solvers for LTL verification, even when the new hybrid representation is employed. More importantly, however, the experiments also show that if the input model is sufficiently small for the verification to finish in reasonable time, then a complete coverage across all possible input values is provided. Which is a quality that the established techniques based on testing cannot provide. 6.1 Theoretical Limitations Given that the proposed verification technique reduces the problem of LTL model checking to a sequence of SMT-queries, the limitations of the technique derives from the state-of-the-art of the SMT solvers. It follows that improvements in the efficiency of SMT solvers will also improve our technique and this improvement will require no further modifications. On the other hand, solving quantified SMT queries is a computationally demanding task. We will thus discuss the state matching – the part of our technique that seems to require solving quantified queries – in a greater detail. The Figure 5 below shows a part of the verification process, where the x-axis lists the individual instances of state matching as they appeared in time. The y-axis represents the number of quantifier instantiations the solver needed to employ before finding a counterexample or a proof. Finding counterexamples, i.e. evaluations of delay variables that exist in one state but not in the other, appears to be a considerably simpler task, in the figure corresponding to steps of less than 40 instantiations. Finding proof of equality between the two states was much more difficult, often requiring more than 400 instantiations with Petr Bauch et al. Instantiations 24 1000 100 10 1 10 20 30 40 50 60 70 80 90 100 Fig. 5: Time progression of the complexity of individual state matching instances. equivalently higher time and space complexity. These higher spikes occur in consecutive pairs, one for each subset inclusion. 6.2 State Matching by Comparing Function Images Returning back to the claimed necessity of resorting to quantified formulas 0 for state matching, note that computing the equivalence between δ |ρ| and δ |ρ | would be sufficient for state matching, if the inputs were read only once at the beginning. The state space would be larger as some states with the same sets of values would have semantically different representing functions. In Simulink, where inputs are read iteratively, however, such an approach would lead to infinite transition systems in all nontrivial instances. Computing equivalence between the two δ functions does not yield a correct result with respect to image comparison. For example on the Boolean domain the functions negation and identity are not equivalent, yet their images are the same. Consequently, stating the comparison as satisfiability in the BV theory must be different than simple equality. Assume that the formula Ψρρ0 is satisfiable iff ρ and ρ0 are two different states. Then the model of Ψρρ0 must encode an element, current evaluation of delay variables, of either ρ or ρ0 that is not in the other state. But Ψρρ0 can only refer to the domains of δ functions, the input variables, because in symbolic execution the current values are represented as functions on input variables. It follows that the satisfying evaluation of input variables in ρ must be such that for any evaluation of the inputs in ρ0 the δ functions evaluate to different values. It appears that stating functional image comparison within symbolic execution as a satisfiability decision requires the use of quantifiers. That much seems to hold if it is the input variables that are free in Ψρρ0 as argued above. The more general question, whether for bit-vector functions f : bvqn → bvq, f 0 : bvqm → bvq, there is a quantifier-free bit-vector formula ψ such that n m |ψ| ∈ poly(n + m) and ψ is satisfiable iff f (2bvq ) = f 0 (2bvq ), is outside the scope of this work and we leave it open for future research. The more interesting question, at least from the practical point of view, is how to implement the state matching in set-based reduced transition system, regardless of how the sets are represented. Consider for example that one can represent the sets of evaluations using their characteristic functions, i.e. Title Suppressed Due to Excessive Length 25 functions over state-forming variables that, when provided with an evaluation of those variables, return either 1 or 0, whether or not this evaluation is part of the set. (In other words representing evaluations of variables as the collected post-conditions.) Then the state matching would reduce to deciding semantic equivalence of these characteristic functions, or, if a canonical representation was available, even to syntactic equivalence. 7 Related Work Firstly, there are three practical papers, that we are aware of, describing LTL verification of Simulink diagrams. Miller et al (2005) translate Simulink models into the synchronous data-flow language Lustre, created by Halbwachs et al (1991), and then into the native language of the symbolic model checker NuSMV, created by Cimatti et al (2002). NuSMV was then used to verify correctness of the model with respect to a set of specifications (mostly in CTL, but NuSMV can verify full LTL as well) using BDD-based (Binary Decision Diagrams: see McMillan (1992), for a classical approach) representation of the state space. Although it was not a limitation in the input diagrams they used, BDDs are not readily able to support complex data types with Peano arithmetic, at least not while preserving their efficiency, as we will discuss later in this subsection. Similarly, Meenakshi et al (2006) translate Simulink diagrams for the verification using NuSMV, but in this case the translation is direct, without an intermediate language. This work is more relevant because the diagrams used contained integer data types and full Peano arithmetic (NuSMV flattens integer types into Boolean types, but represents the stored values precisely). The authors do not mention explicitly if they used the BDD-based branch or SAT-based branch of verification. Unfortunately, we could not compare that approach with the one proposed in this paper, since the implementation is not available. Its efficiency can be only assumed from the reported results: when input variables were not bounded explicitly, i.e. allowed values between 0 and 232 , the verification time was almost a week; the bounds for reasonably fast verification had to be relatively small: between 0 and 60. Explicit model checking was also used for verification of Simulink diagrams by Barnat et al (2012), but there the data-flow non-determinism in the form of input variables had even greater detrimental effect. This is the only comparable implementation presently available and we provide detailed comparison between this purely explicit approach and the hybrid, control explicit—data symbolic approaches described in this paper in Section 5. From a theoretical point of view, the method proposed in this paper is effectively equivalent to symbolic execution extended with LTL verification. This combination was attempted before by Braione et al (2008), but classical symbolic execution does not allow state matching and thus only a small subset (safety properties) of LTL was supported. Without state matching, an infinite violating run would cause the tool to diverge, never yielding an answer. On the 26 Petr Bauch et al. other hand it is possible to implement state subsumption (a state represents more heap configurations than another state) in symbolic execution, as shown by Xie et al (2005), but subsumption is not correct with respect to LTL even though it can significantly reduce the state space (and make it finite). A considerable amount of work pertained to allowing symbolic model checking to use more complex data types than Booleans. The problem is that BDDs grow exponentially in the presence of integer multiplication, as proved by Bryant (1991). Other symbolic representations were designed that represent variables on the word level rather than binary level, such as Binary Moment Diagrams, used by Bryant and Chen (1995), or Boolean Expression Diagrams, used by Williams et al (2000), even though these are no longer canonical. Similarly to our approach, symbolic model checking can also use first-order formulas directly, leading to SAT-based and SMT-based approaches, invented by Biere et al (1999) and Armando et al (2006), respectively, provided that the procedure is bounded in depth, and consequently incomplete. Various approaches to unbounding have been proposed, most recently the IC3 method of Bradley (2011), but these are rather theoretical, without implementation, or limited to weaker arithmetics, see e.g. the model checker Kind based on k-induction and created by Hagen and Tinelli (2008). Module checking, introduced by Kupferman and Vardi (1996) and detailed by Godefroid (2003), allows verification of open systems. A system is open in the sense that the environment may restrict the non-determinism and the verification has to be robust with respect to arbitrary restrictions. Consequently, the approach to verifying open systems also differs since only branching time logics can distinguish open from closed systems, in the module checking sense. For linear time logics, every path has to satisfy the property and thus open and closed systems collapse into one source of non-determinism. Much closer to our separation between control and data is the work initiated by Lin (1996). Lin’s Symbolic Transition Graphs with Assignments represent precisely parallel programs with input variables using a combination of firstorder logic and process algebra for communicating systems. Similarly as for symbolic execution, the most complicated aspect of this representation is the handling of loops. Lin’s solution computes the greatest fix point of a predicate system representing the first-order term for each loop. Then two transition graphs are bisimilar if the predicate systems representing their loops are equivalent. The set-based reduction of transition systems used in this paper effectively compute the fix points explicitly, represented as sets of variable evaluations. Finally, various combinations of different approaches and representations have been devised and experimented with. When multiple representations were combined, it was mostly to improve on weak aspects of either of the representations, for example by Yang et al (2006) multiple symbolic representations for Boolean and integer variables were employed in combination. Presburger constraints were combined with BDDs by Bultan et al (1998) to allow, with some restrictions, the verification of infinite state spaces. Finally, the two approaches to model checking, explicit and symbolic, were combined Title Suppressed Due to Excessive Length 27 to improve solely upon control-flow non-determinism. Some improvement was achieved by storing multiple explicit states in a single symbolic state, implemented by Duret-Lutz et al (2011), or by storing explicitly the property and symbolically the system description, implemented by Sebastiani et al (2005). The approach described by Hungar et al (1995) represents control using symbolic model checking and data by purely symbolic manipulation of first-order formulas. There the symbolic data are limited in the sense that they cannot influence the control flow. 8 Conclusion This paper combines explicit model checking with a representation of data variables based on sets of possible evaluations. The resulting verification method allows temporal verification of systems that read from non-deterministic inputs. When the sets of evaluations are represented symbolically – as bit-vector formulas – the major obstacle that we faced and solved is the solution of state matching. The state matching procedure proposed here requires deciding satisfiability of quantified bit-vector formulas, which is a resource-intensive process, but the experimental evaluation on Simulink diagrams indicates that for such systems is the cost acceptable. Still, in order to improve the effectivity of design supported by verification, we have proposed, implemented and evaluated a combing approach using a hybrid representation of data. This representation leverages the positive aspects of both the concrete and symbolic representations while employing some knowledge about the Simulink diagram which was not explicitly stated by the developer. We have demonstrated how SMT solvers can be used to infer this tacit knowledge, which can subsequently enable the hybrid representation to achieve considerably better performance. For the use in verification of parallel programs or at least safety critical segments of programs, the cost would probably be prohibitive. We discuss ideas that could lead to expressing the state matching problem without the use of quantifiers, but leave that direction of research to future work. Yet in the case of Simulink diagrams, our approach scales with the ranges of input variables and thus allows the developer to use the range limit of the used data type, e.g. 32 bits integers, where before the developers had to test for ranges that were exponentially smaller. This improvement effectively automates the verification process, replacing completely any manual testing, since the resulting confidence in the correctness of the system with model checking is at least as high as it was with classical testing. References Armando A, Mantovani J, Platania L (2006) Bounded Model Checking of Software Using SMT Solvers Instead of SAT Solvers. In: SPIN, LNCS, vol 3925, Springer, pp 146–162, DOI 10.1007/11691617 9 Barnat J, Bauch P (2013) Control Explicit—Data Symbolic Model Checking: An Introduction. Tech. rep., Masaryk University, http://arxiv.org/abs/1303.7379 28 Petr Bauch et al. Barnat J, Beran J, Brim L, Kratochv´ıla T, Roˇ ckai P (2012) Tool Chain to Support Automated Formal Verification of Avionics Simulink Designs. In: FMICS, LNCS, vol 7437, Springer, pp 78–92, DOI 10.1007/978-3-642-32469-7 6 ˇ Barnat J, Brim L, Havel V, Havl´ıˇ cek J, Kriho J, Lenˇ co M, Roˇ ckai P, Still V, Weiser J (2013) DiVinE 3.0 – Explicit-state Model-checker for Multithreaded C/C++ Programs. In: CAV, pp 863–868, DOI 10.1007/978-3-642-39799-8 60 Barnat J, Bauch P, Havel V (2014) Temporal Verification of Simulink Diagrams. In: Proc. of HASE, pp 81–88, DOI http://dx.doi.org/10.1109/HASE.2014.20 Barrett C, Stump A, Tinelli C (2010) The SMT-LIB Standard: Version 2.0. Tech. rep., The University of Iowa Biere A, Cimatti A, Clarke E, Fujita M, Zhu Y (1999) Symbolic Model Checking Using SAT Procedures instead of BDDs. In: Proc. of DAC, ACM, pp 317–320, DOI 10.1145/309847. 309942 Bradley A (2011) SAT-Based Model Checking without Unrolling. In: VMCAI, pp 70–87, DOI 10.1007/978-3-642-18275-4 7 Braione P, Denaro G, Kˇrena B, Pezz` e M (2008) Verifying LTL Properties of Bytecode with Symbolic Execution. In: Proc. of Bytecode, Elsevier Science, pp 1–14 Bryant R (1991) On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication. IEEE Trans Comput 40(2):205–213, DOI 10.1109/12.73590 Bryant R, Chen YA (1995) Verification of Arithmetic Circuits with Binary Moment Diagrams. In: Proc. of DAC, pp 535–541, DOI 10.1145/217474.217583 Bultan T, Gerber R, Pugh W (1997) Symbolic Model Checking of Infinite State Systems Using Presburger Arithmetic. In: CAV, LNCS, vol 1254, Springer, pp 400–411, DOI 10.1007/3-540-63166-6 39 Bultan T, Gerber R, League C (1998) Verifying Systems with Integer Constraints and Boolean Predicates: A Composite Approach. In: Proc. of ISSTA, pp 113–123, DOI 10.1145/271771.271799 Cimatti A, Clarke E, Giunchiglia E, Giunchiglia F, Pistore M, Roveri M, Sebastiani R, Tacchella A (2002) NuSMV 2: An OpenSource Tool for Symbolic Model Checking. In: CAV, pp 241–268, DOI 10.1007/3-540-45657-0 29 Clarke E, Emerson E, Sistla A (1986) Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM T Progr Lang Sys 8(2):244–263, DOI 10.1145/5397.5399 Cousot P, Cousot R (1977) Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In: Proc. of POPL, ACM, pp 238–252, DOI 10.1145/512950.512973 Duret-Lutz A, Klai K, Poitrenaud D, Thierry-Mieg Y (2011) Self-Loop Aggregation Product — A New Hybrid Approach to On-the-Fly LTL Model Checking. In: ATVA, LNCS, vol 6996, Springer, pp 336–350, DOI 10.1007/978-3-642-24372-1 24 Godefroid P (2003) Reasoning about Abstract Open Systems with Generalized Module Checking. In: EMSOFT, LNCS, vol 2855, Springer, pp 223–240, DOI 10.1007/ 978-3-540-45212-6 15 Hagen G, Tinelli C (2008) Scaling Up the Formal Verification of Lustre Programs with SMTBased Techniques. In: Proc. of FMCAD, pp 1–9, DOI 10.1109/FMCAD.2008.ECP.19 Halbwachs N, Caspi P, Raymond P, Pilaud D (1991) The Synchronous Data Flow Programming Language LUSTRE. Proc IEEE 79(9):1305–1320, DOI 10.1109/5.97300 Hungar H, Grumberg O, Damm W (1995) What if Model Checking Must Be Truly Symbolic. In: CHARME, LNCS, vol 987, Springer, pp 1–20, DOI 10.1007/3-540-60385-9 1 King J (1976) Symbolic Execution and Program Testing. Commun ACM 19(7):385–394, DOI 10.1145/360248.360252 Kroening D, Strichman O (2010) Decision Procedures: An Algorithmic Point of View. Springer Kupferman O, Vardi M (1996) Module Checking. In: CAV, LNCS, vol 1102, Springer, pp 75–86, DOI 10.1007/3-540-61474-5 59 Lin H (1996) Symbolic Transition Graph with Assignment. In: CONCUR, LNCS, vol 1119, Springer, pp 50–65, DOI 10.1007/3-540-61604-7 47 McMillan K (1992) Symbolic Model Checking. PhD thesis, Carnegie Mellon University Title Suppressed Due to Excessive Length 29 Meenakshi B, Bhatnagar A, Roy S (2006) Tool for Translating Simulink Models into Input Language of a Model Checker. In: ICFEM, LNCS, vol 4260, Springer, pp 606–620, DOI 10.1007/11901433 33 Miller S, Anderson E, Wagner L, Whalen M, Heimdahl M (2005) Formal Verification of Flight Critical Software. In: Proc. of GNC, pp 1–16 de Moura L, Bjørner N (2008) Z3: An Efficient SMT Solver. In: TACAS, LNCS, vol 4963, Springer, pp 337–340, DOI 10.1007/978-3-540-78800-3 24 Owicki S, Gries D (1976) An Axiomatic Proof Technique for Parallel Programs I. Acta Inform 6:319–340, DOI 10.1007/BF00268134 Sebastiani R, Tonetta S, Vardi M (2005) Symbolic Systems, Explicit Properties: On Hybrid Approaches for LTL Symbolic Model Checking. In: CAV, LNCS, vol 3576, Springer, pp 100–246, DOI 10.1007/11513988 35 Vardi M, Wolper P (1986) An Automata-Theoretic Approach to Automatic Program Verification. In: Proc. of LICS, IEEE Computer Society Press, pp 332–344 Williams P, Biere A, Clarke E, Gupta A (2000) Combining Decision Diagrams and SAT Procedures for Efficient Symbolic Model Checking. In: CAV, LNCS, vol 1855, Springer, pp 124–138, DOI 10.1007/10722167 13 Wintersteiger C, Hamadi Y, de Moura L (2013) Efficiently Solving Quantified Bit-Vector Formulas. Form Method Syst Des 42(1):3–23, DOI 10.1007/s10703-012-0156-2 Xie T, Marinov D, Schulte W, Notkin D (2005) Symstra: A Framework for Generating Object-Oriented Unit Tests Using Symbolic Execution. In: TACAS, LNCS, vol 3440, Springer, pp 365–381, DOI 10.1007/978-3-540-31980-1 24 Yang Z, Wang C, Gupta A, Ivanˇ ci´ c F (2006) Mixed Symbolic Representations for Model Checking Software Programs. In: Proc. of MEMOCODE, pp 17–26, DOI 10.1109/ MEMCOD.2006.1695896
© Copyright 2024