Article

Integration of SMT-solvers in B and Event-B development environments

Authors:
To read the full-text of this research, you can request a copy directly from the author.

Abstract

Software development in B and Event-B generates proof obligations that have to be discharged using theorem provers. The cost of such developments depends directly on the degree of automation and efficiency of theorem proving techniques for the logics in which these lemmas are expressed. This paper presents and formalizes an approach to transform a class of proof obligations essentially similar to those generated in the Rodin platform into the input language of a category of automatic theorem provers known as SMT-solvers. The work presented in the paper handles proof obligations with Booleans, integer arithmetics, basic sets and relations and has been implemented as a plug-in for Rodin.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the author.

... A ferramenta de Mentré et al. (2012) descarta as obrigações de prova usando múltiplos provadores de teoremas, mas essa ferramenta não é disponibilizada publicamente por fatores comerciais. O trabalho de Déharbe (2013) é público e demonstra ser uma alternativa interessante, porque amplia a capacidade de verificação para um formato comum para vários provadores de teoremas. Por outro lado, esse trabalho é compatível somente com Event-B e não suporta obrigações de prova do método B. Este trabalho avançou sobre a definição da tradução para código de montagem, definição de estratégias de verificação usando testes automatizados e métodos formais. ...
... As regras construídas, as técnicas de verificação empregadas, o desenvolvimento e a aplicação do BEval em Medeiros Jr. eDéharbe (2014) foram atividades fundamentais neste trabalho. Tais atividades colaboraram para acelerar o processo de verificação contribuindo na questão de pesquisa 3. Em resumo, as técnicas de verificação desenvolvidas e empregadas avançaram e automatizaram o processo de verificação. ...
... Diante dessas barreiras tecnológicas, o BEval foi desenvolvido e melhorou os resultados da verificação conforme apresentado por Medeiros Jr. eDéharbe (2014). Inclusive em vários modelos, houve ganhos excelentes na verificação automática das obrigações de provas. ...
Thesis
Full-text available
Assembly code synthesis is a process that requires rigorous care. Typically, this process in mature translators and compilers is relatively safe, though some errors have occasionally been identified. In a more restricted context, the translators used in the smaller communities and developed constantly have been more susceptible to these kind of errors. Considering this context, two translation and verification approaches using the B method have been presented. The first approach considers the B component translation to assembly code for a specific platform by using a formal model of the instruction set, which also allows to debug and to check program properties. This approach can formally ensure the semantic consistency of the translation, although the verification process is difficult and time-consuming. This verification effort was somewhat relieved by the development of BEval, a tool which has made better use of the verification techniques. After applying the automatic verification process using the Atelier B tool, BEval was still able to solve, in the certain models, many of the remaining proof obligations, reaching up to 88 \% of total obligations. However, the verification process of this translation approach is still complex, requiring several manual interactions. In order to make a translation more efficient and also safe, a second approach for the translating B to virtual machine code was developed. This second approach used the developed translator B2LLVM and applied the automatic generation of tests to check the consistency of the program specifications and their respective assembly code. This translator also supported the code coverage evaluation and the insertion of the traceability annotations. Thus, this study has significantly contributed to developing B translation to assembly code, providing rigorous support for the verification of the translation. Currently, the B2LLVM outweighs 20,9% the percentage of translatable test samples based on grammar compared to the C4B industrial translator. Furthermore, the generated code by B2LLVM has important advantages in the ample capacity of verification, integration and optimization.
... Существуют работы по комбинированию SMT-солверов [10][11] с Event-B моделями для их исполнения. SMT-солверы активно используются на отдельных частях модели в процессе дедуктивной верификации, но при исполнении всей модели целиком они сталкиваются со значительными трудностями. ...
Article
The article discusses the problem of applying runtime verification to large and complex systems such as general-purpose operating systems. When verifying the security mechanisms of operating systems, modern practices and standards require a formal security policy model (SPM). The SPM must be verified using formal model methods, and it must also be used to verify the completeness and consistency of the operating system’s security mechanisms by confirming compliance with the formal requirements of the SPM. In this case, it is convenient to have a single model suitable for both formal verification and implementation testing. For practical application, it is necessary, on the one hand, to select a subset of model language constructs suitable for both acts, and on the other hand, to develop special techniques for analyzing execution traces that allow to effectively perform thousands of test cases. The article addresses both of these issues. We present an analysis of language constructs that allow us to use the model for both verification and execution trace analysis. We also offer techniques that have been developed to optimize the runtime verification of Linux-based systems. We also implemented the proposed methods in the trace analysis tool prototype.
... Déharbe et al. [27,28,31] presented an integration of an SMT solver for B and Event-B by translating to SMT-LIB. bit-blasting and only supports finite domains. ...
Article
Full-text available
ProB provides a constraint solver for the B-method written in Prolog and can make use of different backends based on SAT and SMT solving. One such backend translates B and Event-B operators to SMT-LIB using the Z3 solver. This translation uses quantifiers to axiomatize some operators, which are not well-handled by Z3. Several relational constraints such as the transitive closure are not supported by this translation. In this article, we substantially improve the translation to SMT-LIB by employing a more constructive rather than axiomatized style using Z3’s lambda function. Thereby, we are able both to translate more B and Event-B operators to SMT-LIB and improve the overall performance. We further extend ProB’s interface to Z3 to run different solver configurations in parallel. In addition, we present a direct implementation of SMT solving in Prolog using ProB’s constraint solver as a theory solver. We hereby aim to combine the strengths of conflict-driven clause learning for identifying contradictions with ProB’s constraint solver for finding solutions. We deem this implementation to be worthwhile since ProB’s constraint solver is tailored toward solving B and Event-B constraints, and we herewith avoid the dependency on an external SMT solver. Empirical results show that the new integration of Z3 has improved performance of constraint solving and enables to solve several constraints which cannot be solved by ProB’s constraint solver. Furthermore, the direct implementation of SMT solving in ProB shows benefits compared to ProB’s constraint solver and the integration of Z3.
... For other applications, such as the analysis of programming languages, there exist dedicated platforms using external automatic theorem provers (ATPs) or automatic tactics from interactive theorem provers (ITPs), to perform symbolic reasoning, and for example to discharge some subgoals in the proofs. Tools like Rodin [18,19] have already integrated several provers, like Z3, as modules for proving the proof obligations generated from a user model. The prover we use, which also happens to be Z3, is developed by Microsoft Research based on the satisfiability modulo theories framework (SMT), and is mainly applied in extended static checking, test case generation, and predicate abstraction. ...
Article
Full-text available
Open pNets are formal models that can express the behaviour of open systems, either synchronous, asynchronous, or heterogeneous. They are endowed with a symbolic operational semantics in terms of open automata, which allows us to check properties of such systems in a compositional manner. We present an algorithm computing these semantics, building predicates expressing the synchronisation conditions between the events of pNet sub-systems. Checking such predicates requires symbolic reasoning about first order logics and application-specific data. We use the Z3 SMT engine to check satisfiability of the predicates. We also propose and implement an optimised algorithm that performs part of the pruning on the fly, and show its correctness with respect to the original one. We illustrate the approach using two use-cases: the first one is a classical process-algebra operator for which we provide several encodings, and prove some basic properties. The second one is industry-oriented and based on the so-called “BIP architectures”, which have been used to specify the control software of a nanosatellite at the EPFL Space Engineering Center. We use pNets to encode a BIP architecture extended with explicit data, compute its semantics and discuss its properties, and then show how our algorithms scale up, using a composition of two such architectures.
... A later extension included polymorphic sorts, signatures and assertions. A successful application of these extensions has been to apply SMT solving to verify proof obligations stemming from set-based formalisms (namely, B and Event-B) using standard Smt-Lib logics (AUFLIA) [Dé10,DFGV12,Dé13]. ...
... A later extension included polymorphic sorts, signatures and assertions. A successful application of these extensions has been to apply SMT solving to verify proof obligations stemming from set-based formalisms (namely, B and Event-B) using standard Smt-Lib logics (AUFLIA) [Dé10,DFGV12,Dé13]. ...
... Mentre [24] and Deharbe [28] use SMT model checking tools to automate the proving process, and follow, with small differences, the process described above. Deharbe's approach connects SMT solvers with an SMT-LIB interface to an Event-B development tool and uses only the SMT solver veriT. ...
Article
Full-text available
The high degree of miniaturization in the electronics industry has been, for several years, a driver to push embedded systems to different fields and applications. One example is safety-critical systems, where the compactness in the form factor helps to reduce the costs and allows for the implementation of new techniques. The automotive industry is a great example of a safety-critical area with a great rise in the adoption of microelectronics. With it came the creation of the ISO 26262 standard with the goal of guaranteeing a high level of dependability in the designs. Other areas in the safety-critical applications domain have similar standards. However, these standards are mostly guidelines to make sure that designs reach the desired dependability level without explicit instructions. In the end, the success of the design to fulfill the standard is the result of a thorough verification process. Naturally, the goal of any verification team dealing with such important designs is complete coverage as well as standards conformity, but as these are complex hardware, complete functional verification is a difficult task. From the several techniques that exist to verify hardware, where each has its pros and cons, we studied six well-established in academia and in industry. We can divide them into two categories: simulation, which needs extremely large amounts of time, and formal verification, which needs unrealistic amounts of resources. Therefore, we conclude that a hybrid approach offers the best balance between simulation (time) and formal verification (resources).
... Furthermore, different Computer science applications which are based on planning, modeling, and generation of automated testing also consider this SMT solver as an important usable tool [25]. As trend has shifted from the verification done manually or by simulation using verification tools as mentioned in [26]. SPIN model checker was used to formally verify ad-hoc protocols. ...
Article
Full-text available
Fog computing, being an extension to cloud computing has addressed some issues found in cloud computing by providing additional features like location awareness, low latency, mobility support etc. Its unique features have also opened a way towards security challenges which need to be focused for making it bug-free for the users. Our paper is basically focusing on overcoming the security issues encountered during the data outsourcing from Fog Client to Fog Node. We have added Shibboleth also known as security and cross domain access control protocol between Fog Client and Fog Node for improved and secure communication between the fog client and fog node. Further to prove whether Shibboleth meets the security requirement needed to provide the secure outsourcing. We have also formally verified the protocol against basic security properties using High Level Petri Net (HLPN).
... Related work. In [52], David Déharbe presents an approach to translate Rodin platform proof-obligations to the input language of the SMT-solvers. The approach handles proof obligations that include boolean expressions, integer arithmetic expressions, and basic sets and relations. ...
Article
Full-text available
Stepwise refinement and Design-by-Contract are two formal approaches for modelling systems. These approaches are widely used in the development of systems. Both approaches have (dis-)advantages. This thesis aims to answer, is it possible to combine both approaches in the development of systems, providing the user with the benefits of both? We answer this question by translating the stepwise refinement method with Event-B to Design-by-Contract with Java and JML, so users can take full advantage of both formal approaches without losing their benefits. This thesis presents a set of syntactic rules that translates Event-B to JML-annotated Java code. It also presents the implementation of the syntactic rules as the EventB2Java tool. We used the tool to translate several Event-B models. It generated JML-annotated Java code for all the considered models that serve as initial implementation. We also used EventB2Java for the development of two software applications. Additionally, we compared EventB2Java against two other tools for Event-B code generation. EventB2Java enables users to start the software development process in Event-B, where users can model the system and prove its consistency, to then transition to JML-annotated Java code, where users can continue the development process.
... ProB's model-checking facilities include a Linear Temporal Logic feature. An SMT solver is available in a separate plugin [23]. Typically, ProB is used by technically-aware team members. ...
Conference Paper
Full-text available
In order to improve the development process of high-integrity systems, using formal methods, we consider how agile techniques may influence the Event-B formal method, and how Event-B may be used in a development that uses an agile approach. To examine the crossover between Event-B and agile methods we review the Disciplined Agile Delivery approach (DAD). The DAD approach is inspired by many state-of-the-art agile techniques, and we use it as a meta-analysis of current best-practice. In this paper, we propose an agile process for using Event-B and examine how agile techniques might influence the use of Event-B. We identify a number of areas in which Event-B could be improved and suggest that a different view of agile practices may be needed for an agile project involving formal development.
... In the framework of verification of B (or Event-B) proof obligations, and in addition to B dedicated provers, such as the main prover of Atelier B, some similar work has been done to use external provers, relying on either SMT (Satisfiability Modulo Theories) solvers like veriT [14], or proof assistants like Coq [10] or Isabelle/HOL [21]. However, veriT does not provide proof traces, and automation is poor in the considered proof assistants, even though dedicated tactics are offered. ...
... It is important to note that all the runs of the SMTsolver take a negligible amount of time. The remaining proof obligations shall be communicated to the community of researchers on SMT-solving techniques in the hope that use them as a direction for future extensions and improvements [13]. ...
Article
Full-text available
Event-B is a formal method for the system level modeling and analysis of dependable applications. It issupported by an open and extendable Eclipse-based tool set called Rodin. In this paper we proposed usingAutomatic theorem provers known as SMT-solvers with event-B pattern. The benefits of that are to reducethe proving effort, to reuse a model and to increase the degree of automation. The proposed approach hasbeen applied successfully on two different case studies.
... The SMT solver job is a decision problem to determine if a given logic formula is satisfiable with respect to a combination of theories expressed in first-order logic. There is yearly competition SMT-COMP [15]. ...
Article
Full-text available
In this paper, we propose a methodology to enhance the evaluation tools in semantic learning systems. Our proposal’s aim is to evaluate two types of open questions in hybrid exams. The proposed technique in the first type MOQ (Multi Operations Question) uses the matrix concept for fuzzy score. But POQ (Proof Open Question) is more complicated so we use direct connect to learning objects which saved as ontology based. Also take into consideration the dependence among learning objects so we merge the universal ontology with weight matrix. The proposed methodology has been applied to the case study of the mathematical multi operations question and the proof question on a logic course in a hybrid exam.
... Our Coq realization is similar to both Coq formalizations above. However our Coq model is only built for the purpose of showing the consistency, not for the purpose of performing proofs interactively with Coq.Déharbe made a work[14] very similar to ours. Namely, Déharbe interfaces SMT solvers having an SMT-LIB interface with the Rodin development tool for Event-B. ...
Conference Paper
We present a method to discharge proof obligations from Atelier B using multiple SMT solvers. It is based on a faithful modeling of B's set theory into polymorphic first-order logic. We report on two case studies demonstrating a significant improvement in the ratio of obligations that are automatically discharged.
... Some other efforts relate to the automated verification of B and Event-B proof obligations. David Déharbe presents an approach to translate a particular subclass of B and Event-B proof obligations into the input language of SMTsolvers [17]. We have implemented the EventB2Dafny Rodin plug-in [12] which translates Event-B proof obligations into Dafny, one of the front-end specification languages of the Boogie 2 tool [2]. ...
Article
Full-text available
We present a machine-checked soundness proof of a translation of Event-B to the Java Modeling Language (JML). The translation is based on an operator EventB2Jml that maps Evnet-B events to JML method specifications, and deterministic and non-deterministic assignments to JML method post-conditions. This translation has previously been implemented as the EventB2Jml tool. We adopted a taking our own medicine approach in the formalisation of our proof so that Event-B as well as JML are formalised in Event-B and the proof is discharged with the Rodin platform. Hence, for any Event-B substitution (whether an event or an assignment) and for the JML method specification obtained by applying EventB2Jml to the substitution, we prove that the semantics of the JML method specification is simulated by the semantics of the substitution. Therefore, the JML specification obtained as translation from the Event-B substitution is a refinement of the substitution. Our proof includes invariants and the standard Event-B initialising event, but it does not include full machines or Event-B contexts. We assume that the semantics of JML and Event-B operate both on the same initial and final states, and we justify our assumption.
... In [17], David Déharbe presents an approach to translate Rodin platform proof-obligations to the input language of the SMT-solvers. The approach handles proof obligations that include boolean expressions, integer arithmetic expressions, and basic sets and relations. ...
Article
Full-text available
This paper presents a translation of Rodin proof-obligations into the input language of Dafny, and the implementation of the translation as the EventB2Dafny Rodin plug-in. Rodin is a platform that provides support for Event-B. The paper uses a simplified Event-B model for social-networking to illustrate the translation and to describe the generated Dafny model. EventB2Dafny supports the full Event-B syntax and its full source code is available online.
... Consider the sequent A @BULLET @BULLET P(Z) A ∪ ∅ = A, the translator to this extended SMT-LIB language produces: where X denotes a sort variable. The function definitions union and emptyset are inserted by the translator and are part of a corpus of definitions for most of the set-theoretic constructs (see [10, 11] for details). They are divided into a list of sorted parameters, the sort of the result, and the body expressing the value of the result. ...
Conference Paper
Full-text available
Formal development in Event-B generally requires the validation of a large number of proof obligations. Some automatic tools exist to automatically discharge a significant part of them, thus augmenting the efficiency of the formal development. We here investigate the use of SMT (Satisfiability Modulo Theories) solvers in addition to the tradi- tional tools, and detail the techniques used for the cooperation between the Rodin platform and SMT solvers. Our contribution is the definition of two approaches to use SMT solvers, their implementation in a Rodin plug-in, and an experimental evaluation on a large sample of industrial and academic projects. Adding SMT solvers to Atelier B provers reduces to one fourth the number of sequents that need to be proved interactively.
Chapter
ProB provides a constraint solver for the B-method written in Prolog and optionally can make use of different backends based on SAT or SMT solving. One such solver integration translates B and Event-B operators to SMT-LIB using the C interface of the Z3 solver. This translation uses quantifiers to axiomatise operators when translating to SMT-LIB, which are not well-handled by Z3. Several relational constraints such as the transitive closure are not supported since their translations were too involved.
Article
Nuclear power plants are complex systems with many regulations, requirements, procedures, and operational constraints. The future autonomous safety monitoring and control system of nuclear plants require a constructive method in integrating and aggregating the accumulated knowledge database normally written in human language. For safety critical systems, formal methods such as model checking and theorem proving are used for verifying its conformance of safety requirements. However, formal specifications and implemented application codes are virtually unreadable for domain experts. To enhance this communication bottleneck and to boost productivity, we use semantic web technology to relate formal specifications with ontologies that are human‐readable and have formal semantics. We introduce a nuclear reactor ontology of controlled vocabulary to link elements in a physical system and its Event‐B model (a formal method for system‐level modeling and analysis). Controlled vocabulary provides several benefits. It is still construction of a spoken language and thus, human readable and transparent. Their formal semantics make it easy to integrate them to the counterparts in their specification. We can generate system logs those are both human and machine friendly. Practitioners can write ad hoc query using SPARQL Protocol and RDF Query Language (SPARQL). As a proof of concept of our methodology, we build a system for safety monitoring and control of a nuclear reactor. We prototype our monitoring system in Event‐B model and verify that it satisfies safety requirements and constraints. Then we build an OWL 2 ontology for the semantic web from the Event‐B model annotating all metrics and events of the system monitors.
Article
Full-text available
This research article proposes a novel approach called Distributed Reconfigurable B to specify and verify distributed reconfigurable control systems using B method. Reconfiguration signifies the dynamic adaptation of the system behavior to the evolution of its environment by applying a reconfiguration scenario. A multi-agent architecture is defined to affect a reconfiguration agent to ensure local reconfiguration for each subsystem and a coordination agent to manage the different subsystems to guarantee the coherence of the whole system. A reconfigurable system is a set of B operations where only a subset is executed by adding or removing operations after a well-defined reconfiguration scenario. Distributed Reconfigurable B defines two complementary steps to be applied in abstract model of B method: specification and verification. The first step models the agents according to Distributed Reconfigurable B formalism. The second verifies distributed reconfigurable control systems using Atelier B tool and avoids the redundant checking of different B machines by applying the implemented Check Reconfigurable B tool. We apply the contributions on the two benchmark production systems: FESTO and EnAS.
Article
The state-based formal methods B and TLA+ share the common base of predicate logic, arithmetic and set theory. However, there are still considerable differences, such as the way to specify state transitions, the different approaches to typing, and the available tool support. In this paper, we present a translation from B to TLA+ so as to validate B specifications using the model checker TLC. The translation includes many adaptations and optimizations to allow for efficient checking by TLC. Moreover, we present a way to validate liveness properties for B specifications under fairness conditions. Our implemented translator, Tlc4B, automatically translates a B specification to TLA+, invokes the model checker TLC, and translates the results back to B. We use ProB to double check the counter examples produced by TLC and replay them in the ProB animator. Tlc4B can also transmit constant values, precalculated by ProB, to TLC. This allows the user to combine the strength of both tools, i.e. ProB's constraint solving abilities and TLC's highly tuned model checking core. Furthermore, we demonstrate an approach to optimize the model checking process by encoding proof information in the translated TLA+ specification. We also present a series of case studies and benchmark tests comparing Tlc4B and ProB.
Article
This paper describes two syntactic extensions to SMT-LIB scripts: Lambda-expressions and polymorphism. After extending the syntax to allow these expressions, we show how to update the typing rules of the SMT-LIB to check the validity of these new terms and commands. Since most Smt-solvers only deal with many-sorted first-order formulas, we detail a monomorphization mechanism to allow to use polymorphism in SMT-LIB syntax while retaining a monomorphic solver core.
Conference Paper
tla + is a specification language, mainly intended for concurrent and distributed systems. Its non-temporal fragment is based on a variant of (untyped) zf set theory. Motivated by the integration of the tla + Proof System with smt solvers or similar tools based on multi-sorted first-order logic, we define a type system for tla + and we prove its soundness. The system includes refinement types, which fit naturally in set theory. Combined with dependent function types, we obtain type annotations on top of an untyped specification language, getting the best of both the typed and untyped approaches. After implementing the type inference algorithm, we show that the resulting typing discipline improves the verification capabilities of the proof system.
Article
Since distributed systems are inherently concurrent and asynchronous, it is a challenge for us to verify distributed systems. MSVL is a useful temporal logic programming language and its axiomatic system has been established. However, the axiomatic system of MSVL lacks mechanisms to manage asynchronous communication, which makes it cannot deal with distributed systems. Thus, to verify distributed systems with MSVL in a deductive way, this paper is motivated to extend the axiomatic system of MSVL with new axioms for asynchronous communication. To this end, firstly we formalize state axioms regarding asynchronous communication commands and then prove the soundness and completeness. Further, to demonstrate how the extended axiomatic system of MSVL works for distributed systems, we apply it to the well-known Ricart-Agrawala (RA) algorithm, which is a distributed mutual exclusion algorithm and has an infinite state space. To do this, we model the RA algorithm with MSVL, specify the desired properties and then verify an instance of the RA algorithm with respect to the first-come-first-served property.
Article
Formal development in Event-B generally requires the validation of a large number of proof obligations. Some tools automatically discharge a significant part of them, thus augmenting the efficiency of the formal development. We here investigate the use of SMT (Satisfiability Modulo Theories) solvers in addition to the traditional tools, and detail the techniques used for the cooperation between the Rodin platform and SMT solvers. Our contribution is the definition of a translation of Event-B proof obligations to the language of SMT solvers, its implementation in a Rodin plug-in, and an experimental evaluation on a large sample of industrial and academic projects. On this domain, adding SMT solvers to Atelier B provers reduces significantly the number of sequents that need to be proved interactively.
Article
Full-text available
Based on our experience with the development of Alt-Ergo, we show the small number of modifications needed to bring parametric polymorphism to our SMT solver. The first one occurs in the typing module where unification is now necessary for solving polymorphic constraints over types. The second one consists in extending triggers' definition in order to deal with both term and type variables. Last, the matching module must be modified to account for the instantiation of type variables. We hope that this experience is convincing enough to raise interest for polymorphism in the SMT community.
Article
Full-text available
Proof reconstruction is a technique that combines an interactive theorem prover and an automatic one in a sound way, so that users benefit from the expressiveness of the first tool and the automation of the latter. We present an implementation of proof reconstruction for first-order logic and set-theoretical constructions between the interactive theorem prover Isabelle and the automatic SMT prover haRVey.
Article
Full-text available
PROB is a model checker for high-level B and Event-B models based on constraint-solving. In this paper we investigate alternate approaches for validating high-level B models using alternative techniques and tools based on using BDDs, SAT-solving and SMT-solving. In particular, we examine whether PROB can be comple-mented or even supplanted by using one of the tools BDDBDDB, Kodkod or SAL.
Conference Paper
Full-text available
Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and analysis applications.
Conference Paper
Full-text available
Catching bugs in programs is difficult and time-consuming. The effort of debugging and proving correct even small units of code can surpass the effort of programming. Bugs inserted while “programming in the small” can have dramatic consequences for the consistency of a whole software system as shown, e.g., by viruses which can spread by exploiting buffer overflows, a bug which typically arises while coding a small portion of code. To detect this kind of errors, many verification techniques have been put forward such as static analysis and model checking.
Conference Paper
Full-text available
Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from Boolean variables and operations. SMT solvers have a wide range of applications in hardware and software verification, extended static checking, constraint solving, planning, scheduling, test case generation, and computer security. We briefly survey the theory of SAT and SMT solving, and present some of the key algorithms in the form of pseudocode. This tutorial presentation is primarily directed at those who wish to build satisfiability solvers or to use existing solvers more effectively.
Conference Paper
Full-text available
This is the first system description of the Barcelogic SMT solver, which implements all techniques that our group has been developing over the last four years as well as state-of-the-art features developed by other research groups. We pay special attention to the theory solvers and to functionalities that are not common in SMT solvers.
Conference Paper
Full-text available
At CAV’04 we presented the DPLL(T) approach for satisfiability modulo theories T. It is based on a general DPLL(X) engine whose X can be instantiated with different theory solvers Solver T for conjunctions of literals. Here we go one important step further: we require Solver T to be able to detect all input literals that are T-consequences of the partial model that is being explored by DPLL(X). Although at first sight this may seem too expensive, we show that for difference logic the benefits compensate by far the costs. Here we describe and discuss this new version of DPLL(T), the DPLL(X) engine, and our Solver T for difference logic. The resulting very simple DPLL(T) system importantly outperforms the existing techniques for this logic. Moreover, it has very good scaling properties: especially on the larger problems it gives improvements of orders of magnitude w.r.t. the existing state-of-the-art tools.
Conference Paper
Full-text available
This article describes the first public version of the satisfiability modulo theory (SMT) solver veriT. It is open-source, proof-producing, and complete for quantifier-free formulas with uninterpreted functions and difference logic on real numbers and integers.
Article
Full-text available
We present a technique to prove invariants of model-based specications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by their characteristic function which, in turn, is encoded by an array of Booleans indexed on the elements of the set. A theorem proving procedure automating the verication of the proof obligations obtained by the translation is described. Furthermore, we discuss how a sub-formula can be extracted from a failed proof attempt and used by a model finder to build a counter-example. To be concrete, we use a B specification of a simple process scheduler on which we illustrate our technique.
Article
Sets, lists, and maps are elementary data structures used in most programs. Program analysis tools therefore need to decide verication conditions containing variables of such types. We propose a new theory for the SMT-Lib standard as the standard format for such formulae.
Article
This paper describes how Yices, a SAT Modulo theories solver, can be used to analyze the address-book problem ex-pressed in Alloy, a first-order relational logic with transitive closure. Current analysis of Alloy models – as performed by the Alloy Analyzer – is based on SAT solving and thus, is done only with respect to finitized types. Our analysis gener-alizes this approach by taking advantage of the background theories available in Yices, and avoiding type finitization when possible. Consequently, it is potentially capable of proving that an assertion is a tautology – a capability com-pletely missing from the Alloy Analyzer. This paper also reports on our experimental results that compare the per-formance of our analysis to that of the Alloy Analyzer for various versions of the address book problem.
Article
The SMT-LIB initiative is an international effort, coordinated by these authors and supported by several research groups world-wide, with the main goal of producing an extensive on-line library of benchmarks for satisfiability modulo theories. This paper defines syntax and semantics of the language used by SMT-LIB for writing theory specifications and benchmarks.
Article
SMT stands for Satisfiability Modulo Theories. An SMT solver decides the satisfiability of propositionally complex formulas in theories such as arithmetic and uninterpreted functions with equality. SMT solving has numerous applications in auto-mated theorem proving, in hardware and software verification, and in scheduling and planning problems. This paper describes Yices, an efficient SMT solver developed at SRI International. Yices supports a rich combination of first-order theories that occur frequently in soft-ware and hardware modeling: arithmetic, uninterpreted functions, bit vectors, arrays, recursive datatypes, and more. Beyond pure SMT solving, Yices can solve weighted MAX-SMT problems, compute unsatisfiable cores, and construct models. Yices is the main decision procedure used by the SAL model checking environment, and it is be-ing integrated to the PVS theorem prover. As a MAX-SMT solver, Yices is the main component of the probabilistic consistency engine used in SRI's CALO system.
Conference Paper
Software development in B and Event-B generates proof obligations that have to be discharged using theorem provers. The cost of such developments therefore depends directly on the degree of automation and efficiency of theorem proving techniques for the logics in which these lemmas are expressed. This paper presents and formalizes an approach to transform a class of proof obligations generated in the Rodin platform in a language that can be addressed by state-of-the-art SMT solvers. The work presented in the paper handles proof obligations with Booleans, integer arithmetics and basic sets.
Conference Paper
CVC3, a joint project of NYU and U Iowa, is the new and latest version of the Cooperating Validity Checker. CVC3 extends and builds on the functionality of its predecessors and includes many new features such as support for additional theories, an abstract architecture for Boolean reasoning, and SMT-LIB compliance. We describe the system and discuss some applications and continuing work.
Conference Paper
The design of decision procedures for first-order theories and their combinations has been a very active research subject for thirty years; it has gained practical importance through the development of SMT (satisfiability modulo theories) solvers. Most results concentrate on combining decision procedures for data structures such as theories for arrays, bitvectors, fragments of arithmetic, and uninterpreted functions. In particular, the well-known Nelson-Oppen scheme for the combination of decision procedures requires the signatures to be disjoint and each theory to be stably infinite; every satisfiable set of literals in a stably infinite theory has an infinite model. In this paper we consider some of the best-known decidable fragments of first-order logic with equality, including the Löwenheim class (monadic FOL with equality, but without functions), Bernays-Schönfinkel-Ramsey theories (finite sets of formulas of the form ∃ * ∀ *ϕ, where ϕ is a function-free and quantifier-free FOL formula), and the two-variable fragment of FOL. In general, these are not stably infinite, and the Nelson-Oppen scheme cannot be used to integrate them into SMT solvers. Noticing some elementary results about the cardinalities of the models of these theories, we show that they can nevertheless be combined with almost any other decidable theory.
Conference Paper
Satisfiability Modulo Theories (SMT) is about checking the satis- fiability of logical formulas over one or more theories. The problem draws on a combination of some of the most fundamental areas in computer science. It combines the problem of Boolean satisfiability with domains, such as, those studied in convex optimization and term- manipulating symbolic systems. It also draws on the most prolific problems in the past century of symbolic logic: the decision problem, completeness and incompleteness of logical theories, and finally com- plexity theory. The problem of modularly combining special purpose algorithms for each domain is as deep and intriguing as finding new algorithms that work particularly well in the context of a combina- tion. SMT also enjoys a very useful role in software engineering. Mod- ern software, hardware analysis and model-based tools are increasingly complex and multi-faceted software systems. However, at their core is invariably a component using symbolic logic for describing states and transformations between them. A well tuned SMT solver that takes into account the state-of-the-art breakthroughs usually scales orders of magnitude beyond custom ad-hoc solvers.
Article
A method for combining decision procedures for several theories into a single decision procedure for their combination is described, and a simplifier based on this method is discussed. The simplifier finds a normal form for any expression formed from individual variables, the usual Boolean connectives, the equality predicate =, the conditional function if-then-else, the integers, the arithmetic functions and predicates +, -, and ≤, the Lisp functions and predicates car, cdr, cons, and atom, the functions store and select for storing into and selecting from arrays, and uninterpreted function symbols. If the expression is a theorem it is simplified to the constant true, so the simplifier can be used as a decision procedure for the quantifier-free theory containing these functions and predicates. The simplifier is currently used in the Stanford Pascal Verifier.
Article
The notion of the congruence closure of a relation on a graph is defined and several algorithms for computing it are surveyed. A simple proof is given that the congruence closure algorithm provides a decision procedure for the quantifier-free theory of equality. A decision procedure is then given for the quantifier-free theory of LISP list structure based on the congruence closure algorithm. Both decision procedures determine the satisfiability of a conjunction of literals of length n in average time O(n log n) using the fastest known congruence closure algorithm. It is also shown that if the axiomatization of the theory of list structure is changed slightly, the problem of determining the satisfiability of a conjunction of literals becomes NP-complete. The decision procedures have been implemented in the authors' simplifier for the Stanford Pascal Verifier.
Article
We present ProB, a validation toolset for the B method. ProB's automated animation facilities allow users to gain confidence in their specifications. ProB also contains a model checker and a refinement checker, both of which can be used to detect various errors in B specifications. We describe the underlying methodology of ProB, and present the important aspects of the implementation. We also present empirical evaluations as well as several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools.
Satisfiability modulo theories: an appetizer Formal Methods: Foundations and Applications
  • L De Moura
  • N Bjørner
L. de Moura, N. Bjørner, Satisfiability modulo theories: an appetizer, in: M.V.M. Oliveira, J. Woodcock (Eds.), Formal Methods: Foundations and Applications, in: Lecture Notes in Computer Science, vol. 5902, Springer, Berlin, Heidelberg, 2009, pp. 23–36. URL: http://www.springerlink.com/ index/10.1007/978-3-642-10452-7.
Combinations of theories for decidable fragments of first-order logic, in: 7th International Symposium on Frontiers of Combining Systems, FroCoS'09
  • P Fontaine
P. Fontaine, Combinations of theories for decidable fragments of first-order logic, in: 7th International Symposium on Frontiers of Combining Systems, FroCoS'09, in: Lecture Notes in Computer Science, vol. 5749, Springer, 2009, pp. 263–278.
User Manual Version 4.0. Clearsy System Engineering
  • Clearsy
  • Atelier
ClearSy, Atelier B User Manual Version 4.0. Clearsy System Engineering, 2009. URL: http://www.atelierb.eu.
{RODIN} (Rigorous open Development Environment for Complex Systems), in: Fifth European Dependable Computing Conference: EDCC-5 supplementary volume
  • J Coleman
  • C Jones
  • I Oliver
  • A Romanovsky
  • E Troubitsyna
J. Coleman, C. Jones, I. Oliver, A. Romanovsky, E. Troubitsyna, {RODIN} (Rigorous open Development Environment for Complex Systems), in: Fifth European Dependable Computing Conference: EDCC-5 supplementary volume, 2005, pp. 23–26.
Abstract State Machines, Alloy, B and Z, Second International Conference
  • D Déharbe
D. Déharbe, Automatic verification for a class of proof obligations with SMT-solvers, in: M. Frappier, G. Uwe, K. Sarfraz, R. Laleau, S. Reeves (Eds.), Abstract State Machines, Alloy, B and Z, Second International Conference, ABZ 2010, Orford, QC, Canada, February 22–25, 2010. Proceedings, in: Lecture Notes in Computer Science, vol. 1, Springer Verlag, 2010, pp. 217–230. URL: http://dx.doi.org/10.1007/978-3-642-11811-1 17.
The SMT-LIB Standard Version 2
  • C Barrett
  • A Stump
  • C Tinelli
C. Barrett, A. Stump, C. Tinelli, The SMT-LIB Standard Version 2.0, 2010. URL: http://goedel.cs.uiowa.edu/smtlib/papers/smt-lib-reference-v2.0-r10.03.30.pdf.
A formal definition of {VDM-SL}, Tech. Rep
  • H Bruun
  • F Damm
  • J Dawes
  • B Hansen
  • P Larsen
  • G Parkin
  • N Plat
BDDs for validation of B models. lessons and outlook
  • D Plagge
  • M Leuschel
  • I Lopatkin
  • A Romanovsky
  • Sal
  • Kodkod