Indexed Predicate Discovery for Unbounded System Verification
In CAV'04, 2004
Predicate abstraction has been proved effective for verifying several infinite-state systems. In predicate abstraction, an abstract system is automatically constructed given a set of predicates. Predicate abstraction coupled with automatic predicate discovery provides for a completely automatic verification scheme. For systems with unbounded integer state variables (e.g. software), counterexample-guided predicate discovery has been successful in identifying the necessary predicates. For
A Hybrid SAT-Based Decision Procedure for Separation Logic with Uninterpreted Functions
In Proc. DAC'03, 2003
SAT-based decision procedures for quantifier-free fragments of first-order logic have proved to be useful in formal verification. These decision procedures are either based on encoding atomic subformulas with Boolean variables, or by encoding integer variables as bit-vectors. Based on evaluating these two encoding methods on a diverse set of hardware and software benchmarks, we conclude that neither method is robust to variations in formula characteristics. We therefore propose a new hybrid technique that combines the two methods. We give experimental results showing that the hybrid method can significantly outperform either approach as well as other decision procedures.
The UCLID Decision Procedure
In CAV'04, 2004
UCLID is a tool for term-level modeling and verification of infinite-state systems expressible in the logic of counter arithmetic with lambda expressions and uninterpreted functions (CLU). In this paper, we describe a key component of the tool, the decision procedure for CLU.
Answer set programming based on propositional satisfiability
Journal of Automated Reasoning, 2006
Answer Set Programming (ASP) emerged in the late 1990s as a new logic programming paradigm which has been successfully applied in various application domains. Also motivated by the availability of efficient solvers for propositional satisfiability (SAT), various reductions from logic programs to SAT were introduced in the past. All these reductions either are limited to a subclass of logic programs, or introduce new variables, or may produce exponentially bigger propositional formulas. In this paper, we present a SAT-based procedure, called ASP-SAT, that (i) deals with any (non-disjunctive) logic program, (ii) works on a propositional formula without additional variables (except for those possibly introduced by the clause form transformation), and (iii) is guaranteed to work in polynomial space. From a theoretical perspective, we prove soundness and completeness of ASP-SAT. From a practical perspective, we have (i) implemented ASP-SAT in Cmodels, (ii) extended the basic procedures in order to incorporate the most popular SAT reasoning strategies, and (iii) conducted an extensive comparative analysis involving also other state-of-the-art answer set solvers. The experimental analysis shows that our solver is competitive with the other solvers we considered, and that the reasoning strategies that work best on “small but hard” problems are ineffective on “big but easy” problems and vice versa.
Constructing Quantified Invariants via Predicate Abstraction
In Conference on Verification, Model Checking and Abstract Interpretation (VMCAI '04), LNCS 2937, 2004
Predicate abstraction provides a powerful tool for verifying properties of infinite-state systems using a combination of a decision procedure for a subset of first-order logic and symbolic methods originally developed for finite-state model checking. We consider models where the system state contains mutable function and predicate state variables. Such a model can describe systems containing arbitrarily large memories, buffers, and arrays of identical processes. We describe a form of predicate abstraction that constructs a formula over a set of universally quantified variables to describe invariant properties of the function state variables. We provide a formal justification of the soundness of our approach and describe how it has been used to verify several hardware and software designs, including a directory-based cache coherence protocol with unbounded FIFO channels.
Automatic Verification of Safety and Liveness for XScale-Like Processor Models Using WEB-Refinements
In Design Automation and Test in Europe, DATE'04, 2003
We show how to automatically verify that a complex XScale-like pipelined machine model is a WEB-refinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEB-refinement proof obligation to a formula in the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). We use UCLID to transform the resulting CLU formula into a CNF formula, which is then checked with a SAT solver. We define several XScale-like models with out-of-order completion, including models with precise exceptions, branch prediction, and interrupts. We use two types of refinement maps. In one, flushing is used to map pipelined machine states to instruction set architecture states; in the other, we use the commitment approach, which is the dual of flushing, since partially completed instructions are invalidated. We present experimental results for all the machines modeled, including verification times. For our application, we found that the SAT solver Siege provides superior performance over Chaff and that the amount of time spent proving liveness when using the commitment approach is less than 1% of the overall verification time, whereas when flushing is employed, the liveness proof accounts for about 10% of the verification time.
Predicate Abstraction with Indexed Predicates
2007
Predicate abstraction provides a powerful tool for verifying properties of infinite-state systems using a combination of a decision procedure for a subset of first-order logic and symbolic methods originally developed for finite-state model checking. We consider models containing first-order state variables, where the system state includes mutable functions and predicates. Such a model can describe systems containing arbitrarily large memories, buffers, and arrays of identical processes. We describe a form of predicate abstraction that constructs a formula over a set of universally quantified variables to describe invariant properties of the first-order state variables. We provide a formal justification of the soundness of our approach and describe how it has been used to verify several hardware and software designs, including a directory-based cache coherence protocol.
Refinement strategies for verification methods based on datapath abstraction
In Asia South Pacific Design Automation Conference (ASP-DAC), 2006
Abstract—In this paper we explore the application of Counterexample-Guided
Refinement Maps for Efficient Verification of Processor Models
In Design Automation and Test in Europe, DATE'05, 2005
While most of the effort in improving verification times for pipelined machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification, and using the state-of-the-art verification tools UCLID and Siege we show that one can attain several orders of magnitude improvements in verification times over the standard flushing-based refinement maps, even enabling the verification of machines that are too complex to otherwise automatically verify.
A complete compositional reasoning framework for the efficient verification of pipelined machines
In ICCAD 2005, International Conference on Computer-Aided Design, 2005
We present a compositional reasoning framework based on refinement for verifying that pipelined machines satisfy the same safety and liveness properties as their instruction set architectures. Our framework consists of a set of convenient, easily applicable, and complete compositional proof rules. We show that our framework greatly extends the applicability of decision procedures by verifying a complex, deeply pipelined machine that state-of-the-art tools cannot currently handle. We discuss how our framework can be added to the design cycle and highlight what arguably is the most important benefit of our approach over current methods: the counterexamples generated are much simpler, as bugs are isolated to a particular step in the composition proof.