## Symbolic Bounded Model Checking of Abstract State Machines (2009)

Citations: 4 (4 self)

### BibTeX

```bibtex
@MISC{Bjørner09symbolicbounded,
  author = {Nikolaj Bjørner and Yuri Gurevich and Wolfram Schulte and Margus Veanes},
  title  = {Symbolic Bounded Model Checking of Abstract State Machines},
  year   = {2009}
}
```

### Abstract

Abstract State Machines (ASMs) allow modeling system behaviors at any desired level of abstraction, including a level with rich data types, such as sets or sequences. The availability of high-level data types allows state elements to be represented both abstractly and faithfully at the same time. AsmL is a rich ASM-based specification and programming language. In this paper we look at symbolic analysis of model programs written in AsmL with a background T of linear arithmetic, sets, tuples, and maps. We first provide a rigorous account of the update semantics of AsmL in terms of T, and formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability modulo T problem. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable: it is effectively equivalent to satisfiability in second-order Peano arithmetic with sets (Σ¹₁-complete); and even when restricting to finite sets the problem is as hard as the halting problem of

### Citations

837 | Theory of recursive functions and effective computability
- Rogers
- 1967
Citation Context: ...rd under these restrictions. 3.2 Σ¹₁-completeness of BMPC. Here we consider the general case of BMPC. Intuitively, Σ¹₁ corresponds to second-order Peano arithmetic with unary relations or sets. See [28] for a precise definition of the analytical hierarchy, including Σ¹₁. For Σ¹₁-hardness we can use the following theorem. The problem in [20] is stated in terms of validity, which is Π¹₁-comple...

705 | Symbolic model checking without BDDs
- Biere, Cimatti, et al.
- 1999
Citation Context: ...th uninterpreted function symbols and linear arithmetic is used in [24] for constructing interpolants for these theories. The technique of bounded model checking by using SAT solving was pioneered in [4] and the extension to SMT was introduced in [2]. Besides Z3 [11], other SMT solvers that support arrays and sets are described in [3, 30, 12]. Acknowledgments. We thank Wolfgang Reisig for many valuabl...

597 | Counterexample-Guided Abstraction Refinement
- Clarke, Grumberg, et al.
Citation Context: ...heme discussed in [35] is inspired by [9], and extends it by using model checking to implement an efficient incremental saturation procedure on top of Z3. The saturation procedure is similar to CEGAR [10]; the main difference is that we do not refine the level of abstraction, but instead lazily instantiate axioms in case their use has not been triggered during proof search. Implementation of the reduc...

417 | Z3: An efficient SMT solver
- Moura, Bjørner
- 2008
Citation Context: ...tements reduces to satisfiability in T≺. Chapter 5 Related work. Preliminary versions of some of the results in this paper have appeared in [31, 33, 34]. We use the state-of-the-art SMT solver Z3 [11] for our experiments. Our current experiments use a lazy quantifier instantiation scheme that is on one hand not limited to basic model programs, but is on the other hand also not complete for basic m...

264 | The classical decision problem
- Börger, Grädel, et al.
- 1997

238 | A Really Temporal Logic
- Alur, Henzinger
- 1994
Citation Context: ...local to a single step, and do not carry over from one step to the next. Example 9. Let P be the Topsort model program, let ϕ be V = ∅ and let k be 2. Then BRF(P,ϕ,k) = true ∧ P0 ∧ P1 ∧ (V[0] = ∅ ∨ V[1] = ∅ ∨ V[2] = ∅), where Pi = action[i] = Step(v[i]) ∧ v[i] ∈ V[i] ∧ ¬(∃w (w ∈ V ∧ 〈w,v[i]〉 ∈ E[i])) ∧ V[i + 1] = V[i] \ {v[i]} ∧ E[i + 1] = E[i] \ {〈v[i],w〉 | w ∈ V[i]}. Some model programs may r...

182 | A Fast Linear-Arithmetic Solver for DPLL(T)
- Dutertre, Moura
- 2006

95 | Super-exponential complexity of Presburger arithmetic
- Fischer, Rabin
- 1974
Citation Context: ... is a valid well-founded order of all the set variables. Thus ψ is in T≺. Decidability follows from the reduction of T≺ to linear or Presburger arithmetic and decidability of Presburger arithmetic [13]. ⊠ The following result follows from the proof of Theorem 4 and the construction of the canonical representation of an ASM as a model program (Definition 3). Bounded inconsistency checking of ASMs is...

88 | What's decidable about arrays
- Bradley, Manna, et al.
Citation Context: ...del programs, but is on the other hand also not complete for basic model programs; some of the implementation aspects are discussed in [35]. In particular, the scheme discussed in [35] is inspired by [9], and extends it by using model checking to implement an efficient incremental saturation procedure on top of Z3. The saturation procedure is similar to CEGAR [10]; the main difference is that we do n...

74 | A decision procedure for an extensional theory of arrays
- Stump, Barrett, et al.
- 2001

73 | Lazy Theorem Proving for Bounded Model Checking over Infinite Domains
- Moura, Rueß, et al.
- 2002
Citation Context: ...ithmetic is used in [25] for constructing interpolants for these theories. The technique of bounded model checking by using SAT solving was pioneered in [4] and the extension to SMT was introduced in [12]; a related approach was proposed in [2]. Besides Z3 [11], other SMT solvers that support arrays and sets are described in [3, 31, 13]. Acknowledgments. We thank Wolfgang Reisig for many valuable comme...

68 | Generating finite state machines from abstract state machines
- Grieskamp, Gurevich, et al.
Citation Context: ...explicit state model checking and search techniques [23, 32]. The unbounded reachability problem for model programs without comprehensions and with parameterless actions is shown to be undecidable in [14], where it is called the hyperstate reachability problem. General reachability problems for transition systems are discussed in [29], where the main results are related to guarded assignment systems. T...

67 | A rewriting approach to satisfiability procedures
- Armando, Ranise, et al.

33 | Semantic essence of AsmL
- Gurevich, Rossman, et al.
Citation Context: ...s high-level specifications in model-based testing tools such as Spec Explorer [32] and NModel [26]. In Spec Explorer, one of the supported input languages is the abstract state machine language AsmL [16, 17]. In that context, sanity checking or validation of model programs is usually achieved through simulation and explicit state model checking and search techniques [23, 32]. The unbounded reachability p...

32 | Software Abstractions
- Jackson
- 2006
Citation Context: ...to deal with undefined values in specifications. In many of those formalisms, frame conditions need to be specified explicitly, and are not implicit as in the case of model programs or ASMs. In Alloy [22], the analysis is reduced to SAT by finitizing the data types. In our case the analysis is reduced to SMT, and rather than bounding the size of the data, the search depth is bounded. Traditional unty...

29 | Model-based Software Testing and Analysis with C#. Cambridge University Press, 2008
- Jacky
Citation Context: ...t state machine language AsmL [16, 17]. In that context, sanity checking or validation of model programs is usually achieved through simulation and explicit state model checking and search techniques [23, 32]. The unbounded reachability problem for model programs without comprehensions and with parameterless actions is shown to be undecidable in [14], where it is called the hyperstate reachability problem...

27 | Propositional dynamic logic of nonregular programs
- Harel, Pnueli, et al.
- 1983
Citation Context: ...sits its initial state infinitely often. The recurrence problem of Turing machines is the problem of deciding if a Turing machine recurs. The following result is also used in [20]. Harel-Pnueli-Stavi Theorem [21]. The recurrence problem of Turing machines is Σ¹₁-complete. The Harel-Pnueli-Stavi Theorem holds also for 2-register machines, since one can effectively transform a Turing machine T into a 2-register ma...

26 | Bounded model checking of software using SMT solvers instead of SAT solvers
- Armando, Mantovani, et al.
Citation Context: ...ingle step, and do not carry over from one step to the next. Example 9. Let P be the Topsort model program, let ϕ be V = ∅ and let k be 2. Then BRF(P,ϕ,k) = true ∧ P0 ∧ P1 ∧ (V[0] = ∅ ∨ V[1] = ∅ ∨ V[2] = ∅), where Pi = action[i] = Step(v[i]) ∧ v[i] ∈ V[i] ∧ ¬(∃w (w ∈ V ∧ 〈w,v[i]〉 ∈ E[i])) ∧ V[i + 1] = V[i] \ {v[i]} ∧ E[i + 1] = E[i] \ {〈v[i],w〉 | w ∈ V[i]}. Some model programs may reach states ...

26 | An algorithm for deciding BAPA: Boolean Algebra with Presburger Arithmetic
- Kuncak, Nguyen, et al.
- 2005
Citation Context: ...perstate reachability problem. General reachability problems for transition systems are discussed in [29], where the main results are related to guarded assignment systems. The decidable fragment BAPA [25] is an extension of Boolean algebra with Presburger arithmetic. The sets in BAPA are finite and bounded by a maximum size, and the cardinality operator is allowed. Comprehensions are not possible an...

22 | Interpolation for data structures
- Kapur, Majumdar, et al.
- 2006
Citation Context: ...rdness of the satisfiability problem for T. The reduction of the theories of arrays, sets and multisets to the theory of equality with uninterpreted function symbols and linear arithmetic is used in [24] for constructing interpolants for these theories. The technique of bounded model checking by using SAT solving was pioneered in [4] and the extension to SMT was introduced in [2]. Besides Z3 [11], ot...

21 | Using first-order theorem provers in the Jahob data structure verification system
- Bouillaguet, Kuncak, et al.
- 2007
Citation Context: ...ps, and there is a specific Undef element in the universe to deal with partial functions (for Booleans the Undef value is false). The data structures that are allowed in the Jahob verification system [8] also allow sets and set operations. The algorithm described in Section 4 is similar, in some parts, to the translation scheme described in [8, Appendix B]. Their translation leads to a first-order fo...

19 | Model-Based Quality Assurance of Windows Protocol Documentation
- Grieskamp, Kicillof, et al.
- 2008
Citation Context: ...Such specifications are used to describe protocol-like behavior of software systems. In particular, at Microsoft, model programs are used as an integral part of the protocol quality assurance process [15] for model-based testing of public application-level network protocols. Correctness assumptions about a model can be expressed through (state) invariants. A state where an invariant is violated is uns...

19 | Model-Based Testing of Object-Oriented Reactive Systems with Spec Explorer. Formal Methods and Testing
- Veanes, Campbell, et al.
- 2008
Citation Context: ... procedure of T≺, but can take advantage of built-in support for Ite terms, sets, and tuples. Model programs are used as high-level specifications in model-based testing tools such as Spec Explorer [33] and NModel [27]. In Spec Explorer, one of the supported input languages is the abstract state machine language AsmL [17, 18]. In that context, sanity checking or validation of model programs is usual...

17 | Presburger arithmetic with unary predicates is Π¹₁ complete
- Halpern
- 1991
Citation Context: ...r Peano arithmetic with unary relations or sets. See [29] for a precise definition of the analytical hierarchy, including Σ¹₁. For Σ¹₁-hardness we can use the following theorem. The problem in [21] is stated in terms of validity, which is Π¹₁-complete. [Figure 3.2: Infinite shifted pairing; used in the ...]

15 | Background, Reserve, and Gandy Machines
- Blass, Gurevich
- 2000
Citation Context: ...itizing the data types. In our case the analysis is reduced to SMT, and rather than bounding the size of the data, the search depth is bounded. Traditional untyped ASMs often assume a rich background [6] that includes hereditarily finite sets and maps, and there is a specific Undef element in the universe to deal with partial functions (for Booleans the Undef value is false). The data structures that...

13 | Evolving Algebras 1993: Lipari Guide. In Specification and Validation Methods
- Gurevich
Citation Context: ...programs; 5 Related work. Chapter 1 Introduction. We look at behavioral specifications given by a finite set of model programs. Here model programs are used to represent abstract state machines [16] (ASMs). Such specifications are used to describe protocol-like behavior of software systems. In particular, at Microsoft, model programs are used as an integral part of the protocol quality assurance...

12 | An SMT Approach to Bounded Reachability Analysis of Model Programs
- Veanes, Bjørner, et al.
- 2008
Citation Context: ...on of elements in a single atomic step, rather than one element at a time, in a loop. The satisfiability modulo theories (SMT) based symbolic bounded model checking of model programs is introduced in [31]. The problem is shown to be undecidable in [33] provided that set-valued action parameters are allowed, and decidable for basic model programs, where set-valued action parameters are disallowed. Here...

11 | Decision procedures for multisets with cardinality constraints
- Piskac, Kuncak
- 2008
Citation Context: ...n is not allowed, i.e. integers and sets can only be related through the cardinality operator. A decidable fragment of bag (multiset) constraints combined with summation constraints is considered in [27], where summation constraints can be used to express set cardinality. Sets and maps are used as foundational data structures in many modeling and analysis methods such as RAISE, Z, TLA+, B; see [5]. Th...

8 | A logical reconstruction of reachability
- Rybina, Voronkov
- 2003
Citation Context: ...nsions and with parameterless actions is shown to be undecidable in [14], where it is called the hyperstate reachability problem. General reachability problems for transition systems are discussed in [29], where the main results are related to guarded assignment systems. The decidable fragment BAPA [25] is an extension of Boolean algebra with Presburger arithmetic. The sets in BAPA are finite and bo...

5 | Logic with equality: Partisan corroboration, and shifted pairing
- Gurevich, Veanes
- 1999
Citation Context: ...altsM be the following formula (where X is a variable with the sort S(Z × (Z × Z × Z) × (Z × Z × Z)) and l is a variable of sort Z). The construction of haltsM is based on the idea of shifted pairing [19], see Figure 3.1. haltsM(m,n) =def X = {〈j,x,y〉 | 〈j,x,y〉 ∈ X ∧ STEPM(x,y) ∧ 0 ≤ j < l} ∧ {〈π0(z),π1(z)〉 | z ∈ X} ∪ {〈l, 〈k,0,0〉〉} = {〈0, 〈1,m,n〉〉} ∪ {〈π0(z) + 1,π2(z)〉 | z ∈ X}. Theorem 2. Given M, m ...

4 | NModel public version released
- 2008
Citation Context: ...≺, but can take advantage of built-in support for Ite terms, sets, and tuples. Model programs are used as high-level specifications in model-based testing tools such as Spec Explorer [32] and NModel [26]. In Spec Explorer, one of the supported input languages is the abstract state machine language AsmL [16, 17]. In that context, sanity checking or validation of model programs is usually achieved thro...

4 | Bounded reachability of model programs
- Veanes, Saabas, et al.
- 2008
Citation Context: ...n in practice. Recall the definition of a basic model program (Definition 2). In most common situations, actions only use parameters that have basic sorts; see for example the Credits model sample in [35]. Moreover, the initial state is usually required to have fixed initial values for all state variables. We may assume, without loss of generality, that there is a special additional "initialization" a...

4 | Partial Updates
- Gurevich, Tillmann
- 2005
Citation Context: ...tency checking and we can think of such AsmL models as direct representations of model programs. AsmL also allows a mixture of both modeling styles. This is supported by the theory of partial updates [19], which is outside the scope of this paper. Typically, in a model program written in AsmL the initial state is given by the initializers of the state variables. In the model program in Example 1, howe...

3 | On bounded reachability of programs with set comprehensions. LPAR'08, volume 5330 of LNAI
- Veanes, Saabas
- 2008
Citation Context: ...han one element at a time, in a loop. The satisfiability modulo theories (SMT) based symbolic bounded model checking of model programs is introduced in [31]. The problem is shown to be undecidable in [33] provided that set-valued action parameters are allowed, and decidable for basic model programs, where set-valued action parameters are disallowed. Here we provide a detailed proof of the undecidabili...

2 | Using satisfiability modulo theories to analyze abstract state machines (abstract)
- Veanes, Saabas
- 2008
Citation Context: ...not allow nesting of choose statements within forall statements reduces to satisfiability in T≺. Chapter 5 Related work. Preliminary versions of some of the results in this paper have appeared in [31, 33, 34]. We use the state-of-the-art SMT solver Z3 [11] for our experiments. Our current experiments use a lazy quantifier instantiation scheme that is on one hand not limited to basic model programs, but is...

1 | Partial updates
- Gurevich, Tillmann
- 1999
Citation Context: ...tency checking and we can think of such AsmL models as direct representations of model programs. AsmL also allows a mixture of both modeling styles. This is supported by the theory of partial updates [18], which is outside the scope of this paper. Typically, in a model program written in AsmL the initial state is given by the initializers of the state variables. In the model program in Example 1, howe...