Results 1-10 of 25
Lazy Satisfiability Modulo Theories
Journal on Satisfiability, Boolean Modeling and Computation 3 (2007) 141-224, 2007
Cited by 189 (50 self)
Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a first-order formula with respect to some decidable first-order theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingly important due to its applications in many domains in different communities, in particular in formal verification. An amount of papers with novel and very efficient techniques for SMT has been published in the last years, and some very efficient SMT tools are now available. Typical SMT (T) problems require testing the satisfiability of formulas which are Boolean combinations of atomic propositions and atomic expressions in T, so that heavy Boolean reasoning must be efficiently combined with expressive theory-specific reasoning. The dominating approach to SMT (T), called lazy approach, is based on the integration of a SAT solver and of a decision procedure able to handle sets of atomic constraints in T (T-solver), handling respectively the Boolean and the theory-specific components of reasoning. Unfortunately, neither the problem of building an efficient SMT solver, nor even that
MCMT: A Model Checker Modulo Theories
In Proc. of IJCAR 2010, LNCS, 2010
Cited by 20 (11 self)
Abstract. We describe mcmt, a fully declarative and deductive symbolic model checker for safety properties of infinite state systems whose state variables are arrays. Theories specify the properties of the indexes and the elements of the arrays. Sets of states and transitions of a system are described by quantified first-order formulae. The core of the system is a backward reachability procedure which symbolically computes pre-images of the set of unsafe states and checks for safety and fixpoints by solving Satisfiability Modulo Theories (SMT) problems. Besides standard SMT techniques, efficient heuristics for quantifier instantiation, specifically tailored to model checking, are at the very heart of the system. mcmt has been successfully applied to the verification of imperative programs, parametrised, timed, and distributed systems.
Automatic Verification of Integer Array Programs
2009
Cited by 11 (2 self)
Abstract. We provide a verification technique for a class of programs working on integer arrays of finite, but not a priori bounded length. We use the logic of integer arrays SIL [13] to specify pre- and postconditions of programs and their parts. Effects of non-looping parts of code are computed syntactically on the level of SIL. Loop preconditions derived during the computation in SIL are converted into counter automata (CA). Loops are automatically translated—purely on the syntactical level—to transducers. Precondition CA and transducers are composed, and the composition over-approximated by flat automata with difference bound constraints, which are next converted back into SIL formulae, thus inferring postconditions of the loops. Finally, validity of postconditions specified by the user in SIL may be checked as entailment is decidable for SIL.
Goal-directed Invariant Synthesis for Model Checking Modulo Theories
2009
Cited by 9 (9 self)
Abstract. We are interested in automatically proving safety properties of infinite state systems. We present a technique for invariant synthesis which can be incorporated in backward reachability analysis. The main theoretical result ensures that (under suitable hypotheses) our method is guaranteed to find an invariant if one exists. We also discuss heuristics that allow us to derive an implementation of the technique showing remarkable speedups on a significant set of safety problems in parametrised systems. © Springer-Verlag 2009
Light-Weight SMT-based Model-Checking
In AVOCS 07-08, ENTCS, 2008
Cited by 8 (8 self)
Recently, the notion of an array-based system has been introduced as an abstraction of infinite state systems (such as mutual exclusion protocols or sorting programs) which allows for model checking of invariant (safety) and recurrence (liveness) properties by Satisfiability Modulo Theories (SMT) techniques. Unfortunately, the use of quantified first-order formulae to describe sets of states makes fixpoint checking extremely expensive. In this paper, we show how invariant properties for a subclass of array-based systems can be model-checked by a backward reachability algorithm where the length of quantifier prefixes is efficiently controlled by suitable heuristics. We also present various refinements of the reachability algorithm that allow it to be easily implemented in a client-server architecture, where a “lightweight” algorithm is the client generating proof obligations for safety and fixpoint checks and an SMT solver plays the role of the server discharging the proof obligations. We also report on some encouraging preliminary experiments with a prototype implementation of our approach.
Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies
In ASIACCS, 2011
Cited by 8 (3 self)
Automated techniques for the security analysis of Role-Based Access Control (RBAC) access control policies are crucial for their design and maintenance. The definition of administrative domains by means of attributes attached to users makes the RBAC model easier to use in real scenarios but complicates the development of security analysis techniques, which should be able to modularly reason about a wide range of attribute domains. In this paper, we describe an automated symbolic security analysis technique for administrative attribute-based RBAC policies. A class of formulae of first-order logic is used as an adequate symbolic representation for the policies and their administrative actions. State-of-the-art automated theorem proving techniques are used (off-the-shelf) to mechanize the security analysis procedure. Besides discussing the assumptions for the effectiveness and termination of the procedure, we demonstrate its efficiency through an extensive empirical evaluation.
Model Checking Modulo Theory at work: the integration of Yices in MCMT
In AFM (co-located with CAV09), 2009
Cited by 7 (7 self)
Recently, the notion of an array-based system has been introduced as an abstraction of infinite state systems (such as parametrised systems) which allows for model checking safety properties by SMT solving. Unfortunately, the use of quantified first-order formulae to describe sets of states makes checking for fixpoint and unsafety extremely expensive. In this paper, we describe (static and dynamic) techniques to overcome this problem which have been implemented in the (declarative) model checker mcmt. We describe how such techniques have been combined with Yices (the back-end SMT solver) and discuss some interesting experimental results.
What’s Decidable About Sequences?
2010
Cited by 6 (3 self)
We present a first-order theory of sequences with integer elements, Presburger arithmetic, and regular constraints, which can model significant properties of data structures such as arrays and lists. We give a decision procedure for the quantifier-free fragment, based on an encoding into the first-order theory of concatenation; the procedure has PSPACE complexity. The quantifier-free fragment of the theory of sequences can express properties such as sortedness and injectivity, as well as Boolean combinations of periodic and arithmetic facts relating the elements of the sequence and their positions (e.g., “for all even i’s, the element at position i has value i + 3 or 2i”). The resulting expressive power is orthogonal to that of the most expressive decidable logics for arrays. Some examples demonstrate that the fragment is also suitable to reason about sequence-manipulating programs within the standard framework of axiomatic
MCMT in the land of parameterized timed automata
In Proc. of VERIFY 2010, 2010
Cited by 4 (0 self)
Timed networks are parametrised systems of timed automata. Solving reachability problems for this class of systems allows one to prove safety properties regardless of the number of processes in the network. Usually, these problems are attacked in the following way: the number n of processes in the network is fixed and a tool for timed automata (like Uppaal) is used to check the desired property for increasing values of n. In this paper, we explain how to deal with fully parametric reachability problems for timed networks by translation into the declarative input language of MCMT, a model checker for infinite state systems based on Satisfiability Modulo Theories techniques. We show the success of our approach on a number of standard algorithms, such as the Fischer protocol. Preliminary experiments show that fully parametric problems can be more easily solved by MCMT than their instances for a fixed (and large) number of processes by other systems.
Cubicle: A Parallel SMT-based Model Checker for Parameterized Systems (Tool Paper)
Cited by 3 (1 self)
Abstract. Cubicle is a new model checker for verifying safety properties of parameterized systems. It implements a parallel symbolic backward reachability procedure using Satisfiability Modulo Theories. Experiments done on classic and challenging mutual exclusion algorithms and cache coherence protocols show that Cubicle is effective and competitive with state-of-the-art model checkers.
1 Tool Overview
Cubicle is used to verify safety properties of array-based systems. This is a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes [10]. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems. Cubicle model-checks by a symbolic backward reachability analysis on infinite sets of states represented by specific simple formulas, called cubes. Cubicle is an open source software based on theoretical work in [1] and [11]. It is inspired by and closely related to the model checker MCMT [12], from which, in addition to revealing the implementation details, it mainly differs in a more friendly input language and concurrent architecture. Cubicle is written in OCaml. Its SMT solver is a tightly integrated, lightweight and enhanced version of Alt-Ergo [7]; and its parallel implementation relies on the Functory library [9]. Cubicle is available at