# Selected Methods of Model Checking using SAT and SMT-solvers \* Agnieszka M. Zbrzezny IMCS, Jan Długosz University. Al. Armii Krajowej 13/15, 42-200 Częstochowa, Poland. agnieszka.zbrzezny@ajd.czest.pl Abstract. The objectives of this research are to further investigate the foundations for novel SMT and SAT-based bounded model checking (BMC) algorithms for real-time and multi-agent systems. A major part of the research will involve the development of SMT-based BMC methods for standard Kripke structures, extended Kripke structures, and for different kinds of interpreted systems for different kinds of temporal languages, each of which will be augmented to include the standard epistemic and deontic operators. The algorithms will be implemented into several modules of the model checker VerICS (http://verics.ipipan.waw.pl/). **Keywords:** Bounded model checking, SMT, SAT, Temporal Logic, PhD thesis extended abstract #### 1 Introduction Model checking [2] provides algorithmic means of determining whether an abstract model M - representing, for example, a hardware or software project - satisfies a formal specification expressed as a temporal logic formula F. Moreover, if the property does not hold, the method identifies a counterexample execution that shows the source of the problem. Model checking problem has been proposed independently by Quielle and Sifakis [7], and by Clarke and Emerson [5] as a method for automatic and algorithmic verification of finite state concurrent systems, and impressive strides have been made on this problem over the past thirty years. Model checking of real-time [1] and multi-agent systems [6] is a very active field for both theoretical research and practical applications. The practical applicability of model checking in real-time, and multi-agent settings has required the development of sophisticated means of coping with what is known as the state explosion problem. It means that the number of model states grows exponentially in the size of the system representation. To avoid this problem a number of state reduction techniques and symbolic model checking approaches have been developed. <sup>\*</sup> Partly supported by National Science Centre under the grant No. 2014/15/N/ST6/05079. Automated verification of real-time systems (RTS) and multi-agent systems (MAS), performed by the analysis of their models is a very important subject of research. This is highly motivated by an increasing demand to verify safety critical systems, i.e., time-dependent systems, failure of which could cause dramatic consequences for both people and hardware. MAS are open, distributed software systems, in which the individual processes, or agents are rational and autonomous entities engaged in social activities such as communication, coordination, negotiation, cooperation, etc. These systems include robotic surgery machines, nuclear reactor control systems, railway signalling, breaking systems, air traffic control systems, flight planning systems, rocket range launch safety systems, and many others. Humans already benefit a lot from a variety of RTS and MAS, being often unaware of this. Model checking of RTS and MAS is known to be a difficult problem and its practical applicability is strongly limited by the state explosion problem. There is still a lack of efficient methods for RTS and MAS. In view of this, there is an obvious need to develop efficient SMT/SAT-based verification methods which could be used in practice. ## 2 SAT and SMT SAT-based BMC [3] uses a reduction of the problem of truth of a modal formula in a model (transition system) to the problem of satisfiability of formulae of the classical propositional calculus, i.e. SAT-problem. The reduction is achieved by a translation of the transition relation and a translation of a given property to formulae of classical propositional calculus. It should be emphasised that for a given temporal logic, BMC is mainly used to disprove safety properties and to prove liveness properties. The SMT problem [4] is a generalisation of the SAT problem, where Boolean variables are replaced by predicates from various background theories. SMT generalises SAT by adding equality reasoning, arithmetic, fixed-size bit-vectors, arrays, quantifiers, and other useful first-order theories. Using SMT to express different problems has important advantages over SAT. If one uses SAT, then, for example, data must be encoded into a Boolean representation: a bit-vector must be represented as just its individual bits. In contrast, an SMT encoding can represent the bit-vector directly, and may be able to reason more efficiently at the bit-vector level of abstraction, without resorting to bit-level reasoning. The main aim is to compare the existing SAT-based BMC algorithms with our new SMT-based BMC techniques for the same models. #### 3 BMC algorithm For a given modal logic ML the application of the BMC method requires proving the theorem which provides the basis for the verification of formulae of this logic in a given model using finite prefixes of paths. A finite prefix of the length $k \geqslant 0$ is called a k-paths. The aforementioned theorem says that a formula $\varphi$ of a modal logic ML is true in a transition system $\mathcal{M}$ if and only if there exists a natural number k, such that the propositional formula (for SAT-based BMC) or the quantifier-free first-order formula (for SMT-BMC) $[\mathcal{M}, \varphi]_k$ being a conjunction of a formula encoding a finite set of k-paths of cardinality $f_k(\varphi)$ and a formula being a translation of the formula $\varphi$ , is satisfiable. The function $f_k$ , whose form depends on the particular modal logic, sets a minimum number of k-paths sufficient, regardless of the transition system, for the verification of the formula $\varphi$ . The aforementioned theorem justifies the correctness of the standard BMC algorithm. Starting with k=0, the algorithm creates, for a given transition system $\mathcal{M}$ and a given formula $\varphi$ , a propositional formula $[\mathcal{M}, \varphi]_k$ . Then the formula $[\mathcal{M}, \varphi]_k$ is converted to a satisfiability-equivalent propositional formula in conjunctive normal form and forwarded to a SAT-solver or it is converted to a quantifier-free first-order formula and forwarded to a SMT-solver. If the tested formula is unsatisfiable, then k is increased (usually by 1) and the process is repeated. The BMC algorithm terminates if either the formula $[\mathcal{M}, \varphi]_k$ turns out to be satisfiable for some k, or k becomes greater than a certain, $\mathcal{M}$ -dependent threshold (e.g. the number of states of $\mathcal{M}$ ). Exceeding this threshold means that the formula $\varphi$ is not true in the transition system $\mathcal{M}$ . On the other hand, satisfiability of $[\mathcal{M}, \varphi]_k$ , for some k means that the formula $\varphi$ is true in the transition system $\mathcal{M}$ . Moreover, the valuation found by the SAT-solver or SMT-solver allows to determine a set of k-paths, which is a witness for $\varphi$ . Note that the BMC algorithm also terminates when, for some k, the available resources (memory or time) are either insufficient to generate the formula $[\mathcal{M}, \varphi]_k$ or are insufficient for the SATor SMT-solver. In such a case, it means that the BMC algorithm is not able to check whether the property expressed by the formula $\varphi$ holds in the transition system $\mathcal{M}$ due to limited resources available. # 4 Methodology The main aim is to compare the existing SAT-based bounded model checking algorithms for standard Kripke structures, extended Kripke structures, and weighted interpreted systems with our new SMT-based bounded model checking techniques for the same models. Implementations The implementations are written in C++ programming language. Scenarios and benchmarks In the area of formal verification it is customary to use scalable benchmarks in order to demonstrate the effectiveness of verification tools. These benchmarks are usually theoretical devices, used to compare the efficiency of used algorithms. There exists a number of such standard, typical benchmarks, e.g. several types of Mutual Exclusion Protocol, Bit Transmission Problem, General Pipeline Paradigm, etc. On the other hand, restricting only to a few standard benchmarks makes it difficult to predict the performance on real- life systems, which prompts for use of the models originating from the practical applications. We plan to use both the types of benchmarks. ## 5 Results We proposed, implemented, and experimentally evaluated some SAT-based and SMT-based BMC approaches. | Logic | System | SAT-based BMC | SMT-based BMC | |---------|--------|---------------|---------------| | WECTLK | WIS | [9] | [13] | | WLTLK | WIS | [8] | [16] | | WECTLK | | to be done | [15] | | WELTLK | | [19] | [19] | | RTECTLK | TWIS | to be done | [17] | | | STS | [11] | [18] | | ECTL* | TS | [12] | [14] | | RTECTLK | IIS | [10] | to be done | Table 1: The comparison of two methods We have compared our SMT-based BMC methods with the corresponding SAT-based BMC methods. The experimental results show that the approaches are complementary. Also an observation of experimental results leads to the conclusion that the SAT-based BMC for uses less memory comparing to the SMT-based BMC. This is a novel and interesting result, which shows that the choice of the BMC method should depend on the considered system. #### References - 1. R. Alur, C. Courcoubetis, and D. Dill. Model checking for real-time systems. In *Proceedings of the 5th Symp. on Logic in Computer Science (LICS'90)*, pages 414–425. IEEE Computer Society, 1990. - 2. C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008. - A. Biere, A. Cimatti, E. Clarke, M. Fujita, and Y. Zhu. Symbolic Model Checking Using SAT Procedures instead of BDDs. In Proceedings of the ACM/IEEE Design Automation Conference (DAC'99), pages 317–320, 1999. - 4. Armin Biere, Marijn Heule, Hans van Maaren, and Toby Walsh, editors. *Handbook of Satisfiability*, volume 185 of *Frontiers in Artificial Intelligence and Applications*. IOS Press, 2009. - Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic verification of finite state concurrent systems using temporal logic specifications: A practical approach. In Conference Record of the Tenth Annual ACM Symposium on Principles of Programming Languages, Austin, Texas, USA, January 1983, pages 117–126. ACM Press, 1983. - Ronald Fagin, Joseph Y. Halpern, Yoram Moses, and Moshe Y. Vardi. Reasoning About Knowledge. MIT Press, 1995. - 7. J. P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In *Proceedings of the 5th International Symp. on Programming*, volume 131 of *LNCS*, pages 337–351. Springer-Verlag, 1981. - 8. B. Woźna-Szcześniak, A. M. Zbrzezny, and A. Zbrzezny. SAT-based Bounded Model Checking for Weighted Interpreted Systems and Weighted Linear Temporal Logic. In *Proceedings of the 16th International Conference on Principles and Practice of Multi-Agent Systems (PRIMA 2013)*, volume 8291 of *LNAI*, pages 355–371. Springer-Verlag, 2013. - 9. B. Woźna-Szcześniak, A. M. Zbrzezny, and A. Zbrzezny. Bounded model checking for weighted interpreted systems and for flat weighted epistemic computation tree logic. In *Proceedings of the 17th International Conference on Principles and Practice of Multi-Agent Systems (PRIMA'2014)*, volume 8861 of *LNAI*, pages 107–115. Springer-Verlag, 2014. - Bozena Wozna-Szczesniak, Agnieszka Zbrzezny, and Andrzej Zbrzezny. The BMC method for the existential part of RTCTLK and interleaved interpreted systems. In Progress in Artificial Intelligence, 15th Portuguese Conference on Artificial Intelligence, EPIA 2011, Lisbon, Portugal, October 10-13, 2011. Proceedings, pages 551–565, 2011. - 11. Boena Wona-Szczeniak, Agnieszka Zbrzezny, and Andrzej Zbrzezny. SAT-based bounded model checking for RTECTL and simply-timed systems. In *EPEW*, pages 337–349, 2013. - A. Zbrzezny. A New Translation from ECTL\* to SAT. Fundamenta Informaticae, 120(3-4):377-397, 2012. - 13. A. M. Zbrzezny, B. Woźna-Szcześniak, and A. Zbrzezny. SMT-based bounded model checking for for weighted epistemic ECTL (short paper). In Progress in Artificial Intelligence 17th Portuguese Conference on Artificial Intelligence, EPIA 2015, Coimbra, Portugal, September 8-11, 2015. Proceedings, volume 9273 of Lecture Notes in Computer Science, pages 651-657. Springer, 2015. - 14. A. M. Zbrzezny and A. Zbrzezny. A comparison of SAT-based and SMT-based bounded model checking methods for ECTL\*. In *Proceedings of the 23th International Workshop on Concurrency, Specification and Programming (CS&P'2014)*, volume 1269 of *CEUR Workshop Proceedings*, pages 293–300, 2014. - A. M. Zbrzezny and A. Zbrzezny. Checking WECTLK properties of timed real-weighted interpreted systems via SMT-based bounded model checking. In Progress in Artificial Intelligence 17th Portuguese Conference on Artificial Intelligence, EPIA 2015, Coimbra, Portugal, September 8-11, 2015. Proceedings, volume 9273 of Lecture Notes in Computer Science, pages 638-650. Springer, 2015. - A. M. Zbrzezny and A. Zbrzezny. Checking WELTLK properties of weighted interpreted systems via SMT-based bounded model checking. In PRIMA 2015: Principles and Practice of Multi-Agent Systems 18th International Conference, Bertinoro, Italy, October 26-30, 2015, Proceedings, volume 9387 of Lecture Notes in Computer Science, pages 660-669. Springer, 2015. - 17. A. M. Zbrzezny and A. Zbrzezny. Verifying real-time properties of multi-agent systems via SMT-based bounded model checking. In *PRIMA 2016: Principles and Practice of Multi-Agent Systems 19th International Conference, Phuket, Thailand, August 22-26, 2016, Proceedings*, volume to appear of *Lecture Notes in Computer Science*, page to appear. Springer, 2016. - 18. Agnieszka M. Zbrzezny and Andrzej Zbrzezny. Checking RTECTL properties of stss via smt-based bounded model checking. *IJIMAI*, 3(5):28–35, 2015. 19. Agnieszka M. Zbrzezny, Andrzej Zbrzezny, and Franco Raimondi. Efficient model checking timed and weighted interpreted systems using SMT and SAT solvers. In Smart Innovation, Systems and Technologies. Agent and Multi- Agent Systems -Technology and Applications: 2016, KES AMSTA International Conference, Tenerife, Spain, June 15-17, 2016, Proceedings, pages 45-55, 2016.