Theta: Modular Model Checker Built For Diverse Algorithm Configurations

Ensuring the correct behavior of software-intensive safety-critical systems is crucial during design and development, which can be achieved using formal verification techniques like model-checking. The performance of model-checking highly depends on the characteristics of the input models. As no single algorithm performs optimally across all cases, combining multiple algorithms with various configurations into a portfolio can often be an effective strategy to increase robustness and improve the chances of successful verification. The modular architecture of Theta supports a wide range of input formalisms and a diverse set of analysis algorithms and SMT solvers. This flexibility enables the rapid prototyping of new algorithms and the creation of versatile algorithm portfolios. Additionally, Theta supports transformations that can extend the verification power of the analysis algorithms.

Transcript

  1. Theta: Modular Model Checker Built For Diverse Algorithm Configurations (FMF-AI'25)
     Milán Mondok, Dániel Szekeres, Levente Bajczi, Dániel Kovács, Mihály Dobos-Kovács, Vince Molnár
  2. Theta (github.com/ftsrg/theta)
     • Generic, modular and configurable model checking framework
     • Originally ARG-based CEGAR analysis
     • Current focus: STS-based architecture with diverse algorithm backends and chainable model transformations
  3. Theta: Input Languages
     • Statechart (SysML, Gamma)
     • C program:
         int x = 0;
         int y = 5;
         while (y > 0) { x = x + 1; y = y - 1; }
         assert (x == 5);
     • PLC Structured Text (PLCverif):
         FUNCTION FuncAbs : INT
           VAR_INPUT in : INT; END_VAR
         BEGIN
           IF in >= 0 THEN FuncAbs := in; ELSE FuncAbs := -in; END_IF;
         END_FUNCTION
     • Petri net (PNML)
     • HW circuit (AIGER)
     • Constrained Horn Clauses (SMT2):
         A(n) ⟸ 0 < n < 100
         B(n) ⟸ A(n) ∧ n > 100
         ⊥ ⟸ B(n)
  4. Theta: Supported Properties
     • Safety: Is the error state reachable?
     • Termination, Overflow/Underflow
     • Liveness: Can we repeatedly enter a desired state?
     • Petri-net deadlocks and safety
     (Figure: Model + Property → Model checker → ✓ / X)
  5. (Architecture overview figure: input languages PLC ST, C, CHC, HW model, Statechart, Petri-net → internal representations CFA, XCFA, XSTS, STS → algorithms BMC, K-IND, IC3/PDR, GSAT with transformations Reverse, Abstract, Liveness-to-safety → solvers Z3 native, SMT-LIB2, JavaSMT)
  6. Theta: Internal Representations
     • Control Flow Automaton (CFA)
     • Extended Control Flow Automaton (XCFA): + functions, pointers, multithreading
     • Extended Symbolic Transition System (XSTS), e.g.:
         type Colour : {RED, GREEN, BLUE}
         var x: integer = 0
         var col: Colour = RED
         trans { choice { [x < 5] col:=GREEN } or { x:=x-1 } }
         env { x:=x+1 }
     • Symbolic Transition System (STS), e.g.:
         I: x = 0 ∧ y < 100
         T: x' = x + 1 ∧ y' = y
         P: x < 50
     Why? Different structural knowledge tailored to different domains.
  7. (Architecture overview figure, repeated)
  8. Theta: STS-to-STS Transformations
     • Reversal: Can we reach the initial state from the error states with reversed steps?
       STS:           I: x = 0 ∧ y < 100    T: x' = x + 1 ∧ y' = y    P: x < 50
       Reversed STS:  I_rev: ¬P             T_rev: x = x' + 1 ∧ y = y' (swap v with v')    P_rev: ¬I
  9. Theta: STS-to-STS Transformations
     • Reversal
     • Liveness-to-safety: encode the liveness property into the model
       STS:  I: x = 0 ∧ y < 100    T: x' = x + 1 ∧ y' = y    P: x < 50
       Liveness STS (liveness property + optionally saved variables; saved = original → loop):
         I_l2s: I ∧ (x_s = x) ∧ (y_s = y) ∧ ¬saved
         T_l2s: T ∧ ((saved' ∧ x'_s = x ∧ y'_s = y) ∨ (saved' = saved ∧ x'_s = x_s ∧ y'_s = y_s))
         P_l2s: P ∧ saved ∧ (x_s = x) ∧ (y_s = y)
  10. Theta: STS-to-STS Transformations
     • Reversal
     • Liveness-to-safety
     • Abstraction: implicit predicate abstraction encoded into the model
       STS:  I: x = 0 ∧ y < 100    T: x' = x + 1 ∧ y' = y    P: x < 50
       Precision: { (x < 2) }
       Abstract STS (activation literals track the predicates):
         I_abs: I ∧ (p_1 ⟺ (x < 2))
         T_abs: T ∧ (p_1 ⟺ (x < 2)) ∧ (p'_1 ⟺ (x' < 2))
         P_abs: ¬(¬P ∧ (p_1 ⟺ (x < 2)))
  11. (Architecture overview figure, repeated)
  12. Theta: Verification Algorithms
     • Bounded model checking (BMC) + K-induction (KIND) + Interpolation-based model checking (IMC) [simple systems]
     • Property-directed reachability (IC3/PDR) [hardware focus]
     • (Generalized) saturation (GSAT) [asynchronous systems]
       – Substitution diagrams: top-down emulation of decision-diagram structure from SMT formulas
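As an added illustration (not Theta's own code) of the reversal transformation from slide 8 and the bounded reachability search of slide 12: the slides' STS with each variable restricted to a small constructed finite domain, an explicit-state BMC over it, and the same search run on the reversed system.

```python
from itertools import product

# Constructed example, not Theta's code: the STS used on the slides,
#   I: x = 0 ∧ y < 100    T: x' = x + 1 ∧ y' = y    P: x < 50
# with each variable restricted to a small finite domain so that states
# can be enumerated explicitly (Theta works symbolically via SMT instead).
DOMAIN = {"x": range(0, 56), "y": range(95, 105)}

def init(s):
    return s["x"] == 0 and s["y"] < 100

def trans(s, t):  # s: current valuation, t: primed (next) valuation
    return t["x"] == s["x"] + 1 and t["y"] == s["y"]

def prop(s):
    return s["x"] < 50

def reverse_sts(I, T, P):
    """Reversal from slide 8: I_rev = ¬P, T_rev swaps v and v', P_rev = ¬I."""
    return (lambda s: not P(s),
            lambda s, t: T(t, s),
            lambda s: not I(s))

def all_states():
    names = list(DOMAIN)
    for values in product(*(DOMAIN[n] for n in names)):
        yield dict(zip(names, values))

def bmc(I, T, P, bound):
    """Explicit-state BMC: length of the shortest path from an I-state to a
    ¬P-state using at most `bound` transitions, or None if there is none."""
    states = list(all_states())
    # Materialise the transition relation once (cheap for a few hundred states).
    succ = [[j for j, t in enumerate(states) if T(s, t)] for s in states]
    frontier = [i for i, s in enumerate(states) if I(s)]
    seen = set(frontier)
    for k in range(bound + 1):
        if any(not P(states[i]) for i in frontier):
            return k  # counterexample of length k found
        nxt = [j for j in {j for i in frontier for j in succ[i]} if j not in seen]
        seen.update(nxt)
        frontier = nxt
        if not frontier:
            return None  # state space exhausted: P holds on every reachable state
    return None

if __name__ == "__main__":
    print("original:", bmc(init, trans, prop, 60))                # 50
    print("reversed:", bmc(*reverse_sts(init, trans, prop), 60))  # 50
```

Both searches need exactly 50 steps (x counts from 0 up to 50, or from 50 back down to 0), while a bound of 49 yields no counterexample in either direction.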
  13. Theta: Verification Results
     • Safe verdict (✓): error is not reachable; inductive invariant: overapproximation of reachable states
     • Unsafe verdict (X): counterexample: path to violation; for liveness: lasso path
     Goal: conform to common witness formats (SV-COMP, CHC-COMP)
  14. (Architecture overview figure, repeated, now listing IMC among the algorithms)
  15. Theta: SMT Solvers
     • Used by almost all algorithms
     • Satisfiability (+ model generation, UNSAT cores, interpolation)
     • Unified access through a common interface
       – Native Z3 (best performance, strong interpolation)
       – SMT-LIB2: cvc5, MathSAT, Princess, SMTInterpol, Bitwuzla, Boolector, …
       – JavaSMT: common Java API over several 3rd-party solvers
  16. (Architecture overview figure, repeated)
  17. A possible configuration: PLC with IC3 using Z3
     (Architecture overview figure with the path PLC ST → CFA → IC3 → Z3 native highlighted)
  18. A different configuration: Statechart with reversed, abstract GSAT using cvc5 through SMT-LIB
     (Architecture overview figure with the path Statechart → XSTS → STS → Reverse, Abstract → GSAT → SMT-LIB2 highlighted)
  19. Theta: Evaluation (# models solved)
     On models from SV-COMP, CHC-COMP, HWMCC, MCC, and industrial partners.
     Column header rows as on the slide: Algorithm (BMC, K-IND, IMC, GSAT, IC3, IC3, IC3, IMC, IMC); Transformation (–, Reverse, Abstr., Rev, Abs); Solver (Z3, Z3, M.S., cvc5, Z3); the last column is the number of models in the category.

     Category        BMC   K-IND   IMC   GSAT   IC3   IC3   IC3   IMC   IMC   # models
     Hardware         18      74    89      3    42    37    29    22    80        317
     Statechart       68      70    51     49    16    16    10    10    39         82
     Petri net        19      53    46     60    46    49    46    38    47        111
     CHC              53      61    82     25    29    45    24    39    43       1650
     PLC              19      16    28     20     0     3     0     4     3         32
     Software        748    1191   330    220   132   195    92   134   125       1560
     Sw-termination   78      77   115     19     5     1     5     2     5        233

     Multiple competitive algorithms; performance varies among model categories.
  20. Sequential portfolios
     • Example: SV-COMP'25 portfolio
     • Example: CHC-COMP'25 portfolio
     Two sequences are shown on the slide (each step: algorithm, solver(s), time budget; the last step gets the remaining time):
       – GSAT Z3 180s → BMC Z3/M.S./cvc5 30s → K-IND Z3/M.S./cvc5 300s → IMC rev, abs, Z3, rest
       – BMC Z3 450s → K-IND Z3 20s → EXPL Z3 650s → BMC cvc5 550s → IMC Z3 10s → BOOL Z3 15s → CART Z3 15s → K-IND cvc5 70s → CART cvc5 550s → GSAT rest
  21. Summary: Theta, Modular Model Checker For Diverse Algorithm Configurations (github.com/ftsrg/theta)
     • Wide range of input languages: C, CHC, Statechart, PN, Hardware, PLC
     • Chainable model transformations
     • Modular architecture for fast prototyping of verification algorithms
     • Sequential algorithm portfolios