Verifying Safety Properties of Lustre Programs: An SMT-Based Approach

  • Authors: Cesare Tinelli; George Edward Hagen
  • Affiliations: The University of Iowa; The University of Iowa
  • Venue: Verifying Safety Properties of Lustre Programs: An SMT-Based Approach
  • Year: 2008

Abstract

An important problem in hardware and software design is ensuring that a designed system is error-free. Even small errors in a computer system can have disastrous consequences for a project, sometimes costing large amounts of money to correct, or even leading to unexpected and catastrophic system failure. There are a number of steps one can take to eliminate as many errors as possible. We focus on a set of techniques known as formal methods that are used in computer science to help ensure correct system behavior. In order to minimize the potential for human error and to reduce the time and expertise needed, we seek to use techniques that are highly automatable. We focus on one such approach, an inductive variation of model checking that can be used to formally verify the invariance of properties or to produce counterexamples. One class of systems of particular interest for verification is reactive systems: systems that continuously react to their environment in a timely manner. Reactive systems are pervasive in everyday life, ranging from simple thermostats to the controls of nuclear power plants. As a representative language for describing these systems, we look at an established specification and programming language, Lustre. We have developed a set of techniques based on inductive reasoning and Satisfiability Modulo Theories (SMT) that can automatically prove invariant properties of systems described in Lustre. These techniques involve the translation of a Lustre program and property into formulas of a suitable logic, followed by the application of k-induction with improvements such as path compression and abstraction/refinement. This process can be used to prove a property invariant or to provide a concrete counterexample for it that can aid in correcting errors.
While these techniques have individually been applied to similar problems, we refine and combine them in a novel way to deal effectively with Lustre-based systems with the aid of automated off-the-shelf SMT reasoners. We have implemented these techniques in a new system, Kind, and show experimentally that it improves on the current state of the art.
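The k-induction scheme the abstract describes, with path compression, as an added example that is not from the thesis or the Kind tool: it checks a constructed five-state, one-input system by exhaustive enumeration instead of an SMT solver, and every name in it is an assumption of this example.

```python
from itertools import product

# Constructed toy system (not from the thesis): one boolean input, state 0..4.
STATES = range(5)
INPUTS = (False, True)

def init(s):
    return s == 0

def trans(s, i, s2):
    """Transition relation: 0 -> 1 -> 2 -> 0 cycles forever; 3 stays on input
    False and moves to 4 on input True; 4 is a sink.  3 and 4 are unreachable."""
    if s in (0, 1, 2):
        return s2 == (s + 1) % 3
    if s == 3:
        return s2 == (4 if i else 3)
    return s2 == 4

def safe(s):
    """Safety property to prove invariant: the sink state 4 is never entered."""
    return s != 4

def paths(length, compress):
    """All state sequences of the given length consistent with trans for some
    input; with path compression, sequences with a repeated state are dropped."""
    for seq in product(STATES, repeat=length):
        if compress and len(set(seq)) != length:
            continue
        if all(any(trans(a, i, b) for i in INPUTS) for a, b in zip(seq, seq[1:])):
            yield seq

def k_induction(k, prop=safe, compress=False):
    """k-induction at depth k.  Returns 'proved', or a dict holding a failing
    base-case path (a real counterexample) or a failing inductive-step path."""
    # Base case: every path of k states from an initial state satisfies prop.
    for seq in paths(k, False):
        if init(seq[0]) and not all(map(prop, seq)):
            return {"base": seq}
    # Inductive step: k consecutive prop-states are always followed by one more.
    # Path compression discards looping paths, so the unreachable state 3 can
    # no longer serve as its own predecessor in a spurious inductive failure.
    for seq in paths(k + 1, compress):
        if all(map(prop, seq[:-1])) and not prop(seq[-1]):
            return {"step": seq}
    return "proved"

if __name__ == "__main__":
    print(k_induction(1))                 # {'step': (3, 4)}
    print(k_induction(2))                 # {'step': (3, 3, 4)}
    print(k_induction(2, compress=True))  # proved
```

Without compression the inductive step fails at every k, because the unreachable state 3 can loop on itself before stepping to 4; with compression the self-loop is excluded and k=2 proves the property, which is the effect the abstract credits to path compression.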