Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Invariant checking for infinite-state transition systems is a fundamental research area. Based on the recent improvements of SMT technologies, effective approaches have been developed for the case of transition systems with dynamics over Linear Real Arithmetic [4, 9, 18, 21]. However, many real-world industrial designs (e.g. aerospace, automotive) require modeling as transition systems over non-linear arithmetic (NRA). Although both problems are undecidable, proving properties of the NRA transition systems turns out to be much harder than the linear case, and has in fact received much less attention. Approaches based on BMC and k-induction [15, 29] are possible, so that non-linearity is handled at the SMT-level, by means of an SMT(NRA) solver (e.g. Z3 [13], nlSAT [20], Yices [14], SMT-RAT [1]). Their power is however limited. Consider the following simple transition system: initially, \(x \ge 2 \wedge y \ge 2 \wedge z = x*y\); the transition relation is defined by \(x'= x + 1 \wedge y' = y + 1 \wedge z' = x'*y'\). The property “it is always the case that \(z \ge x + y\)” is not k-inductive, not even for a very large value of k. Thus, the typical proving techniques that are based on k-induction using an SMT(NRA) solver will not be able to prove it. In principle, it is also possible to lift other approaches (e.g. interpolation, IC3 [9, 26]) to handle non-linearities at the level of the solver. However, this requires the SMT(NRA) solver to carry out interpolation or quantifier elimination, and to proceed incrementally. These extra functions are usually not available, or they have a very high computational cost.

In this paper, we propose a completely different approach to tackle invariant checking for NRA transition systems. Basically, we work with an abstract version of the transition system, expressed over LRA with EUF, for which we have effective verification tools [9]. In the abstract space, nonlinear multiplication is modeled as an uninterpreted function. When spurious counter-examples are found, the abstraction is tightened by the incremental introduction of linear constraints, including tangent planes resulting from differential calculus, and monotonicity constraints.

We implemented the approach on top of the nuXmv model checker [7], leveraging the IC3 engine with Implicit Abstraction [9] for invariant checking of transition systems over LRA with EUF. We compared it, on a wide set of benchmarks, against multiple approaches working at NRA level, including BMC and k-induction using SMT(NRA), the recent interpolation-based iSAT3 engine [24], and the static abstraction approach proposed in [8]. The results demonstrate substantial superiority of our approach, that is able to solve the highest number of benchmarks.

The effectiveness of our approach is possibly explained with the following insights. On the one hand, in contrast to LRA, NRA is a hard-to-solve theory: in practice, most available complete solvers rely on CAD techniques [12], which require double exponential time in worst case. Thus, we try to avoid NRA reasoning, trading it for LRA and EUF reasoning. On the other hand, proving properties of practical NRA transition systems may not require the full power of non-linear solving. In fact, some systems are “mostly-linear” (i.e. non-linear constraints are associated to a very small part of the system), an example being the Transport Class Model (TCM) for aircraft simulation from the Simulink model library [19]. Furthermore, even NRA transition systems with significant non-linear dynamics may admit a piecewise-linear invariant of the transition system that is strong enough to prove the property.

Structure. In Sect. 2 we discuss the related work, and in Sect. 3 introduce some background. In Sect. 4 we discuss the approach in the setting of SMT(NRA). In Sect. 5 we present the verification algorithm for NRA transition systems. In Sect. 6 we describe the results of the experimental evaluation. In Sect. 7 we conclude and outline the directions for future research.

2 Related Work

There are not many tools that deal with NRA transition systems. The most relevant is the recently proposed iSAT3 [28], that uses an interpolation-based [23, 24] approach to prove invariants. In addition to NRA, it also supports trascendental functions and some form of differential equations. iSAT3 is built on an SMT solver based on numeric techniques (interval arithmetic), and is able to provide results that are accurate up to the specified precision. In fact, in addition to “safe” and “unsafe” answers, iSAT3 may return “maybe unsafe” when it finds an envelope of given precision that may (but is not guaranteed to) contain a counterexample. Another relevant tool is dReach [22], a bounded model checker implemented on top of the dReal [16] SMT solver, that adopts numerical techniques similar to iSAT3. dReach has an expressiveness similar to iSAT3, but being a bounded model checker it is unable to prove properties.

The work in [8] follows a reduction-based approach to check invariants of NRA transition systems. It over-approximates the non-linear terms with a coarse abstraction, encoding into LRA some weak properties of multiplication like identity and sign. Another reduction-based approach is presented in [25] in the context of program analysis. The idea is to find a (tighter) convex approximation of polynomials in form of polyhedra, thus obtaining a conservative linear transition system. The key differences of our approach with respect to [8, 25] are that we iteratively refine the abstraction, and we adopt a reduction to LRA+EUF. Furthermore, to the best of our knowledge, there is no available implementation of the approach [25] in a program analysis tool – it has been only shown to work on SMT problems.

The idea of approximating a univariate function (in particular the natural logarithm ln) with tangent lines is used in [30]. Here we abstract a bivariate function (multiplication), and use tangent planes for the refinement. We also exploit other properties (e.g. monotonicity) to derive additional axioms. The idea of using tangent planes (spaces) has been explored in [27], limited to the case of SMT solving. Another key differences is that the tangent planes area used to under-approximate predicates, while we use them to refine the over-approximation of the multiplication function.

Fig. 1.
figure 1

Multiplication function and tangent plane.

Full size image

3 Background

Properties of the Multiplication Function. Geometrically, the surface generated by the multiplication function is shown in Fig. 1a and b. This kind of surface is known in geometry as hyperbolic paraboloid. A hyperbolic paraboloid is a doubly-ruled surface, i.e. for every point on the surface, there are two distinct lines projected from the surface such that they pass through the point. In case of the multiplication surface, the projected lines basically lie on the surface.

Tangent Plane. The tangent plane to a surface at a point of interest (ab) is a plane that “just touches” the surface at the point. The tangent planes can be used to linearly approximate the surface at the point of interest. An important property of the tangent plane to a hyperbolic paraboliod is that the two projected lines from the surface are also in the tangent plane, and they define how the plane cuts the surface (see Fig. 1c and d). The tangent plane \(Tmul_{a,b}(x,y)\) to the multiplication function f(xy) at point (ab) is calculated as follows:

where \(\frac{d}{dx}f(x,y)_{\mid _{(a,b)}}\) and \(\frac{d}{dy}f(x,y)_{\mid _{(a,b)}}\) are the first-order partial derivatives of f(xy) w.r.t. x and y respectively, evaluated at (ab). \(Tmul_{a,b}(x,y)\) simplifies to:

(1)

Logic and Satisfiability. We assume the standard first-order quantifier-free logical setting and standard notions of theory, model, satisfiability, and logical consequence. If \(\varphi \) is a formula, we denote with \(\text {vars}(\varphi ) \) the set of its variables, and with \(\text {atoms}(\varphi ) \) the set of its atoms. We write \(\varphi (X)\) to denote that \(\text {vars}(\varphi ) \subseteq X\). If x and y are two variables, we denote with the formula obtained by replacing all the occurrences of x in \(\varphi \) with y. We extend this notation to ordered sequences of variables in the natural way. If \(\mu \) is a model and x is a variable, we write \(\mu [x]\) to denote the value of x in \(\mu \), and we extend this notation to terms in the usual way. If X is a set of variables, we denote with \(X'\) the set obtained by replacing each element \(x \in X\) with \(x'\), and with \(X^{\langle i\rangle }\) the set obtained by replacing x with \(x^{\langle i\rangle }\). If \(\varGamma \) is a set of formulas, we write \(\bigwedge \varGamma \) to denote the formula obtained by taking the conjunction of all its elements. If \(\bigwedge \varGamma \) is unsatisfiable (modulo some theory T), an unsatisfiable core is a set \(C \subseteq \varGamma \) such that \(\bigwedge C\) is still unsatisfiable.

Symbolic Transition Systems. A symbolic transition system is a tuple where X is a finite set of (state) variables, I(X) is a formula denoting the initial states of the system, and \(T(X,X')\) is a formula expressing its transition relation. A state \(s_i\) of \(\mathcal{S} \) is an assignment to the variables X. A path (execution trace) \(\pi = s_0,s_1,s_2,\ldots ,s_{k-1}\) of length k (possibly infinite) for \(\mathcal{S} \) is a sequence of states such that \(s_0 \models I\) and for all \(0 \le i < k-2\). We call an unrolling of \(\mathcal{S} \) of length k the formula .

Let P(X) be a formula whose assignments represent a property (good states) over the state variables X. The invariant verification problem, denoted with \(S\,\models \,P\), is the problem of checking if for all the finite paths \(s_0,s_1,\ldots ,s_k\) of \(\mathcal{S} \), for all i, \(0\le i\le k\), \(s_i\,\models \, P\). Its dual formulation in terms of reachability of \(\lnot P\) is the problem of finding a path \(s_0,s_1,\ldots ,s_k\) of \(\mathcal{S} \) such that \(s_k\models \lnot P\). P represents the “good” states, while \(\lnot P\) represents the “bad” states.

4 Solving SMT(NRA) via SMT(LRA+EUF)

Top-Level Algorithm. The main idea of this paper is that of solving an SMT formula containing non-linear polynomial constraints (i.e., expressed in the NRA theory) by overapproximating it with a formula over the combined theory of linear arithmetic and uninterpreted functions (LRA+EUF). Our main SMT solving procedure follows a classic abstraction refinement loop, in which at each iteration the current overapproximation of the input SMT formula is refined by adding new constraints that rule out one (or possibly more) spurious solutions, until one of the following occurs: (i) the SMT formula becomes unsatisfiable in the LRA+EUF theory; or (ii) the LRA+EUF model for the current overapproximation can be lifted to an NRA model for the original SMT formula; or (iii) the resource budget (e.g. time, memory, number of iterations) is exhausted.

The pseudocode for the top-level algorithm is shown in Fig. 2. We provide more details about its main components in the rest of this section.

Fig. 2.
figure 2

Solving SMT(NRA) via abstraction to SMT(LRA+EUF).

Full size image

Initial Abstraction. The function takes as input an SMT(NRA) formula \(\varphi \) and returns an overapproximation \(\widehat{\varphi }\) of it in the LRA+EUF theory.

First, each multiplication expression \(x * y\) between two variablesFootnote 1 occurring in \(\varphi \) is replaced by \(fmul(x,y)\), where \(fmul()\) is a binary uninterpreted function returning a real. We remark that this happens only for non-linear multiplications: expressions like \(c * x\) or \(x * c\) in which c is a constant are not rewritten.

Then, some simple axioms about multiplication are added to \(\widehat{\varphi }\) via static learning. For each \(fmul(x,y) \in \widehat{\varphi }\), we add the following axioms:

$$\begin{aligned} \mathbf{Commutativity}{} \mathbf :&fmul(x,y) = fmul(y,x)\\ \mathbf{Sign}{} \mathbf :&fmul(x,y) = fmul(-x,-y) \wedge fmul(x,y) = -fmul(-x,y) ~\wedge \\&fmul(x,y) = -fmul(x,-y)\\ \mathbf{Zero}{} \mathbf :&((x = 0 \vee y = 0) \leftrightarrow fmul(x,y)=0) ~\wedge \\&(((x> 0 \wedge y> 0) \vee (x< 0 \wedge y< 0)) \rightarrow fmul(x,y)> 0) ~\wedge \\&(((x< 0 \wedge y> 0) \vee (x< 0 \wedge y > 0)) \rightarrow fmul(x,y) < 0) \end{aligned}$$

Abstraction Refinement. If the SMT check on the LRA+EUF abstraction returns false (line 7 of Fig. 2), we can conclude that the input formula is unsatisfiable. In this case, \(\varGamma \) contains all the lemmas (discussed later in this section) that were added in the earlier refinements (line 11 of Fig. 2).

Otherwise, we have to check whether the model \(\widehat{\mu }\) found for \(\widehat{\varphi }\) is also a model for the original NRA formula \(\varphi \). Let Fmuls be the set of all \(fmul(x,y)\) terms occurring in \(\widehat{\varphi }\). In its simplest version, the function checks whether, for all \(fmul(x,y)\) in Fmuls, \(\widehat{\mu }[fmul(x,y)] = \widehat{\mu }[x] * \widehat{\mu }[y]\). If this is the case, then \(\widehat{\mu }\) is also a model for the original formula, and returns true. (We present more sophisticated versions of below.) Otherwise, let CFmuls be the set of all \(fmul(x,y)\) terms whose value in \(\widehat{\mu }\) is different from \(\widehat{\mu }[x] * \widehat{\mu }[y]\). The function generates a set of axioms \(\varGamma '\) such that there exists at least one element \(fmul(x,y)\) of CFmuls such that the formula \(\widehat{\varphi } \wedge \bigwedge \varGamma '\) has no model \(\widehat{\mu '}\) that agrees with \(\widehat{\mu }\) on the values of xy and \(fmul(x,y)\) (i.e. such that \(\widehat{\mu '}[fmul(x,y)] = \widehat{\mu }[fmul(x,y)]\), \(\widehat{\mu '}[x] = \widehat{\mu }[x]\) and \(\widehat{\mu '}[y] = \widehat{\mu }[y]\)). Intuitively, the axioms \(\varGamma '\) block the bad model values for \(fmul(x,y)\), making the abstraction more precise by restricting the set of spurious solutions.

In our current implementation, two kinds of lemmas are generated during refinement: tangent lemmas and monotonicity lemmas.

Tangent Lemmas. We use the model values \(\widehat{\mu }[fmul(x,y)]\), \(\widehat{\mu }[x]\) and \(\widehat{\mu }[y]\) and (1) to generate tangent plane lemmas for \(fmul(x,y)\):

$$\begin{aligned} \begin{aligned}&fmul(a,y) = a * y ~~\wedge ~~ fmul(x,b) = b * x ~~\wedge \\&(((x> a \wedge y< b) \vee (x< a \wedge y> b)) \rightarrow fmul(x,y)< Tmul_{a,b}(x,y)) ~~\wedge \\&(((x< a \wedge y < b) \vee (x> a \wedge y> b)) \rightarrow fmul(x,y) > Tmul_{a,b}(x,y))\\ \end{aligned} \end{aligned}$$
(2)

where we can choose a and b as:

(3)
(4)
(5)

Basically the equalities in the tangent lemma are providing multiplication lines that enforce the correct value of \(fmul(x,y)\) when \(x=a\) or \(y=b\). Moreover, the inequalities of the tangent lemma are providing bounds for \(fmul(x,y)\) when x and y are not on the multiplication lines.

Monotonicity Lemmas. Let \(fmul(x,y)\) and \(fmul(w,z)\) be two terms in \(\widehat{\varphi }\), such that \(|{\widehat{\mu }[x]}| \le |{\widehat{\mu }[w]}|\), \(|{\widehat{\mu }[y]}| \le |{\widehat{\mu }[z]}|\), and \(|{\widehat{\mu }[fmul(x,y)]}| > |{\widehat{\mu }[fmul(w,z)]}|\). Then, we add the monotonicity lemma

$$\begin{aligned} (abs(x) \le abs(w) \wedge abs(y) \le abs(z)) \rightarrow abs(fmul(x,y)) \le abs(fmul(w,z)), \end{aligned}$$
(6)

where abs(t) stands for .

Finding Models. It is easy to see that our algorithm is expected to perform much better for unsatisfiable instances than for satisfiable ones. The algorithm can return true (meaning that the formula is satisfiable) only if the LRA+EUF solver “guesses” a model that is consistent with all the nonlinear multiplications. In an infinite and dense domain like the reals, the chances that this will happen are close to zero in general.

Moreover, our approach is inherently limited, because it can only find models over the rationals. If the input formula is satisfiable, but all its models contain some irrational values, then our algorithm will always abort (or never terminate, if there is no resource budget set). In practice, it is very likely that the same will happen even for formulas admitting a rational solution.

One possibility for addressing this limitation would be to couple our procedure with a complete solver for NRA, to be used for detecting satisfiable cases, in order to implement a more effective version of . One such possibility is shown in Fig. 3, where we extract the truth assignment \(\widehat{\psi }\) induced by the LRA+EUF model \(\widehat{\mu }\) on the atoms of \(\widehat{\varphi }\):

(7)

We concretize it by replacing each \(fmul(x,y)\) in \(\widehat{\psi }\) with \(x*y\), and invoke the complete NRA theory solver on the resulting conjunction of NRA-literals \(\psi \), to check whether it contains at least one solution. Although in general the problem is expected to be simpler than the original input formula because the Boolean structure of \(\varphi \) is disregarded, invoking a complete NRA theory solver at each loop iteration of could be very expensive. Moreover, this would still require a complete NRA theory solver, which might not always be available.

Fig. 3.
figure 3

A complete procedure using an NRA solver.

Full size image
Fig. 4.
figure 4

An incomplete procedure using an SMT(LRA+EUF) solver.

Full size image

As an alternative, we propose the procedure outlined in Fig. 4, where we extract the truth assignment \(\widehat{\psi }\) induced by the LRA+EUF model \(\widehat{\mu }\) on the atoms of \(\widehat{\varphi }\), and we conjoin to it the multiplication lines:

$$\begin{aligned} \widehat{\psi }^*= & {} \widehat{\psi }\ \wedge \ \mathop {\bigwedge }\limits _{fmul(x,y) \in Fmuls} \left( \begin{array}{ll} (x = \widehat{\mu }[x] \wedge fmul(x,y) = \widehat{\mu }[x] * y)\ \vee \\ (y = \widehat{\mu }[y] \wedge fmul(x,y) = \widehat{\mu }[y] * x) \end{array}\right) , \end{aligned}$$
(8)

Fmuls being the usual set of all \(fmul(x,y)\) terms occurring in \(\widehat{\varphi }\).

The main idea is to build an LRA+EUF underapproximation \(\widehat{\psi }^*\) of the NRA formula \(\psi \) of Fig. 3, in which all multiplications are forced to be linear. Compared to the previous solution, this has the advantage of requiring a complete SMT(LRA+EUF) solver rather than a (much more expensive) complete NRA solver. Moreover, given the simplicity of the Boolean structure of the underapproximated formula, the check should in general be very cheap. The drawback is that this is (clearly) still an incomplete procedure. However, in our experiments (for which we refer to Sect. 6) we have found it to be surprisingly effective for many problems.

Unlike with the basic implementation of which considers only one single candidate model at a time, the implementations in Figs. 3 and 4 consider an infinite amount of them, drastically increasing the chances of finding a model.

Correctness and Progress. We notice that the procedure in Fig. 2 is correct. In fact, it returns false only if \(\varphi \) is NRA-unsatisfiable because by construction \(\widehat{\varphi }\) is an over-approximation of \(\varphi \), and all axioms in \(\varGamma \) are valid in any theory interpreting \(fmul(x,y)\) as \(x * y\). Also, it returns true only if \(\varphi \) is NRA-satisfiable:

  • if is based only on evaluation, then by construction \(\mu \) is an LRA+EUF-model for \(\widehat{\varphi }\) s.t. each \(fmul(x,y)\) equals \(x*y\) in \(\mu \), so that \(\mu \) is also a model for \(\varphi \);

  • if is as in Fig. 3, then \(\mu \) is an NRA-model of a conjunction of literals \(\psi \) which tautologically entails \(\varphi \), so that \(\mu \) is a model for \(\varphi \);

  • if is as in Fig. 4, then \(\mu \) is an LRA+EUF-model of a conjunction of literals \(\widehat{\psi }^*\) which tautologically entails \(\widehat{\varphi }\) and it is s.t. each \(fmul(x,y)\) equals \(x*y\) in \(\mu \), so that \(\mu \) is a also model for \(\varphi \).

We also notice that the progress of the procedure in Fig. 2 is guaranteed by the refinement step, which rules out significant parts of the search space at every loop by means of the added lemmas.

Important Heuristics for Refinement. The description of provided above leaves some flexibility in deciding what axioms to add (and how many of them) at each iteration. It is possible to conceive strategies with an increasing degree of eagerness, from very lazy (e.g. adding only a single axiom per iteration) to more aggressive ones. In our current implementation, we eagerly add all the axioms (2)–(6) that are violated by the current abstract solution \(\widehat{\mu }\), leaving the investigation of alternative strategies as future work. However, we found the following two strategies to be crucial for performance.

Fig. 5.
figure 5

Illustration of the tangent lemma frontier strategy.

Full size image

Tangent Lemma Frontiers. The tangent lemmas of (2) for a given point (ab) are based on the fact that the multiplication function \({x}*{y}\) is a hyperbolic paraboloid surface, and a tangent plane to such surface cuts the surface into four regions such that in two of the regions the tangent plane is above the surface, whereas in the other two regions the tangent plane is below the surface (see Fig. 1). Each instantiation of (2) for a given point, therefore, can only provide either a lower or an upper bound for a given region. In some cases, this might lead to an infinite refinement loop in which at each iteration the “wrong” bound is refined. In order to address the problem, we use the following strategy. For each \(fmul(x,y)\) in the input formula, we maintain a frontier \(\langle l_x, u_x, l_y, u_y\rangle \) with the invariant that whenever x is in the interval \([l_x, u_x]\) or y is in the interval \([l_y, u_y]\), then \(fmul(x,y)\) has both an upper and a lower bound. Initially, the frontiers are set to \(\langle 0,0,0,0\rangle \). Whenever a lemma (2) for \(fmul(x,y)\) is instantiated on a point (ab), we generate further instantiations of (2) and update the frontier as follows:

  • case \(a < l_x\) and \(b < l_y\) : instantiate (2) on \((a, u_y)\) and on \((u_x, b)\), and set the frontier to \(\langle a, u_x, b, u_y\rangle \);

  • case \(a < l_x\) and \(b > u_y\) : instantiate (2) on \((a, l_y)\) and on \((u_x, b)\), and set the frontier to \(\langle a, u_x, l_y, b\rangle \);

  • case \(a > u_x\) and \(b > u_y\) : instantiate (2) on \((a, l_y)\) and on \((l_x, b)\), and set the frontier to \(\langle l_x, a, l_y, b\rangle \);

  • case \(a > u_x\) and \(b < l_y\) : instantiate (2) on \((a, u_y)\) and on \((l_x, b)\), and set the frontier to \(\langle l_x, a, b, u_y\rangle \).

Figure 5 shows a graphical illustration of the strategy.

Tangent Lemma Rounding. The instantiation of a tangent lemma at the point (ab) has the side-effect of adding the rational constants a, b and \(a*b\) to the formula that is solved by the LRA+EUF solver. If such values have large numerators and/or denominators, they might be a source of a significant slow-down for the LRA solver (which works on exact, arbitrary-precision rational arithmetic). We address this issue by observing that, in order to block a bad model \(\widehat{\mu }\) such that \(\widehat{\mu }[fmul(x,y)] \ne \widehat{\mu }[x] * \widehat{\mu }[y]\), it is sufficient to add one of the two equalities of (2); therefore, instead of instantiating a tangent lemma at (ab), we can instantiate it at either \((a+\delta , b)\) or at \((a, b+\delta )\), for any value of \(\delta \). In practice, if a (resp. b) is a rational constant with a very large numerator or denominator, instead of instantiating a tangent lemma at (ab), we instantiate two tangent lemmas at \((\lfloor a \rfloor , b)\) and \((\lceil a \rceil , b)\).

5 From Satisfiability to Verification

We now move from satisfiability checking to verification.

Overview. In principle, the solver described in the previous section could be integrated as a “black box” in any off-the-shelf SMT-based verification algorithm, such as BMC, k-induction, or one of the many extensions of IC3 to the SMT case (e.g. [4, 9, 18, 21]). In practice, however, such black-box integration would hardly be effective, especially in the case of state-of-the-art algorithms like IC3. IC3 requires a very incremental interaction with the underlying SMT engine, which is asked to solve a large number of relatively-cheap queries. The procedure of Sect. 4, however, can be very expensive, especially for satisfiable queries, which are very common in an IC3-like algorithm.Footnote 2 Moreover, some of the IC3 extensions mentioned above require the ability of performing (approximated) quantifier eliminations, a functionality not provided by the algorithm of Fig. 2.

We propose therefore a white-box integration, in which we lift the abstraction refinement approach of Sect. 4 at the transition system level. We generate an abstract LRA+EUF version of the input NRA transition system, which is then checked with the IC3-based procedure of [9]. In case a counterexample is produced, we use the algorithm of Fig. 2 to check whether it is spurious. If so, the axioms generated by are then used to refine the abstraction of the transition system. The pseudo-code of this algorithm is reported in Fig. 6. Similarly to the satisfiability checking case, the function replaces every non-linear multiplication \(x*y\) in the input transition system and property with a \(fmul(x,y)\) term, and adds some simple axioms about the behaviour of multiplication to the initial-state and transition-relation formulas of the transition system (see Sect. 4). In the rest of this section, we describe the abstraction refinement algorithm in more detail.

Fig. 6.
figure 6

Verification of NRA transition systems via abstraction to LRA+EUF.

Full size image

Counterexample Checking and Refinement. When returns a counterexample trace \(\widehat{\pi }\) for the abstract system \(\widehat{\mathcal{S}}\), we use to check for its spuriousness. The function builds a formula \(\psi \) to feed to , whose unsatisfiability implies that \(\widehat{\pi }\) is spurious. The formula \(\psi \) is built by unrolling the transition relation of \(\widehat{\mathcal{S}}\), and optionally adding constraints that restrict the allowed transitions to be compatible with the states in \(\widehat{\pi }\). Various heuristics are possible, trading generality for complexity: \(\psi \) could be fully constrained by the states in \(\widehat{\pi }\) (thus checking only one abstract counterexample path per iteration); it could be only partially constrained (e.g. by considering only the Boolean variables and/or the state variables occurring only in linear constraints); or it could be left unconstrained, considering only the length of the abstract counterexample. In our current implementation (see Sect. 6), we use the last option, i.e. we only consider the length of \(\widehat{\pi }\) to build a BMC formula that checks for any counterexample of the given length, leaving the investigation of alternative strategies to future work.

If returns true, the property is violated. In this case, we can use the model found by to build a counterexample trace for the input system and property.

If returns false, we use the axioms \(\varGamma \) produced during search to refine the transition system \(\widehat{\mathcal{S}}\), using the procedure shown in Fig. 7. Essentially, translates back the axioms from their unrolled version (i.e. on variables \(X^{\langle 0\rangle }, X^{\langle 1\rangle }, \ldots \)) to their “single step” version (on variables X and \(X'\)), adding each of them either to the initial-states formula or to the transition relation formula. In case an axiom \(\gamma \) spans more than a single transition step (lines 9–10 of Fig. 7), we arbitrarily choose to map the variables with the lowest index as current state variables X, and all the others as next-state variables \(X'\). Notice that this might cause some refinement failure, as discussed in the next paragraph.

Fig. 7.
figure 7

Refinement of the LRA+EUF transition system.

Full size image

Reducing the Number of Axioms to Add. In general, not all the axioms generated during a call to are needed to successfully block a counterexample, especially if eager strategies like those described in Sect. 4 are used. In the long run, having a large number of redundant axioms can be quite harmful for performance. In order to mitigate this problem, we apply a filtering strategy (based on unsatisfiable cores) to the set of axioms, before adding them to the transition system. Instead of adding \(\varGamma _I\) and \(\varGamma _T\) directly to \(\widehat{\mathcal{S}}\), we invoke the function shown in Fig. 8. Note that due to the flattening of multi-step axioms described above (lines 9–10 of Fig. 7), the refinement might fail. In this case, our current implementation simply aborts the execution.Footnote 3

Fig. 8.
figure 8

Reducing the axioms needed for refinement.

Full size image

6 Experimental Analysis

Implementation and Comparisons. We have implemented a prototype of the procedure using the IC3 engine of nuXmv  [7] for . The code is written in Python, using the PySMT library [17]. Our implementation, benchmarks, and experimental data are available at https://es-static.fbk.eu/people/griggio/papers/tacas17-ic3-nra.tar.gz. We have used the following tools for our evaluation.

nuXmv -LRA-static: we apply the upfront abstraction of NRA to LRA proposed in [8], running the IC3 engine of nuXmv on the resulting transition system.

NRA-BMC-{z3, dReal} and NRA-K-induction-{z3, dReal}: we have implemented the BMC  [3] and k-induction  [29] algorithms in Python (using PySMT), using either z3 (NRA) or dReal (NRA) as back-end SMT solver.

iSAT3[1e-1] and iSAT3[1e-9]: we have used the latest version of the iSAT3 solver [24], which combines an SMT solver integrating CDCL and interval constraint propagation techniques with an interpolation-based abstraction/refinement algorithm for verification. iSAT3 supports both transition systems and software programs encoded as control flow graphs. Similarly to dReal, iSAT3 may return a “maybe unsafe” answer and provide a candidate solution identifying the upper and lower bounds on the variables. In the experiments, iSAT3[1e-1] is the configuration suggested by the iSAT3 authorsFootnote 4 and iSAT3[1e-9] is the same except that the minimum splitting width (msw) parameter is set to \(10^{-9}\). We have used a smaller value for the msw to get more precise answers, i.e. “safe” or “unsafe”, as suggested in the iSAT3 user manual.

Benchmarks. We have collected a total of 114 NRA benchmarks from various sources.

Handcrafted. This set contains 14 hand-written instances, 13 safe and 1 unsafe.

HyComp. The second set contains 7 benchmarks (3 safe, 4 unsafe) which are taken from [11] and converted to NRA transition systems using HyComp  [10].

HYST. This is the biggest set, consisting of 65 benchmarks. These are generated from the Hybrid examples that come with the HYST  [2] distribution, by approximating the continuous time by sampling at a fixed time interval. This process is done automatically using an extended version of HYST. Since the generated benchmarks are approximations, we do not know their safety status. The benchmarks contain mostly non-linear behaviour.

iSAT3 and iSAT3-CFG. The 11 benchmarks in this set (7 safe, 4 unsafe) are taken from [24] and the iSAT3 examples available online.

nuXmv. In this set, we have 2 safe benchmarks which we collected from the nuXmv users’ mailing list. These benchmarks have complex boolean structure.

SAS13. These 13 benchmarks are generated from the C programs used in [5], but interpreted over NRA instead of the theory of IEEE floating-point numbers. This makes some of the instances unsafe.

TCM. We have generated 2 safe benchmarks from the Simulink models (taken from the case study [6]) by first generating the C code using the Embedded CoderFootnote 5 and then encoding the program into a symbolic transition system.

Results. We ran our experiments on a cluster of machines with 2.67 GHz Xeon X5650 CPUs and 96 GB of RAM, running Scientific Linux 6.7. We used 6 GB memory limit and 3600 s CPU timeout.

Fig. 9.
figure 9

Plots of SAFE and UNSAFE results.

Full size image
Table 1. Summary of experimental results.
Full size table
Table 2. Comparitive summary of total solved benchmarks.
Full size table

The results are summarized in Tables 1 and 2 and in Fig. 9. The plots show the time to solve an instance on the x-axis and the total number of solved instances on the y-axis. Table 1 reports a summary of the solved instances by family, whereas Table 2 shows a comparitive analysis by reporting for each tool the number of uniquely solved instances and the difference of solved instances w.r.t IC3-NRA-prove. We can make the following observations from the experimental results:

  • IC3-NRA-prove is the best performer overall, and it significantly outperforms all the other approaches on safe instances (where it can solve 9 problems that are out of reach for all the other tools). Interestingly, despite its simplicity, our model finding approach (as outlined in Sect. 4) is surprisingly effective, allowing IC3-NRA-prove to find 15 counterexample traces.

  • The simple abstraction proposed in [8] is quite effective for many families, allowing nuXmv-LRA-static to verify more properties than the approaches based on K-induction with an NRA solver. However, IC3-NRA-prove results in a clear and very significant improvement, solving more than twice as many instances than nuXmv-LRA-static (and losing only 1).

  • None of the other tools (with the exception of nuXmv-LRA-static) is able to solve any safe benchmark in the HyComp and nuXmv families. These benchmarks have a non-trivial Boolean structure and a significant linear component. Both IC3-NRA-prove and nuXmv-LRA-static are able to fully exploit the effectiveness of the underlying IC3 engine of nuXmv, outperforming the competitors. However, IC3-NRA-prove is very competitive also on the HYST family, whose instances are mostly non-linear and have very little Boolean structure.

  • Increasing the default precision of iSAT3 significantly reduces the number of “maybe unsafe” answers, but it doesn’t seem to help in solving more benchmarks. In fact, we remark that even with the increased precision iSAT3[1e-9] classifies 2 safe instances as “maybe unsafe” (whereas in the default configuration, 6 safe instances are classified as “maybe unsafe”).

7 Conclusions and Future Work

We presented a novel abstraction-refinement approach to the verification of transition systems with nonlinear dynamics expressed in the NRA theory. We abstract non-linear multiplication as an uninterpreted function, leveraging efficient invariant checkers for transition systems over LRA and EUF to solve the problem in the abstract space. In case of spurious counterexample, the abstraction of multiplication is incrementally refined by introducing suitable axioms, based on the idea of tangent planes. An extensive experimental evaluation demonstrates that the proposed approach is significantly more effective than approaches directly based on SMT(NRA) solving.

This work opens up several important directions. First, we are going to improve the implementation, by integrating all the steps within the nuXmv  [7] model checker, and to perform a thorough analysis of the various heuristic choices. Second, we will investigate the potential of the approach for SMT, both for other theories (e.g. NIA) and for extended functionalities (e.g. interpolation). We will also extend the scope of the approach to deal with transcendental functions, look-up tables, and partially axiomatized functions (e.g. gain functions known to be monotonic and of restricted co-domain).

Finally, we are going to investigate the generalization of the approach from transition systems to continuous-time hybrid systems with nonlinear characteristic functions.