Verification of software and embedded systems using AIG solvers -

Abstract

It is critical for software and hardware developers to design correct and reliable systems. In particular, safety critical systems such as medical equipment, navigation control and targeting devices do not tolerate defects in their logical components. Static analysis techniques are used to check and prove correctness of logic components with respect to formal specifications. In particular, ABC is a model checker that takes an And-Inverter-Graph (AIG) circuit, a directed acyclic graph with two input AND gates, inverters and memory elements, reduces it using synthesis algorithms, and checks it for correctness using proof algorithms. Existing techniques transform software programs and embedded system design components into Conjunctive Normal Form (CNF) formulae and Symbolic Model Verifier (SMV) code, and use satisfiability (SAT) solvers and symbolic model checkers, respectively, to check their validity within a user specified finite domain. These techniques often fail to scale well with the increasing size of systems and with larger finite domains. In this work, we explore the use of AIG solvers to address the verification of software and embedded systems subject to bounds on the data width of their variables. [P]S[Q] translates imperative logic systems, written in a C-like language, into AIG. BIP[I] translates an embedded system, written within the Behavior-Interaction-Priority (BIP) framework, into AIG. Both methods use the ABC AIG solver to reduce the generated AIG circuits using sequential synthesis algorithms, and then check them for validity. The solver either (1) proves the specifications valid within the finite domain, (2) generates a counter example and reports it to the developer for debugging, or (3) reaches its computational bounds before making a decision. We evaluated [P]S[Q] against a set of array and list manipulation algorithms, and various benchmarks obtained from the second competition on software verification (SVComp'13). Results show that [P]S[Q] reaches bounds higher than those possible with t