ABSTRACT. We describe synergies between symbolic solving and cloud infrastructures. In one direction, verification methods have important uses in running a reliable and secure cloud. Conversely, scalable cloud infrastructure may enable solving hard combinatorial problems.

Cloud providers are increasingly embracing network verification for managing complex datacenter network infrastructure. Microsoft's Azure cloud infrastructure integrates the SecGuru tool, which leverages the Z3 SMT solver, for assuring that the network is configured to preserve desired intent over hundreds of thousands of network devices. We describe our experiences building and running SecGuru for network verification in Azure.

We then describe a distributed version of Z3 that scales with Azure's elastic cloud. It integrates recent advances in lookahead and distributed SAT solving for Z3's engines for SMT. A multi-threaded version of the Cube & Conquer solver is also available parallelizing SAT and SMT queries.

ABSTRACT. We investigate means of efficient computation of the simulation relation over symbolic finite automata (SFAs), i.e., finite automata with transitions labeled by predicates over alphabet symbols. In one approach, we build on the algorithm by Ilie, Navaro, and Yu proposed originally for classical finite automata, modifying it using the so-called mintermisation of the transition predicates. This solution, however, generates all Boolean combinations of the predicates, which easily causes an exponential blowup in the number of transitions. Therefore, we propose two more advanced solutions. The first one still applies mintermisation but in a local way, mitigating the size of the exponential blowup. The other one focuses on a novel symbolic way of dealing with transitions, for which we need to sacrifice the counting technique of the original algorithm (counting is used to decrease the dependency of the running time on the number of transitions from quadratic to linear). We perform a thorough experimental evaluation of all the algorithms, together with several further alternatives, showing that all of them have their merits in practice, but with the clear indication that in most of the cases, efficient treatment of symbolic transitions is more beneficial than counting.

Efficient Symbolic Representation of Convex Polyhedra in High-Dimensional Spaces

ABSTRACT. This work is aimed at developing an efficient data structure for
representing symbolically convex polyhedra. We introduce an original
data structure, the Decomposed Convex Polyhedron (DCP), that is
closed under intersection and linear transformations, and allows to
check inclusion, equality, and emptiness. The main feature of DCPs
lies in their ability to represent concisely polyhedra that can be
expressed as combinations of simpler sets, which can overcome
combinatorial explosion in high dimensional spaces. DCPs also have
the advantage of being reducible into a canonical form, which makes
them efficient for representing simple sets constructed by long
sequences of manipulations, such as those handled by state-space
exploration tools. Their practical efficiency has been evaluated with
the help of a prototype implementation, with promising results.

Ranking and Repulsing Supermartingales for Approximating Reachability

ABSTRACT. Computing reachability probabilities is a fundamental problem in the
analysis of probabilistic programs. This paper aims at a comprehensive and comparative account on various \emph{martingale-based methods} for over- and under-approximating reachability probabilities. Based on the existing works that stretch across different communities (formal verification, control theory, etc.), we offer a unifying account. In particular, we emphasize the role of order-theoretic fixed points---a classic topic in computer science---in the analysis of probabilistic programs. This leads us to two new martingale-based techniques, too. We give rigorous proofs for their soundness and completeness. We also make experimental comparison using our implementation of template-based synthesis algorithms for those martingales.

Quadratic Word Equations with Length Constraints, Counter Systems, and Presburger Arithmetic with Divisibility

ABSTRACT. Word equations are a crucial element in the theoretical foundation of
constraint solving over strings, which have received a lot of attention in
recent years.
A word equation relates two words over string variables and constants.
Its solution amounts to a function mapping variables to constant strings that
equate the left and right hand sides of the equation.
While the problem of solving word equations is decidable,
the decidability of the problem of solving a word equation
with a length constraint (i.e., a constraint relating the lengths of
words in the word equation) has remained a long-standing open problem.
In this paper, we focus on the subclass of quadratic word equations, i.e.,
in which each variable occurs at most twice.
We first show that the length abstractions of solutions to quadratic
word equations are in general not Presburger-definable.
We then describe a class of counter systems with Presburger transition relations
which capture the length abstraction of a quadratic word equation with regular
constraints.
We provide an encoding of the effect of a simple loop of the counter systems
in the theory of existential Presburger Arithmetic with divisibility (PAD).
Since PAD is decidable, we get a decision procedure for quadratic words equations with
length constraints for which the associated counter system is flat (i.e.,
all nodes belong to at most one cycle).
We show a decidability result (in fact, also an NP algorithm with a PAD oracle)
for a recently proposed NP-complete fragment of word equations called regular-oriented word equations,
together with length constraints.
Decidability holds when the constraints are additionally extended with regular constraints
with a 1-weak control structure.

Recursive Online Enumeration of All Minimal Unsatisfiable Subsets

ABSTRACT. In various areas of computer science, we deal with a set of constraints to be satisfied. If the constraints cannot be satisfied simultaneously, it is desirable to identify the core problems among them. Such cores are called minimal unsatisfiable subsets (MUSes). The more MUSes are identified, the more information about the conflicts among the constraints is obtained. However, a full enumeration of all MUSes is in general intractable due to the large number (even exponential) of possible conflicts. Moreover, to identify MUSes, algorithms have to test sets of constraints for their simultaneous satisfiability. The type of the test depends on the application domains. The complexity of the tests can be extremely high especially for domains like temporal logics, model checking, or SMT. In this paper, we propose a recursive algorithm that identifies MUSes in an online manner (i.e., one by one) and can be terminated at any time. The key feature of our algorithm is that it minimises the number of satisfiability tests and thus speeds up the computation. The algorithm is applicable to an arbitrary constraint domain and proves to be efficient especially in domains with expensive satisfiability checks. We benchmark our algorithm against the state-of-the-art algorithm Marco on the Boolean and SMT constraint domains and demonstrate that our algorithm really
requires less satisfiability tests and consequently finds more MUSes in the given time limits.

Modular Verification of Concurrent Programs via Sequential Model Checking

ABSTRACT. This work utilizes the plethora of work on verification of sequential programs for the purpose of verifying concurrent programs. We reduce the verification of a concurrent program to a series of verification tasks of sequential programs.
Our approach is modular in the sense that each sequential verification task roughly corresponds to the verification of a single thread, with some additional information about the environment in which it operates. Information regarding the environment is gathered during the run of the algorithm, by need.

While our approach is general, it specializes on concurrent programs where the threads are structured hierarchically. The idea is to exploit the hierarchy in order to minimize the amount of information that needs to be transferred between threads. To that end, we verify one of the threads, considered ``main'', as a sequential program. Its verification process initiates queries to its ``environment'' (which may contain multiple threads). Those queries are answered by sequential verification, if the environment consists of a single thread, or, otherwise, by applying the same hierarchical algorithm on the environment.

Our technique is fully automatic, and allows us to use any off-the-shelf sequential model checker. We implemented our technique in a tool called CoMuS and evaluated it against established tools for concurrent verification.
Our experiments show that it works particularly well on hierarchically structured programs.

Continuous-Time Markov Decisions based on Partial Exploration

ABSTRACT. We provide a framework for speeding up algorithms for time-bounded reachability analysis of continuous-time Markov decision processes. The principle is to find a small, but almost equivalent subsystem of the original system and only analyse the subsystem. Candidates for the subsystem are identified through simulations and iteratively enlarged until runs are represented in the subsystem with high enough probability. The framework is thus dual to that of abstraction refinement. We instantiate the framework in several ways with several traditional algorithms and experimentally confirm orders-of-magnitude speed ups in many cases.

Temporal Logic Verification of Stochastic Systems Using Barrier Certificates

ABSTRACT. This paper presents a methodology for temporal logic verification of discrete-time stochastic systems. Our goal is to find a lower bound on the probability that a complex temporal property is satisfied by finite traces of the system. Desired temporal properties of the system are expressed using a fragment of linear temporal logic, called safe LTL over finite traces. Any specification in this fragment admits a finite automaton that has the same accepting language as the negation of the specification. We propose to use barrier certificates for computations of those lower bounds which are computationally much more efficient than the existing discretization-based approaches. The new approach is discretization-free and does not suffer from the curse of dimensionality caused by discretizing state sets. The proposed approach relies on decomposing the negation of the specification into a union of sequential reachabilities and then using barrier certificates to compute upper bounds for these reachability probabilities. We demonstrate the effectiveness of the proposed approach on case studies with linear and polynomial dynamics.

Owl: A Library for \omega-Words, Automata, and LTL

ABSTRACT. We present the library Owl (*O*mega-*W*ords, automata, and *L*TL) for omega-automata and linear temporal logic. It forms a backbone of several translations from LTL to automata and related tools by different authors. We describe the functionality of the library and the recent experience, which has already shown the library is apt for easy prototyping of new tools in this area.

Accelerated Model Checking of Parametric Markov Chains

ABSTRACT. Parametric Markov chains occur quite naturally in various applications: they can be used for a conservative analysis of probabilistic systems (no matter how the parameter is chosen, the system works to specification); they can be used to find optimal settings for a parameter; they can be used to visualise the influence of system parameters; and they can be used to make it easy to adjust the analysis for the case that parameters change. Unfortunately, these advancements come at a cost: parametric model checking is---or rather was---painstakingly slow. To make the analysis of parametric Markov models scale, we need three ingredients: clever algorithms, the right data structure, and good engineering. Clever algorithms are often the main (or sole) selling point; and we face the trouble that this paper focuses on the latter ingredients to efficient model checking. Consequently, our easiest claim to fame is in the speed-up we have realised: around 1.5 to 2 orders of magnitude.

SBIP 2.0: Statistical Model Checking Stochastic Real-time Systems

ABSTRACT. This paper presents a major new release of SBIP, an extensible statistical model checker for Metric (MTL) and Linear-time Temporal Logic (LTL) properties on respectively Generalized Semi-Markov Processes (GSMP), Continuous-Time (CTMC) and Discrete-Time Markov Chain (DTMC) models. The newly added support for MTL, GSMPs,
CTMCs and rare events allows to capture both real-time and stochastic aspects, allowing faithful specification, modeling and analysis of real-life systems. SBIP is redesigned as an IDE providing project management,model edition, compilation, simulation, and statistical analysis.