# Formalizing the Soundness of the Encoding Methods of SAT-based Model Checking

One of the effective model checking methods is to utilize the efficient decision procedure of SAT (or SMT) solvers. In a SAT-based model checking, a system and its property are encoded into a set of logic formulas and the safety is checked based on the satisfiability of the formulas. As the encoding methods are improved and crafted (e.g., k-induction and IC3/PDR), verifying their correctness becomes more important. This research aims at a formal verification of the SMC methods using the Coq proof assistant. Our contributions are twofold: (1) We specify the basic encoding methods, k-induction and (a simplified version of) IC3/PDR in Coq as a set of simple and modular encoding predicates. (2) We provide a formal proof of the soundness of the encoding methods based on our formalized lemmas on state sequences and paths.

## Authors

• 6 publications
• 1 publication
• ### BPPChecker: An SMT-based Model Checker on Basic Parallel Processes(Full Version)

Program verification on concurrent programs is a big challenge due to ge...
10/15/2021 ∙ by Ying Zhao, et al. ∙ 0

• ### Unbounded Software Model Checking with Incremental SAT-Solving

This paper describes a novel unbounded software model checking approach ...
02/12/2018 ∙ by Marko Kleine Büning, et al. ∙ 0

• ### Linear-time Temporal Logic with Event Freezing Functions

Formal properties represent a cornerstone of the system-correctness proo...
09/07/2017 ∙ by Stefano Tonetta, et al. ∙ 0

• ### Software Verification with PDR: Implementation and Empirical Evaluation of the State of the Art

Property-directed reachability (PDR) is a SAT/SMT-based reachability alg...
08/17/2019 ∙ by Dirk Beyer, et al. ∙ 0

• ### Verifying High-Level Latency-Insensitive Designs with Formal Model Checking

Latency-insensitive design mitigates increasing interconnect delay and e...
02/12/2021 ∙ by Steve Dai, et al. ∙ 0

• ### "ReLIC: Reduced Logic Inference for Composition" for Quantifier Elimination based Compositional Reasoning and Verification

The paper presents our research on quantifier elimination (QE) for compo...
02/28/2021 ∙ by Hao Ren, et al. ∙ 0

• ### Formulog: Datalog for SMT-Based Static Analysis (Extended Version)

Satisfiability modulo theories (SMT) solving has become a critical part ...
09/17/2020 ∙ by Aaron Bembenek, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## I Introduction

SAT-based model checking (SMC, Sect. II) is a symbolic model checking method that delegates the main reasoning/search process to efficient SAT (or SMT) solvers. An essential process in SMC is to encode a property of a state transition system into a propositional (or predicate) logic formula. Checking the satisfiability of the encoded formula entails the safety of the target system. Various SMC methods have been proposed, e.g., [3, 13, 10, 6, 8, 7], each of which is carefully designed by e.g. unrolling of execution paths, inductions on paths, and over-approximation of states (Sect. II and III).

Formal verification is a way to provide a reliable SMC tool. To the authors’ knowledge, there does not exist a verified SMC tool. A verification involves proving the correctness of the encoding methods, which are based on various properties on states and execution paths of a transition system. Formalizing the correctness and the underlying properties using a proof assistant is not a trivial task.

This research aims at formal verification of the SMC methods using the Coq proof assistant. We first formalize the transition systems, properties and several SMC methods with Coq (Sect. IV). Then, we verify that the methods correctly encode the safety of the target system; in other words, we formalize the soundness proof of each SMC algorithm (Sect. V). We also investigate a formalization of the properties on states and paths of a system, which are considered explicitly in SMC. Our contributions are summarized as follows:

• We formalize the SMC methods in a simplified manner that adapts the existing methods into a generic scheme described in Sect. II and III; each SMC method is presented as an implementation of the encoding methods, which are then formalized by a shallow embedding into Coq (Sect. IV-B). Also, we demonstrate that our Coq specification works as a prototype SMC tool (Sect. IV-C).

• We formally verify the soundness of the encoding methods; in particular, for the forward, backward, -induction, and IC3/PDR methods (Sect. V). In the formalization, we explicitly specify the execution paths of a system. To facilitate this task, we develop a small yet useful theory of state sequences and paths, which contains lemmas on various properties and operations. Sect. VI discusses some characteristics of our verification results.

We consider that our result will help to provide a reliable SMC tool and serve as a formal scheme in the development of new encoding methods.

## Ii SAT-based Model Checking

This section introduces basics of SMC (Sect. II-A) and an encoding process for bounded safety (Sect. II-B).

We consider a set of states

, each of which is typically encoded as a fixed-length bit vector or an integer;

denotes a set of states. A state transition system is specified by a pair of an initial condition and a transition relation . An initial path of a system is a sequence of states such that and for . In the following, we denote the path by and a path fragment by . We say a state is reachable iff there exists an initial path fragment . Given a property , we say a system is safe iff every reachable state satisfies ; the safety is defined as

 safety(I,T,P) :↔ ∀i∈N, ∀s[0..i], I(s0) → pathT(s[0..i]) → P(si), (1)

where

 pathT(s[o..i]):↔{⋀o≤j
###### Example 1

We can consider a flawed 3-bit shift register [3] as a simple state transition system with and , where bits are interpreted as decimal numbers. It is safe with the property . An example initial path is .

SAT-based model checking (SMC) [3, 4] is a formal verification method for transition systems, which exploits the efficient decision procedure of SAT (propositional satisfiability) or SMT (satisfiability modulo theories) solvers. In a model checking process, a bound is given to restrict the depth of the search space. As a result, either (R1) a safety proof of the system, (R2) partial safety proof within the depth or (R3) a counterexample of length or less will be obtained. Various SMC methods have been proposed, e.g. [13, 10, 6, 8, 7]. There exist a number of SMC tool implementations, e.g., nuXmv [5] and Kind 2 [11].

### Ii-a Generic Scheme of SMC

Given a target system , a property and a bound , an SMC procedure encodes the safety of the system into a logic formula and checks its satisfiability using a SAT/SMT solver. This procedure can be summarized as Alg. 1. Each SMC method provides their own encoding method; therefore, in the algorithm, it is parameterized as at Line 1. An encoding method generates a formula that describes a given system and a property by considering only a finite number (which depends on ) of states. As a result, multiple validity problems of the form are generated as sub-formulas in ; then, they are discharged using a SAT/SMT solver, and those sub-formulas are substituted with the results, i.e. true or false (Line 3). Here, we denote the substitution of a sub-formula in with by ; the validity problem is solved by checking the unsatisfiability of the negation of . An encoded formula can be an arbitrary logical combination of the sub-formulas, e.g., . At Line 5, the validity of is determined, typically with a case analysis.

### Ii-B Encoding Bounded Safety

As a basic encoding method, we consider to encode a bounded safety property. For SMC with the bound , we prepare state variables . Then, the following predicate formula states that every sequence , which represents an initial path fragment of length or less, reaches a safe state.

 (I,T,P,k) :↔ ⋀0≤i≤k+1(∀s[0..i], I(s0)→pathT(s[0..i])→P(si)). (3)

In the above, , and are predicates on states that specify the target system model and the property. By running Alg. 1 with , which is supported by a SAT or SMT solver, we are able to verify whether the system is safe within the bound (R2) or there exists a counterexample (R3).

To use a SAT solver as the procedure in Alg 1, the body of an encoded formula has to be (the negation of) a conjunction. Hence, the formula (3) should be modified as

 ⋀0≤i≤k+1(∀s[0..i], ¬( I(s0)∧pathT(s[0..i])∧¬P(si))), (4)

which is equivalent to (3) in classical logic.

## Iii Unbounded Model Checking

For a SAT-based unbounded model checking, which concerns a safety for arbitrary lenghs of path fragments (R1), we typically perform an iteration of encoding and satisfiability checking for . This process is illustrated as Alg. 2, which contains two calls for Alg. 1 (Lines 2 and 4) with different encoding methods for checking safety (R1) or unsafety (R3). Whenever the calls result in or , respectively, the process terminates. The termination depends on the completeness of the encoding methods.

This section describes the dedicated encoding processes, -induction (Sect. III-A) and IC3/PDR (Sect. III-B).

### Iii-a Encoding Unbounded Safety

Encoding methods for unbounded safety that assume a set of lasso-shaped paths and apply an induction have been proposed. Sheeran et al.[13] have proposed six algorithms for this purpose, which are intended for an efficient encoding and reasoning of lasso-shaped paths. Some of the algorithms also utilize the -induction principle for an efficient SMC.

First, we prepare a shorthand to describe that is a loop-free path.

 loopFT(s[o..k]) :↔ pathT(s[o..k])∧⋀o≤i

Then, a sufficient condition for the safety (R1) can be encoded in two ways.

 (I,T,P,k) :↔ (I,T,P,k) ∧(∀s[0..(k+1)], I(s0)→¬loopFT(s[0..(k+1)])) (6)
 (I,T,P,k) :↔ (I,T,P,k) ∧(∀s[0..(k+1)], loopFT(s[0..(k+1)])→P(sk+1)) (7)

Either of the encoding methods and considers a fixed point of the reachability analysis from the initial states or the unsafe states, respectively. The second quantified sub-formula of checks that all the initial paths of length contain a loop. The implication sub-formula of is equivalent to in classical logic; it checks that all paths of length from an unsafe state contain a loop. Since the safety within the bound is checked with , the safety R1 is inferred as a result. As for , we can modify the second parts of and as follows to have the sub-formulas of a conjunctive form.

 ∀s[0..(k+1)], ¬(I(s0)∧loopFT(s[0..(k+1)])) (8) ∀s[0..(k+1)], ¬(loopFT(s[0..(k+1)])∧¬P(sk+1)) (9)
###### Example 2

For the system in Ex. 1, holds iff since all initial paths are safe and they reach the invariant state before the fourth step. holds iff since the unsafe state does not have a predecessor state.

Sheeran et al.’s first algorithm [13] is a hybrid method of the two, whose encoding method is equivalent to . Sheeran et al.’s subsequent algorithms apply a -induction and encode the safety as follows.

 (I,T,P,k) :↔ (I,T,P,k) ∧ (10) (∀s[0..(k+1)],loopFT(s[0..(k+1)])→⋀0≤i≤kP(si)→P(sk+1))

To have an unbounded model checker using our scheme of Alg. 2, in can be implemented as either , , or , and it can be implemented as in .

### Iii-B IC3/PDR Method

Bradley [6] has proposed an SMC method called IC3 or PDR (property directed reachability) [8] (we refer to the method as PDR in the sequel); it handles a sequence of over-approximations that encloses path fragments with sets of clauses; also, it uses the inductive relative relation between states to refine an over-approximation. In this paper, we do not go into the details of the method but focus on the post-conditions of the PDR method, given an over-approximation. We again adapt the method into our scheme of Alg. 1 and Alg. 2.

Assume a sequence (denoted by below) of over-approximations of a set of reachable states in . Then, the post-condition of PDR for the true case is described as follows (we refer to the whole formula as (11) and to each sub-formula as (a)–(e)).

 (I,T,P,k) :↔ ∃R[0..],(∀i,∀s, I(s)→Ri(s))∧ (a) (∀i,∀s, Ri(s)→P(s)) ∧ (b) (∀i,∀s, Ri(s)→Ri+1(s)) ∧ (c) (∀i≤k, ∀s,s′, Ri(s)∧T(s,s′)→Ri+1(s′)) ∧ (d) (∀s, Rk(s)↔Rk+1(s))(e) (11)

The original algorithm initializes over-approximations as and for , and incrementally refines (for ). The algorithm repeatedly (i) detects a bad state such that , (ii) generalizes to a clause such that (for some ), and (iii) refines by adding into the over-approximations. Finally, the algorithm terminates when the sub-formula (e) holds; the resulting over-approximation is an inductive strengthening of , which is depicted in Fig. 1.

Note that the above post-condition is slightly modified from that of the original algorithm for the sake of simplicity of the verification process. First, although the original algorithm maintains a set of clauses for each , we do not distinguish the set and . Second, we weaken the sub-formula (e) from .

###### Example 3

For the system in Ex. 1, we can have a set of over-approximations specified as and for . It satisfies iff .

The post-condition for the false case, which is extracted from the PDR algorithm, is described below (the sub-formulas are referred to as (a)–(c)).

 (a) (∀s,s′, ¬(I(s)∧T(s,s′)∧¬P(s′)))) ∧ (b) (∀R[0..k],s[0..(k+1)], (12) ¬(I(s0)∧⋀0≤i≤k(Ri(si)∧T(si,si+1))∧¬P(si+1))) (c)

The sub-formulas (a) and (b) are for detecting length 0 and 1 counterexamples. The sub-formula (c) describes initial and bounded safe paths of length or less, which is related with .

## Iv Specification of SMC Encoding Methods

In this work, we have realized the SMC scheme in Fig. 1 in the Coq proof assistant (Sect. IV-A). We first explain how we specify MC problems and encoding methods in Coq (Sect. IV-B). Next, we show that an SMC is performed as a theorem proving in Coq (Sect. IV-C).

### Iv-a Coq Proof Assistant and coq2smt

Coq (version 8.6.1) is a proof assistant based on the typed lambda calculus, which supports predicate logic formulas, algebraic types, higher-order functions, etc. to describe theorems and proofs. Using the tactic mechanism, a proof can be described/performed efficiently and simply. In a part of the verification, we rely on the excluded middle axiom of the Classical_Prop module (see Sect. VI-C).

A plug-in software for Coq, coq2smt (commit 604f72a), has developed to invoke SMT solvers within a Coq proof via the tactic smt solve. The tactic handles goals of a quantifier-free form involving boolean connectives, equalities, values/variables of type Z, etc.; it discharges a goal using an SMT solver (e.g. CVC4 and Z3) and reflects the result in the proof context of Coq.

### Iv-B State Transition Systems and Encoding Predicates

To specify a state transition system , its property and an over-approximation , we assume the following types based on the definitions in Sect. II.

Definition state : Type := Z.
Definition prop: Type := state -> Prop.
Definition trans : Type := state -> state -> Prop.

We specify the type state as Z to demonstrate a model checking using SMT solvers. To pursue the proof tasks in Sect. V, any type with equality = can be used as state. , and are supposed to be typed as prop. For state sequences, we assume the following type.

Definition sseq : Type := nat -> Z.

Here, we have not drawn on existing abstract types (e.g. list) because, in our proof scheme for SMC (Sect. IV-C), we intend to expand a proof goal into a flat formula, instead of an inductive reduction. For instance, the predicate in Eq. (2), which requires a sequence to be a path fragment, is specified recursively as follows. Indeed, this enables an expansion with an unfold application given specific argument values.

Fixpoint path (T : trans) (ss : sseq) (o len : nat)
: Prop :=
match len with
| O => True
| S len => path T ss o len /\
T (ss (o+len’)) (ss (o+len))
end.

Based on these types, for example, the method is simply specified as the following predicate:

Definition forward_safety (I : prop) (T : trans)
(P : prop) (k : nat) : Prop :=
safety_k I T P (S k) /\ lasso_fwd I T (S k).

The predicates are defined separately for each sub-formula in Eq. (6); e.g., the predicate lasso_fwd is specified as

Definition lasso_fwd (I : prop) (T : trans) (k : nat)
: Prop :=
forall ss : sseq, ~ (I (ss 0) /\ loop_free T ss 0 k).

In this way, these predicates are able to be shared between different encoding methods. For example, a hybrid method of and is specified as follows.

Definition sheeran1_safety (I : prop) (T : trans)
(P : prop) (k : nat) : Prop :=
safety_k I T P (S k) /\
(lasso_fwd I T (S k) \/ lasso_bwd T P (S k)).

A set of over-approximations (i.e. a sequence of prop values) handled by PDR is typed as the type spseq.

Definition spseq : Type := nat -> prop.

Using this type, for instance the body of the sub-formula (c) is specified as

Fixpoint spseq_sseq (I : prop) (T : trans)
(r : spseq) (ss : sseq) (i : nat) :=
match i with
| O => I ss.[0]
| S i => spseq_sseq I T r ss i /\
r i ss.[i] /\ T ss.[i] ss.[i+1]
end.

### Iv-C SMC as a Coq Proof Process

In this section, we demonstrate that our specification works as a simple SMC tool (except for PDR as it requires to prepare an over-approximation). To do so, a user first specifies a verification problem by defining , and as objects of the types trans and prop, respectively. Then, an SMC is performed by describing a theorem and its proof using a template script configured for each . Type checking of this proof with Coq mimics an execution of the SMC procedure Alg. 1

For example, a template theorem and proof for SMC with forward_safety (Eq. (6)) is described as

Theorem smc_example : forward_safety    .
Proof.
unfold , ,.
unfold forward_safety; unfold
split.
intros; smt solve; apply by_smt.
repeat split; intros; smt solve; apply by_smt.
Qed.

Regarding Alg. 1, an method is implemented as a Coq predicate (e.g., forward_safety that implements ), corresponds to discharging a sub-goal with smt solve, and is represented as a proof template for each encoding method.

## V Formal Verification

We have verified the encoding methods in Sect. II and III. The correctness (including soundness, completeness and termination) is discussed rather informally in the original papers[13, 6]; our work aims at formalizing the soundness proofs with Coq, following the dissussions in [13, 6]. In this paper, we do not formalize the completeness and leave it as a future work (see Sect. VIII). This section explains the process of formalization and proving.

Each encoding method represents a sufficient or necessary condition of the safety. Here, we describe the verified properties regarding Alg. 2, which returns either or using two encoding methods. In the following theorems, we relate the post-condition for true or false case with the safety (Eq. (1)). When the algorithm returns true using , its soundness is described as follows.

###### Theorem 1 (Soundness of True Case with E∙)

.

Likewise, for the false case using , its soundness is described as follows.

###### Theorem 2 (Soundness of False Case with E∙)

.

Note that Theorem 2 does not ensure the completeness of the true case with ; cf. and are not logically equivalent.

Our verification is based on a shallow embedding of the transition systems and safety properties. The above theorems, which relate the safety (3) and the encoded formulas , are specified directly in the logic of Coq.

In the end, we have provided formal proofs for each of the following combinations. The proofs are explained in the following subsections.

• Theorem 1 with and with : Sect. V-B.

• Theorem 1 with (-induction): Sect. V-C.

• Theorem 2 with : Sect. V-D.

• Theorem 1 with (PDR): Sect. V-E.

• Theorem 2 with (PDR): Sect. V-F.

In the proof of Theorem 1 with , we restate the consequent safety into the form that considers only loop-free paths. The following lemma is used for this deduction.

###### Lemma 1

.

Its proof is explained in Sect. V-G.

### V-a A Theory of State Sequences and Paths

For the ease of proofs, we have developed vocabularies and lemmas on state sequences (of the type sseq) and paths (sseq values in which each pair of concatenated states satisfy ). Some of the lemmas utilized in the verification are shown in Fig. 2.

We introduce a suffix operation skipn for state sequences, which is defined as , and formalize the related properties. Using skipn, we have the lemmas such as Fig. 2 (ss&p 1–3).

Various split operations for paths, loop-free paths, etc. are useful in the verification. Therefore, we formalize those split relations as lemmas; for instance, we have lemmas Fig. 2 (ss&p 4–6).

### V-B True Cases with E(???) and with E(???)

Let be where is the parameter of the encoding method. To prove Theorem 1 for either or , we split either of the proof tasks into two cases and , where is that in Lemma 1. We prove that the hypothesis in Lemma 1 holds for each case.

For the case , we prove that the sub-formula implies the safety within the bound . We perform an induction on to show the correspondence between , in which path is specified recursively, and the consequent specified with a universal quantifier.

For the case , we split the path constraint in the proof context in either way of the following:

 (13) I(s0)∧loopFT(s[0..(i−k′)])∧loopFT(s[(i−k′)..i])→P(si). (14)

The split paths are illustrated in Fig. 3. The first of Eq. (13) (resp. the second of Eq. (14)) matches with the last sub-formula of Eq. (6) (resp. Eq. (7)). For Eq. 14, we utilize the skipn operator in the unification of formulas ( is rewritten as ). With the modifications of the proof contexts, the goals are discharged by matching them with the premises.

### V-C True Case with k-Induction

We again assume . Theorem 1 with is also proved with an application of Lemma 1 and a case split into and .

The case is proved as in Sect. V-B.

For the case , we apply a complete induction on the step number in the predicate ; we are to prove that the -th state satisfies the property assuming and the safety within the depth . The proof is done in three steps. First, we split the constraint in the proof context in two, and , as in Eq. (13). Second, we modify the indices in the sub-formula of Eq. (10) with the lemma

 ∀i,k, k

Third, is inferred by applying the last sub-formula of Eq. (10) and the hypothesis of the complete induction.

### V-D False Case with E(???)

Theorem 2 with is proved by showing that always hold when assuming the safety of a system. It is simply proved by an induction on .

### V-E True Case with PDR

Theorem 1 with is proved by several case analyses and inductions as described below. At first, the proof goal is split into the two goals of the form

 ∀I,T,P,k, (I,T,P,k)→∀i,i∘k+1→∀s[0..i],I(s0)→path(s[0..i])→Ri(si), (15)

where is set as either or . The consequence is obtained by applying (b) to the term in .

For the case , we perform an induction on . The initial case is proved by (a). In the induction step where , the proof context consists of the consequence and a set of hypotheses. is transformed to by (c). As a result, the proof context matches the induction hypothesis and be discharged.

For Eq. (15) with , we again perform an induction on . The initial case (, where ) immediately holds. In the induction step (), the goal is transformed into . Then, we have by applying (d), and by rewriting with (e). Here, we consider two cases and separately. For the first case, the goal is proved by applying Eq. (15) with . For the case when , we are able to deduce the goal from the induction hypothesis; so it is discharged.

### V-F False Case with PDR

Theorem 2 with is proved by showing that each of the three sub-formulas of holds when assuming the safety of a system.

The sub-formulas (a) and (b) are easy to prove.

Before the proof of the sub-formula (c), we prepare the following lemma that states a necessary condition.

 ∀I,T,P,R[0..(k−1)],s[0..k],(I(s0)∧⋀0≤i

Note that the hypothesis is the negation of the body of (c). It is proved by an induction on ; in the induction step, we prove by a case split into the cases , and .

The proof context of the sub-formula (c) contains the hypothesis part of Eq. (16), so it is rewritten into the consequence part of Eq. (16). The proof goal is discharged by the assumption of the safety, but we need to show additionally that is a path of the system. Using the rewritten premise above, we are able to prove it.

### V-G Reduction to Loop Free Paths

Lemma 1 is proved by a complete induction on in . In the induction step, we have to show the safety of the arbitrary paths of length , assuming the safety within the lengths less than and the safety of the loop-free paths of length . It is proved based on the observation that the reachable states by looped paths can be reached by a shorter path.

To compare paths with or without a loop reaching a same state, we introduce the predicate defined as

 ∀i∈N, ((i≤k−o→sk−i=s′k−i) ∧ sk+d+i=s′k+i).

Fig. 4 (left) illustrates the definition. It represents the fact that a sequence is a shortened sequence of where the fragment is removed from ; thus, two fragments of each of the two sequences coincide as and .

With this predicate, we formalize the lemma

 (17)

Note that the consequent part can be transformed into the formula below in classical logic.

 ∃s′∈sseq, ∃k,d∈N,  k+d≤i ∧ d>0 ∧shorter\char 95ss(0,k,d,s,s′) ∧ si=s′i−d

Fig. 4 (right) illustrates this lemma. It states that, when a sequence contains a loop, there exists a shortened sequence and the same states are reachable with the two paths. The consequent holds by matching the variables as and .

To prove Lemma 1, we perform a proof by contradiction; we assume that an unsafe path of length exists when the safety is checked for loop-free paths of length . Such path should be looped; thus, we can show that there are unsafe shorter paths, which contradicts the induction hypothesis.

## Vi Review on the Verification Result

This section describes the statistical data (Sect. VI-A) and discussions (Sect. VI-B and VI-C) regarding the overall results of the verification with Coq described in Sect. V.

### Vi-a Statistics

The LOC for each proof is shown in Table I; the third and sixth columns show the LOC of the proofs related to state sequences and paths described in Sect. V-A and V-G. For instance, the overall proof script for Theorem 1 with consisted of 459 LOC, which involved the proof script for Lemma 1, three lemmas for the cases analyzed and 11 “ss&p” lemmas. Note that, many of the “ss&p” lemmas were shared between the different verification tasks.

The proof of Lemma 1 was formalized with 352 LOC, in which we reduced the lemma twice into other proof goals; the resulting goal was proved with nine “ss&p” lemmas.

### Vi-B Discussions

We have successfully formalized the soundness proofs following the discussions in the original papers [13, 6]. In the formalization, we used the lemmas in Sect. V-A and V-G and they were reused in several proof tasks.

In the proofs, a number of inductions were performed based on the recursive definitions of the encoding predicates and the path lengths under consideration. In each induction step, proof context was carefully modified to apply prepared lemmas; in some proofs, rewriting with the skipn expression and applying path splitting lemmas were useful.

A fair amount of LOCs were devoted to Lemma 1 as it required to perform a proof by contradiction and translation between loop paths and shorter paths (Sect. V-G).

The proofs for PDR (Sect. V-E and V-F) consisted of a number of case analyses and inductions; the split goals were discharged by applying sub-formulas of and . It was less often to describe paths explicitly in the proof contexts than the other methods and thus the resulting proofs became relatively small.

### Vi-C Use of Classical Logic

In the proof, we used several lemmas of the Classical_prop module. On the other hand, we tried to minimize the proofs that require those lemmas. As a result, we identified the two parts in the proofs: (i) the transformation into conjunctions at the front-end of each encoding method (e.g. from (3) to (4), from (6) to (8), etc.). (ii) the proof of Lemma 1. The other proofs were formalized without the use of classical logic.

We conjecture that the use of the law of excluded middle is essential in the parts (i) and (ii). In (ii), it was used to apply the law of double negation to perform a proof by contradiction, to obtain the contraposition of Eq. (17), and to decompose the negation of the loop_free clause.

## Vii Related Work

As far as we know, there has been no formally verified SMC tool. Issues in the SMC tools include the possibility of flaws in encoding methods and their implementations. Our tool demonstrates that a reliable SMC is possible by directly using a verified implementation. On the other hand, lack of certification for (especially “safe”) verification results becomes another issue [12, 11].

For generic model checking, there exist several verified tools. Sprenger [14] has formalized the modal -calculus and a dedicated model checker in Coq. Amjad [1] has proposed to embed a symbolic model checker with its underlying BDD within the HOL tool. More recently, Esparza et al. [9] have developed more practical and verified LTL model checker, which has been specified and verified in Isabelle/HOL and then extracted as an ML implementation. Wimmer and Lammich [15] have proposed a verified model checker based on timed automata, in which model checking with abstraction of continuous states has been formalized and verified. In those verification tasks, the correctness of model checking algorithms was verified by relating the outputs of algorithms and the semantics of properties. When compared to our work, formalization with state sequences and paths that considers lengths/shifting/splitting seems specific in our work. In the previous work except [9], the formalizations were based on the set of states and paths were not considered explicitly. In [9], paths were considered but operations seemed simpler than ours.

As a slightly different line of work, there have been methods that generate proof certifications from provers e.g. SAT/SMT solvers [2, 11] and model checkers [12]. They propose to verify a result computed by the provers by verifying the generated certificates on a theorem prover. Our purpose is different from those works but integration of our work with certification might enable constructive combined SMC and deduction.

## Viii Conclusions

We specified the SMC methods and formalized their soundness proofs on Coq. We consider that our result provides an example formal proof, which is not trivial to perform on a proof assistant like Coq. The specification of the SMC methods and the soundness proofs are available at https://github.com/dsksh/coq-smc/.

There are several future work directions. First, we can continue the verification task to obtain the formal correctness proof. A difficulty in the proof of completeness will be the formalization of properties such as “an infinite sequence of finite states should contain a loop.” We consider that it requires another effort in the development of the theory of paths. Second direction is to consider other SMC methods (including newly improved methods), target systems and properties, e.g. liveness properties and the -Liveness method (e.g. [7]). Otherwise, formalization of the encoding methods based on the bounded semantics [3] will be interesting. Third, a verification and extraction of a practical SMC tool will be valuable.

Acknowledgment. This work was partially funded by JSPS (KAKENHI 18K11240).

## References

• [1] H. Amjad (2003) Programming a Symbolic Model Checker in a Fully Expansive Theorem Prover. In TPHOLs, LNCS 2758, pp. 171–187. Cited by: §VII.
• [2] M. Armand, G. Faure, B. Grégoire, C. Keller, and B. Werner (2011) A Modular Integration of SAT/SMT Solvers to Coq through Proof Witnesses. In CPP, LNCS 7086, pp. 135–150. Cited by: §VII.
• [3] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu (1999) Symbolic Model Checking without BDDs. In TACAS, LNCS 1579, pp. 193–207. Cited by: §I, §II, §VIII, Example 1.
• [4] A. Biere and D. Kröning (2018) SAT-Based Model Checking. In Handbook of Model Checking, pp. 277–303. Cited by: §II.
• [5] M. Bozzano, R. Cavada, A. Cimatti, M. Dorigatti, A. Griggio, A. Mariotti, A. Micheli, S. Mover, M. Roveri, and S. Tonetta (2019) nuXmv 2.0.0 User Manual. Cited by: §II.
• [6] A. R. Bradley (2011) SAT-Based Model Checking Without Unrolling. In VMCAI, pp. 70–87. Cited by: §I, §II, §III-B, §V, §VI-B.
• [7] K. Claessen and N. Sorensson (2012) A liveness checking algorithm that counts. In FMCAD, pp. 52–59. Cited by: §I, §II, §VIII.
• [8] N. Een, A. Mishchenko, and R. Brayton (2011) Efficient implementation of property directed reachability. In FMCAD, pp. 125–134. External Links: ISBN 9781467308960 Cited by: §I, §II, §III-B.
• [9] J. Esparza, P. Lammich, R. Neumann, T. Nipkow, A. Schimpf, and J. Smaus (2013) A Fully Verified Executable LTL Model Checker. In CAV, LNCS 8044, pp. 463–478. Cited by: §VII.
• [10] K. L. McMillan (2003) Interpolation and SAT-Based Model Checking. In CAV, LNCS 2725, pp. 1–13. Cited by: §I, §II.
• [11] A. Mebsout and C. Tinelli (2016) Proof Certificates for SMT-based Model Checkers for Infinite-state Systems. In FMCAD, pp. 117–124. External Links: ISBN 9780983567868 Cited by: §II, §VII, §VII.
• [12] K. S. Namjoshi (2001) Certifying Model Checkers. In CAV, LNCS 2102, pp. 2–13. Cited by: §VII, §VII.
• [13] M. Sheeran, S. Singh, and G. Stålmarck (2000) Checking safety properties using induction and a SAT-solver. In FMCAD, LNCS 1954, pp. 127–144. Cited by: §I, §II, §III-A, §III-A, §V, §VI-B.
• [14] C. Sprenger (1998) A Verified Model Checker for the Modal mu-calculus in Coq. In TACAS, LNCS 1384, pp. 167–183. Cited by: §VII.
• [15] S. Wimmer and P. Lammich (2018) Verified Model Checking of Timed Automata. In TACAS, LNCS 10805, pp. 61–78. Cited by: §VII.