Bounded reachability of model programs

Model programs represent labeled transition systems and are used to specify expected behavior of systems at a high level of abstraction. Such programs are common as high-level executable specifications of complex protocols. Model programs typically use abstract data types such as sets and maps, and comprehensions to express complex state updates. Such models are mainly used in model-based testing as inputs for test case generation and as oracles during conformance testing. Correctness assumptions about the model itself are usually expressed through state invariants. An important problem is to validate the model prior to its use in the above-mentioned contexts. We introduce a technique of using Satisfiability Modulo Theories or SMT to perform bounded reachability of a fragment of model programs. We analyze the bounded reachability problem and prove decidability and undecidability results of restricted cases of this problem. We use the Z3 solver for our implementation and benchmarks, and we use AsmL as the modeling language. The translation from a model program into a verification condition of Z3 is incremental and involves selective quantifier instantiation of quantifiers that result from set comprehensions and bag axioms. This report subsumes part of the material in [41]. Part of this work was done during an internship at Microsoft Research, Redmond.