Light-Weight SMT-based Model Checking

Recently, the notion of an array-based system has been introduced as an abstraction of infinite state sys-tems (such as mutual exclusion protocols or sorting programs) which allows for model checking of invariant(safety) and recurrence (liveness) properties by Satisfiability Modulo Theories (SMT) techniques. Unfortu-nately, the use of quantified first-order formulae to describe sets of states makes fix-point checking extremelyexpensive. In this paper, we show how invariant properties for a sub-class of array-based systems can bemodel-checked by a backward reachability algorithm where the length of quantifier prefixes is efficientlycontrolled by suitable heuristics. We also present various refinements of the reachability algorithm thatallows it to be easily implemented in a client-server architecture, where a “light-weight” algorithm is theclient generating proof obligations for safety and fix-point checks and an SMT solver plays the role of theserver discharging the proof obligations. We also report on some encouraging preliminary experiments witha prototype implementation of our approach.