Integration of Quantifier Eliminator with Model Checker and. Compositional Reasoner. Hao Ren1, Member, IEEE, Matthew Clark2, and Ratnesh Kumar1, Fellow, ...
Integration of Quantifier Eliminator with Model Checker and Compositional Reasoner 1
Hao Ren1 , Member, IEEE, Matthew Clark2 , and Ratnesh Kumar1 , Fellow, IEEE Department of Electrical and Computer Engineering, Iowa State University, Ames, IA, 50011 USA 2 Air Force Research Lab., Wright-Patterson AFB, Dayton, OH, 45433 USA
Abstract— We present our work on integration of quantifier elimination (QE) technique with model checking and compositional verification. We begin by showing how quantifier elimination problems arise in these applications. In a k-induction based model checking approach, the verification problems of the base and inductive steps can be reduced to the QE problems in which all the variables are existentially quantified. It follows that a k-induction based model checker can be extended with QE tools to provide back-end solver options. Our implementation of integrating the QE tool Redlog with the model-checker JKind showed the successful resolution of a non-linear computation (emanating from a fuzzy logic operation) that the SMT-solver supported JKind was unable to resolve. Thus the QE tool provides a parallel option to the model-checker. The integrations of the QE tool Redlog with the model-checker JKind has been completed by us, and relies on writing the SMT-to-Redlog translator. On the other hand, in compositional verification, the goal is to prove a system level assume-guarantee style contract from the given component level contracts. The existing compositional verification tool AGREE tries to sequentially prove that each component’s assumption is satisfied by the system assumption and other components’ guarantees, following which the conjunction of all component contracts and system assumption is used to verify the system guarantee. In contrast, we propose a QE-based approach to derive, in a single step, the strongest system contract, from which any postulated system contract can be verified by performing a simple implication verification from the former to the later. We show how the compositional reasoner AGREE can be strengthened through its integration with the QE tool Redlog. We implemented our above approaches in a new prototype tool called ReLIC (Reduced Logic Inference for Composition) and demonstrated it through an illustrative example.
I. I NTRODUCTION Quantifier elimination (QE) is a powerful technique for gaining insight, through simplification, into problems involving logic expressions in various theories. QE is essentially a projection problem where a formula is projected to a lower dimension over only the free variables. For example, over the field of reals, ∃x(y > x2 ) is equivalent to y > 0 (since x2 can only be non-negative). A theory admits quantifier elimination if and only if for every formula in this theory, there is an equivalent quantifier-free formula. It has been proved that the real closed field and an extension of Presburger arithmetic (a linear theory of integers) both admit QE [1] [2]. This makes QE applicable to many real world applications. While Tarski [1] showed that the first-order logic over the real closed field admits quantifier elimination, it was Collins who in 1975, introduced the first implementable quantifier
elimination procedure, based on cylindrical algebraic decomposition (CAD) [3]. Over the pass few decades, the QE techniques and tools have undergone many improvements. Numerous efforts made along the way have led to some general understanding and directions. On one hand, it has been understood that QE is inherently difficult or even impossible for general problems. On the other hand, attention, turned to special procedures for restricted problem classes, has resulted in some advanced QE procedures, documented in tools such as Mathematica, Redlog and Qecad. For example Redlog, implements virtual substitution [4] [5] and partial CAD [6] algorithms, that work for formulas where the degrees of the quantified variables are small. In this paper, we reduce a class of formal verification problems that arise in cyber-physical domain to QE problems. To start, we consider the bounded model checking and k-induction verification scheme [7] [8] [9], implemented as JKind [10] and used to verify invariant properties of programs written in the specification/modeling language Lustre [11]. Under this scheme, to prove a transition system S satisfies some invariant property φ, one needs to prove the base case and the inductive case for some k. If any state reachable from the initial states of S within k steps satisfies φ, as well as any transition of S preserves the property φ (meaning if φ holds in every state of a set of k-step reachable states, then it also holds among their one-step successors), then S is concluded to satisfy φ. Otherwise, k is incremented, and the process repeated. For each step, the verification of the base (or inductive) case can be reduced to an instance of an SMT (Satisfiability Modulo Theory) [12] problem, namely a first-order logic formula. This in turn makes the technique of SMT solving essential for this scheme. Apart from the SMT solvers, QE tools are also capable of solving SMT problems since checking the satisfiability of a formula φ(x1 , . . . , xn ) in n-variables is equivalent to checking whether or not ∃x1 . . . ∃xn φ(x1 , . . . , xn ) = true. Thus in the SMT solving domain, the capability of SMT solvers and QE solvers overlap in general, yet vary depending on the algorithms they employ and the theories they support. The accumulated experimental data provided in [13] has shown that Redlog along with other QE tools can have advantage over SMT solvers like z3, iSAT, cvc3, specially for nonlinear arithmetics, with respect to the running times, and the range of problems they can solve. We have implemented the integration of Redlog with JKind [10], a model checker
that adopts k-induction and uses SMT solvers at the backend, to be able to provide an alternative option for SMTsolving and thereby enhance JKind’s ability of checking properties that may involve nonlinear dynamics. Another area where we successfully imported QE technique is compositional reasoning. Compositional verification techniques are used to cope with state-explosion in concurrent systems. The strategy of divide-and-conquer is essentially at work for example when one derives the global properties of a complex system from the properties of its components. Each component is annotated with an assumeguarantee (A-G) style contract established during its development process. Suppose a system S is composed of n components. The contract formula of the ith component can be expressed as Ai ⇒ Gi where Ai (the “assumption”), Gi (it’s guarantee) are both expressed by formulas over the set of component input/output variables. Then the set of all the system behaviors is constrained by the conjunction of Vn all the components’ contracts i=1 (Ai ⇒ Gi ). Under these contracts, the strongest property, that can be claimed that the system satisfies, can be obtained by applying the QE process on Vn a quantified formula obtained from the conjunction of i=1 (Ai ⇒ Gi ) with the additional constraints resulting from the connectivity of the components, and with all the variables internal to the system being existentially quantified. Then to check whether a system satisfies a postulated property, one only needs to check if the postulated property is implied by the aforementioned strongest system property. This in itself can be cast as a QE problem. We have realized this QE-based compositional verification approach via the integration of Redlog with AGREE [14] [15] [16] — a compositional, assume-guarantee style specifier and analyzer for a system and its components described in the modeling framework of AADL [19]. Section 2 describes the integration of Redlog with JKind. Section 3 describes our prototype tool ReLIC based on the integration of Redlog with AGREE. Both Sections 2 and 3 give application examples that show an improvement in the performance of the said tools due to the incorporation of the QE technique. Finally, the conclusion and future work are discussed in Section 4.
inductive conditions hold in L for some k ∈ Z≥1 and for any n ∈ Z≥0 : Vk−1 • I(x0 )∧T (x0 , x1 )∧· · ·∧T (xk−2 , xk−1 ) ⇒ i=0 φ(xi ); Vn+k−1 Vn+k−1 • T (x , x ) ∧ φ(x ) ⇒ φ(x i i+1 i n+k ). i=n i=n The first condition checks the base case that φ(x) is satisfied at each step from the initial state of S for k steps. Any violation of this condition suggests a concrete counterexample that falsifies the property φ. The second condition describes the inductive case, which asserts that if φ holds at each state along a k-step trace, then φ also holds at the state reached in k + 1 steps. A counterexample trace for the inductive step does not necessarily guarantee a concrete counterexample because it may start from an unreachable state of S. In order to prove the invariance of φ, the base and inductive cases must be true for some k. Hence a normal way of a k-induction proof starts with k = 0, and increments k as necessary to rule out any spurious counterexamples generated in an induction case. k-induction doesn’t guarantee termination for general cases (the problem in general is undecidable), so an a priori bound on k needs to be specified to prevent the proof from entering into an infinite loop. Fig. 1 illustrates the general architecture of JKind. It takes, as input, a Lustre based description, containing system model and properties to be checked, and spawns three processes, respectively for base case, inductive case and invariant generation case. The invariant generation case tries to prove some candidate invariants from pre-defined templates in parallel, that could be used to facilitate the inductive proof by strengthening their hypotheses. Each process interacts with its own copy of an SMT solver at the back end. All three processes are coordinated under a director, exchanging messages asynchronously. The SMT results are interpreted to produce the verification output.
II. I NTEGRATION OF R E D L O G WITH JK I N D A. Background on k-induction and JKind JKind [10], developed by Rockwell Collins, is an implementation based on a precursor tool Kind [9], a model checker developed at the University of Iowa, to make the later platform independent and easily integratable into Javabased tools. JKind supports bounded model checking using k-induction proofs on transition systems described in Lustre [11]. k-induction is defined as the following [7] [9]: Definition 1: Consider a logic L and transition system S specified in that logic by an initial state condition I(x) and transition relation T (x, x0 ), where x, x0 are state variable vectors. A state property φ(x) is invariant for S, i.e., satisfied by every reachable state of S, if the following base and
Fig. 1.
JKind architecture.
B. Reduce from SMT to QE Formally speaking, an SMT instance is a formula in a firstorder logic, where the function and predicate symbols have certain interpretations, and the problem is to check whether such a formula is satisfiable. A formula φ(x1 , . . . xn ), with x1 . . . xm as unquantified free variables, is satisfiable if and only if there exists an assignment of the free variables that makes the formula evaluate to true. In the QE domain, the
same can be expressed as ∃x0 . . . xm φ(x1 , . . . xn ): When all the variables in φ(x1 , . . . xn ) are quantified, the equivalent quantifier-free formula that QE process returns is simply true or f alse. In case of the former, a satisfiable assignment of (x1 , . . . , xn ) is also returned. State-of-art SMT solvers such as z3 [17] that are commonly used in the formal methods community, support linear/non-linear arithmetic in mixed integer/real domain and also support various data structures such as lists, arrays, bit vectors etc. Redlog, on the other hand, works with interpreted first-order logic in contrast to free first-order logic. Each first-order formula in Redlog must exclusively contain atoms from one particular Redlog-supported domain, which determines the choice of admissible functions and relations with specified semantics. Redlog-supported domains include non-linear real arithmetic (Tarski Algebra), Presburger arithmetic, parametric quantified Boolean formulas, and more. We have developed a translator, namely S2RTool, implemented using the front-end parser generated by Antlr v4 [18], and a back-end interpretor written in Java. S2RTool translates SMT-Lib 2.0 input format to Redlog input format, enabling the JKind director in Fig. 1 to be reprogrammed to redirect the input .smt2 files for SMT to Redlog in form of translated .txt or .red files, along each process, as shown in Fig. 2. The dotted arrows denote the redirected data flow after integration of JKind with Redlog, whereas the solid arrows denote the original flow.
Fig. 2.
Data redirection of each process in Redlog-integrated JKind.
A simple comparison example of z3 vs. Redlog inputs is shown in Fig. 3. The translator S2RTool is developed in Java, and has the following features/capabilities: • Identifying and existentially quantifying the unquantified variables from the SMT input. • Converting the prefix formatted SMT formulas into infix formated ones for Redlog, e.g., (≥ a b) ≡ (a ≥ b). • Interpreting the sub-formula containing the conditional operator ite (if-then-else) adopted by SMT, into equivalent logic formulas recognizable in Redlog without introducing extra variable, e.g., (ite a b c) ≡ (a ∧ b) ∧ (¬a ∧ c). • Dealing with mixed domain specifications to the extent possible. For the case of real/integer mixed variables, if the integer variables are in bounded ranges, e.g., Boolean, then the problem is mapped to real domain as follows: for each integer variable x, we append
Wn with the formula i=1 x = vi , where {v1 , . . . , vn } is the set of enumeration of the values of x. For the case of general real/integer mixed variables, where an integer variable cannot be finitely enumerated, we solve the over-approximation problem with the same variable but interpreted in real domain. Thus a f alse result of the over-approximation implies the f alse result of the original problem. On the other hand, in a true case, if the assignment of x happens to be an integer, this particular assignment is accepted for the original problem. Otherwise if the assignment of x is not an integer, we simply report unknown.
Fig. 3.
z3 vs. Redlog.
C. Experimental result We have successfully employed the Redlog-integrated JKind on many Lustre programs including a fuzzy logic model involving non-linear computations. The fuzzy logic model contains 54 different modes, and where a main program selects the correct mode depending on the conditions satisfied by 4 different inputs. Each mode invokes a call to a corresponding sub-program computing a specified 4th order non-linear polynomial to arrive at the result. The input/state/output variables are defined in real domain except the mode selection variable N is an integer that varies from 1 to 54. For example, if the input satisfies the condition for the mode N = 1, the following non-linear polynomial is executed: (−2.22222) ∗ x1in + (−2.00000) ∗ x2in + (−4.00000) ∗ x3in + (10.00000) ∗ x4in + (8.88889) ∗ x1in ∗ x2in + (7.40741) ∗ x1in ∗ x3in + (59.25926) ∗ x1in ∗ x4in + (12.00000) ∗ x2in ∗ x3in + (32.00000) ∗ x2in ∗ x4in + (40.00000) ∗ x3in ∗ x4in + (−59.25926) ∗ x1in ∗ x2in ∗ x3in + (−177.77778) ∗ x1in ∗ x2in ∗ x4in + (−74.07407) ∗ x1in ∗ x3in ∗ x4in + (−240.00000) ∗ x2in ∗ x3in ∗ x4in + (888.88889) ∗ x1in ∗ x2in ∗ x3in ∗ x4in + (1.00000). The Lustre program of the fuzzy logic model contains two properties to be verified, including checking whether the fuzzy logic output remains bounded by 1 in magnitude. SMTbased JKind is unable to resolve this problem for the fact that z3 fails to terminate. On the other hand, QE-integrated JKind proves one property as valid and the other property as invalid, reporting a concrete counterexample in less then 16 seconds on a standard laptop, during which each query to Redlog spends less than 1 second. The log of QE-integrated JKind execution is shown in Fig. 4.
The system level verification condition demonstrates that the system guarantees follow from the system assumptions and the guarantees of each subcomponent, which is essentially an expansion of the overall goal. AGREE uses JKind as its back-end model checker for proving these conditions, while it itself exists as a plug-in tool within the open-source Eclipse-based platform OSATE2 [23] that supports AADL v2. The architecture of AGREE within OSATE2 is shown in Fig. 5.
Fig. 4.
Verification of a fuzzy logic model using QE-integrated JKind. Fig. 5.
Architecture of AGREE plug-in within OSATE2 platform.
III. I NTEGRATION OF R E D L O G WITH AGREE A. Background on compositional verification and AGREE The component-based compositional design paradigm emphasizes the separation of concerns with respect to the system design through a modular and reuse based paradigm for defining, implementing and composing components into systems. Under the assume-guarantee compositional paradigm [20] [21] [22], a module (component/system) contract is specified by a pair (A, G), where A and G are first-order logic formulas: G describes the guaranteed behavior of the module while A describes the assumed behavior of the environment with which the module interacts. The contract expresses the property (A ⇒ G). One aspect of compositional verification aims to derive the system contract from the contracts of the components together with their interactions through shared variables or event-synchronizations, and without reference to any of the component models. For example, in a simple case where two components connect in a cascade composition, where their input/output properties are described by formulas [u1 ≥ 0] ⇒ [y1 ≥ 0] and [u2 ≥ 0] ⇒ [y2 ≥ 0], respectively, where "u and y" denote input and output variables, and where owing to cascade, u2 = y1 , then it is easy to see that the cascaded system satisfies the property [u1 ≥ 0] ⇒ [y2 ≥ 0]. AGREE is a compositional reasoning tool for component and system architecture described in AADL [19]. While the architecture is described in AADL, the properties in assumeguarantee style are specified within the AGREE annex. In [16], the authors of AGREE mention that for a system with n components there are n + 1 verification conditions: one for each component and one for the system as a whole. The component verification conditions establish that the assumptions of each component are implied by the system level assumptions and the guarantees of its parent components.
B. QE-based compositional verification Consider a system S composed of N components. Let X := {x1 , . . . , xn } be the set of all the variables in S, Xint := {x1 , . . . , xm }, m ≤ n be the set of internal variables, Xsys := {xm+1 , . . . , xn } be the set of system level variables, and C := {(p, q) | xp and xq are variables of connected ports in S} be the set of connectivity relation. Suppose the ith component’s property is described by contract (Ai , Gi ) in first-order logic. We next define the strongest system property and present a proposition regarding. Definition 2: The strongest system property is the system property that implies any other system properties established upon the given constraints of component properties and their connectivity. Proposition 1: The strongest system property, established upon the component contracts and connectivity relation of system S described above is ∃x1 . . . ∃xm
N �^
(Ai ⇒ Gi ) ∧
i=1
^
� (xp = xq ) .
(1)
(p,q)∈C
Proof: We prove this proposition by proving (1) is a system property and it implies any other system property. First, let V denote the valid signal (input or output) values over X, Vsys denote the set of valid signal values over Xsys . By definition, Vsys is the projection of V from n to n − m dimensions. For any system level signal value ~vsys = {vm+1 , . . . , vn } ∈ Vsys , it must correspond to a component level signal value ~v = {v1 , . . . , vn } ∈ V . Meanwhile, ~v ∈ V must satisfy: N �^
(Ai ⇒ Gi ) ∧
i=1
^ (p,q)∈C
� (xp = xq )
~ x=~ v
= true,
(2)
where (2) simply states that a valid signal value must comply with the components contracts and the connectivity relation. Therefore when ~xsys = ~vsys , we have ~vint = {v1 , . . . , vm } that makes the following formula true: N �^
^
(Ai ⇒ Gi ) ∧
i=1
� (xp = xq )
(p,q)∈C
.
~ xsys =~ vsys
(3)
As a result, we have: ~vsys |= ∃x1 . . . ∃xm
N �^
(Ai ⇒ Gi ) ∧
i=1
^
� (xp = xq ) .
C. Experimental result Fig. 7 shows an illustrative model example [24], that we denote as system S. It is composed of three components, the architecture (components and connectivity) of which is specified in an .aadl file. The assume-guarantee style component contracts for the components A, B, C and postulated system S contract are listed as follows: • ContractA : (InA < 20) ⇒ (OutA < 2 ∗ InA ); • ContractB : (InB < 20) ⇒ (OutB < InB + 15); • ContractC : true ⇒ (OutC = InC _1 + InC _2); • ContractS : (InS < 10) ⇒ (OutS < 50).
(p,q)∈C
(4) (4) suggests that any system level signal value satisfies (1), i.e., (1) is indeed a system property. Secondly, to show that (1) is also the strongest system property, assume φ0 is some given system property of S. For any ~vsys that does not satisfies φ0 , ~vsys ∈ / Vsys by definition. We need to show that ~vsys 6|= (1). Otherwise, we can find v1 , . . . , vm that together with ~vsys forms a valid signal value in V . Since Vsys is the projection on xm+1 , . . . , xn , we can conclude that ~vsys ∈ Vsys arriving at a contradiction. In summary, any signal value that violates φ0 , also violates (1), alternatively speaking, (1) ⇒ φ0 , as desired. Through the Proposition 1, we have shown that property composition, in a component-based compositional design paradigm, is essentially a problem of quantifier elimination. Based on this insight, we have enhanced AGREE with a two-step QE-based compositional verification functionality. The first step is to generate the strongest system property, through a QE process of the form (1), obtained from component contracts and connectivity relation. The strongest system property upon quantifier elimination, denoted φ∗ , contains only the system level externally observable variables (signals). The second step is to check if φ∗ implies any postulated property φ0 that also contains only system level observable variables. We can employ yet another QE process to reduce ∀xm+1 . . . ∀xn (φ∗ ⇒ φ0 ) to true or f alse. In our prototype tool ReLIC (Reduced Logic Inference for Composition) based on Redlog-integrated AGREE, the AADL architecture description and the contracts specified in the AGREE annex are abstracted and further formulated into a QE problem in the Redlog input format. Redlog acts as a back-end solver and interacts with AGREE as shown in Fig. 6. This figure also shows that the data flow of ReLIC completely bypasses JKind, removing the multi-step proof required under the AGREE’s model-checking based scheme.
Fig. 6. Data flow of compositional verification in ReLIC through Redlog.
Fig. 7.
A toy model graphical architecture, modified from [24].
ReLIC can be executed by the AGREE menu button “Verify Composed Contract” as in Fig. 8. Fig. 9(a) shows the verification result of the example interpreted in real domain, where the strongest system property is output to the OSATE2 console as in Fig. 9(b). The strongest property corresponds to (InS ≤ 10) ⇒ (OutS < 4 ∗ InS + 15), and is easily seen to not imply the postulated property ContractS , e.g., when (InS , OutS ) is assigned the values (9, 50). A counterexample reported by Redlog is shown in Fig. 9(c). Note that the Redlog counterexample may contain constants named infinity or epsilon, each indexed by a number: All infinity’s are positive infinite, and all epsilon’s are positive infinitesimal with respect to the underlying field.
Fig. 8.
Execute AGREE command in OSATE2.
On the other hand, the verification in integer domain returns a true result and the corresponding strongest system property is shown in the Fig. 9(d)-(e). Here cong(p1 , p2 , p3 ) is a Redlog representation of congruences with the nonparametric modulus given by the third argument. In contrast to the real domain, the strongest system property in the integer domain is more stringent and corresponds to InS ≤ 10) ⇒ (Outs ≤ 4∗Ins +12), which is easily shown to imply the postulated property. In both cases, the entire verification process is performed within 1 second on a standard laptop.
(a) Verification result in real domain.
compositional reasoner AGREE), thus improving the efficiency of compositional reasoning. Apart form the integration of QE to enhance the existing formal verification tools, in future we will also work towards extending the scope of the QE techniques, thereby broadening their class of formal analysis applications. ACKNOWLEDGEMENT
(b) The strongest system property derived in real domain.
(c) Counterexample in real domain.
The authors would like to acknowledge the helpful inputs from the Rockwell Collins developers Andrew Gacek, John Backes, and Lucas Wagner on their tools JKind and AGREE. Andrew also suggested using Antlr for generating a parser for SMT Lib 2.0. We would also like to thank the developers of Redlog — that tool was obtained from their site: http://www.redlog.eu/get-redlog/. The fuzzy logic example of Section 2 was provided by Timothy Arnett of Univ. of Cincinnati. The research was supported in part by the National Science Foundation under the grants NSF-CCF-1331390, NSFECCS1509420, and NSF-IIP-1602089. R EFERENCES
(d) Verification result in integer domain.
(e) The strongest system property derived in integer domain. Fig. 9.
ReLIC verification results on the toy model.
IV. C ONCLUSION Quantifier elimination techniques and tools have undergone steady improvement in the past decades. We showed that a class of formal verification problems can be reduced to QE problems. Thereby, the QE tools provide options to extend the existing verification tools. In order to take advantage of the QE process’s ability of solving the satisfiability problem over first-order logic, we integrated a QE solver Redlog as a back-end solver, in parallel with the SMT solvers, for the k-induction based model checker JKind, enhancing the later’s capability to handle nonlinear dynamics and properties. Our QE-integrated JKind was able to solve a fuzzy logic problem involving non-linear computation efficiently, whereas the SMT-integrated version failed to terminate. We also imported the QE techniques and tools into compositional verification, that yielded a QE-integrated compositional reasoner ReLIC. The QE process is used to derive the strongest system property from components contracts and their connectivity in the assume-guarantee paradigm. This simplifies the compositional verification over first-order logic into two fixed steps (independent of the number of components, which was the case with the current
[1] A. Tarski. A decision method for elementary algebra and geometry. Springer, Vienna, 1998. [2] H. B. Enderton. A mathematical introduction to logic, second edition. Academic Press, 2001, page 188. [3] G. E. Collins. Quantifier elimination for the elementary theory of real closed fields by cylindrical algebraic decomposition. Automata Theory and Formal Languages, Berlin, Heidelberg, May 1975, pages 134-183. [4] V. Weispfenning. The complexity of linear problems in fields. Journal of Symbolic Computation, 5(1), Feb., 1988, pages 3–27. [5] V. Weispfenning. The complexity of almost linear diophantine problems. Journal of Symbolic Computation, 10(5), Nov., 1990. [6] G. E. Collins, H. Hong. Partial cylindrical algebraic decomposition for quantifier elimination. Journal of Symbolic Computation, 12(3), Sep., 1991, pages 299-328. [7] M. Sheeran, S. Singh, G. Stålmarck. Checking safety properties using induction and a SAT-solver. FMCAD, 2000. [8] N. Eén, N. Sörensson. Temporal induction by incremental SAT solving. Electr. Notes Theor. Comput. Sci. 89, 2003. [9] T. Kahsai, C. Tinelli. PKind: A parallel k-induction based model checker. ArXiv, 2011. [10] http://loonwerks.com/tools/jkind.html [11] N. Halbwachs, P. Caspi, P. Raymond, D. Pilaud. The synchronous dataflow programming language Lustre. Proceedings of the IEEE 79(9), 1991, pages 1305–1320. [12] C. W. Barrett, R. Sebastiani, S. A. Seshia, C. Tinelli. Satisfiability modulo theories. Handbook of Satisfiability, 2009, pages 825–885. [13] D. Jovanovic, L. de Moura. Solving non-linear arithmetic.CADE, 2012. [14] http://loonwerks.com/tools/agree.html [15] A. Gacek, A. Katis, M. Whalen, J. Backes, D. Cofer. Towards realizability checking of contracts using theories. NFM, 2015. [16] D. Cofer, A. Gacek, S. Miller, M. Whalen, B. LaValley, L. Sha. Compositional verification of architectural models. NFM, 2012. [17] https://github.com/Z3Prover/z3 [18] http://www.antlr.org/ [19] SAE-AS5506: Architecture Analysis and Design Language. SAE, 2004. [20] T. A. Henzinger, M. Minea, V. Prabhu. Assume-guarantee reasoning for hierarchical hybrid systems. HYBRID, 2001. [21] M. Emmi, D. Giannakopoulou, C. S. Pasareanu. Assume-guarantee verification for interface automata. FM, 2008. [22] S. Quinton, S. Graf. Contract-based verification of hierarchical systems of components. SEFM, 2008. [23] http://osate.github.io/ [24] A. Gacek, J. Backes, M. Whalen, D. Cofer. AGREE users guide, v0.4, 2013.
