# **Getting Started with Uclid5**

Pramod Subramanyan, Sanjit A. Seshia \* {spramod, sseshia}@eecs.berkeley.edu

November 2021

<sup>\*</sup>with contributions from Demetris Christodoulou, Kevin Cheang, Federico Mora and Elizabeth Polgreen

## **Contents**

| 1. | Introduction                 |         |                                         |           |  |  |  |  |  |
|----|------------------------------|---------|-----------------------------------------|-----------|--|--|--|--|--|
|    | 1.1.                         | Gettin  | g Started: A Simple UCLID5 Model        | 5         |  |  |  |  |  |
|    | 1.2.                         | Install | ing Uclid5                              | 7         |  |  |  |  |  |
|    |                              | 1.2.1.  | Prerequisites                           | 7         |  |  |  |  |  |
|    |                              | 1.2.2.  | Detailed Installation Instructions      | 8         |  |  |  |  |  |
|    |                              | 1.2.3.  | Running UCLID5                          | 8         |  |  |  |  |  |
|    | 1.3.                         | Lookir  | ng Forward                              | 9         |  |  |  |  |  |
| 2. | Basics: Types and Statements |         |                                         |           |  |  |  |  |  |
|    | 2.1.                         |         |                                         | 10        |  |  |  |  |  |
|    | 2.2.                         | Staten  | nents in UCLID5                         | 12        |  |  |  |  |  |
|    |                              | 2.2.1.  | Parallel vs. Procedural Assignments     | 12        |  |  |  |  |  |
|    |                              | 2.2.2.  | Procedures                              | 13        |  |  |  |  |  |
|    |                              | 2.2.3.  | Macro Definitions                       | 14        |  |  |  |  |  |
|    |                              | 2.2.4.  | For Loops                               | 14        |  |  |  |  |  |
|    |                              | 2.2.5.  | If and Case Statements                  | 14        |  |  |  |  |  |
|    |                              | 2.2.6.  | •                                       | 15        |  |  |  |  |  |
|    |                              | 2.2.7.  | Quantifiers                             | 15        |  |  |  |  |  |
|    | 2.3.                         | An Illu | strative Example                        | 15        |  |  |  |  |  |
|    |                              | 2.3.1.  | Initialization                          | 15        |  |  |  |  |  |
|    |                              | 2.3.2.  | Next State Computation                  | 15        |  |  |  |  |  |
|    |                              | 2.3.3.  | Verification                            | 15        |  |  |  |  |  |
|    |                              | 2.3.4.  | Running UCLID5                          | 16        |  |  |  |  |  |
| 3. |                              |         | G G G G G G G G G G G G G G G G G G G   | <b>17</b> |  |  |  |  |  |
|    | 3.1.                         | Comm    | on Type Definitions Across Modules      | 17        |  |  |  |  |  |
|    | 3.2.                         | Uninte  | erpreted Functions and Types            | ۱7        |  |  |  |  |  |
|    |                              | 3.2.1.  | Uninterpreted Types                     | 20        |  |  |  |  |  |
|    |                              | 3.2.2.  | Uninterpreted Functions                 | 20        |  |  |  |  |  |
|    | 3.3.                         |         | 9                                       | 20        |  |  |  |  |  |
|    |                              | 3.3.1.  | Accessing Members of Instances          | 20        |  |  |  |  |  |
|    | 3.4.                         | Runni   | ng Uclid5                               | 20        |  |  |  |  |  |
| 4. | Verification Techniques 2    |         |                                         |           |  |  |  |  |  |
|    | 4.1.                         | Induct  | ive Proofs                              | 22        |  |  |  |  |  |
|    |                              | 4.1.1.  | Debugging Counterexamples               | 23        |  |  |  |  |  |
|    |                              | 4.1.2.  | Inductive Proof for the Fibonacci Model | 2.4       |  |  |  |  |  |

### Contents

|    |      | 4.1.3. Exercise: Inductive Proof of CPU model | 6 |
|----|------|-----------------------------------------------|---|
|    | 4.2. | Bounded Model Checking                        | б |
|    |      | 4.2.1. Embedded assume and assert statements  | б |
|    |      | 4.2.2. Running UCLID5                         | 8 |
|    | 4.3. | Specifications in Linear Temporal Logic       | 8 |
|    |      | 4.3.1. Running UCLID5                         | 8 |
|    | 4.4. | Correspondence/Simulation Checking            | O |
|    | 4.5. | Verifying Two-Safety Properties               | б |
|    | 4.6. | Synthesis                                     | 9 |
| Α. | Арр  | endix: Uclid5 Grammar 4/                      | 2 |
|    | A.1. | Grammar of Modules and Declarations           | 2 |
|    | A.2. | Statement Grammar                             | 4 |
|    | A.3. | Expression Grammar                            | б |
|    | A.4. | Types                                         | 7 |
|    | A.5. | Control Block                                 | 8 |
|    | A.6. | Miscellaneous Nonterminals                    | 8 |

# List of Uclid5 Examples

| 1.1. | A UCLID5 model that computes the Fibonacci sequence        | 6  |
|------|------------------------------------------------------------|----|
| 2.1. | Model of a simple ALU                                      | 11 |
| 3.1. | Module common of the CPU model                             | 17 |
| 3.2. | The cpu module in the CPU model                            | 18 |
| 3.3. | Module main in the CPU model                               | 19 |
| 4.1. | UCLID5 Fibonacci model using induction in the proof script | 22 |
| 4.2. | UCLID5 Fibonacci model with induction and print_cex        | 23 |
| 4.3. | Inductive proof for the Fibonacci model                    | 25 |
| 4.4. | Revisiting the Fibonacci model from Example 1.1            | 27 |
| 4.5. | Example of using LTL specifications in UCLID5              | 29 |
| 4.6. | UCLID5 Fibonacci model using synthesis function            | 40 |

## 1. Introduction

UCLID5 is a software toolkit for the formal modeling, specification, verification, and synthesis of computational systems. The UCLID5 toolchain aims to:

- 1. Enable compositional (modular) modeling of finite and infinite state transition systems across a range of concurrency models and background logical theories;
- 2. Verification of a range of properties, including assertions, invariants, and temporal properties, and
- 3. Integrate modeling and verification with algorithmic and inductive synthesis.

UCLID5 draws inspiration from the earlier UCLID system for modeling and verification of systems [1, 4], in particular the idea of modeling concurrent systems in first-order logic with a range of background theories, and the use of proof scripts within the model. However, the UCLID5 modeling language and verification capabilities go beyond the original modeling language, and the planned integration with synthesis is novel.

This document serves as introduction to the UCLID5 modeling language and toolchain. With the UCLID5 system under active development, we expect this document to undergo several changes as the system and its applications evolve.

## 1.1. Getting Started: A Simple Uclid5 Model

A simple UCLID5 module that computes the Fibonacci sequence is shown in Example 1.1. We will now walk through each line in this model to understand the basics of UCLID5.

The top-level syntactic structure in UCLID5 is a module. All modeling, verification and synthesis code in UCLID5 is contained within modules. In Example 1.1, we have defined one module named main. This module starts on line 1 and ends on line 18. The module can be conceptually split into three parts: a system model, a specification and proof script.

In the example, these three conceptual parts are also kept separate in the code.<sup>1</sup> The following subsections will describe each of these sections of the module.

<sup>&</sup>lt;sup>1</sup>This is not required by UCLID5 syntax, as invariant declarations and assumptions can be interleaved with init, next, var declarations as well other types of declarations. However, keeping these conceptually different parts separate is good design practice. UCLID5 does require that if a control block is specified, then it is the very last element of a module.

```
module main {
    // Part 1: System description.
    var a, b : integer;
    init {
      a = 0;
      b = 1;
9
    next {
10
      a', b' = b, a + b;
11
12
    // Part 2: System specification.
13
14
    invariant a_le_b: a <= b;</pre>
15
    // Part 3: Proof script.
16
    control {
      bmc (3);
18
19
       check;
20
       print_results;
21
22
```

Example 1.1.: A UCLID5 model that computes the Fibonacci sequence

### The System Model

This part of a UCLID5 module describes the functionality of the transition system that is being modeled: it tells us what the system does.

The first item of interest within the module main are *state variables*. These are declared using the var keyword. The module main declares two state variables: a and b on line 3. These are both of type integer, which corresponds to mathematical integers.<sup>2</sup>

The init block appears next and spans lines 5 to 8. It defines the initial values of the state variables in the module. The notation a' refers to the value of the state variable a at the end of the current "step", which in this case refers to initial state. The model is specifying that after the init block is executed, a and b have the values 0 and 1 respectively.

The next block appears after this and it defines the transition relation of the module. In the figure, the next statement spans from lines 9 to 11; a is assigned to the (old) value of b, while b is assigned to the value a + b.

### The System Specification

The specification answers the question: what is the system supposed to do?.

<sup>&</sup>lt;sup>2</sup>Mathematical integer types, as opposed to the machine integer types present in languages like C/C++ and Java, do not have a fixed bit-width and do not overflow.

#### 1. Introduction

In our example, we have a single invariant that comprises that entire specification. Line 14 defines this invariant. It is named a\_le\_b and as the name suggests, it states that a must be less than or equal to b for every reachable state of the system.

### The Proof Script

The third and final part of the UCLID5 module is a set of commands to the UCLID5 verification engine. These tell how we should go about proving<sup>3</sup> that the system satisfies its specification.

The proof script is contained within the control block. The commands here execute the system for 3 steps and check whether all of the systems properties (in this case, we only have one invariant: a le b) are satisfied for each of these steps.

The command bmc executes the system for 3 steps. This execution generates four proof obligations. These proof obligations ask whether the system satisfies the invariant a\_le\_b in the initial state and in each of the 3 states reached next. The check command checks whether these proof obligations are satisfied and the print\_results prints out the results of these checks.

### 1.2. Installing Uclid5

Public releases of the UCLID5 can be obtained at: https://github.com/uclid-org/uclid/releases. For the impatient, the short version of the installation instructions is: download the archive with the latest release, unzip the archive and add the 'bin/' subdirectory to your PATH.

More detailed instructions for installation are as follows.

### 1.2.1. Prerequisites

UCLID5 has two prerequisites.

- UCLID5 requires that the Java<sup>™</sup> Runtime Environment be installed on your machine. You can download the latest Java Runtime Environment for your platform from https://www.java.com.
- 2. UCLID5 uses the Z3 SMT solver. You can install Z3 from: https://github.com/Z3Prover/z3/releases. Make sure the 'z3' or 'z3.exe' binary is in your path after Z3 installed. Also make sure, the shared libraries for libz3 and libz3java are in the dynamic library load path (LD\_LIBRARY\_PATH on Unix-like systems).

UCLID5 has been tested with Java<sup>TM</sup> SE Runtime Environment version 1.8.0 and Z3 versions 4.5.1 and 4.6.0.

<sup>&</sup>lt;sup>3</sup>We are using a broad definition of the word "prove" here to refer to any systematic method that gives us assurance that the specification is satisfied.

### 1.2.2. Detailed Installation Instructions

First, down the platform independent package from https://github.com/uclid-org/uclid/releases.

Next, follow these instructions which are provided for the bash shell running on a Unix-like platform. Operations for Micosoft Windows, or a different shell should be similar.

• Unzip the archive.

```
$ unzip uclid-0.9.5.zip.
```

• Add the uclid binary to your path.

```
$ export PATH=$PATH:$PWD/uclid-0.9.5/bin/
```

• Check that the uclid works.

```
$ uclid
```

This should produce output similar to the following.

```
$ uclid

Usage: uclid [options] filename [filenames]
Options:
    -h/--help : This message.
    -m/--main : Set the main module.
    -d/--debug : Debug options.

Error : Unable to find main module.
```

### 1.2.3. Running Uclid5

Invoke UCLID5 on a model is easy. Just run the uclid binary and provide a list of files containing the model as a command-line argument. When invoked, UCLID5 will parse each of these files and look for a module named main among them. It will execute the commands in the main module's control block. The --main command line argument can be used to specify a different name for the "main" module. Note only the main module's control blocks will be executed, even if the main module instantiates other modules with control blocks. If no main module is found, UCLID5 will exit with an error, as we saw in the previous section when uclid was invoked without arguments.

Example 1.1 is part of the UCLID5 distribution in the examples/tutorial/ sub-directory. You can run UCLID5 on this model as:

```
$ uclid examples/tutorial/ex1.1-fib-model.ucl
```

This should produce the following output.

### 1. Introduction

```
Successfully parsed 1 and instantiated 1 module(s).
4 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

## 1.3. Looking Forward

This chapter has provided an brief overview of UCLID5's features and toolchain. The rest of this tutorial will take a more detailed looked at more of UCLID5's features.

## 2. Basics: Types and Statements

This chapter will provide an overview of UCLID5's type system and modelling features. Let us start with Example 2.1, a model of a simple arithmetic logic unit (ALU).

## 2.1. Types in Uclid5

Types supported by UCLID5 are of the following kinds:

- 1. integer: the type of mathematical integers.
- 2. boolean: the Boolean type. This type has two values: true and false.
- 3. by W: The family of bit-vector types parameterized by their width (W).
- 4. enum: enumerated types.
- 5. Float types: Support fp(a)\_(b), which is defined as float numbers with an a bit exponent and b bit significant and 1 sign bit. Also, half,single,double are supported.
- 6. Tuples and records.
- 7. Array types.
- 8. Uninterpreted types.
- 9. Groups: A finite group of variables of a single type. Groups are not modifiable once declared, i.e., they are a static size.

An enumerated type is used in line 2 of Example 2.1. This declares a *type synonym*: cmd\_t is an alias for the enumerated type consisting of three values: add, sub and mov imm. The input cmd is then declared to be of type cmd t on line 6.

The input valid is of type boolean. Register indices r1 and r2 are bit-vectors of width 3 (bv3), while immed, r1val and r2val are bit-vectors of width 8 (bv8).

Line 3 declares a type synonym for a record. It declares result\_t as consisting of two fields: a Boolean field valid and a bit-vector field value. The output result is declared to be of type result\_t on Line 9.

The final point of interest in this example, type-wise, is line 10. The state variable regs is declared to be of type array: indices to the array are of type bv3 and elements of the array are of type bv8. This is used to model an 8-entry register file, where each register is a bit-vector of width 8.

### 2. Basics: Types and Statements

```
1 module main {
    type cmd_t = enum { add, sub, mov_imm };
    type result_t = record { valid : boolean, value : bv8 };
    input valid : boolean;
5
    input cmd : cmd_t;
6
    input r1, r2 : bv3;
    input immed : bv8;
9
    output result : result_t;
10
         regs : [bv3]bv8;
11
    var
           cnt
                 : bv8;
12
    init {
13
      for i in range(0bv3, 7bv3) {
14
        regs[i] = 1bv8;
16
      cnt, result.value = 1bv8, 1bv8;
17
18
    define double(arg : bv8) : bv8 = (arg + arg);
20
21
22
    procedure exec_cmd()
23
     returns (r : result_t)
24
      modifies regs;
25
      var r1val, r2val : bv8;
26
      if (valid) {
27
        r1val, r2val = regs[r1], regs[r2];
28
29
                         : { regs[r1] = r1val + r2val; }
: { regs[r1] = r1val - r2val; }
           (cmd == add)
30
31
           (cmd == sub)
          (cmd == mov_imm) : { regs[r1] = immed; }
32
33
        r.valid, r.value = true, regs[r1];
34
      } else { r.valid = false; }
35
36
37
    next {
38
     call (result') = exec_cmd();
39
      cnt' = double(cnt);
40
41
42
    assume regindex_zero : (r1 == 0bv3 && r2 == 0bv3);
    assume cmd_is_add : (cmd == add) && valid;
    invariant result_eq_cnt : (cnt == result.value);
46
    control {
47
     f = bmc (5);
48
      check;
49
50
      print_results;
51
    }
52 }
```

Example 2.1.: Model of a simple ALU

### 2. Basics: Types and Statements

Uninterpreted functions can be declared in UCLID5 using the function declaration. These functions are typed, mapping a tuple of typed arguments to a return type. For example, the following uninterpreted function models the mapping of an instruction to an opcode in a simple CPU model given later in this tutorial as Example 3.2.

```
function inst2op (i : word_t) : op_t;
```

Two further types of functions without definitions can be declared in UCLID5 using the function declaration. First a synthesis function, declared using the synthesis keyword. Given a SyGuS solver using the command line option -y "solver path", UCLID5 will construct a SyGuS-IF file that synthesises bodies for any synthesis function in the UCLID5 file

```
synthesis function inst2op (i : word_t) : op_t;
```

The second function extension is an oracle function, declared using the oracle keyword. An oracle function is declared along with the name of an external executable binary which implements the function. Given an Satisfiability Modulo Theories and Oracles (SMTO) solver using the command line option -s "solver path", or a Synthesis Modulo Oracles (SyMO) solver using the command line option -y "solver path", UCLID5 will construct an SMTO/SyMO file for the verification/synthesis query including the oracle function. For more details on Synthesis and Satisfiability Modulo Oracles see https://arxiv.org/abs/2107.13477.

```
oracle function inst2op [binaryName] (i : word_t) : op_t;
```

Symbolic constants can be declared using a const declaration, as follows:

```
const w0 : word_t;
```

Finally, a useful feature of UCLID is groups. Groups are declared using the keyword group. All members of a group must have the same type, but they can be literals or variables that are already declared and in scope at the point of the group declaration.

```
group MyGroup: integer = {0, 1, 2, 3};
group AnotherGroup: integer = {a, b, c, 7};
```

### 2.2. Statements in Uclid5

Computation in UCLID5 can be either procedural (sequential) or parallel (concurrent). Procedural computation is performed by defining a procedure (and in the init block) while parallel computation occurs in the next block.

#### 2.2.1. Parallel vs. Procedural Assignments

Assignments inside procedures and the init block are called **procedural assignments** and must be of the form variable = expression; Assignments inside next block

are parallel assignments and must be of the form variable' = expression;. Mathematically, parallel assignments compute the next state of the transition system described by the model.

An example showing the use of sequential assignments is the following:

In this example, x is assigned sequentially. Recall that these procedural assignments must appear inside a procedure or in the init block. Executing these three statements will result x having the value 6.

In contrast, the following sequence of parallel assignments is **not** allowed and will result in a compiler error.

```
// Error, will not compile.

x' = 1;

x' = x + 2;

x' = x + 3;
```

Only a single parallel assignment to a state/output variable is allowed in a code block. Furthermore, since parallel assignments are computed in data-flow order, the order in which they are specified does not matter. This means that the following two snippets of code are equivalent:

```
next {
    x' = x + 1;
    y' = x' + 1;
}

next {
    x' = x + 1;
    y' = x' + 1;
```

```
next {
    y' = x' + 1;
    x' = x + 1;
}

next {
    x' = x + 1;
}
```

UCLID5 will determine that since y' depends on the value of x', x' has to be computed first. This value is then used in the computation of y'. This is regardless of the order in which these assignments appear in the next block.

Note also that the assignment to x' uses the value of the variable x at the beginning of the current step of the transition system (i.e., the "old" value of x). In contrast the assignment to y' uses the "new" value of x, which is the value of x at the end of this step of the transition system. It is important to think carefully about which version of a variable (var or var') must be used in a particular assignment.

### 2.2.2. Procedures

Example 2.1 demonstrates how sequential computation is used in concert with parallel computation. In Example 2.1, consider procedure exec\_cmd which executes a single ALU command and returns (line 23) a single value of type result\_t. The procedure

is invoked on line 39 in the next block, and its return value is assigned to the output variable result. Note we are again using the notation result' to refer to parallel assignment. Since this procedure updates the reg state variable, a modifies clause must be used to declare this fact (line 24).

We emphasize that assignments inside procedures do not assign primed variables. However, if a state variable is defined to be modified by a procedure (mentioned in its modifies clause), then its next-state value is the value that variable has upon return from that procedure. Put another way, the post-state of the procedure determines the next-state assignment of all state variables modified by it. In our example, procedure exec cmd modifies the state variable regs, and thus determines its next-state value.

### 2.2.3. Macro Definitions

UCLID5 also supports the definition of macro expressions using the define statement. Line 20 of Example 2.1 illustrates this construct. Macro definitions are useful, as in C, to define expressions over arguments that are instantiated in multiple places, or which help make the code more readable.

### 2.2.4. For Loops

The procedure set\_init\_state uses a for loop to initialize each value in the array regs to the bit-vector value 1.<sup>1</sup> The loop iterates over the values between 0 and 7 (both-inclusive).

The range over which a for loop iterates must be defined by two numeric literals.

Alternatively, the loop iterates may be defined by two macro definitions whose expressions are numeric literals. However, this requires the for statement to be declared with a typed iterator.

For example, if the following macro definitions are at the module level,

```
define begin() : bv3 = 0bv3;
define end() : bv3 = 7bv3;
```

we may alternatively write the for loop in set init state in the following way:

```
for (i : bv3) in (begin(), end()) { regs[i] = 1bv8; }
```

#### 2.2.5. If and Case Statements

Also worth pointing out are the if statement that appears on line 27, and the case statement that appears on line 29. Syntax for if statements should be familiar.

case statements are delimited by case and esac and contain within them a list of boolean expressions and associated statement blocks. These expressions are evaluated in the order in which appear, and if any of them evaluate to true, the corresponding block is executed. If none of the case-expressions evaluate to true, nothing is executed. The keyword default can be used as a "catch-all" case like in C/C++.

<sup>&</sup>lt;sup>1</sup>1bv8 here refers to the bit-vector value 1 of width 8.

### 2.2.6. Expressions

The syntax for expressions in UCLID5 is similar to languages like C/C++/Java. Index i of array regs is accessed using the syntax regs[i]. Field value in the record result is accessed as result.value.

### 2.2.7. Quantifiers

UCLID5 supports universal and existential quantifiers, which can be used in any place where a predicate would be permitted, for instance, in assumptions:

```
assume (forall (ri : robind_t) :: ops[ri] == no_op);
assume (exists (i : integer) :: (i > 0) && (i < 11) && numbers[i] !=
some_int);</pre>
```

UCLID5 Also supports finite universal quantification, where we universally quantify over a finite group type. These quantifiers are expanded to a conjunction before being passed to the underlying SMT solver.

```
group myGroup : integer = {0, 1, 2, 3};
property test : finite_forall (int : integer) in myGroup :: int < 4;
```

### 2.3. An Illustrative Example

This section briefly describes the execution semantics of Example 2.1.

#### 2.3.1. Initialization

Execution of the model in Example 2.1 starts with the init block. This block invokes set\_init\_state and assigns initial values to regs, cnt and result.value. The other variables (e.g. rlval and r2val) are not assigned to in the init block and will be initialized non-deterministically.

### 2.3.2. Next State Computation

The next state of each state variable in the model is computed according to the next block. Any variables not assigned to in the next block retain their "old" values.

The input variables of the model are assigned (possibly different) non-deterministic values for each step of the transition system. These values can be controlled by using assumptions. Indeed, the model uses the two assumptions on lines 43–44 to constrain the input to the ALU to always be an add operation, where both operands refer to register index 0.

### 2.3.3. Verification

As in Example 1.1, the verification script in Example 2.1 unrolls the transition system for 5 steps and checks if the invariant on line 45 is violated in any of these steps.

### 2.3.4. Running Uclid5

Running UCLID5 on Example 2.1 produces the following output.

```
$ uclid examples/tutorial/ex2.1-alu.ucl
Successfully parsed 1 and instantiated 1 module(s).
6 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

UCLID5 is able to prove that the invariant on line 45 holds for all states reachable within 5 steps of the initial state, under the assumptions specified in lines 43–44.

## 3. Compositional Modeling and Abstraction

This chapter describes UCLID5's features for compositional and modular verification, and the use of abstraction.

We will use a running example of a CPU model constructed in UCLID5 and use bounded unrolling of the model's transition relation to prove that the execution of this CPU is deterministic: i.e. we show that given two identical instruction memories, the state updates performed by this CPU will be identical.

## 3.1. Common Type Definitions Across Modules

Example 3.1 shows a module that defines only type synonyms. Such a module can be used to share type definitions across other modules. The types declared in Example 3.1 are *imported* in lines 2-5 of module cpu declared in Example 3.2.

```
// This module declares types that are used in the rest of the model.
module common {
   // addresses are uninterpreted types.
   type addr_t = bv8;
   type word_t = bv8;
   // memory
   type mem_t = [addr_t]word_t;
   // CPU operation.
   type op_t = enum { op_mov, op_add, op_sub, op_load, op_store };
}
```

Example 3.1.: Module common of the CPU model

Isolating commonly used types into a single module in this manner allows the construction of large models parameterized by this types. These common types can be changed and the ramifications of these changes on the model's behavior can be studied easily.

## 3.2. Uninterpreted Functions and Types

A convenient mechanism for abstraction in UCLID5 is through the use of uninterpreted functions and types. This is one of the novel modeling aspects for transition systems introduced by the original UCLID system [1].

### 3. Compositional Modeling and Abstraction

```
1 module cpu {
    type addr_t = common.addr_t;
    type mem_t = common.mem_t;
    type word_t = common.word_t;
    type op_t = common.op_t;
5
    type regindex_t; // type of register file.
6
    type regs_t = [regindex_t]word_t;
    input imem
                       : mem_t; // program memory.
10
    var dmem
                       : mem_t; // data memory.
11
    var regs
                       : regs_t;
12
    var pc
                       : addr_t;
    var inst, result : word_t;
13
14
    function inst2op (i : word_t) : op_t;
    function inst2reg0 (i : word_t) : regindex_t;
16
    function inst2reg1 (i : word_t) : regindex_t;
17
    function inst2imm (i : word_t) : word_t;
18
    function inst2addr (i : word_t) : addr_t;
20
    procedure exec_inst(inst : word_t, pc : addr_t)
21
22
     returns (result : word_t, pc_next : addr_t)
23
      modifies regs, dmem;
24
25
      var op
                       : op_t;
      var r0ind, r1ind : regindex_t;
26
      var r0, r1 : word_t;
27
28
29
      op = inst2op(inst);
      r0ind, rlind = inst2reg0(inst), inst2reg1(inst);
30
      r0, r1 = regs[r0ind], regs[r1ind];
31
      case
32
33
        (op == op_mov)
                          : { result = inst2imm(inst); }
                           : { result = r0 + r1; }
34
        (op == op\_add)
                           : { result = r0 - r1; }
35
        (op == op\_sub)
                         : { result = dmem[inst2addr(inst)]; }
        (op == op_load)
36
        (op == op_store) : { result = r0; dmem[inst2addr(inst)] = r0; }
37
38
     esac
      pc_next = pc + 1bv8;
39
40
      regs[r0ind] = result;
41
42
    init {
     assume (forall (r : regindex_t) :: regs[r] == 0bv8);
     assume (forall (a : addr_t) :: dmem[a] == 0bv8);
     pc, inst = 0bv8, 0bv8;
46
    }
47
48
    next {
49
50
     inst' = imem[pc];
      call (result', pc') = exec_inst(inst, pc);
51
52
    }
53 }
```

Example 3.2.: The cpu module in the CPU model

```
1 module main {
    // Import types
    type addr_t = common.addr_t;
    type mem_t
                   = common.mem_t;
    type word_t
                   = common.word_t;
    type op_t = common.op_t;
    type regindex_t = cpu.regindex_t;
    // instruction memory is the same for both CPUs.
    var imem : mem_t;
11
12
    // Create two instances of the CPU module.
13
14
    instance cpu_i_1 : cpu(imem : (imem));
15
    instance cpu_i_2 : cpu(imem : (imem));
16
17
    init {
18
19
    next {
20
     // Invoke CPU 1 and CPU 2.
21
     next (cpu_i_1);
22
     next (cpu_i_2);
23
24
25
    // These are our properties.
26
    invariant eq_regs :
      (forall (ri : regindex_t) :: cpu_i_1.regs[ri] == cpu_i_2.regs[ri]);
29
    invariant eq_mem :
30
     (forall (a : addr_t) :: cpu_i_1.dmem[a] == cpu_i_2.dmem[a]);
    invariant eq_pc : (cpu_i_1.pc == cpu_i_2.pc);
31
    invariant eq_inst : (cpu_i_1.inst == cpu_i_2.inst);
32
33
    // Proof script.
34
    control {
35
      bmc(3);
36
      check;
37
38
      print_results;
39
40
```

Example 3.3.: Module main in the CPU model

### 3.2.1. Uninterpreted Types

Example 3.2 shows the use of the uninterpreted type: regindex\_t on line 6. The index type to the register is an abstract type, as opposed to a specific type (e.g. bv3). This allows us to reason about an abstract register file that has an undefined (and unbounded) number of entries, as opposed to proving facts about some specific register file implementation, potentially enabling more general proofs about system behavior.

### 3.2.2. Uninterpreted Functions

Values belonging to an uninterpreted type can be created using uninterpreted functions. The functions inst2op, inst2reg0, inst2reg1, inst2imm and inst2addr on lines 15-19 of Example 3.2 are all examples of uninterpreted functions. An uninterpreted function f is a symbol about which we know nothing, except that it is a function; i.e.  $\forall x_1, x_2. \ x_1 = x_2 \implies f(x_1) = f(x_2).$ 

As an example, in the context of processor verification, uninterpreted functions allow us to reason about an abstract CPU model without considering specific instruction encodings or decoder models. This could potentially lead to more general proofs as well as more scalable automated proofs.

### 3.3. Module Instantiation and Scheduling

Modules are instantiated using the instance keyword. Lines 14 and 15 of Example 3.3 show two instantiations of the module cpu. For each instance, the module input imem is mapped to the state variable imem of module main.

Scheduling of instantiated modules is explicit and synchronous. The two next statements on lines 22 and 23 of Example 3.3 invoke the next state transitions of the two instances of the cpu module.

Asynchronous and partially synchronous composition can be modeled by explicitly encoding a scheduler into the UCLID5 model that specifies when the next block of each module is executed.

### 3.3.1. Accessing Members of Instances

The state variables, types, etc. of an instantiated module are accessed using the . operator. The four invariants on lines 27-32 of Example 3.3, refer to the registers, memory, pc and instruction variables of the two instantiated modules. These invariants state that both instances must have identical values for these state variables.

## 3.4. Running Uclid5

Executing UCLID5 on the complete CPU model shows that CPU is in fact deterministic.

### 3. Compositional Modeling and Abstraction

```
$ uclid ex3.1-cpu.ucl ex3.2-cpu.ucl ex3.3-cpu.ucl Successfully parsed 3 and instantiated 1 module(s).
16 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

Note the files ex3.1-cpu.ucl, ex3.2-cpu.ucl and ex3.3-cpu.ucl contains three modules. Each of these modules could potentially have control blocks. Which UCLID5 is invoked on this model, it executes only the control block of the main module. If we had included a control block for the alu module and wished to verify properties of this module, we would have to invoke UCLID5 on this specific module using the --main command-line option.

In the examples covered thus far, we have only used UCLID5 for bounded model checking of invariants. It can also be used to perform bounded model checking of linear temporal logic properties. In addition, UCLID5 can be used to do unbounded inductive proofs and also provides support for debugging counterexamples. It can be used for checking simulation (refinement) between two transition systems, such as the technique of correspondence checking between two processor models. Finally, UCLID5 can be used to check certain hyperproperties, such as two-safety properties, by the technique of self-composition. This chapter will describe these features of UCLID5. Further features are being implemented and will be described in a future version of this document.

### 4.1. Inductive Proofs

Let us revisit the model from Example 1.1. This is now shown again in Example 4.1, but with a different proof script. Instead of using the bmc command for bounded model checking, we are using the induction command to attempt an inductive proof.

```
module main {
    // Part 1: System description.
    var a, b : integer;
    init {
      a = 0;
      b = 1;
    next. {
      a', b' = b, a + b;
12
    // Part 2: System specification.
    invariant a_le_b: a <= b;</pre>
14
16
    // Part 3: Proof script.
17
    control {
18
       induction;
      check;
19
      print_results;
20
21
```

Example 4.1.: UCLID5 Fibonacci model using induction in the proof script

### 4.1.1. Debugging Counterexamples

Let us try running UCLID5 on Example 4.1 with the new proof script.

```
$ uclid examples/tutorial/ex4.1-fib-induction.ucl
Successfully parsed 1 and instantiated 1 module(s).
1 assertions passed.
1 assertions failed.
0 assertions indeterminate.
  FAILED -> induction (step) [Step #1]
  property a_le_b @ ex4.1-fib-induction.ucl, line 14
Finished execution for module: main.
```

Uh oh, we seem to have a problem! UCLID5 is telling us that the inductive proof failed. We can try to examine why the proof failed by using the print\_cex command to examine the counterexample to the proof.

```
module main {
    // Part 1: System description.
    var a, b : integer;
    init {
      a = 0;
      b = 1;
    next {
      a', b' = b, a + b;
10
13
    // Part 2: System specification.
    invariant a_le_b: a <= b;</pre>
    // Part 3: Proof script.
16
    control {
17
      vobj = induction;
18
19
      check;
20
      print_results;
21
      vobj.print_cex(a, b);
22
23
```

Example 4.2.: UCLID5 Fibonacci model with induction and print cex

The only changes between Example 4.1 and Example 4.2 are on lines 18 and 21. vobj on line 18 is a reference to the verification conditions generated by the induction command. On line 21, we pass this reference to the print\_cex command which prints out the values of a and b for the counterexample.

Running UCLID5 on Example 4.2 produces the following.

```
Successfully parsed 1 and instantiated 1 module(s).
1 assertions passed.
1 assertions failed.
O assertions indeterminate.
 FAILED -> vobj: induction (step) [Step #1]
 property a_le_b @ ex4.2-fib-induction-cex.ucl, line 14
CEX for vobj: induction (step) [Step #1]
property a_le_b @ ex4.2-fib-induction-cex.ucl, line 14
_____
Step #0
 a : -1
 b : 0
Step #1
 a : 0
 b : -1
Finished execution for module: main.
```

To understand the counterexample, it is helpful to review how the inductive proof engine works. When inductively proving the invariant a\_le\_b, UCLID5 considers some arbitrary state that satisfies this property, executes the next block, and checks whether a le b holds on the resultant state.

The counterexample shows us that we do start in a state where  $a \le b$  with a = -1 and b = 0. We execute the next block and now a gets the value of b, becoming 0 and b gets the value a + b, becoming -1. This new state does not satisfy the invariant!

What is the real problem here? Taking a closer look at Example 4.2, we see that this specific counterexample can never occur in our model because a and b are always  $\geq 0$ . But UCLID5 does not know this when attempting the inductive proof. Therefore, we have to strengthen the inductive argument with this information in order to help UCLID5's proof.

### 4.1.2. Inductive Proof for the Fibonacci Model

Example 4.3 shows the same model as Example 4.2, but with a stronger induction hypothesis. UCLID5's inductive engine will now start in an arbitrary state that assumes that both invariants a\_le\_b and a\_b\_ge\_0 hold and attempt to prove that both of these still hold after the next block is executed.

Let us now run UCLID5 on this new model.

```
1 module main {
    // Part 1: System description.
    var a, b : integer;
    init {
      a = 0;
      b = 1;
    next {
     a', b' = b, a + b;
10
11
12
    // Part 2: System specification.
13
    invariant a_le_b: a <= b;</pre>
14
    invariant a_b_ge_0: (a >= 0 \&\& b >= 0);
15
16
    // Part 3: Proof script.
18
    control {
19
      vobj = induction;
      check;
      print_results;
22
      vobj.print_cex(a, b);
23
24 }
```

Example 4.3.: Inductive proof for the Fibonacci model

```
Successfully parsed 1 and instantiated 1 module(s).
$ uclid examples/tutorial/ex4.3-fib-induction-proof.ucl
4 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

Success! We have shown that our system model satisfies its specification.

#### 4.1.3. Exercise: Inductive Proof of CPU model

Prove determinism of the CPU model in Examples 3.2 and 3.3 using induction rather than bounded model checking. You will need to add strengthening inductive invariants relating the two CPU instances.

### 4.2. Bounded Model Checking

Let us return to the model of Example 1.1 which is reproduced as Example 4.4 with a few changes. We used the bmc command for verification. This command performs bounded model checking and takes a single argument – the number of steps to unroll the model for. In Example 4.4, we are unrolling the model for 3 steps. The bmc command will check all properties (LTL and non-LTL), and supercedes the deprecated unroll command. To check only the non-LTL properties, use bmc\_nolTL. We have introduced the constant flag on line 4. A constant holds a symbolic value that does not change during computation. The initial value of the constant is assigned non-deterministically and can be controlled using assumptions.

#### 4.2.1. Embedded assume and assert statements

A second difference with between Example 1.1 and Example 4.4 is on lines 12–14, 24 and 25. Instead of using a module-level assumption declarations as in Example 1.1, we have three embedded assumptions in the set\_init procedure on lines 12–14, and two embedded assertions in the next block on lines 23 and 25. A module-level assumption is assumed to hold for the solver at every step of execution, while an embedded assumption is assumed "instantaneously." In particular, the assumptions on lines 12–14 tells the solver to assume that  $a \le b$ , a >= 0 and b >= 0 at the end of the set\_init procedure. Notice that we are not assigning specific values to a and b, instead we are asking UCLID5 to consider potential values of a and b such that  $a \le b$ ,  $a \ge 0$  and  $b \ge 0$ .

Similarly the assertions on lines 23 and 25 are evaluated at that specific location in the code. In particular the assertion on line 23 is only checked when flag is true, while the assertion one line 25 is checked when flag is false. Since flag is always true in our model, the assertion on line 25 will never fire. In contrast, note that a module-level

```
1 module main {
    // System description.
    var a, b
               : integer;
    const flag : boolean;
    procedure set_init()
7
      modifies a, b;
      havoc a;
9
      havoc b;
10
      // embedded assumptions.
11
      assume (a <= b);</pre>
12
13
      assume (a >= 0 \&\& b >= 0);
14
      assume (flag);
15
16
    init {
17
      call set_init();
18
    next {
20
      a', b' = b, a + b;
21
      if (flag) {
22
23
        assert (a' <= b');</pre>
      } else {
         assert (false);
      }
26
    }
27
28
    // Proof script.
29
    control {
30
      bmc (3);
31
      check;
32
33
      print_results;
34
35
```

Example 4.4.: Revisiting the Fibonacci model from Example 1.1.

assertion would be evaluated after the init block and after each execution of the next block.

### 4.2.2. Running Uclid5

Running UCLID5 on Example 4.4 shows that the embedded assertions do indeed hold for all states reachable within 3 steps of the initial state.

```
$ uclid examples/tutorial/ex4.4-fib-model-revisted.ucl
Successfully parsed 1 and instantiated 1 module(s).
6 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

## 4.3. Specifications in Linear Temporal Logic

UCLID5 supports the specification of module behavior using linear temporal logic (LTL). Example 4.5 shows a UCLID5 model of an intersection with two traffic lights. Lines 3–39 define the functionality of the traffic light; this part of the model should be familiar. The current state of the lights are stored in the variables light1 and light2, and these switch from red to green to yellow and back to red. The variables step1 and step2 can be thought of timers, and ensure that each light stays red for three transitions, green for two transitions and stays yellow for a single transition.

The LTL properties are on lines 41, 42 and 43. The property always\_one\_red specifies a safety property which states that at least one of the two lights must be red in every particular cycle. The notation  $G(\phi)$  refers to the LTL globally operator, while the notation  $F(\phi)$  refers to the LTL eventually (future) operator. Other supported operators include next-time:  $X(\phi)$ , (strong-)until:  $U(\phi_1, \phi_2)$  and weak-until:  $W(\phi_1, \phi_2)$ . always\_one\_red is a safety property. The property eventually\_green is an example of liveness property, and specifies that both lights become green infinitely often.

The command bmc performs bounded verification of all properties, including LTL properties. This is invoked on line 46 and specifies which properties must be checked within the square brackets. (If no properties are specified, and the square brackets are omitted bmc checks all properties in the module.) To check only the LTL properties use the bmc\_LTL command.

### 4.3.1. Running Uclid5

Running UCLID5 on Example 4.5 produces the following output.

```
1 module main
2 {
    type light_t = enum { red, yellow, green };
    var step1, step2 : integer;
    var light1, light2 : light_t;
5
6
    init {
      light1, step1 = red,
9
      light2, step2 = green, 1;
10
11
12
    next {
      call (light1', step1') = next_light(light1, step1);
13
      call (light2', step2') = next_light(light2, step2);
14
15
16
    procedure next_light(light : light_t, step : integer)
17
     returns (lightP : light_t, stepP: integer)
18
       if (step == 0) {
20
21
22
         (light == green) : {
23
          lightP = yellow;
24
          stepP = step;
25
         (light == yellow) : {
26
          lightP = red;
27
          stepP = 2;
28
29
        (light == red) : {
30
           lightP = green;
31
          stepP = 1;
32
33
34
        esac
35
       } else {
        lightP = light;
36
         stepP = step - 1;
37
38
      }
39
40
    property[LTL] always_one_red: G(light1 == red || light2 == red);
41
    property[LTL] eventually_green:
42
      G(F(light1 == green)) \&\& G(F(light2 == green));
45
    control {
      v = bmc[properties=[always_one_red, eventually_green]](10);
46
      check;
47
      print_results;
48
      v.print_cex(light1, step1, light2, step2);
49
50
    }
51
```

Example 4.5.: Example of using LTL specifications in UCLID5.

```
$ uclid run examples/traffic-light.ucl
Running (fork) uclid.UclidMain examples/traffic-light.ucl
Successfully parsed 1 and instantiated 1 module(s).
44 assertions passed.
0 assertions failed.
0 assertions indeterminate.
Finished execution for module: main.
```

The output shows that all properties are verified.

#### **Exercises**

- 1. Does the property always\_one\_red hold if the assignment to step2 on line 9 is changed to 2 (from 1)? Why or why not? Make this change, print-out and understand the counterexample if one exists.
- 2. Find a way to modify the model so that the property eventually\_green is violated. Examine and understand the counter-example generated by UCLID5 when this happens.

## 4.4. Correspondence/Simulation Checking

UCLID5 provides constructs to check whether one transition system simulates another, where both are modeled as UCLID5 modules. In other words, we can check whether one module can simulate steps of another. Correspondence checking, a special case of simulation checking, is based on constructing a commutative diagram (see Fig. 4.4) via symbolic simulation and checking the validity of a property of interest at the end [2].

Thus, the outline of the verification task, as specified in the control section of a module, involves simulating the two sides of the commutative (simulation) diagram and checking an assertion at the end. An example of correspondence checking, the verification of a simple pipelined datapath, is illustrated in detail in the code included below (also in the distribution in examples/simple-datapath.ucl). This example is drawn from the original UCLID system [4, 1].

```
// Simple pipelined datapath, based on old uclid model in the old UCLID user
manual

module common {
   // Types
   // Words -- Addresses, Data, etc.
   type word_t = bv32;
   // Registers
   type reg_t = bv8; // arbit choice
   // Register file
   type rf_t = [reg_t]word_t;
   // OpCode
```



Figure 4.1.: Commutative diagram to check an implementation (pipelined processor) is simulated by its specification.

```
type op_t = bv8; // arbit choice
    // Uninterpreted functions
14
    function newPC(a: word_t) : word_t;
15
    const pc0 : word_t;
16
    function rf0 (r : reg_t) : word_t;
17
    function src1 (i : word_t) : reg_t;
18
    function src2 (i : word_t) : reg_t;
19
    function dest (i : word_t) : reg_t;
20
    function op (i : word_t) : op_t;
21
    function alu (op : op_t, arg1: word_t, arg2 : word_t) : word_t;
22
23
24
25
  // Specification/ISA model
  module spec {
27
28
29
    input proj_impl : boolean;
    input impl_RF : common.rf_t;
30
    input impl_PC : common.word_t;
31
32
    var sPC : common.word_t;
33
    var sRF : common.rf_t;
34
35
    procedure update_sRF()
36
37
      modifies sRF;
    {
38
         sRF[common.dest(sPC)] = common.alu(common.op(sPC),
39
40
                           sRF[common.src1(sPC)],
              sRF[common.src2(sPC)]);
41
42
43
```

```
init {
     sPC = common.pc0;
46
     assume (forall (i : common.reg_t) :: (sRF[i] == common.rf0(i)));
47
48
    next {
49
    if (proj_impl) {
50
      sPC' = impl_PC;
51
        sRF' = impl_RF;
54
     else {
55
       sPC' = common.newPC(sPC);
56
        call update_sRF();
57
58
    }
59
60
61 // Pipeline model
62 module impl {
63
    input flush : boolean;
64
   input reinit : boolean;
65
66
    var pPC : common.word_t;
   var pRF : common.rf_t;
69
    var eOP : common.op_t;
70
    var eSRC2 : common.reg_t;
71
    var eDEST : common.reg_t;
    var eARG1 : common.word_t;
72
    var eARG2 : common.word_t;
73
    var eWRT : boolean;
74
    var wVAL : common.word_t;
75
76
    var wDEST : common.reg_t;
77
    var wWRT : boolean;
78
    const op0 : common.op_t;
79
    const s0, d0, d1 : common.reg_t;
80
    const a1, a2, x0 : common.word_t;
81
    const w0, w1 : boolean;
82
83
    procedure update_pRF()
84
    modifies pRF;
85
    {
86
     if (wWRT) { pRF[wDEST] = wVAL; }
87
89
    define stall() : boolean = eWRT && (common.src1(pPC) == eDEST);
90
91
    init {
92
     // initialize PC and RF same as spec module
93
      pPC = common.pc0;
94
      assume (forall (i : common.reg_t) :: (pRF[i] == common.rf0(i)));
95
      // all other state variables get arbit symbolic initialization
96
      eOP = op0;
```

```
eSRC2 = s0;
       eARG1 = a1;
100
       eARG2 = a2;
       eDEST = d0;
       eWRT = w0;
102
       wVAL = x0;
103
       wDEST = d1;
104
       wWRT = w1;
105
     }
106
107
108
109
     next {
110
      if (reinit) {
       pPC' = common.pc0;
111
112
       havoc pRF;
       assume (forall (i : common.reg_t) :: (pRF'[i] == common.rf0(i)));
113
       // all other state variables get same arbit symbolic initialization as
114
       before
       eOP' = op0;
115
       eSRC2' = s0;
116
       eARG1' = a1;
117
       eARG2' = a2;
118
       eDEST' = d0;
119
       eWRT' = w0;
       wVAL' = x0;
       wDEST' = d1;
       wWRT' = w1;
123
      }
      else {
125
       // updates to PC and RF
126
       if ((!flush) && (! stall())) { pPC' = common.newPC(pPC); }
       call update_pRF();
128
       // Execute stage
129
       eOP' = common.op(pPC);
130
       eSRC2' = common.src2(pPC);
131
       eARG1' = pRF'[common.src1(pPC)];
132
       eARG2' = pRF'[common.src2(pPC)];
133
       eDEST' = common.dest(pPC);
134
       eWRT' = (!stall()) \&\& (!flush);
135
       // Writeback stage
136
       wDEST' = eDEST;
137
       wWRT' = eWRT;
138
       if (wWRT && (wDEST == eSRC2)) // fwding logic
139
140
         wVAL' = common.alu(eOP, eARG1, wVAL);
142
       }
143
       else {
         wVAL' = common.alu(eOP, eARG1, eARG2);
144
       }
145
146
      }
     }
147
148
149
150
```

```
151 // Main module
152 module main {
153
     var flush_pipeline : boolean;
154
     var reinit : boolean;
155
     var project_impl : boolean;
156
     var step : integer;
158
159
     // Variables to store impl state
160
161
     var I_pc : common.word_t;
162
     var I_rf : common.rf_t;
163
     // Variables to store spec state
     var S_pc0 : common.word_t; // after 0 steps
165
     var S_rf0 : common.rf_t;
     var S_pc1 : common.word_t; // after 1 step
166
     var S_rf1 : common.rf_t;
167
168
     // instantiate spec and impl modules
169
     instance impl_i : impl(flush : (flush_pipeline), reinit : (reinit));
170
     instance spec_i : spec(proj_impl : (project_impl), impl_RF : (impl_i.pRF),
171
       impl_PC : (impl_i.pPC));
172
     init {
174
       step = 0;
175
       flush_pipeline = false;
176
       project_impl = false;
       reinit = false;
177
178
179
     next {
180
       step' = step + 1;
181
182
          (step == 0) : {
183
            flush_pipeline' = true;
184
            next(impl_i); // step impl module, normal step
185
186
         (step == 1) : {
187
            flush_pipeline' = true;
188
            next(impl_i); // step impl module, flush
189
190
         (step == 2) : {
191
            flush_pipeline' = false;
192
            reinit' = true;
193
            next(impl_i); // step impl module, flush
195
          (step == 3) : {
196
            flush_pipeline' = true;
197
            reinit' = false;
198
            I_pc' = impl_i.pPC; // store impl state after pipeline flushed for 2
199
        steps
            I_rf' = impl_i.pRF;
200
            next(impl_i); // step impl module, reinitialize
201
202
```

```
(step == 4) : {
203
            flush_pipeline' = true;
            next(impl_i); // step impl module, flush
205
          (step == 5) : {
207
            flush_pipeline' = false;
208
            project_impl' = true;
209
            next(impl_i); // step impl module, flush
210
211
         (step == 6) : {
212
213
            project_impl' = false;
214
            next(spec_i); // step spec to project impl state onto spec
215
         (step == 7) : { // step spec module
216
            S_pc0' = spec_i.sPC; // initial state of spec
217
            S_rf0' = spec_i.sRF;
218
            next(spec_i); // step
219
220
         (step == 8) : { // store spec state after one step}
221
            S_pc1' = spec_i.sPC;
222
            S_rf1' = spec_i.sRF;
223
224
         }
         (step == 9) : {
225
            // assert(false); // sanity check to make sure execution can get
       here
227
            // correspondence check
228
            assert(((S_pc1 == I_pc) && (S_rf1 == I_rf)) || ((S_pc0 == I_pc) && (
       S_rf0 == I_rf)));
229
         }
       esac;
230
231
232
233
234
235
     control {
236
       vobj = unroll(10);
237
       check;
       print_results;
238
       vobj.print_cex(step, flush_pipeline, reinit, project_impl, I_pc, I_rf,
239
       S_pc0, S_rf0, S_pc1, S_rf1, impl_i.pPC, impl_i.pRF, spec_i.sPC, spec_i.
       sRF, impl_i.wVAL);
240
241
242
```

Running UCLID5 on the file given above produces the following output.

```
$ uclid examples/simple-datapath.ucl
Successfully parsed 4 and instantiated 1 module(s).

10 assertions passed.

0 assertions failed.

0 assertions indeterminate.
Finished execution for module: main.
```

## 4.5. Verifying Two-Safety Properties

Certain security properties involve reasoning about a system that is composed of modules modeling multiple interacting agents, some of whom can be malicious. For confidentiality properties, the goal is to ensure that secret data is not revealed to a malicious agent. For integrity properties, the goal is that actions of a malicious agent should not be able to influence the values of certain high-integrity variables. Such properties form a special class of the general category of *hyperproperties* [3] known as 2-safety properties. The name arises from the way in which such properties are checked, by formulating them as a safety property on a "self-composed" model of the system — a model obtained by composing two copies of the system together synchronously.

With UCLID5, we verify 2-safety properties via self-composition and inductive invariant checking. Counterexamples comprise two traces and are found by bounded model checking. The code included below shows an illustrative UCLID5 model drawn from the chapter on Security from the textbook on embedded (cyber-physical) systems by Lee and Seshia [5].

```
* Based on an example from Lee & Seshia, "Introduction to Embedded Systems",
       Chapter 17 on Security
  module process1
5
  {
    type pc_t = enum { A };
    var pc : pc_t;
    input s : boolean; // secret input
9
    input x : boolean; // public input
10
    output z: boolean; // public output
    init {
     pc = A;
14
      z = false;
16
17
    next {
      z' = !x;
20
21
22 }
```

```
24 module process2
   type pc_t = enum { B, C };
   var pc : pc_t;
28
    input s : boolean; // secret input
29
    input x : boolean; // public input
30
    output z: boolean; // public output
31
32
33
   procedure next_state()
34
     modifies z;
35
      modifies pc;
36
37
       (pc == B) && s && !x : { pc = C; z = true; }
38
        (pc == C) && s && !x : { pc = B; z = false; }
39
40
     esac
    }
41
42
    init {
43
    pc = B;
44
45
     z = false;
46
    next {
49
    call next_state();
50
51 }
52
53
54 module main
55 {
56
    type t1pc_t = process1.pc_t;
57
    type t2pc_t = process2.pc_t;
58
   var x1,x2 : boolean;
59
   var s1,s2 : boolean;
60
    var z1,z2 : boolean;
61
62
63 / *
instance pl1 : process1(z: (z1), s : (s1), x : (x1));
   instance p12: process1(z: (z2), s: (s2), x: (x2));
65
67
68 / *
69 */
70 instance p21 : process2(z: (z1), s : (s1), x : (x1));
   instance p22 : process2(z: (z2), s : (s2), x : (x2));
71
72
73
    init {
    havoc x1; havoc x2;
74
     havoc s1; havoc s2;
75
      assume (x1 == x2);
```

```
77
     }
78
79
     next {
       havoc x1; havoc x2;
       havoc s1; havoc s2;
       assume (x1' == x2');
82
       // next(p11); next(p12);
83
       next (p21); next (p22);
84
85
86
87
     invariant same_output_z : (z1 == z2);
88
89
90
     control {
       // *** BASIC ASSERTIONS/INVARIANT
91
92
93
       v = unroll(5);
94
       check;
95
       print_results;
96
       //v.print_cex(x1,x2,s1,s2,z1,z2,p11.pc,p12.pc);
97
       v.print_cex(x1,x2,s1,s2,z1,z2,p21.pc,p22.pc);
98
99
100
101
       // *** INDUCTION
102
       v = induction(1);
103
       check;
       print_results;
       v.print_cex(x1,x2,s1,s2,z1,z2,p11.pc,p12.pc);
105
106
107
108
```

## 4.6. Synthesis

UCLID5 has full support for Syntax-Guided Synthesis across all verification modes. If a synthesis function is inserted into the UCLID5 model, and the control block contains a verification command as per usual, UCLID5 will construct a synthesis query that searches for a body to any synthesis functions in the model.

The example in Figure ?? uses synthesis to strengthen the invariant for the Fibonacci example we have seen before. When run with the command line option -y "cvc4 --lang sygus" (or another SyGuS solver), UCLID5 will return the correct body for the synthesis function so that the verification condition passes.

```
1 module fib
      var a, b : integer;
      init {
        assume (a >= 0);
          assume (b > 0);
          assume (a <= b);</pre>
10
11
      next {
       a' = b;
          b' = a + b;
13
14
15 }
16
17
  module main
18 {
      synthesis function h(a: integer, b: integer, c: integer, d: integer)
19
      : boolean;
20
      instance fib1 : fib();
      instance fib2 : fib();
21
22
23
          assume (fib1.a == fib2.a && fib1.b == fib2.b);
24
      }
25
26
      next {
27
         next (fib1);
28
          next (fib2);
29
30
31
      property hole: h(fib1.a, fib1.b, fib2.a, fib2.b);
32
33 // property b_are_eq : fib1.b == fib2.b;
      property a_are_eq : fib1.a == fib2.a;
34
      property b_gt_0 : fib1.b > 0 && fib2.b > 0;
35
      property a_ge_0 : fib1.a >= 0 && fib2.a >= 0;
36
      property a_le_b : fib1.a <= fib1.b && fib2.a <= fib2.b;</pre>
37
38
39
      control {
40
          //v = unroll(5);
          v = induction;
42
          check;
43
          print_results;
          v.print_cex(fib1.a, fib1.b, fib2.a, fib2.b);
44
      }
45
46 }
```

Example 4.6.: UCLID5 Fibonacci model using synthesis function

## **Bibliography**

- [1] Randal E. Bryant, Shuvendu K. Lahiri, and Sanjit A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In E. Brinksma and K. G. Larsen, editors, *Proc. Computer-Aided Verification (CAV'02)*, LNCS 2404, pages 78–92, July 2002.
- [2] J. R. Burch and D. L. Dill. Automated verification of pipelined microprocessor control. In D. L. Dill, editor, Computer-Aided Verification (CAV '94), LNCS 818, pages 68–80. Springer-Verlag, June 1994.
- [3] Michael R Clarkson and Fred B Schneider. Hyperproperties. *Journal of Computer Security*, 18(6):1157–1210, 2010.
- [4] Shuvendu K. Lahiri and Sanjit A. Seshia. The UCLID decision procedure. In Rajeev Alur and Doron A. Peled, editors, Computer Aided Verification, 16th International Conference, CAV 2004, Boston, MA, USA, July 13-17, 2004, Proceedings, volume 3114 of Lecture Notes in Computer Science, pages 475–478. Springer, 2004.
- [5] Edward A. Lee and Sanjit A. Seshia. *Introduction to Embedded Systems: A Cyber-Physical Systems Approach*. MIT Press, second edition, 2016.

## A. Appendix: Uclid5 Grammar

This appendix describes UCLID5's grammar.

### A.1. Grammar of Modules and Declarations

**A model** consist of a list of modules. Each module consists of a list of declarations followed by an optional control block.

```
 \langle Model \rangle & ::= \langle Module \rangle^* \\ \langle Module \rangle & ::= module \langle Id \rangle \quad `` \{' \langle Decl \rangle^* \langle ControlBlock \rangle? \; `` \}'
```

**Declarations** can be of the following types.

```
\langle Decl \rangle
                                               ::= \langle TypeDecl \rangle
                                                      \langle InputsDecl \rangle
                                                        \langle OutputsDecl \rangle
                                                        \langle VarsDecl \rangle
                                                        \langle SharedVarsDecl \rangle
                                                        \langle DefineDecl \rangle
                                                        \langle ConstsDecl \rangle
                                                        \langle ConstLitDecl \rangle
                                                        \langle FuncDecl \rangle
                                                        \langle ProcedureDecl \rangle
                                                        \langle InstanceDecl \rangle
                                                        \langle InitDecl \rangle
                                                        \langle NextDecl \rangle
                                                        \langle AxiomDecl \rangle
                                                        \langle SpecDecl \rangle
```

**Type declarations** declare either a type synonym or an uninterpreted type.

```
 \langle \mathit{TypeDecl} \rangle \qquad ::= \mathsf{type} \ \langle \mathit{Id} \rangle \ \text{`='} \ \langle \mathit{Type} \rangle \ \text{`;'} \\ | \ \mathsf{type} \ \langle \mathit{Id} \rangle \ \text{`;'}
```

**Variable declarations** can refer to inputs, outputs, state variables, symbolic constants, named constant literals, shared variables, group declarations, or define declarations.

```
\langle InputsDecl \rangle ::= input \langle IdList \rangle ':' \langle Type \rangle ';' \langle OutputsDecl \rangle ::= output \langle IdList \rangle ':' \langle Type \rangle ';'
```

```
 \langle VarsDecl \rangle & ::= \text{var} \langle IdList \rangle \text{ ':'} \langle Type \rangle \text{ ';'} 
 \langle ConstsDecl \rangle & ::= \text{const} \langle IdList \rangle \text{ ':'} \langle Type \rangle \text{ ';'} 
 \langle ConstLitDecl \rangle & ::= \text{const} \langle Id \rangle \text{ ':'} \langle Type \rangle = \langle Number \rangle \text{ ';'} 
 \langle SharedVarsDecl \rangle & ::= \text{sharedvar} \langle IdList \rangle \text{ ':'} \langle Type \rangle \text{ ';'} 
 \langle DefineDecl \rangle & ::= \text{define} \langle Id \rangle \text{ '('} \langle IdTypeList \rangle \text{ ')'} \text{ ':'} \langle Type \rangle \text{ '='} \langle Expr \rangle \text{ ';'} 
 \langle GroupDecl \rangle & ::= \text{group} \langle Id \rangle \text{ ':'} \langle Type \rangle \text{ '='} \langle IdList \rangle \text{ ';'}
```

**Function declarations** refer to uninterpreted functions, synthesis functions or oracle functions.

```
 \langle FuncDecl \rangle & ::= \text{ function } \langle Id \rangle \text{ `('} \langle IdTypeList \rangle \text{ `)'} \text{ `:'} \langle Type \rangle \text{ `;'}   \langle SynthFuncDecl \rangle & ::= \text{ synthesis function } \langle Id \rangle \text{ `('} \langle IdTypeList \rangle \text{ `)'} \text{ `:'} \langle Type \rangle \text{ `;'}   \langle OracleFuncDecl \rangle & ::= \text{ oracle function } \langle Id \rangle \langle AnnotationList \rangle \text{ `('} \langle IdTypeList \rangle \text{ `)''} \text{ `:'} \langle Type \rangle \text{ `;'}
```

**Procedure declarations** consist of a formal parameter list, a list of return values and types, followed by optional pre-/post-conditions and the list of state variables modified by procedure.

```
 \langle ProcedureDecl \rangle & ::= \operatorname{procedure} \langle Id \rangle \; (\langle AnnotationList \rangle)^* \; `(' \; \langle IdTypeList \rangle \; ')' \\ \langle ProcReturnArg \rangle ? \\ \langle RequireExprs \rangle \; \langle EnsureExprs \rangle \; \langle ModifiesExprs \rangle \\ \langle BlkStmt \rangle \\ \langle ProcReturnArg \rangle & ::= \operatorname{returns} \; `(' \; \langle IdTypeList \rangle \; `)' \\ \langle RequireExprs \rangle & ::= (\operatorname{requires} \; \langle Expr \rangle \; `;' \; )^* \\ \langle EnsureExprs \rangle & ::= (\operatorname{ensures} \; \langle Expr \rangle \; `;' \; )^* \\ \langle ModifiesExprs \rangle & ::= (\operatorname{modifies} \; \langle IdList \rangle \; `;' \; )^* \\ \end{aligned}
```

**Instance declarations** allow the instantiation (duh!) of other modules. They consist of the instance name, the name of the module being instantiated and the list of mappings for the instances' inputs, output and shared variables.

```
 \langle InstanceDecl\rangle \qquad ::= instance \langle Id\rangle \text{ `:' } \langle Id\rangle \langle ArgMapList\rangle \text{ `;'}   \langle ArgMapList\rangle \qquad ::= \text{`('')'}   | \text{`('} \langle ArgMap\rangle \text{`,'} \langle ArgMapList\rangle \text{`)'}
```

**Axioms** refer to assumptions while a **specification declaration** refers to design invariants. Note axiom and assume are synonyms, as are property and invariant.

```
 \langle AxiomDecl\rangle & ::= \langle AxiomKW\rangle \langle Id\rangle \text{ ':' } \langle Expr\rangle \text{ ';' } \\  \langle AxiomKW\rangle \langle Expr\rangle \text{ ';' } \\  \langle AxiomKW\rangle & ::= \text{axiom } | \text{assume} \\  \langle SpecDecl\rangle & ::= \langle PropertyKW\rangle \langle Id\rangle \text{ ':' } \langle Expr\rangle \text{ ';' } \\  \langle PropertyKW\rangle \langle Expr\rangle \text{ ';' } \\  \langle PropertyKW\rangle & ::= \text{property} | \text{invariant}
```

**Init** and **next** blocks consist of lists of statements.

```
\langle InitDecl \rangle ::= init \langle BlkStmt \rangle
\langle NextDecl \rangle ::= next \langle BlkStmt \rangle
```

Assignment statements in the next block declaration must assign primed variables only, and are concurrently evaluated.

### A.2. Statement Grammar

**Statements** are the following types, most of which should be familiar. Note the support for simultaneous assignment à la Python. The keyword next allows for synchronous scheduling of instantiated modules.

```
 \langle Statement \rangle & ::= \text{skip';'} \\ & | \text{assert } \langle Expr \rangle \text{';'} \\ & | \text{assume } \langle Expr \rangle \text{';'} \\ & | \text{havoc } \langle Id \rangle \text{';'} \\ & | \langle LhsList \rangle \text{'='} \langle ExprList \rangle \text{';'} \\ & | \text{call '('} \langle LhsList \rangle \text{')''='} \langle Id \rangle \langle ExprList \rangle \text{';'} \\ & | \text{call } \langle Id \rangle \text{'('} \langle ExprList \rangle \text{')'';'} \\ & | \text{next '('} \langle Id \rangle \text{')'';'} \\ & | \langle IfStmt \rangle \\ & | \langle CaseStmt \rangle \\ & | \langle ForLoop \rangle \\ & | \langle WhileLoop \rangle \\ & | \langle BlkStmt \rangle
```

**Block statements** are a list of variables with local scope, and a list of statements.

$$\langle BlkStmt \rangle$$
 ::= '{'  $\langle BlockVarDecl \rangle^* \langle Statement \rangle^*$  '}'
 $\langle BlockVarDecl \rangle$  ::=  $var \langle IdList \rangle$  ':'  $\langle Type \rangle$  ';'

**Assignments** and **call** statements refer to the nonterminal  $\langle LhsList \rangle$ . As the name suggests, this is a list of syntactic forms that can appear on the left hand side of an assignment.  $\langle Lhs \rangle$  are of four types: (i) identifiers, bitvector slices within identifiers, (iii) array indices, and (iv) fields within records.

$$\langle LhsList \rangle \qquad ::= \langle Lhs \rangle \ (`,` \langle Lhs \rangle)^*$$

$$\langle Lhs \rangle \qquad ::= \langle Id \rangle$$

$$| \langle Id \rangle \ `` | \langle Id \rangle \ `` | \langle Expr \rangle \ `:` \langle Expr \rangle \ `] \ `$$

$$| \langle Id \rangle \ `[` \langle ExprList \rangle \ `]'$$

$$| \langle Id \rangle \ (`.` \langle Id \rangle) +$$

If statements are as per usual. "Braceless" if statements are not permitted.

$$\langle \mathit{IfStmt} \rangle \qquad ::= \text{if `('} \langle \mathit{CondExpr} \rangle \text{ `)'} \langle \mathit{BlkStmt} \rangle$$

$$= \text{lse } \langle \mathit{BlkStmt} \rangle$$

$$= \text{if `('} \langle \mathit{CondExpr} \rangle \text{ `)'} \langle \mathit{BlkStmt} \rangle$$

$$\langle \mathit{IfExpr} \rangle \qquad ::= \langle \mathit{Expr} \rangle \mid *$$

**Case** statements are as follows.

```
\langle CaseStmt \rangle ::= case \langle CaseBlock \rangle^* esac \langle CaseBlock \rangle ::= \langle Expr \rangle ':' \langle BlkStmt \rangle | default ':' \langle BlkStmt \rangle
```

**For loops** allow iteration over a statically defined range of values.

```
 \langle ForLoop \rangle \qquad ::= \text{for} \langle Id \rangle \text{ in range `('} \langle Number \rangle ', ' \langle Number \rangle ')' \\ \langle BlkStmt \rangle
```

While loops allow unbounded iteration.

```
\langle \mathit{WhileLoop} \rangle ::= while '(' \langle \mathit{CondExpr} \rangle ')' \langle \mathit{InvariantClause} \rangle^*  \langle \mathit{BlkStmt} \rangle 
\langle \mathit{InvariantClause} \rangle ::= invariant \langle \mathit{Expr} \rangle ';'
```

## A.3. Expression Grammar

Let us turn to **expressions**, which may be quantified (include finite forall quantifiers, which expand to a disjunction and quantify over a finite group).

$$\langle Expr \rangle$$
 ::=  $\langle E1 \rangle$ 

$$\langle E1 \rangle \\ \hspace*{0.2cm} ::= \langle E2 \rangle \\ \hspace*{0.2cm} | \text{ `('forall `('}\langle \mathit{IdTypeList}\rangle \text{ `)''}::'E1')' \\ \hspace*{0.2cm} | \text{ `('exists `('}\langle \mathit{IdTypeList}\rangle \text{ `)''}::'E1')' \\ \hspace*{0.2cm} | \text{ `('finite\_forall `('}\langle \mathit{GroupDecl}\rangle \text{ `)''}::'E1')' \\ \end{aligned}$$

The usual logical and bitwise operators are allowed.

$$\langle E2 \rangle$$
 ::=  $\langle E3 \rangle$  '<==>'  $\langle E2 \rangle \mid \langle E3 \rangle$ 

$$\langle E3 \rangle$$
 ::=  $\langle E4 \rangle$  '==>'  $\langle E3 \rangle \mid \langle E4 \rangle$ 

$$\langle E4 \rangle \qquad ::= \langle E5 \rangle \text{ `&& & `} \langle E4 \rangle \mid \langle E5 \rangle \text{ `| | '} \langle E4 \rangle \mid \\ \mid \langle E5 \rangle \text{ `& `} \langle E4 \rangle \mid \langle E5 \rangle \text{ `| '} \langle E4 \rangle \mid \langle E5 \rangle \text{ `\ ^\choose '} \langle E4 \rangle \\ \mid \langle E5 \rangle$$

As are relational operators, bitvector concatentation (++) and arithmetic.

$$\langle E5 \rangle$$
 ::=  $\langle E6 \rangle \langle RelOp \rangle \langle E6 \rangle \mid \langle E6 \rangle$ 

$$\langle RelOp \rangle$$
 ::= '>' | '<' | '=' | '!=' | '>=' | '<='

$$\langle E6 \rangle$$
 ::=  $\langle E7 \rangle$  '++'  $\langle E6 \rangle$  |  $\langle E7 \rangle$ 

$$\langle E7 \rangle$$
 ::=  $\langle E8 \rangle$  '+'  $\langle E7 \rangle$  |  $\langle E8 \rangle$ 

$$\langle E8 \rangle$$
 ::=  $\langle E8 \rangle$  '-'  $\langle E9 \rangle \mid \langle E9 \rangle$ 

$$\langle E9 \rangle \qquad ::= \langle E9 \rangle \, '\star' \, \langle E10 \rangle \mid \langle E9 \rangle \, '/' \, \langle E10 \rangle \mid \langle E10 \rangle$$

The unary operators are arithmetic negation (unary minus), logical negation and bitwise negation of bitvectors.

$$\langle E10 \rangle$$
 ::=  $\langle UnOp \rangle \langle E11 \rangle \mid \langle E11 \rangle$ 

$$\langle UnOp \rangle$$
 ::= '-' | '!' | '~'

Array select, update and bitvector select operators are defined as follows.

$$\langle E11 \rangle \qquad ::= \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ (','} \langle Expr \rangle) * \text{`]'} \\ | \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ (','} \langle Expr \rangle) * \text{`->'} \langle Expr \rangle \text{']'} \\ | \langle E12 \rangle \text{ `['} \langle Expr \rangle \text{ ':'} \langle Expr \rangle \text{']'} \\ | \langle E12 \rangle \qquad | \langle E12 \rangle \qquad | \langle E12 \rangle$$

Function invocation, record selection, and access to variables in instantiated modules is as follows.

```
\langle E12 \rangle ::= \langle E13 \rangle '(' \langle ExprList \rangle ')' 
 | \langle E13 \rangle ('.' \langle Id \rangle)+
```

And finally, we have the terminal symbols, identifiers, record field access, tuples and the if-then-else operator.

```
 \langle E12 \rangle \qquad ::= \texttt{false} \mid \texttt{true} \mid \langle Number \rangle \mid \langle String \rangle \\ \mid \langle Id \rangle \mid \langle Id \rangle \text{ `.' } \langle Id \rangle \\ \mid \text{`` {' }} \langle Expr \rangle \text{ (',' } \langle Expr \rangle) \text{* '} \text{'} \\ \mid \text{if ` (' } \langle Expr \rangle \text{ ') ' } \text{then } \langle Expr \rangle \text{ else } \langle Expr \rangle
```

Strings can only be used as arguments to the print command in the control block.

## A.4. Types

```
\langle \mathit{Type} \rangle \qquad ::= \langle \mathit{PrimitiveType} \rangle \\ | \langle \mathit{EnumType} \rangle \\ | \langle \mathit{TupleType} \rangle | \langle \mathit{RecordType} \rangle \\ | \langle \mathit{ArrayType} \rangle \\ | \langle \mathit{SynonymType} \rangle \\ | \langle \mathit{ExternalType} \rangle
```

Supported primitive types are Booleans, integers, floats and bit-vectors. Bit-vector types are defined according the regular expression 'bv[0-9]+' and the number following 'bv' is the width of the bit-vector.

```
\langle PrimitiveType \rangle ::= boolean | integer | \langle FloatType \rangle | \langle BitVectorType \rangle
```

Enumerated types are defined using the enum keyword.

```
\langle EnumType \rangle ::= enum '{' \langle IdList \rangle '}'
```

Tuple types are declared using curly brace notation.

```
\langle Tuple Type \rangle ::= `\{` \langle Type \rangle (`, ` \langle Type \rangle)^* `\}`
```

Record types use the keyword record.

```
\langle Record type \rangle ::= record '{' \langle IdTypeList \rangle '}'
```

Array types are defined using square brackets. The list of types within square brackets defined the array's index type.

```
\langle Array Type \rangle ::= '[' \langle Type \rangle (', ' \langle Type \rangle)* ']' \langle Type \rangle
```

Type synonyms are just identifiers, while external types refer to synonym types defined in a different module.

```
\langle SynonymType \rangle ::= \langle Id \rangle
\langle ExternalType \rangle ::= \langle Id \rangle '.' \langle Id \rangle
```

### A.5. Control Block

**The control block** consists of a list of commands. A command can have an optional result object, an optional argument object, an optional list of command parameters and finally an optional list of argument expressions.

The following is a list of currently accepted commands.

```
⟨CmdName⟩

::= 'bmc'
| 'bmc_LTL'
| 'bmc_noLTL'
| 'check'
| 'clear_context'
| 'induction'
| 'print'
| 'print_cex'
| 'print_module'
| 'print_results'
| 'print_smt2' 'unroll'
| 'verify'
```

### A.6. Miscellaneous Nonterminals

 $\langle IdList \rangle$ ,  $\langle IdTypeList \rangle$  and  $\langle ExprList \rangle$  are non-empty, comma-separated list of identifiers, identifier/type tuples and expressions respectively.  $\langle AnnotationList \rangle$  is a non-empty comma-separated list of strings, used as annotations to indicate, for example, whether a procedure should be inline or not.

```
\langle IdList \rangle \qquad ::= \langle Id \rangle \\ | \langle Id \rangle \text{ ', '} \langle IdList \rangle \\
\langle IdTypeList \rangle \qquad ::= \langle Id \rangle \text{ (', '} \langle Id \rangle) * \text{ ': '} \langle Type \rangle \\ | \langle Id \rangle \text{ (', '} \langle Id \rangle) * \text{ ': '} \langle Type \rangle \text{ ', '} \langle IdTypeList \rangle }
\langle ExprList \rangle \qquad ::= \langle Expr \rangle \\ | \langle Expr \rangle \text{ ', '} \langle ExprList \rangle \\
\langle AnnotationList \rangle \qquad ::= \text{ '['} \langle String \rangle \text{ (', '} \langle String \rangle) * ']'}
```