Playing wiht Program Verification with EFMC
This tutorial provides a step-by-step guide to program verification using EFMC.
1. Setup and Installation
First, ensure you have EFMC installed:
# Create and activate a virtual environment (recommended)
python -m venv venv
source venv/bin/activate # On Unix/macOS
# or
.\venv\Scripts\activate # On Windows
# Install EFMC
pip install -e .
2. Understanding Input Formats
EFMC supports two main input formats:
CHC (Constrained Horn Clauses)
SyGuS (Syntax-Guided Synthesis)
Example CHC File
Here’s a simple example (fib04_32u.smt2):
(set-logic HORN)
(declare-fun inv ((_ BitVec 32) (_ BitVec 32) ) Bool)
(assert (forall ((x (_ BitVec 32)) (y (_ BitVec 32)))
(=> ( = x ( bvadd (_ bv1 32) ( bvnot (_ bv50 32) ) ) ) (inv x y))))
(assert (forall ((x (_ BitVec 32)) (y (_ BitVec 32)) (x! (_ BitVec 32)) (y! (_ BitVec 32)))
(=> (and (inv x y) ( or ( and ( bvult x (_ bv0 32) ) ( = x! ( bvadd x y ) ) ( = y! ( bvadd y (_ bv1 32) ) ) ) ( and ( bvuge x (_ bv0 32) ) ( = x! x ) ( = y! y ) ) )) (inv x! y!))))
(assert (forall ((x (_ BitVec 32)) (y (_ BitVec 32)))
(=> (inv x y) ( => ( not ( bvult x (_ bv0 32) ) ) ( bvuge y (_ bv0 32) ) ))))
(check-sat)
This example represents:
Program with two variables:
xandyInitial condition:
x = -50Property to verify: When
x ≥ 0, theny ≥ 0
3. Basic Verification
Running Verification
You can verify programs using different engines:
Template-based Verification:
efmc --engine ef --template bv_interval --lang chc --file your_file.smt2
PDR (Property-Directed Reachability):
efmc --engine pdr --lang chc --file your_file.smt2
K-Induction:
efmc --engine kind --lang chc --file your_file.smt2
LLM4Inv (LLM-guided Invariant Synthesis):
efmc --engine llm4inv --lang chc --file your_file.smt2
Understanding Results
The verifier outputs one of these results:
safe: Property is verified (program is safe)unsafe: A bug is foundunknown: Verifier cannot determine the result
4. Advanced Verification Techniques
K-Induction
K-induction extends basic inductive verification by considering k consecutive states:
efmc --engine kind --k 3 --lang chc --file your_file.smt2
Template-Based Verification
Supports different templates:
Integer/Real Templates:
- interval, power_interval: Interval constraints
- zone, power_zone: Zone constraints
- octagon, power_octagon: Octagonal constraints
- affine, power_affine: Affine constraints
- poly, power_poly: Polyhedral constraints
Bitvector Templates:
- bv_interval, power_bv_interval: Bit-vector intervals
- bv_zone, power_bv_zone: Bit-vector zones
- bv_octagon, power_bv_octagon: Bit-vector octagons
- bv_poly, power_bv_poly: Bit-vector polyhedra
- knownbits: Known bits analysis
- bitpredabs: Bit-level predicate abstraction
- bv_pattern, power_bv_pattern: Pattern-based templates
- bv_xor_parity, power_bv_xor_parity: XOR parity templates
- bv_rotation, power_bv_rotation: Rotation templates
Floating-Point Templates:
- fp_interval: Floating-point intervals
- fp_poly: Floating-point polyhedra
Example:
efmc --engine ef --template bv_poly --lang chc --file your_file.smt2
Property-Directed Reachability (PDR)
Uses Z3’s Spacer engine for incremental invariant building:
efmc --engine pdr --lang chc --file your_file.smt2
5. Best Practices
Input Format Guidelines
Use clear variable naming
Specify precise pre and post-conditions
6. Example Workflow
Try different engines:
# Try PDR efmc –engine pdr –lang chc –file your_file.smt2
# Try k-induction efmc –engine kind –kind-k 30 –lang chc –file your_file.smt2
# Try template-based approach efmc –engine ef –template bv_interval –lang chc –file your_file.smt2
# Try LLM4Inv with remote model efmc –engine llm4inv –llm4inv-provider remote –llm4inv-remote-model deepseek-v3 –lang chc –file your_file.smt2
# Try LLM4Inv with local model efmc –engine llm4inv –llm4inv-provider local –llm4inv-local-model qwen/qwen3-coder-30b –lang chc –file your_file.smt2
7. References
Clarke, E. M., Grumberg, O., & Peled, D. A. (1999). Model checking. MIT press.
Bradley, A. R., & Manna, Z. (2007). The Calculus of Computation: Decision Procedures with Applications to Verification.
Sheeran, M., Singh, S., & Stålmarck, G. (2000). Checking safety properties using induction and a SAT-solver.