Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant Checking In Proc. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2000). Lecture Notes in Computer Science, Springer. 1 2 Ramesh Bharadwaj and Steve Sims 1 Center for High Assurance ComputerSystems NavalResearch Laboratory Washington, DC20375-5320 [email protected] 2 ReactiveSystems, Inc. www.reactive-systems.com [email protected] Abstract. Salsa is an invariant checker for speci(cid:12)cations in SAL (the SCR Abstract Language). To establish a formula as an invariant with- out any user guidance Salsa carries out an induction proof that uti- lizes tightly integrated decision procedures, currently a combination of BDDalgorithmsandaconstraintsolverforintegerlineararithmetic,for discharging theveri(cid:12)cationconditions. Theuserinterfaceof Salsa isde- signedtomimictheinterfacesofmodelcheckers;i.e.,givenaformulaand asystemdescription,Salsaeitherestablishestheformulaasaninvariant of the system (but returns no proof) or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returnsastatepairasacounterexampleandnotanexecutionsequence. Also, due to the incompleteness of induction, users must validate the counterexamples.TheuseofinductionenablesSalsatocombatthestate explosionproblemthatplaguesmodelcheckers{itcanhandlespeci(cid:12)ca- tionswhosestatespacesaretoolargeformodelcheckerstoanalyze.Also, unlike general purpose theorem provers, Salsa concentrates on a single task andgains e(cid:14)ciency byemployinga set of optimizedheuristics. 1 Introduction Model checking[17] has emerged as an e(cid:11)ective technique for the automated analysis of descriptions of hardware and protocols. To analyze software system descriptions, however, a direct application of model checking to a problem (i.e., withoutapriorreductionofitsstatespacesizebytheapplicationofabstraction) rarely succeeds [9]. For such systems, theorem provinga(cid:11)ords an interesting al- ternative.Conventionaltheoremprovingsystems,however,areoftentoogeneral or too expensive to use in a practical setting because they require considerable usersophistication, humane(cid:11)ort, and system resources.Additionally, the coun- terexample provided by a model checker when a check fails serves practitioners asavaluabledebuggingaid.However,incontrast,conventionaltheoremprovers provide little or no diagnostic information (or worse, may not terminate) when a theorem is not true. 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2000 2. REPORT TYPE 00-00-2000 to 00-00-2000 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant 5b. GRANT NUMBER Checking 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Research Laboratory,Center for High Assurance Computer REPORT NUMBER Systems,4555 Overlook Avenue, SW,Washington,DC,20375 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 16 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 Salsa is an invariant checker for system descriptions written in a language based on the tabular notation of SCR [24] called SAL (the SCR Abstract Language).Given alogicalformulaandasystem descriptionin SAL, Salsauses induction to determine whether the formula is true in all states (or transitions) the system may reach. Unlike concurrent algorithms or protocol descriptions, on which model checkers are very e(cid:11)ective, practical SAL models usually do not containinterleavingconcurrencyand aremoreeasilyamenableto induction proofs. If a proof fails, Salsa provides a counterexample. Unlike model checkers, however,thereturnedcounterexampleisastateorastatepairandnotanexecu- tion sequence. Also, due to the incompleteness of induction, users must validate a returned counterexample. Salsa has the attributes of both a model checker and a theorem prover: It is automatic and provides counterexamples just like a model checker. Like a theorem prover, it uses decision procedures, can handle in(cid:12)nite state systems, and can use auxiliary lemmas to complete an analysis. The design of Salsa was motivated by the need within the SCR Toolset [23] formoreautomationduringconsistency checking[24]andinvariantchecking[9, 22]. Salsa achieves complete automation of proofs by its reliance on decision procedures, i.e., algorithms that establish the logical truth or falsity of formu- lae of decidable sub-theories, such as the fragment of arithmetic involving only integer linearconstraintscalled Presburgerarithmetic. Salsa’s invariant checker consistsofatightlyintegratedsetofdecisionprocedures,eachoptimizedtowork withinaparticulardomain.Currently,Salsaimplements decisionproceduresfor propositional logic, the theory of unordered enumerations, and integer linear arithmetic. Althoughthey arecapableofcheckingmoregeneralproperties(such aslive- ness), in practicemodel checkers are most often used to check invariantproper- ties. The advantage of using Salsa over a standard model checker for this task is that Salsa can handle large (even in(cid:12)nite state) speci(cid:12)cations that current day model checkers cannot analyze. This is due to the use of induction and the symbolic encoding of expressions involving integers as linear constraints. The primary disadvantage of Salsa (and proof by induction in general) is its incom- pleteness { a failed check does not necessarily imply that a formula is not an invariant because the returned state pair may not be reachable. Aftersomeexperimentation,wearrivedatthefollowingpracticalmethodfor checkingstateandtransitioninvariantsusingSalsa(seeFigure1):Initiallyapply Salsa.IfSalsareturnsyesthenthepropertyisaninvariantofthesystem,andwe aredone.IfSalsareturnsno,thenweexaminethecounterexampletodetermine whether the states corresponding to the counterexample are reachable in the system. If so, the property is false and we are done. However, if one concludes afterthisanalysisthatthecounterexamplestatesareunreachable,thenonelooks for stronger invariants to prove the property. Salsa currently includes a facility that allows users to include such auxiliary lemmas during invariant checking. Therearepromisingalgorithmsforautomaticallydeducingsuchinvariants[5,6, 11,26], although Salsa currently does not implement them. 2 Salsa No/Counterexample SAL SpecificationS IsIan invariant of S? Potential InvariantI Yes Is Counterexample Reachable? NewI=I L Produce auxiliaryLemmaL (Manually or with No Yes automatic generator) Fig.1. Process for applying Salsa. Related Work. TheuseofSMV[28]andSPIN[25]onsoftwarespeci(cid:12)cationsfor consistencyandinvariantcheckinghasbeenwelldocumented[2,9,16,22].SCR* [23] is a toolset that includes a consistency checker which uses a method based on semantic tableaux extended to handle simple constraints over the integers andreals.Thistoolhasprovedveryusefulinanumberofpracticalcasestudies; however,thetoolisunabletocompletethechecksoncertainexamplesinvolving numbers.Systemsthatlargelyautomateinductionproofsbyemployingdecision procedures include the Stanford Temporal Prover(STeP) [11]. Other tools that are built upon the interactive theorem prover PVS [30] include TAME (Timed AutomataModelingEnvironment)[3]andthetoolsofGrafetal.[21,32].These tools are implemented as a set of special-purpose PVS strategies. The tool In- VeStincludessophisticatedalgorithmsforinvariantgenerationandheuristicsfor invariantstrengthening[5,6].Also,ifinvariancecannotbeestablishedona(cid:12)nite abstraction,anexecutionsequenceis providedasadiagnostic.Validitycheckers such as Mona [18], Mosel [31], and the Stanford Validity Checker (SVC) [4] are anotherclassofsystems that employdecisionproceduresforprovinglogicalfor- mulae. Although these tools do not directly check invariants, they may be used to discharge the veri(cid:12)cation conditions generated during an induction proof in a tool such as Salsa. The idea of combining decision procedures for program veri(cid:12)cation dates back to the work of Shostak [33] and Nelson and Oppen [29]. The decision pro- ceduresofSalsaforboth propositionallogicandenumerated typesarebased on standard BDD algorithms. The integer constraint solver employs an automata- theoreticalgorithmpresentedin[12],withextensionstohandlenegativenumbers using ideasfrom [34]. Salsa’stechnique of combiningBDD algorithmswith con- straint solvers was largely inspired by the approaches of [14] and [15] where, by incorporating constraint solvers into BDD-based (cid:12)xpoint computation algo- rithms,veri(cid:12)cationofin(cid:12)nitestatesystemsbecomesapossibility.However,since the underlying algorithms of these systems are variants of the model checking algorithmforcomputinga(cid:12)xpoint, wespeculatethatSalsa,duetoitsuseofin- duction,canhandlelargerspeci(cid:12)cationsthanthesesystems.Also,theconstraint solverof[14]isincompleteforintegerlineararithmetic,whereastheoneusedby Salsa is complete. The system of [15], which uses an o(cid:11)-the-shelf backtracking solver that can be very ine(cid:14)cient in practice, can handle a class of non-linear constraints in addition to linear constraints. 3 The rest of this paper is organized as follows. In the following section we introducethe statemachinesthatserveastheunderlyingmodelsforSALspeci- (cid:12)cationsandde(cid:12)ne the invariantcheckingproblem.Section3describes the core algorithms of Salsa, and Section 4 presents the algorithms and heuristics of the unsatis(cid:12)abilitycheckerwhichisusedbySalsatodischargetheveri(cid:12)cationcondi- tions.Section5providessomepreliminaryexperimentalresultsofapplyingSalsa to several practical speci(cid:12)cations of moderate size. Finally, Section 6 discusses ongoing work and future research. 2 Background 2.1 Model for System Behavior The SCRAbstract Language(SAL), aspeci(cid:12)cation languagebasedonthe SCR Formal Model [24], was designed to serve as an abstract interface to analysis tools such as theorem provers, model checkers, and consistency checkers. An example SCR speci(cid:12)cation in SAL is presented in Appendix A. Unlike concur- rentalgorithmsorprotocol descriptions,practicalSAL speci(cid:12)cationsusuallydo not involve interleaving concurrency and are therefore more easily amenable to induction proofs. A SAL speci(cid:12)cation may be translated into a state machine that models a system’s behavior. We now introduce the state machine model for systems and the supporting machinery used in the paper. We de(cid:12)ne formulae in a simple constraint logic (SCL) by the following grammar: (cid:8):=C j Xb j :Xb j (cid:8)_(cid:8) j (cid:8)^(cid:8) (simple formulae) C :=Ci j Ce (constraints) Ce :=Xe =Vale j Xe 6=Vale j Xe =Ye j Xe 6=Ye (enum. constraints) Ci :=SUM(cid:20)Vali j SUM=Vali j SUM6=Vali (integer constraints) SUM:=Vali(cid:2)Xi j SUM+SUM whereXb,Xe/Ye,andXi rangeoverboolean,enumerated,andintegervariables respectively. SimilarlyValb;Vale; and Vali respectively rangeoverconstants of the three types. We let Vars((cid:8)) denote the free variables in (cid:8). Set Vars((cid:8)) is partitioned by the three variable types: Vars((cid:8)) = Varsb((cid:8))[Varse((cid:8))[ Varsi((cid:8)).NotethatSCLformulaewillbeinterpretedinthecontextofeither1) 0 a single state s that maps variable names to values or 2) a pair of states (s;s), 0 where s is a successorof s. We adopt the convention that primed formulaeand 0 variable names (those ending in ) are evaluated in the \new state" whereas unprimed names are evaluated in the \old state." Formulae containing primed variables are called two-state predicates and those without primed variables are called one-state predicates. De(cid:12)nition 1. A state machine (cid:6) is a quadruple hV;S;(cid:18);(cid:26)i where { V isasetofvariablenames.Thissetispartitionedintomonitored variables which denote environmental quantities the system observes;controlled vari- ables which denote quantities in the environment that the system controls; 4 and internal variables which are updated by the system but not visible to the environment. { S is the set of system states such that each state s 2 S maps each x 2V to a value in its set of legal values. We write x(s) to mean the value of variable x in state s, (cid:8)1(s) to mean the value of one-state predicate (cid:8)1 0 evaluated in s, and (cid:8)2(s;s) to mean the value of two-state predicate (cid:8)2 evaluated with values from s replacing unprimed variables and values from 0 s replacing primed variables. { (cid:18) is a one-state SCL predicate de(cid:12)ning the set of initial states. { (cid:26) is a two-state SCL predicate de(cid:12)ning the transitions (execution steps) of 0 0 (cid:6). A state s may evolve to a state s if (cid:26)(s;s) is true. The transition relation (cid:26) additionally includes environmental assumptions as well as assumptions introduced by users. For details, see [10]. 2.2 The Invariant Checking Problem De(cid:12)nition 2. Givenastatemachine(cid:6) =hV;S;(cid:18);(cid:26)i,astates2S isreachable (denotedReachable(cid:6)(s))ifandonlyif(cid:18)(s)or9s2 2S :Reachable(cid:6)(s2)^(cid:26)(s2;s) De(cid:12)nition 3. Givenastatemachine(cid:6) =hV;S;(cid:18);(cid:26)i,aone-stateSCLpredicate (cid:8)1 is a state invariant of (cid:6) if and only if 8s2S :Reachable(cid:6)(s))(cid:8)1(s) A two-state SCL predicate (cid:8)2 is a transition invariant of (cid:6) if and only if 0 0 0 8s;s 2S :(Reachable(cid:6)(s)^(cid:26)(s;s)))(cid:8)2(s;s) The invariant checking problem :Givenastatemachine(cid:6) andaone(two)-state predicate (cid:8), determine whether (cid:8) is a state(transition) invariant. 3 The Invariant Checker Theorem 1. Let(cid:6) =hV;S;(cid:18);(cid:26)i,then(cid:8)1 isastateinvariantof(cid:6) ifthefollow- 0 0 0 ing hold: 1) 8s2S :(cid:18)(s))(cid:8)1(s) and 2) 8s;s 2S :(cid:8)1(s)^(cid:26)(s;s))(cid:8)1(s) Proof: By induction on the number of steps of (cid:6) to reach a state. Theorem 2. Let (cid:6) = hV;S;(cid:18);(cid:26)i, then (cid:8)2 is a transition invariant of (cid:6) if the following holds: 0 0 0 8s;s 2S :(cid:26)(s;s))(cid:8)2(s;s) Proof: Follows directly from De(cid:12)nition 3. 5 3.1 The Invariant Checking Algorithms Using Theorems 1 and 2 we check invariants of (cid:6) =hV;S;(cid:18);(cid:26)i as follows: State Invariants. To determine if (cid:8)1 is a state invariant of (cid:6): 0. if :(cid:8)1 is unsatis(cid:12)able then return yes. 1. if (cid:18) ^ :(cid:8)1 is not unsatis(cid:12)able then return no and the satisfying state as counterexample. 0 2. if (cid:8)1^(cid:26)^:(cid:8)1 is unsatis(cid:12)able then return yes. else return no and the satisfying state pair as counterexample. Transition Invariants. To determine if (cid:8)2 is a transition invariant of (cid:6): 0. if :(cid:8)2 is unsatis(cid:12)able then return yes. 1. if (cid:26)^:(cid:8)2 is unsatis(cid:12)able then return yes. else return no and the satisfying state pair as counterexample. These algorithms are sound but not complete { whenever Salsa returns yes thegivenformulaisaninvariant;however,anoanswerwithacounterexample(a stateorastatepair)doesnotnecessarilymeanthattheformulaisnotaninvari- 1 ant.Consequently,theusermustvalidatethatthecounterexampleisreachable . Eitherthereisaproblemoradditionaltheoremsareusedto\pushthrough"the invariant. Of course, all added theorems should be proved as invariants by the user (either with Salsa or by some other means). 3.2 Optimizations A naive application of the above algorithms to invariant checking will always fail,evenforspeci(cid:12)cationsofamoderatesize.Weperformseveraloptimizations in Salsa to make invariant checking feasible. One important technique used ex- tensively is to cache results as they are computed. In addition to the caching provided by BDD algorithms, we cache the results of calls to the integer con- straint solver, the BDD encodings of components of the transition relation, etc. To partition an unsatis(cid:12)ability check into simpler sub-problems, we use a technique called disjunctive partitioning which corresponds to a case split in a standard proof. This approach takes advantage of the fact that a disjunction is unsatis(cid:12)ableonly ifeachofitsdisjunctsis unsatis(cid:12)able.Thedisjunctive formof the transition relation in SAL speci(cid:12)cations has proven to be an e(cid:11)ective basis for disjunctive partitioning. The application of abstraction [9,22] is also very bene(cid:12)cial. We restrict our- selves to applying abstractions that are both sound and complete, by which we mean the following. Given a property (cid:8) and a state machine (cid:6), an abstraction (cid:6)A isasoundandcompleteabstractionof(cid:6) relativeto(cid:8)when(cid:8)isaninvariant of (cid:6)A if and only if (cid:8) is an invariant of (cid:6). Currently, we apply what is termed \Abstraction Method 1" [8,9] that uses the set of variable names occurring in the predicate (cid:8) and data(cid:13)ow analysis to eliminate unneeded variables. 1 Thesinglestatecounterexamplereturnedbystep1ofthealgorithmforStateInvari- ants(forafailedcheckofunsatis(cid:12)abilityof(cid:18)^:(cid:8)1)isalwaysatruecounterexample. 6 4 The Unsatis(cid:12)ability Checker 4.1 Overview To discharge the veri(cid:12)cation conditions that arise during invariant checking, Salsa uses a routine that decides the unsatis(cid:12)ability of SCL formulae. Both the problem of propositional unsatis(cid:12)ability and the decision problem for integer linear arithmetic are NP-complete [20], and known algorithms for the latter problem have super-exponential worst case behavior [19]. The unsatis(cid:12)ability checkerusesacombinationofbinarydecisiondiagramsandanintegerconstraint solverasadecisionprocedureforSCLformulae.Usingtheformulax(cid:20)4^x=7 as an example we outline the algorithm (for speci(cid:12)cs, see [10]). The initial step transforms a formula into one containing only logical connectives and boolean variables. This is done by assigning a fresh boolean variable to each integer constraint in the original formula. Fresh boolean variables are also introduced toencodeexpressionsinvolvingvariablesofenumeratedtypeintheobviousway [10,28]. For the example, substituting a for x (cid:20) 4 and b for x = 7 yields the formula a^b. Next, a BDD for this formula (which encodes the propositional structure of the original formula) is constructed: a b False True Thenext stepbringsinthe information containedin the integerconstraints. Thisisdonebysearchingforpathsfromtherootto\True",eachpathyieldinga setofintegerconstraints.Fortheexample,theonlypathfromtherootto\True" sets both a and b to true, which yields the set fx (cid:20) 4; x = 7g. The (cid:12)nal step is to determine whether each such set is infeasible (i.e., has no solution) using an integer constraint solver. If a set is feasible, this information is returned to the user as a counterexample.For the example, the (single) set of constraints is infeasibleandtheformulaisunsatis(cid:12)able.Wenowdescribetheintegerconstraint solver in detail. 4.2 The Integer Constraint Solver As an initial step, a set of integer constraints is partitioned into independent subsets. For example, the set of constraints fx<4;x>7;y < 10g may be par- titioned into fx<4;x>7g and fy<10g. De(cid:12)nition 4. Constraintsc1andc2areindependentifVars(c1)\Vars(c2)=;. The partition of a set of constraints CS =fc1;:::;cng into independent subsets (denoted (cid:5)(CS)) is de(cid:12)ned as (cid:5)(CS)=fCS1;:::;CSmg such that: 7 1. (cid:5)(CS) partitions CS. 2. Constraints in di(cid:11)erent partitions are independent. 3. For each partition containing more than one constraint, every constraint in the partition depends on some other constraint in the partition. Tocompute(cid:5)(CS)Salsausesaunion-(cid:12)ndalgorithmthatstartswitheachcon- straint in its own partition and iteratively merges partitions when they contain dependent constraints. After partitioning a set of constraints into independent subsets, an integer constraintsolverdeterminesthefeasibilityofeachindependentsubset.Foraset ofconstraints,wemayconcludethatthewholesetisinfeasibleifanyindependent subset is infeasible. Salsa’s constraint solver is a decision procedure that determines whether a set of integer constraintsis infeasible, i.e., given fc1;c2;:::;cng the solverchecks whetherc1^c2^:::^cnisunsatis(cid:12)able.Notethattheci aretermsfromtheinteger constraint fragment of SCL (de(cid:12)ned in Section 2.1). Among several methods available for solving linear integer constraints, one possible approach is the use of automata theoretic methods. The idea, which dates back to Bu(cid:127)chi in the early sixties [13], is to associate with each constraint an automaton accepting thesolutionsoftheconstraint.Thefeasibilityofasetofconstraintsmaythenbe computedbyconstructingacompositeautomaton(fromtheconstraintautomata foreachci,1(cid:20)i(cid:20)n)usingthestandardconstructionforautomataintersection. Salsa’s solver employs the algorithm of Boudet and Comon [12], extended to handle negative number based on ideas of Wolper [34]. We give an overview of the algorithm, for details see the above references. Let us (cid:12)rst examine how a constraint automaton may encode constraints over the natural numbers, and then extend this idea to automata for inte- ger constraints. Let c be a constraint, let Vars(c) = fx1;x2;:::;xng, and let c[y1=x1;y2=x2;:::;yn=xn] denote the result of substituting yi for each xi in c. We then de(cid:12)ne the constraint automaton for c, denoted CAut(c), such that the n language of CAut(c) is f(y1;:::;yn)2Int j c[y1=x1;:::;yn=xn] is trueg. Each (cid:3) numberyi isencodedinbasetwo,soeachyi isastringinf0;1g .Theconstraint automatonwillrecognizesolutionstoaconstraintbysimultaneouslyreadingone bit for each of its free variables, i.e., the edges of the automaton will be labeled n byelementsoff0;1g . Forexample,the satisfyingassignmentsof\x1+x2 =4" aref(0;4);(1;3);(2;2);(3;1);(4;0)g,soCAut(x1+x2 =4)encodesthisasshown in Figure 2. We now explain how to construct a constraint automaton for a constraint c of the form a1x1 +a2x2 +::: +anxn = b, where a1;a2;::: an, b are integer constantsandx1;x2;::: xnarevariablesoverthenaturalnumbers.Theresulting automaton will be of the form CAut(c)=hS;E;St;Acci where S (cid:18)Integers is n the set of states and E (cid:18) S(cid:2)f0;1g (cid:2)S is the set of edges, St (cid:18) S is the set of start states, and Acc (cid:18) S is the set of accepting states. During construction we let Snew represent the set of states still to be processed. The construction proceeds backwardsfrom the accepting state as follows. 8 (x1;x2)Acceptedstring 0 1 (0,4) 000 0 1 1 1 100 0 01 1 (1,3) 11 0 0 10 0 0 4 (2,2) 10 0 11 1 (3,1) 0 01 1 2 100 (4,0) 000 Fig.2.The constraint automatonencoding x1+x2=4. 1. InitializebothSnewandAcctocontainonlyb(therighthandsideoftheconstraint) andinitialize S=E =St=;. 2. Removea state s fromSnew for processing. (a) Add sto S. If s=0 thenalso adds to St. n (b) For each (cid:12)2f0;1g where (cid:12)=hb1;b2;:::;bni let (cid:14)=s(cid:0)(a1b1+a2b2+::: +anbn)in if (cid:14) is eventhen (cid:12) (cid:15) addedge ((cid:14)div2)(cid:0)!sto E (cid:15) if ((cid:14)div2)2= (S[Snew)thenadd((cid:14)div2) to Snew 3. if Snew =; thenreturn hS;E;St;Acci else goto 2. Some simple modi(cid:12)cations to the above algorithm extend it to handle nega- tivenumbers. Forintegerconstraintc, the statesof CAut(c) rangeoverintegers and we add a special state I that will encode the start state, thus S (cid:18)Int[I. Insteadofthestandardbinaryencodingemployedfornaturalnumbersthetwo’s complement representation is used for integers. The above algorithm must also bemodi(cid:12)edtohandlethesignbitofthetwo’scomplementnotationviaaspecial encodingforthestartstate(I) andextraedgesfromI.Wedothisbyremoving \if s = 0 then also add s to St" from 2(a) and adding the following to 2(b) above. if s=((cid:0)a1b1(cid:0)a2b2(cid:0)::: (cid:0)anbn) (cid:12) thenaddI to S andSt andaddedge I (cid:0)!sto E. The basic algorithm may also be changed to build constraint automata for constraints involving \6=" and \(cid:20)". For \6=" the construction is exactly the same except that Acc = S (cid:0)b, i.e., the accepting state becomes non-accepting and all others become accepting. For details of the slightly more complicated modi(cid:12)cations for \(cid:20)" see [10]. The constraint automaton for a set of constraints CS = fc1;c2;:::;cng, de- n noted CAut(CS), is de(cid:12)ned as CAut(CS) = Ti=1CAut(ci). The automaton CAut(CS) is constructed on the (cid:13)y, thereby avoiding the need to build each CAut(ci). Let Si denote the states of CAut(ci), then the states of CAut(CS) are SCS (cid:18) S1 (cid:2)S2 (cid:2):::(cid:2)Sn. An unsatis(cid:12)ability check of CS then proceeds backwards from the accepting state and terminates with false when the initial stateisreachedorterminateswithtrueiftheautomatonconstructioncompletes without reaching the start state. 9