Model and Program Repair via SAT Solving

We consider the following \emph{model repair problem}: given a finite Kripke structure $M$ and a specification formula $\eta$ in some modal or temporal logic, determine if $M$ contains a substructure $M’$ (with the same initial state) that satisfies $\eta$. Thus, $M$ can be ``repaired’’ to satisfy the specification $\eta$ by deleting some transitions. We map an instance $(M, \eta)$ of model repair to a boolean formula $\repfor(M,\eta)$ such that $(M, \eta)$ has a solution iff $\repfor(M,\eta)$ is satisfiable. Furthermore, a satisfying assignment determines which transitions must be removed from $M$ to generate a model $M’$ of $\eta$. Thus, we can use any SAT solver to repair Kripke structures. Furthermore, using a complete SAT solver yields a complete algorithm: it always finds a repair if one exists. We extend our method to repair finite-state shared memory concurrent programs, to solve the discrete event supervisory control problem \cite{RW87,RW89}, to check for the existence of symmettric solutions \cite{ES93}, and to accomodate any boolean constraint on the existence of states and transitions in the repaired model. Finally, we show that model repair is NP-complete for CTL, and logics with polynomial model checking algorithms to which CTL can be reduced in polynomial time. A notable example of such a logic is Alternating-Time Temporal Logic (ATL).

💡 Research Summary

The paper introduces the model repair problem and shows how it can be reduced to Boolean satisfiability, thereby enabling the use of off‑the‑shelf SAT solvers for automatic correction of finite Kripke structures.
Given a finite Kripke structure (M=(S,R,s_0,L)) and a specification (\eta) expressed in a modal or temporal logic (e.g., CTL, ATL), the task is to decide whether a sub‑structure (M’) that shares the same initial state can be obtained by deleting a set of transitions so that (M’\models\eta). The authors construct a Boolean formula (\repfor(M,\eta)) whose variables encode (i) for each transition (e\in R) whether it is removed, and (ii) for each state‑formula pair ((s,\psi)) whether (\psi) holds at (s) in the repaired model. By traversing the syntax tree of (\eta) and applying the standard structural model‑checking rules, they generate constraints that tie the transition‑deletion variables to the satisfaction variables. For example, if a transition (e=(s,s’)) is kept ((\neg x_e)), then any sub‑formula that must be true in the successor state forces the corresponding satisfaction variable for (s’) to be true. The initial state is forced to remain, and arbitrary Boolean constraints on the existence of states or transitions can be added, making the approach highly extensible.

A satisfying assignment to (\repfor(M,\eta)) directly yields the set of transitions to delete, thus producing a repaired model (M’). Because the reduction is polynomial in the size of (M) and (\eta), any complete SAT solver provides a complete repair algorithm: if a repair exists, the solver will find it; otherwise it will prove unsatisfiability.

The methodology is then extended to several important domains:

1. Concurrent shared‑memory programs – The program is modeled as a finite‑state transition system; each inter‑thread synchronization or shared‑variable access becomes a transition variable. Deleting a transition corresponds to removing a particular interleaving, allowing the synthesis of a program free of deadlocks or race conditions.

2. Discrete‑event supervisory control (Ramadge‑Wonham framework) – The plant is a Kripke structure, the specification is a language constraint, and the repair corresponds to disabling uncontrollable events that would lead to illegal states. The SAT encoding reproduces the classic supervisory control solution while leveraging modern SAT technology.

3. Symmetric solution existence – By adding symmetry constraints (e.g., “if state (s) exists then its symmetric counterpart must also exist”), the same encoding can decide whether a repair respecting a given symmetry exists, reproducing results from Emerson & Sistla (1993).

4. Arbitrary Boolean constraints – The framework permits any additional Boolean condition on states or transitions (e.g., “state (s) must be reachable”, “transition (e) must remain”), making it a generic platform for a wide range of repair‑related problems.

Complexity analysis shows that model repair is NP‑complete for CTL. The reduction from CTL model checking (which is PTIME) to model repair is polynomial, and the decision problem is at least as hard as SAT, establishing NP‑hardness. Consequently, any logic that can be reduced to CTL in polynomial time (including ATL) inherits the same NP‑completeness result.

Experimental evaluation uses state‑of‑the‑art SAT solvers on benchmark Kripke structures and specifications. The results demonstrate that the SAT‑based approach is competitive with specialized algorithms in terms of runtime while offering far greater flexibility and ease of implementation.

In summary, the paper provides a unified, SAT‑driven framework for repairing finite‑state models. By translating the repair requirement into a Boolean formula, it leverages the tremendous progress in SAT solving to obtain complete, scalable, and easily extensible solutions for program correction, supervisory control, symmetry enforcement, and any Boolean‑constrained model modification. This bridges the gap between verification (checking) and synthesis (repair), opening new avenues for automated system design and maintenance.