Bounded model checking of software using SMT solvers instead of SAT solvers

  • Alessandro Armando
  • Jacopo Mantovani (corresponding author)
  • Lorenzo Platania
SPECIAL SECTION ON SPIN

Abstract

C bounded model checking (cbmc) has proved to be a successful approach to automatic software analysis. The key idea is to (i) build a propositional formula whose models correspond to program traces (of bounded length) that violate some given property and (ii) use state-of-the-art SAT solvers to check the resulting formulae for satisfiability. In this paper, we propose a generalisation of the cbmc approach on the basis of an encoding into richer (but still decidable) theories than propositional logic. We show that our approach may lead to considerably more compact formulae than those obtained with cbmc. We have built a prototype implementation of our technique that uses a satisfiability modulo theories (SMT) solver to solve the resulting formulae. Computer experiments indicate that our approach compares favourably with—and on some significant problems outperforms—cbmc.
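Step (i) of the abstract, worked through on a small loop as an added example (not the paper's prototype): a tiny while-program is unrolled to a bound k, renamed into SSA form, and emitted as an SMT-LIB formula over linear integer arithmetic instead of a bit-blasted propositional formula, so the arithmetic stays as single atoms rather than adder circuits. The tuple program syntax, the `BmcEncoder` class and the sample program are assumptions of this example.

```python
import re

class BmcEncoder:
    """cbmc-style bounded-trace encoding emitted over QF_LIA instead of propositional
    logic. Example code added here, not the paper's prototype; the tuple syntax is invented."""
    def __init__(self, variables, bound):
        self.ver = {v: 0 for v in variables}  # current SSA version of each variable
        self.decls = [f"{v}_0" for v in variables]
        self.bound = bound                    # loop unwinding bound k
        self.constraints, self.props = [], []
    def rename(self, expr):  # SSA renaming: each program variable -> its current version
        return re.sub(r"\b([A-Za-z_]\w*)\b",
                      lambda m: f"{m[1]}_{self.ver[m[1]]}" if m[1] in self.ver else m[1], expr)
    def encode(self, stmts, guard="true"):
        for stmt in stmts:
            if stmt[0] == "assign":
                _, var, expr = stmt
                rhs, old = self.rename(expr), f"{var}_{self.ver[var]}"
                self.ver[var] += 1
                new = f"{var}_{self.ver[var]}"
                self.decls.append(new)
                # under a path guard the new version merges with the old one (phi node as ite)
                self.constraints.append(f"(= {new} {rhs})" if guard == "true"
                                        else f"(= {new} (ite {guard} {rhs} {old}))")
            elif stmt[0] == "assert":
                self.props.append(f"(=> {guard} {self.rename(stmt[1])})")
            elif stmt[0] == "while":
                _, cond, body = stmt
                g = guard
                for _ in range(self.bound):  # unroll the loop k times under nested guards
                    g = f"(and {g} {self.rename(cond)})"
                    self.encode(body, g)
                # unwinding assumption: keep only traces that leave the loop within k iterations
                self.constraints.append(f"(=> {g} (not {self.rename(cond)}))")
    def smtlib(self):
        out = ["(set-logic QF_LIA)"] + [f"(declare-const {d} Int)" for d in self.decls]
        out += [f"(assert {c})" for c in self.constraints]
        # a model of this formula is a bounded trace violating at least one assertion
        out.append(f"(assert (not (and true {' '.join(self.props)})))")
        return "\n".join(out + ["(check-sat)", "(get-model)"])

# constructed sample program: s = 0 + 1 + ... + (n-1) for an unconstrained input n, then claim s < 3
PROGRAM = [("assign", "i", "0"), ("assign", "s", "0"),
           ("while", "(< i n)", [("assign", "s", "(+ s i)"), ("assign", "i", "(+ i 1)")]),
           ("assert", "(< s 3)")]

def encode_program(bound=3):
    enc = BmcEncoder(["i", "s", "n"], bound)
    enc.encode(PROGRAM)
    return enc  # enc.smtlib() is the formula; n = 3 is a violating trace within the bound
```

Pipe `encode_program().smtlib()` into any SMT-LIB 2 solver: the result is sat, and the model's value for `n_0` is the input that drives the loop to three iterations and breaks the assertion.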

Keywords

Model Check, Constraint Satisfaction Problem, Execution Path, Gray Code, Propositional Formula



Copyright information

© Springer-Verlag 2008

Authors and Affiliations

  • Alessandro Armando (1)
  • Jacopo Mantovani (1, corresponding author)
  • Lorenzo Platania (1)
  1. Artificial Intelligence Laboratory, DIST, Università degli Studi di Genova, Genoa, Italy
