BDD-based software verification

Applications to event-condition-action systems
  • Dirk Beyer
  • Andreas Stahlbauer


In software model checking, most successful symbolic approaches use predicates as representation of the state space, and SMT solvers for computations on the state space; BDDs are often used as auxiliary data structure. Although BDDs are applied with great success in hardware verification, BDD representations of software state spaces were not yet thoroughly investigated, mainly because not all operations that are needed in software verification are efficiently supported by BDDs. We evaluate the use of a pure BDD representation of integer values, and focus on a particular class of programs: event-condition-action (ECA) programs with limited operations. A symbolic representation using BDDs seems appropriate for ECA programs under certain conditions. We configure a program analysis based on BDDs and experimentally compare it to four approaches to verify reachability properties of ECA programs: an explicit-value analysis, a symbolic bounded-loops analysis, a predicate-abstraction analysis, and a predicate-impact analysis. The results show that BDDs are efficient for a restricted class of programs, which yields the insight that BDDs could be used selectively for variables that are restricted to certain program operations (according to the variable’s domain type), even in general software model checking. We show that even a naive portfolio approach, in which after a pre-analysis either a BDD-based analysis or a predicate-impact analysis is performed, outperforms all above-mentioned analyses.


Binary decision diagram BDD Symbolic model checking Software model checking Program analysis Event-condition-action system RERS challenge Configurable software verification CPA 


  1. 1.
    Anderson, R.J., Beame, P., Burns, S., Chan, W., Modugno, F., Notkin, D., Reese, J.D.: Model checking large software specifications. In: Proc. FSE, pp. 156–166. ACM (1996)Google Scholar
  2. 2.
    Apel, S., Beyer, D., Friedberger, K., Raimondi, F., Rhein, A.V.: Domain types: Abstract-domain selection based on variable usage. In: Proc. HVC, LNCS 8244, pp. 262–278. Springer, Berlin (2013)Google Scholar
  3. 3.
    Ball, T., Podelski, A., Rajamani, S.K.: Boolean and cartesian abstractions for model checking C programs. In: Proc. TACAS, LNCS 2031, pp. 268–283. Springer, Berlin (2001)Google Scholar
  4. 4.
    Berndl, M., Lhoták, O., Qian, F., Hendren, L., Umanee, N.: Points-to analysis using BDDs. In: Proc. PLDI, pp. 103–114. ACM (2003)Google Scholar
  5. 5.
    Beyer, D.: Improvements in BDD-based reachability analysis of timed automata. In: Proc. FME, LNCS 2021, pp. 318–343. Springer, Berlin (2001)Google Scholar
  6. 6.
    Beyer, D.: Relational programming with CrocoPat. In: Proc. ICSE, pp. 807–810. ACM (2006)Google Scholar
  7. 7.
    Beyer, D.: Second competition on software verification. In: Proc. TACAS, LNCS 7795, pp. 594–609. Springer, Berlin (2013)Google Scholar
  8. 8.
    Beyer, D.: Status report on software verification. In: Proc. TACAS, LNCS 8413, pp. 373–388. Springer, Berlin (2014)Google Scholar
  9. 9.
    Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M.E., Sebastiani, R.: Software model checking via large-block encoding. In: Proc. FMCAD, pp. 25–32. IEEE (2009)Google Scholar
  10. 10.
    Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker Blast. Int. J. Softw. Tools Technol. Transfer 9(5–6), 505–525 (2007)CrossRefGoogle Scholar
  11. 11.
    Beyer, D., Henzinger, T. A., Théoduloz, G.: Configurable software verification: Concretizing the convergence of model checking and program analysis. In: Proc. CAV, LNCS 4590, pp. 504–518. Springer, Berlin (2007)Google Scholar
  12. 12.
    Beyer, D., Henzinger, T. A., Théoduloz, G.: Program analysis with dynamic precision adjustment. In: Proc. ASE, pp. 29–38. IEEE (2008)Google Scholar
  13. 13.
    Beyer, D., Keremoglu, M. E.: CPAchecker: A tool for configurable software verification. In: Proc. CAV, LNCS 6806, pp. 184–190. Springer, Berlin (2011)Google Scholar
  14. 14.
    Beyer, D., Keremoglu, M.E., Wendler, P.: Predicate abstraction with adjustable-block encoding. In: Proc. FMCAD, pp. 189–197. FMCAD (2010)Google Scholar
  15. 15.
    Beyer, D., Lewerentz, C., Noack, A.: Rabbit: A tool for BDD-based verification of real-time systems. In: Proc. CAV, LNCS 2725, pp. 122–125. Springer, Berlin (2003)Google Scholar
  16. 16.
    Beyer, D., Löwe, S.: Explicit-state software model checking based on CEGAR and interpolation. In: Proc. FASE, LNCS 7793, pp. 146–162. Springer, Berlin (2013)Google Scholar
  17. 17.
    Beyer, D., Noack, A.: Can decision diagrams overcome state space explosion in real-time verification? In: Proc. FORTE, LNCS 2767, pp. 193–208. Springer, Berlin (2003)Google Scholar
  18. 18.
    Beyer, D., Stahlbauer, A.: BDD-based software model checking with CPAchecker. In: Proc. MEMICS, LNCS 7721, pp. 1–11. Springer, Berlin (2013)Google Scholar
  19. 19.
    Beyer, D., Wendler, P.: Algorithms for software model checking: Predicate abstraction vs. Impact. In: Proc. FMCAD, pp. 106–113. FMCAD (2012)Google Scholar
  20. 20.
    Biere, A., Cimatti, A., Clarke, E.M., Zhu, Y.: Symbolic model checking without BDDs. In: Proc. TACAS, LNCS 1579, pp. 193–207. Springer, Berlin (1999)Google Scholar
  21. 21.
    Blom, S., van de Pol, J., Weber, M.: LTSmin: Distributed and symbolic reachability. In: Proc. CAV, LNCS 6174, pp. 354–359. Springer, Berlin (2010)Google Scholar
  22. 22.
    Bollig, B., Wegener, I.: Improving the variable ordering of OBDDs is NP-complete. IEEE Trans. Comput. 45(9), 993–1002 (1996)CrossRefzbMATHGoogle Scholar
  23. 23.
    Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine. S.: Kronos: A model-checking tool for real-time systems. In: Proc. CAV, LNCS 1427, pp. 546–550. Springer, Berlin (1998)Google Scholar
  24. 24.
    Bryant, R.E.: Graph-based algorithms for boolean function manipulation. IEEE Trans. Comput. C-35(8):677–691 (1986)Google Scholar
  25. 25.
    Bryant, R.E.: On the complexity of VLSI implementations and graph representations of boolean functions with application to integer multiplication. IEEE Trans. Comput. 40(2), 205–213 (1991)CrossRefzbMATHMathSciNetGoogle Scholar
  26. 26.
    Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L.: Sequential circuit verification using symbolic model checking. In: Proc. DAC, pp. 46–51. ACM (1990)Google Scholar
  27. 27.
    Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: \(10^{20}\) states and beyond. In: Proc. LICS, pp. 428–439. IEEE (1990)Google Scholar
  28. 28.
    Campos, S.V.A., Clarke, E.M.: The Verus language: representing time efficiently with BDDs. In: Proc. ARTS, LNCS 1231, pp. 64–78. Springer, Berlin (1997) Google Scholar
  29. 29.
    Cimatti, A., Clarke, E.M., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: An open-source tool for symbolic model checking. In: Proc. CAV, LNCS 2404, pp. 359–364. Springer, Berlin (2002)Google Scholar
  30. 30.
    Cimatti, A., Clarke, E.M., Giunchiglia, F., Roveri, M.: NuSMV: a new symbolic model verifier. In: Proc. CAV, LNCS 1633, pp. 495–499. Springer, Berlin (1999)Google Scholar
  31. 31.
    Cimatti, A., Griggio, A., Micheli, A., Narasamdya, I., Roveri, M.: Kratos: A software model checker for SystemC. In: Proc. CAV, LNCS 6806, pp. 310–316. Springer, Berlin (2011)Google Scholar
  32. 32.
    Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Proc. TACAS, LNCS 7795, pp. 93–107. Springer, Berlin (2013)Google Scholar
  33. 33.
    Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50(5), 752–794 (2003)CrossRefMathSciNetGoogle Scholar
  34. 34.
    Craig, W.: Linear reasoning. A new form of the Herbrand–Gentzen theorem. J. Symb. Log. 22(3), 250–268 (1957)CrossRefzbMATHMathSciNetGoogle Scholar
  35. 35.
    Esparza, J.: Building a software model checker. In: Proc. Formal logical methods for system security and correctness, pp. 53–87. IOS Press (2008)Google Scholar
  36. 36.
    Esparza, J., Kiefer, S., Schwoon, S.: Abstraction refinement with Craig interpolation and symbolic pushdown systems. In: Proc. TACAS, LNCS 3920, pp. 489–503. Springer, Berlin (2006)Google Scholar
  37. 37.
    Henzinger, T. A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In: Proc. POPL, pp. 232–244. ACM (2004)Google Scholar
  38. 38.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Proc. POPL, pp. 58–70. ACM (2002)Google Scholar
  39. 39.
    Howar, F., Isberner, M., Merten, M., Steffen, B., Beyer, D.: The RERS grey-box challenge 2012: Analysis of event–condition–action systems. In: Proc. ISoLA, LNCS 7609, pp. 608–614. Springer, Berlin (2012)Google Scholar
  40. 40.
    Howar, F., Isberner, M., Merten, M., Steffen, B., Beyer, D., Păsăreanu, C.S.: Rigorous examination of reactive systems. The RERS challenges 2012 and 2013. Int. J. Softw. Tools Technol. Transfer. doi: 10.1007/s10009-014-0337-y (2014)
  41. 41.
    Ivanc̆ić, F., Shlyakhter, I., Gupta, A., Ganai, M.K., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: Proc. ICCD, pp. 297–308. IEEE (2005)Google Scholar
  42. 42.
    Lerda, F., Sinha, N., Theobald, M.: Symbolic model checking of software. Electr. Notes Theor. Comput. Sci. 89(3), 480–498 (2003)CrossRefGoogle Scholar
  43. 43.
    McMillan, K.L.: The SMV system. Technical Report CMU-CS-92-131. Carnegie Mellon University (1992)Google Scholar
  44. 44.
    McMillan, K.L.: Lazy abstraction with interpolants. In: Proc. CAV, LNCS 4144, pp. 123–136. Springer, Berlin (2006)Google Scholar
  45. 45.
    Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: Cil: Intermediate language and tools for analysis and transformation of C programs. In: Proc. CC, LNCS 2304, pp. 213–228. Springer, Berlin (2002)Google Scholar
  46. 46.
    Steffen, B., Isberner, M., Naujokat, S., Margaria, T., Geske, M.: Property-driven benchmark generation. In: Proc. SPIN, LNCS 7976, pp. 341–357. Springer, Berlin (2013)Google Scholar
  47. 47.
    Steffen, B., Isberner, M., Naujokat, S., Margaria, T., Geske, M.: Property-driven benchmark generation: Synthesizing programs of realistic structure. Int. J. Softw. Tools Technol. Transfer. doi: 10.1007/s10009-014-0336-z (2014)
  48. 48.
    von Rhein, A., Apel, S., Raimondi, F.: Introducing binary decision diagrams in the explicit-state verification of Java code. In: Proceedings of Java Pathfinder Workshop (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Dirk Beyer
    • 1
  • Andreas Stahlbauer
    • 1
  1. 1.University of PassauPassauGermany

Personalised recommendations