Handling loops in bounded model checking of C programs via k-induction

  • Mikhail Y. R. Gadelha
  • Hussama I. Ismail
  • Lucas C. Cordeiro
Regular Paper

Abstract

The first attempts to apply the k-induction method to software verification are recent. In this paper, we present a novel proof-by-induction algorithm, which is built on top of a symbolic context-bounded model checker and uses an iterative deepening approach to verify, for each step k up to a given maximum, whether a given safety property \(\phi\) holds in the program. The proposed k-induction algorithm consists of three cases, called base case, forward condition, and inductive step. Intuitively, in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether the loops have been fully unrolled and that \(\phi\) holds in all states reachable within k unwindings; and in the inductive step, we check that whenever \(\phi\) holds for k unwindings, it also holds after the next unwinding of the system. The algorithm was implemented in two different ways, a sequential and a parallel one, and the results were compared. Experimental results show that both forms of the algorithm can handle a wide variety of safety properties extracted from standard benchmarks, ranging from reachability to time constraints, and that the parallel algorithm solves more verification tasks in less time. This paper marks the first application of the k-induction algorithm to a broader range of C programs; in particular, we show that our k-induction method outperforms CPAChecker, a state-of-the-art k-induction-based verification tool for C programs, in terms of correct results.
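
The three checks named in the abstract, as an added example that is not code from the paper or from any of the tools it compares. The paper runs these checks as SMT queries over the unwound C program; this example instead runs them by brute force over a small finite transition system (a constructed model of the loop `int x = 0; while (x < 10) x += 2;`, with the value of x as the state and a finite domain assumed for enumeration), so it executes offline with no solver. The function names, the domain bound and the three sample properties are choices made for illustration. The three properties are chosen so that each of the three cases decides one of them: an inductive property is proved by the inductive step at k = 1, a property that is true but not inductive is proved by the forward condition once the loop is fully unrolled, and a false property is refuted by the base case with a concrete trace.

```python
"""k-induction on an explicit-state transition system.

Added example, not code from the paper or from ESBMC/CPAChecker: it mirrors
the three checks the abstract describes (base case, forward condition,
inductive step) on a small finite model explored by brute force instead of
an SMT encoding, so it runs offline with no solver.
"""
from typing import Callable, Iterable, List, Optional, Sequence

State = int
Path = List[State]
Succ = Callable[[State], Iterable[State]]
Prop = Callable[[State], bool]


def _extend(paths: List[Path], succ: Succ) -> List[Path]:
    """Append one more transition to every path (all successors, so branching is handled)."""
    return [p + [s] for p in paths for s in succ(p[-1])]


def base_case(init: Sequence[State], succ: Succ, phi: Prop, k: int) -> Optional[Path]:
    """Bounded search for a counterexample: a path of at most k transitions from an
    initial state that ends in a state violating phi. None means no violation within k."""
    paths = [[s] for s in init]
    for depth in range(k + 1):
        for p in paths:
            if not phi(p[-1]):
                return p
        if depth < k:
            paths = _extend(paths, succ)
    return None


def forward_condition(init: Sequence[State], succ: Succ, k: int) -> bool:
    """True when no execution takes more than k transitions, i.e. every loop is fully
    unrolled after k unwindings. Together with a passing base case this proves phi
    over all reachable states, because there are no further states to reach."""
    level = set(init)
    for _ in range(k + 1):
        level = {s for t in level for s in succ(t)}
    return not level


def inductive_step(states: Sequence[State], succ: Succ, phi: Prop, k: int) -> Optional[Path]:
    """Try to refute k-induction: find a path s0..sk starting from ANY state of the
    domain (reachable or not) with phi holding on s0..s(k-1) but failing on sk.
    None means phi is k-inductive and therefore holds on every reachable state."""
    paths = [[s] for s in states if phi(s)]
    for _ in range(k - 1):
        paths = [p for p in _extend(paths, succ) if phi(p[-1])]
    for p in _extend(paths, succ):
        if not phi(p[-1]):
            return p
    return None


def k_induction(init, states, succ, phi, k_max):
    """Iterative deepening over k: the three checks run in the order the abstract gives."""
    for k in range(1, k_max + 1):
        cex = base_case(init, succ, phi, k)
        if cex is not None:
            return ("unsafe", k, cex)
        if forward_condition(init, succ, k):
            return ("safe", "forward condition", k)
        if inductive_step(states, succ, phi, k) is None:
            return ("safe", "inductive step", k)
    return ("unknown", k_max, None)


# Constructed model of the loop   int x = 0; while (x < 10) x += 2;
# State = value of x; once the guard fails the program has no successor state.
INIT = [0]
DOMAIN = list(range(0, 32))          # finite domain assumed for brute-force enumeration


def succ(x: State) -> List[State]:
    return [x + 2] if x < 10 else []


def run_examples():
    return {
        # x stays even: 1-inductive, proved by the inductive step at k=1
        "parity": k_induction(INIT, DOMAIN, succ, lambda x: x % 2 == 0, 10),
        # x <= 10 is not inductive (9 -> 11 is a legal step from an unreachable state),
        # but the loop terminates, so the forward condition proves it once fully unrolled
        "bound": k_induction(INIT, DOMAIN, succ, lambda x: x <= 10, 10),
        # x != 6 is false: the base case returns the counterexample trace 0,2,4,6
        "hits_six": k_induction(INIT, DOMAIN, succ, lambda x: x != 6, 10),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```

The order of the checks matters: the base case runs first so that a real bug is always reported as a trace rather than masked by a proof attempt, and the inductive step starts from arbitrary states of the domain, which is why a property that is true on every reachable state (x <= 10 above) can still fail it until the forward condition closes the loop instead. Real bounded model checkers replace the finite domain and the brute-force path enumeration with an SMT encoding of the unwound program, but the three verdicts have the same meaning.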

Keywords

Software engineering, Formal methods, Verification, Model checking, k-induction


Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Mikhail Y. R. Gadelha (1)
  • Hussama I. Ismail (1)
  • Lucas C. Cordeiro (1)
  1. Electronic and Information Research Center, Federal University of Amazonas, Manaus, Brazil