IC3 software model checking

  • Tim Lange
  • Martin R. Neuhäußer
  • Thomas Noll
  • Joost-Pieter Katoen
SPIN 2018


In recent years, the inductive, incremental verification algorithm IC3 has had a major impact on hardware model checking. Also for software model checking, a number of adaptations of Boolean IC3 and combinations with CEGAR and ART-based techniques have been developed. However, most of them exploit the peculiarities of software programs, such as the explicit representation of control flow, only to a limited extent. In this paper, we present an approach that supports this explicit representation in the form of control-flow automata, and integrates it with symbolic reasoning about the data state space of the program. By maintaining reachability information specifically for each control location, we arrive at a “two-dimensional” extension of IC3, which provides a true lifting from hardware to software model checking. Moreover, we address the problem of generalization in this setting, an essential feature to ensure the scalability of IC3. We introduce several improvements that range from efficient caching of generalizations over variable reductions to syntax-oriented generalization by means of weakest preconditions. Using a prototypical implementation, we evaluate our approach on a number of case studies, including a significant subset of the SV-COMP 2018 benchmarks, and compare the outcomes with results obtained from other IC3 software model checkers.


Program verification, Safety properties, Software model checking, IC3




Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Tim Lange (1)
  • Martin R. Neuhäußer (2)
  • Thomas Noll (1)
  • Joost-Pieter Katoen (1)
  1. RWTH Aachen University, Aachen, Germany
  2. Siemens AG, Munich, Germany
