Formal Methods in System Design

, Volume 25, Issue 2–3, pp 129–166 | Cite as

Efficient Verification of Sequential and Concurrent C Programs

  • S. Chaki
  • E. Clarke
  • A. Groce
  • J. Ouaknine
  • O. Strichman
  • K. Yorav


There has been considerable progress in the domain of software verification over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques such as predicate abstraction. However, the state-space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction effective is to use as few predicates as possible. This is because, in the worst case, the state-space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.

We attempt to address these issues in the context of verifying concurrent (message-passing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (predicate abstraction for data and action-guided abstraction for events) within a counterexample-guided abstraction refinement scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Additionally, a key feature of our approach is that if a property can be proved to hold or not hold based on a given finite set of predicates \(\mathcal{P}\), the predicate refinement procedure we propose in this article finds automatically a minimal subset of \(\mathcal{P}\) that is sufficient for the proof. This, along with our explicit use of compositionality, delays the onset of state-space explosion for as long as possible. We describe our approach in detail, and report on some very encouraging experimental results obtained with our tool MAGIC.

software verification concurrency predicate abstraction process algebra abstraction refinement 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    "BLAST website," http://www– Scholar
  2. 2.
    "CIL website," Scholar
  3. 3.
    "ESC–Java website," Scholar
  4. 4.
    "Grammatech, Inc.," Scholar
  5. 5.
    "Java PathFinder website," Scholar
  6. 6.
    "MAGIC website," Scholar
  7. 7.
    "SLAM website," Scholar
  8. 8.
    "SPIN website," Scholar
  9. 9.
    F. Aloul, A. Ramani, I. Markov, and K. Sakallah, "PBS: A backtrack search pseudo Boolean solver," in Symposium on the Theory and Applications os Satisfiability Testing (SAT), 2002, pp. 346–353.Google Scholar
  10. 10.
    L. Anderson, "Program analysis and specialization for the C programming language," Ph.D. thesis, Datalogisk Intitut, Univ. of Copenhagen, Copenhagen, Denmark, 1994.Google Scholar
  11. 11.
    T. Ball, R. Majumdar, T.D. Millstein, and S.K. Rajamani, "Automatic predicate abstraction of C programs," in SIGPLAN Conference on Programming Language Design and Implementation, 2001, pp. 203–213.Google Scholar
  12. 12.
    T. Ball and S.K. Rajamani, "Automatically validating temporal safety properties of interfaces," in Proceedings of SPIN, Vol. 2057, 2001, pp. 103–122.Google Scholar
  13. 13.
    T. Ball and S.K. Rajamani, "Generating abstract explanations of spurious counterexamples in C programs," Technical Report MSR–TR–2002–09, Microsoft Research, Redmond, 2002.Google Scholar
  14. 14.
    S. Bensalem, Y. Lakhnech, and S. Owre, "Computing abstractions of infinite state systems compositionally and automatically," in Proceedings of CAV, Vol. 1427, 1998, pp. 319–331.Google Scholar
  15. 15.
    S. Chaki, E. Clarke, A. Groce, and O. Strichman, "Predicate abstraction with minimum predicates," in Proceedings of CHARME, 2003. To appear.Google Scholar
  16. 16.
    S. Chaki, E.M. Clarke, A. Groce, S. Jha, and H. Veith, "Modular verification of software components in C," in Proceedings of ICSE, 2003, pp. 385–395.Google Scholar
  17. 17.
    S. Chaki, J. Ouaknine, K. Yorav, and E. Clarke, "Automated compositional abstraction refinement for concurrent C programs: A two–level approach," in Proceedings of SoftMC, 2003.Google Scholar
  18. 18.
    E. Clarke, O. Grumberg, and D. Peled, Model Checking, MIT Press, 1999.Google Scholar
  19. 19.
    E. Clarke, O. Grumberg, M. Talupur, and D. Wang, "Making predicate abstraction efficient: Eliminating redundant predicates," in Proceedings of Computer Aided Verification (CAV), 2003.Google Scholar
  20. 20.
    E. Clarke, A. Gupta, J. Kukula, and O. Strichman, "SAT based abstraction–Refinement using ILP and machine learning techniques," in E. Brinksma and K. Larsen (Eds.), Proceedings of CAV, VOl. 2404 of LNCS, Copenhagen, Denmark, Springer, 2002, pp. 265–279.Google Scholar
  21. 21.
    E.M. Clarke and E.A. Emerson, "Synthesis of synchronization skeletons from branching time temporal logic," in Proceedings of the Workshop on Logics of Programs, Vol. 131, 1982, pp. 52–71.Google Scholar
  22. 22.
    E.M. Clarke, E.A. Emerson, and A.P. Sistla, "Automatic verification of finite–state concurrent systems using temporal logic specifications," ACM Transactions on Programming Languages and System (TOPLAS), Vol. 8, No. 2, pp. 244–263, 1986.Google Scholar
  23. 23.
    E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, "Counterexample–guided abstraction refinement," in Proceedings of CAV, Vol. 1855, 2000, pp. 154–169.Google Scholar
  24. 24.
    E.M. Clarke, O. Grumberg, and D.E. Long, "Model checking and abstraction," in Proceedings of TOPLAS, 1994, pp. 1512–1542.Google Scholar
  25. 25.
    J.M. Cobleigh, D. Giannakopoulou, and C.S. Pasareanu, "Learning assumptions for compositional verification," in Proceedings of TACAS, Vol. 2619, 2003, pp. 331–346.Google Scholar
  26. 26.
    M. Colón and T.E. Uribe, "Generating finite–state abstractions of reactive systems using decision procedures," in Proceedings of CAV, 1998, pp. 293–304.Google Scholar
  27. 27.
    J.C. Corbett, M.B. Dwyer, J. Hatcliff, S. Laubach, C.S. Pasareanu, Robby, and H. Zheng, "Bandera: Extracting finite–state models from Java source code," in Proceedings of ICSE, 2000, pp. 439–448.Google Scholar
  28. 28.
    P. Cousot and R. Cousot, "Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints," in Proceedings of the SIGPLAN Conference on Programming Languages, 1977, pp. 238–252.Google Scholar
  29. 29.
    D. Dams and K.S. Namjoshi, "Shape analysis through predicate abstraction and model checking," in Proceedings of VMCAI, Vol. 2575, 2003.Google Scholar
  30. 30.
    S. Das, D.L. Dill, and S. Park, "Experience with predicate abstraction," in Computer Aided Verification, 1999, pp. 160–171.Google Scholar
  31. 31.
    E.W. Dijkstra, "A simple axiomatic basis for programming language constructs," Lecture notes from the International Summer School on Structured Programming and Programmed Structures, 1973.Google Scholar
  32. 32.
    M.B. Dwyer, J. Hatcliff, R. Joehanes, S. Laubach, C.S. Pasareanu, H. Zheng, and W. Visser, "Tool–supported program abstraction for finite–state verification," in International Conference on Software Engineering, 2001, pp. 177–187.Google Scholar
  33. 33.
    D. Engler, B. Chelf, A. Chou, and S. Hallem, "Checking system rules using system–specific, programmerwritten compiler extensions," in Symposium on Operating Systems Design and Implementation, 2000.Google Scholar
  34. 34.
    S. Graf and H. Saidi, "Construction of abstract state graphs with PVS," in O. Grumberg (Ed.), Computer Aided Verification, Vol. 1254, 1997, pp. 72–83.Google Scholar
  35. 35.
    K. Havelund and T. Pressburger, "Model checking JAVA programs using JAVA pathfinder," International Journal on Software Tools for Technology Transfer, Vol. 2, No.4, pp. 366–381, 2000.Google Scholar
  36. 36.
    T.A. Henzinger, R. Jhala, R. Majumdar, and S. Qadeer, "Thread–modular abstraction refinement," in Proceedings of CAV, 2003 (to appear).Google Scholar
  37. 37.
    T.A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, "Lazy abstraction," in Proceedings of POPL, 2002, pp. 58–70.Google Scholar
  38. 38.
    T.A. Henzinger, S. Qadeer, and S.K. Rajamani, "Decomposing refinement proofs using assume–guarantee reasoning," in Proceedings of ICCAD, 2000, pp. 245–252.Google Scholar
  39. 39.
    C.A.R. Hoare, "An axiomatic basis for computer programming," Communications of the ACM, Vol. 12, No. 10, pp. 576–580, 1969.Google Scholar
  40. 40.
    C.A.R. Hoare, Communicating Sequential Processes, Prentice Hall, 1985.Google Scholar
  41. 41.
    R.P. Kurshan, "Analysis of discrete event coordination," in Proceedings REX Workshop 89, Vol. 430, 1989, pp. 414–453.Google Scholar
  42. 42.
    R.P. Kurshan, Computer–Aided Verification of Coordinating Processes: The Automata–Theoretic Approach. Princeton University Press, 1994.Google Scholar
  43. 43.
    Y. Lakhnech, S. Bensalem, S. Berezin, and S. Owre, "Incremental verification by abstraction," in Proceedings of TACAS, Vol. 2031, 2001, pp. 98–112.Google Scholar
  44. 44.
    K.L. McMillan, "A compositional rule for hardware design refinement," in Proceedings of CAV, Vol. 1254, 1997, pp. 24–35.Google Scholar
  45. 45.
    R. Milner, Communication and Concurrency. Prentice–Hall International, London, 1989.Google Scholar
  46. 46.
    K.S. Namjoshi and R.P. Kurshan, "Syntactic program transformations for automatic abstraction," in Proceedings of CAV, Vol. 1855, 2000, pp. 435–449.Google Scholar
  47. 47.
    G. Naumovich, L.A. Clarke, L.J. Osterweil, and M.B. Dwyer, "Verification of concurrent software with FLAVERS," in Proceedings of ICSE, 1997, pp. 594–595.Google Scholar
  48. 48.
    G. Nelson, Techniques for Program Verification. Ph.D. thesis, Stanford University, 1980.Google Scholar
  49. 49.
    R. Paige and R.E. Tarjan, "Three partition refinement algorithms," SIAM Journal of Computing, Vol. 16, No. 6, pp. 973–989, 1987.Google Scholar
  50. 50.
    C.S. Pasareanu, M.B. Dwyer, and W. Visser, "Finding feasible counter–examples when model checking abstracted Java programs." in Proceedings of TACAS, Vol. 2031, 2001, pp. 284–298.Google Scholar
  51. 51.
    A.W. Roscoe, The Theory and Practice of Concurrency. Prentice–Hall International, London, 1997.Google Scholar
  52. 52.
    S.D. Stoller, "Model–checking multi–threaded distributed Java programs," International Journal on Software Tools for Technology Transfer, Vol. 4, No. 1, pp. 71–91, 2002.Google Scholar

Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • S. Chaki
    • 1
  • E. Clarke
    • 2
  • A. Groce
    • 3
  • J. Ouaknine
    • 4
  • O. Strichman
    • 5
  • K. Yorav
    • 6
  1. 1.Carnegie Mellon UniversityPittsburghUSA
  2. 2.Carnegie Mellon UniversityPittsburghUSA
  3. 3.Carnegie Mellon UniversityPittsburghUSA
  4. 4.Carnegie Mellon UniversityPittsburghUSA
  5. 5.TechnionHaifaIsrael
  6. 6.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations