# Efficient Verification of Sequential and Concurrent C Programs

## Abstract

There has been considerable progress in the domain of software verification over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques such as predicate abstraction. However, the state-space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction effective is to use as few predicates as possible. This is because, in the worst case, the state-space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.

We attempt to address these issues in the context of verifying concurrent (message-passing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (predicate abstraction for data and *action-guided abstraction* for events) within a counterexample-guided abstraction refinement scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Additionally, a key feature of our approach is that if a property can be proved to hold or not hold based on a given finite set of predicates \(\mathcal{P}\), the predicate refinement procedure we propose in this article automatically finds a minimal subset of \(\mathcal{P}\) that is sufficient for the proof. This, along with our explicit use of compositionality, delays the onset of state-space explosion for as long as possible. We describe our approach in detail, and report on some very encouraging experimental results obtained with our tool MAGIC.
