ExpliSAT: Guiding SAT-Based Software Verification with Explicit States

  • Sharon Barner
  • Cindy Eisner
  • Ziv Glazberg
  • Daniel Kroening
  • Ishai Rabinovitz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4383)


We present a hybrid method for software model checking that combines explicit-state and symbolic techniques. Our method traverses the control flow graph of the program explicitly, and encodes the data values in a CNF formula, which we solve using a SAT solver. In order to avoid traversing control flow paths that do not correspond to a valid execution of the program we introduce the idea of a representative of a control path. We present favorable experimental results, which show that our method scales well both with regards to the non-deterministic data and the number of threads.


Model Check Explicit State Kripke Structure Satisfying Assignment Symbolic Model Check 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Andrews, T., et al.: Zing: Exploiting program structure for model checking concurrent software. In: CONCUR (2004)Google Scholar
  2. 2.
    Ball, T., Rajamani, S.K.: Bebop: A symbolic model checker for boolean programs. In: Havelund, K., Penix, J., Visser, W. (eds.) SPIN Model Checking and Software Verification. LNCS, vol. 1885, pp. 113–130. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Barner, S., Glazberg, Z., Rabinovitz, I.: Wolf - bug hunter for concurrent software using formal methods. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 153–157. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Barner, S., Rabinovitz, I.: Effcient symbolic model checking of software using partial disjunctive partitioning. In: Geist, D., Tronci, E. (eds.) CHARME 2003. LNCS, vol. 2860, pp. 35–50. Springer, Heidelberg (2003)Google Scholar
  5. 5.
    Chockler, H., et al.: Formal verification of concurrent software: two case studies. In: Proceedings of 4th International Workshop on Parallel and Distributed Systems: Testing and Debugging (PADTAD) (2006)Google Scholar
  6. 6.
    Clarke, E., Grumberg, O., Peled, D.: Model Checking. MIT Press, Cambridge (1999)Google Scholar
  7. 7.
    Cytron, R., et al.: An efficient method of computing static single assignment form. In: POPL, pp. 25–35. ACM Press, New York (1989)Google Scholar
  8. 8.
    Eisner, C.: Model checking the garbage collection mechanism of SMV. ENTCS 55(3) (2001)Google Scholar
  9. 9.
    Eisner, C.: Formal verification of software source code through semi-automatic modeling. Software and Systems Modeling 4(1), 14–31 (2005)CrossRefGoogle Scholar
  10. 10.
    Farchi, E., Nir, Y., Ur, S.: Concurrent Bug Patterns and How to Test Them. In: IPDPS, p. 286b. IEEE Computer Society Press, Los Alamitos (2003)Google Scholar
  11. 11.
    Godefroid, P.: VeriSoft: A tool for the automatic analysis of concurrent reactive software. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 476–479. Springer, Heidelberg (1997)Google Scholar
  12. 12.
    Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: PLDI, pp. 213–223. ACM Press, New York (2005), doi:10.1145/1065010.1065036CrossRefGoogle Scholar
  13. 13.
    Holzmann, G.: The model checker SPIN. IEEE Trans. on Software Engineering 23(5), 279–295 (1997)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Holzmann, G., Peled, D.: An improvement in formal verification. In: Proc. Formal Description Techniques, FORTE94, pp. 197–211. Chapman & Hall, Boca Raton (1994)Google Scholar
  15. 15.
    Ivancic, F., et al.: Efficient SAT-based bounded model checking for software verification (2004)Google Scholar
  16. 16.
    Khurshid, S., Pasareanu, C.S., Visser, W.: Generalized symbolic execution for model checking and testing. In: Garavel, H., Hatcliff, J. (eds.) ETAPS 2003 and TACAS 2003. LNCS, vol. 2619, pp. 553–568. Springer, Heidelberg (2003)Google Scholar
  17. 17.
    Kroening, D., Clarke, E., Yorav, K.: Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking. In: DAC, pp. 368–371. ACM Press, New York (2003)Google Scholar
  18. 18.
    Rabinovitz, I., Grumberg, O.: Bounded Model Checking of Concurrent Programs. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 82–97. Springer, Heidelberg (2005)Google Scholar
  19. 19.
    Sen, K., Agha, G.: Cute and jcute: Concolic unit testing and explicit path model-checking tools (Tool Paper). In: Computer Aided Verification. LNCS, vol. 4144, Springer, Heidelberg (2006)Google Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Sharon Barner
    • 1
  • Cindy Eisner
    • 1
  • Ziv Glazberg
    • 1
  • Daniel Kroening
    • 2
  • Ishai Rabinovitz
    • 3
  1. 1.IBM Haifa Research Lab 
  2. 2.ETH Zürich 
  3. 3.Mellanox Technologies 

Personalised recommendations