Model Checking Embedded C Software Using k-Induction and Invariants

  • Herbert Rocha
  • Hussama Ismail
  • Lucas Cordeiro
  • Raimundo Barreto
Chapter
Part of the Embedded Systems book series (EMSY)

Abstract

We present a novel proof-by-induction algorithm, which combines k-induction with invariants to model check embedded C software with bounded and unbounded loops. The k-induction algorithm consists of three cases: in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether loops have been fully unrolled and that the safety property P holds in all states reachable within k unwindings; and in the inductive step, we check that whenever P holds for k unwindings, it also holds after the next unwinding of the system. For each step of the k-induction algorithm, we infer invariants using affine constraints (i.e., polyhedra) to specify pre- and postconditions. The algorithm was implemented in two different ways, with and without polyhedral invariants, and the results were compared. Experimental results show that both forms can handle a wide variety of safety properties in typical embedded software applications from the telecommunications, control systems, and medical devices domains; however, the k-induction algorithm adopting polyhedral invariants solves more verification tasks, which demonstrates an improvement in the induction algorithm's effectiveness.
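The three cases described in the abstract, as an added worked example that is not part of the chapter or of the authors' tool: a small Python model of the k-induction proof rule applied to a constructed counter loop, in which exhaustive enumeration of a bounded integer domain stands in for the SMT solver's reasoning over arbitrary (including unreachable) states. The program shape, the bounds `N_MAX` and `X_MAX`, the names `Program`, `counter_program`, `base_case`, `forward_condition`, `inductive_step` and `k_induction`, and the affine invariant `x == 2*i` are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

State = Tuple[int, int, int]  # (n, i, x)

# Constructed bounds: a finite state domain stands in for the SMT solver's
# reasoning over arbitrary (possibly unreachable) states in the inductive step.
N_MAX, X_MAX = 6, 14


@dataclass
class Program:
    init: Callable[[], List[State]]        # initial states
    step: Callable[[State], List[State]]   # successors; [] once the loop has exited
    prop: Callable[[State], bool]          # safety property P
    inv: Callable[[State], bool]           # affine invariant used to strengthen induction
    states: Callable[[], Iterable[State]]  # bounded domain of all states


def counter_program(x0: int) -> Program:
    """Hypothetical loop:  i = 0; x = x0;  while (i < n) { i++; x += 2; }  assert(x == 2*n);
    n is a nondeterministic input in [0, N_MAX] that the loop never modifies."""
    return Program(
        init=lambda: [(n, 0, x0) for n in range(N_MAX + 1)],
        step=lambda s: [(s[0], s[1] + 1, s[2] + 2)] if s[1] < s[0] else [],
        prop=lambda s: s[1] < s[0] or s[2] == 2 * s[0],       # P: at loop exit, x == 2n
        inv=lambda s: s[2] == 2 * s[1] and 0 <= s[1] <= s[0],  # assumed polyhedral invariant
        states=lambda: product(range(N_MAX + 1), range(N_MAX + 2), range(X_MAX + 1)),
    )


def base_case(prog: Program, k: int) -> Optional[List[State]]:
    """Look for a violation of P within k unwindings; return the counterexample path or None."""
    paths = [[s] for s in prog.init()]
    for _ in range(k + 1):                 # depths 0..k
        for p in paths:
            if not prog.prop(p[-1]):
                return p
        paths = [p + [t] for p in paths for t in prog.step(p[-1])]
    return None


def forward_condition(prog: Program, k: int) -> bool:
    """True when every execution terminates within k unwindings and P holds on every
    state reached on the way (loops fully unrolled, so the program is proved safe)."""
    layers = [set(prog.init())]            # layers[d] = states reachable in exactly d steps
    for _ in range(k + 1):
        layers.append({t for s in layers[-1] for t in prog.step(s)})
    fully_unrolled = not layers[k + 1]
    return fully_unrolled and all(prog.prop(s) for layer in layers[:k + 1] for s in layer)


def inductive_step(prog: Program, k: int, use_invariant: bool) -> Optional[List[State]]:
    """From ANY k consecutive states satisfying P (and the invariant, if used), the next
    state must satisfy P. Returns a violating path, or None if the step holds."""
    def ok(s: State) -> bool:
        return prog.prop(s) and (prog.inv(s) or not use_invariant)

    paths = [[s] for s in prog.states() if ok(s)]
    for _ in range(k - 1):                 # extend each path to k states
        paths = [p + [t] for p in paths for t in prog.step(p[-1]) if ok(t)]
    for p in paths:
        for t in prog.step(p[-1]):
            if not prog.prop(t):
                return p + [t]
    return None


def k_induction(prog: Program, use_invariant: bool = False, k_max: int = 10):
    """Run the three cases for k = 1, 2, ... and report the first conclusive verdict."""
    for k in range(1, k_max + 1):
        cex = base_case(prog, k)
        if cex is not None:
            return ("unsafe", k, cex)
        if forward_condition(prog, k):
            return ("safe", k, "forward condition")
        if inductive_step(prog, k, use_invariant) is None:
            return ("safe", k, "inductive step")
    return ("unknown", k_max, None)


if __name__ == "__main__":
    print("plain k-induction:     ", k_induction(counter_program(0)))
    print("with affine invariant: ", k_induction(counter_program(0), use_invariant=True))
    print("buggy variant (x0 = 1):", k_induction(counter_program(1)))
```

Without the invariant, the inductive step fails for every k below `N_MAX`: a state such as (n, i, x) with x different from 2i satisfies P while the loop is still running, yet its successor at loop exit violates P, so the proof only closes once the forward condition sees every execution fully unrolled at k = 6. With the affine invariant x == 2i assumed at the loop head, those states are excluded and the inductive step already succeeds at k = 1, which is the effect the abstract attributes to polyhedral invariants. The variant with x0 = 1 is caught by the base case at k = 1, since its initial state for n = 0 already violates the assertion.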

Keywords

Prefix, Suffix, Havoc

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  • Herbert Rocha (1)
  • Hussama Ismail (2)
  • Lucas Cordeiro (2)
  • Raimundo Barreto (2)
  1. Federal University of Roraima, Boa Vista, Brazil
  2. Federal University of Amazonas, Manaus, Brazil