
Handling loops in bounded model checking of C programs via k-induction

Regular Paper
International Journal on Software Tools for Technology Transfer

Abstract

The first attempts to apply the k-induction method to software verification are only recent. In this paper, we present a novel proof-by-induction algorithm, which is built on top of a symbolic context-bounded model checker and uses an iterative deepening approach to verify, for each step k up to a given maximum, whether a given safety property \(\phi\) holds in the program. The proposed k-induction algorithm consists of three different cases, called base case, forward condition, and inductive step. Intuitively, in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether the loops have been fully unrolled and that \(\phi\) holds in all states reachable within k unwindings; and in the inductive step, we check that whenever \(\phi\) holds for k unwindings, it also holds after the next unwinding of the system. The algorithm was implemented in two different ways, a sequential and a parallel one, and the results were compared. Experimental results show that both forms of the algorithm can handle a wide variety of safety properties extracted from standard benchmarks, ranging from reachability to time constraints; by comparison, the parallel algorithm solves more verification tasks in less time. This paper marks the first application of the k-induction algorithm to a broader range of C programs; in particular, we show that our k-induction method outperforms CPAChecker, a state-of-the-art k-induction-based verification tool for C programs, in terms of correct results.
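The three checks named in the abstract, as an added illustration that is not code from the paper or from ESBMC: ESBMC encodes each check as an SMT formula over symbolic program states, whereas this stand-in enumerates an explicit finite state space, which is only feasible for a toy program. The program under verification (a counter that is incremented on even iterations and decremented on odd ones), the candidate state domain, and all function names (`successors`, `unwind`, `base_case`, `forward_condition`, `inductive_step`, `k_induction`) are this example's own constructions.

```python
# Added example (not code from the paper or from ESBMC): an explicit-state,
# finite-domain stand-in for the three k-induction checks described in the
# abstract. ESBMC performs these checks symbolically with an SMT solver; here
# every state is enumerated, which is only feasible for a toy program.
#
# Constructed program under verification (state = (x, i)):
#     int x = 0; unsigned i = 0;
#     while (i < N) { if (i % 2 == 0) x++; else x--; i++; }
# One loop unwinding is one transition; once i == N the loop has been left and
# the state is terminal (no successors).

N = 8
INIT = (0, 0)
# Candidate start states for the inductive step. Real k-induction quantifies
# over *all* states; a finite candidate set is this example's simplification.
DOMAIN = [(x, i) for x in range(-4, 5) for i in range(N + 1)]


def successors(state):
    """States reachable by one more loop unwinding; terminal states have none."""
    x, i = state
    if i >= N:
        return []
    return [(x + 1, i + 1)] if i % 2 == 0 else [(x - 1, i + 1)]


def unwind(start, k):
    """All execution paths from `start` with at most k transitions.
    A path stops early when it reaches a terminal state."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        succ = successors(path[-1]) if len(path) <= k else []
        if succ:
            stack.extend(path + [s] for s in succ)
        else:
            paths.append(path)
    return paths


def base_case(phi, k):
    """Bounded model checking: a path from INIT with up to k unwindings that
    reaches a state violating phi (a genuine counterexample), or None."""
    for path in unwind(INIT, k):
        for j, s in enumerate(path):
            if not phi(s):
                return path[:j + 1]
    return None


def forward_condition(phi, k):
    """True when every path from INIT terminates within k unwindings (loops
    fully unrolled) and phi holds in every state along the way."""
    return all(not successors(p[-1]) and all(phi(s) for s in p)
               for p in unwind(INIT, k))


def inductive_step(phi, k, domain):
    """For every chain s0 -> ... -> sk of k unwindings whose first k states
    satisfy phi, check that sk satisfies phi as well. s0 is *any* state in
    `domain`, reachable or not. Returns a counterexample-to-induction chain
    (which need not correspond to a real execution) or None."""
    for s0 in domain:
        stack = [[s0]]
        while stack:
            chain = stack.pop()
            if len(chain) == k + 1:
                if not phi(chain[-1]):
                    return chain
                continue
            if not phi(chain[-1]):
                continue  # induction hypothesis does not hold here; skip
            stack.extend(chain + [s] for s in successors(chain[-1]))
    return None


def k_induction(phi, max_k, domain=DOMAIN):
    """Iterative deepening over k: base case, then forward condition, then
    inductive step, in the order the abstract describes."""
    for k in range(1, max_k + 1):
        cex = base_case(phi, k)
        if cex is not None:
            return ("FALSE", k, cex)
        if forward_condition(phi, k):
            return ("TRUE", k, "forward condition")
        if inductive_step(phi, k, domain) is None:
            return ("TRUE", k, "inductive step")
    return ("UNKNOWN", max_k, None)


# Three safety properties over the state (x, i).
def x_le_0(s):
    return s[0] <= 0                       # false: refuted by the base case


def x_in_01(s):
    return 0 <= s[0] <= 1                  # true: 2-inductive, not 1-inductive


def exit_x_zero(s):
    return s[1] < N or s[0] == 0           # true only because the loop is bounded


if __name__ == "__main__":
    for name, prop in [("x <= 0", x_le_0), ("0 <= x <= 1", x_in_01),
                       ("x == 0 after the loop", exit_x_zero)]:
        print(f"{name}: {k_induction(prop, 20)}")
```

The three properties exercise one case each: `x <= 0` is refuted by the base case at k = 1 with a real execution as the counterexample; `0 <= x <= 1` survives the base case but fails the inductive step at k = 1 (the unreachable state x = 1 on an even iteration steps to x = 2) and is proved by the inductive step at k = 2; `x == 0 after the loop` is never k-inductive for k < 8 because the inductive step starts from arbitrary, unreachable values of x, and is proved only when the forward condition detects at k = 8 that the loop has been fully unrolled. Two caveats a practitioner should keep in mind: a counterexample from the inductive step is not evidence of a bug (it may start in an unreachable state), and the inductive result is only meaningful because the base case at the same k has already passed, which is why the algorithm checks the base case first.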



Notes

  1. Available at http://esbmc.org/.

  2. The benchmarks were verified using the command line: esbmc file.c --k-induction --k-step 100 --memlimit 15g --timeout 900s.

  3. The benchmarks were verified using the command line: esbmc file.c --k-induction-parallel --k-step 100 --memlimit 15g --timeout 900s.

  4. esbmc --k-induction --k-step 100 --z3 --no-unwinding-assertions --timeout 15m --memlimit 15g --64 -DLDV_ERROR=ERROR -Dassert=notassert -D_Bool=int --no-assertions --error-label ERROR.

  5. esbmc --k-induction-parallel --k-step 100 --z3 --no-unwinding-assertions --timeout 15m --memlimit 15g --64 -DLDV_ERROR=ERROR -Dassert=notassert -D_Bool=int --no-assertions --error-label ERROR.

  6. cpa.sh -bmc-induction -setprop cfa.useMultiEdges=true -setprop bmc.addInvariantsByInduction=false -spec PropertyERROR.prp.

  7. The benchmarks were verified using the command line: esbmc file.c --k-induction --k-step 10.


Author information

Corresponding author

Correspondence to Lucas C. Cordeiro.


Cite this article

Gadelha, M.Y.R., Ismail, H.I. & Cordeiro, L.C. Handling loops in bounded model checking of C programs via k-induction. Int J Softw Tools Technol Transfer 19, 97–114 (2017). https://doi.org/10.1007/s10009-015-0407-9
