SMT-based model checking for recursive programs

Formal Methods in System Design

Abstract

We present an SMT-based symbolic model checking algorithm for safety verification of recursive programs. The algorithm is modular and analyzes procedures individually. Unlike other SMT-based approaches, it maintains both over- and under-approximations of procedure summaries. Under-approximations are used to analyze procedure calls without inlining. Over-approximations are used to block infeasible counterexamples and detect convergence to a proof. We show that for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample, if one exists. However, efficiency depends on an oracle for quantifier elimination (QE). For Boolean programs, the algorithm is a polynomial decision procedure, matching the worst-case bounds of the best BDD-based algorithms. For Linear Arithmetic (integers and rationals), we give an efficient instantiation of the algorithm by applying QE lazily. We use existing interpolation techniques to over-approximate QE and introduce Model Based Projection to under-approximate QE. Empirical evaluation on SV-COMP benchmarks shows that our algorithm improves significantly on the state-of-the-art.
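As an added example (editor's code, not from the paper and not from the Spacer implementation), the following Python shows the under-approximating role of Model Based Projection described above on conjunctions of linear literals over the rationals. The paper's own MBP rules are not reproduced on this page, so the rule set here is an assumption: a Loos-Weispfenning style test point is read off the model (an equality on the eliminated variable if one exists, otherwise the lower bound that is tightest under the model), and the result is a quantifier-free formula that the model satisfies and that implies the existential, i.e. one disjunct of the full quantifier elimination.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Added example (not from the paper or Spacer): a simplified Model Based
# Projection for conjunctions of linear literals over the rationals, using a
# Loos-Weispfenning style test point chosen from the model. The paper's own
# MBP rules are not reproduced on this page; these rules are the editor's.
#
# A term is {var: coeff}; the constant lives under the key "1".
# A literal is (term, op) meaning  term op 0  with op in {"<", "<=", "="}.
Term = Dict[str, Fraction]
Literal = Tuple[Term, str]
Model = Dict[str, Fraction]


def add(a: Term, b: Term, k: Fraction = Fraction(1)) -> Term:
    """Return a + k*b with zero coefficients dropped."""
    out = dict(a)
    for v, c in b.items():
        out[v] = out.get(v, Fraction(0)) + k * c
        if out[v] == 0:
            del out[v]
    return out


def scale(a: Term, k: Fraction) -> Term:
    return {v: c * k for v, c in a.items() if c * k != 0}


def evaluate(t: Term, m: Model) -> Fraction:
    return sum((c * (Fraction(1) if v == "1" else m[v]) for v, c in t.items()), Fraction(0))


def holds(lt: Literal, m: Model) -> bool:
    val = evaluate(lt[0], m)
    return {"<": val < 0, "<=": val <= 0, "=": val == 0}[lt[1]]


def mbp(x: str, phi: List[Literal], m: Model) -> List[Literal]:
    """Model Based Projection: a quantifier-free psi (list of literals, conjoined)
    with  m |= psi  and  psi => exists x. phi.  Requires m |= phi."""
    assert all(holds(lt, m) for lt in phi), "MBP needs a model of phi"
    keep = [lt for lt in phi if x not in lt[0]]
    with_x = [lt for lt in phi if x in lt[0]]

    # Case 1: an equality a*x + r = 0 fixes x = -r/a; substitute it everywhere.
    for i, (t, op) in enumerate(with_x):
        if op == "=":
            r = {v: c for v, c in t.items() if v != x}
            sol = scale(r, Fraction(-1) / t[x])
            out = list(keep)
            for j, (t2, op2) in enumerate(with_x):
                if j != i:
                    r2 = {v: c for v, c in t2.items() if v != x}
                    out.append((add(r2, sol, t2[x]), op2))
            return out

    # Case 2: only inequalities.  a*x + r op 0 is  x op (-r/a)  when a > 0 (an
    # upper bound) and the flipped comparison when a < 0 (a lower bound).
    lower: List[Tuple[Term, bool]] = []
    upper: List[Tuple[Term, bool]] = []
    for t, op in with_x:
        a = t[x]
        bound = scale({v: c for v, c in t.items() if v != x}, Fraction(-1) / a)
        (upper if a > 0 else lower).append((bound, op == "<"))
    if not lower or not upper:
        return keep  # x unbounded on one side: exists x. phi collapses to keep

    # Test point: the lower bound that is tightest under m; a strict bound wins
    # ties, in which case the virtual point is l + epsilon.
    l, l_strict = max(lower, key=lambda b: (evaluate(b[0], m), b[1]))
    out = list(keep)
    for b, s in lower:
        if b is l:
            continue
        out.append((add(b, l, Fraction(-1)), "<" if (s and not l_strict) else "<="))
    for u, s in upper:
        out.append((add(l, u, Fraction(-1)), "<" if (s or l_strict) else "<="))
    return out


def lit(op: str, **coeffs) -> Literal:
    """Convenience: lit("<=", y=1, x=-1, c=-5) is  y - x - 5 <= 0  (c = constant)."""
    t = {("1" if v == "c" else v): Fraction(k) for v, k in coeffs.items() if k != 0}
    return (t, op)


if __name__ == "__main__":
    # Constructed input:  phi = y <= x /\ z < x /\ x <= 5,
    # so  exists x. phi  is equivalent to  y <= 5 /\ z < 5.
    phi = [lit("<=", y=1, x=-1), lit("<", z=1, x=-1), lit("<=", x=1, c=-5)]
    for m in ({"x": Fraction(3), "y": Fraction(3), "z": Fraction(1)},
              {"x": Fraction(4), "y": Fraction(2), "z": Fraction(3)}):
        print(m, "->", mbp("x", phi, m))
```

On the constructed input the two models give the projections z < y ∧ y ≤ 5 and y ≤ z ∧ z < 5. Each is strictly weaker than ∃x.φ (which is y ≤ 5 ∧ z < 5), but their disjunction is equivalent to it; this is the sense in which repeated projections under fresh models approach full quantifier elimination lazily, while each single call stays cheap and quantifier-free.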

Notes

  1. We assume that all quantified variables are eliminated to obtain the complexity for Boolean Programs mentioned above.

  2. http://www.cs.cmu.edu/~akomurav/projects/spacer/home.html.

  3. https://svn.sosy-lab.org/software/sv-benchmarks/trunk/clauses/BOOL/slam.zip.

  4. https://svn.sosy-lab.org/software/sv-benchmarks/trunk/clauses/ALIA/sdv.

  5. Z3 first tries to eliminate existential quantifiers by using equalities with ground terms present in the input formula and resorts to model substitution otherwise.

References

  1. Ball T, Rajamani SK (2000) Bebop: a symbolic model checker for Boolean programs. In: SPIN, pp 113–130

  2. Ball T, Majumdar R, Millstein T, Rajamani SK (2001) Automatic predicate abstraction of C programs. SIGPLAN Not 36(5):203–213

  3. Clarke EM, Kroening D, Lerda F (2004) A tool for checking ANSI-C programs. In: TACAS

  4. Barnett M, Chang B-YE, DeLine R, Jacobs B, Leino KRM (2005) Boogie: a modular reusable verifier for object-oriented programs. In: FMCO, pp 364–387

  5. Albarghouthi A, Gurfinkel A, Chechik M (2012) From under-approximations to over-approximations and back. In: TACAS

  6. Grebenshchikov S, Lopes NP, Popeea C, Rybalchenko A (2012) Synthesizing software verifiers from proof rules. In: PLDI, pp 405–416

  7. Clarke EM (1979) Programming language constructs for which it is impossible to obtain good Hoare axiom systems. JACM 26(1):129–147

  8. Reps TW, Horwitz S, Sagiv S (1995) Precise interprocedural dataflow analysis via graph reachability. In: POPL, pp 49–61

  9. Clarke EM (1979) Program invariants as fixed points. Computing 21(4):273–294

  10. Sharir M, Pnueli A (1981) Program flow analysis: theory and applications. In: Two approaches to interprocedural data flow analysis. Prentice-Hall, pp 189–233

  11. Alur R, Benedikt M, Etessami K, Godefroid P, Reps T, Yannakakis M (2005) Analysis of recursive state machines. TOPLAS 27(4):786–818

  12. Esparza J, Hansel D, Rossmanith P, Schwoon S (2000) Efficient algorithms for model checking pushdown systems. In: CAV, pp 232–247

  13. Clarke EM, Grumberg O, Jha S, Lu Y, Veith H (2000) Counterexample-guided abstraction refinement. In: CAV

  14. Albarghouthi A, Gurfinkel A, Chechik M (2012) Whale: an interpolation-based algorithm for inter-procedural verification. In: VMCAI, pp 39–55

  15. Hoder K, Bjørner N (2012) Generalized property directed reachability. In: SAT

  16. Heizmann M, Christ J, Dietsch D, Ermis E, Hoenicke J, Lindenmann M, Nutz A, Schilling C, Podelski A (2013) Ultimate automizer with SMTInterpol—(competition contribution). In: Piterman N, Smolka SA (eds) TACAS, lecture notes in computer science, vol 7795. Springer, Heidelberg, pp 641–643

  17. Heizmann M, Hoenicke J, Podelski A (2010) Nested interpolants. SIGPLAN Not 45(1):471–482

  18. McMillan KL, Rybalchenko A (2013) Solving constrained horn clauses using interpolation. Technical Report MSR-TR-2013-6, Microsoft Research

  19. Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148

  20. Craig W (1957) Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory. Symb Logic 22(3):269–285

  21. Alur R, Benedikt M, Etessami K, Godefroid P, Reps T, Yannakakis M (2005) Analysis of recursive state machines. ACM Trans Program Lang Syst 27(4):786–818

  22. Bradley AR (2011) SAT-based model checking without unrolling. In: VMCAI

  23. Loos R, Weispfenning V (1993) Applying linear quantifier elimination. Computing 36(5):450–462

  24. Cooper DC (1972) Theorem proving in arithmetic without multiplication. Mach Intel 7:91–100

  25. Nieuwenhuis R, Oliveras A, Tinelli C (2006) Solving SAT and SAT modulo theories: from an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J ACM 53(6):937–977

  26. De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: TACAS

  27. Ganai MK, Gupta A, Ashar P (2004) Efficient SAT-based unbounded symbolic model checking using circuit cofactoring. In: ICCAD, pp 510–517

  28. Nipkow T (2010) Linear quantifier elimination. J Autom Reason 45(2):189–212

  29. Albarghouthi A, Gurfinkel A, Li Y, Chaki S, Chechik M (2013) UFO: verification with interpolants and abstract interpretation—(competition contribution). In: TACAS

  30. Software Verification Competition. TACAS, 2014. http://sv-comp.sosy-lab.org

  31. Komuravelli A, Gurfinkel A, Chaki S, Clarke EM (2013) Automated abstraction in SMT-based unbounded software model checking. In: CAV, pp 846–862

  32. Henzinger TA, Jhala R, Majumdar R, Sutre G (2002) Lazy abstraction. In: Proceedings of the POPL, pp 58–70

  33. Chaki S, Clarke EM, Groce A, Jha S, Veith H (2004) Modular verification of software components in C. IEEE Trans Softw Eng 30(6):388–402

  34. Godefroid P, Nori AV, Rajamani SK, Tetali S (2010) Compositional may-must program analysis: unleashing the power of alternation. In: POPL, pp 43–56

  35. Lal A, Qadeer S, Lahiri SK (2012) A solver for reachability modulo theories. In: Madhusudan P, Seshia SA (eds) CAV, lecture notes in computer science, vol 7358. Springer, Heidelberg, pp 427–443

  36. Gupta A, Ganai MK, Yang Z, Ashar P (2003) Iterative abstraction using SAT-based BMC with proof analysis. In: ICCAD, pp 416–423

  37. McMillan KL, Amla N (2003) Automatic abstraction without counterexamples. In: TACAS

Acknowledgments

We thank Edmund M. Clarke and Nikolaj Bjørner for many helpful discussions. Our definition of MBP is based on the idea of projected implicants co-developed with Nikolaj. We thank Aarti Gupta, Cesare Tinelli, and the anonymous reviewers of both the CAV 2014 version of this paper and this FMSD special issue for insightful comments. This research was sponsored by the National Science Foundation grants no. DMS1068829, CNS0926181 and CNS0931985, the GSRC under contract no. 1041377, the Semiconductor Research Corporation under contract no. 2005TJ1366, the Office of Naval Research under award no. N000141010188 and the CMU-Portugal Program. This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. This material has been approved for public release and unlimited distribution. DM-0000973.

Author information

Corresponding author

Correspondence to Anvesh Komuravelli.

A divergence of GPDR for bounded call-stack

Consider the program \(\langle \langle M,L,G \rangle , M \rangle \) with procedures \(M = \langle y_0, y, \Sigma _{M}, \langle x, n \rangle , \beta _{M} \rangle \), \(L = \langle n, \langle x,y,i \rangle , \Sigma _{L}, \langle x_0,y_0,i_0 \rangle , \beta _{L} \rangle \), \(G = \langle x_0, x_1, \Sigma _{G}, \emptyset , \beta _{G} \rangle \) with the following bodies:

$$\begin{aligned} \beta _{M}&= \Sigma _{L}(x,y_0,n,n) \wedge \Sigma _{G}(x,y) \wedge n>0 \\ \beta _{L}&= \left( i=0 \wedge x=0 \wedge y=0 \right) \vee \\&\quad \left( \Sigma _{L}(x_0,y_0,i_0,n) \wedge x=x_0+1 \wedge y=y_0+1 \wedge i=i_0+1 \wedge i>0 \right) \\ \beta _{G}&= (x_1=x_0+1) \end{aligned}$$

The GPDR [15] algorithm can be shown to diverge when checking the bounded safety problem \(M \models _2 y_0 \le y\), e.g., by inferring the following diverging sequence of over-approximations of \(\llbracket {L} \rrbracket ^1\):

$$\begin{aligned} (x<2 \implies y\le 1), (x<3 \implies y\le 2), \dots \end{aligned}$$

We also observed this behavior experimentally (Z3 revision d548c51 at http://z3.codeplex.com). The Horn-SMT file for the example is available at http://www.cs.cmu.edu/~akomurav/projects/spacer/gpdr_diverging.smt2.
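As an added example, the following is the editor's own Horn-clause encoding of the appendix program in Z3's fixedpoint input format, so the divergence example can be reproduced; it is not the authors' gpdr_diverging.smt2 file, whose contents are not on this page. Two assumptions are made explicit in the comments: a summary atom lists the callee's outputs first and its input last (the locals \(x_0, y_0, i_0\) of \(L\) are named after its outputs \(x, y, i\), and \(n\) is passed through), and the call-stack bound of \(\models _2\) is modelled with a budget argument \(d\) that every call decrements.

```smt2
; Added example: a Horn-clause encoding of the appendix program for Z3/Spacer,
; written by the editor from the procedure bodies above (not the authors' file).
; Assumptions: (1) a summary atom lists the callee's outputs first and its input
; last, so Sigma_L(x0, y0, i0, n) returns (x0, y0, i0) for input n and
; Sigma_G(x, y) returns x for input y; (2) the call-stack bound of |=_2 is
; modelled by a budget argument d that every call decrements.
(set-option :fp.engine spacer)
(declare-var d Int)
(declare-var n Int) (declare-var x Int) (declare-var y Int) (declare-var i Int)
(declare-var x0 Int) (declare-var y0 Int) (declare-var i0 Int) (declare-var x1 Int)

(declare-rel L (Int Int Int Int Int))  ; L(d, n, x, y, i): input n, outputs x y i
(declare-rel G (Int Int Int))          ; G(d, x0, x1): input x0, output x1
(declare-rel M (Int Int Int))          ; M(d, y0, y): input y0, output y
(declare-rel Err ())

; beta_G: x1 = x0 + 1
(rule (=> (and (>= d 1) (= x1 (+ x0 1)))
          (G d x0 x1)))

; beta_L, first disjunct: i = 0 /\ x = 0 /\ y = 0
(rule (=> (and (>= d 1) (= i 0) (= x 0) (= y 0))
          (L d n x y i)))

; beta_L, second disjunct:
;   Sigma_L(x0, y0, i0, n) /\ x = x0+1 /\ y = y0+1 /\ i = i0+1 /\ i > 0
(rule (=> (and (>= d 1) (L (- d 1) n x0 y0 i0)
               (= x (+ x0 1)) (= y (+ y0 1)) (= i (+ i0 1)) (> i 0))
          (L d n x y i)))

; beta_M: Sigma_L(x, y0, n, n) /\ Sigma_G(x, y) /\ n > 0
(rule (=> (and (>= d 1) (L (- d 1) n x y0 n) (G (- d 1) y x) (> n 0))
          (M d y0 y)))

; Bounded safety query M |=_2 y0 <= y: Err is reachable iff the property
; fails within a call stack of depth 2.
(rule (=> (and (M 2 y0 y) (> y0 y)) Err))
(query Err)
```

With the budget at 2, the only summary of \(L\) available at depth 2 is its first disjunct, which forces \(n = 0\) and contradicts \(n > 0\) in \(\beta_M\), so the query is unsatisfiable (the property holds). Under the argument-order reading assumed here, raising the budget to 3 lets \(L\) take one recursive step and the query becomes satisfiable, which is why the bound is part of the problem statement; if the authors' convention differs, the calls in the \(\beta_M\) rule are the only lines that need swapping.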

Cite this article

Komuravelli, A., Gurfinkel, A. & Chaki, S. SMT-based model checking for recursive programs. Form Methods Syst Des 48, 175–205 (2016). https://doi.org/10.1007/s10703-016-0249-4