Boolean and Cartesian abstraction for model checking C programs

We show how to attack the problem of model checking a C program with recursive procedures using an abstraction that we formally define as the composition of the Boolean and the Cartesian abstractions. It is implemented through a source-to-source transformation into a ‘Boolean’ C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worst-case complexity but feasible in practice.
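The two abstractions named above can be made concrete with a brute-force model, given here as an added example that is not code from the paper or its implementation. The paper's transformation works symbolically on C source; this example instead fixes a tiny finite state space (two integers in a small range, a hypothetical choice) so that the exact Boolean abstraction of a statement can be computed by enumeration, and then applies the Cartesian abstraction on top of it, printing the result the way a Boolean program would write it (each predicate variable becomes 0, 1 or `*`). The predicates `x==0` and `y==0` and the two statements are constructed for the example.

```python
from itertools import product

# Constructed toy program state: two integer variables over a small finite
# range, so the exact Boolean abstraction can be computed by enumeration.
DOMAIN = range(-2, 3)
STATES = [(x, y) for x in DOMAIN for y in DOMAIN]

# The predicates of the abstraction (a hypothetical choice for this example).
PREDICATES = [
    ("x==0", lambda x, y: x == 0),
    ("y==0", lambda x, y: y == 0),
]

def alpha(state):
    """Predicate valuation of one concrete state: a tuple of booleans,
    one per predicate (this is an abstract state of the Boolean program)."""
    x, y = state
    return tuple(bool(p(x, y)) for _, p in PREDICATES)

def boolean_post(stmt, bits):
    """Boolean abstraction of a statement: the exact set of abstract states
    reachable from abstract state `bits`. `stmt` maps a concrete state to the
    set of its successors (a set, so nondeterministic choice is allowed)."""
    return {alpha(t) for s in STATES if alpha(s) == bits for t in stmt(s)}

def cartesian(valuations):
    """Cartesian abstraction of a set of bit vectors: drop the correlations
    between predicates and keep, per predicate, only the set of values it takes."""
    if not valuations:
        return None  # nothing reachable
    return tuple(frozenset(v[i] for v in valuations) for i in range(len(PREDICATES)))

def gamma_cartesian(cart):
    """Concretisation of a Cartesian element back to a set of bit vectors."""
    if cart is None:
        return set()
    return set(product(*cart))

def boolean_program_assignment(stmt, bits):
    """Composition of both abstractions, rendered the way a Boolean program
    would write it: each predicate variable becomes 0, 1 or * (unknown)."""
    cart = cartesian(boolean_post(stmt, bits))
    if cart is None:
        return "assume(false)"
    def sym(vals):
        return "*" if len(vals) == 2 else ("1" if True in vals else "0")
    return "; ".join(f"b_{name} := {sym(vals)}" for (name, _), vals in zip(PREDICATES, cart))

# Two constructed statements over the toy state.
def choose_zero(state):
    """if (*) x = 0; else y = 0;   (nondeterministic branch)"""
    x, y = state
    return {(0, y), (x, 0)}

def assign_x_from_y(state):
    """x = y;"""
    x, y = state
    return {(y, y)}

if __name__ == "__main__":
    start = (False, False)  # abstract state for x != 0 && y != 0
    exact = boolean_post(choose_zero, start)
    print("Boolean abstraction:   ", sorted(exact))
    print("Cartesian abstraction: ", sorted(gamma_cartesian(cartesian(exact))))
    print("Boolean program line:  ", boolean_program_assignment(choose_zero, start))
    print("x = y from x==0, y!=0: ", boolean_program_assignment(assign_x_from_y, (True, False)))
```

Running it shows the precision trade-off the composition makes: from the abstract state where both variables are non-zero, the nondeterministic branch reaches exactly the two valuations `(x==0, y!=0)` and `(x!=0, y==0)`, but the Cartesian abstraction of that set admits all four combinations, including the unreachable one where both are zero, because each predicate is tracked independently as `*`. For the deterministic `x = y` the two abstractions coincide, which is the common case that makes the cheaper per-predicate computation feasible in practice.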
