Bounded model checking of software using SMT solvers instead of SAT solvers

C bounded model checking (cbmc) has proved to be a successful approach to automatic software analysis. The key idea is to (i) build a propositional formula whose models correspond to program traces (of bounded length) that violate some given property and (ii) use state-of-the-art SAT solvers to check the resulting formulae for satisfiability. In this paper, we propose a generalisation of the cbmc approach on the basis of an encoding into richer (but still decidable) theories than propositional logic. We show that our approach may lead to considerably more compact formulae than those obtained with cbmc. We have built a prototype implementation of our technique that uses a satisfiability modulo theories (SMT) solver to solve the resulting formulae. Computer experiments indicate that our approach compares favourably with—and on some significant problems outperforms—cbmc.
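To make the two-step recipe in the abstract concrete, here is an added toy bounded model checker (example code written for this page, not the paper's prototype or cbmc). It unrolls a small loop program a fixed number of times, renames variables into SSA form, and emits one SMT-LIB2 formula over the QF_BV (fixed-width bit-vector) theory whose satisfying models are exactly the bounded traces that violate an assertion. Because no solver is available offline, a brute-force evaluator over the same constraints stands in for the SMT solver. The program, the tuple-based AST, the 4-bit width, the guarded-SSA encoding and all function names are assumptions made for this example.

```python
"""Toy bounded model checker: unroll, SSA-rename, emit QF_BV, check.
Constructed example; the 4-bit width and program are not from the paper."""
from itertools import product

WIDTH = 4                 # bit width of every program variable (assumed)
MASK = (1 << WIDTH) - 1   # arithmetic wraps modulo 2**WIDTH, as in C

# Expression AST (tuples):  ("var", name) ("const", n) ("true",)
#   ("add", a, b) -> bit-vector, wraps      ("lt", a, b) ("eq", a, b) -> Bool
#   ("and", a, b) ("not", a) ("implies", a, b) -> Bool   ("ite", c, a, b) -> bit-vector
SMT_OPS = {"add": "bvadd", "lt": "bvult", "eq": "=", "and": "and",
           "not": "not", "implies": "=>", "ite": "ite"}


class Unroller:
    """Unroll loops `bound` times; collect SSA definitions plus guarded
    assumptions and assertions (guard = path condition of the statement)."""

    def __init__(self, bound):
        self.bound = bound
        self.version = {}   # program variable -> current SSA version
        self.inputs = []    # SSA variables read before any write (nondeterministic)
        self.defs = []      # (ssa_var, expr): definitional equalities
        self.assumes = []   # (guard, expr): guard => expr must hold on the trace
        self.asserts = []   # (guard, expr): guard => expr is the checked property

    def cur(self, var):
        if var not in self.version:          # first read: fresh nondet input
            self.version[var] = 0
            self.inputs.append(f"{var}_0")
        return ("var", f"{var}_{self.version[var]}")

    def fresh(self, var):
        self.version[var] = self.version.get(var, -1) + 1
        return f"{var}_{self.version[var]}"

    def rename(self, expr):
        """Replace program variables by their current SSA versions."""
        if expr[0] == "var":
            return self.cur(expr[1])
        if expr[0] in ("const", "true"):
            return expr
        return (expr[0],) + tuple(self.rename(e) for e in expr[1:])

    def run(self, stmts, guard=("true",)):
        for s in stmts:
            kind = s[0]
            if kind == "assign":             # x = e  becomes  x_k+1 = ite(guard, e, x_k)
                rhs = self.rename(s[2])      # rename before creating the new version
                if guard == ("true",):
                    self.defs.append((self.fresh(s[1]), rhs))
                else:
                    old = self.cur(s[1])
                    self.defs.append((self.fresh(s[1]), ("ite", guard, rhs, old)))
            elif kind == "assume":
                self.assumes.append((guard, self.rename(s[1])))
            elif kind == "assert":
                self.asserts.append((guard, self.rename(s[1])))
            elif kind == "while":            # `bound` guarded copies of the body
                g = guard
                for _ in range(self.bound):
                    g = ("and", g, self.rename(s[1]))
                    self.run(s[2], g)
                # unwinding assumption: only traces that leave the loop within
                # `bound` iterations are considered (cbmc can assert this instead)
                self.assumes.append((g, ("not", self.rename(s[1]))))
            else:
                raise ValueError(kind)
        return self


def to_smt(expr):
    tag = expr[0]
    if tag == "var":
        return expr[1]
    if tag == "const":
        return f"(_ bv{expr[1] & MASK} {WIDTH})"
    if tag == "true":
        return "true"
    return "(" + " ".join([SMT_OPS[tag]] + [to_smt(e) for e in expr[1:]]) + ")"


def emit_smtlib(u):
    """SMT-LIB2 QF_BV problem: defs /\\ assumes /\\ not(all asserts).
    A model is a bounded trace that violates some assertion."""
    lines = ["(set-logic QF_BV)"]
    for v in u.inputs + [v for v, _ in u.defs]:
        lines.append(f"(declare-const {v} (_ BitVec {WIDTH}))")
    for v, e in u.defs:
        lines.append(f"(assert (= {v} {to_smt(e)}))")
    for g, e in u.assumes:
        lines.append(f"(assert {to_smt(('implies', g, e))})")
    prop = ("true",)
    for g, e in u.asserts:
        prop = ("and", prop, ("implies", g, e))
    lines.append(f"(assert {to_smt(('not', prop))})")
    return "\n".join(lines + ["(check-sat)", "(get-model)"])


def evaluate(expr, env):
    tag = expr[0]
    if tag == "var":
        return env[expr[1]]
    if tag == "const":
        return expr[1] & MASK
    if tag == "true":
        return True
    a = [evaluate(e, env) for e in expr[1:]]
    if tag == "add":
        return (a[0] + a[1]) & MASK       # modular bit-vector addition
    if tag == "lt":
        return a[0] < a[1]                # unsigned comparison (bvult)
    if tag == "eq":
        return a[0] == a[1]
    if tag == "and":
        return a[0] and a[1]
    if tag == "not":
        return not a[0]
    if tag == "implies":
        return (not a[0]) or a[1]
    if tag == "ite":
        return a[1] if a[0] else a[2]
    raise ValueError(tag)


def find_counterexample(u):
    """Stand-in for the SMT solver: enumerate the nondeterministic inputs and
    return the first trace that satisfies every assumption and violates some
    assertion, or None when the formula is unsatisfiable at this bound."""
    for values in product(range(1 << WIDTH), repeat=len(u.inputs)):
        env = dict(zip(u.inputs, values))
        for v, e in u.defs:                      # SSA definitions evaluate in order
            env[v] = evaluate(e, env)
        if not all(evaluate(("implies", g, e), env) for g, e in u.assumes):
            continue
        if not all(evaluate(("implies", g, e), env) for g, e in u.asserts):
            return env
    return None


# Constructed program (C-like, 4-bit unsigned arithmetic):
#   y = 0; while (y < 3) { x = x + 1; y = y + 1; }  assert(x != 0);
# x is read before it is written, so x_0 is a nondeterministic input.
PROGRAM = [
    ("assign", "y", ("const", 0)),
    ("while", ("lt", ("var", "y"), ("const", 3)), [
        ("assign", "x", ("add", ("var", "x"), ("const", 1))),
        ("assign", "y", ("add", ("var", "y"), ("const", 1))),
    ]),
    ("assert", ("not", ("eq", ("var", "x"), ("const", 0)))),
]


def unroll(program, bound):
    return Unroller(bound).run(program)


if __name__ == "__main__":
    u = unroll(PROGRAM, 3)
    print(emit_smtlib(u))
    print("bound 3:", find_counterexample(u))            # x_0 = 13 wraps x to 0
    print("bound 2:", find_counterexample(unroll(PROGRAM, 2)))  # None: loop not exited
```

Two things worth noticing in the output. First, each `x + 1` stays a single `bvadd` term that the solver's bit-vector procedure handles natively, whereas a cbmc-style bit-blast would expand every addition into a ripple-carry adder over WIDTH full adders before the SAT solver sees it; that is the compactness argument of the abstract in miniature. Second, the bound matters for soundness of a "no counterexample" answer: at bound 2 the unwinding assumption prunes the only trace that reaches the wrap-around, so the formula is unsatisfiable even though the program is wrong, and the bug appears only once the bound is raised to 3.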
