Incremental bounded software model checking

Conventional Bounded Software Model Checking tools generate a symbolic representation of all feasible executions of a program up to a predetermined bound. An insufficiently large bound results in missed bugs, and increasing the bound afterwards requires rebuilding the whole instance and restarting the underlying solver, which discards the state the solver had built up. Conversely, an excessively large bound yields a prohibitively large decision problem, so the verifier runs out of resources before it can return a result. We present an incremental approach to Bounded Software Model Checking which allows the bound to be increased without the overhead of a restart. Further, we provide an LLVM-based open-source implementation that supports a wide range of incremental SMT solvers. We compare our implementation with traditional, non-incremental software model checkers and show the advantages of incremental verification by analyzing the overhead incurred on a common suite of benchmarks.
