Synthesizing Safe Bit-Precise Invariants

Bit-precise software verification is an important and difficult problem. While there has been amazing progress in SAT solving, Satisfiability Modulo the Theory of Bit Vectors, and bit-precise Bounded Model Checking, proving bit-precise safety, i.e. synthesizing a safe inductive invariant, remains a challenge. Although the problem is decidable and is reducible to propositional safety by bit-blasting, that approach does not scale in practice. The alternative approach of lifting propositional algorithms to bit-vectors is difficult. In this paper, we propose a novel technique that uses unsound approximations (i.e., neither over- nor under-approximations) for synthesizing sound bit-precise invariants. We prototyped the technique using the Z3/PDR engine and applied it to bit-precise verification of benchmarks from SVCOMP'13. Even with our preliminary implementation we were able to demonstrate significant (orders of magnitude) performance improvements with respect to bit-precise verification using Z3/PDR directly.
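To make the abstract's central claim concrete, here is an added example (not the paper's code, which builds on Z3/PDR): a toy loop over one 8-bit variable where the unbounded-integer view is neither an over- nor an under-approximation of the bit-vector semantics, and where a candidate invariant is checked for bit-precise inductiveness by exhaustive enumeration of all 2^8 states. The loop, the width and all names are constructed for illustration; the integer-semantics check is only a bounded sample, not a proof.

```python
# Constructed example: the loop "x := 1; while (*) x := 2 * x" over one
# 8-bit unsigned variable. Bit-precise checks enumerate all 2^8 states, so
# they are complete; the integer view is sampled and only finds counterexamples.
WIDTH = 8
MASK = (1 << WIDTH) - 1
BV_STATES = range(1 << WIDTH)       # every 8-bit state
INT_SAMPLE = range(1 << 12)         # bounded sample of the unbounded-integer view


def init(x):
    return x == 1


def step_bv(x):
    return (2 * x) & MASK           # bit-precise semantics: wraps past 255


def step_int(x):
    return 2 * x                    # unbounded-integer approximation


def check(inv, prop, step, states):
    """Return (True, None) if inv holds on initial states, is closed under
    step (consecution) and implies prop on every state in `states`;
    otherwise (False, (failed_condition, witness_state))."""
    for x in states:
        if init(x) and not inv(x):
            return False, ("initiation", x)
        if inv(x) and not prop(x):
            return False, ("safety", x)
        if inv(x) and not inv(step(x)):
            return False, ("consecution", x)
    return True, None


def bit_precise(inv, prop):
    return check(inv, prop, step_bv, BV_STATES)


def int_approx(inv, prop):
    return check(inv, prop, step_int, INT_SAMPLE)


def reachable(step, steps):
    """States reached from the initial state within `steps` iterations."""
    seen, x = {1}, 1
    for _ in range(steps):
        x = step(x)
        seen.add(x)
    return seen


if __name__ == "__main__":
    # "x >= 1" proves "x != 0" over integers but fails bit-precisely at 128.
    print(int_approx(lambda x: x >= 1, lambda x: x != 0))
    print(bit_precise(lambda x: x >= 1, lambda x: x != 0))
```

The integer view reaches 256, which no 8-bit run reaches, while the 8-bit run reaches 0, which no integer run reaches; a candidate such as `x & (x - 1) == 0` passes the bit-precise check regardless of how it was found.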
