Harnessing SMT-Based Bounded Model Checking through Stateless Explicit-State Exploration

We propose a hybrid approach to improving the verification performance of SMT-based bounded model checking for LTL properties. In this approach, stateless explicit-state exploration is utilized to traverse, under the constraints of bounded context switches, the state space of a system design and memorize legal execution paths. These paths are classified according to certain predicates into path clusters, which are then encoded into propositional formulas representing, together with the encoded formula for an LTL property, independent BMC instances. Such BMC instances are solved with SMT solvers running on multicores in parallel. Once a counterexample is found for one of the instances, the entire model checking terminates. This hybrid checking procedure progresses in an incremental fashion until either a counterexample is found or the user-specified bound is reached. We have implemented this proposed hybrid approach in a tool called Garakabu2 with CVC4 as its backend solver. The experimental results show that Garakabu2 often outperforms the state-of-the-art pure BMC methods implemented in the SAL infinite bounded model checker for both safety and liveness properties.
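As an added illustration (not the Garakabu2 implementation, which encodes path clusters as SMT formulas for CVC4), the Python sketch below runs the procedure the abstract describes on a constructed two-thread lost-update design: stateless exploration under a context-switch bound, clustering of the memorized paths by a predicate, independent checks per cluster in parallel with early termination, and a bound raised round by round. The design, thread names and clustering predicate are assumptions, and the per-cluster replay stands in for the SMT instance.

```python
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed toy design (assumption): two threads each increment a shared counter non-atomically.
THREADS = {"T1": ["load", "store"], "T2": ["load", "store"]}

def run(path):
    """Replay one schedule (sequence of thread ids) and return the final counter value."""
    shared, local, pc = 0, {}, {t: 0 for t in THREADS}
    for t in path:
        if THREADS[t][pc[t]] == "load":
            local[t] = shared
        else:
            shared = local[t] + 1
        pc[t] += 1
    return shared

def explore(switches):
    """Stateless DFS: memorize complete interleavings using exactly `switches` context switches."""
    paths, pc = [], {t: 0 for t in THREADS}
    def dfs(path, last, used):
        if all(pc[t] == len(THREADS[t]) for t in THREADS):
            if used == switches:          # paths with fewer switches belong to earlier rounds
                paths.append(tuple(path))
            return
        for t in THREADS:
            u = used + (1 if last not in (None, t) else 0)
            if pc[t] < len(THREADS[t]) and u <= switches:
                pc[t] += 1; path.append(t)
                dfs(path, t, u)
                path.pop(); pc[t] -= 1
    dfs([], None, 0)
    return paths

def cluster(paths):
    """Partition paths by a predicate: here, which thread issues the first load."""
    clusters = {}
    for p in paths:
        clusters.setdefault(p[0], []).append(p)
    return clusters

def check_instance(cluster_paths, prop):
    """Stand-in for one BMC instance: a path in the cluster violating prop, or None."""
    return next((p for p in cluster_paths if not prop(run(p))), None)

def hybrid_check(prop, max_switches):
    """Raise the bound incrementally; check each round's clusters in parallel; stop at the first counterexample."""
    for bound in range(max_switches + 1):
        with ThreadPoolExecutor() as pool:
            jobs = [pool.submit(check_instance, c, prop) for c in cluster(explore(bound)).values()]
            for job in as_completed(jobs):
                if job.result() is not None:
                    return bound, job.result()
    return None
```

With the safety property "final counter equals 2", no interleaving with one context switch violates it, and the lost update first appears at bound 2.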
