Bounded Model Checking of Software Using SMT Solvers Instead of SAT Solvers

C Bounded Model Checking (CBMC) has proven to be a successful approach to automatic software analysis. The key idea is to (i) build a propositional formula whose models correspond to program traces of bounded length that violate a given property, and (ii) use a state-of-the-art SAT solver to check the resulting formula for satisfiability. In this paper we propose a generalisation of the CBMC approach based on an encoding into theories that are richer than propositional logic but still decidable, such as fixed-size bit-vectors and arrays. We show that this encoding can yield considerably more compact formulae than those produced by CBMC, since word-level operations are kept as single constraints instead of being bit-blasted into propositional clauses. We have built a prototype implementation of the technique that uses a Satisfiability Modulo Theories (SMT) solver to discharge the resulting formulae. Experimental results indicate that our approach compares favourably with CBMC and, on some significant problems, outperforms it.
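To make steps (i) and (ii) concrete, the following is an added example (not code from the paper or its prototype) that performs the bounded unrolling and SSA encoding for a constructed toy C loop and emits the result as an SMT-LIB2 script over the QF_AUFBV theory (bit-vectors plus arrays), the kind of word-level encoding the abstract describes. The word width (32 bits), the buffer size (4) and the program itself are assumptions chosen for illustration; the property checked is that an untrusted loop bound cannot drive an array write out of bounds.

```python
"""Bounded model checking (BMC) encoding of a small C-like loop into SMT-LIB2.

Added example, not code from the paper. The program being checked is a
constructed toy (assumption, for illustration only):

    unsigned i = 0, n = nondet();      /* n: untrusted input      */
    unsigned a[4];
    while (i < n) { a[i] = i; i++; }   /* write must stay in a[0..3] */

The loop is unrolled `bound` times; each unrolled iteration becomes a guarded
single-assignment (SSA) step, and the safety property "every write stays in
bounds" is negated, so a satisfying model is a counterexample trace.  Values
are WIDTH-bit bit-vectors and the buffer is an SMT array, i.e. the QF_AUFBV
theory rather than a bit-blasted propositional formula.
"""

WIDTH = 32          # assumed word width of the toy program
BUF_LEN = 4         # assumed buffer size
BV = f"(_ BitVec {WIDTH})"
ARR = f"(Array {BV} {BV})"


def const(n):
    """SMT-LIB literal for an unsigned WIDTH-bit constant."""
    return f"(_ bv{n} {WIDTH})"


def encode(bound, check_unwinding=True):
    """Return an SMT-LIB2 script that is satisfiable iff some input n drives
    the program to an out-of-bounds write within `bound` loop iterations
    (or, if check_unwinding is set, leaves the loop still running after the
    last unrolled iteration, i.e. the bound was too small to conclude)."""
    if bound < 1:
        raise ValueError("bound must be at least 1")
    out = ["(set-logic QF_AUFBV)",
           f"(declare-const n {BV})",          # nondeterministic input
           f"(declare-const a0 {ARR})",        # initial, unconstrained buffer
           f"(define-fun i0 () {BV} {const(0)})"]
    guard = "true"                             # path condition reaching step k
    bad = []                                   # ways the property can fail
    for k in range(bound):
        # iteration k runs only if all earlier ones ran and i < n still holds
        out.append(f"(define-fun g{k} () Bool (and {guard} (bvult i{k} n)))")
        # negated property for the write a[i] performed in this iteration
        bad.append(f"(and g{k} (bvuge i{k} {const(BUF_LEN)}))")
        # SSA versions of a and i after the step (unchanged if not taken)
        out.append(f"(define-fun a{k + 1} () {ARR} "
                   f"(ite g{k} (store a{k} i{k} i{k}) a{k}))")
        out.append(f"(define-fun i{k + 1} () {BV} "
                   f"(ite g{k} (bvadd i{k} {const(1)}) i{k}))")
        guard = f"g{k}"
    if check_unwinding:
        # CBMC-style unwinding assertion: the loop condition must be false
        # after `bound` iterations, otherwise the bound was insufficient
        bad.append(f"(and {guard} (bvult i{bound} n))")
    out.append(f"(assert (or {' '.join(bad)}))")
    out += ["(check-sat)", "(get-model)"]
    return "\n".join(out)


def run_concrete(n, bound):
    """Concrete execution of the same toy program, used to confirm a
    counterexample: returns the first out-of-bounds index written, or None
    if no write leaves the buffer within `bound` iterations."""
    i = 0
    for _ in range(bound):
        if not i < n:
            break
        if i >= BUF_LEN:
            return i
        i += 1
    return None


if __name__ == "__main__":
    # Five unrollings are enough to expose the write at a[4]; with only
    # four, the unwinding assertion reports that the bound is too small.
    print(encode(5, check_unwinding=False))
    print(";; concrete replay with n=5 first writes index", run_concrete(5, 5))
```

The script can be piped into any SMT-LIB2 solver (for example `z3 -smt2 file.smt2`); `sat` together with the model's value of `n` is the counterexample input, which `run_concrete` replays to confirm the trace. Note that the word-level script keeps `bvadd`, `bvult` and `store` as single constraints; a SAT-based encoding would expand each of them into adder and comparator circuits over individual bits, which is the formula growth the paper's approach avoids.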
