Over-approximating loops to prove properties using bounded model checking

Bounded model checkers (BMCs) are widely used to detect violations of program properties up to a bounded execution length of the program. When it comes to proving properties, however, BMCs cannot provide a sound result for programs with loops of large or unknown bounds. To address this limitation, we developed a new loop over-approximation technique, LA. LA replaces a given loop in a program with an abstract loop having a smaller, known bound by combining output abstraction with a novel abstract acceleration, suitably augmented with a new application of induction. The resulting transformed program can then be fed to any bounded model checker to obtain a sound proof of the desired properties. We call this approach, LA followed by BMC, LABMC. We evaluated the effectiveness of LABMC on some of the SV-COMP14 loop benchmarks, each with a property encoded into it. Well-known BMCs failed to prove most of these properties because of loops with large, infinite or unknown bounds, while LABMC obtained promising results. We also performed experiments on a real-world automotive application on which the well-known BMCs were able to prove only one of the 186 array accesses to be within array bounds; LABMC successfully proved 131 of those array accesses to be within array bounds.
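
How a loop over-approximation lets a bounded checker get by with a single abstract iteration is easiest to see on one concrete loop shape. The C below is an added illustration written for this page, not the paper's LA implementation or its tool: it applies abstract acceleration on an interval domain to a counting loop with an array access and checks the array-bounds property on the accelerated interval, then spot-checks that the abstraction is sound against the concrete loop. The loop shape, the array size SIZE, the helper names (accelerate, widen_only, access_in_bounds, concrete_safe, abstraction_is_sound) and the assumptions that the step is positive and the counter does not overflow are all mine; the paper's output abstraction and its induction step are not modelled.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration of loop over-approximation by abstract
 * acceleration on an interval domain. It is NOT the paper's LA
 * implementation; the loop shape, SIZE and the helper names are assumptions.
 *
 * Loop under analysis:
 *     for (i = start; i < n; i += step) buf[i + off] = ...;
 * with buf of SIZE elements and n possibly unknown (n_hi = INT_MAX).
 * Assumed: step > 0 and no integer overflow of i.
 *
 * The body is entered with i in { start + k*step : k >= 0, start + k*step < n }.
 * An accelerated transfer function computes the hull of that set in one
 * step, so a bounded model checker only has to explore one abstract
 * iteration (pick k, assume the guard, assert the property) instead of
 * unrolling up to n_hi iterations. */

#define SIZE 64

typedef struct { long lo, hi; } interval;   /* lo > hi encodes the empty set */

static interval empty(void) { interval e = { 1, 0 }; return e; }

/* Hull of i at body entry over every n <= n_hi (a larger n only adds
 * entries, so n_hi alone fixes the upper end). */
static interval accelerate(long start, long step, long n_hi)
{
    if (step <= 0 || start >= n_hi) return empty();
    long k_max = (n_hi - 1 - start) / step;   /* last k with start+k*step < n_hi */
    interval r = { start, start + k_max * step };
    return r;
}

/* Stride-blind alternative: plain widening up to the guard bound. */
static interval widen_only(long start, long n_hi)
{
    if (start >= n_hi) return empty();
    interval r = { start, n_hi - 1 };
    return r;
}

/* The property at the access buf[i + off], checked on the abstract interval.
 * An empty interval means the body never runs, so the property holds vacuously. */
static bool access_in_bounds(interval i, long off)
{
    if (i.lo > i.hi) return true;
    return i.lo + off >= 0 && i.hi + off < SIZE;
}

/* Concrete reference for one specific n: is every iteration's index in
 * bounds? No memory is touched; only the index is checked. */
static bool concrete_safe(long start, long step, long n, long off)
{
    for (long i = start; i < n; i += step)
        if (i + off < 0 || i + off >= SIZE) return false;
    return true;
}

/* Soundness spot-check: if the abstraction proves the access safe, the
 * concrete loop must be safe for every n up to n_hi. Returns false on a
 * counterexample to soundness (there should be none). */
static bool abstraction_is_sound(long start, long step, long n_hi, long off)
{
    if (!access_in_bounds(accelerate(start, step, n_hi), off)) return true;
    for (long n = 0; n <= n_hi; n++)
        if (!concrete_safe(start, step, n, off)) return false;
    return true;
}

int main(void)
{
    /* 1. Guarded loop `while (i < n && i < SIZE)`: the SIZE conjunct bounds
          the accelerated interval even though n itself is unknown. */
    printf("guarded, n unknown  : %s\n",
           access_in_bounds(accelerate(0, 1, SIZE), 0) ? "proved" : "not proved");
    /* 2. Unguarded loop with unknown n: the hull reaches INT_MAX-1, and the
          failed proof reflects a real violation, not a false alarm. */
    printf("unguarded, n unknown: %s\n",
           access_in_bounds(accelerate(0, 1, INT_MAX), 0) ? "proved" : "not proved");
    /* 3. Odd stride: i takes 1,3,...,63 for n = 65. Acceleration keeps the
          stride and proves it; stride-blind widening ([1,64]) cannot. */
    printf("stride 2, n = 65    : accelerated=%s widened=%s\n",
           access_in_bounds(accelerate(1, 2, 65), 0) ? "proved" : "not proved",
           access_in_bounds(widen_only(1, 65), 0) ? "proved" : "not proved");
    printf("soundness spot-check: %s\n",
           abstraction_is_sound(1, 2, 65, 0) ? "ok" : "BROKEN");
    return 0;
}
```

Case 3 is the caveat a practitioner should keep in mind: an over-approximation trades precision for a sound proof, so a failed proof on the transformed program is not by itself a bug report. The stride-blind widening flags a loop that is in fact safe, and the exact stride-aware hull is what recovers the proof; an abstract counterexample reported by the BMC still has to be replayed against the concrete loop before it is treated as a real out-of-bounds access.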