Efficient SAT-based bounded model checking for software verification

This paper discusses our methodology for formal analysis and automatic verification of software programs. It is applicable to a large subset of the C programming language that includes pointer arithmetic and bounded recursion. We consider reachability properties, in particular whether certain assertions or basic blocks are reachable in the source code, or whether certain standard property violations can occur. We perform this analysis via a translation to a Boolean circuit representation based on modeling basic blocks. The program is then analyzed by a back-end SAT-based bounded model checker, where each unrolling is mapped to one step in a block-wise execution of the program. The main contributions of this paper are as follows: (1) Use of basic block-based unrollings with SAT-based bounded model checking of software programs. This allows us to take advantage of SAT-based learning inherent to the best performing bounded model checkers. (2) Various heuristics customized for models automatically generated from software, allowing a more efficient SAT-based analysis. (3) A prototype tool called F-Soft has been implemented using our methodology. We present experimental results based on multiple case studies including a C-based implementation of a network protocol, and compare the performance gains using the proposed heuristics.
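The block-wise unrolling the abstract describes can be shown in miniature. The following is an added example, not the paper's or F-Soft's code: it encodes a small program as basic blocks, keeps a one-hot program counter per unrolling depth, defines the state at depth k+1 as every block's effect guarded by its pc bit at depth k (the translation to a Boolean circuit), Tseitin-encodes that circuit to CNF, and at each depth asks a SAT solver whether the error block can be the current block. The handshake program, its block and variable names, the single nondeterministic input bit `ev` ("a message arrived"), and the toy DPLL solver are all constructed for this example; a real tool bit-blasts integers and pointers instead of using Boolean-only state and drives a learning SAT solver rather than the naive one here.

```python
# Expression trees: bool | ('v', name) | ('!', e) | ('&', a, b) | ('|', a, b); AND/OR fold constants.
def V(name): return ('v', name)
def NOT(e):  return (not e) if isinstance(e, bool) else ('!', e)
def _fold(op, unit, zero, es):
    out, es = unit, [e for e in es if e is not unit]
    if any(e is zero for e in es): return zero
    for e in es: out = e if out is unit else (op, out, e)
    return out
def AND(*es): return _fold('&', True, False, es)
def OR(*es):  return _fold('|', False, True, es)
VARS = ['sent', 'acked']                       # program variables: zero-initialised globals (constructed)

class CNF:                                     # Tseitin encoding: one fresh variable, three clauses per gate
    def __init__(self):
        self.clauses, self.names, self.memo, self.nvars = [], {}, {}, 0
        self.true = self.fresh(); self.clauses.append([self.true])      # pin the constant TRUE
    def fresh(self): self.nvars += 1; return self.nvars
    def var(self, name): return self.names[name] if name in self.names else self.names.setdefault(name, self.fresh())
    def lit(self, e):                                         # literal equivalent to expression e
        if isinstance(e, bool): return self.true if e else -self.true
        if e in self.memo: return self.memo[e]
        if e[0] == 'v':   r = self.var(e[1])
        elif e[0] == '!': r = -self.lit(e[1])
        else:
            a, b, r = self.lit(e[1]), self.lit(e[2]), self.fresh()
            if e[0] == '&': self.clauses += [[-r, a], [-r, b], [r, -a, -b]]   # r <-> a & b
            else:           self.clauses += [[-r, a, b], [r, -a], [r, -b]]   # r <-> a | b
        self.memo[e] = r; return r
    def define(self, name, e): v, r = self.var(name), self.lit(e); self.clauses += [[-v, r], [v, -r]]
    def assume(self, e): self.clauses.append([self.lit(e)])

def solve(clauses, decisions):
    """Minimal DPLL (unit propagation + chronological backtracking); branches on program inputs first."""
    assign = {}
    def propagate():
        changed = True
        while changed:
            changed = False
            for c in clauses:
                if any(assign.get(abs(l)) == (l > 0) for l in c): continue        # satisfied
                free = [l for l in c if abs(l) not in assign]
                if not free: return False                                        # conflict
                if len(free) == 1: assign[abs(free[0])], changed = free[0] > 0, True   # unit
        return True
    def search():
        if not propagate(): return False
        v = (next((d for d in decisions if d not in assign), None)
             or next((abs(l) for c in clauses for l in c if abs(l) not in assign), None))
        if v is None: return True                                  # model complete
        snapshot = dict(assign)
        for val in (True, False):
            assign[v] = val
            if search(): return True
            assign.clear(); assign.update(snapshot)
        return False
    return dict(assign) if search() else None

def handshake(buggy):
    """Blocks of a toy send/ack handshake: name -> (assignments, branches, default successor)."""
    give_up = 'check' if buggy else 'recv'     # buggy: proceeds after one step with no ack
    return {                                   # e = current state; e['ev'] = input "message arrived"
        'wait':  ({}, [(lambda e: e['ev'], 'send')], 'wait'),
        'send':  ({'sent': lambda e: True}, [], 'recv'),
        'recv':  ({'acked': lambda e: OR(e['acked'], e['ev'])}, [(lambda e: e['ev'], 'check')], give_up),
        'check': ({}, [(lambda e: AND(e['sent'], NOT(e['acked'])), 'ERR')], 'done'),  # assert(!sent||acked)
        'ERR':   ({}, [], 'ERR'),
        'done':  ({}, [], 'done'),
    }

def goes_to(branches, default, target, e):
    """Condition under which the block transfers control to `target` (first true branch wins)."""
    reach, fallthrough = [], True
    for cond, tgt in branches:
        if tgt == target: reach.append(AND(fallthrough, cond(e)))
        fallthrough = AND(fallthrough, NOT(cond(e)))
    return OR(*(reach + [fallthrough] if default == target else reach))

def unroll_step(cnf, blocks, k):
    """Transition depth k -> k+1: each block's effect guarded by its pc bit; returns the depth-k input var."""
    e = {v: V(f'{v}@{k}') for v in VARS}; e['ev'] = V(f'ev@{k}')
    pc = {b: V(f'pc@{k}:{b}') for b in blocks}
    for v in VARS:
        cnf.define(f'{v}@{k+1}', OR(*[AND(pc[b], asg[v](e) if v in asg else e[v])
                                      for b, (asg, _, _) in blocks.items()]))
    for t in blocks:
        cnf.define(f'pc@{k+1}:{t}', OR(*[AND(pc[b], goes_to(br, d, t, e))
                                         for b, (_, br, d) in blocks.items()]))
    return cnf.var(f'ev@{k}')

def bmc(blocks, bound, entry='wait', error='ERR'):
    """Unroll one block per depth; at depth k ask whether pc@k can be `error`. Returns (depth, trace) or None."""
    cnf, decisions = CNF(), []
    for v in VARS: cnf.assume(NOT(V(f'{v}@0')))
    for b in blocks: cnf.assume(V(f'pc@0:{b}') if b == entry else NOT(V(f'pc@0:{b}')))
    for k in range(bound + 1):
        cnf.clauses.append([cnf.var(f'pc@{k}:{error}')])           # query clause for depth k
        model = solve(cnf.clauses, decisions)
        cnf.clauses.pop()
        if model:                                                  # counterexample: (block, input) per depth
            return k, [(next(b for b in blocks if model.get(cnf.var(f'pc@{j}:{b}'))),
                        model.get(cnf.var(f'ev@{j}'))) for j in range(k)]
        decisions.append(unroll_step(cnf, blocks, k))
    return None
```

`bmc(handshake(buggy=True), 8)` returns depth 4 with the trace wait, send, recv, check: the message arrives at depth 0, no ack arrives at depth 2, and the buggy `recv` falls through to `check` with `sent` set and `acked` clear, so the assertion block's error edge is taken. `bmc(handshake(buggy=False), 5)` returns `None`, which says only that no execution of at most five block steps reaches the error block; it is not a proof for longer runs, which is the bounded in bounded model checking and the reason the paper's back end pairs BMC with unbounded techniques for proofs.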
