Bounded Program Verification Using an SMT Solver: A Case Study

We present a novel approach to bounded program verification that exploits recent advances in SMT solvers for modular checking of object-oriented code against its full specification. Bounded program verification techniques exhaustively check the specifications of a bounded program with respect to a bounded domain. To our knowledge, however, those techniques that target data-structure-rich programs reduce the problem to propositional logic directly and use a SAT solver as the backend engine. Scalability therefore becomes a major issue because of the cost of bit-blasting. In this paper, we present a novel approach that translates bounded Java programs and their JML specifications to quantified bit-vector formulas (QBVF) with arrays, and solves them using an SMT solver. QBVF allows logical constraints that are structurally closer to the original program and specification, and these constraints can be significantly simplified by high-level reasoning before being flattened into a basic logic. We also present a case study on a large-scale implementation of Dijkstra's shortest path algorithm. The results indicate that our approach provides significant speedups over a SAT-based approach.
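As an added illustration (not code from the paper or its tool), the SMT-LIB script below shows one hand-written instance of the translation the abstract describes: a small JML-annotated Java method is encoded over 32-bit bit-vectors and an SMT array, its loop is unrolled to the chosen scope bound, and the quantified precondition is kept as a QBVF formula for the solver instead of being bit-blasted. The method, its specification and the bound of 3 are constructed for this example.

```smt2
; Added example, not from the paper. Java/JML source being encoded:
;
;   //@ requires n >= 1 && n <= 3;                          (scope bound)
;   //@ requires (\forall int i; 0 <= i && i < n; a[i] >= 0);
;   //@ ensures  \result >= 0;
;   int min(int[] a, int n) {
;       int m = a[0];
;       for (int i = 1; i < n; i++) if (a[i] < m) m = a[i];
;       return m;
;   }
;
; Java ints become 32-bit bit-vectors, the Java array becomes an SMT array
; from index bit-vectors to element bit-vectors, and the loop is unrolled
; twice because the bound gives n <= 3.
(set-logic ALL)
(set-option :produce-models true)

(declare-const a (Array (_ BitVec 32) (_ BitVec 32)))
(declare-const n (_ BitVec 32))

; JML requires: 1 <= n <= 3 (signed comparisons, as in Java)
(assert (bvsle #x00000001 n))
(assert (bvsle n #x00000003))

; Loop unrolling: m_k is the value of m after k iterations.
(define-fun m0 () (_ BitVec 32) (select a #x00000000))
(define-fun step ((i (_ BitVec 32)) (m (_ BitVec 32))) (_ BitVec 32)
  (ite (bvslt i n)                                  ; loop guard i < n
       (ite (bvslt (select a i) m) (select a i) m)  ; loop body
       m))                                          ; guard false: no change
(define-fun m1 () (_ BitVec 32) (step #x00000001 m0))
(define-fun m2 () (_ BitVec 32) (step #x00000002 m1))
(define-fun result () (_ BitVec 32) m2)

; Negated JML ensures: search for an execution with a negative result.
(assert (bvslt result #x00000000))

; First query: the quantified precondition is not yet asserted, so the
; negated specification is satisfiable and the model is a concrete
; bounded counterexample (an array holding a negative element).
(push)
(check-sat)
(get-value (n (select a #x00000000) result))
(pop)

; Second query: add the quantified JML requires as a QBVF constraint.
; Every element read by the unrolled loop is now non-negative, so the
; negated specification becomes unsatisfiable within the scope bound.
(assert (forall ((i (_ BitVec 32)))
  (=> (and (bvsle #x00000000 i) (bvslt i n))
      (bvsle #x00000000 (select a i)))))
(check-sat)
```

The script can be fed directly to an SMT-LIB 2 compliant solver such as Z3; the contrast between the two queries is the bounded-verification workflow the abstract describes, with the universally quantified precondition handled at the QBVF level rather than after bit-blasting.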
