SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Propositional bounded model checking has been applied successfully to verify embedded software, but it remains limited by increasing propositional formula sizes and by the loss of high-level information during the translation, which prevents optimizations that would reduce the state space to be explored. These limitations can be overcome by encoding high-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we propose the application of different background theories and SMT solvers to the verification of embedded software written in ANSI-C in order to improve scalability and precision in a completely automatic way. We have modified and extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for variables of finite bit width, bit-vector operations, arrays, structures, unions, and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded software applications from telecommunications, control systems, and medical devices. The experiments show that our ESBMC model checker can analyze larger problems than existing tools and substantially reduce the verification time.
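The precision point the abstract makes (modelling variables of finite bit width in a bit-vector theory rather than as unbounded integers) can be illustrated on a tiny program. The following is an added, constructed example and is not ESBMC's or CBMC's own code: a three-line C fragment with one nondeterministic 8-bit input is encoded, SSA-style, as a QF_BV verification condition of the kind an SMT-based bounded model checker would hand to a solver, and for contrast as the same condition over unbounded integers (QF_LIA). Because no SMT solver is assumed to be installed, both conditions are also checked by brute force over the 256 possible inputs; the program, the variable names `x0`/`y0`, and the constant 200 are all assumptions of the example.

```python
"""Toy view of an SMT-based BMC encoding with finite-width bit-vectors.

Constructed example (not ESBMC/CBMC code). The C program under analysis is:

    unsigned char x = nondet_uchar();   /* 8-bit, any value            */
    unsigned char y = x + 200;          /* wraps around modulo 256     */
    assert(y >= x);                     /* valid over integers, not so */
                                        /* over 8-bit unsigned values  */

A BMC tool turns the straight-line program into SSA constraints and conjoins
the NEGATED property; a satisfying assignment is a counterexample.
"""
from typing import Optional, Tuple

WIDTH = 8                      # bit width of `unsigned char` assumed here
MASK = (1 << WIDTH) - 1        # 0xFF: wrap-around mask for 8-bit arithmetic
OFFSET = 200                   # constant added to the nondeterministic input


def encode_bv() -> str:
    """QF_BV verification condition: program constraints + negated assertion.

    `bvadd` is addition modulo 2^WIDTH, so the encoding is faithful to the
    C semantics of `unsigned char` arithmetic.
    """
    return "\n".join([
        "(set-logic QF_BV)",
        f"(declare-const x0 (_ BitVec {WIDTH}))",
        f"(declare-const y0 (_ BitVec {WIDTH}))",
        f"(assert (= y0 (bvadd x0 (_ bv{OFFSET} {WIDTH}))))",  # y = x + 200
        "(assert (not (bvuge y0 x0)))",                       # not (y >= x)
        "(check-sat)",
        "(get-model)",
    ])


def encode_lia() -> str:
    """Same program over unbounded integers: the wrap-around is lost, so the
    verification condition is unsatisfiable and the real bug is missed."""
    return "\n".join([
        "(set-logic QF_LIA)",
        "(declare-const x0 Int)",
        "(declare-const y0 Int)",
        f"(assert (and (>= x0 0) (<= x0 {MASK})))",   # input range only
        f"(assert (= y0 (+ x0 {OFFSET})))",            # no modulo 256
        "(assert (not (>= y0 x0)))",
        "(check-sat)",
    ])


def check_bv() -> Optional[int]:
    """Brute-force stand-in for a QF_BV solver.

    Returns the smallest input x that violates the assertion under 8-bit
    wrap-around semantics, or None if the assertion holds for every input.
    """
    for x in range(1 << WIDTH):
        y = (x + OFFSET) & MASK          # bvadd: modulo 2^WIDTH
        if not y >= x:
            return x
    return None


def check_lia() -> Optional[int]:
    """Brute-force stand-in for a QF_LIA solver over the same input range."""
    for x in range(1 << WIDTH):
        y = x + OFFSET                   # mathematical integer addition
        if not y >= x:
            return x
    return None


def witness_values(x: int) -> Tuple[int, int]:
    """Concrete SSA valuation (x0, y0) for a counterexample input, i.e. the
    model a bit-vector solver would report for `(get-model)`."""
    return x, (x + OFFSET) & MASK


if __name__ == "__main__":
    print(encode_bv())
    cex = check_bv()
    if cex is None:
        print("QF_BV: assertion holds")
    else:
        print("QF_BV: counterexample x0=%d, y0=%d" % witness_values(cex))
    print("QF_LIA: %s" % ("counterexample" if check_lia() is not None
                          else "unsat (bug not detected)"))
```

The bit-vector encoding reports the first wrapping input, x0 = 56, for which y0 = 0 and the assertion fails; the integer encoding reports the condition unsatisfiable and would let the overflow through. That gap is exactly what the paper's finite-bit-width encodings are meant to close, and the same SSA-plus-negated-property shape extends to loops by unwinding them a bounded number of times before encoding.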
