Top

Formal Methods in System Design

Published in:

25-08-2016

SMT-based model checking for recursive programs

Authors: Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki

Published in: Formal Methods in System Design | Issue 3/2016

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We present an SMT-based symbolic model checking algorithm for safety verification of recursive programs. The algorithm is modular and analyzes procedures individually. Unlike other SMT-based approaches, it maintains both over- and under-approximations of procedure summaries. Under-approximations are used to analyze procedure calls without inlining. Over-approximations are used to block infeasible counterexamples and detect convergence to a proof. We show that for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample, if one exists. However, efficiency depends on an oracle for quantifier elimination (QE). For Boolean programs, the algorithm is a polynomial decision procedure, matching the worst-case bounds of the best BDD-based algorithms. For Linear Arithmetic (integers and rationals), we give an efficient instantiation of the algorithm by applying QE lazily. We use existing interpolation techniques to over-approximate QE and introduce Model Based Projection to under-approximate QE. Empirical evaluation on SV-COMP benchmarks shows that our algorithm improves significantly on the state-of-the-art.

previous article The spirit of ghost code

next article An efficient SMT solver for string constraints

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

We assume that all quantified variables are eliminated to obtain the complexity for Boolean Programs mentioned above.

http://www.cs.cmu.edu/~akomurav/projects/spacer/home.html.

https://svn.sosy-lab.org/software/sv-benchmarks/trunk/clauses/BOOL/slam.zip.

https://svn.sosy-lab.org/software/sv-benchmarks/trunk/clauses/ALIA/sdv.

Z3 first tries to eliminate existential quantifiers by using equalities with ground terms present in the input formula and resorts to model substitution otherwise.

Ball T, Rajamani SK (2000) Bebop: a symbolic model checker for Boolean programs. In: SPIN, pp 113–130

Ball T, Majumdar R, Millstein T, Rajamani SK (2001) Automatic predicate abstraction of C programs. SIGPLAN Not 36(5):203–213CrossRef

Clarke EM, Kroening D, Lerda F (2004) A tool for checking ANSI-C programs. In: TACAS

Barnett M, Chang B-YE, DeLine R, Jacobs B, Leino KRM (2005) Boogie: a modular reusable verifier for object-oriented programs. In: FMCO, pp 364–387

Albarghouthi A, Gurfinkel A, Chechik M (2012) From under-approximations to over-approximations and back. In: TACAS

Grebenshchikov S, Lopes NP, Popeea C, Rybalchenko A (2012) Synthesizing software verifiers from proof rules. In: PLDI, pp 405–416

Clarke EM (1979) Programming language constructs for which it is impossible to obtain good Hoare axiom systems. JACM 26(1):129–147MathSciNetCrossRefMATH

Reps TW, Horwitz S, Sagiv S (1995) Precise interprocedural dataflow analysis via graph reachability. In: POPL, pp 49–61

Clarke EM (1979) Program invariants as fixed points. Computing 21(4):273–294MathSciNetCrossRefMATH

10.

Sharir M, Pnueli A (1981) Program flow analysis: theory and applications. In: Two approaches to interprocedural data flow analysis. Prentice-Hall, pp 189–233

11.

Alur R, Benedikt M, Etessami K, Godefroid P, Reps T, Yannakakis M (2005) Analysis of recursive state machines. TOPLAS 27(4):786–818CrossRef

12.

Esparza J, Hansel D, Rossmanith P, Schwoon S (2000) Efficient algorithms for model checking pushdown systems. In: CAV, pp 232–247

13.

Clarke EM, Grumberg O, Jha S, Lu Y, Veith H (2000) Counterexample-guided abstraction refinement. In: CAV

14.

Albarghouthi A, Gurfinkel A, Chechik M (2012) Whale: an interpolation-based algorithm for inter-procedural verification. In: VMCAI, pp 39–55

15.

Hoder K, Bjørner N (2012) Generalized property directed reachability. In: SAT

16.

Heizmann M, Christ J, Dietsch D, Ermis E, Hoenicke J, Lindenmann M, Nutz A, Schilling C, Podelski A (2013) Ultimate automizer with SMTInterpol—(competition contribution). In: Piterman N, Smolka SA (eds) TACAS, lecture notes in computer science, vol 7795. Springer, Heidelberg, pp 641–643

17.

Heizmann M, Hoenicke J, Podelski A (2010) Nested interpolants. SIGPLAN Not 45(1):471–482 1CrossRefMATH

18.

McMillan KL, Rybalchenko A (2013) Solving constrained horn clauses using interpolation. Technical Report MSR-TR-2013-6, Microsoft Research

19.

Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148CrossRef

20.

Craig W (1957) Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory. Symb Logic 22(3):269–285MathSciNetCrossRefMATH

21.

Alur R, Benedikt M, Etessami K, Godefroid P, Reps T, Yannakakis M (2005) Analysis of recursive state machines. ACM Trans Program Lang Syst 27(4):786–818CrossRef

22.

Bradley AR (2011) SAT-based model checking without unrolling. In: VMCAI

23.

Loos R, Weispfenning V (1993) Applying linear quantifier elimination. Computing 36(5):450–462MathSciNetCrossRefMATH

24.

Cooper DC (1972) Theorem proving in arithmetic without multiplication. Mach Intel 7(91—-100):300MATH

25.

Nieuwenhuis R, Oliveras A, Tinelli C (2006) Solving SAT and SAT modulo theories: from an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J ACM 53(6):937–977MathSciNetCrossRefMATH

26.

De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: TACAS

27.

Ganai MK, Gupta A, Ashar P (2004) Efficient SAT-based unbounded symbolic model checking using circuit cofactoring. In: ICCAD, pp 510–517

28.

Nipkow T (2010) Linear quantifier elimination. J Autom Reason 45(2):189–212MathSciNetCrossRefMATH

29.

Albarghouthi A, Gurfinkel A, Li Y, Chaki S, Chechik M (2013) UFO: verification with interpolants and abstract interpretation—(competition contribution). In: TACAS

30.

Software Verification Competition. TACAS, 2014. http://sv-comp.sosy-lab.org

31.

Komuravelli A, Gurfinkel A, Chaki S, Clarke EM (2013) Automated abstraction in SMT-based unbounded software model checking. In: CAV, pp 846–862

32.

Henzinger TA, Jhala R, Majumdar R, Sutre G (2002) Lazy abstraction. In: Proceedings of the POPL, pp 58–70

33.

Chaki S, Clarke EM, Groce A, Jha S, Veith H (2004) Modular verification of software components in C. IEEE Trans Softw Eng 30(6):388–402CrossRef

34.

Godefroid P, Nori AV, Rajamani SK, Tetali S (2010) Compositional may-must program analysis: unleashing the power of alternation. In: POPL, pp 43–56

35.

Lal A, Qadeer S, Lahiri SK (2012) A solver for reachability modulo theories. In: Madhusudan P, Seshia SA (eds) CAV, lecture notes in computer science, vol 7358. Springer, Heidelberg, pp 427–443

36.

Gupta A, Ganai MK, Yang Z, Ashar P (2003) Iterative abstraction using SAT-based BMC with proof analysis. In: ICCAD, pp 416–423

37.

McMillan KL, Amla N (2003) Automatic abstraction without counterexamples. In: TACAS

Title: SMT-based model checking for recursive programs
Authors: Anvesh Komuravelli
Arie Gurfinkel
Sagar Chaki
Publication date: 25-08-2016
Publisher: Springer US
Published in: Formal Methods in System Design / Issue 3/2016
Print ISSN: 0925-9856
Electronic ISSN: 1572-8102
DOI: https://doi.org/10.1007/s10703-016-0249-4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Other articles of this Issue 3/2016

2014 CAV award announcement

An efficient SMT solver for string constraints

Efficient GPU algorithms for parallel decomposition of graphs into strongly connected and maximal end components

From invariant checking to invariant inference using randomized search

A search-based procedure for nonlinear real arithmetic

The spirit of ghost code

Premium Partner