## Model checking C programs using F-Soft (2005)

Venue: IN PCI 2.1, PCI SIG POSTING

Citations: 25 (11 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ivančić05modelchecking,
  author    = {Franjo Ivančić and Ilya Shlyakhter and Aarti Gupta and Malay K. Ganai and Vineet Kahlon and Chao Wang and Zijiang Yang},
  title     = {Model checking C programs using F-Soft},
  booktitle = {IN PCI 2.1, PCI SIG POSTING},
  year      = {2005},
  pages     = {297--308},
  publisher = {}
}
```


### Abstract

With the success of formal verification techniques like equivalence checking and model checking for hardware designs, there has been growing interest in applying such techniques for formal analysis and automatic verification of software programs. This paper provides a brief tutorial on model checking of C programs. The essential approach is to model the semantics of C programs in the form of finite state systems by using suitable abstractions. The use of abstractions is key, both for modeling programs as finite state systems and for reducing the model sizes in order to manage verification complexity. We provide illustrative details of a verification platform called F-SOFT, which provides a range of abstractions for modeling software, and uses customized SAT-based and BDD-based model checking techniques targeted for software.

### Citations

2601 | Model Checking
- Clarke, Grumberg, et al.
- 2000
- Context: ...stems. It has several advantages over simulation, testing, and deductive reasoning, and has been used successfully in practice to verify complex sequential circuit designs and communication protocols [1]. In particular, model checking is automatic, and, if the design contains an error, model checking produces a counterexample, i.e., a witness of the offending behavior of the system that can be used f...

1983 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
- Context: ...end model checkers is described in Section IV. In terms of general abstraction techniques, predicate abstraction has emerged to be a popular technique for extracting verification models from software [3], [4], [5], [6]. Details of predicate abstraction and refinement, along with recent improvements, are described in Section V. Basically, predicate abstraction is used to abstract out data, by keeping ...

1335 | The model checker SPIN
- Holzmann
- 1997
- Context: ...tate models from C programs, as described in detail in Section III. These ideas also apply to extraction of pushdown models, such as Boolean programs [15]. Explicit state model checkers, such as SPIN [16], use an explicit representation of states and transitions in the system, and enumerate all reachable states explicitly. They utilize many additional techniques such as state hashing for compaction of...

1182 | Chaff: Engineering an efficient SAT solver
- Moskewicz, Madigan, et al.
- 2001
- Context: ...an constraint propagation (making implications on other variables), and for performing conflict analysis and backtracking in case a conflict is found. Due to many recent advances in SAT solvers [22], [23], verification techniques based on SAT have become very popular (see a recent survey [24] for useful pointers). In particular, SAT-based BMC is often successful in finding bugs in much larger hardware...

652 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
- Context: ...rrect on the concrete model) or disproved (by demonstrating existence of a real counterexample on the concrete model). Such techniques are similar to counterexample-guided abstraction refinement [7], [8] demonstrated for hardware designs. We have developed a prototype software model checking tool called F-SOFT [9], which utilizes many of the ideas presented here. This is described in detail in Sectio...

639 | Construction of abstract state graphs with PVS
- Graf, Saïdi
- Context: ...odel checkers is described in Section IV. In terms of general abstraction techniques, predicate abstraction has emerged to be a popular technique for extracting verification models from software [3], [4], [5], [6]. Details of predicate abstraction and refinement, along with recent improvements, are described in Section V. Basically, predicate abstraction is used to abstract out data, by keeping track...

596 | Bandera: Extracting Finite-State Models from Java Source Code
- Corbett, Dwyer, et al.
- 1999
- Context: ... [11], Proceedings of the 2005 International Conference on Computer Design (ICCD’05) 0-7695-2451-6/05 $20.00 © 2005 IEEE parameterized system verification [12], and software program verification [2], [13]. Furthermore, model checking techniques have also been extended to pushdown systems [14], [15], i.e. systems with a finite control but with an unbounded stack. Such systems allow a direct modeling of...

530 | Symbolic Model Checking: An Approach to the State Explosion Problem
- McMillan
- 1993
- Context: ...eration makes these checkers unsuitable for hardware designs, although they have found practical success in verification of controllers and software. In contrast, symbolic model checkers, such as SMV [17], avoid an explicit enumeration of the state space by using symbolic representations of sets of states and transitions. They typically use Binary Decision Diagrams (BDDs) [18], which provide a canonic...

498 | Model checking programs
- Visser, Havelund, et al.
- Context: ...zed modeling languages to capture program semantics. The capability of directly model checking source code programs written in popular programming languages, such as C/C++ and Java, is relatively new [2]. The general approach is to extract suitable verification models from the given source code programs, on which back-end model checking techniques are applied to perform verification. Given the popula...

477 | Lazy abstraction
- Henzinger, Jhala, et al.
- Context: ... same predicates. In the SLAM toolkit, for example, such spurious behavior based on inexact predicate relationships is removed by a separate refinement algorithm called CONSTRAIN [43]. The BLAST tool [44] introduced the notion of lazy abstraction, where the abstraction refinement is completely demand-driven to remove spurious behaviors. In [32], a new refinement scheme based on interpolation [45] is d...

444 | CIL: Intermediate language and tools for analysis and transformation of C programs
- Necula, McPeak, et al.
- 2002
- Context: ...nough to prove the correctness of the program. VI. F-SOFT TOOL OVERVIEW In this section we describe our prototype model checking tool F-SOFT [9], shown in Figure 6. In the front-end, we first use CIL [46] to make all expressions side-effect-free (adding temporary variables as needed), to make all identifiers globally unique, and to rewrite complex C constructs in terms of simpler ones (e.g. switch and...

433 | Computer-Aided Verification of Coordinating Processes
- Kurshan
- 1994
- Context: ...so correct on the concrete model) or disproved (by demonstrating existence of a real counterexample on the concrete model). Such techniques are similar to counterexample-guided abstraction refinement [7], [8] demonstrated for hardware designs. We have developed a prototype software model checking tool called F-SOFT [9], which utilizes many of the ideas presented here. This is described in detail in S...

419 | Automatic predicate abstraction of C programs
- Ball, Millstein, et al.
- 2001
- Context: ...ers is described in Section IV. In terms of general abstraction techniques, predicate abstraction has emerged to be a popular technique for extracting verification models from software [3], [4], [5], [6]. Details of predicate abstraction and refinement, along with recent improvements, are described in Section V. Basically, predicate abstraction is used to abstract out data, by keeping track of predic...

395 | GRASP: A search algorithm for propositional satisfiability
- Marques-Silva, Sakallah
- 1999
- Context: ... Boolean constraint propagation (making implications on other variables), and for performing conflict analysis and backtracking in case a conflict is found. Due to many recent advances in SAT solvers [22], [23], verification techniques based on SAT have become very popular (see a recent survey [24] for useful pointers). In particular, SAT-based BMC is often successful in finding bugs in much larger ha...

315 | Reachability analysis of pushdown automata: Application to model-checking
- Bouajjani, Esparza, et al.
- 1997
- Context: ...parameterized system verification [12], and software program verification [2], [13]. Furthermore, model checking techniques have also been extended to pushdown systems [14], [15], i.e. systems with a finite control but with an unbounded stack. Such systems allow a direct modeling of recursion inherent in software programs. In this paper, we will focus on techniques for ...

287 | Symbolic Model Checking using SAT Procedures instead of BDDs
- Biere, Cimatti, et al.
- 1999
- Context: ...hecking using BDDs, the basic verification approach of exhaustive analysis does not scale well in practice. An alternative is the use of falsification approaches, such as bounded model checking (BMC) [19], which focus primarily on the search for finding bugs. In BMC, the problem of searching for a counterexample of length � is translated to a Boolean formula (by unrolling the transition relation of th...

266 | Model checking in dense real-time
- Alur, Courcoubetis, et al.
- 1991
- Context: ...uitable abstractions, finite state models can also be extracted from infinite state systems, for subsequent verification using model checking. These applications include real-time system verification [11], parameterized system verification [12], and software program verification [2], [13]....

231 | Bebop: A symbolic model checker for boolean programs (SPIN, pages 113–130)
- Ball, Rajamani
- 2000
- Context: ...parameterized system verification [12], and software program verification [2], [13]. Furthermore, model checking techniques have also been extended to pushdown systems [14], [15], i.e. systems with a finite control but with an unbounded stack. Such systems allow a direct modeling of recursion inherent in software programs. In this paper, we will focus on techniques for extrac...

223 | Abstractions from proofs
- Henzinger, Jhala, et al.
- 2004
- Context: ...e sufficient for implying unsatisfiability. The unsatisfiable core has been used very effectively for proof-based abstraction [28], [29], refinement [30], and for interpolant-based verification [31], [32]. These methods allow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods. There has also been growing interest in the use of SAT for unbounded mode...

217 | Interpolation and SAT-based Model Checking
- Jhala, McMillan
- Context: ...hat are sufficient for implying unsatisfiability. The unsatisfiable core has been used very effectively for proof-based abstraction [28], [29], refinement [30], and for interpolant-based verification [31], [32]. These methods allow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods. There has also been growing interest in the use of SAT for unbounde...

174 | Boolean and Cartesian abstraction for model checking C programs
- Ball, Podelski, et al.
- Context: ...roximate or coarse abstract models. In Microsoft’s SLAM [40], for example, coarse abstractions are generated using techniques such as Cartesian approximation and the maximum cube length approximation [41]. These techniques limit the number of predicates in each decision procedure call. As an illustrative example, consider the program given on the left hand side of Figure 3. The property to be analyzed...

162 | Checking safety properties using induction and a sat-solver
- Sheeran, Singh, et al.
- 1954
- Context: ...le of length �. In practice, � can be increased incrementally to find a shortest counterexample if one exists. Additional reasoning, in the form of completeness thresholds [19] or proofs by induction [20], [21], can be combined with BMC to ensure completeness when desired. The Boolean satisfiability (SAT) check in the BMC approach is typically performed by a back-end SAT solver. Most modern SAT solver...

137 | Experience with predicate abstraction
- Das, Dill, et al.
- 1999
- Context: ...checkers is described in Section IV. In terms of general abstraction techniques, predicate abstraction has emerged to be a popular technique for extracting verification models from software [3], [4], [5], [6]. Details of predicate abstraction and refinement, along with recent improvements, are described in Section V. Basically, predicate abstraction is used to abstract out data, by keeping track of p...

137 | Applying SAT methods in unbounded symbolic model checking
- McMillan
- 2002
- Context: ...llow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods. There has also been growing interest in the use of SAT for unbounded model checking [33], [34], [35]. However, these techniques are not as robust as SAT-based BMC techniques. III. SOFTWARE MODELING FOR C PROGRAMS Symbolic model checkers (both SAT- and BDD-based) work on a symbolic transition r...

116 | Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions
- Rugina, Rinard
- 2000
- Context: ...[Fig. 6: F-SOFT tool overview] ...applications [47], [48], [49], [50], we believe we are the first to use them for software model checking. Our main method is based on the framework suggested in [49] which formulates each range analysis problem as a system of ine...

115 | Automatic abstraction without counterexamples
- KL, Amla
- 2003
- Context: ... clauses from the original problem, called the unsatisfiable core, that are sufficient for implying unsatisfiability. The unsatisfiable core has been used very effectively for proof-based abstraction [28], [29], refinement [30], and for interpolant-based verification [31], [32]. These methods allow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods....

108 | Validating SAT solvers using an independent resolution-based checker: Practical implementations and other applications
- Zhang, Malik
- 2003
- Context: ...esigns than BDD-based approaches, and has also been used successfully for verifying C programs [25], [9]. A related important development has been the use of resolution-based proof-analysis techniques [26], [27] for SAT-solvers. These techniques were developed in order to independently check the unsatisfiability result of a SAT-solver. In addition, these techniques can also identify a set of clauses fr...

100 | Bidwidth analysis with application to silicon compilation
- Stephenson, Babb, et al.
- 2000
- Context: ...[Fig. 6: F-SOFT tool overview] ...applications [47], [48], [49], [50], we believe we are the first to use them for software model checking. Our main method is based on the framework suggested in [49] which formulates each range analysis problem as a system of inequalit...

99 | Reasoning about networks with many identical finite-state processes
- Clarke, Grumberg, et al.
- 1986
- Context: ...cations include real-time system verification [11], parameterized system verification [12], and software program verification [2], [13]. Furthermore, model checking techniques have also been extended to pushdown systems [14], [15], i.e. systems with a finite control but with an unbounded s...

90 | Pointer Analysis: Haven’t We Solved This Problem Yet?
- Hind
- 2001
- Context: ...e modeling of pointer arithmetic. Pointers are modeled as integers: pointer variable p points to simple variable x by storing the integer memory address assigned to x. We perform a points-to analysis [38] to determine, for each indirect memory access, the set of variables that may be accessed (called the points-to set). If we determine that pointer p can point to variables a,b,...,z at a given program...

70 | Automated abstraction refinement for model checking large state spaces using sat based conflict analysis
- Chauhan, Clarke, et al.
- 2002
- Context: ...nal problem, called the unsatisfiable core, that are sufficient for implying unsatisfiability. The unsatisfiable core has been used very effectively for proof-based abstraction [28], [29], refinement [30], and for interpolant-based verification [31], [32]. These methods allow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods. There has also been gr...

59 | Symbolic range propagation
- Blume, Eigenmann
- 1995
- Context: ...[Fig. 6: F-SOFT tool overview] ...applications [47], [48], [49], [50], we believe we are the first to use them for software model checking. Our main method is based on the framework suggested in [49] which formulates each range analysis problem as a s...

48 | A survey of recent advances in SAT-based formal verification
- Prasad, Biere, et al.
- 2005
- Context: ...nflict analysis and backtracking in case a conflict is found. Due to many recent advances in SAT solvers [22], [23], verification techniques based on SAT have become very popular (see a recent survey [24] for useful pointers). In particular, SAT-based BMC is often successful in finding bugs in much larger hardware designs than BDD-based approaches, and has also been used successfully for verifying C pr...

45 | Verification of proofs of unsatisfiability for CNF formulas
- Goldberg, Novikov
- 2003
- Context: ... than BDD-based approaches, and has also been used successfully for verifying C programs [25], [9]. A related important development has been the use of resolution-based proof-analysis techniques [26], [27] for SAT-solvers. These techniques were developed in order to independently check the unsatisfiability result of a SAT-solver. In addition, these techniques can also identify a set of clauses from the...

36 | Automatic discovery of linear constraints among variables of a program
- Cousot, Halbwachs
- 1978
- Context: ...[Fig. 6: F-SOFT tool overview] ...applications [47], [48], [49], [50], we believe we are the first to use them for software model checking. Our main method is based on the framework suggested in [49] which formulates each range analysis problem as a system ...

33 | SpC: synthesis of pointers in C, application of pointer analysis to the behavioral synthesis from C
- Semeria, Micheli
- 1998
- Context: ...stems, i.e., systems that synthesize RTL hardware descriptions from high-level C specifications also face this task, although they need to handle only a subset of C sufficient for describing hardware [36], [37]. We begin with full-fledged C and apply a series of source-to-source transformations into smaller subsets of C, until program state is represented as a collection of simple scalar variables and ...

33 | Refining approximations in software predicate abstraction
- Ball, Cook, et al.
- 2004

32 | Graph-based algorithms for Boolean-function manipulation
- Bryant
- 1986
- Context: ...el checkers, such as SMV [17], avoid an explicit enumeration of the state space by using symbolic representations of sets of states and transitions. They typically use Binary Decision Diagrams (BDDs) [18], which provide a canonical symbolic representation of Boolean formulas and efficient graph-based algorithms for symbolic manipulation. For hardware designs, where these symbolic representations effec...

28 | Iterative Abstraction using SAT-based BMC with Proof Analysis
- Gupta, Ganai, et al.
- 2003
- Context: ...es from the original problem, called the unsatisfiable core, that are sufficient for implying unsatisfiability. The unsatisfiable core has been used very effectively for proof-based abstraction [28], [29], refinement [30], and for interpolant-based verification [31], [32]. These methods allow SAT-based BMC to be combined effectively with other techniques to provide complete verification methods. There...

26 | SAT-based image computation with application in reachability analysis
- Gupta, Yang, et al.
- 2000

25 | A Tool for Checking ANSI-C Programs (in: Tools and Algorithms for the Construction and Analysis ...)
- Clarke, Kroening, et al.
- 2004
- Context: ...eful pointers). In particular, SAT-based BMC is often successful in finding bugs in much larger hardware designs than BDD-based approaches, and has also been used successfully for verifying C programs [25], [9]. A related important development has been the use of resolution-based proof-analysis techniques [26], [27] for SAT-solvers. These techniques were developed in order to independently check the un...

23 | Efficient SAT-based bounded model checking for software verification
- Ivancic, Yang, et al.
- 2008
- Context: ...CAS (Traffic Alert and Collision Avoidance System) case study, for which we used the predicate abstraction framework in F-SOFT. (More details on these case studies can be found in related publications [52], [42].) PPP Case Study: We followed a previous attempt [53] to verify a part of the PPP protocol with respect to its specification defined in a Request for Comment (RFC) document. RFC 1661 [54] speci...

19 | Verifying network protocol implementations by symbolic refinement checking
- Alur, Wang
- 2001
- Context: ...y, for which we used the predicate abstraction framework in F-SOFT. (More details on these case studies can be found in related publications [52], [42].) PPP Case Study: We followed a previous attempt [53] to verify a part of the PPP protocol with respect to its specification defined in a Request for Comment (RFC) document. RFC 1661 [54] specifies the state transition table of an automaton with 10 stat...

16 | The Point-to-Point
- Simpson
- 1994
- Context: ...tions [52], [42].) PPP Case Study: We followed a previous attempt [53] to verify a part of the PPP protocol with respect to its specification defined in a Request for Comment (RFC) document. RFC 1661 [54] specifies the state transition table of an automaton with 10 states, which reacts to 15 events. The automaton can switch states when receiving an event, and also perform other actions, such as sendin...

16 | Mocha: a model checking tool that exploits design structure
- Alfaro, Alur, et al.
- Context: ...ify that the public implementation adheres to the specification as given in RFC 1661. In [53], the C program as described here was manually translated to the input language of the model checker MOCHA [55]. Their analysis showed that the public implementation does not fully adhere to the specification given by RFC 1661. In particular, when a peer receives a packet RTA, it is supposed to send back a con...

14 | Localization and register sharing for predicate abstraction
- Ivancic, Jain, et al.
- 2005
- Context: ...articular, note that the two if-conditions in lines (3) and (4) are translated to simple checks on b1 and b2, respectively, as shown in the abstract model on the right in Fig. 3. Recent efforts [32], [42] describe improved approaches, where predicates can be added locally to certain basic blocks, but not to others, which we will call henceforth localization of predicates. On average the number of pred...

12 | Abstraction and BDDs Complement SAT-Based BMC in DiVer
- Gupta, Ganai, et al.
- 2003
- Context: ...length �. In practice, � can be increased incrementally to find a shortest counterexample if one exists. Additional reasoning, in the form of completeness thresholds [19] or proofs by induction [20], [21], can be combined with BMC to ensure completeness when desired. The Boolean satisfiability (SAT) check in the BMC approach is typically performed by a back-end SAT solver. Most modern SAT solvers use ...

10 | Efficient symbolic model checking of software using partial disjunctive partitioning
- Barner, Rabinovitz
- 2003
- Context: ... variables (Section VI-A); and use of register sharing techniques to reduce the number of control variables (Section V-B). Other improvements include use of disjunctively-partitioned image computation [39], which works better for software models than the conjunctively-partitioned technique used typically for hardware designs. V. PREDICATE ABSTRACTION AND REFINEMENT Model checking suffers from the state...

8 | DiVer: SAT-Based Model Checking Platform for Verifying Large Scale Systems
- Ganai, Gupta, Ashar
- 2005
- Context: ...unded data and bounded recursion). Optionally, predicate abstraction is supported by a fully automated abstraction refinement framework. The back-end model checking is performed by a tool called DiVer [10], which includes several state-of-the-art symbolic model checking techniques. The outline of the paper is as follows. We start by providing a brief background on model checking in Section II. In Secti...

6 | Linear reasoning
- Craig
- 1957
- Context: ...tool [44] introduced the notion of lazy abstraction, where the abstraction refinement is completely demand-driven to remove spurious behaviors. In [32], a new refinement scheme based on interpolation [45] is described, which exploits the unsatisfiable core generated from a proof of unsatisfiability, to add new predicates to some program locations only. Our contribution in F-SOFT [42] is inspired by th...