Graph-Based Algorithms for Boolean Function Manipulation
IEEE Transactions on Computers
Reasoning about networks with many identical finite state processes
Information and Computation
Model-checking in dense real-time
Information and Computation - Special issue: selections from 1990 IEEE symposium on logic in computer science
Computer-aided verification of coordinating processes: the automata-theoretic approach
Computer-aided verification of coordinating processes: the automata-theoretic approach
IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
SpC: synthesis of pointers in C: application of pointer analysis to the behavioral synthesis from C
Proceedings of the 1998 IEEE/ACM international conference on Computer-aided design
GRASP: A Search Algorithm for Propositional Satisfiability
IEEE Transactions on Computers
Symbolic model checking using SAT procedures instead of BDDs
Proceedings of the 36th annual ACM/IEEE Design Automation Conference
Bandera: extracting finite-state models from Java source code
Proceedings of the 22nd international conference on Software engineering
Symbolic bounds analysis of pointers, array indices, and accessed memory regions
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Automatic predicate abstraction of C programs
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Chaff: engineering an efficient SAT solver
Proceedings of the 38th annual Design Automation Conference
Pointer analysis: haven't we solved this problem yet?
PASTE '01 Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
JMOCHA: a model checking tool that exploits design structure
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Automatic discovery of linear restraints among variables of a program
POPL '78 Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Symbolic Model Checking
Bebop: A Symbolic Model Checker for Boolean Programs
Proceedings of the 7th International SPIN Workshop on SPIN Model Checking and Software Verification
SAT-Based Image Computation with Application in Reachability Analysis
FMCAD '00 Proceedings of the Third International Conference on Formal Methods in Computer-Aided Design
Checking Safety Properties Using Induction and a SAT-Solver
FMCAD '00 Proceedings of the Third International Conference on Formal Methods in Computer-Aided Design
FMCAD '02 Proceedings of the 4th International Conference on Formal Methods in Computer-Aided Design
Reachability Analysis of Pushdown Automata: Application to Model-Checking
CONCUR '97 Proceedings of the 8th International Conference on Concurrency Theory
VeriSoft: A Tool for the Automatic Analysis of Concurrent Reactive Software
CAV '97 Proceedings of the 9th International Conference on Computer Aided Verification
Construction of Abstract State Graphs with PVS
CAV '97 Proceedings of the 9th International Conference on Computer Aided Verification
Counterexample-Guided Abstraction Refinement
CAV '00 Proceedings of the 12th International Conference on Computer Aided Verification
Applying SAT Methods in Unbounded Symbolic Model Checking
CAV '02 Proceedings of the 14th International Conference on Computer Aided Verification
CADP - A Protocol Validation and Verification Toolbox
CAV '96 Proceedings of the 8th International Conference on Computer Aided Verification
Behavioral consistency of C and verilog programs using bounded model checking
Proceedings of the 40th annual Design Automation Conference
CSSV: towards a realistic tool for statically detecting all buffer overflows in C
PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
ASE '00 Proceedings of the 15th IEEE international conference on Automated software engineering
WCRE '01 Proceedings of the Eighth Working Conference on Reverse Engineering (WCRE'01)
Context-sensitive slicing of concurrent programs
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Bogor: an extensible and highly-modular software model checking framework
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Iterative Abstraction using SAT-based BMC with Proof Analysis
Proceedings of the 2003 IEEE/ACM international conference on Computer-aided design
DATE '03 Proceedings of the conference on Design, Automation and Test in Europe - Volume 1
Verification of Proofs of Unsatisfiability for CNF Formulas
DATE '03 Proceedings of the conference on Design, Automation and Test in Europe - Volume 1
Model Checking C Programs Using F-SOFT
ICCD '05 Proceedings of the 2005 International Conference on Computer Design
Disjunctive image computation for embedded software verification
Proceedings of the conference on Design, automation and test in Europe: Proceedings
Static analysis in disjunctive numerical domains
SAS'06 Proceedings of the 13th international conference on Static Analysis
Static analysis of numerical algorithms
SAS'06 Proceedings of the 13th international conference on Static Analysis
Using statically computed invariants inside the predicate abstraction and refinement loop
CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Localization and register sharing for predicate abstraction
TACAS'05 Proceedings of the 11th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Program analysis using symbolic ranges
SAS'07 Proceedings of the 14th international conference on Static Analysis
Model checking sequential software programs via mixed symbolic analysis
ACM Transactions on Design Automation of Electronic Systems (TODAES)
Dynamic Path Reduction for Software Model Checking
IFM '09 Proceedings of the 7th International Conference on Integrated Formal Methods
ACM Computing Surveys (CSUR)
A precise memory model for low-level bounded model checking
SSV'10 Proceedings of the 5th international conference on Systems software verification
A decade of software model checking with SLAM
Communications of the ACM
The edge of graph transformation: graphs for behavioural specification
Graph transformations and model-driven engineering
SAT solving with reference points
SAT'10 Proceedings of the 13th international conference on Theory and Applications of Satisfiability Testing
LLBMC: bounded model checking of C and C++ programs using a compiler IR
VSTTE'12 Proceedings of the 4th international conference on Verified Software: theories, tools, experiments
LLBMC: a bounded model checker for LLVM's intermediate representation
TACAS'12 Proceedings of the 18th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Predicate analysis with block-abstraction memoization
ICFEM'12 Proceedings of the 14th international conference on Formal Engineering Methods: formal methods and software engineering
LLBMC: improved bounded model checking of c programs using LLVM
TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Behavioral modeling and formal verification of a resource discovery approach in Grid computing
Expert Systems with Applications: An International Journal
LLVMVF: A Generic Approach for Verification of Multicore Software
Journal of Electronic Testing: Theory and Applications
| Hi-index | 5.24 |
This paper discusses our methodology for formal analysis and automatic verification of software programs. It is applicable to a large subset of the C programming language that includes pointer arithmetic and bounded recursion. We consider reachability properties, in particular whether certain assertions or basic blocks are reachable in the source code, or whether certain standard property violations can occur. We perform this analysis via a translation to a Boolean circuit representation based on modeling basic blocks. The program is then analyzed by a back-end SAT-based bounded model checker, where each unrolling is mapped to one step in a block-wise execution of the program. The main contributions of this paper are as follows: (1) Use of basic block-based unrollings with SAT-based bounded model checking of software programs. This allows us to take advantage of SAT-based learning inherent to the best performing bounded model checkers. (2) Various heuristics customized for models automatically generated from software, allowing a more efficient SAT-based analysis. (3) A prototype tool called F-Soft has been implemented using our methodology. We present experimental results based on multiple case studies including a C-based implementation of a network protocol, and compare the performance gains using the proposed heuristics.