SMT-based model checking for recursive programs
Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki, +2 more
- 01 Jun 2016
- Vol. 48, Iss: 3, pp 175-205
TL;DR: Presents an SMT-based symbolic model checking algorithm for safety verification of recursive programs and shows that, for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample if one exists.
Abstract: We present an SMT-based symbolic model checking algorithm for safety verification of recursive programs. The algorithm is modular and analyzes procedures individually. Unlike other SMT-based approaches, it maintains both over- and under-approximations of procedure summaries. Under-approximations are used to analyze procedure calls without inlining. Over-approximations are used to block infeasible counterexamples and detect convergence to a proof. We show that for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample, if one exists. However, efficiency depends on an oracle for quantifier elimination (QE). For Boolean programs, the algorithm is a polynomial decision procedure, matching the worst-case bounds of the best BDD-based algorithms. For Linear Arithmetic (integers and rationals), we give an efficient instantiation of the algorithm by applying QE lazily. We use existing interpolation techniques to over-approximate QE and introduce Model Based Projection to under-approximate QE. Empirical evaluation on SV-COMP benchmarks shows that our algorithm improves significantly on the state-of-the-art.
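The Model Based Projection (MBP) named in the abstract is the under-approximation of quantifier elimination that the algorithm leans on for linear arithmetic. The Python below is an added illustration written for this page, not code from the paper, from Z3 or from Spacer: a minimal MBP for conjunctions of linear rational constraints, using the standard rule that the model selects the greatest lower bound of the eliminated variable and the other bounds are then stated relative to it. The term encoding, the helper names (`term`, `mbp`, `exists_x`, `demo`) and the sample constraints are all constructed for the example.

```python
from fractions import Fraction as Fr

# Constructed toy encoding (not Z3's API): a linear term is {var: coeff} over the rationals,
# with the empty-string key holding the constant; an atom (term, op) means  term op 0.
CONST = ""

def term(coeffs, const=0):
    t = {v: Fr(c) for v, c in coeffs.items() if c != 0}
    if const != 0:
        t[CONST] = Fr(const)
    return t

def add(a, b, k=Fr(1)):
    """a + k*b with zero coefficients dropped."""
    r = dict(a)
    for v, c in b.items():
        r[v] = r.get(v, Fr(0)) + k * c
    return {v: c for v, c in r.items() if c != 0}

def scale(a, k):
    return {v: k * c for v, c in a.items()} if k != 0 else {}

def drop(t, x):
    return {v: c for v, c in t.items() if v != x}

def evaluate(t, model):
    return sum((c if v == CONST else c * model[v] for v, c in t.items()), Fr(0))

def holds(atom, model):
    val = evaluate(atom[0], model)
    return {"<=": val <= 0, "<": val < 0, "=": val == 0}[atom[1]]

def mbp(atoms, model, x):
    """Model based projection: given a model of the conjunction `atoms`, return an x-free
    conjunction psi with  model |= psi  and  psi => exists x. atoms  (an under-approximation
    of exact quantifier elimination, picked by the model instead of by case splitting)."""
    assert all(holds(a, model) for a in atoms), "MBP needs a model of the input"
    rest = [a for a in atoms if x not in a[0]]
    with_x = [a for a in atoms if x in a[0]]
    # An equality  c*x + r = 0  defines x = -r/c: substitute it everywhere and we are done.
    for t, op in with_x:
        if op == "=":
            sol = scale(drop(t, x), Fr(-1) / t[x])
            return rest + [(add(drop(u, x), sol, u[x]), op2)
                           for u, op2 in with_x if (u, op2) != (t, op)]
    # Otherwise split into lower bounds (l op x, from c < 0) and upper bounds (x op u, from c > 0).
    lowers, uppers = [], []
    for t, op in with_x:
        bound = scale(drop(t, x), Fr(-1) / t[x])          # c*x + r op 0  <=>  x op' -r/c
        (uppers if t[x] > 0 else lowers).append((bound, op))
    if not lowers or not uppers:
        return rest                                        # x is unbounded on one side
    # The model picks the greatest lower bound l*; on ties prefer a strict one.
    lstar, lop = max(lowers, key=lambda b: (evaluate(b[0], model), b[1] == "<"))
    psi = list(rest)
    for l, op in lowers:                                   # every other lower bound stays below l*
        if (l, op) != (lstar, lop):
            psi.append((add(l, lstar, Fr(-1)), "<=" if lop == "<" else op))
    for u, op in uppers:                                   # l* stays below every upper bound
        psi.append((add(lstar, u, Fr(-1)), "<" if "<" in (lop, op) else "<="))
    return psi

def exists_x(atoms, partial, x):
    """Exact check used to validate mbp: decide  exists x. atoms  given values for the other
    variables (one-variable rational arithmetic, so comparing the tightest bounds suffices)."""
    lo, hi = None, None                                    # (value, strict?) of the tightest bounds
    for t, op in atoms:
        c = t.get(x, Fr(0))
        if c == 0:
            if not holds((t, op), partial):
                return False
            continue
        b, strict = -evaluate(drop(t, x), partial) / c, op == "<"
        if op == "=" or c < 0:
            if lo is None or (b, strict) > lo:
                lo = (b, strict)
        if op == "=" or c > 0:
            if hi is None or b < hi[0] or (b == hi[0] and strict):
                hi = (b, strict)
    if lo is None or hi is None:
        return True
    return lo[0] < hi[0] or (lo[0] == hi[0] and not lo[1] and not hi[1])

def demo():
    """Constructed example: project x out of  y <= x /\\ 1 <= x /\\ x <= z  from two models."""
    phi = [(term({"y": 1, "x": -1}), "<="),                # y <= x
           (term({"x": -1}, 1), "<="),                     # 1 <= x
           (term({"x": 1, "z": -1}), "<=")]                # x <= z
    m1 = {"x": Fr(3), "y": Fr(3), "z": Fr(4)}              # y is the greatest lower bound here
    m2 = {"x": Fr(1), "y": Fr(0), "z": Fr(2)}              # the constant 1 is the greatest here
    return phi, mbp(phi, m1, "x"), mbp(phi, m2, "x")

if __name__ == "__main__":
    phi, psi1, psi2 = demo()
    print("MBP from m1:", psi1)   # encodes  1 <= y /\ y <= z
    print("MBP from m2:", psi2)   # encodes  y <= 1 /\ 1 <= z
```

Each call returns one x-free conjunction that the supplied model satisfies and that implies the exact projection, so it never admits a spurious state. Different models produce different disjuncts: in the demo the two results together cover exactly 1 ≤ z ∧ y ≤ z, which is what full quantifier elimination of x would return. That is the sense in which MBP under-approximates QE while still letting a solver enumerate the whole projection lazily, one model at a time, which is how the abstract's "applying QE lazily" works for Linear Arithmetic.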
Citations
ZEUS: Analyzing Safety of Smart Contracts.
Sukrit Kalra, Seep Goel, Mohan Dhawan, Subodh Sharma, +3 more
- 01 Jan 2018
TL;DR: This work presents ZEUS—a framework to verify the correctness and validate the fairness of smart contracts, which leverages both abstract interpretation and symbolic model checking, along with the power of constrained horn clauses to quickly verify contracts for safety.
Incremental Linearization for Satisfiability and Verification Modulo Nonlinear Arithmetic and Transcendental Functions
TL;DR: A new abstraction-refinement approach for SMT and VMT on NRA or NTA, called Incremental Linearization, which abstracts nonlinear multiplication and transcendental functions as uninterpreted functions in an abstract space limited to linear arithmetic on the rationals with uninterpreted functions.
Code2Inv: A Deep Learning Framework for Program Verification
Xujie Si, Aaditya Naik, Hanjun Dai, Mayur Naik, Le Song, +4 more
- 21 Jul 2020
TL;DR: A general end-to-end deep learning framework Code2Inv is proposed, which takes a verification task and a proof checker as input, and automatically learns a valid proof for the verification task by interacting with the given checker.
SolCMC: Solidity Compiler's Model Checker
Leonardo Alt, Martin Blicha, A. Hyvärinen, Natasha Sharygina, +3 more
- 01 Jan 2022
TL;DR: In this paper, the authors describe SolCMC, a model checker for verifying smart contracts, and show how to analyze nontrivial properties of real-life contracts in a fully automated manner.
Analysis and Transformation of Constrained Horn Clauses for Program Verification
Emanuele De Angelis, Fabio Fioravanti, John P. Gallagher, Manuel V. Hermenegildo, Alberto Pettorossi, Maurizio Proietti, +5 more
TL;DR: In this article, the authors present a survey of techniques for translating verification problems for different programming languages, and in general software systems, into satisfiability problems for constrained Horn clauses (CHCs), a term that has become popular in the verification field to refer to CLP programs.
References
Z3: an efficient SMT solver
Leonardo de Moura, Nikolaj Bjørner, +1 more
- 29 Mar 2008
TL;DR: Z3 is a new and efficient SMT Solver freely available from Microsoft Research that is used in various software verification and analysis applications.
Counterexample-guided abstraction refinement
Edmund M. Clarke
- 08 Jul 2003
TL;DR: Counterexample-guided abstraction refinement is an automatic abstraction method where the key step is to extract information from false negatives ("spurious counterexamples") due to over-approximation.
A Tool for Checking ANSI-C Programs
Edmund M. Clarke, Daniel Kroening, Flavio Lerda, +2 more
- 29 Mar 2004
TL;DR: The tool supports almost all ANSI-C language features, including pointer constructs, dynamic memory allocation, recursion, and the float and double data types, and is integrated into a graphical user interface.
Lazy abstraction
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre, +3 more
- 01 Jan 2002
TL;DR: This work presents an algorithm for model checking safety properties using lazy abstraction and describes an implementation of the algorithm applied to C programs and provides sufficient conditions for the termination of the method.
Precise interprocedural dataflow analysis via graph reachability
Thomas Reps, Susan Horwitz, Mooly Sagiv, +2 more
- 25 Jan 1995
TL;DR: The paper shows how a large class of interprocedural dataflow-analysis problems can be solved precisely in polynomial time by transforming them into a special kind of graph-reachability problem.