A survey of automated techniques for formal software verification

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Volumn 27, Issue 7, 2008, Pages 1165-1178

  D'Silva, Vijay ^a   Kroening, Daniel ^a   Weissenbacher, Georg ^a  

^a UNIVERSITY OF OXFORD   (United Kingdom)

Author keywords

Bounded model checking (BMC); Model checking; Predicate abstraction; Software verification; Static analysis

Indexed keywords

AUTOMATIC PROGRAMMING; COMPUTER AIDED SOFTWARE ENGINEERING; ERROR ANALYSIS; MODAL ANALYSIS; MODEL CHECKING; STATIC ANALYSIS; SURVEYS; VERIFICATION;

ABSTRACT DOMAINS; APPLIED (CO); AUTOMATED TECHNIQUES; AUTOMATIC STATIC ANALYSIS; BOUNDED MODEL CHECKING (BMC); ELECTRONIC SYSTEMS (ES); FORMAL VERIFICATION TOOLS; PRACTICAL PROBLEMS; PROGRAMMING ERRORS; SOFTWARE VERIFICATIONS;

COMPUTER SOFTWARE SELECTION AND EVALUATION;

EID: 45849085781     PISSN: 02780070     EISSN: None     Source Type: Journal    
DOI: 10.1109/TCAD.2008.923410     Document Type: Article

References (110)

1. J.-R. Abrial, The B-book: Assigning Programs to Meanings. Cambridge, U.K.: Cambridge Univ. Press, 1996.
2. B. Alpern, M. N. Wegman, and F. K. Zadeck, "Detecting equality of variables in programs," in Proc. POPL, 1988, pp. 1-11.
3. N. Amla and K. L. McMillan, "A hybrid of counterexample-based and proof-based abstraction," in Formal Methods in Computer-Aided Design (FMCAD), vol. 3312, Berlin. Germany: Springer-Verlag, 2004, pp. 260-274.
4. L. O. Andersen, "Program analysis and specialization for the C Programming Language," Ph.D. dissertation. DIKU, Univ. of Copenhagen, Copenhagen, Denmark, May 1994.
5. T. Andrews, S. Qadeer, S. K. Rajamani, and Y. Xie, "Zing: Exploiting program structure for model checking concurrent software," in Concurrency Theory (CONCUR), Berlin, Germany: Springer-Verlag, Aug. 2004, pp. 1-15.
6. A. Armando, J. Mantovani, and L. Platania, "Bounded model checking of software using SMT solvers instead of SAT solvers," in Model Checking and Software Verification (SPIN), vol. 3925, Berlin. Germany: Springer-Verlag, 2006, pp. 146-162.
7. F. Balarin and A. L. Sangiovanni-Vincentelli, "An iterative approach to language containment," in Computer Aided Verification (CAV), vol. 697, Berlin, Germany: Springer-Verlag, 1993.
8. T. Ball, B. Cook, S. Das, and S. K. Rajamani, "Refining approximations in software predicate abstraction," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 2988. Berlin, Germany: Springer-Verlag, 2004.
9. T. Ball, B. Cook, S. K. Lahiri, and L. Zhang, "Zapato: Automatic theorem proving for predicate abstraction refinement," in Computer Aided Verification (CAV), vol. 3114. Berlin, Germany: Springer-Verlag, 2004.
10. T. Ball, B. Cook, V. Levin, and S. K. Rajamani, "SLAM and static driver verifier: Technology transfer of formal methods inside Microsoft," in Integrated Formal Methods (IFM), vol. 2999. Berlin. Germany: Springer-Verlag, 2004.
11. T. Ball, R. Majumdar, T. Millstein, and S. K. Rajamani, "Automatic predicate abstraction of C programs," in Proc. PLDI. 2001, pp. 203-213.
12. T. Ball, A. Podelski, and S. K. Rajamani, "Boolean and Cartesian abstraction for model checking C programs," Int. J. Softw. Tools Technol. Transf., vol. 5, no. 1, pp. 49-58, Nov. 2003.
13. T. Ball and S. Rajamani, "Generating abstract explanations of spurious counterexamples in C programs." Microsoft Res., Redmond. WA, Tech. Rep. MSR-TR-2002-09, Jan. 2002.
14. T. Ball and S. K. Rajamani, "Bebop: A symbolic model checker for Boolean programs," in Model Checking and Software Verification (SPIN), vol. 1885. Berlin, Germany: Springer-Verlag, 2000, pp. 113-130.
15. T. Ball and S. K. Rajamani, "Boolean programs: A model and process for software analysis," Microsoft Res., Redmond. WA. Tech. Rep. 2000-14, Feb. 2000.
16. J. Barnes, High Integrity Software: The SPARK Approach to Safety and Security. Reading, MA: Addison-Wesley, 2003.
17. M. Barnett, K. R. M. Leino, and W. Schulte, "The Spec# programming system: An overview," in Construction and Analysis of Safe, Secure, and Interoperable Smart Devices, vol. 3362. Berlin, Germany: Springer-Verlag, 2004, pp. 49-69.
18. C. W. Barrett, D. L. Dill, and J. R. Levitt, "A decision procedure for bit-vector arithmetic," in Proc. DAC, Jun. 1998, pp. 522-527.
19. R. E. Bellman, Dynamic Programming. Princeton, NJ: Princeton Univ. Press, 1957.
20. S. Berezin, V. Ganesh, and D. Dill, "A decision procedure for fixed-width bit-vectors," Comput. Sci. Dept., Stanford Univ., Palo Alto, CA. Tech. Rep. CSTR 2007-06, 2005.
21. D. Beyer, T. A. Henzinger. R. Majumdar, and A. Rybalchenko, "Invariant synthesis for combined theories," in Verification, Model Checking and Abstract Interpretation (VMCAI), vol. 4349. Berlin. Germany: Springer-Verlag, 2007, pp. 378-394.
22. D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko, "Path invariants," in Proc. PLDI, 2007, pp. 300-309.
23. D. Beyer, T. A. Henzinger, and G. Thèoduloz, "Configurable software verification: Concretizing the convergence of model checking and program analysis," in Computer Aided Verification (CAV), vol. 4590. Berlin, Germany: Springer-Verlag, 2007, pp. 504-518.
24. A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, "Symbolic model checking without BDDs," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 1579. Berlin, Germany: Springer-Verlag, 1999, pp. 193-207.
25. B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival, "Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software," in The Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, vol. 2566. New York: Springer-Verlag, Oct. 2002, pp. 85-108.
26. A. Bouajjani, J. Esparza, and O. Maler, "Reachability analysis of pushdown automata: Application to model-checking," in Concurrency Theory (CONCUR), vol. 1243. Berlin, Germany: Springer-Verlag, 1997, pp. 135-150.
27. R. E. Bryant, "Graph-based algorithms for Boolean function manipulation," IEEE Trans. Comput., vol. C-35, no. 8, pp. 677-691, Aug. 1986.
28. R. E. Bryant, D. Kroening, J. Ouaknine, S. A. Seshia. O. Strichman, and B. Brady, "Deciding bit-vector arithmetic with abstraction," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 4424. Berlin, Germany: Springer-Verlag, 2007.
29. J. R. Büchi, "Regular canonical systems," Arch. Math. Log., vol. 6, no. 3/4, pp. 91-111, Apr. 1964.
30. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler, "EXE: Automatically generating inputs of death," in Proc. CCS, 2006, pp. 322-335.
31. S. Chaki, E. M. Clarke, A. Groce, S. Jha, and H. Veith, "Modular verification of software components in C," IEEE Trans. Softw. Eng., vol. 30, no. 6, pp. 388-402, Jun. 2004.
32. D. R. Chase, M. Wegman, and F. K. Zadeck, "Analysis of pointers and structures," in Proc. PLDI, 1990, pp. 296-310.
33. R. Clarisó and J. Cortadella, "The octahedron abstract domain," in Proc. SAS, 2004, pp. 312-327.
34. E. Clarke, O. Grumberg, and D. Long, "Model checking and abstraction," ACM Trans. Program. Lang. Syst., vol. 16. no. 5, pp. 1512-1542, Sep. 1994.
35. E. Clarke and H. Veith, "Counterexamples revisited: Principles, algorithms, applications," in Verification: Theory and Practice, vol. 2772. Berlin, Germany: Springer-Verlag, 2003, pp. 208-224.
36. E. M. Clarke and E. A. Emerson, "Design and synthesis of synchronization skeletons using branching time temporal logic," in Logic of Programs, vol. 131. Berlin, Germany: Springer-Verlag, 1981, pp. 52-71.
37. E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, "Counter example-guided abstraction refinement," in Computer Aided Verification (CAV), vol. 1855, Berlin, Germany: Springer-Verlag, 2000, pp. 154-169.
38. E. M. Clarke, D. Kroening, and F. Lerda, "A tool for checking ANSI-C programs," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 2988. Berlin, Germany: Springer-Verlag, 2004, pp. 168-176.
39. E. M. Clarke, D. Kroening, N. Sharygina, and K. Yorav, "Predicate abstraction of ANSI-C programs using SAT," Form. Methods Syst. Des. (FMSD), vol. 25, no. 2/3, pp. 105-127, Sep.-Nov. 2004.
40. H. Collavizza and M. Rueher, "Exploration of the capabilities of constraint programming for software verification," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 3920. Berlin, Germany: Springer-Verlag, 2006, pp. 182-196.
41. M. Colón and H. Sipma, "Synthesis of linear ranking functions," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 2031, Berlin, Germany: Springer-Verlag, 2001, pp. 67-81.
42. B. Cook, D. Kroening, and N. Sharygina, "Cogent: Accurate theorem proving for program verification." in Computer Aided Verification (CAV), vol. 3576. Berlin, Germany: Springer-Verlag, 2005, pp. 296-300.
43. B. Cook, D. Kroening, and N. Sharygina, "Symbolic model checking for asynchronous Boolean programs," in Model Checking and Software Verification (SPIN), vol. 3639. Berlin, Germany: Springer-Verlag. 2005, pp. 75-90.
44. B. Cook, D. Kroening, and N. Sharygina, "Over-approximating Boolean programs with unbounded thread creation," in Proc. FMCAD, 2006, pp. 53-59.
45. B. Cook, A. Podelski, and A. Rybalchenko, "Abstraction refinement for termination," in Static Analysis, vol. 3672. Berlin, Germany: Springer-Verlag, 2005, pp. 87-101.
46. P. Cousot and R. Cousot, "Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints," in Proc. POPL, 1977, pp. 238-252.
47. P. Cousot and R. Cousot, "Systematic design of program analysis frameworks," in Proc. POPL, 1979, pp. 269-282.
48. P. Cousot and N. Halbwachs, "Automatic discovery of linear restraints among variables of a program," in Proc. POPL, 1978, pp. 84-96.
49. D. W. Currie, A. J. Hu, and S. P. Rajan, "Automatic formal verification of DSP software," in Proc. DAC, 2000, pp. 130-135.
50. D. Cyrluk, O. Möller, and H. Rueâ, "An efficient decision procedure for the theory of fixed-sized bit-vectors," in Computer Aided Verification (CAV), Berlin, Germany: Springer-Verlag, 1997, pp. 60-71.
51. S. Demri, F. Laroussinie, and P. Schnoebelen, "A parametric analysis of the state-explosion problem in model checking," J. Comput. Syst. Sci., vol. 72, no. 4, pp. 547-575, Jun. 2006.
52. N. Dershowitz, Software horror stories. [Online]. Available: http://www.cs.tau.ac.il/nachumd/verify/horror.html
53. D. Detlefs, G. Nelson, and J. B. Saxe, "Simplify: A theorem prover for program checking," HP Labs, Palo Alto, CA, Tech. Rep. HPL-2003-148, Jan. 2003.
54. A. Deutsch, "Interprocedural may-alias analysis for pointers: Beyond k-limiting," in Proc. PLDI, 1994, pp. 230-241.
55. N. Dor, M. Rodeh, and S. Sagiv, "Cleanness checking of string manipulations in C programs via integer analysis," in Static Analysis. Berlin, Germany: Springer-Verlag, 2001, pp. 194-212.
56. B. Dutertre and L. de Moura, (2006, Sep.). The Yices SMT Solver. [Online]. Available: http://yices.csl.sri.com/tool-paper.pdf
57. M. B. Dwyer, J. Hatcliff, R. Joehanes, S. Laubach, C. S. Pãsãreanu, H. Zheng, and W. Visser, "Tool-supported program abstraction for finite-state verification," in Proc. ICSE, 2001, pp. 177-187.
58. J. Esparza and S. Schwoon, "A BDD-based model checker for recursive programs," in Computer Aided Verification (CAV), vol. 2102. Berlin, Germany: Springer-Verlag, 2001, pp. 324-336.
59. J. Feret, "Static analysis of digital filters," in Programming Languages and Systems, vol. 2986. Berlin, Germany: Springer-Verlag, 2004.
60. A. Finkel, B. Willems, and P. Wolper, "A direct symbolic approach to model checking pushdown systems," Verification of Infinite State Systems (INFINITY), vol. 9, 1997, Elsevier. ENTCS.
61. C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata, "Extended static checking for Java," in Proc. PLDI, 2002, pp. 234-245.
62. P. Godefroid, Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, vol. 1032. New York: Springer-Verlag, 1996.
63. P. Godefroid, "Model checking for programming languages using VeriSoft," in Proc. POPL, 1997, pp. 174-186.
64. S. Graf and H. Saïdi, "Construction of abstract state graphs with PVS," in Computer Aided Verification (CAV), vol. 1254. New York: Springer-Verlag, 1997, pp. 72-83.
65. B. S. Gulavani and S. K. Rajamani, "Counterexample driven refinement for abstract interpretation," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 3920. Berlin, Germany: Springer-Verlag, 2006, pp. 474-488.
66. A. Gurfinkel and M. Chechik, "Why waste a perfectly good abstraction?" in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 3920. Berlin, Germany: Springer-Verlag, 2006, pp. 212-226.
67. N. Halbwachs, Y.-E. Proy, and P. Roumanoff, "Verification of realtime systems using linear relation analysis," Form. Methods Syst. Des. (FMSD), vol. 11, no. 2, pp. 157-185, Aug. 1997.
68. T. A. Henzinger, R. Jhala, R. Majumdar, and K. L. McMillan, "Abstractions from proofs," in Proc. POPL, 2004, pp. 232-244.
69. T. A. Henzinger, R. Jhala, R. Majumdar, and S. Qadeer, "Thread-modular abstraction refinement," in Computer Aided Verification (CAV), vol. 2725. Berlin, Germany: Springer-Verlag, 2003, pp. 262-274.
70. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, "Lazy abstraction," in Proc. POPL, 2002, pp. 58-70.
71. M. Hind, "Pointer analysis: Haven't we solved this problem yet?" in Proc. Prog. Anal. Softw. Tools Eng., 2001, pp. 54-61.
72. M. Hind, M. Burke, P. Carini, and J.-D. Choi, "Interprocedural pointer alias analysis," ACM Trans. Program. Lang. Syst. (TOPLAS), vol. 21, no. 4, pp. 848-894, Jul. 1999.
73. G. J. Holzmann, "The model checker SPIN," IEEE Trans. Softw. Eng., vol. 23, no. 5, pp. 279-295, May 1997.
74. G. J. Holzmann, "State compression in SPIN: Recursive indexing and compression training runs," in Proc. SPIN, 1997, pp. 1-10.
75. G. J. Holzmann, "Software model checking with SPIN," Adv. Comput., vol. 65, pp. 78-109, 2005.
76. F. Ivancic, I. Shlyakhter, A. Gupta, and M. K. Ganai, "Model checking C programs using F-SOFT," in Proc. ICCD. 2005, pp. 297-308.
77. H. Jain, F. Ivancic, A. Gupta, I. Shlyakhter, and C Wang, "Using statically computed invariants inside the predicate abstraction and refinement loop," in Computer Aided Verification (CAV), vol. 4144. Berlin, Germany: Springer-Verlag, 2006, pp. 137-151.
78. R. Jhala and R. Majumdar, "Path slicing," in Proc. PLDI, 2005, pp. 38-47.
79. R. Jhala and K. L. McMillan, "A practical and complete approach to predicate refinement," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 3920. Berlin, Germany: Springer-Verlag, 2006, pp. 459-473.
80. C. B. Jones, "Specification and design of (parallel) programs," in Proc. IFIP Congr., 1983, pp. 321-332.
81. N. D. Jones and S. S. Muchnick, "Flow analysis and optimization of LISP-like structures," in Proc. POPL, 1979, pp. 244-256.
82. Y. Kesten, O. Maler, M. Marcus, A. Pnueli, and E. Shahar, "Symbolic model checking with rich assertional languages," in Computer Aided Verification (CAV), vol. 1254. Berlin, Germany: Springer-Verlag, 1997, pp. 424-435.
83. D. Kroening, E. M. Clarke, and K. Yorav, "Behavioral consistency of C and Verilog programs using bounded model checking," in Proc. DAC, 2003, pp. 368-371.
84. D. Kroening and O. Strichman, "Efficient computation of recurrence diameters," in Verification, Model Checking and Abstract Interpretation (VMCAI), vol. 2575. Berlin, Germany: Springer-Verlag, 2003, pp. 298-309.
85. D. Kroening and O. Strichman, Decision Procedures. New York: Springer-Verlag, 2008.
86. D. Kroening and G. Weissenbacher, "Counterexamples with loops for predicate abstraction," in Computer Aided Verification (CAV), vol. 4144. Berlin, Germany: Springer-Verlag, 2006, pp. 152-165.
87. R. P. Kurshan, Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton, NJ: Princeton Univ. Press, 1994.
88. P. Lacan, J. N. Monfort, L. V. Q. Ribal, A. Deutsch, and G. Gonthier, "ARIANE 5 - The software reliability verification process," in Proc. ESA SP-422: DASIA, 1998, pp. 201-205.
89. J. R. Larus, T. Ball, M. Das, R. DeLine, M. Fahndrich, J. Pincus, S. K. Rajamani, and R. Venkatapathy, "Righting software," IEEE Softw., vol. 21, no. 3, pp. 92-100, May/Jun. 2004.
90. K. L. McMillan, Symbolic Model Checking. Norwell, MA: Kluwer, 1993.
91. M. Menasche and B. Berthomieu, "Time petri nets for analyzing and verifying time dependent communication protocols." in Proc. Protoc. Specif., Test., Verif., 1983, pp. 161-172.
92. A. Miné, "The octagon abstract domain," High-Order Symb. Comput., vol. 19, no. 1, pp. 31-100, Mar. 2006.
93. M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik, "Chaff: Engineering an efficient SAT solver," in Proc. DAC, 2001, pp. 530-535.
94. M. Musuvathi, D. Y. W. Park, A. Chou, D. R. Engler, and D. L. Dill, "CMC: A pragmatic approach to model checking real code," SIGOPS Oper. Syst. Rev., vol. 36, no. SI, pp. 75-88, 2002.
95. P. Naur, "Checking of operand types in ALGOL compilers," in Proc. NordSAM 64, 1965, pp. 151-163, BIT 5.
96. S. Qadeer and J. Rehof, "Context-bounded model checking of concurrent software," in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 3440. Berlin, Germany: Springer-Verlag, 2005, pp. 93-107.
97. J.-P. Queille and J. Sifakis, "Specification and verification of concurrent systems in CESAR," in Proc. 5th Int. Symp. Program., 1982, pp. 337-351.
98. I. Rabinovitz and O. Grumberg, "Bounded model checking of concurrent programs," in Computer Aided Verification (CAV), vol. 3576. Berlin, Germany: Springer-Verlag, 2005, pp. 82-97.
99. G. Ramalingam, "Context-sensitive synchronization-sensitive analysis is undecidable," ACM Trans. Program. Lang. Syst., vol. 22, no. 2, pp. 416-430, Mar. 2000.
100. J. C. Reynolds, "Automatic computation of data set definitions," in Proc. IFIP Congr., 1968, vol. 1, pp. 456-461.
101. M. Sagiv, T. Reps, and R. Wilhelm, "Parametric shape analysis via 3-valued logic," ACM Trans. Program. Lang. Syst. (TOPLAS), vol. 24, no. 3, pp. 217-298, May 2002.
102. D. A. Schmidt, "Data flow analysis is model checking of abstract interpretations," in Proc. POPL, 1998, pp. 38-48.
103. B. Steensgaard, "Points-to analysis in almost linear time," in Proc. POPL, 1996, pp. 32-41.
104. B. Steffen, "Data flow analysis as model checking," in Theoretical Aspects of Computer Software. London, U.K.: Springer-Verlag, 1991, pp. 346-365.
105. W. Visser, K. Havelund, G. Brat, S. Park, and F. Lerda, "Model checking programs," Autom. Softw. Eng. (ASE), vol. 10, no. 2, pp. 203-232, Apr. 2003.
106. M. Wedler, D. Stoffel, and W. Kunz, "Normalization at the arithmetic bit level," in Proc. DAC. 2005, pp. 457-462.
107. T. Witkowski, N. Blanc, G. Weissenbacher, and D. Kroening, "Model checking concurrent Linux device drivers," in Proc. ASE, 2007, pp. 501-504.
108. Y. Xie and A. Aiken, "Scalable error detection using Boolean satisfiability," in Proc. POPL, 2005, pp. 351-363.
109. J. Yang, C. Sar, P. Twohey, C. Cadar, and D. R. Engler, "Automatically generating malicious disks using symbolic execution," in Proc. IEEE Symp. S&P, 2006, pp. 243-257.
110. S. Yovine, "Model checking timed automata," in European Educational Forum: School on Embedded Systems, vol. 1494. Berlin, Germany: Springer-Verlag, 1996, pp. 114-152.