Scaling Bounded Model Checking by Transforming Programs with Arrays
Authors
Abstract
Model checkers often face a state space explosion while verifying properties of programs with loops that iterate over arrays. We present an abstraction that helps bounded model checkers (BMCs) scale up and verify properties on arrays. Our technique transforms an array-manipulating C program into an array-free and loop-free program. The transformed program can then be verified by any bounded model checker without running into a state space explosion. Our technique is effective for programs whose loops iterate over arrays by incrementing (or decrementing) the loop iteration variable and access arrays through expressions whose values match the value of that loop iteration variable. It can verify array invariants defined in terms of a single element of the array. It remains sound in all cases, including those that access arrays through other index values, because those values are over-approximated.
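As an added illustration (not the paper's own transformation or code), the C snippet below shows the idea on a constructed program: the original version loops over an array, and a hand-written array-free, loop-free version replaces the array by one scalar for a nondeterministically chosen index `k`. The bound `N`, the function names and the concrete loop bodies are assumptions made for the example.

```c
#include <stdbool.h>

#define N 8   /* constructed bound for the illustration */

/* Original array program: two loops over a[], then an invariant
 * expressed in terms of a single element a[i]. */
bool original_holds(int n) {
    int a[N];
    if (n < 0 || n > N) return true;
    for (int i = 0; i < n; i++) a[i] = i;            /* loop 1 */
    for (int i = 0; i < n; i++) a[i] = 2 * a[i] + 1; /* loop 2 */
    for (int i = 0; i < n; i++)                      /* invariant */
        if (a[i] != 2 * i + 1) return false;
    return true;
}

/* Array-free, loop-free abstraction for one index k (a model checker
 * would choose k nondeterministically). The array collapses to the
 * scalar a_k, and each loop is replaced by its single iteration i == k,
 * the only one whose index expression equals k. Writes to other
 * elements are dropped; a read of another element would be replaced by
 * an unconstrained value, which is what makes the abstraction an
 * over-approximation (sound, but possibly imprecise). */
bool transformed_holds(int n, int k) {
    if (k < 0 || k >= n) return true;   /* assume(0 <= k < n) */
    int a_k;
    int i;
    i = k;                  /* loop 1, iteration i == k */
    a_k = i;
    i = k;                  /* loop 2, iteration i == k */
    a_k = 2 * a_k + 1;
    i = k;                  /* invariant check, iteration i == k */
    return a_k == 2 * i + 1;
}

/* A BMC explores all admissible values of k symbolically; here we
 * enumerate them to show the property holds for every choice. */
bool transformed_holds_for_all(int n) {
    for (int k = 0; k < n; k++)
        if (!transformed_holds(n, k)) return false;
    return true;
}
```

The transformed program contains no array and no loop, so its size no longer grows with `n`; that is the reduction in state space the abstract refers to.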
Similar references
A Theory of Arrays with set and copy
The theory of arrays is widely used in order to model main memory in program analysis, software verification, bounded model checking, symbolic execution, etc. Nonetheless, the basic theory as introduced by McCarthy is not expressive enough for important practical cases, since it only supports array updates at single locations. In programs, memory is often modified using functions such as memset...
Symbolic Execution with Abstract Subsumption Checking
We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking an...
A Theory of Arrays with set and copy Operations
The theory of arrays is widely used in order to model main memory in program analysis, software verification, bounded model checking, symbolic execution, etc. Nonetheless, the basic theory as introduced by McCarthy is not expressive enough for important practical cases, since it only supports array updates at single locations. In programs, memory is often modified using functions such as memset...
Extending the Theory of Arrays: memset, memcpy, and Beyond
The theory of arrays is widely used in program analysis, (deductive) software verification, bounded model checking, and symbolic execution to model arrays in programs or the computer’s main memory. Nonetheless, the theory as introduced by McCarthy is not expressive enough in many cases since it only supports array updates at single locations. In programs, memory is often modified at multiple lo...
Under-approximating loops in C programs for fast counterexample detection
Many software model checkers only detect counterexamples with deep loops after exploring numerous spurious and increasingly longer counterexamples. We propose a technique that aims at eliminating this weakness by constructing auxiliary paths that represent the effect of a range of loop iterations. Unlike acceleration, which captures the exact effect of arbitrarily many loop iterations, these au...