Toward Unbounded Model Checking for Region Automata

The large number of program variables in a software verification model often makes model checkers ineffective. Since the performance of BDD’s is very sensitive to the number of variables, BDD-based model checking is deficient in this regard. SAT-based model checking shows some promise because the performance of SAT-solvers is less dependent on the number of variables. As a result, SAT-based techniques often outperform BDD-based techniques in discrete systems with a lot of variables. Timed systems, however, have not been as thoroughly investigated as discrete systems. The performance of SAT-based model checking in analyzing timing behavior – an essential task for verifying real-time systems – is not so clear. Moreover, although SAT-based model checking may be useful in bug hunting, their capability in proving properties has often been criticized. To address these issues, we propose a new bounded model checker, xBMC, to solve the reachability problem of dense-time systems. In xBMC, regions and transition relations are represented as Boolean formulae via discrete interpretations. To support both property refutation and verification, a complete inductive algorithm is deployed, in addition to the requirement of reaching an intrinsic threshold, i.e. the number of regions. In an experiment to verify the client authentication protocol of Cornell Single Sign-on systems, xBMC outperforms the efficient model checker, RED [35], even if no bugs exist. We believe that xBMC may provide an effective and practical method for timing behavior verification of large systems.