Lecture Notes on Software Model Checking

So far we’ve focused on model checking algorithms that assume a computation structure is given. It should come as no surprise that our goal is to perform model checking of programs given as code, so today we’ll describe techniques that allow us to apply model checking in this setting. There are several challenges to doing so, foremost among them the fact that the statespace of programs may be infinite. We’ll describe two approaches for dealing with this: bounded model checking and predicate abstraction. Each of these techniques addresses the problem by computing an approximation. Bounded model checking computes an underapproximation of the reachable statespace by assuming a fixed computation depth in advance, and treating paths within this depth limit symbolically to explore all possible states. Predicate abstraction computes an overapproximation of reachable states by constructing a transition structure that treats distinct program states identically, in a way that makes it possible to reason over a finite number of states. While either approach has its limitations, both are used effectively in practice, and are the core techniques that make software model checking possible.