SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Cordeiro, Lucas C.; Fischer, Bernd; Marques-Silva, João

doi:10.1109/tse.2011.59

Cited by 135 publications

(79 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To the best of our knowledge, our analysis has a sound handling of all language features other than those listed above. 4 Further, JayHorn over-approximates variables of type double, float, and long and may over-approximate array usage (as discussed above). Other than that, completeness mostly depends on the selected back-end.…”

Section: Architecture Of Jayhornmentioning

confidence: 99%

JayHorn: A Framework for Verifying Java programs

Kahsai

Rümmer

Sanchez

et al. 2016

Computer Aided Verification

View full text Add to dashboard Cite

Abstract. Building a competitive program verifiers is becoming cheaper. On the front-end side, openly available compiler infrastructure and optimization frameworks take care of hairy problems such as alias analysis, and break down the subtleties of modern languages into a handful of simple instructions that need to be handled. On the back-end side, theorem provers start providing full-fledged model checking algorithms, such as PDR, that take care looping control-flow. In this spirit, we developed JayHorn, a verification framework for Java with the goal of having as few moving parts as possible. Most steps of the translation from Java into logic are implemented as bytecode transformations, with the implication that their soundness can be tested easily. From the transformed bytecode, we generate a set of constrained Horn clauses that are verified using state-of-the-art Horn solvers. We report on our implementation experience and evaluate JayHorn on benchmarks.

show abstract

Section: Architecture Of Jayhornmentioning

confidence: 99%

JayHorn: A Framework for Verifying Java programs

Kahsai

Rümmer

Sanchez

et al. 2016

Computer Aided Verification

View full text Add to dashboard Cite

show abstract

“…Portfolio solving has been explored in the past in the context of SAT solving [13,24], SMT solving [23], and bounded model checking [9], among others. As far as we know, this is the first paper that reports on how different SMT solvers compare and could be combined in a portfolio solver in the context of symbolic execution.…”

Section: Related Workmentioning

confidence: 99%

Multi-solver Support in Symbolic Execution

Palikareva

Cadar

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. One of the main challenges of dynamic symbolic executionan automated program analysis technique which has been successfully employed to test a variety of software-is constraint solving. A key decision in the design of a symbolic execution tool is the choice of a constraint solver. While different solvers have different strengths, for most queries, it is not possible to tell in advance which solver will perform better. In this paper, we argue that symbolic execution tools can, and should, make use of multiple constraint solvers. These solvers can be run competitively in parallel, with the symbolic execution engine using the result from the best-performing solver. We present empirical data obtained by running the symbolic execution engine KLEE on a set of real programs, and use it to highlight several important characteristics of the constraint solving queries generated during symbolic execution. In particular, we show the importance of constraint caching and counterexample values on the (relative) performance of KLEE configured to use different SMT solvers. We have implemented multi-solver support in KLEE, using the metaSMT framework, and explored how different state-of-the-art solvers compare on a large set of constraint-solving queries. We also report on our ongoing experience building a parallel portfolio solver in KLEE.

show abstract

“…Finally there are many examples of using SMT solvers in the realm of software model checking, e.g., as reasoning engine for bounded model checking [1,7].…”

Section: Related Workmentioning

confidence: 99%

SMT-Based False Positive Elimination in Static Program Analysis

Junker

Huuck

Fehnker

et al. 2012

Formal Methods and Software Engineering

View full text Add to dashboard Cite

Abstract. Static program analysis for bug detection in large C/C++ projects typically uses a high-level abstraction of the original program under investigation. As a result, so-called false positives are often inevitable, i.e., warnings that are not true bugs. In this work we present a novel abstraction refinement approach to automatically investigate and eliminate such false positives. Central to our approach is to view static analysis as a model checking problem, to iteratively compute infeasible sub-paths of infeasible paths using SMT solvers, and refine our models by adding observer automata to exclude such paths. Based on this new framework we present an implementation of the approach into the static analyzer Goanna and discuss a number of real-life experiments on larger C code projects, demonstrating that we were able to remove most false positives automatically.

show abstract

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Cited by 135 publications

References 39 publications

JayHorn: A Framework for Verifying Java programs

JayHorn: A Framework for Verifying Java programs

Multi-solver Support in Symbolic Execution

SMT-Based False Positive Elimination in Static Program Analysis

Contact Info

Product

Resources

About