Abstract
Context-bounded model checking has been used successfully to verify safety properties in multi-threaded systems automatically, even if they are implemented in low-level programming languages such as C. In this paper, we describe and experiment with an approach to extend context-bounded software model checking to safety and liveness properties expressed in linear-time temporal logic (LTL). Our approach checks the actual C program, rather than an extracted abstract model. It converts the LTL formulas into Büchi automata for the corresponding never claims and then further into C monitor threads that are interleaved with the execution of the program under analysis. This combined system is then checked using the ESBMC model checker. We use an extended, four-valued LTL semantics to handle the finite traces that bounded model checking explores; we thus check the combined system several times with different acceptance criteria to derive the correct truth value. In order to mitigate the state space explosion, we use a dedicated scheduler that selects the monitor thread only after updates to global variables occurring in the LTL formula. We demonstrate our approach on the analysis of the sequential firmware of a medical device and a small multi-threaded control application.
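The C program below is an added illustration, written for this page and not code from the paper or from ESBMC, of the mechanism the abstract describes: the never claim for a property over two globals is encoded as a small automaton in a monitor, the monitor is stepped only after writes to globals that occur in the formula, and the bounded trace is judged under two acceptance criteria to obtain a four-valued verdict. The property (a lock must be held inside the critical section, and every acquisition is eventually released), the names lock_held, in_cs, counter, the three constructed traces, the use of RV-LTL-style values (true, false, presumably true, presumably false [6]) and the treatment of a terminated program as stuttering in its final state forever are all assumptions made here; the paper's own automaton encoding and semantics are not reproduced on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Globals that occur in the formula
 *   phi = G(in_cs -> lock_held) && G(lock_held -> F !lock_held)
 * plus one unrelated global to show what the scheduler ignores. */
static int lock_held = 0;   /* 1 while the lock is held */
static int in_cs = 0;       /* 1 while inside the critical section */
static int counter = 0;     /* not in phi: writes to it never wake the monitor */

/* Never claim: a (determinised) Buchi automaton for
 *   !phi = F(in_cs && !lock_held) || F(lock_held && G lock_held).
 * S_ERR and S_HELD are the accepting states; S_ERR is absorbing. */
enum mstate { S_OK, S_HELD, S_ERR };
static enum mstate state = S_OK;
static unsigned monitor_steps = 0;   /* how often the monitor thread was scheduled */

/* Four-valued verdict for a finite trace, in the style of RV-LTL (assumption). */
enum verdict { V_TRUE, V_PRESUMABLY_TRUE, V_PRESUMABLY_FALSE, V_FALSE };

/* One transition of the never claim on the current valuation of the globals. */
static void monitor_step(void)
{
    monitor_steps++;
    if (state == S_ERR) return;                /* a bad prefix has already been seen */
    if (in_cs && !lock_held) state = S_ERR;    /* safety conjunct violated */
    else if (lock_held)      state = S_HELD;   /* a release is still owed */
    else                     state = S_OK;
}

/* Scheduler hook: the monitor runs only after a write to a global in phi. */
static void write_lock(int v)    { lock_held = v; monitor_step(); }
static void write_in_cs(int v)   { in_cs = v;     monitor_step(); }
static void write_counter(int v) { counter = v;   /* no monitor step */ }

/* Two acceptance criteria applied at the end of the bounded trace:
 *  1. an absorbing accepting state (S_ERR) means every extension violates phi;
 *  2. a non-absorbing accepting state (S_HELD) is a violation only if the trace
 *     is complete, i.e. the program terminated and its final state repeats
 *     forever; if the bound was hit first, a longer trace could still release. */
enum verdict verdict_at_end(int terminated)
{
    switch (state) {
    case S_ERR:  return V_FALSE;
    case S_HELD: return terminated ? V_FALSE : V_PRESUMABLY_FALSE;
    default:     return terminated ? V_TRUE  : V_PRESUMABLY_TRUE;
    }
}

/* A program trace as a sequence of global writes: 'l' lock_held, 'c' in_cs, 'n' counter. */
struct op { char var; int val; };

static void reset(void)
{
    lock_held = in_cs = counter = 0;
    state = S_OK;
    monitor_steps = 0;
}

enum verdict run_trace(const struct op *ops, size_t n, int terminated)
{
    reset();
    for (size_t i = 0; i < n; i++) {
        switch (ops[i].var) {
        case 'l': write_lock(ops[i].val);    break;
        case 'c': write_in_cs(ops[i].val);   break;
        default:  write_counter(ops[i].val); break;
        }
    }
    return verdict_at_end(terminated);
}

unsigned monitor_steps_taken(void) { return monitor_steps; }

/* Constructed traces (not taken from any real program). */
static const struct op trace_good[] = { {'n',1}, {'l',1}, {'n',2}, {'c',1}, {'c',0}, {'l',0}, {'n',3} };
static const struct op trace_bad[]  = { {'l',1}, {'c',1}, {'l',0}, {'c',0} };  /* released inside the CS */
static const struct op trace_held[] = { {'l',1}, {'c',1}, {'c',0} };           /* no release before the bound */

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    static const char *name[] = { "true", "presumably true", "presumably false", "false" };
    enum verdict v = run_trace(trace_good, LEN(trace_good), 0);
    printf("good, bound hit : %s (monitor ran after %u of %zu writes)\n",
           name[v], monitor_steps_taken(), LEN(trace_good));
    printf("good, terminated: %s\n", name[run_trace(trace_good, LEN(trace_good), 1)]);
    printf("bad             : %s\n", name[run_trace(trace_bad,  LEN(trace_bad),  0)]);
    printf("held, bound hit : %s\n", name[run_trace(trace_held, LEN(trace_held), 0)]);
    printf("held, terminated: %s\n", name[run_trace(trace_held, LEN(trace_held), 1)]);
    return 0;
}
```

Two things are worth noticing when running it. The monitor is scheduled after four of the seven writes in the good trace, because the three writes to counter are not in the formula; on a real program this is where the state-space saving of the dedicated scheduler comes from. And the held trace yields a different value depending on whether the bound was hit or the program terminated, which is why a single pass with one acceptance criterion cannot assign the right truth value to a liveness property over a finite trace.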
Notes
Here and throughout the paper we enclose the embedded C expressions in curly brackets and typeset them in typewriter font.
Unstructured goto C code is also handled; every execution of a backward jump counts as a “loop iteration” associated with that goto.
The classical definition of liveness properties [1] includes co-safety properties as well. Here we use the term true liveness property to exclude co-safety properties.
2.67 GHz Intel Xeon, 12 GB of memory, running Fedora 16.
Available from www.esbmc.org.
References
Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985)
Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distrib. Comput. 2(3), 117–126 (1987)
Barnett, M., DeLine, R., Fähndrich, M., Jacobs, B., Leino, K.R.M., Schulte, W., Venter, H.: The Spec# programming system: challenges and directions. In: Meyer, B., Woodcock, J. (eds.) Proceedings of the Conference on Verified Software: Theories, Tools, Experiments (VSTTE’05). Lecture Notes in Computer Science, vol. 4171, pp. 144–152. Springer (2008)
Bauer, A., Haslum, P.: LTL goal specifications revisited. In: Coelho, H., Studer, R., Wooldridge, M. (eds.) Proceedings of the European Conference on Artificial Intelligence (ECAI’10). Frontiers in Artificial Intelligence and Applications, vol. 215, pp. 881–886. IOS Press (2010)
Bauer, A., Leucker, M., Schallhart, C.: The good, the bad, and the ugly, but how ugly is ugly?. In: Sokolsky, O., Tasiran, S. (eds.) Proceedings of the Workshop Runtime Verification (RV’07). Lecture Notes in Computer Science, vol. 4839, pp. 126–138. Springer (2007)
Bauer, A., Leucker, M., Schallhart, C.: Comparing LTL semantics for runtime verification. J. Log. Comput. 20(3), 651–674 (2010)
Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Eng. Methodol. 20(4), 14 (2011)
Büchi, J.R.: Symposium on decision problems: On a decision method in restricted second order arithmetic. In: Nagel, E., Suppes, P., Tarski, A. (eds.) Proceedings of the 1960 International Congress for Logic, Methodology and Philosophy of Science. Studies in Logic and the Foundations of Mathematics, vol. 44, pp. 1–11. Elsevier (1966)
Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker Blast. STTT 9(5–6), 505–525 (2007)
Biere, A., Heljanko, K., Junttila, T.A., Latvala, T., Schuppan, V.: Linear encodings of bounded LTL model checking. Log. Methods Comput. Sci. 2(5), 1–64 (2006)
Clarke, E.M., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’04). Lecture Notes in Computer Science, vol. 2988, pp. 168–176. Springer (2004)
Clarke, E.M., Kroening, D., Sharygina, N., Yorav, K.: Predicate abstraction of ANSI-C programs using SAT. Formal Methods Syst. Des. 25(2–3), 105–127 (2004)
Clarke, E.M., Lerda, F.: Model checking: software and beyond. J. UCS 13(5), 639–649 (2007)
Cordeiro, L., Barreto, R.S., Barcelos, R., Oliveira, M.N., Lucena, V., Maciel, P.R.M.: Agile development methodology for embedded systems: a platform-based design approach. In: Leaney, J., Rozenblit, J.W., Peng, J. (eds.) Proceedings of the Conference on Engineering of Computer Based Systems (ECBS’07), pp. 195–202. IEEE Computer Society (2007)
Cordeiro, L., Fischer, B.: Verifying multi-threaded software using SMT-based context-bounded model checking. In: Taylor, R.N., Gall, H., Medvidovic, N. (eds.) Proceedings of the International Conference on Software Engineering (ICSE’11), pp. 331–340. ACM (2011)
Cordeiro, L., Fischer, B., Chen, H., Marques-Silva, J.: Semiformal verification of embedded software in medical devices considering stringent hardware constraints. In: Chen, T., Serpanos, D.N., Taha, W. (eds.) Proceedings of the International Conference on Embedded Software and Systems (ICESS’09), pp. 396–403. IEEE (2009)
Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. In: Grundy, J., Taentzer, G., Heimdahl, M. (eds.) Proceedings of the Conference on Automated Software Engineering (ASE’09), pp. 137–148. IEEE Computer Society (2009)
Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: Boehm, B.W., Garlan, D., Kramer, J. (eds.) Proceedings of the International Conference on Software Engineering (ICSE’99), pp. 411–420. ACM (1999)
Eisner, C., Fisman, D., Havlicek, J., Lustig, Y., McIsaac, A., Campenhout, D.V.: Reasoning with temporal logic on truncated paths. In: Hunt, W.A., Somenzi, F. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’03). Lecture Notes in Computer Science, vol. 2725, pp. 27–39. Springer (2003)
Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: Berry, G., Comon, H., Finkel, A. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’01). Lecture Notes in Computer Science, vol. 2102, pp. 53–65. Springer (2001)
Giannakopoulou, D., Havelund, K.: Automata-based verification of temporal properties on running programs. In: Richardson, D., Feather, M.S., Goedicke, M. (eds.) Proceedings of the 16th IEEE International Conference on Automated Software Engineering (ASE’01), pp. 412–416. IEEE Computer Society (2001)
He, A., Wu, J., Li, L.: An efficient algorithm for transforming LTL formula to Büchi automaton. In: Proceedings of the Conference on Intelligent Computation Technology and Automation (ICICTA’08), vol. 1, pp. 1215–1219. IEEE Computer Society (2008)
Holzmann, G.J.: The model checker SPIN. IEEE Trans. Softw. Eng. 23(5), 279–295 (1997)
Holzmann, G.J.: The SPIN Model Checker—primer and reference manual. Addison-Wesley, Boston, USA (2004)
Huth, M., Ryan, M.D.: Logic in Computer Science: Modelling and Reasoning About Systems, 2nd edn. Cambridge University Press, Cambridge, New York, NY, USA (2004)
ISO: ISO/IEC/IEEE 9945:2009 Information Technology—Portable Operating System Interface (POSIX) Base Specifications, Issue 7. International Organization for Standardization, Geneva, Switzerland, December (2009)
ISO: ISO/IEC 9899:2011 Information Technology—Programming languages—C. International Organization for Standardization, Geneva, Switzerland, December (2011)
Jonsson, B., Tsay, Y.K.: Assumption/guarantee specifications in linear-time temporal logic. Theor. Comput. Sci. 167(1–2), 47–72 (1996)
Kamp, H.W.: Tense logic and the theory of linear order. Ph.D thesis, Computer Science Department, University of California at Los Angeles, USA (1968)
Kupferman, O., Vardi, M.Y.: Model checking of safety properties. Formal Methods Syst. Des. 19(3), 291–314 (2001)
Lahiri, S.K., Qadeer, S., Rakamaric, Z.: Static and precise detection of concurrency errors in systems code using SMT solvers. In: Bouajjani, A., Maler, O. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’09). Lecture Notes in Computer Science, vol. 5643, pp. 509–524. Springer (2009)
Lamport, L.: A new approach to proving the correctness of multiprocess programs. ACM Trans. Program. Lang. Syst. 1(1), 84–97 (1979)
Lamport, L.: What good is temporal logic? In: IFIP Congress, pp. 657–668 (1983)
Leucker, M., Schallhart, C.: A brief account of runtime verification. J. Log. Algebr. Program. 78(5), 293–303 (2009)
Manna, Z., Pnueli, A.: Temporal verification of reactive systems: safety. Springer, New York (1995)
McMillan, K.L.: Symbolic Model Checking. Kluwer Academic Publishers, Norwell, MA, USA (1993)
Morse, J., Cordeiro, L., Nicole, D., Fischer, B.: Context-bounded model checking of LTL properties for ANSI-C software. In: Barthe, G., Pardo, A., Schneider, G. (eds.) Proceedings of Conference on Software Engineering and Formal Methods (SEFM’11). Lecture Notes in Computer Science, vol. 7041, pp. 302–317. Springer (2011)
Nguyen, A.C., Khoo, S.C.: Towards automation of LTL verification for Java Pathfinder (2008). In: Proceedings of the 15th National Undergraduate Research Opportunities Programme Congress, Singapore (2010)
Pnueli, A.: The temporal logic of programs. In: Proceedings of Symposium on the Foundations of Computer Science (FOCS’77), pp. 46–57. IEEE Computer Society (1977)
Rabinovitz, I., Grumberg, O.: Bounded model checking of concurrent programs. In: Etessami, K., Rajamani, S.K. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’05). Lecture Notes in Computer Science, vol. 3576, pp. 82–97. Springer (2005)
Rozier, K.Y.: Linear temporal logic symbolic model checking. Comput. Sci. Rev. 5(2), 163–203 (2011)
Rozier, K.Y., Vardi, M.Y.: LTL satisfiability checking. STTT 12(2), 123–137 (2010)
Staats, M., Heimdahl, M.P.E.: Partial translation verification for untrusted code-generators. In: Liu, S., Maibaum, T.S.E., Araki, K. (eds.) Proceedings of the Conference on Formal Methods and Software Engineering (ICFEM’08). Lecture Notes in Computer Science, vol. 5256, pp. 226–237. Springer (2008)
Vardi, M.Y.: An automata-theoretic approach to linear temporal logic. In: Moller, F., Birtwistle, G.M. (eds.) Logics for Concurrency—Structure versus Automata. Lecture Notes in Computer Science, vol. 1043, pp. 238–266. Springer (1996)
Vardi, M.Y., Wolper, P.: An automata-theoretic approach to automatic program verification (preliminary report). In: Proceedings of the Symposium on Logic in Computer Science (LICS’86), pp. 332–344. IEEE Computer Society (1986)
Visser, W., Havelund, K., Brat, G.P., Park, S., Lerda, F.: Model checking programs. Autom. Softw. Eng. 10(2), 203–232 (2003)
Acknowledgments
This work was supported by a Royal Society International Exchange Grant. The reviewers’ comments helped us to improve our presentation.
Communicated by Dr. Gerardo Schneider, Gilles Barthe, and Alberto Pardo.
Appendix: Sample monitor
Cite this article
Morse, J., Cordeiro, L., Nicole, D. et al. Model checking LTL properties over ANSI-C programs with bounded traces. Softw Syst Model 14, 65–81 (2015). https://doi.org/10.1007/s10270-013-0366-0