Model checking LTL properties over ANSI-C programs with bounded traces

Software & Systems Modeling (Special Section Paper)

Abstract

Context-bounded model checking has been used successfully to verify safety properties in multi-threaded systems automatically, even if they are implemented in low-level programming languages such as C. In this paper, we describe and experiment with an approach to extend context-bounded software model checking to safety and liveness properties expressed in linear-time temporal logic (LTL). Our approach checks the actual C program, rather than an extracted abstract model. It converts the LTL formulas into Büchi automata for the corresponding never claims and then further into C monitor threads that are interleaved with the execution of the program under analysis. This combined system is then checked using the ESBMC model checker. We use an extended, four-valued LTL semantics to handle the finite traces that bounded model checking explores; we thus check the combined system several times with different acceptance criteria to derive the correct truth value. In order to mitigate the state space explosion, we use a dedicated scheduler that selects the monitor thread only after updates to global variables occurring in the LTL formula. We demonstrate our approach on the analysis of the sequential firmware of a medical device and a small multi-threaded control application.
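The abstract describes the pipeline in one sentence: negate the LTL property, turn it into a Büchi automaton (the never claim), run that automaton as a monitor alongside the program, and, because bounded model checking only sees a finite prefix of every execution, read the result through a four-valued semantics instead of plain true/false. The following C program is an added illustration of that last step; it is not code from the paper or from ESBMC. The paper's monitor is a thread scheduled by ESBMC after each write to a global named in the formula; here that scheduling is replaced by a constructed array of observations, one per update of the globals `req` and `ack`. The three never-claim automata are hand-written in the layout that ltl2ba-style translators print, and the four verdict rules (true, false, presumably true, presumably false) are a deliberate simplification of the Bauer et al. style finite-trace semantics the abstract refers to, chosen so that each of the three property classes the paper distinguishes (safety, co-safety, true liveness) lands on a different verdict.

```c
#include <stddef.h>
#include <stdio.h>

/* Four-valued verdict on a finite (bounded) trace. These rules are a
 * constructed simplification for this example, not the paper's definition. */
enum verdict { V_TRUE, V_FALSE, V_PRESUMABLY_TRUE, V_PRESUMABLY_FALSE };

/* One observation of the propositions req and ack, recorded each time one of
 * the corresponding globals is updated. Index = req*2 + ack. */
enum { O_NONE = 0, O_ACK = 1, O_REQ = 2, O_BOTH = 3 };

/* A transition guard is a 4-bit mask over the four possible observations. */
#define G_TRUE     0xFu                              /* any observation */
#define G_REQ_NACK (1u << O_REQ)                     /* req && !ack      */
#define G_NACK     ((1u << O_NONE) | (1u << O_REQ))  /* !ack             */
#define G_REQ_ACK  (1u << O_BOTH)                    /* req && ack       */

struct trans { unsigned from, guard, to; };          /* from/to: state bitmasks */

struct automaton {
    const char *formula;        /* property; the automaton accepts its negation */
    unsigned init, accepting;   /* initial state set, Buchi accepting states   */
    const struct trans *t;
    size_t nt;
};

/* Never claim for !(G(req -> F ack)) = F(req && G !ack)   (true liveness)
 *   T0_init:   true -> T0_init ; req && !ack -> accept_S1
 *   accept_S1: !ack -> accept_S1                       (accepting) */
static const struct trans t_resp[] = { {1u, G_TRUE, 1u}, {1u, G_REQ_NACK, 2u}, {2u, G_NACK, 2u} };
static const struct automaton resp = { "G(req -> F ack)", 1u, 2u, t_resp, 3 };

/* Never claim for !(G !(req && ack)) = F(req && ack)     (safety)
 *   T0_init:    true -> T0_init ; req && ack -> accept_all
 *   accept_all: true -> accept_all                      (accepting) */
static const struct trans t_mutex[] = { {1u, G_TRUE, 1u}, {1u, G_REQ_ACK, 2u}, {2u, G_TRUE, 2u} };
static const struct automaton mutex = { "G !(req && ack)", 1u, 2u, t_mutex, 3 };

/* Never claim for !(F ack) = G !ack                      (co-safety)
 *   accept_T0: !ack -> accept_T0                        (accepting) */
static const struct trans t_evack[] = { {1u, G_NACK, 1u} };
static const struct automaton evack = { "F ack", 1u, 1u, t_evack, 1 };

/* Advance every state in 'set' on one observation. Tracking the whole set of
 * possible states resolves the automaton's nondeterminism. */
static unsigned step(const struct automaton *a, unsigned set, unsigned o)
{
    unsigned next = 0;
    for (size_t i = 0; i < a->nt; i++)
        if ((set & a->t[i].from) && (a->t[i].guard & (1u << o)))
            next |= a->t[i].to;
    return next;
}

/* Accepting states with an unconditional self-loop: once reached, every
 * extension of the prefix is accepted by the never claim. */
static unsigned trap_states(const struct automaton *a)
{
    unsigned trap = 0;
    for (size_t i = 0; i < a->nt; i++)
        if (a->t[i].from == a->t[i].to && a->t[i].guard == G_TRUE)
            trap |= a->t[i].to & a->accepting;
    return trap;
}

enum verdict check(const struct automaton *a, const unsigned *trace, size_t n)
{
    unsigned set = a->init;
    for (size_t i = 0; i < n; i++) set = step(a, set, trace[i]);
    if (set == 0)             return V_TRUE;             /* no run of the never claim survives  */
    if (set & trap_states(a)) return V_FALSE;            /* violated on every extension          */
    if (set & a->accepting)   return V_PRESUMABLY_FALSE; /* prefix ends in an accepting state    */
    return V_PRESUMABLY_TRUE;                            /* an extension could still violate it  */
}

static const char *name(enum verdict v)
{
    static const char *n[] = { "true", "false", "presumably true", "presumably false" };
    return n[v];
}

/* Constructed traces (not from the paper), each cut off at the bound. */
static const unsigned trace_pending[] = { O_NONE, O_REQ, O_ACK, O_REQ, O_REQ };  /* 2nd req never acked */
static const unsigned trace_clean[]   = { O_NONE, O_REQ, O_ACK, O_REQ, O_ACK };  /* every req acked      */
static const unsigned trace_clash[]   = { O_NONE, O_REQ, O_BOTH };               /* req and ack together */
#define LEN(x) (sizeof (x) / sizeof (x)[0])

int main(void)
{
    const struct automaton *props[] = { &resp, &mutex, &evack };
    for (size_t i = 0; i < LEN(props); i++)
        printf("%-16s on trace_pending: %s\n", props[i]->formula,
               name(check(props[i], trace_pending, LEN(trace_pending))));
    return 0;
}
```

On `trace_pending` the response property comes out "presumably false": the prefix ends with a request outstanding, but any extension that eventually sets `ack` satisfies it, so no finite prefix can refute (or prove) a true liveness property, which is why the abstract speaks of rerunning the combined system under different acceptance criteria. The mutual-exclusion property is a safety property: on `trace_clash` the never claim reaches `accept_all`, a verdict no extension can undo. `F ack` is co-safety: the first `ack` leaves the never claim with no surviving run, so the verdict is a definitive "true".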


Figures 1 to 4: images not reproduced in this extract.


Notes

  1. Here and throughout the paper we enclose the embedded C expressions in curly brackets and typeset them in typewriter font.

  2. Unstructured goto C code is also handled; every execution of a backward jump counts as a “loop iteration” associated with that goto.

  3. The classical definition of liveness properties [1] includes co-safety properties as well. Here we use the term true liveness property to exclude co-safety properties.

  4. 2.67 GHz Intel Xeon, 12 GB of memory, running Fedora 16.

  5. Available from www.esbmc.org.

References

  1. Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985)


  2. Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distrib. Comput. 2(3), 117–126 (1987)


  3. Barnett, M., DeLine, R., Fähndrich, M., Jacobs, B., Leino, K.R.M., Schulte, W., Venter, H.: The Spec# programming system: challenges and directions. In: Meyer, B., Woodcock, J. (eds.) Proceedings of Conference on Verified Software: Theories, Tools, Experiments (VSTTE’05). Lecture Notes in Computer Science, vol. 4171, pp. 144–152. Springer (2008)

  4. Bauer, A., Haslum, P.: LTL goal specifications revisited. In: Coelho, H., Studer, R., Wooldridge, M. (eds.) Proceedings of European Conference on Artificial Intelligence (ECAI’10). Frontiers in Artificial Intelligence and Applications, vol. 215, pp. 881–886. IOS Press (2010)

  5. Bauer, A., Leucker, M., Schallhart, C.: The good, the bad, and the ugly, but how ugly is ugly?. In: Sokolsky, O., Tasiran, S. (eds.) Proceedings of the Workshop Runtime Verification (RV’07). Lecture Notes in Computer Science, vol. 4839, pp. 126–138. Springer (2007)

  6. Bauer, A., Leucker, M., Schallhart, C.: Comparing LTL semantics for runtime verification. J. Log. Comput. 20(3), 651–674 (2010)


  7. Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Eng. Methodol. 20(4), 14 (2011)


  8. Büchi, J.R.: On a decision method in restricted second order arithmetic. In: Nagel, E., Suppes, P., Tarski, A. (eds.) Logic, Methodology and Philosophy of Science: Proceedings of the 1960 International Congress. Studies in Logic and the Foundations of Mathematics, vol. 44, pp. 1–11. Elsevier (1966)

  9. Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker Blast. STTT 9(5–6), 505–525 (2007)


  10. Biere, A., Heljanko, K., Junttila, T.A., Latvala, T., Schuppan, V.: Linear encodings of bounded LTL model checking. Log. Methods Comput. Sci. 2(5), 1–64 (2006)


  11. Clarke, E.M., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’04). Lecture Notes in Computer Science, vol. 2988, pp. 168–176. Springer (2004)

  12. Clarke, E.M., Kroening, D., Sharygina, N., Yorav, K.: Predicate abstraction of ANSI-C programs using SAT. Formal Methods Syst. Des. 25(2–3), 105–127 (2004)


  13. Clarke, E.M., Lerda, F.: Model checking: software and beyond. J. UCS 13(5), 639–649 (2007)


  14. Cordeiro, L., Barreto, R.S., Barcelos, R., Oliveira, M.N., Lucena, V., Maciel, P.R.M.: Agile development methodology for embedded systems: a platform-based design approach. In: Leaney, J., Rozenblit, J.W., Peng, J. (eds.) Proceedings of the Conference on Engineering of Computer Based Systems (ECBS’07), pp. 195–202. IEEE Computer Society (2007)

  15. Cordeiro, L., Fischer, B.: Verifying multi-threaded software using SMT-based context-bounded model checking. In: Taylor, R.N., Gall, H., Medvidovic, N. (eds.) Proceedings of the International Conference on Software Engineering (ICSE’11), pp. 331–340. ACM (2011)

  16. Cordeiro, L., Fischer, B., Chen, H., Marques-Silva, J.: Semiformal verification of embedded software in medical devices considering stringent hardware constraints. In: Chen, T., Serpanos, D.N., Taha, W. (eds.) Proceedings of International Conference on Embedded Software and Systems (ICESS’09), pp. 396–403. IEEE (2009)

  17. Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. In: Grundy, J., Taentzer, G., Heimdahl, M. (eds.) Proceedings of the Conference on Automated Software Engineering (ASE’09), pp. 137–148. IEEE Computer Society (2009)

  18. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: Boehm, B.W., Garlan, D., Kramer, J. (eds.) Proceedings of the International Conference on Software Engineering (ICSE’99), pp. 411–420. ACM (1999)

  19. Eisner, C., Fisman, D., Havlicek, J., Lustig, Y., McIsaac, A., Campenhout, D.V.: Reasoning with temporal logic on truncated paths. In: Hunt, W.A., Somenzi, F. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’03). Lecture Notes in Computer Science, vol. 2725, pp. 27–39. Springer (2003)

  20. Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: Berry, G., Comon, H., Finkel, A. (eds.) Proceedings of the Conference on Computer Aided Verification (CAV’01). Lecture Notes in Computer Science, vol. 2102, pp. 53–65. Springer (2001)

  21. Giannakopoulou, D., Havelund, K.: Automata-based verification of temporal properties on running programs. In: Richardson, D., Feather, M.S., Goedicke, M. (eds.) Proceedings of the 16th IEEE International Conference on Automated Software Engineering (ASE’01). pp. 412–416. IEEE Computer Society (2001)

  22. He, A., Wu, J., Li, L.: An efficient algorithm for transforming LTL formula to Büchi automaton. In: Proceedings of Conference on Intelligent Computation Technology and Automation (ICICTA’08), vol. 01, pp. 1215–1219. IEEE Computer Society (2008)

  23. Holzmann, G.J.: The model checker SPIN. IEEE Trans. Softw. Eng. 23(5), 279–295 (1997)


  24. Holzmann, G.J.: The SPIN Model Checker—primer and reference manual. Addison-Wesley, Boston, USA (2004)

  25. Huth, M., Ryan, M.D.: Logic in Computer Science: Modelling and Reasoning About Systems, 2nd edn. Cambridge University Press, Cambridge, New York, NY, USA (2004)

  26. ISO: ISO/IEC/IEEE 9945:2009 Information Technology—Portable Operating System Interface (POSIX) Base Specifications, Issue 7. International Organization for Standardization, Geneva, Switzerland, December (2009)

  27. ISO: ISO/IEC 9899:2011 Information Technology—Programming languages—C. International Organization for Standardization, Geneva, Switzerland, December (2011)

  28. Jonsson, B., Tsay, Y.K.: Assumption/guarantee specifications in linear-time temporal logic. Theor. Comput. Sci. 167(1–2), 47–72 (1996)


  29. Kamp, H.W.: Tense logic and the theory of linear order. Ph.D thesis, Computer Science Department, University of California at Los Angeles, USA (1968)

  30. Kupferman, O., Vardi, M.Y.: Model checking of safety properties. Formal Methods Syst. Des. 19(3), 291–314 (2001)


  31. Lahiri, S.K., Qadeer, S., Rakamaric, Z.: Static and precise detection of concurrency errors in systems code using SMT solvers. In: Bouajjani, A., Maler, O. (eds.) Proceedings of Conference on Computer Aided Verification (CAV’09). Lecture Notes in Computer Science, vol. 5643, pp. 509–524. Springer (2009)

  32. Lamport, L.: A new approach to proving the correctness of multiprocess programs. ACM Trans. Program. Lang. Syst. 1(1), 84–97 (1979)


  33. Lamport, L.: What good is temporal logic? In: IFIP Congress, pp. 657–668 (1983)

  34. Leucker, M., Schallhart, C.: A brief account of runtime verification. J. Log. Algebr. Program. 78(5), 293–303 (2009)


  35. Manna, Z., Pnueli, A.: Temporal verification of reactive systems: safety. Springer, New York (1995)


  36. McMillan, K.L.: Symbolic Model Checking. Kluwer Academic Publishers, Norwell, MA, USA (1993)

  37. Morse, J., Cordeiro, L., Nicole, D., Fischer, B.: Context-bounded model checking of LTL properties for ANSI-C software. In: Barthe, G., Pardo, A., Schneider, G. (eds.) Proceedings of Conference on Software Engineering and Formal Methods (SEFM’11). Lecture Notes in Computer Science, vol. 7041, pp. 302–317. Springer (2011)

  38. Nguyen, A.C., Khoo, S.C.: Towards automation of LTL verification for Java Pathfinder (2008). In: Proceedings of the 15th National Undergraduate Research Opportunities Programme Congress, Singapore (2010)

  39. Pnueli, A.: The temporal logic of programs. In: Proceedings of Symposium on the Foundations of Computer Science (FOCS’77), pp. 46–57. IEEE Computer Society (1977)

  40. Rabinovitz, I., Grumberg, O.: Bounded model checking of concurrent programs. In: Etessami, K., Rajamani, S.K. (eds.) Proceedings of Conference on Computer Aided Verification (CAV’05). Lecture Notes in Computer Science, vol. 3576, pp. 82–97. Springer (2005)

  41. Rozier, K.Y.: Linear temporal logic symbolic model checking. Comput. Sci. Rev. 5(2), 163–203 (2011)


  42. Rozier, K.Y., Vardi, M.Y.: LTL satisfiability checking. STTT 12(2), 123–137 (2010)


  43. Staats, M., Heimdahl, M.P.E.: Partial translation verification for untrusted code-generators. In: Liu, S., Maibaum, T.S.E., Araki, K. (eds.) Proceedings of Conference on Formal Methods and Software Engineering (ICFEM’08). Lecture Notes in Computer Science, vol. 5256, pp. 226–237. Springer (2008)

  44. Vardi, M.Y.: An automata-theoretic approach to linear temporal logic. In: Moller, F., Birtwistle, G.M. (eds.) Logics for Concurrency—Structure versus Automata. Lecture Notes in Computer Science, vol. 1043, pp. 238–266. Springer (1996)

  45. Vardi, M.Y., Wolper, P.: An automata-theoretic approach to automatic program verification (preliminary report). In: Proceedings of the Symposium on Logic in Computer Science (LICS’86), pp. 332–344. IEEE Computer Society (1986)

  46. Visser, W., Havelund, K., Brat, G.P., Park, S., Lerda, F.: Model checking programs. Autom. Softw. Eng. 10(2), 203–232 (2003)



Acknowledgments

This work was supported by a Royal Society International Exchange Grant. The reviewers’ comments helped us to improve our presentation.

Author information

Corresponding author

Correspondence to Jeremy Morse.

Additional information

Communicated by Dr. Gerardo Schneider, Gilles Barthe, and Alberto Pardo.

Appendix: Sample monitor
The sample monitor listings (figures h and i in the published version) are not reproduced in this extract.

Cite this article

Morse, J., Cordeiro, L., Nicole, D. et al. Model checking LTL properties over ANSI-C programs with bounded traces. Softw Syst Model 14, 65–81 (2015). https://doi.org/10.1007/s10270-013-0366-0
