Using Range Analysis for Software Verification

Verification is increasingly becoming a bottleneck in the design of embedded systems and system-on-chips. In order to ensure the correctness, verification has to be performed not only on hardware, but also on software. Model checking is a promising verification technique, but suffers from the state explosion problem, which is even further exacerbated in the context of software verification mainly due to large number of variables used in programs. Therefore, how to reduce the amount of variables during verification becomes a key challenge in making software model checking scalable. The main contributions of this paper are two lightweight range analysis techniques for determining lower and upper bounds for program variables, and their application in improving various software model checking techniques. We formulate each range analysis problem as a system of inequality constraints between symbolic bound polynomials, then reduce the constraint system to a linear program (LP) that can be analyzed by available LP solvers. For bounded model checking, we improve the bound tightness by exploiting the fact that the range information needs to be sound only for bounded traces. We have implemented the range analysis techniques in our software model checking framework. Experimental results demonstrate promising results in extending the power of stateof-the-art software verification techniques.