Efficient SAT-based Bounded Model Checking for Software Verification

This paper discusses our methodology for formal analysis and automatic verification of software programs. It is currently applicable to a large subset of the C programming language that includes bounded recursion. We consider reachability properties, in particular whether certain assertions or basic blocks are reachable in the source code. We perform this analysis via a translation to a Boolean representation based on modeling basic blocks. The program is then analyzed by a back-end SAT-based bounded model checker, where each unrolling is mapped to one step in a block-wise execution of the program. The main contributions of this paper are as follows: 1) This paper is the first to use the block-based unrollings with SAT-based bounded model checking. This allows us to take advantage of SAT-based learning inherent to the best performing bounded model checkers. 2) We also present various heuristics used in the SAT-based bounded model checking customized for models automatically generated from software, allowing a more efficient analysis. 3) We have implemented our methodology into a prototype tool called F-Soft and applied it on various case studies. We present experimental results based on eight case studies including a C-based implementation of a network protocol, and compare the performance gains using the proposed heuristics.