SMT-based model checking for recursive programs

• Published in: Formal methods in system design Vol. 48; no. 3; pp. 175 - 205
• Main Authors: Komuravelli, Anvesh, Gurfinkel, Arie, Chaki, Sagar
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.06.2016; Springer Nature B.V
• Subjects: Algorithms; Arithmetic; Boolean algebra; CAE) and Design; Circuits and Systems; Computer-Aided Engineering (CAD; Electrical Engineering; Empirical analysis; Engineering; Formal method; Integers; Logic programming; Matching; Polynomials; Procedure calls; Program verification (computers); Software Engineering/Programming and Operating Systems; State of the art; Model checking; Quantifier elimination; Recursion; Satisfiability; Compositional; May-must
• ISSN: 0925-9856; 1572-8102
• DOI: 10.1007/s10703-016-0249-4

We present an SMT-based symbolic model checking algorithm for safety verification of recursive programs. The algorithm is modular and analyzes procedures individually. Unlike other SMT-based approaches, it maintains both over- and under-approximations of procedure summaries. Under-approximations are used to analyze procedure calls without inlining. Over-approximations are used to block infeasible counterexamples and detect convergence to a proof. We show that for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample, if one exists. However, efficiency depends on an oracle for quantifier elimination (QE). For Boolean programs, the algorithm is a polynomial decision procedure, matching the worst-case bounds of the best BDD-based algorithms. For Linear Arithmetic (integers and rationals), we give an efficient instantiation of the algorithm by applying QE lazily . We use existing interpolation techniques to over-approximate QE and introduce Model Based Projection to under-approximate QE. Empirical evaluation on SV-COMP benchmarks shows that our algorithm improves significantly on the state-of-the-art.