SMT-Based Bounded Model Checking for Embedded ANSI-C Software

TL;DR

This paper explores the use of SMT solvers for bounded model checking of embedded ANSI-C software, improving scalability and efficiency over traditional propositional methods.

Contribution

It extends SMT-based encodings to better support complex C language features and integrates multiple SMT solvers with a verification tool for embedded software.

Findings

Enhanced ability to analyze larger problems

Significant reduction in verification time

Effective support for complex data structures

Abstract

Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding word-level information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we investigate the application of different SMT solvers to the verification of embedded software written in ANSI-C. We have extended the encodings from previous SMT-based bounded model checkers to provide more accurate support for finite variables, bit-vector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC front-end and evaluated them using both standard software model checking benchmarks and typical embedded applications from telecommunications, control systems and medical devices. The experiments show that our approach can analyze larger problems and substantially reduce the verification time.