DOI: 10.1007/978-3-642-27705-4_12

LLBMC: bounded model checking of C and C++ programs using a compiler IR

Published: 28 January 2012

Abstract

Bounded model checking (BMC) of C and C++ programs is challenging due to the complex and intricate syntax and semantics of these programming languages. The BMC tool LLBMC presented in this paper therefore uses the LLVM compiler framework to translate C and C++ programs into LLVM's intermediate representation. The resulting code is then converted into a logical representation and simplified using rewrite rules. The simplified formula is finally passed to an SMT solver. In contrast to many other tools, LLBMC uses a flat, bit-precise memory model. It can thus precisely model, e.g., memory-based reinterpret casts as used in C and static/dynamic casts as used in C++. An empirical evaluation shows that LLBMC compares favorably to the related BMC tools CBMC and ESBMC.


Published In

VSTTE'12: Proceedings of the 4th International Conference on Verified Software: Theories, Tools, Experiments
January 2012, 326 pages
ISBN: 9783642277047
Editors: Rajeev Joshi, Peter Müller, Andreas Podelski
Publisher: Springer-Verlag, Berlin, Heidelberg

Cited By

  • (2024) SPATA: Effective OS Bug Detection with Summary-Based, Alias-Aware, and Path-Sensitive Typestate Analysis. ACM Transactions on Computer Systems 42(3-4), 1-40. DOI: 10.1145/3695250. Online publication date: 6 Sep 2024.
  • (2023) Verifying the Verifier: eBPF Range Analysis Verification. Computer Aided Verification, pp. 226-251. DOI: 10.1007/978-3-031-37709-9_12. Online publication date: 17 Jul 2023.
  • (2022) Path-sensitive and alias-aware typestate analysis for detecting OS bugs. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 859-872. DOI: 10.1145/3503222.3507770. Online publication date: 28 Feb 2022.
  • (2022) Refined Modularization for Bounded Model Checking Through Precondition Generation. Formal Methods and Software Engineering, pp. 209-226. DOI: 10.1007/978-3-031-17244-1_13. Online publication date: 24 Oct 2022.
  • (2021) Bounded Verification of Multi-threaded Programs via Lazy Sequentialization. ACM Transactions on Programming Languages and Systems 44(1), 1-50. DOI: 10.1145/3478536. Online publication date: 9 Dec 2021.
  • (2021) Verification and refutation of C programs based on k-induction and invariant inference. International Journal on Software Tools for Technology Transfer (STTT) 23(2), 115-135. DOI: 10.1007/s10009-020-00564-1. Online publication date: 1 Apr 2021.
  • (2020) Applying learning techniques to oracle synthesis. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pp. 1153-1157. DOI: 10.1145/3324884.3415287. Online publication date: 21 Dec 2020.
  • (2020) QPR Verify: A Static Analysis Tool for Embedded Software Based on Bounded Model Checking. Software Verification, pp. 21-32. DOI: 10.1007/978-3-030-63618-0_2. Online publication date: 19 Jul 2020.
  • (2020) Towards Faster Reasoners by Using Transparent Huge Pages. Principles and Practice of Constraint Programming, pp. 304-322. DOI: 10.1007/978-3-030-58475-7_18. Online publication date: 7 Sep 2020.
  • (2020) Leveraging Compiler Intermediate Representation for Multi- and Cross-Language Verification. Verification, Model Checking, and Abstract Interpretation, pp. 90-111. DOI: 10.1007/978-3-030-39322-9_5. Online publication date: 16 Jan 2020.
