Static verification techniques leverage Boolean formula satisfiability solvers such as SAT and SMT solvers that operate on conjunctive normal form and first order logic formulae, respectively, to validate programs. They force bounds on variable ranges and execution time and translate the program and its specifications into a Boolean formula. They are limited to programs of relatively low complexity for the following reasons. (1) A small increase in the bounds can cause a large increase in the size of the translated formula. (2) Boolean satisfiability solvers are restricted to using optimizations that apply at the level of the formula. Finally, (3) the Boolean formulae often need to be regenerated with higher bounds to ensure the correctness of the translation.
INTRODUCTION
The work in [1] takes a declarative formula φ in first order logic (FOL) with transitive closure and a bound on the universe of discourse and translates it to a sequential circuit expressed in VHDL. A sequential circuit is a Boolean netlist with memory elements and a hierarchical structure. It then passes the sequential circuit to SixthSense [2] , an IBM internal sequential circuit verification framework, and decides the validity of φ within the bound. It scales to bounds larger than what is possible with Kodkod [3] which translates φ into a propositional Boolean formula in conjunctive normal form (CNF) and checks its validity using a Boolean satisfiability solver such as MiniSat [4] .
The work in [5] translates an imperative C program, with an assertion statement therein, and a bound on the input size, into a sequential circuit expressed in VHDL. It then passes the sequential circuit to SixthSense [2] and decides the validity of the assertion within the bound.
It scales to bounds larger than what is possible with CBMC [6] . CBMC unwinds loops and recursive functions up to the given bound, and translates the program into a CNF formula that asserts the properties. It then checks for correctness using a Boolean satisfiability solver.
In this work, we present our method that takes an imperative program S with a specification, FOL precondition and postcondition pair (P, Q), and checks whether S satisfies the specification within a bound b on the domain of the program and specification variables (S |= (P, Q)| b );
i.e. when the bounded inputs of S satisfy P , the outputs of S satisfy Q. The program is written in J , a subset of C++/Java that includes integers, arrays, loops, and recursion. Our method translates the problem S |= (P, Q)| b into a sequential circuit with a designated output therein that is true iff the program violates the specification within the bounded domain. Our method uses sequential circuit synthesis reduction and abstraction techniques embedded in the open source ABC [7] framework to reduce the generated sequential circuit. Then it uses ABC verification techniques to decide the satisfiability of the designated output. ABC either (1) proves the validity of the program, (2) generates a counterexample illustrating that the program violates the specifications, or (3) reports an inconclusive result as it exhausts computational resources.
Our method translates the counterexample back to the program domain and provides the user with a visual debugging tool (GTKWave [8] ) to trace the violation.
Our method significantly extends the work of both [1] , [5] in that
• it uses a program counter semantics to translate the program into an intermediary one loop program (Olp), where a program counter is an additional variable that encodes the control flow of the program. It encodes the data flow of the program into ternary conditional statements based on the value of the program counter. The work in [5] performs only a source to source translation to VHDL,
• it directly translates the Olp program into bit level representation using And-Inverter-Graphs (AIG) sequential circuits while [1] , [5] depend on the VHDL compiler and synthesis tools to do the translation to bit level,
• it supports imperative programs annotated with FOL specifications and also supports array boundary and overflow checks,
• it supports function calls including recursion,
• in case the original correctness check was not conclusive, it uses heuristics to guess a termination bound on the program execution time, it enables a termination guarantee check within the execution time bound, and it then uses the execution time bound with bounded model checking to decide correctness,
• it uses ABC [7] , an open source sequential circuit synthesis and verification framework, instead of SixthSense [2] an IBM internal sequential circuit solver. ABC is a transformationbased verification (TBV) [7] framework that operates on sequential circuits and iteratively and synergistically calls numerous reduction and abstraction algorithms such as retiming [9] , redundancy removal [10] - [13] , logic rewriting [14] , interpolation [15] , and localization [16] . These algorithms simplify and decompose complex problems until they become tractable for ABC verification techniques such as symbolic model checking, bounded model checking, induction, interpolation, circuit SAT solving, and target enlargement [2] , [17] - [20] ,
• our method is fully implemented as an open source tool ({P}S{Q}) available online 1 .
We evaluated our method with the verification of standard algorithms, fundamental and complex data structures, real applications and programs from the software verification benchmarks and compared our method to CBMC and other tools ranking top in the software verification competition [21] . {P}S{Q} succeeded to find and report counterexamples for all defected programs. It found and reported defects that we were not aware of while developing the evaluation benchmarks. It scaled to verification bounds higher than those possible with the other tools, and proved specifications that were not possible by the other tools.
Limitations of translation to Boolean formulae: Recent advances in SAT enabled tools like
Kodkod Alloy Analyzer [3] , and CBMC [6] to check real programs. However, these programs often need to be partial, leaving out important functionality aspects, to enable the analysis to complete. Moreover, the analysis is typically bound to relatively small limits.
There are three limiting aspects of translating high-level programs to Boolean formulae.
Disadvantage 1
The translation to Boolean formulae depends on the bounds; a small increase in the bound on variable ranges can cause a large increase in the size of the translated formula due to unwinding loop and recursion structures in programs, or eliminating quantifiers in declarative first order logic.
Disadvantage 2 CNF SAT solvers are restricted to using optimizations, such as symmetry breaking [22] and observability don't cares (ODC) [23] , that apply at the level of CNF formulae. However these optimizations usually aim at increasing the speed of the solver and often result in larger formulae as they add literals and clauses to the CNF formula to encode symmetry and ODC optimizations [24] . Often times when the analyzer successfully generates a large CNF formula, the underlying solver requires intractable resources.
Disadvantage 3
Often times the formula needs to be regenerated with higher bounds in case the unwinding bounds were not large enough for the loops to complete as is the case with CBMC and ESBMC.
To extend the applicability of static analysis to a wider class of programs as well as to check more sophisticated specifications and gain more confidence in the results, we need to scale the analysis to significantly larger bounds.
Advantages of sequential circuits:
We formally define sequential circuits in Section 2.2; for now a sequential circuit can be viewed as a restricted C++ program, specifically a concurrent program in which all variables are either integers, whose range is statically bounded, or Booleanvalued, and dynamic allocation is forbidden [25] . There are two key advantages to compiling programs into sequential circuits rather than Boolean formulae: Other software verification techniques and tools exist that leverage predicate abstraction, interpolation, model checking, SMT, and other FOL and CNF solvers [26] - [32] . We discuss the tools and further compare our method to them in Section 7.
The rest of this paper is structured as follows. Section 2 reviews basic definitions and concepts related to Boolean formulae, and introduces the Jcore and J programs, sequential circuits, and the ABC framework. Section 3 provides an overview of the {P}S{Q}, introduces Olp programs, and illustrates the method with an array search example. Section 4 describes the translation of J programs into sequential circuits. Section 5 discusses the implementation. We discuss the results in Section 6, the related work in Section 7, and conclude with future work in Section 8.
BACKGROUND
In this section we define programs, sequential circuits, and introduce the ABC synthesis and verification framework. A reader well-versed in software verification may wish to skip this section, using it only as a reference.
J programs
The grammar on the left of Figure 1 defines Jcore, the core subset of J . A Jcore program is one or more declaration statements, followed by one or more statements. The directives a-un-op, a-bin-op, b-un-op, b-bin-op, and ba-bin-op denote arithmetic unary and binary operators, Boolean unary and binary operators, and Boolean arithmetic operators, respectively.
The variables matching the var and array-var rules in a program S form the sets of scalar variables V = {v 1 , v 2 , . . . , v m } and array variables A = {a 1 , a 2 , . . . , a n }, respectively. 
Definition 1 (terms):
A target term is either a variable v ∈ V , or an array access term of the form a[e] which denotes the e th element of a where a ∈ A and e is an expression. A term is either a target term, or a constant c ∈ Z.
Definition 2 (expressions):
An expression is a term, an arithmetic expression of the form −e, e 1 + e 2 , e 1 − e 2 , e 1 * e 2 , e 1 /e 2 , e 1 %e 2 where e, e 1 , e 2 are expressions and −, +, * , /, and % denote subtraction, addition, multiplication, division and remainder, respectively.
Definition 3 (Boolean expressions ):
A Boolean expression is either (1) a constant from the set B = {true, false}, (2) a binary Boolean arithmetic expression of the form e 1 < e 2 , e 1 e2, e 1 > e 2 , e 1 e 2 , e 1 == e 2 where e 1 , e 2 are expressions and <, , >, , and == denote smaller, less than or equal, bigger than, bigger than or equal, and equal, respectively, (3) a binary Boolean A specification (P, Q) is a pair of first order formulae where P is the precondition specifying constraints on the inputs of S and Q is a postcondition relating the outputs of S to its inputs.
AIG Sequential Circuit
Definition 6 (Sequential circuit): A sequential circuit is a tuple (U, E), G, O . The pair (U, E) is a directed graph on vertices U and edges E ⊆ U × U where E is a totally ordered relation.
The function G : U → types maps vertices to types. There are three disjoint types: primary inputs, bit-registers (which we often simply refer to as registers), and logical gates. Registers have designated initial value, as well as next-state functions. Gates describe logical functions such as the conjunction or disjunction of other vertices. A subset O of U specifies the primary outputs.
We denote the set of primary input variables by I, and the set of bit-register variables by R.
Definition 7 (Fanins):
We define the direct fanins of a gate u to be {v | (v, u) ∈ E} the set of source vertices connected to u in E. We call the support of
all source vertices in R or I that are connected to u with * E, the transitive closure of E.
For the sequential circuit to be syntactically well-formed, vertices in I should have no fanins, vertices in R should have 2 fanins (the next-state function and the initial-value function of that register), and every cycle in the sequential circuit should contain at least one vertex from R.
The initial-value functions of R shall have no registers in their support. All sequential circuits we consider will be well-formed.
The ABC analyzer reasons about AIG sequential circuits which are sequential circuits with only NAND gates restricted to have 2 fanins. Since NAND is functionally complete, this is not a limitation.
Semantics of sequential circuits:
Definition 8 (State): A state is a Boolean valuation to vertices in R.
Definition 9 (Trace): A trace is a mapping t : U × N → B that assigns a valuation to all vertices in U across time steps denoted as indexes from N. The mapping must be consistent with E and G as follows. Term u j denotes the source vertex of the j-th incoming edge to v, implying that CorrespondenceSignal correspondence (Scorr) computes a set of classes of sequentiallyequivalent nodes using k-step induction [34] .
scl -l
Rewriting AIG rewriting iteratively selects and replaces rooted subgraphs with smaller pre-computed subgraphs in order to reduce AIG size [35] .
rewrite
Refactoring
Refactoring is a variation of rewriting. It uses a heuristic to compute a large cut for selected AIG nodes, then replaces the sub-graph that corresponds to the cut with a refactored structure if an improvement is observed [36] .
refactor Retiming Retiming manipulates register boundaries and count in a given logic network, while maintaining output functionality and logic structure [37] .
retime Induction Temporal induction uses circuit SAT and BDD solvers to carry simple and k-step induction proofs over the time steps of the AIG [38] .
ind Interpolation Interpolation-based algorithms aim find interpolants and overapproximate the reachable states of the AIG with respect to the property [39] .
int Reachability Property directed reachability (Pdr) tries to prove that there is no transition from an initial state of the AIG to a bad state [40] .
The value of gate v at time i in trace t is denoted by t(v, i).
The semantics of a sequential circuit are defined with respect to semantic traces. Given an input valuation sequence and an initial state, the resulting trace is a sequence of Boolean valuations to all vertices in U which is consistent with the Boolean functions of the gates.
We will refer to the transition from one valuation to the next as a step. A node in the circuit is satisfiable if there is an input sequence which when applied to an initial state will result in that node taking value true. A node in the circuit is valid if its negation is not satisfiable. We will refer to targets and invariants in the circuit; these are vertices whose satisfiability and validity is of interest, respectively. A sequential circuit can naturally be associated with a finite state machine (FSM), which is a graph on the states. However, the circuit is different from its FSM; among other differences, it is exponentially more succinct in almost all cases of interest [33] .
ABC synthesis and verification framework
ABC is an open source synthesis and verification framework for sequential circuits. ABC operates on sequential circuits in AIG format and checks the satisfiability of a designated output gate Table 1 briefly summarizes some of the techniques supported by ABC. {P}S{Q} uses the ABC synthesis techniques to reduce the size and the complexity of the generated AIG circuit until it is amenable for verification. Once the AIG circuit is small enough, {P}S{Q} uses ABC verification algorithms to check the designated output. The verification technique may find a violation and return a counterexample, return a proof that the program is correct within the bound, or return an inconclusive result after exhausting computational limits.
OVERVIEW
When an ABC verification returns a counterexample, {P}S{Q} translates the counterexample from the AIG circuit level to traces of variable values in the original program and provides the user with a visual debugging view using GTKWave [8] .
We describe the termination guarantee bound technique, the Olp programs, relate them to AIG circuits, and then illustrate the translation to Olp using an array search example.
Termination guarantee bound
In case the ABC prove techniques do not reach a conclusive result, {P}S{Q} uses heuristics to compute a termination upper bound θ in terms of execution time, and calls ABC twice.
The first call is to verify that the program is guaranteed to terminate within the termination bound (ψ ≡ time >= θ → pc = last(S)). The second call uses θ as a bound with the ABC bounded model checking technique to prove that the program does not violate the specification within the termination bound. Intuitively, checking S |= (P, Ψ)| b is often easier than checking S |= (P, Q)| b , and once θ is confirmed as an upper bound for termination, bounded model checking is decidable. Intuitively, the structure of an Olp is similar to that of a sequential circuit where the variables 1 i n t ArraySearch( i n t [] a, i n t d, i n t s , i n t e, i n t n) { correspond to registers, the init-list and next-list correspond to the initial and next state value functions, respectively.
One loop programs

Array search example
The Array search program in Figure 4 takes as input an array a, a start index s, an end index e, a data value d, and the number of elements in the array n. The precondition states that s and e are within array bounds and that n is within the bound of array sizes. The postcondition makes use of a variable rv denoting the return value. It states that if rv is valid between s and e inclusive, then a[rv] must be equal to d, otherwise, rv must be invalid (-1) and all entries in a between s and e inclusive are not equal to d. 
TRANSFORMATION
In this section we present source to source transformation algorithms to translate a program S written in Jcore into a Olp program. We then present algorithms that preprocess a J program with functions and specifications and translates it into Jcore. Finally, we present algorithms for translating the generated Olp program into an AIG circuit. The algorithms follow the execution semantics of J and the correctness of the translation holds by construction. We first present helper functions and terms that are used in the algorithms. 2) is a while-block of a loop l, next returns the label of the loop statement label(l).
Helper functions
3) is a then-block or an else-block of a conditional s 1 , next returns the label of the statement next to s 1 (next(s 1 )). 
Preprocessing J programs
{P}S{Q} resolves function declarations, return statements, functions calls, pre and post conditions, and quantifiers by translating S into S' that is restricted to Jcore.
Non recursive functions:
Algorithm resolveNonRecursiveFunction in Figure 7 considers the declaration and function calls of a function f name. It declares two additional variables in the function. Variable return-pc is added to arg-decl-list and it holds the label that pc should return to after the function is done. Variable retvar is added to func-decl-list and it holds the value of the return expression when the function is done. The func-return-statement is then replaced by func-return-list that sets retvar and pc to expr(func-return-statement) and return-pc, respectively. For each statement s containing an f name function call, resolveNonRecursiveFunction constructs a list of assignment statements that marshal the arguments and set the return-pc to Figure 7 and declares additional variables to hold the return, and return program counter values.
resolveNonRecursiveFunction(f name,S) l e t S be of the form d e c l − l i s t s t a t e m e n t − l i s t l e t type fname(arg−decl−list)
t − s t a t e m e n t ); pc = label(f irst(func−body)); t o f u n c − c a l l − l i s t // declare a unique function call return variable l e t i be a unique number append type f call-retvar-i; t o d e c l − l i s t // create a statement that reads the return value from the function l e t f c a l l − r e t − s t a t e m e n t be f call-retvar-i = retvar; // place the return point from the function append f c a l l − r e t − s t a t e m e n t t o f u n c − c a l l − l i s t // fix the statement to use the returned value s = s u b s t i t u t e fname( a r g − c a l l − l i s t ) by f call-retvar-i in
Algorithm resolveRecursiveFunctionCalls of Figure 9 works similarly to resolving function calls in Figure 7 with additional attention to the stack pointer sp-i. Variable sp-i is used to appropriately marshal the arguments and the return program counter to the current frame of the recursive function.
Specifications and quantifiers:
Algorithm resolveQuantifier of Figure 10 takes a quantifier expression q and the statement s that contains it. It declares a Boolean variable q-i in the scope of the quantifier to hold the value of the quantifier. It initializes q-i to true when q is a universal Algorithm resolveArrayAccess calls traverse again on the generated expression to produce the corresponding AIG.
resolveRecursiveFunctionCalls(fname, S) l e t S be of the form d e c l − l i s t s t a t e m e n t − l i s t l e t type fname(arg−decl−list)
If the expression is a logical, conditional, or arithmetic expression, then the library routine looks it up in a complete table of AIG circuits with the adequate bit width. For example, if the expression is a ternary conditional statement of the form b ? e 1 : e 2 , then library instantiates a multiplexer, connects its two data fanins to the nodes corresponding to e 1 and e 2 , connects its control fanins to the nodes corresponding to b, and returns its fanouts. Alternatively, users have the choice to abstract multiplication, division, and remainder by non-constant factors with non-deterministic variables (uninterpreted functions). 
Connections and array access target terms:
IMPLEMENTATION
We fully implemented {P}S{Q} using C++ and ANTLR [41] and integrated our implementation with the ABC synthesis and verification framework [7] and the GTKWave visualization tool [8] .
The frontend supports the J syntax under C, C++, and Java. Figure 13 shows a trace that highlights the defect of the array search program of Figure 4 where d is not in a and rv is not −1. {P}S{Q} provides a fully automated verification path of execution where it executes a well selected sequence of synthesis reduction and verification techniques that work well for software verification tasks. {P}S{Q} also supports an interactive shell with parser, synthesis, verification, and debugging commands where the user can save and use intermediary results, try different synthesis and verification strategies, and inspect counterexamples. Table 2 
RESULTS
We evaluated {P}S{Q} by verifying software artifacts including library algorithms and data structures with complete sophisticated specifications from the Calculus of Computation book [42] , an array based implementation of the red black balanced binary search tree (RBBST)with specifications formalized from [43] , and a memory allocation model (MMAN) with complete specifications provided from the Frama-C ANSI C Specification Language (ACSL) [44] . Table 3 reports 
print-time
Prints the runtime time of the last command and the total run time. prove-scheme1 Performs a predefined scheme of sequential synthesis and proof strategies. prove-scheme2 Performs a predefined scheme of sequential synthesis and proof strategies. 
sim-variable
Runs the simulator helper tool to generate and display values for specific variables.
start-prove
Configures the prove engine with parameters such as variable bit width, array size bounds, and recursion depth bounds, as well as overflow check, out of bound access check, and quantifier unrolling.
the results with several bounds and compares against CBMC [6] . The results show that {P}S{Q} scales to bounds larger than CBMC by at least one order of magnitude.
We also evaluated {P}S{Q} with benchmark verification tasks from the 2014 software verification competition [21] each with memory safety, termination, and error label reachability checks. Some of the tasks are true where a proof is expected, and some are false where a counterexample is expected. We ran our experiments on a machine with similar settings to the server machine reported in [21] (3.4 GHz 64-bit Quad Core CPU, a 64 bit GNU/Linux operating system, and 32 GB of RAM). We compare our results to the leading tools in the competition. Table 4 reports the results where some of the leading tools in the competition (CBMC [6] , ESBMC [45] , BLAST [46] , and CPAChecker [47] ) successfully completed the verification task and compares against them in terms of running time. The results show that {P}S{Q} succeeded to verify all the tasks and ranked either first or second in terms of running time in comparison with the leading tools. Table 5 reports the results of verifying benchmarks from [21] where the leading tools reported a timeout and failed to complete the verification task. According to the wrapper scripts provided from [21] , CBMC and ESBMC report a true result by default when they reach their timeout while the SAT or SMT solver are running, they report an unknown result when the timeout passes before they generate the first CNF or SMT instance to pass to the underlying solver. This is probably reasonable as CBMC and ESBMC consider the inability of the solvers to find counterexamples within the timeout period as an indication of the rarity or absence of such results. Thus we consider a true result with a timeout time from CBMC and ESBMC as a timeout result for comparison purposes. The results show that {P}S{Q} succeeded to complete verification tasks that were not completed by the leading tools.
In the experiments, we used an automated script that ran reduction algorithms first with a timeout of 10 minutes with Table 4 and three minutes for Tables 4 and 5 , followed by three instances of verification using the pdr, dprove, and ind ABC commands with proper timeout, number of frames, and BDD size configurations.
Algorithms and data structures
Table3 shows that {P}S{Q} was able to verify programs with sophisticated specifications faster than CBMC and for array sizes that CBMC could not verify. The table shows the number of memory elements (registers), gates, and logic levels before and after the ABC reductions. It also shows the total time taken and the time taken to verify the programs. The CBMC columns show the size of the generated CNF formulae in terms of the number of CNF variables and clauses.
We developed the programs and the specifications and called {P}S{Q} and CBMC to verify their correctness incrementally. Both {P}S{Q} and CBMC returned counterexamples that we used to correct the programs and the specifications. benchmarks in the 2014 software verification competition [21] , {P}S{Q} performed better than CBMC as follows.
• Most of the times where both {P}S{Q} and CBMC succeeded to verify the programs, {P}S{Q} took less time to complete the verification task.
• {P}S{Q} succeeded to verify the programs for bounds larger than what CBMC could verify within the three hours seconds timeout.
• CBMC failed to generate the CNF formula for some programs with relatively larger array sizes while {P}S{Q} succeeded to verify some of them and generated AIG circuits but timed out while verifying the rest. This is significant since model checking typically returns counterexamples fast when they exist, and takes long time to report a proof for unsatisfiable (correct) claims. That is, {P}S{Q} succeeded to perform model checking for a significant time length, even when it timed out, as compared to CBMC that failed to generate the CNF formula, thus did not really test the program for correctness.
For the array search program, the precondition checks that the indexes are in range and the postcondition checks whether the return value is consistent. For the binary search program both the precondition and the postcondition specify the sortedness property for the array. For the bubble and selection sort programs, the precondition checks the sanity of the size of the array, and the postcondition specifies that the resulting array holds the same elements of the original array in order. For the array partition program, the precondition specifies the sanity of the indexes and the size of the array, and the postcondition specifies that the resulting array holds the same elements of the original array partitioned in order left and right of the cursor.
The linked list insert and remove precondition specifies a non circular, in order, list of elements, and the postconditions reassert the same specification with an additional cardinality condition.
The RBBBST insert and remove precondition specifies the full characteristics of an RBBBST and that the index arrays involved all hold valid indexes. The postconditions reassert the same specification with an additional cardinality condition. The RBBBST insert also checks the sanity of the newly allocated node in the tree. The memory manager unit has several multidimensional arrays to bookkeep the use of memory chucks and the precondition and the postcondition assert the sanity of the arrays, and the consistency of the module. We made use of the assume statement __CPROVER_assume and loops to implement the preconditions and the quantifiers in CBMC.
The reduction algorithms used by {P}S{Q} were able to reduce the original problems on average to 64.5% of their memory elements, and to 51.2%, and 44.7% of their logic gate and level counts in often insignificant time. Without these reductions {P}S{Q} timed out on several benchmarks. These reductions have no counterparts in CBMC. Tables 4 and 5 show the results of {P}S{Q} compared against the results reported in [21] for the leading participating software verification tools. We selected the benchmarks that required {P}S{Q} succeeded to complete the verification tasks in Table 4 and ranked first or second in terms of running time. {P}S{Q} succeeded to complete the verification tasks in Table 5 where the leading tools either timed out, reported runtime errors, or reported a wrong result (produced a counterexample when the benchmark is correct, or produced a claim of correctness when the benchmark had a known defect).
SV-COMP 2014 benchmarks
For the last five verification tasks in Table 5 {P}S{Q} timed out without producing a conclusive result while some of the leading tools returned the correct result, reported a timeout, or reported an inconclusive result.
Interactive sessions:
We inspected the results of the benchmarks where the automated {P}S{Q} script did not return a conclusive result. We were able to verify several of them interactively via trying ABC synthesis reduction and verification commands and techniques with different configurations and settings. This is not possible with the tools we compared to.
RELATED WORK
ESBMC [45] uses SMT solvers to verify multi-threaded C programs by forcing bounds on the number of context switches, loop iterations, and recursive calls. It also uses an aligned memory model that resolves pointers. We differ in that we use AIG solvers, where we do not need to have bounds for loop iterations, and we plan in the future to extend our approach to concurrent programs by encoding each execution thread as a separate program counter and limiting the number of program counters.
VCC [28] is an industrial strength verification framework for for concurrent low level C programs. It has a ghost type state system that tracks the validity of memory objects; i.e., references to memory objects do not overlap type states. It generates verification conditions that can be checked by Boogie; i.e. a high order logic analyzer. Boogie in turn uses the Z3 SMT solver [48] for automatic verification and Isabelle [49] for interactive verification. LLBMC [51] is a bit precise bounded model checker for low level C programs that works on an intermediate assembly representation of the program using an SMT solver. Ultimate
Automizer [52] computes appropriate abstractions of programs based on statements as alphabet atoms in an automata framework. The work in [53] is implemented within the CPACheker [47] platform to verify event condition action (ECA) systems using BDDs. Our method allows the use of symbolic model checking through ABC that makes use of BDD without the need to restrict ourselves to ECA systems. The CPAChecker [47] framework passes a program S and an invariant Ψ to model checkers for verification. In case a model checker returns an inconclusive result, CPAChecker uses partial results to formulate a state predicate formula Φ where the invariant holds. This incrementally reduces the work of the next model checker to check ¬Φ.
In the future, we plan to extend the same idea to the ABC model checker. BLAST [46] is the predecessor of CPAChecker and it uses abstraction and refinement techniques to model check temporal properties of C programs. Similar to CPAChecker is UFO [54] that provides a framework for exploring abstraction and interpolation techniques for software verification and uses SMT solvers as a backend.
CBMC [55] is a bounded model checker for ANSI-C programs that checks for properties such as pointer safety, array bounds and user assert statements. Given an ANSI-C program and a bound on the range of variables, CBMC produces a Boolean formula in CNF and checks the formula with SAT solvers. CBMC relies mostly on the power and speed of SAT solvers. SAT solvers often face an exponential blow up in the number of possible assignments to the atomic propositions. This problem, known as the state explosion, and the large number of variables and clauses used in the CNF encoding, limit the CBMC analysis to relatively small bounds.
The work in [26] uses an encoding similar to that of CBMC, but instead of producing a CNF formula it produces an SMT formula. The SMT formula allows for variables with no range bounds. The loops are still unrolled up to a finite bound and loop completion assertions fire in case the bound imposed on the number of loop iterations was small and the loop guard was still satisfiable. The higher level solver may now decide to reproduce a new SMT formula with bigger loop unrolling bounds and call the SMT solver on the new formula. We differ in that our encoding to AIG circuits requires no bounds on loop iterations. This allows for more succinct representation of programs than with SMT.
Java PathFinder [29] (JPF), is a popular explicit-state model checker for Java programs. It implements a customized Java virtual machine (JVM) that supports state backtracking and allows programs to check properties of a wide range of Java programs without the need to respecify the programs in specialized languages. JPF does not apply any program transformations. JPF also does not scale well in the presence of loops and branches with long running time. JPF operates at the word level, however, it does not make use of program specific properties and exhaustively searches the tree of possible executions. We differ in that we operate at the bit level and we apply reduction techniques that allow backtracking algorithms to run faster as they operate on a smaller state space.
The work of Xie et al [32] translates software artifacts into equivalent semantics that are modelcheckable. It applies compositional rules to the translated system to build its formal semantics in the context of message passing systems. We differ in that we use a specific program counter based semantics with a finitization rule to translate the software artifacts to an AIG, a model checkable formalization, where reductions, including compositional ones, can be used.
CONCLUSION
We presented {P}S{Q} that takes a program and a pair of specifications, translates it into an AIG circuit, reduces the circuit using the ABC synthesis reduction techniques, and then check the circuit for correctness using the ABC verification techniques. {P}S{Q} scales to bounds larger than that possible with existing tools, and solves verification tasks from the software verification competition benchmarks that leading tools at the competition did not solve within the specified timeout. In the future, we plan to extend {P}S{Q} to verify concurrent programs using several program counters to represent multi-threaded executions. We also plan to integrate {P}S{Q} with existing frameworks that benefit from word level optimizations and techniques such as CPAChecker to leverage both word level and bit level techniques as well as cover an extended syntax set through existing front ends.
