SMT-based bounded model checking for embedded ANSI-C software by Cordeiro, Lucas et al.
2
that make use of bit-level, pointers, unions and ﬁxed-
point arithmetic. We also use three different SMT solvers
(Boolector [17], CVC3 [16], and Z3 [18]) in order to check
the effectiveness of our encoding techniques. We consid-
ered these solvers because they were the most efﬁcient
ones for the categories of QF AUFBV and QF AUFLIRA
in the last SMT competitions [10]. To the best of our
knowledge, this is the ﬁrst work that reasons accurately
about ANSI-C constructs commonly found in embedded
software and extensively applies SMT solvers to check
the VCs emerging from the BMC of industrial embedded
software applications. We implemented our ideas in the
ESBMC1 (Efﬁcient SMT-Based Bounded Model Checker)
tool that builds on the front-end of the C Bounded Model
Checker (CBMC) [11], [30]. ESBMC supports different
theories and SMT solvers in order to exploit high-level
information to simplify and to reduce the formula size.
Experimental results show that our approach scales sig-
niﬁcantly better than both the SAT-based and SMT-based
CBMC model checker [11], [30], [6] and SMT-CBMC [3],
a bounded model checker for C programs that is based
on the SMT solvers CVC3 and Yices.
This paper extends our previous work [7], [8]. The
version of ESBMC described and evaluated here has
been optimized and extended. It now includes checks
for memory leaks and a generic SMT-LIB backend, in
addition to the native backends for Boolector, CVC3,
and Z3. We have also signiﬁcantly expanded the exper-
imental basis and evaluate ESBMC with (resp. compare
it against) the most recent stable versions of the SMT
solvers and BMC tools. The remainder of the paper is
organized as follows. We ﬁrst give a brief introduction to
the CBMC model checker and describe the background
theories of the SMT solvers that we will refer throughout
the paper. In Section 3 we present an accurate translation
from ANSI-C programs into quantiﬁer-free formulae
using the SMT-LIB logics and explain our approach to
exploit the different background theories and solvers.
In Section 4 we present the results of our experiments
using several software model checking benchmarks and
embedded systems applications. In Section 5 we discuss
the related work and we conclude and describe future
work in Section 6.
2 BACKGROUND
ESBMC builds on the front-end of CBMC to generate
the VCs for a given ANSI-C program. However, instead
of passing the VCs to a propositional SAT solver, ES-
BMC converts them using different background theories
and passes them to an SMT solver. In this section, we
describe the main features of CBMC that we use, and
present the background theories used.
2.1 C Bounded Model Checker
CBMC implements BMC for ANSI-C/C++ programs
using SAT solvers [11]. It can process C/C++ code
1. Available at http://www.esbmc.org
using the goto-cc tool [12], which compiles the C/C++
code into equivalent GOTO-programs (i.e., control-
ﬂow graphs) using a gcc-compliant style. The GOTO-
programs can then be processed by the symbolic exe-
cution engine. Alternatively, CBMC uses its own, inter-
nal parser based on Flex/Bison, to process the C/C++
ﬁles and to build an abstract syntax tree (AST). The
typechecker of CBMC’s front-end annotates this AST
with types and generates a symbol table. CBMC’s IRep
class then converts the annotated AST into an internal,
language-independent format used by the remaining
phase of the front-end.
CBMC uses two recursive functions that compute the
constraints (i.e., assumptions and variable assignments)
and properties (i.e., safety conditions and user-deﬁned
assertions). In addition, CBMC automatically generates
safety conditions that check for arithmetic overﬂow and
underﬂow, array bounds violations, and NULL-pointer
dereferences, in the spirit of Site’s clean termination [13].
Both functions accumulate the control ﬂow predicates to
each program point and use these predicates to guard
both the constraints and the properties, so that they
properly reﬂect the program’s semantics. CBMC’s VC
generator (VCG) then derives the VCs from these.
Although CBMC implements several state-of-the-art
techniques for propositional BMC, it still has the follow-
ing well-known limitations [3], [4]: (i) large data-paths
involving complex expressions lead to large proposi-
tional formulae due to the number of variables and the
width of data types, (ii) the loss of high-level information
during the translation prevents potential optimizations
to prune the state space to be explored, and (iii) the size
of the encoding increases with the size of the arrays used
in the program.
2.2 Satisﬁability Modulo Theories
SMT decides the satisﬁability of ﬁrst-order formulae us-
ing a combination of different background theories and
thus generalizes propositional satisﬁability by support-
ing uninterpreted functions, linear and non-linear arith-
metic, bit-vectors, tuples, arrays, and other decidable
ﬁrst-order theories. Given a theory T and a quantiﬁer-
free formula ψ, we say that ψ is T -satisﬁable if and only
if there exists a structure that satisﬁes both the formula
and the sentences of T , or equivalently, if T ∪ {ψ} is
satisﬁable [14]. Given a set Γ ∪ {ψ} of formulae over T ,
we say that ψ is a T -consequence of Γ, and write Γ |=T ψ,
if and only if every model of T ∪Γ is also a model of ψ.
Checking Γ |=T ψ can be reduced in the usual way to
checking the T -satisﬁability of Γ ∪ {¬ψ}.
The SMT-LIB initiative [9] aims at establishing a
common standard for the speciﬁcation of background
theories, but most SMT solvers provide functions in
addition to those speciﬁed in the SMT-LIB. Therefore, we
describe here the fragments that we found in the SMT
solvers Boolector, CVC3, and Z3 for the theory of linear,
non-linear, and bit-vector arithmetic. We summarize the4
Given a transition system M, a property φ, and a
bound k, BMC unrolls the system k times and translates
it into a VC ψ such that ψ is satisﬁable if and only if
φ has a counter-example of length k or less. The VC
ψ is a quantiﬁer-free formula in a decidable subset of
ﬁrst-order logic, which is then checked for satisﬁability
by an SMT solver. In this work, we are interested in
checking safety properties of single-threaded programs.
The associated model checking problem is formulated
by constructing the following logical formula:
ψk = I(s0) ∧
k  
i=0
i−1  
j=0
γ(sj,sj+1) ∧ ¬φ(si) (1)
Here, φ is a safety property, I the set of initial states of
M and γ(sj,sj+1) the transition relation of M between
time steps j and j + 1. Hence, I(s0) ∧
 i−1
j=0 γ(sj,sj+1)
represents the executions of M of length i and (1) can
be satisﬁed if and only if for some i ≤ k there exists a
reachable state at time step i in which φ is violated. If (1)
is satisﬁable, then the SMT solver provides a satisfying
assignment, from which we can extract the values of
the program variables to construct a counter-example. A
counter-example for a property φ is a sequence of states
s0,s1,...,sk with s0 ∈ S0, sk ∈ S, and γ (si,si+1) for
0 ≤ i < k. If (1) is unsatisﬁable, we can conclude that no
error state is reachable in k steps or less.
It is important to note that this approach can be used
only to ﬁnd violations of the property up to the bound
k. In order to prove properties we need to compute the
completeness threshold (CT), which can be smaller than
or equal to the maximum number of loop-iterations
occurring in the program [1], [4], [23], [24]. However,
computing CT to stop the BMC procedure and to con-
clude that no counter-example can be found is as hard
as model checking. Moreover, complex programs involve
large data-paths and complex expressions. Consequently,
even if we knew CT, the resulting formulae would
quickly become too hard to solve and require too much
memory to build. In practice we can thus only ensure
that the property holds in M up to a given bound k. In
our work, we focus on embedded software because it
has characteristics that make it attractive for BMC, e.g.,
dynamic memory allocations and recursion are highly
discouraged, and that make the limitations of bounded
model checking less stringent.
3.2 Tool Architecture
Figure 1 shows the main software components of ES-
BMC. The white boxes (except for the SMT solver) rep-
resent the components that we reused from the CBMC
model checker without any modiﬁcation while the gray
boxes with dashed lines represent the components that
we modiﬁed in order to (i) generate VCs to check for
memory leaks (implemented in GOTO program, see Sub-
section 3.5.7), (ii) to simplify the unrolled formula (im-
plemented in GOTO symex, see Subsections 3.3 and 3.4)
and (iii) to perform an up-front analysis in the CFG of
the program to determine the best encoding and solver
for a particular program (implemented in GOTO symex,
see Subsection 3.5.8). The GOTO program component
converts the ANSI-C program into a GOTO-program,
which simpliﬁes the representation (e.g., replacement
of switch and while by if and goto statements), and
handles the unrolling of the loops and the elimination
of recursive functions. The GOTO symex component
performs a symbolic simulation of the program. The gray
boxes with solid lines represent new components that
we implemented to encode the given constraints and
properties of an ANSI-C program into a global logical
context, using the background theories supported by
the SMT solvers. We also implemented new components
to interpret the counter-example generated by the sup-
ported SMT solvers. These software components must
be implemented in the back-end to support each new
SMT solver.
In the back-end of ESBMC, we build two sets of
quantiﬁer-free formulae C (for the constraints) and P
(for the properties) so that C encodes the ﬁrst part of ψk
(more precisely, I (s0) ∧
 k
i=0
 i−1
j=0 γ (sj,sj+1)) and ¬P
encodes the second part (more precisely,
 k
i=0 ¬φ(si)).
After that, we check C |=T P using an SMT solver. If the
answer is satisﬁable, we have found a violation of the
property φ, which is encoded in ψk. If not, the property
holds up to the bound k.
3.3 Illustrative Example
We use the code shown in Figure 2 as a running example
to illustrate the process of transforming a given ANSI-C
program into SSA form and then into the quantiﬁer-free
formulae C and P shown in (2) and (3) respectively. This
code implements a simpliﬁed version of the character
stufﬁng technique, which avoids resynchronization after
a transmission error by enclosing each frame with the
ASCII character sequences DLE STX and DLE ETX [25].
Note that this syntactically valid ANSI-C program con-
tains two subtle errors. In line 28 it writes to an address
outside the allocated memory region of the array out.
Additionally, the assert macro in line 29 fails when the
ASCII character NUL is transmitted, i.e., when the con-
dition of the while loop (line 11) does not hold. To detect
this error, we use a non-deterministic input, i.e., we set
the third position of array in (line 6) using nd uchar(),
which can return any value in the range from zero to
255.
In reasoning about this C program, ESBMC checks 25
properties related to array bounds and overﬂow, and
the user-speciﬁed assertion in line 29. ESBMC originally
generates 63 VCs, but with the simpliﬁcations described
in Section 3.4, only 9 remain. The ﬁrst eight VCs check
the bounds of the array out in lines 15, 18 and 28 and
the last VC checks the user-speciﬁed assertion in line 29;
note that the VCs to check the bounds of the array out
are not simpliﬁed away due to the non-determinism in
the array in, which does not allow checking statically5
GOTO
symex
Select 
SMT solver
convert contraints
convert properties
Logical 
Context
Interpret
counter-example
SMT
solver
Property 
holds up to 
bound k
Property 
violation
Parse
tree
IRep
trees
GOTO
program
type
check
control-flow
graph C/C++
source
Scan
SSA 
form
symbolic
execution
OK
Fig. 1: Overview of the ESBMC architecture.
1 #define DLE 16
2 #define STX 2
3 #define ETX 3
4 uchar nd uchar ( ) ;
5 int main ( void ) {
6 uchar in [6] = {DLE, STX, nd uchar () ,
7 DLE, ETX, ’\0 ’ };
8 uchar out [6];
9 int i = 0;
10 int j = 0;
11 while ( in [ i ] != ’\0 ’ ) {
12 switch ( in [ i ]) {
13 case (DLE) :
14 if ( in [ i +1]==STX | | in [ i +1]==ETX) {
15 out [ j ] = in [ i ] ;
16 } else {
17 out [ j ] = in [ i ] ;
18 out[++ j ] = DLE;
19 };
20 break ;
21 default :
22 out [ j ] = in [ i ] ;
23 break ;
24 }
25 i ++;
26 j ++;
27 }
28 out [ j ] = ’\0 ’ ;
29 assert ( out[4]==ETX | | out[5]==ETX) ;
30 return 0;
31 }
Fig. 2: ANSI-C program with two violated properties.
whether the if statement in line 14 is true or false. In this
particular example, CBMC v3.8 generates 136 VCs out of
which 48 remain after simpliﬁcation. The limited static
analysis capability of CBMC thus leads to a substantially
higher overhead in the solver.
However, before actually checking the properties, ES-
BMC unrolls the program using the simpliﬁcation de-
scribed in Section 3.4 and converts it into SSA form, as
shown in Figure 3; note that the variable declarations
as well as the return-statement are not shown. The
SSA form only consists of conditional and unconditional
assignments, where the left-hand side variable of each
original assignment (e.g., i = 0), is replaced by a new
variable (e.g., i1), as well as assertions. removed. The
SSA notation uses WITH as symbolic representation of
the array store operator described in Section 2.2, i.e., a
WITH [i := v] is equivalent to store(a, i, v).
C :=

 
     
    
  

in1 = store(store(store(store(store(store(in0,
0,16),1,2),2,nd uchar1),3,16),4,3),5,0)
∧ i1 = 0 ∧ j1 = 0 ∧ out1 = store(out0,0,16)
∧ i2 = 1 ∧ j2 = 1 ∧ out2 = store(out1,1,2)
∧ g1 = nd uchar1  = 0
∧ g2 = ¬(nd uchar1 = 16)
∧ out3 = store(out2,2,nd uchar1)
∧ j4 = 3
∧ ...
∧ j10 = ite(¬g1,j3,j9)
∧ out11 = store(out10,j10,0)

 
     
    
  

(2)
P :=


j5 ≥ 0 ∧ j5 < 6 ∧ j7 ≥ 0 ∧ j7 < 6
∧ j8 ≥ 0 ∧ j8 < 6 ∧ j10 ≥ 0 ∧ j10 < 6
∧ (select(out11,4) = 3 ∨ select(out11,5) = 3)


(3)
After this transformation, we build the constraints and
properties as shown in formulae (2) and (3) using the
background theories of the SMT solvers. Furthermore,
we add Boolean variables (or deﬁnition literals) for each
clause of the formula P in such a way that the deﬁnition
literal is true iff a given clause of P is true. These
deﬁnition literals are used to identify the VCs. In the
example we add constraints as follows:
l0 ⇔ j5 ≥ 0
l1 ⇔ j5 < 6
   
l9 ⇔ ((select(out,4) = 3) ∨ (select(out,5) = 3))
and rewrite (3) as:
¬P := ¬l0 ∨ ¬l1 ∨ ... ∨ ¬l9 (4)6
1 in1 == {16 , 2 , nd uchar1 , 16 , 3 , 0}
2 i1 == 0
3 j1 == 0
4 out1 == ( out0 WITH [0:=16])
5 i2 == 1
6 j2 == 1
7 out2 == ( out1 WITH [1:=2])
8 i3 == 2
9 j3 == 2
10 g1 == ( nd uchar1 != 0)
11 g2 == !( nd uchar1 == 16)
12 out3 == ( out2 WITH [2:= nd uchar1 ])
13 j4 == 3
14 out4 == ( out3 WITH [3:=16])
15 out5 == out2
16 j5 == j3
17 out6 == ( out5 WITH [ j5 :=nd uchar1 ])
18 out7 == (! g2 ? out4 : out6 )
19 j6 == (! g2 ? j4 : j5 )
20 i4 == 3
21 j7 == 1 + j6
22 out8 == ( out7 WITH [ j7 :=16])
23 i5 == 4
24 j8 == 1 + j7
25 out9 == ( out8 WITH [ j8 :=3])
26 i6 == 5
27 j9 == 1 + j8
28 out10 == (! g1 ? out2 : out9 )
29 i7 == (! g1 ? i3 : i6 )
30 j10 == (! g1 ? j3 : j9 )
31 out11 == ( out10 WITH [ j10 :=0])
Fig. 3: The program of Figure 2 in SSA form.
Note that the language-speciﬁc safety properties (e.g.,
out-of-bounds array indexing) and the user-speciﬁed
properties that hold trivially in the code are already
simpliﬁed away (e.g., by keeping track of the size of the
array during the symbolic execution of the code). For
instance, there is no need to generate VCs that check
for array bounds violations on in, since i only takes the
values from 0 to 4 when it is used in indexing the array,
and the validity of the bounds checks can be evaluated
statically.
We also simplify C and P by using local and recursive
transformations in order to remove functionally redun-
dant expressions and redundant literals as follows:
a ∧ true = a a ∧ false = false
a ∨ false = a a ∨ true = true
a ⊕ false = a a ⊕ true = ¬a
ite(true,a,b) = a ite(false,a,b) = b
ite(f,a,a) = a ite(f,f ∧ a,b) = ite(f,a,b)
Finally, the formula C∧¬P is passed to an SMT solver
to check satisﬁability. Our approach is slightly different
from that of Armando et al. [3], who transform the ANSI-
C code into conditional normal form as an intermediary
step to encode C and P while we encode them directly
from the SSA form.
3.4 Code Simpliﬁcation and Reduction
We observed during development that constant propa-
gation and forward substitution techniques [20] signiﬁ-
cantly improve the performance of ESBMC over a wide
range of embedded software applications. We exploit
the constant propagation technique to replace pointers
to objects that are constants by the respective constant
and to replace store operations that update the content
of arrays, structs, and unions with constant values by
these values.
1 . . .
2 void puts ( const char ∗s ) {
3 while( ∗s ) {
4 putc (∗ s ++);
5 }
6 }
7 . . .
8 puts (” blit : success” ) ;
Fig. 4: Code fragment of blit.
Figure 4 shows an example extracted from the Pow-
erstone benchmark [37] to illustrate how constant prop-
agation works for pointers in ESBMC. The function puts
deﬁned in line 2 is in line 8 called with a pointer to an
array of constants, but CBMC’s VCG still generates VCs
to check for the bounds of the pointer s, as explained
in Section 3.5.6. During the unrolling phase, we check
whether the last value assigned to a pointer is a constant,
and if so, we replace it by the constant and pass the
modiﬁed expression to a simpliﬁer, which is able to
perform simple deductions before generating a VC to
be encoded by the back-end.
We also propagate the store-operations for arrays,
structs, and unions up to a certain level. Figure 5 shows
an example extracted from the EUREKA benchmark [35]
to illustrate how constant propagation works for arrays.
In line 2, we initialize the ﬁrst position of array a with a
constant. In each iteration of the for loop, we add the
value of the loop counter i to the last value written
in array a and write the result to the next position
of a (see line 4). After the loop, we check whether
the assertion in line 6 holds. However, after unrolling
the loop we obtain a VC involving a large expression
store(...(store(store(store(a0,0,1),1,2),2,4),3,7),...) of
nested store operations for a. Since all arguments except
a0 are constants, we can in principle check statically
whether the assertion in line 6 holds. In practice, how-
ever, the model checker becomes slower than the SMT
solvers in propagating these constants if the expressions
become too large. In our benchmarks, we observed a
substantial improvement in performance if we propagate
the known constants up to six nested store operations
(note that the value six was the optimum value that we
obtained empirically with ESBMC using a large set of
benchmarks). We thus reduce substantially the number
of VCs, but we leave the harder cases for the SMT
solvers.7
1 . . .
2 a [0]=1;
3 for ( i =1; i< N; i ++){
4 a[ i ]= a[ i −1] + i ;
5 }
6 assert (a[ i −1]<2∗1000);
7 . . .
Fig. 5: Code fragment of SumArray.
We also observed that several applications repeat the
same expression at many different places, especially after
loop unrolling, in a way that the value of the operands
does not change in between the occurrences. This can be
detected easily in the SSA form and used for caching
and forward substitution. Figure 6 shows a fragment
of the Fast Fourier Transform (FFT) algorithm, extracted
again from the SNU-RT benchmark [27], as an example
of where the forward substitution technique can be
applied. This occurs because the SSA representations of
the two outermost for loops (in lines 6-15 and lines 8-14,
respectively) will eventually contain several copies of the
innermost for loop (lines 10-13), and thus the right-hand
side of the assignment in line 11 is repeated several times
in the SSA form, depending on the unwinding bound
used to model check this program. Note that constant
propagation means that the occurrence of i in line 11 is
replaced by constant values. In the different copies of
the unrolled outer loops we thus get multiple copies of
the right-hand side that are identical in the SSA form.
1 typedef struct {
2 float real , imag ;
3 } complex ;
4 int n=1024;
5 complex x[1024] , ∗xi ;
6 for ( le=n/2; le >0; le /=2) {
7 . . .
8 for ( j =0; j<le ; j ++) {
9 . . .
10 for ( i=j ; i<n; i=i+2∗le ) {
11 xi = x + i ;
12 . . .
13 }
14 }
15 }
Fig. 6: Code fragment of Fast Fourier Transformation.
For example, if we set the unwinding bound k to 1024
(which is required because the upper bound n of the
innermost for-loop is equal to 1024, see line 4), the for-
loop in lines 6-15 will contain nine copies of the for-
loop in lines 8-14, where the variable le will assume the
values 512, 256, 128, ..., 1. In combination with constant
propagation, the expression x + i that is assigned to the
pointer index xi is thus repeated up to nine times for
each (propagated) value that i takes in the for-loop in
lines 10-13. We thus include all expressions into a cache
so that when a given expression is processed again in
the program, we only retrieve it from the cache instead
of creating a new copy using a new set of variables.
3.5 Encodings
This section describes the encodings that we use to
convert the constraints and properties from the ANSI-
C program into the background theories of the SMT
solvers.
3.5.1 Scalar Data Types
We provide two approaches to model unsigned and
signed integer data types, either as integers provided
by the corresponding SMT-LIB theories or as bit-vectors
of a particular bit width. For the encodings, we use
the scalar datatypes supported by the front-end. The
ANSI-C datatypes int, long int, long long int, and char
are considered as signedbv with different bit widths (de-
pending on the machine architecture) and the unsigned
versions of these datatypes are considered as unsignedbv.
We also support the C enumeration declaration (which
is considered as c enum) and we encode it as an integer
type since the values of the enumeration are already
generated by the front-end and obey normal scoping
rules. For double and ﬂoat we currently only support
ﬁxed-point arithmetic using ﬁxedbv, but not full ﬂoating-
point arithmetic; see the following section for more
details.
The encoding of the relational (e.g., <, ≤, >, ≥) and
arithmetic operators (e.g., +, −, /, ∗, rem) depends on the
encoding of their operands. In the SAT-based version of
CBMC [11], [30], the relational and arithmetic operators
are transformed into propositional equations using a
carry chain adder, and the size of their encoding thus
depends on the size of the bit-vector representation
of the scalar data types. In the SMT-based version of
CBMC [6] only bit-vectors are used and the capabilities
of the SMT solvers to model program variables through
the corresponding numerical domains such as Z are not
exploited, while the SMT-based BMC approach proposed
by Armando et al. [3] does not support the encoding of
ﬁxed-point numbers.
We support all type casts, including conversion be-
tween integer and ﬁxed-point types. These conversions
are performed using the functions Extract, SignExt and
ZeroExt described in Section 2.2. Similarly, upon deref-
erencing, the object that a pointer points to is converted
using the same word-level functions. The datatype bool
is converted to signedbv and unsignedbv using ite. In
addition, signedbv and unsignedbv variables are converted
to bool by comparing them to constants whose values
represent zero in the corresponding types.
3.5.2 Fixed-Point Arithmetic
Embedded applications from domains such as discrete
control and telecommunications often require arithmetic
over non-integral numbers. However, an encoding of the
full ﬂoating-point arithmetic into the BMC framework8
leads to large formulae; instead, we over-approximate
it by ﬁxed-point arithmetic, which might introduce be-
haviour that is not present in a real implementation.
We use two different representations to encode non-
integral numbers, binary (when dealing with bit-vector
arithmetic) and decimal (when dealing with rational
arithmetic). In this way, we can explore the different
background theories of the SMT solvers and trade off
speed and accuracy as further described in Section 3.5.8.
We encode ﬁxed-point numbers using the integral and
fractional parts separately [28]. Given a rational number
that consists of an integral part I with m bits and a
fractional part F with n bits, we represent it by  I.F 
and interpret it as I + F/2n. For instance, the number
0.75 can be represented as  0000.11  in base 2 while 0.125
can represented as  0000.001 .
We encode ﬁxed-point arithmetic using bit-vector
arithmetic as in the binary encoding, but we assume that
the operands have the same bitwidths both before and
after the radix point. If this is not the case, we pad the
shorter bit sequence and add zeros from the right (if
there are bits missing in the fractional part), e.g., 0.75
+ 0.125 =  0000.1100  +  0000.0010 ) or from the left (if
there are bits missing before the radix point).
We encode ﬁxed-point arithmetic using rational arith-
metic by rounding the ﬁxed-point numbers to rationals
in base 10. We extract the integral and fractional parts
and convert them to integers I and F, respectively;
we then divide F by 2n, round the result to a given
number of decimal places, and convert everything to a
rational number in base 10. For example, with m = 2,
n = 16, and six places decimal precision, the number
3.9 (11.1110011001100110) is converted to I = 3, and
F = 58982/216, and ﬁnally to 3899994/100000. As a
result, the arithmetic operations are performed in the
domain of Q instead of R and there is no need to add
missing bits to the integer and fractional parts.
In general, the drawback is that some numbers are not
precisely represented with ﬁxed-point arithmetic. As an
example, if m = 4 and n=4, then the closest numbers
to 0.7 are 0.6875 ( 0000.1011 ) and 0.75 ( 0000.1100 ).
As a result, the number needs to be rounded and the
deviation might eventually change the control ﬂow of
the program.
3.5.3 Arithmetic Overﬂow and Underﬂow
Arithmetic overﬂow and underﬂow are frequent sources
of bugs in embedded software. ANSI-C, like most pro-
gramming languages, provides basic data types that
have a bounded range deﬁned by the number of bits
allocated to them. Some model checkers treat program
variables either as unbounded integers (e.g., Blast [62])
or do not generate VCs related to arithmetic overﬂow
(e.g., SMT-CBMC [3], SMT-based CBMC [6] and F-
Soft [4]), and can consequently produce false positive
results. In our work, we generate VCs related to arith-
metic overﬂow and underﬂow following the ANSI-C
standard. This requires that, on arithmetic overﬂow of
unsigned integer types (e.g., unsigned int), the result must
be interpreted using modular arithmetic as r mod 2w,
where r is the expression that caused overﬂow and w
is the bit-width of the result type [5]. Hence, in this
encoding the result of the expression is one greater
than the largest value that can be represented by the
result type. This semantics can be encoded trivially
using the background theories of the SMT solvers. For
each unsigned integer expression, we generate a literal
lunsigned overﬂow to represent the validity of the unsigned
operation and add the constraint:
lunsigned overﬂow ⇔ (r − (r mod 2w)) < 2w
The ANSI-C standard does not deﬁne any behaviour
on arithmetic overﬂow of signed types (e.g., int, long
int), and only states that integer division-by-zero must
be detected. In addition to division-by-zero detection, we
consider arithmetic overﬂow of signed types on addi-
tion, subtraction, multiplication, division and negation
operations by deﬁning boundary conditions. For exam-
ple, we deﬁne a literal loverﬂow∗
x,y that is true iff the
multiplication of x and y exceeds LONG MAX (i.e.,
x ∗ y > LONG MAX) and another literal lunderﬂow∗
x,y
that is true iff the multiplication of x and y is below
LONG MIN. We use a literal lres op∗ to denote the
validity of the signed multiplication with the following
constraint:
lres op∗ ⇔ (¬loverﬂow∗
x,y ∧ ¬lunderﬂow∗
x,y)
The overﬂow and underﬂow checks on the remaining
operators are encoded in a similar way.
3.5.4 Arrays
Arrays are encoded in a straight-forward manner using
the SMT domain theories, since the WITH operator
and index operator [] can be mapped directly to the
functions store and select of the array theory presented
in Section 2.2 [11], [29]. For example, the assignment a′
= a WITH [i := v] is encoded with a store operation a′
= store(a,i,v) while x = a[i] is encoded with a select
operation x = select(a,i). In the array theory, the arrays
are unbounded, but in a program, if an array index is
out of bounds, the value selected is undeﬁned and an
out-of-bounds write can cause a crash. In order to check
for array bounds violations, we simply keep track of the
size of the array and generate VCs that are provable iff
the indexing expression is within the array’s bounds.
1 int i , a[N] ;
2 . . .
3 for ( i =0; i< N; i ++)
4 a[ i +1]=2∗ i ;
5 . . .
Fig. 7: Array out of bounds example.
As an example, consider the code fragment shown in
Figure 7. In order to check for the array bounds in line12
further development and experiments. In Section 4.3,
we evaluate the simpliﬁcation techniques proposed in
Section 3.4. In Section 4.4 we check the error detection
capability of ESBMC over a large set of both correct and
buggy ANSI-C programs. In the last two sections, we
evaluate ESBMC’s performance relative to that of two
other ANSI-C BMC tools. In Section 4.5, we compare ES-
BMC and SMT-CBMC, using SMT-CBMC’s own bench-
mark suite, while we compare ESBMC and CBMC in the
ﬁnal Section 4.6, using a variety of programs, including
embedded software used in telecommunications, control
systems, and medical devices.
4.1 Experimental Setup
We used benchmarks from a variety of sources to evalu-
ate ESBMC’s precision and performance, which include
embedded systems benchmark suites and applications as
well as other testsuites and applications, including the
SAT solver PicoSAT [42], the open-source applications
ﬂex [43] and git-remote [44], and a ﬂasher manager appli-
cation [45]. We also extracted one particular application
from the CBMC manual [11] that implements the multi-
plication of two numbers using bit-level operations.
The PowerStone [37] suite contains graphics appli-
cations, paging communication protocols and bit shift-
ing applications. The SNU-RT [27] suite consists of
matrix and signal processing functions such as matrix
multiplication and decomposition, quadratic equations
solving, cyclic redundancy check, fast fourier trans-
form, LMS adaptive signal enhancement, and JPEG en-
coding. We use the non-deterministic version of these
benchmarks where all inputs are replaced by non-
deterministic values. We also a cubic equation solver
from the MiBench [41] suite. The HLS suite [33] contains
programs that implement the encoder and decoder of the
adaptive differential pulse code modulation (ADPCM).
The NXP [40] benchmarks are taken from the set-top
box of NXP Semiconductors that is used in high deﬁni-
tion internet protocol and hybrid digital TV applications.
The embedded software of this platform relies on the
Linux operating system and makes use of different ap-
plications such as (i) LinuxDVB that is responsible for
controlling the front-end, tuners and multiplexers, (ii)
DirectFB that provides graphics applications and input
device handling and (iii) ALSA that is used to control
the audio applications.
The NECLA [36] and VERISEC [34] benchmarks are
not speciﬁcally related to embedded software, but they
allow us to check ESBMC’s error-detection capability
easily since they provide ANSI-C programs with and
without known bugs. Here, we use the sufﬁx “-bad”
to denote the subset with seeded errors, and “-ok”
to denote the supposedly correct (“golden”) versions.
The programs make use of dynamic memory allocation,
interprocedural dataﬂow, aliasing, pointers typecast and
string manipulation. In addition, we used some pro-
grams from the well-known Siemens [39] test suite,
including pattern matching and string processing, statis-
tics, and aerospace applications. The EUREKA [3] bench-
marks ﬁnally contain programs that allow us to assess
the scalability of the model checking tools on problems
of increasing complexity [3].
All experiments were conducted on an otherwise idle
Intel Xeon 5160, 3GHz server with 4 GB of RAM running
Linux OS. For all benchmarks, the time limit has been set
to 3600 seconds for each individual property. All times
given are wall clock time in seconds as measured by the
unix time command.
4.2 Comparison of SMT solvers
As a ﬁrst step, we compared to which extent the SMT
solvers support the domain theories that are required for
SMT-based BMC of ANSI-C programs. For this purpose,
we analyzed the SMT solvers Boolector (V1.4), CVC3
(V2.2), and Z3 (V2.11). In the theory of linear and non-linear
arithmetic, CVC3 and Z3 do not support the remainder
operator, but they allow us to use axioms to deﬁne it.
Currently, Boolector does not support the theory of linear
and non-linear arithmetic at all. In the theory of bit-vectors,
CVC3 does not support the division and remainder op-
erators for bit-vectors representing signed and unsigned
integers. However, in all cases, axioms can be used in
order to deﬁne the missing operators. Boolector and Z3
support all word-level, bit-level, relational, arithmetic
functions over unsigned and signed bit-vectors. In the
theories of arrays and tuples, the veriﬁcation problems
only involve selecting and storing elements from/into
arrays and tuples, respectively, and both domains thus
comprise only two operations. These operations are fully
supported by CVC3 and Z3; Boolector supports only the
theory of arrays but not that of tuples.
We then used 15 ANSI-C programs to compare the
performance of Boolector, CVC3, and Z3 as ESBMC back-
ends. The programs 1-8 allow us to assess the scalability
of the model checking tools on problems of increasing
complexity [3] and the programs 9-15 contain typical
ANSI-C constructs found in embedded software, i.e.,
they contain linear and non-linear arithmetic and make
heavy use of bit operations.
Table 1 shows the results of the comparison. Here, L
is the number of lines of code, B the unwinding bound,
and P the number of properties veriﬁed, for each ANSI-
C program. We checked for language-speciﬁc safety
properties (e.g., pointer safety, array bounds, division
by zero) as well as user-speciﬁed properties. For each
solver, we provide the total time (in seconds) to check
all properties of each program at the same time, using
the speciﬁed unwinding bound, as well as the solver
time itself. The difference between both times is spent
in the ESBMC front-end. In addition, we provide (in
brackets) the timings using the SMT-LIB interface instead
of the native API of the solver. The fastest time for each
program is shown in bold. We also indicate whether
ESBMC fails during the veriﬁcation process, either due13
CVC3 (v2.2) Boolector (v1.4) Z3 (v2.11)
Program L B P Solver Total Solver Total Solver Total
1 EUREKA.BubbleSort 43 35 17 14 (3) 17 (5) <1 (<1) 2 (2) <1 (<1) 2 (3)
43 70 17 Mb (16) Mb (33) 3 (1) 16 (17) 3 (1) 16 (17)
43 140 17 Mb (Mb) Mb (Mb) 85 (53) 282 (311) 65 (11) 265 (269)
2 EUREKA.SelectionSort 34 35 17 17 (2) 18 (3) <1 (<1) 1 (1) <1 (<1) 1 (1)
34 70 17 Mb (8) Mb (17) 1 (<1) 9 (10) 1 (1) 9 (11)
34 140 17 Mb (42) Mb (209) 10 (3) 161 (171) 12 (6) 165 (173)
3 EUREKA.InsertionSort 34 35 17 2 (3) 4 (5) <1 (<1) 3 (3) <1 (<1) 3 (3)
34 70 17 3 (11) 14 (24) 4 (<1) 15 (13) 2 (1) 12 (14)
34 140 17 21 (67) 194 (283) 193 (3) 350 (219) 42 (7) 212 (222)
4 EUREKA.BellmanFord 49 20 33 <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1)
5 EUREKA.Prim 79 8 30 <1 (1) 5 (2) <1 (<1) <1 (<1) <1 (<1) <1 (<1)
6 EUREKA.StrCmp 14 1000 6 4 (444) 11 (454) 192 (248) 195 (257) 32 (37) 35 (46)
7 EUREKA.SumArray 12 1000 7 <1 (106) 1 (107) <1 (<1) 1 (1) 9 (<1) 10 (1)
8 EUREKA.MinMax 19 1000 9 Tb (Mb) Tb (Mb) 38 (2) 42 (7) 2 (1) 6 (7)
9 SNU-RT.Fibonacci 40 30 4 <1 (<1) 39 (38) <1 (<1) 39 (38) <1 (<1) 39 (38)
10 SNU-RT.bs 95 15 7 <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1)
11 SNU-RT.lms 258 202 23 97 (17) 225 (324) <1 (<1) 303 (307) 3 (<1) 306 (307)
12 MiBench.Cubic 66 5 5 <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1) <1 (<1)
13 CBMC.BitWise 18 8 1 3 (6) 3 (6) 7 (8) 7 (8) 30 (26) 30 (26)
14 HLS.adpcm encode 149 200 12 <1 (21) 6 (26) <1 (<1) 6 (6) <1 (<1) 6 (6)
15 HLS.adpcm decode 111 200 10 <1 (24) 3 (27) <1 (<1) 3 (3) <1 (<1) 3 (3)
TABLE 1: Results of the comparison between CVC3, Boolector and Z3. Time-outs are represented with T in the
Time column; Examples that exceed available memory are represented with M in the Time column.
to a time out (T) or due to memory overﬂow (M). All
failures occurred in the back-end (i.e., solver), which is
indicated by the subscript b.
As we can see in Table 1, if we use the native API of
the solvers, Z3 usually runs slightly faster than Boolector
and CVC3; however, both CVC3 and Boolector are faster
for some programs. Generally the difference between
the solvers (in particular between Boolector and Z3) are
small, although CVC3 fails for some examples. If we use
the SMT-LIB interface, the situation changes, and Boolec-
tor runs slightly faster than Z3 and CVC3. However,
similar to case of the native API, it is not always the
fastest solver; again, the differences are generally small,
and even smaller than when using the native API.
Generally, the native API is slightly faster than the
SMT-LIB interface, although the difference is small.
However, there are a few notable exceptions. Using the
SMT-LIB interface, CVC3 scales better for BubbleSort and
SelectionSort, but slows down substantially for StrCmp
and SumArray. We manually inspected the respective
VCs and found that their structure is essentially the
same. We conclude that the SMT-LIB interface of CVC3
lacks some optimization during the preprocessing. Sim-
ilarly, Boolector speeds up for InsertionSort using the
SMT-LIB API, but the structure of the VCs using both
APIs is also the same; similarly, we conclude that the
SMT-LIB interface enables some optimization during the
preprocessing.
We decided to continue the development with Z3 and
Boolector using both the native and SMT-LIB APIs since
CVC3 does not scale so well and fails to check the three
benchmarks BubbleSort, SelectionSort and MinMax.
4.3 Performance Improvement
We evaluate the effectiveness of the simpliﬁcation tech-
niques described in Section 3.4 using 174 programs,
with a total size of 70K lines of code, taken from
the benchmark suites Siemens, SNU-RT, PowerStone,
NECLA and NXP. With all optimizations enabled, ES-
BMC can check all 174 programs in 439 seconds, which
serves as our baseline. We then evaluate the effect of
the simpliﬁcations by disabling them one at a time as
follows: constant propagation of store operations for
arrays, structs and unions (CPstore); constant propaga-
tion for constant strings (CPString); forward substitution
(FS); and removal of functionally redundant literals and
variables (FRLV). We set the time out to 180 seconds
because it is longest time to check a given program with
all optimizations enabled.
Surprisingly, ESBMC performs better when we dis-
able the removal of functionally redundant literals and
variables (FRLV) and checks all 174 programs in 423
seconds. We can thus conclude that the SMT solvers
already eliminate the functionally redundant literals and
variables during the preprocessing phase in a more
efﬁcient way. Fortunately, all other simpliﬁcations pay
off. Using CPstore, ESBMC checks 170 programs in 1059
seconds and times out in four programs. With CPString,
it checks 173 programs in 590s and times out in one16
SAT-based CBMC (v3.8) [11] ESBMC (v1.15)
Time Properties Time Properties
Module L B P
S
o
l
v
e
r
T
o
t
a
l
P
a
s
s
e
d
V
i
o
l
a
t
e
d
F
a
i
l
S
o
l
v
e
r
T
o
t
a
l
P
a
s
s
e
d
V
i
o
l
a
t
e
d
F
a
i
l
1 Siemens.print tokens2 510 81
∗ 135 <1 <1 135 0 0 <1 (<1) <1 (<1) 135 0 0
(get token) 51 82 76 Tb Tb 0 0 135 29 (35) 60 (65) 134 1 0
2 Siemens.replace 564 1
∗ 199 †f †f - - - <1 (<1) <1 (<1) 199 0 0
3 Siemens.tot info 406 30
∗ 73 †f †f - - - 32 (3) 98 (79) 73 0 0
4 Siemens.tcas 173 4 38 <1 <1 38 0 0 1 (<1) 2 (1) 38 0 0
5 Siemens.space 9125 126
∗ 2016 <1 4 2016 0 0 <1 (<1) 3 (3) 2016 0 0
6 WCET.statistics 157 ∞ 29 †f †f - - - 1 (<1) 53 (53) 27 2 0
7 WCET.statemate 1273 3 6 <1 <1 6 0 0 <1 (<1) <1 (<1) 6 0 0
8 SNU-RT.crc new 125 ∞ 13 <1 6 12 1 0 <1 (<1) 8 (8) 12 1 0
9 SNU-RT.fft1k new 158 ∞ 39 †b †b 35 0 4 <1 (1) 56 (57) 39 0 0
10 SNU-RT.ﬁbcall new 83 50
∗ 2 <1 <1 1 1 0 <1 (<1) <1 (<1) 1 1 0
11 SNU-RT.ﬁr new 316 ∞ 25 5 6 25 0 0 <1 (<1) 2 (2) 25 0 0
12 SNU-RT.insertsort new 94 13 20 †b †b 0 0 20 8 (<1) 8 (2) 14 6 0
13 SNU-RT.lms new 256 ∞ 35 †b †b 29 0 6 3 (<1) 24 (24) 35 0 0
14 SNU-RT.ludcmp new 142 ∞ 79 Tb Tb 84 0 4 Tb (Tb) Tb (Tb) 84 0 4
15 SNU-RT.qurt new 159 ∞ 8 Tb Tb 2 0 6 Tb (Tb) Tb (Tb) 7 0 1
16 PowerStone.bcnt 83 17 153 2 3 153 0 0 2 (2) 2 (2) 153 0 0
17 PowerStone.blit 95 1 133 <1 <1 133 0 0 <1 (<1) <1 (<1) 129 4 0
18 PowerStone.pocsag 521 42 187 Mf Mf - - - 4 (<30) 22 (48) 186 1 0
19 NECLA.ex30 45 101 16 <1 2 12 4 0 <1 (<1) 3 (3) 16 0 0
20 NECLA.ex33 35 100 13 <1 <1 6 7 0 <1 (<1) <1 (<1) 13 0 0
21 NXP.exStbKey 558 4 33 <1 4 33 0 0 <1 (<1) 1 (1) 33 0 0
22 NXP.exStbHDMI 1508 15
∗ 138 500 706 138 0 0 316 (†b) 429 (†b) 138 0 0
23 NXP.exStbLED 430 50
∗ 102 72 122 102 0 0 48 (68) 80 (79) 102 0 0
24 NXP.exStbHwAcc 1432 3 239 2 6 238 1 0 <1 (†b) 1 (†b) 238 1 0
25 NXP.exStbResolution 353 50 79 †b †b 0 0 70 26 (59) 59 (61) 70 0 0
26 NXP.exStbFb 689 10 218 484 825 167 0 0 52 (†b) 101 (†b) 167 0 0
27 NXP.exStbCc 331 3 21 <1 3 19 2 0 <1 (<1) <1 (<1) 19 2 0
28 picosat 8160 23
∗ 3142 Tf Tf - - - 27 (†b) 79 (†b) 3142 0 0
29 ﬂex 14192 2
∗ 10002 †f †f - - - 3492 (†b) 3526 (†b) 10002 0 0
30 git-remote-gitkrb5 6288 5
∗ 174 †b †b 0 0 174 196 (†b) 225 (†b) 174 0 0
31 ﬂasher manager 521 21 26 2 4 26 0 0 25 (22) 29 (27) 25 1 0
32 HLS.adpcm encode 150 100 25 Tb Tb 0 0 25 <1 (<1) 6 (6) 24 1 0
TABLE 4: Results of the comparison between CBMC and ESBMC. Internal errors in the respective tool are
represented with † in the Time column. The subscripts f and b indicate whether the errors occurred in the
front-end or back-end, respectively. We give the smallest unwinding bound that is sufﬁcient to prove or falsify the
properties (i.e., produces no unwinding violation); a superscript ∗ on the unwinding bound indicates that the
bound is insufﬁcient, but cannot be increased with the available memory.
cated SMT solvers built over efﬁcient SAT solvers [16],
[17], [18]. Previous work related to SMT-based BMC [4],
[48], [3] combined decision procedures for the theories
of uninterpreted functions, arrays and linear arithmetic
only, but did not encode key constructs of the ANSI-C
programming language such as bit operations, ﬂoating-
point arithmetic and pointers.
Ganai and Gupta describe a veriﬁcation framework for
BMC which extracts high-level design information from
an extended ﬁnite state machine (EFSM) and applies
several techniques to simplify the BMC problem [4], [24].
However, the authors ﬂatten structures and arrays into
scalar variables in such a way that they use only the
theory of integer and real arithmetic in order to solve
the VCs. Armando et al. also propose a BMC approach
using SMT solvers for C programs [3]. However, they
only make use of linear arithmetic (i.e., addition and
multiplication by constants), arrays, records and bit-
vectors in order to solve the VCs. As a consequence,
their SMT-CBMC prototype does not address important
constructs of the ANSI-C programming language such as
non-linear arithmetic and bit-shift operations. Kroening17
also encodes the VCs generated by the front-end of
CBMC by using the bit-vector arithmetic and does not
exploit other background theories of the SMT solvers
to improve scalability [6]. Donaldson et al. present an
approach to compute invariants in BMC of software by
means of k-induction [49]. Their method, however, is
highly customized for checking assertions representing
DMA operations in the Cell processor, which requires
only a small number of loop iterations and thus allows
k-induction to work well with a small value of k. Xu
proposes the use of SMT-based BMC to verify real-time
systems by using TCTL to specify the properties [48].
The author considers an informal speciﬁcation (written
in English) of the real-time system and then models the
variables using integers and reals and represents the
clock constraints using linear arithmetic expressions.
De Moura et al. present a bounded model checker
that combines propositional SAT solvers with domain-
speciﬁc theorem provers over inﬁnite domains [50]. Dif-
ferently from other related work, the authors abstract
the Boolean formula and then apply a lazy approach to
reﬁne it in an incremental way. This approach is applied
to verify timed automata and RTL level descriptions.
Jackson et al. [51] discharge several VCs from programs
written in the Spark language to the SMT solvers CVC3
and Yices as well as to the theorem prover Simplify. The
idea of this work is to replace the Praxis prover by CVC3,
Yices and Simplify in order to generate counter-example
witnesses to VCs that are not valid. In [52], Jackson
and Passmore extend [51] by implementing a tool to
automatically discharge VCs using SMT solvers. The
authors observed signiﬁcant performance improvement
of the SMT solvers when compared to the Praxis prover.
Jackson and Passmore, however, focus on translating
VCs into SMT from programs written in the SPARK
language (which is a subset of the Ada language) instead
of ANSI-C programs.
Software model checking is executed on an abstraction
of the actual program. Model checking the abstraction
of a program is sound, but necessarily incomplete. Ab-
straction reﬁnement is a general technique for proving
properties with software model checkers [60]. Thus,
abstraction reﬁnement allows extending the usual bug-
hunting uses of software model checkers. In practice, a
well-known approach is counterexample-guided abstrac-
tion reﬁnement (CEGAR) [64]. A number of approaches
have been developed for CEGAR [60], including in-
terpolation [63]. Examples of modern software model
checkers implementing CEGAR with interpolation in-
clude BLAST [62] and ARMC [61].
Recently, a number of static checkers have been de-
veloped in order to trade off scalability and precision.
Calysto is an automatic static checker that is able to
verify VCs related to arithmetic overﬂow, null-pointer
dereferences and assertions speciﬁed by the user [53].
The VCs are passed to the SMT solver SPEAR which sup-
ports boolean logic, bit-vector arithmetic and is highly
customized for the VCs generated by Calysto. However,
Calysto does not support ﬂoating-point operations and
unsoundly approximates loops by unrolling them only
once. As a consequence, soundness is relinquished for
performance. Saturn is another automatic static checker
that scales to larger systems, but with the drawback of
losing precision by supporting only the most common
integer operators and performing at most two unwind-
ings of each loop [54]. In contrast to [53], [54], the
extended static checker for Java (ESC/JAVA) is a semi-
automatic veriﬁcation tool, which requires the program-
mer to supply loop, function, and class invariants and
thus limits its acceptance in pratice [55]. In addition,
ECS/Java employs the Simplify theorem prover [56]
to verify user-supplied invariants and thus important
constructs of the programming language (e.g., bitwise
operation) are often encoded imprecisely using axioms
and uninterpreted functions.
6 CONCLUSIONS
In this work, we have investigated SMT-based veriﬁ-
cation of ANSI-C programs, with a focus on embed-
ded software. We have described a new set of en-
codings that allow us to reason accurately about bit
operations, unions, ﬁxed-point arithmetic, pointers and
pointer arithmetic and implemented it in the ESBMC
tool. Our experiments constitute, to the best of our
knowledge, the ﬁrst substantial evaluation of SMT-based
BMC on industrial applications. The results show that
ESBMC outperforms CBMC [11] and SMT-CBMC [3]
if we consider the veriﬁcation of embedded software.
ESBMC is able to model check ANSI-C programs that
involve tight interplay between non-linear arithmetic,
bit operations, pointers and array manipulations. In
addition, it was able to ﬁnd undiscovered bugs in the
NECLA, PowerStone, Siemens, SNU-RT, VERISEC and
WCET benchmarks related to arithmetic overﬂow, buffer
overﬂow, invalid pointers and pointer arithmetic.
SMT-CBMC still has limitations not only in the ver-
iﬁcation time (due to the lack of simpliﬁcation based
on high-level information), but also in the encodings of
important ANSI-C constructs used in embedded soft-
ware. CBMC is a SAT-based BMC tool for full ANSI-
C, but it has limitations due to the fact that the size of
the propositional formulae increases signiﬁcantly in the
presence of large data-paths and high-level information
is lost when the VCs are converted into propositional
logic (preventing potential optimizations to reduce the
state space to be explored). Its prototype SMT-based
back-end is still unstable and fails on a large fraction
of our benchmarks.
We are currently extending ESBMC to support the
veriﬁcation of multi-threaded software in embedded
systems [57], [58]. For future work, we also intend to
investigate the application of termination analysis [59]
and incorporate reduction methods to simplify the k-
model.18
Acknowledgments
We thank D. Kroening, C. Wintersteiger, and L. Platania for
many helpful discussions about the CBMC and SMT-CBMC
model checking tools, C. Barrett, R. Brummayer and L. de
Moura for analyzing the VCs, and F. Ivancic and M. Chechik
for checking the bugs discovered in the NECLA and VERISEC
suites. We also thank the anonymous reviewers for their com-
ments, which helped us to improve the draft version of this
paper.
This research was supported by EPSRC grants
EP/E012973/1 (NOTOS) and EP/F052669/1 (Cadged Code)
and by the EC FP7 grants ICT/217069 (COCONUT) and
IST/033709 (VERTIGO). Lucas Cordeiro was also supported
by an ORSAS studentship.
REFERENCES
[1] A. Biere. Bounded model checking. In Handbook of Satisﬁability,
pp. 457–481. 2009.
[2] A. Armando, J. Mantovani, and L. Platania, “Bounded model
checking of software using SMT solvers instead of SAT solvers,”
in SPIN, LNCS 3925, pp. 146–162, 2006.
[3] A. Armando, J. Mantovani, and L. Platania, “Bounded model
checking of software using SMT solvers instead of SAT solvers,”
in Int. J. Softw. Tools Technol. Transf., vol. 11, no. 1, pp. 69–83, 2009.
[4] M. K. Ganai and A. Gupta, “Accelerating high-level bounded
model checking,” in Intl. Conf. on Computer-Aided Design (ICCAD),
pp. 794–801, 2006.
[5] ISO, ISO/IEC 9899:1999: Programming languages C, International
Organization for Standardization, 1999.
[6] D. Kroening, CBMC 3.3 released – preliminary support for SMT
QF AUFBV. http://groups.google.co.uk/group/cprover: The
CProver Group, 2009.
[7] L. Cordeiro, B. Fischer, and J. Marques-Silva, “SMT-based
bounded model checking for embedded ANSI-C software,” in
Intl. Conf. on Automated Software Engineering (ASE), pp. 137–148,
2009.
[8] ——, “Continuous veriﬁcation of large embedded software using
SMT-based bounded model checking.” in Intl. Conf. and Workshops
on Engineering of Computer-Based Systems (ECBS), pp. 160–169,
2010.
[9] SMT-LIB, The Satisﬁability Modulo Theories Library,
http://combination.cs.uiowa.edu/smtlib, 2009.
[10] A. Stump and M. Deters, Satisﬁability Modulo Theories Competition,
http://www.smtcomp.org/, 2010.
[11] E. Clarke, D. Kroening, and F. Lerda, “A tool for checking ANSI-C
programs,” in Intl. Conf. on Tools and Algorithms for the Construction
and Analysis of Systems (TACAS), LNCS 2988, pp. 168–176, 2004.
[12] C. Wintersteiger, Compiling GOTO-Programs,
http://www.cprover.org/goto-cc/, 2009.
[13] R. L. Sites, “Some thoughts on proving clean termination of
programs.” Stanford, CA, USA, Tech. Rep., 1974.
[14] A. R. Bradley and Z. Manna, The Calculus of Computation: Decision
Procedures with Applications to Veriﬁcation. Springer, 2007.
[15] M. Bozzano and et al. “Encoding RTL constructs for MathSAT:
a preliminary report,” Electr. Notes Theor. Comput. Sci., vol. 144,
no. 2, pp. 3–14, 2006.
[16] C. Barrett and C. Tinelli, “CVC3,” in Intl. Conf. on Computer Aided
Veriﬁcation (CAV, LNCS 4590, pp. 298–302, 2007.
[17] R. Brummayer and A. Biere, “Boolector: An efﬁcient SMT solver
for bit-vectors and arrays,” in Intl. Conf. on Tools and Algorithms
for the Construction and Analysis of Systems (TACAS), LNCS 5505,
pp. 174–177, 2009.
[18] L. M. de Moura and N. Bjørner, “Z3: An efﬁcient SMT solver,” in
Intl. Conf. on Tools and Algorithms for the Construction and Analysis
of Systems (TACAS), LNCS 4963, pp. 337–340, 2008.
[19] J. Mccarthy, “Towards a mathematical science of computation,”
in IFIP Congress. North-Holland, pp. 21–28, 1962.
[20] S. S. Muchnick, Advanced compiler design and implementation. Mor-
gan Kaufmann Publishers Inc., 1997.
[21] E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman, “Compu-
tational challenges in bounded model checking,” Software Tools for
Technology Transfer (STTT), vol. 7, no. 2, pp. 174–183, 2005.
[22] L. M. de Moura and N. Bjørner, “Satisﬁability modulo theories:
An appetizer,” in Brazilian Symposium on Formal Methods (SBMF),
LNCS 5902, pp. 23–36, 2009.
[23] E. Clarke, D. Kroening, O. Strichman, and J. Ouaknine, “Com-
pleteness and complexity of bounded model checking,” in Intl.
Conf. on Veriﬁcation, Model Checking, and Abstract Interpretation
(VMCAI), LNCS 2937, pp. 85–96, 2004.
[24] M. K. Ganai and A. Gupta, “Completeness in SMT-based BMC
for software programs,” in Design, Automation, and Test in Europe
(DATE), IEEE, pp. 831–836, 2008.
[25] A. S. Tanenbaum, Computer networks: 4th edition. Upper Saddle
River, NJ, USA: Prentice-Hall, Inc., 2002.
[26] E. Clarke, D. Kroening, N. Sharygina, and K. Yorav, “Predicate
abstraction of ANSI–C programs using SAT,” in Formal Methods
in System Design (FMSD), vol. 25, pp. 105–127, 2004.
[27] S.-S. Lim, Seoul National University Real-Time Benchmarks Suite,
http://archi.snu.ac.kr/realtime/benchmark/, 2009.
[28] D. Kroening and O. Strichman, Decision Procedures: An Algorithmic
Point of View. Springer, 2008.
[29] D. Gries and G. Levin, “Assignment and procedure call proof
rules,” ACM Trans. Program. Lang. Syst., vol. 2, no. 4, pp. 564–579,
1980.
[30] D. Kroening, E. Clarke, and K. Yorav, “Behavioral consistency
of C and Verilog programs using bounded model checking,” in
Technical Report, CMU-CS-03-126, 2003.
[31] J. A. Clause and A. Orso, “Leakpoint: pinpointing the causes of
memory leaks,” in Intl. Conf. on Software Engineering (ICSE) (1),
pp. 515–524, 2010.
[32] D. Kroening and S. A. Seshia, “Formal veriﬁcation at higher levels
of abstraction,” in Intl. Conf. on Computer-Aided Design (ICCAD),
pp. 572–578, 2007.
[33] S. Gupta, High Level Synthesis Benchmarks Suite,
http://mesl.ucsd.edu/spark/benchmarks.shtml, 2009.
[34] K. Ku, T. E. Hart, M. Chechik, and D. Lie, “A buffer overﬂow
benchmark for software model checkers,” in Intl. Conf. on Auto-
mated Software Engineering (ASE), pp. 389–392, 2007.
[35] L. Platania, Eureka Benchmark Suite, http://www.ai-
lab.it/eureka/bmc.html, 2009.
[36] S. Sankaranarayanan, NECLA Static Analysis Benchmarks.
http://www.nec-labs.com/research/system/, 2009.
[37] J. Scott, L. H. Lee, A. Chin, J. Arends, and B. Moyer, “Designing
the low-power m*core architecture,” in Intl. Symp. Computer Archi-
tecture Power Driven Microarchitecture Workshop, IEEE, pp. 145–150,
1998.
[38] A. Ermedahl and J. Gustafsson, Worst-case execution time project /
Benchmarks, http://www.mrtc.mdh.se/projects/wcet/, 2009.
[39] T. Ostrand, Siemens Corporate Research, http://sir.unl.edu/portal/,
2010.
[40] NXP, High deﬁnition IP and hybrid DTV set-top box STB225.
http://www.nxp.com/, 2009.
[41] MiBench Version 1.0, http://www.eecs.umich.edu/mibench/,
2009.
[42] A. Biere, “Picosat essentials,” Journal on Satisﬁability, Boolean Mod-
eling and Computation (JSAT), vol. 4, no. 2-4, pp. 75–97, 2008.
[43] M. Ramanathan, ﬂex, http://sir.unl.edu/portal/, 2010.
[44] J. Morse, Kerberos Git, https://www.studentrobotics.org/trac/wiki
/Kerberos/Git, 2011.
[45] N. L. Vinh, The Flasher Manager Application,
http://users.polytech.unice.fr/ rueher/Benchs/FM/, 2010.
[46] F. Ivancic, Personal communication, 2011.
[47] M. Chechik, Personal communication, 2011.
[48] L. Xu, “SMT-based bounded model checking for real-time sys-
tems,” in Intl. Conf. on Quality Software (QSIC), IEEE, pp. 120–125,
2008.
[49] A. Donaldson, D. Kroening, and P. R¨ ummer, “Automatic analysis
of scratch-pad memory code for heterogeneous multicore proces-
sors,” in Intl. Conf. on Tools and Algorithms for the Construction and
Analysis of Systems (TACAS), LNCS 6015, pp. 280–295, 2010.
[50] L. M. de Moura, H. Rueß, and M. Sorea, “Lazy theorem proving
for bounded model checking over inﬁnite domains,” in Intl. Conf.
on Automated Deduction (CADE), LNCS 2392, pp. 438–455, 2002.
[51] P. B. Jackson, B. J. Ellis, and K. Sharp, “Using SMT solvers to
verify high-integrity programs,” in 2nd Workshop on Automated
Formal Methods, pp. 60–68, 2007.
[52] P. B. Jackson and G. O. Passmore, Proving SPARK Veriﬁcation
Conditions with SMT solvers. Technical Report, University19
of Edinburgh, http://homepages.inf.ed.ac.uk/pbj/papers/vct-
dec09-draft.pdf, 2009.
[53] D. Babi´ c and A. J. Hu, “Calysto: Scalable and Precise Extended
Static Checking,” in Intl. Conf. on Software Engineering (ICSE), pp.
211–220, 2008.
[54] Y. Xie and A. Aiken, “Scalable error detection using Boolean
satisﬁability,” Special Interest Group on Programming Languages
(SIGPLAN) Not., pp. 351–363, 2005.
[55] C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe,
and R. Stata, “Extended static checking for Java,” in Programming
Language Design and Implementation (PLDI), pp. 234–245, 2002.
[56] D. Detlefs, G. Nelson, and J. B. Saxe, “Simplify: a theorem prover
for program checking,” J. ACM, vol. 52, no. 3, pp. 365–473, 2005.
[57] L. Cordeiro, “SMT-based bounded model checking for multi-
threaded software in embedded systems.” in Intl. Conf. on Software
Engineering (ICSE), Doctoral Symposium, pp. 373–376, 2010.
[58] L. Cordeiro and B. Fischer, “Verifying multi-threaded software
using SMT-based context-bounded model checking,” To appear in
33rd Intl. Conf. on Software Engineering (ICSE), 2011.
[59] R. C. Andreas, B. Cook, A. Podelski, and A. Rybalchenko, “Termi-
nator: Beyond safety,” in Intl. Conf. on Computer Aided Veriﬁcation
(CAV), LNCS 4144, pp. 415–418, 2006.
[60] R. Jhala, R. Majumdar, “Software model checking,” in ACM
Comput. Surv., vol. 41, no. 4, pp. 1–54, 2009.
[61] A. Podelski, A. Rybalchenko, “ARMC: The Logical Choice for
Software Model Checking with Abstraction Reﬁnement,” in Prac-
tical Aspects of Declarative Languages (PADL), pp. 245–259, 2007.
[62] D. Beyer, T. Henzinger, R. Jhala, R. Majumdar, “The software
model checker Blast,” in Int. J. Softw. Tools Technol. Transf. vol. 9,
no. 5-6, pp. 505-525, 2007.
[63] K. McMillan. Interpolation and sat-based model checking. in Intl.
Conf. on Computer Aided Veriﬁcation (CAV), LNCS 2725, pages 1–13,
2003.
[64] E. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith, “Counterexample-
Guided Abstraction Reﬁnement,” in Intl. Conf. on Computer Aided
Veriﬁcation (CAV), LNCS 1855, pp. 154-169
Lucas Cordeiro received the B.Sc. degree in
electrical engineering and the M.Sc. degree in
computer engineering from the Federal Univer-
sity of Amazonas (UFAM), in 2005 and 2007,
respectively. He received the Ph.D. degree in
computer science from University of Southamp-
ton in 2011. Currently, he is an assistant profes-
sor in the Electronic and Information Research
Center at UFAM. His work focuses on software
veriﬁcation, bounded (and unbounded) model
checking, satisﬁability modulo theories and em-
bedded systems.
Bernd Fischer received his PhD degree in
Computer Science in 2001 from the University of
Passau, Germany. From 1998 to 2006, he was
a research scientist with USRA/RIACS at the
NASA Ames Research Center. Since 2006 he
is a Senior Lecturer for computer science at the
University of Southampton. His current research
interests include code generation, programming
languages, formal methods, software reliability,
and software veriﬁcation.
Joao Marques-Silva (M’95-SM’03) received a
Ph.D. degree from the University of Michigan,
Ann Arbor, USA, in 1995, and the Habilitation
degree in computer science from the Technical
University of Lisbon in 2004. He is currently
Stokes Professor of Computer Science and In-
formatics, University College Dublin (UCD), Ire-
land. He is also Professor of Computer Science
at Instituto Superior Tecnico (IST), Portugal. His
research interests include algorithms for con-
straint solving and optimization, and applications
in formal methods, artiﬁcial intelligence, operations research, and bioin-
formatics.