University of Southampton Institutional Repository

Scalable and precise verification based on k-induction, symbolic execution and floating-point theory


Ramalho Gadelha, Mikhail, Yasha (2019) Scalable and precise verification based on k-induction, symbolic execution and floating-point theory. University of Southampton, Doctoral Thesis, 158pp.

Record type: Thesis (Doctoral)

Abstract

In this thesis, we describe and evaluate approaches for the efficient reasoning of real-world C programs using either Bounded Model Checking (BMC) or symbolic execution. We present three main contributions.

First, we describe three new technologies developed in a software verification tool to handle real-world programs: (1) a frontend based on a state-of-the-art compiler, (2) a new SMT backend with support for floating-point arithmetic and (3) an incremental bounded model checking algorithm. These technologies are implemented in ESBMC, an SMT-based bounded model checker for C programs; results show that these technologies enable the verification of a large number of programs.

Second, we formalise and evaluate the bkind algorithm: a novel extension to the k-induction algorithm that improves its bug-finding capabilities by performing backward searches in the state space. The bkind algorithm is the main scientific contribution of this thesis. It was implemented in ESBMC, and we show that it uses fewer resources compared to the original k-induction algorithm to verify the same programs without impacting the results.

Third, we evaluate the use of SMT solvers in a state-of-the-art symbolic execution tool to reduce the number of false bugs reported to the user. Our SMT-based refutation of false bugs algorithm was implemented in the clang static analyser and evaluated on a large set of real-world projects, including the MacOS kernel. Results show that our refutation algorithm can not only remove false bugs but also speed up the analysis when bugs are refuted. The algorithm does not remove any true bug and only introduces a 1% slowdown if it is unable to remove any bugs.

Full text: Final Thesis - Version of Record (1MB), available under the University of Southampton Thesis Licence.

More information

Published date: June 2019

Identifiers

Local EPrints ID: 433530
URI: http://eprints.soton.ac.uk/id/eprint/433530
PURE UUID: 4af81d36-dfd8-4493-bcbd-03cd99d629d4

Catalogue record

Date deposited: 27 Aug 2019 16:30
Last modified: 27 Aug 2019 16:30

Contributors

Author: Mikhail Yasha Ramalho Gadelha
Thesis advisor: Denis Nicole
