Abstract

Property-directed reachability (PDR) is a SAT/SMT-based reachability algorithm that incrementally constructs inductive invariants. After it was successfully applied to hardware model checking, several adaptations to software model checking have been proposed. We contribute a replicable and thorough comparative evaluation of the state of the art: We (1) implemented a standalone PDR algorithm and, as an improvement, a PDR-based auxiliary-invariant generator for k-induction, and (2) performed an experimental study on the largest publicly available benchmark set of C verification tasks, in which we explore the effectiveness and efficiency of software verification with PDR. The main contribution of our work is to establish a reproducible baseline for ongoing research in the area by providing a well-engineered reference implementation and an experimental evaluation of the existing techniques.

Highlights

  • Automatic software verification [24] is a broad research area with many success stories and large impact on technology that is applied in industry [2, 14, 27]

  • Property-directed reachability (PDR) maintains a list of frames F_0, …, F_k, where frame F_i (0 ≤ i ≤ k) is a predicate that overapproximates the set of states reachable in at most i steps, and a queue of proof obligations, which guides the discovery of invariants. The implementation of the approach of property-directed k-induction combines two SMT solvers, because neither of them supports all features required by the technique.

  • The algorithm maintains the following invariants:
    1. F_0(s) = I(s), i.e., the first frame represents precisely the initial states.
    2. ∀i ∈ {0, …, k}: F_i(s) ⇒ P(s), i.e., every frame contains only states that satisfy the safety property.
    3. ∀i ∈ {0, …, k−1}: F_i(s) ⇒ F_{i+1}(s), i.e., frame F_{i+1} additionally represents states that are reachable with i+1 steps.
    4. ∀i ∈ {0, …, k−1}: F_i(s) ∧ T(s, s′) ⇒ F_{i+1}(s′), i.e., each frame is inductive relative to its predecessor.
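The frame invariants above can be exercised on a finite-state toy. The following Python program is an added illustration, not code from the paper or from CPAchecker: it runs an explicit-state variant of PDR (IC3) in which states are enumerated, every learned lemma is a single blocked state, and there is no generalization step, so it is far weaker than the SAT/SMT-based algorithm but exposes the same blocking and propagation phases and checks invariants 1 to 4 after every step. The transition system (a 4-bit counter that advances by 2, starting at 0) and the two properties (x ≠ 9, which holds, and x ≠ 8, which is violated) are constructed for this example.

```python
"""Explicit-state PDR (IC3) over a finite transition system.

Added illustration of the frame invariants listed in the highlights; this
is not code from the paper or from CPAchecker. States are enumerated
explicitly and each learned lemma is a single blocked state (no
generalization), whereas real PDR works on SAT/SMT formulas and learns
clauses. The toy transition system below is constructed for the example.
"""


def frame_invariants_hold(frames, init_states, trans, prop):
    """Check the four PDR frame invariants on explicit-state frames."""
    if frames[0] != init_states:                          # 1. F_0 = I
        return False
    if not all(prop(s) for f in frames for s in f):       # 2. F_i => P
        return False
    for lo, hi in zip(frames, frames[1:]):
        if not lo <= hi:                                  # 3. F_i => F_{i+1}
            return False
        if not all(t in hi for s in lo for t in trans(s)):  # 4. F_i /\ T => F_{i+1}'
            return False
    return True


def pdr(states, init, trans, prop):
    """Return ("SAFE", inductive invariant) or ("UNSAFE", counterexample trace)."""
    states = set(states)
    initial = {s for s in states if init(s)}
    safe = {s for s in states if prop(s)}
    preds = {s: {t for t in states if s in trans(t)} for s in states}
    if not initial <= safe:
        return "UNSAFE", [next(s for s in initial if not prop(s))]
    frames = [set(initial)]                               # F_0 = I
    while True:
        k = len(frames) - 1
        # Blocking phase: remove every state of F_k that has a successor violating P.
        while True:
            cti = next(((s, t) for s in frames[k] for t in trans(s) if not prop(t)), None)
            if cti is None:
                break
            s0, bad = cti
            obligations = [(s0, k)]                       # stack: top = lowest frame
            while obligations:
                s, i = obligations[-1]
                if s in initial:
                    # The stack is a concrete path I -> ... -> s0 -> bad.
                    return "UNSAFE", [o[0] for o in reversed(obligations)] + [bad]
                # Relative induction: F_{i-1} /\ not s /\ T => not s'
                t = next((p for p in preds[s] if p in frames[i - 1] and p != s), None)
                if t is None:
                    for j in range(1, i + 1):
                        frames[j].discard(s)              # lemma "not s" in F_1..F_i
                    obligations.pop()
                else:
                    obligations.append((t, i - 1))        # block the predecessor first
            assert frame_invariants_hold(frames, initial, trans, prop)
        # F_k /\ T => P' holds now, so the new frame can be initialised to P.
        frames.append(set(safe))
        # Propagation: a lemma moves from F_i to F_{i+1} if it is inductive relative to F_i.
        for i in range(1, k + 1):
            for s in frames[i + 1] - frames[i]:
                if not (preds[s] & frames[i]):
                    frames[i + 1].discard(s)
        assert frame_invariants_hold(frames, initial, trans, prop)
        for i in range(len(frames) - 1):
            if frames[i] == frames[i + 1]:                # fixpoint: inductive invariant
                return "SAFE", frozenset(frames[i])


# Constructed toy system: a 4-bit counter starting at 0 that advances by 2.
COUNTER_STATES = range(16)
def counter_init(x): return x == 0
def counter_trans(x): return {(x + 2) % 16}


if __name__ == "__main__":
    print(pdr(COUNTER_STATES, counter_init, counter_trans, lambda x: x != 9))  # SAFE, even values
    print(pdr(COUNTER_STATES, counter_init, counter_trans, lambda x: x != 8))  # UNSAFE, 0,2,4,6,8
```

On the safe property the loop converges with F_1 = F_2 = {even counter values}, which is returned as the inductive invariant; on the violated property the obligation stack itself is the counterexample path 0, 2, 4, 6, 8. Because a lemma here excludes a single state, every odd counter value has to be blocked one at a time, one more frame per iteration, which is exactly the cost that the generalization step of real PDR avoids by learning clauses that exclude many states at once.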


Summary

Introduction

Automatic software verification [24] is a broad research area with many success stories and a large impact on technology that is applied in industry [2, 14, 27]. One proposal for adapting PDR to software is to track control-flow locations explicitly instead of symbolically [28], thereby avoiding the problem that many iterations of the algorithm are spent only on learning the control flow; this idea was later extended by several improvements to the generalization step of PDR [29]. Another approach is to model the program using a Boolean abstraction, which has the advantage that it requires only few changes to the original algorithm, but the disadvantage that a refinement procedure is necessary to handle the spurious paths introduced by the abstraction. One such approach uses infeasible error paths, i.e., counterexample-guided abstraction refinement (CEGAR) [17], to refine the abstraction [16], while another (CTIGAR) uses counterexamples to induction [11]; both refinement techniques use interpolation to obtain abstraction predicates, and the latter is used in two of the configurations we compare in our evaluation (CPAchecker-CTIGAR and Vvt-CTIGAR [20]). The only available software verifiers that are applicable to actual C programs and implement PDR-based techniques are CPAchecker [7], SeaHorn [23], and Vvt [20].

Background
Combining k -Induction with PDR
Compared Approaches
Experimental Setup
Conclusion
Data Availability Statement