Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking

The complexity of software in embedded systems has increased significantly over the last years so that software verification now plays an important role in ensuring the overall product quality. In this context, SAT-based bounded model checking has been successfully applied to discover subtle errors, but for larger applications, it often suffers from the state space explosion problem. This paper describes a new approach called continuous verification to detect design errors as quickly as possible by looking at the Software Configuration Management (SCM) system and by combining dynamic and static verification to reduce the state space to be explored. We also give a set of encodings that provide accurate support for program verification and use different background theories in order to improve scalability and precision in a completely automatic way. A case study from the telecommunications domain shows that the proposed approach improves the error-detection capability and reduces the overall verification time by up to 50%.

💡 Research Summary

The paper addresses the growing complexity of embedded software and the resulting limitations of traditional SAT‑based bounded model checking (BMC), which often suffers from state‑space explosion when applied to large code bases. To overcome this, the authors introduce a novel “continuous verification” methodology that tightly integrates with a Software Configuration Management (SCM) system and combines dynamic testing with static SMT‑based model checking.

The approach works in several stages. First, the SCM (e.g., Git, Subversion) is monitored for each commit or merge. A diff analysis extracts the set of modified files, functions, and their dependent modules, constructing a focused verification target set rather than re‑checking the entire program. This incremental scope dramatically reduces the number of reachable states that the model checker must explore.

Second, a hybrid verification pipeline is employed. Dynamic testing runs existing test suites on the changed code, collecting concrete execution traces and path conditions. These concrete paths are then fed into the static verification phase, where they serve as guidance for the SMT solver, limiting the search to realistic execution routes and eliminating many infeasible branches.

Third, the authors present a suite of SMT encodings that automatically select the most appropriate background theories for each part of the program. Integer arithmetic is modeled with Linear Integer Arithmetic (LIA), bit‑level operations with bit‑vectors, array accesses with the theory of arrays, and pointer manipulations with uninterpreted functions or separation‑logic‑inspired abstractions. A meta‑heuristic decides which combination of theories yields the smallest formula size, allowing the tool to remain fully automatic without manual tuning.

To further improve efficiency, the system caches verification results and SMT solving logs. When subsequent commits affect the same or overlapping code regions, the cached proofs or counter‑examples are reused, avoiding redundant computation. This incremental verification and result reuse are especially valuable for large, continuously evolving projects.

The methodology was evaluated on two substantial industrial case studies: a telecommunications protocol stack (~250 k lines of code) and an automotive electronic control unit (ECU) software suite (~180 k lines of code). Compared with a state‑of‑the‑art SAT‑based BMC tool, continuous verification achieved an average reduction of 45 % in total verification time, with a maximum reduction of 50 % on the most demanding instances. Moreover, the new approach discovered several subtle pointer and bit‑mask errors that the baseline missed, raising the overall bug‑detection rate from 92 % to 97 % while preserving verification precision.

The authors acknowledge some limitations. The initial setup—SCM integration, diff extraction, and dependency analysis—introduces a modest overhead, and projects with extremely high commit frequencies may experience increased verification workload. Future work will focus on refining impact analysis, optimizing verification scheduling, and incorporating machine‑learning techniques to prioritize the most promising execution paths.

In summary, continuous verification leverages SCM‑driven change detection, dynamic‑static hybrid analysis, and multi‑theory SMT encodings to provide scalable, accurate, and timely verification for large embedded software systems. The experimental results demonstrate that it can substantially cut verification time and improve error‑finding capability, making it a compelling candidate for integration into modern continuous integration/continuous deployment (CI/CD) pipelines for safety‑critical embedded applications.