Conditional Model Checking

Software model checking, as an undecidable problem, has three possible outcomes: (1) the program satisfies the specification, (2) the program does not satisfy the specification, and (3) the model checker fails. The third outcome usually manifests itself in a space-out, time-out, or one component of the verification tool giving up; in all of these failing cases, significant computation is performed by the verification tool before the failure, but no result is reported. We propose to reformulate the model-checking problem as follows, in order to have the verification tool report a summary of the performed work even in case of failure: given a program and a specification, the model checker returns a condition P —usually a state predicate— such that the program satisfies the specification under the condition P —that is, as long as the program does not leave states in which P is satisfied. We are of course interested in model checkers that return conditions P that are as weak as possible. Instead of outcome (1), the model checker will return P = true; instead of (2), the condition P will return the part of the state space that satisfies the specification; and in case (3), the condition P can summarize the work that has been performed by the model checker before space-out, time-out, or giving up. If complete verification is necessary, then a different verification method or tool may be used to focus on the states that violate the condition. We give such conditions as input to a conditional model checker, such that the verification problem is restricted to the part of the state space that satisfies the condition. Our experiments show that repeated application of conditional model checkers, using different conditions, can significantly improve the verification results, state-space coverage, and performance.

💡 Research Summary

The paper introduces Conditional Model Checking (CMC), a novel reformulation of software model checking that aims to produce useful output even when traditional verification tools run out of resources. Conventional model checking, being undecidable, yields three possible outcomes: (1) the program satisfies the specification, (2) it violates the specification, or (3) the tool fails (e.g., due to memory or time exhaustion). In the failure case, substantial computation is often performed, yet no result is reported. CMC addresses this gap by returning a condition Ψ—typically a state predicate—such that the program is guaranteed to satisfy the specification as long as it never leaves states where Ψ holds. The goal is to make Ψ as weak (i.e., as inclusive) as possible, thereby summarizing the maximal amount of verified state space.

The authors embed CMC into the open‑source verification framework CPAchecker and augment it with three families of condition‑generation mechanisms:

1. Real‑time monitoring of each verification component (abstraction, refinement, SMT solving, etc.). When a component exceeds its allocated resources, the monitor aborts it and synthesizes a condition that excludes the problematic states from the verified region.
2. Predictive heuristics that proactively stop exploration of parts of the program that are likely to cause non‑termination or explosion. Examples include limiting loop unwindings, bounding path length, or applying a conditional depth‑first search.
3. Condition cross‑use, where the negation of a condition produced by one analysis run (¬Ψ) becomes the input condition for a subsequent run, forcing the next analysis to focus on the yet‑unverified portion of the state space.

Two concrete representations of Ψ are provided:

• An assumption formula over program locations and variables, which is human‑readable and can be fed directly into a subsequent analysis.
• An assumption automaton, derived from the abstract reachability tree (ART). This automaton annotates each transition with the corresponding assumption, allowing the verification engine to stop exploring a path as soon as it reaches a sink state where all future assumptions are trivially true.

The paper illustrates CMC with several examples. In a program containing a large loop, a conventional predicate‑analysis would attempt to unwind the loop indefinitely, leading to a timeout. By supplying a condition that caps the number of unwindings, CMC skips the loop, quickly verifies the remaining code, and reports the uncovered error. In a second example involving non‑linear arithmetic (multiplication), a linear‑predicate analysis cannot prove a safety property, but the first CMC run generates a condition that isolates the linear part. A second run using an explicit‑value analysis, guided by the condition, successfully proves the remaining property. Thus, CMC enables complementary analyses to cooperate: each supplies a condition that narrows the search space for the next.

Experimental evaluation on a diverse benchmark suite demonstrates that CMC substantially improves verification coverage and performance. Programs that previously timed out after minutes can now be proved safe or unsafe within seconds. Moreover, the “No‑Fail” property holds: every execution yields a condition, turning a failure into a partial, yet meaningful, result. The authors also discuss several practical applications:

• Partial verification – restricting verification to selected modules while other parts are handled by testing or theorem proving.
• Regression checking – re‑using previously generated conditions to accelerate verification after small code changes.
• Bug‑hunting acceleration – using conditional iteration orders (e.g., bounded path length) to focus on likely error locations.
• Benchmark generation – extracting the unverified remainder as a hard benchmark for future tool development.
• Tool comparison – evaluating not only runtime and memory but also the strength (weakness) of the produced conditions.

The work situates CMC within the broader assume‑guarantee paradigm, emphasizing that the generated condition serves as an explicit assumption under which the tool guarantees correctness. By making the verification outcome explicit and composable, CMC bridges the gap between exhaustive formal verification and practical, resource‑constrained analysis. The paper concludes with suggestions for future research, including automated synthesis of optimal conditions, integration with other verification techniques (e.g., symbolic execution), and application to safety‑critical domains such as embedded systems and security‑critical software.