Model checking LTL properties over ANSI-C programs with bounded traces

Jeremy Morse, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Research output: Contribution to journalArticlepeer-review


Context-bounded model checking has been used successfully to verify safety properties in multi-threaded systems automatically, even if they are implemented in low-level programming languages such as C. In this paper, we describe and experiment with an approach to extend context-bounded software model checking to safety and liveness properties expressed in linear-time temporal logic (LTL). Our approach checks the actual C program, rather than an extracted abstract model. It converts the LTL formulas into Büchi automata for the corresponding never claims and then further into C monitor threads that are interleaved with the execution of the program under analysis. This combined system is then checked using the ESBMC model checker. We use an extended, four-valued LTL semantics to handle the finite traces that bounded model checking explores; we thus check the combined system several times with different acceptance criteria to derive the correct truth value. In order to mitigate the state space explosion, we use a dedicated scheduler that selects the monitor thread only after updates to global variables occurring in the LTL formula. We demonstrate our approach on the analysis of the sequential firmware of a medical device and a small multi-threaded control application.

Original languageEnglish
Pages (from-to)65-81
JournalSoftware and Systems Modeling
Issue number1
Publication statusPublished - Feb 2015


  • Model checking
  • Linear temporal logic
  • Software verification


Dive into the research topics of 'Model checking LTL properties over ANSI-C programs with bounded traces'. Together they form a unique fingerprint.

Cite this