An integrated environment for Spin-based C code checking

Model-driven code checking (MDCC) has been successfully used for the verification of functional requirements of C code. An environment model that describes the context, which a program is expected to run in, is defined in Promela, translated to a model checker program by Spin, and linked with the program acting as system under verification. In this article, we summarise the practical advantages of MDCC which motivate its use in an industrial setting and discuss the challenges to its broader adoption. Environment models exhibit heavily intertwined Promela and C code statements, which make them hard to write and understand. We propose a high-level language for verification harness definition which hides the Spin engine under the hood. A small number of language concepts is sufficient to define verification harnesses for commonly encountered C programs. Widening the scope of the approach, we provide means to verify programs that exhibit internal state and extend the set of checked properties beyond classical assertions to those checked by LLVM/Clang code sanitizers. Thus, a user can focus on finding the best solution to combine exhaustive exploration of the environment with testing strategies. Our approach is prototypically integrated into mbeddr development platform. We present its instantiation on real-world code examples and discuss our experiences gained with the verification of software from the railway domain.