Most of the tutorials I have found on model checking and bounded model checking start with the model being given as a Kripke structure M = (S, I, T, L), where S is a set of states, I is a set of initial states, T is a transition relation, and L is a labeling function. Model checking takes a property P and tries to determine if P is true in the model M.
The algorithms for model checking (and bounded model checking) provided for a given Kripke structure are very understandable, and are all quite neat. For example, "An Analysis of SAT-based Model Checking Techniques in an Industrial Environment" and the survey by Prasad et al. (2005) are both very readable and understandable.
Now, suppose one wants to take a program and use model checking to determine if the program is correct. As far as I can tell, the hard part is determining a suitable model of the program. I am trying to figure out, for example, how CBMC derives a formula for a plain SAT solver, since this would involve constructing a model and then a CNF formula for plain SAT such that if the formula is true then there is a counterexample to the predicate. I think they use bit-vector logic, whatever that means.
I have glanced through:
CBMC (C Bounded Model Checker)
Bit-Vectors, in Decision Procedures: An Algorithmic Point of View
Slides for CBMC: Bounded Model Checking for ANSI-C
These are focused on how a tool works, and lack some of the details I am looking for. I'm curious if there are any more tutorialish writeups on how to build a SAT-based model checking tool, and that discuss how to develop the model and whether to use a plain SAT or an SMT solver.
Alternatively, if someone could point me in the direction of producing a model, given a property and a program written in a very simple language with, say, a single type (32-bit integers), functions, assignments, if-then, if-then-else, and optionally while-loops, that would output a formula for a SAT or SMT solver such that the formula is satisfiable iff the property is not true of the program, then I would also be so grateful.
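
The encoding asked about in the last paragraph, as an added example that is not part of the original post and is not CBMC's code: a loop-free program over 32-bit integers is put into SSA form with guarded assignments and emitted as an SMT-LIB 2 bit-vector (QF_BV) query that is satisfiable iff some input violates an assertion. The tuple-based AST, the `Encoder` class, the signed reading of `<` and `>=`, and the sample program are assumptions made for the illustration; while-loops would first have to be unrolled to a fixed bound.

```python
# Added example: loop-free mini-program -> SMT-LIB 2 QF_BV query, SAT iff an
# assertion can fail. The tuple AST and every name here are hypothetical.
WIDTH = 32
OPS = {"+": "bvadd", "-": "bvsub", "*": "bvmul",
       "<": "bvslt", ">=": "bvsge", "==": "=", "!=": "distinct"}

class Encoder:
    def __init__(self):
        self.ver, self.decls, self.defs, self.bad = {}, [], [], []

    def fresh(self, v):                      # next SSA version of v
        self.ver[v] = self.ver.get(v, -1) + 1
        self.decls.append(f"(declare-const {v}_{self.ver[v]} (_ BitVec {WIDTH}))")
        return f"{v}_{self.ver[v]}"

    def cur(self, v):                        # an unseen variable is a free input
        return f"{v}_{self.ver[v]}" if v in self.ver else self.fresh(v)

    def expr(self, e):
        if isinstance(e, int):               # constants wrap modulo 2^WIDTH
            return f"(_ bv{e % 2**WIDTH} {WIDTH})"
        if isinstance(e, str):
            return self.cur(e)
        op, a, b = e
        return f"({OPS[op]} {self.expr(a)} {self.expr(b)})"

    def block(self, stmts, guard="true"):
        for s in stmts:
            if s[0] == "assign":             # x_new = guard ? rhs : x_old
                rhs = self.expr(s[2])
                if guard != "true":
                    rhs = f"(ite {guard} {rhs} {self.cur(s[1])})"
                self.defs.append(f"(assert (= {self.fresh(s[1])} {rhs}))")
            elif s[0] == "if":               # branches extend the path guard
                c = self.expr(s[1])
                self.block(s[2], f"(and {guard} {c})")
                self.block(s[3], f"(and {guard} (not {c}))")
            elif s[0] == "assert":           # violation: reached and false
                self.bad.append(f"(and {guard} (not {self.expr(s[1])}))")

def encode(program):
    enc = Encoder()
    enc.block(program)
    goal = f"(assert (or false {' '.join(enc.bad or ['false'])}))"
    return "\n".join(["(set-logic QF_BV)", *enc.decls, *enc.defs,
                      goal, "(check-sat)", "(get-model)"])

# Constructed sample: y = |x|; assert y >= 0 (violated by x = -2^31)
PROGRAM = [("assign", "y", "x"),
           ("if", ("<", "x", 0), [("assign", "y", ("-", 0, "x"))], []),
           ("assert", (">=", "y", 0))]
```

Passing the text returned by `encode(PROGRAM)` to any solver that accepts QF_BV gives `sat`, because `0 - x` wraps back to the same negative value when `x` is the smallest 32-bit integer; an `unsat` answer would mean the assertion holds for every input.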