SkillAgentSearch skills...

Esbmc

The efficient SMT-based context-bounded model checker (ESBMC)

GenerateConvertImprove

Install / Use

/learn @esbmc/Esbmc
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

The ESBMC model checker

Zulip Codacy Badge codecov GitHub All Releases

ESBMC (the Efficient SMT-based Context-Bounded Model Checker) is a mature, permissively licensed open-source context-bounded model checker that automatically detects or proves the absence of runtime errors in single- and multi-threaded C, C++, CUDA, CHERI, Kotlin, Python, Rust, and Solidity programs. It can automatically verify predefined safety properties (e.g., bounds check, pointer safety, overflow) and user-defined program assertions.

ESBMC supports:

  • The Clang compiler as its C/C++/CHERI/CUDA frontend;
  • The Soot framework via Jimple as its Java/Kotlin frontend;
  • The CPython 3.10 parser as its Python frontend; the first SMT-based bounded model checker for Python programs;
  • Implements the Solidity grammar production rules as its Solidity frontend;
  • Supports IEEE floating-point arithmetic for various SMT solvers.

ESBMC implements state-of-the-art incremental BMC and k-induction proof-rule algorithms based on Satisfiability Modulo Theories (SMT) and Constraint Programming (CP) solvers.

We provide some background material/publications to help you understand what ESBMC can offer. These are available online. For further information about our main components, check the ESBMC architecture.

Our main website is esbmc.org.

Features

ESBMC detects errors in software by simulating a finite prefix of the program execution with all possible inputs. Classes of implementation errors that can be detected include:

  • User-specified assertion failures
  • Out-of-bounds array access
  • Illegal pointer dereferences, such as:
    • Dereferencing null
    • Performing an out-of-bounds dereference
    • Double-free of malloc'd memory
    • Misaligned memory access
  • Integer overflows
  • Undefined behavior on shift operations
  • Floating-point for NaN
  • Divide by zero
  • Memory leaks

Concurrent software (using the pthread API) is verified by explicitly exploring interleavings, producing one symbolic execution per interleaving. By default, pointer-safety, array-out-of-bounds, division-by-zero, and user-specified assertions will be checked for; one can also specify options to check concurrent programs for:

  • Deadlock (only on pthread mutexes and conditional variables)
  • Data races (i.e., competing writes)
  • Atomicity violations at visible assignments
  • Lock acquisition ordering

By default, ESBMC performs a "lazy" depth-first search of interleavings -- it can also encode (explicitly) all interleavings into a single SMT formula.

Many SMT solvers are currently supported:

  • Z3 4.13+
  • Bitwuzla
  • Boolector 3.0+
  • MathSAT
  • CVC4
  • CVC5
  • Yices 2.2+

In addition, ESBMC can be configured to use the SMTLIB interactive text format with a pipe to communicate with an arbitrary solver process, although there are not insignificant overheads involved.

Installing ESBMC

Ubuntu

The easiest way to install ESBMC on Ubuntu is through our official PPA, which provides releases for automatic installation:

sudo add-apt-repository ppa:esbmc/esbmc
sudo apt update
sudo apt install esbmc

This method is recommended for general users and supports Ubuntu 22.04 (Jammy) and 24.04 (Noble).

GitHub Release

You can also download the latest ESBMC binary for Ubuntu and Windows from the releases page.

Building ESBMC

See the building instructions document.

How to use ESBMC

Verifying C Programs

As an illustrative example to show some of the ESBMC features, consider the following C code:

#include <stdlib.h>
int *a, *b;
int n;
#define BLOCK_SIZE 128
void foo () {
  int i;
  for (i = 0; i < n; i++)
    a[i] = -1;
  for (i = 0; i < BLOCK_SIZE - 1; i++)
    b[i] = -1;
}
int main () {
  n = BLOCK_SIZE;
  a = malloc (n * sizeof(*a));
  b = malloc (n * sizeof(*b));
  *b++ = 0;
  foo ();
  if (b[-1])
  { free(a); free(b); }
  else
  { free(a); free(b); }
  return 0;
}

Here, ESBMC is invoked as follows:

$esbmc file.c --incremental-bmc

Where file.c is the C program to be checked, and --incremental-bmc selects the incremental BMC strategy. The user can choose the SMT solver, property, and verification strategy. Note that you need math.h installed on your system, especially if you are running a release version; build-essential typically includes math.h.

For this particular C program, ESBMC provides the following output as the verification result:

[Counterexample]


State 1 file memory.c line 14 column 3 function main thread 0
----------------------------------------------------
  a = (signed int *)(&dynamic_1_array[0])

State 2 file memory.c line 15 column 3 function main thread 0
----------------------------------------------------
  b = (signed int *)0

State 3 file memory.c line 16 column 3 function main thread 0
----------------------------------------------------
Violated property:
  file memory.c line 16 column 3 function main
  dereference failure: NULL pointer


VERIFICATION FAILED

Bug found (k = 1)

We refer the user to our documentation webpage for further examples of the ESBMC's features.

Verifying Python Programs

ESBMC-Python supports verifying Python code with type annotations, detecting errors such as division by zero, indexing errors, arithmetic overflow, and user-defined assertions.

Example Python program to verify:

import random as rand

def div1(cond: int, x: int) -> int:
    if (not cond):
        return 42 // x
    else:
       return x // 10

cond:int = rand.random()
x:int = rand.random()

assert div1(cond, x) != 1

Command:

$ esbmc main.py

ESBMC Output:

[Counterexample]


State 1 file main.py line 12 column 8 function random thread 0
----------------------------------------------------
  value = 2.619487e-10 (00111101 11110010 00000000 01000000 00000010 00000000 00010000 00001000)

State 3 file main.py line 12 column 8 function random thread 0
----------------------------------------------------
  value = 3.454678e-77 (00110000 00010000 00000000 01000000 00000010 00000000 00010000 00000000)

State 5 file main.py line 5 column 8 function div1 thread 0
----------------------------------------------------
Violated property:
  file main.py line 5 column 8 function div1
  division by zero
  x != 0


VERIFICATION FAILED

ESBMC-Python will parse the Python code, generate an Abstract Syntax Tree (AST), perform type inference, and translate it into the GOTO intermediate representation for symbolic execution and verification. For detailed information about Python support, please take a look at the Python Frontend Documentation.

Tutorials

We provide a short video that explains ESBMC:

https://www.youtube.com/watch?v=uJ5Jn0sxm08&t=2182s

In a workshop between ARM Research and the University of Manchester, this video was delivered as part of a technical talk on exploiting the SAT revolution for automated software verification.

We offer a post-graduate course in software security that explains the internals of ESBMC.

This course unit introduces students to basic and advanced approaches to formally building verified trustworthy software systems, where trustworthiness comprises five attributes: reliability, availability, safety, resilience, and security.

Selected Publications

esbmc

View profile

View on GitHub
GitHub Stars459
CategoryDevelopment
Updated1h ago
Forks131
esbmc/esbmc

Languages

C

Security Score

85/100

Audited on Mar 31, 2026

No findings