1 / 18

Software Model Checking via Large-Block Encoding

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani. Software Model Checking via Large-Block Encoding. Presentation By: Pashootan Vaezipoor. Simon Fraser University (Spring 09). Introduction.

fagan
Download Presentation

Software Model Checking via Large-Block Encoding

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Software Model Checking via Large-Block Encoding Presentation By: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  2. Introduction • A successful approach to model checking is through construction and analysis of an abstract reachability tree (ART) + predicate abstraction Unwind PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  3. Introduction • ART nodes consist of • Control-Flow Location • Call stack • Data State formulas • In Single-Block Encoding (SBE) each program op is represented by a single edge in ART • Huge number of paths and nodes • But in Large-Block Encoding (LBE) entire part of the program is represented by an edge • Smaller number of paths are enumerated in ART • Exponential reduction in number of states (maybe) PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  4. SBE toLBE: Consequences • We use Satisfiability Modulo Theories (SMT) tradeoff PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  5. SBE toLBE: Example SBE LBE PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  6. Program and CFA • We work on a simple imperative PL • Assume Op • Assignment • Just integers • Program is presented by a Control Flow Automaton (CFA) • CFA: A(L, G) • Program: P = (A, l0, lE) • A concrete data state of the program is a variable assignment like c that assigns to each variable an integer value • A formula φ represents the set S of states c that: • S = {c | c |= φ} • SPOP (φ): represents the set of data states that are reachable from states in region φafter applying OP PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  7. Predicate Abstraction • We define precision (like π) as a finite subset from the universal predicate set of the program • Cartesian Predicate Abstraction: • A CartPAφ cπ of a formula φ is the strongest conjunction of predicates from π entailed by φ • This is used as an Abstract State • Boolean Predicate Abstraction: • A BoolPAφ Bπ of a formula is the strongest combination of predicates from π entailed by φ PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  8. Predicate Abstraction tradeoff PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  9. Single-Block Encoding

  10. ART-Based SMC with SBE • The Precision function assigns to each program location, a precision formula • The nodes of ART are like n=(l, φ) • The tree is complete when there are no uncovered nodes, or all possible abstract successor states are present in the ART as the children of the node • If the final ART does not have any error nodes, then we are done • Else the error path is checked for feasibility • If feasible: the error is reported • If not feasible: refinement! • For practical reasons, SBEs use Cartesian abstraction PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  11. Large-Block Encoding

  12. Summarization of CFA • Each large control-flow subgraph that is free of loops is replaced with a single control-flow edge with a large formula • This is done with applying the following rules: • Rule 0 (Error Sink): make all error points, a sink • Rule 1 (Sequence): remove intermediate nodes and go directly to successor nodes • Rule 2 (Choice): If there are two edges btw two nodes we should replace that with a single edge PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  13. Summarization of CFA (cont…) Rule 1 Rule 2 PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  14. Example PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  15. SBE vs. LBE • LBE: • Possibly exponentially smaller ARTs • Less abstract refinement steps • Each step is more expensive than SBE • More expressive representation of abstract states PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  16. Experimental Configs • In the paper, BLAST is used for the model checking phase • All four configs are tested: • bfs • dfs • predH 0 • predH 7 • The config–dfs –predH 7 is the winner for programs without defects • For unsafe programs –bfs –predH 7 is winner PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  17. Performance Results PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

  18. Experiments • In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested • Results: • SBE doesn’t benefit from Boolean Abstraction • Combination of LBE with Cartesian Abstraction failed to solve any experiments due to the loss of precision • SBE + CartAbs is OK • LBE + BoolAbs is OK PresentationBy: Pashootan Vaezipoor Simon Fraser University (Spring 09)

More Related