Software Model Checking via Large

Download Report

Transcript Software Model Checking via Large 

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and
Roberto Sebastiani
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

A successful approach to model checking is
through construction and analysis of an
abstract reachability tree (ART) + predicate
abstraction
Unwind
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

ART nodes consist of
 Control-Flow Location
 Call stack
 Data State formulas

In Single-Block Encoding (SBE) each program op is
represented by a single edge in ART
 Huge number of paths and nodes

But in Large-Block Encoding (LBE) entire part of the
program is represented by an edge
 Smaller number of paths are enumerated in ART
 Exponential reduction in number of states (maybe)
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)
SBE
LBE
(more general representation of abstract states)
Conjunction of Predicates
Arbitrary Boolean Combination of Predicates
More Accurate Abstract Successor Computation

We use Satisfiability Modulo Theories (SMT)
SBE + Cartesian Abs
(BLAST, SLAM)
LBE + Boolean Abstraction
(CPACHECKER)
Large number of successor computations
Reduced number of successor computations
Efficient computation of Cartesian abstraction
by SMT
Boolean abstraction is expensive
tradeoff
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)
SBE
LBE
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

We work on a simple imperative PL
 Assume Op
 Assignment
 Just integers



Program is presented by a Control Flow Automaton (CFA)
CFA: A(L, G)
Program: P = (A, l0, lE)
A concrete data state of the program is a variable assignment like c
that assigns to each variable an integer value
 A formula φ represents the set S of states c that:

 S = {c | c |= φ}

SPOP (φ): represents the set of data states that are reachable from
states in region φ after applying OP
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

We define precision (like π) as a finite subset
from the universal predicate set of the program

Cartesian Predicate Abstraction:
 A CartPA φ cπ of a formula φ is the strongest
conjunction of predicates from π entailed by φ
 This is used as an Abstract State

Boolean Predicate Abstraction:
 A BoolPA φ Bπ of a formula is the strongest
combination of predicates from π entailed by φ

Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)
Cartesian Abstraction
Boolean Abstraction
Simple
Complex
Efficient
Expensive
Imprecise
Precise
tradeoff
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)





The Precision function assigns to each program
location, a precision formula
The nodes of ART are like n=(l, φ)
The tree is complete when there are no uncovered
nodes, or all possible abstract successor states are
present in the ART as the children of the node
If the final ART does not have any error nodes, then
we are done
Else the error path is checked for feasibility
 If feasible: the error is reported
 If not feasible: refinement!

For practical reasons, SBEs use Cartesian abstraction
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)


Each large control-flow subgraph that is free
of loops is replaced with a single control-flow
edge with a large formula
This is done with applying the following rules:
 Rule 0 (Error Sink): make all error points, a sink
 Rule 1 (Sequence): remove intermediate nodes
and go directly to successor nodes
 Rule 2 (Choice): If there are two edges btw two
nodes we should replace that with a single edge
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)
Rule 1
Presentation By:
Pashootan Vaezipoor
Rule 2
Simon Fraser University (Spring 09)
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

LBE:
 Possibly exponentially smaller ARTs
 Less abstract refinement steps
 Each step is more expensive than SBE
 More expressive representation of abstract states
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)

In the paper, BLAST is used for the model
checking phase
 All four configs are tested:
▪
▪
▪
▪
bfs
dfs
predH 0
predH 7
 The config –dfs –predH 7 is the winner for programs
without defects
 For unsafe programs –bfs –predH 7 is winner
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)


In the experiments, all four combinations of
LBE vs. SBE and Cartesian vs. Boolean
abstraction are tested
Results:
 SBE doesn’t benefit from Boolean Abstraction
 Combination of LBE with Cartesian Abstraction
failed to solve any experiments due to the loss of
precision
 SBE + CartAbs is OK
 LBE + BoolAbs is OK
Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)