software model checking via large-block encoding
DESCRIPTION
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani. Software Model Checking via Large-Block Encoding. Presentation By: Pashootan Vaezipoor. Simon Fraser University (Spring 09). Introduction. - PowerPoint PPT PresentationTRANSCRIPT
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
A successful approach to model checking is through construction and analysis of an abstract reachability tree (ART) + predicate abstraction
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Unwind
ART nodes consist of Control-Flow Location Call stack Data State formulas
In Single-Block Encoding (SBE) each program op is represented by a single edge in ART Huge number of paths and nodes
But in Large-Block Encoding (LBE) entire part of the program is represented by an edge Smaller number of paths are enumerated in ART Exponential reduction in number of states (maybe)
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
We use Satisfiability Modulo Theories (SMT)
SBE LBE(more general representation of
abstract states)
Conjunction of Predicates Arbitrary Boolean Combination of Predicates
More Accurate Abstract Successor Computation
SBE + Cartesian Abs(BLAST, SLAM)
LBE + Boolean Abstraction(CPACHECKER)
Large number of successor computations
Reduced number of successor computations
Efficient computation of Cartesian abstraction by SMT
Boolean abstraction is expensivetradeoff
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
SBE
LBE
We work on a simple imperative PL Assume Op Assignment Just integers
Program is presented by a Control Flow Automaton (CFA) CFA: A(L, G) Program: P = (A, l0, lE)
A concrete data state of the program is a variable assignment like c that assigns to each variable an integer value
A formula φ represents the set S of states c that: S = {c | c |= φ}
SPOP (φ): represents the set of data states that are reachable from states in region φ after applying OP
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
We define precision (like π) as a finite subset from the universal predicate set of the program
Cartesian Predicate Abstraction: A CartPA φ c
π of a formula φ is the strongest conjunction of predicates from π entailed by φ
This is used as an Abstract State
Boolean Predicate Abstraction: A BoolPA φ B
π of a formula is the strongest combination of predicates from π entailed by φ
Simon Fraser University (Spring 09)
Presentation By:Pashootan Vaezipoor
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Cartesian Abstraction Boolean Abstraction
Simple Complex
Efficient Expensive
Imprecise Precisetradeoff
The Precision function assigns to each program location, a precision formula
The nodes of ART are like n=(l, φ) The tree is complete when there are no
uncovered nodes, or all possible abstract successor states are present in the ART as the children of the node
If the final ART does not have any error nodes, then we are done
Else the error path is checked for feasibility If feasible: the error is reported If not feasible: refinement!
For practical reasons, SBEs use Cartesian abstraction
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Each large control-flow subgraph that is free of loops is replaced with a single control-flow edge with a large formula
This is done with applying the following rules: Rule 0 (Error Sink): make all error points, a
sink Rule 1 (Sequence): remove intermediate
nodes and go directly to successor nodes Rule 2 (Choice): If there are two edges btw two
nodes we should replace that with a single edge
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Rule 1 Rule 2
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
LBE: Possibly exponentially smaller ARTs Less abstract refinement steps Each step is more expensive than SBE More expressive representation of
abstract states
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
In the paper, BLAST is used for the model checking phase All four configs are tested:▪ bfs▪ dfs▪ predH 0▪ predH 7
The config –dfs –predH 7 is the winner for programs without defects
For unsafe programs –bfs –predH 7 is winner
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor
In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested
Results: SBE doesn’t benefit from Boolean
Abstraction Combination of LBE with Cartesian
Abstraction failed to solve any experiments due to the loss of precision
SBE + CartAbs is OK LBE + BoolAbs is OK
Simon Fraser University (Spring 09)Presentation By:
Pashootan Vaezipoor