Software Model Checking via Large-Block Encoding - PowerPoint PPT Presentation


Provided by: hadd4
Learn more at: https://www.sosy-lab.org

Transcript and Presenter's Notes


1
Software Model Checking via Large-Block Encoding
  • By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and
    Roberto Sebastiani

2
Introduction
  • A successful approach to software model checking is the construction
    and analysis of an abstract reachability tree (ART) using predicate
    abstraction

Unwind
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
3
Introduction
  • ART nodes consist of
    • Control-flow location
    • Call stack
    • Data state formula
  • In Single-Block Encoding (SBE) each program operation is represented
    by a single edge in the ART
    • Huge number of paths and nodes
  • In Large-Block Encoding (LBE) an entire part of the program is
    represented by a single edge
    • Fewer paths are enumerated in the ART
    • Possibly exponential reduction in the number of states

4
SBE to LBE Consequences
  SBE                                         LBE
  Conjunction of predicates                   Arbitrary Boolean combination of predicates
                                              (more general representation of abstract states)
                                              More accurate abstract successor computation
                                              (using Satisfiability Modulo Theories, SMT)
  Cartesian abstraction (BLAST, SLAM)         Boolean abstraction (CPAchecker)
  Large number of successor computations      Reduced number of successor computations
  Efficient computation of Cartesian          Boolean abstraction is expensive
  abstraction by SMT
Trade-off
5
SBE to LBE Example
SBE
LBE
6
Program and CFA
  • We work on a simple imperative programming language
    • Assume operations
    • Assignments
    • Integer variables only
  • A program is represented by a Control Flow Automaton (CFA)
    • CFA A = (L, G): L is the set of program locations, G the set of
      control-flow edges
    • Program P = (A, l0, lE): a CFA with an initial location l0 and an
      error location lE
  • A concrete data state of the program is a variable assignment c that
    assigns an integer value to each variable
  • A formula f represents the set S of states c that satisfy f:
    S = { c | c ⊨ f }
  • SP_op(f) (strongest postcondition) represents the set of data states
    that are reachable from states in region f after applying op

7
Predicate Abstraction
  • A precision π is a finite subset of the set of predicates over the
    program's variables
  • Cartesian predicate abstraction
    • The Cartesian abstraction f^C_π of a formula f is the strongest
      conjunction of predicates from π entailed by f
    • This is used as an abstract state
  • Boolean predicate abstraction
    • The Boolean abstraction f^B_π of a formula f is the strongest
      Boolean combination of predicates from π entailed by f
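The definitions on slides 6 and 7 (SP_op, Cartesian and Boolean abstraction) can be run as an added example. The code below is written for this page and is not from the paper, BLAST or CPAchecker: it replaces the SMT solver with brute-force enumeration over a small bounded integer domain, and the program fragment, the precision π = {p1: x > 0, p2: y == 0} and all function names are constructed for the illustration. It shows why a single-operation (SBE) block loses nothing under Cartesian abstraction, while a merged if/else (LBE) block collapses to true unless Boolean abstraction is used.

```python
"""Cartesian vs. Boolean predicate abstraction over a bounded integer domain.
Added example for this page (not the paper's code): SMT entailment checks are
replaced by brute-force enumeration so the definitions can be run offline."""
from itertools import product

DOMAIN = range(-2, 3)                  # small finite domain: entailment becomes enumeration
VARS = ("x", "y")
ALL = frozenset(product(DOMAIN, repeat=len(VARS)))   # every concrete data state (x, y)

def sp_assume(f, cond):
    """SP_op(f) for op = assume(cond): the states of region f that satisfy cond."""
    return frozenset(s for s in f if cond(*s))

def sp_assign(f, var, expr):
    """SP_op(f) for op = var := expr: update var in every state of region f.
    Results that leave DOMAIN are dropped, a limitation of the finite model."""
    idx = VARS.index(var)
    out = set()
    for s in f:
        new = list(s)
        new[idx] = expr(*s)
        if new[idx] in DOMAIN:
            out.add(tuple(new))
    return frozenset(out)

def cartesian_abstraction(f, preds):
    """f^C_pi: strongest conjunction of predicates (or their negations) entailed
    by f. A predicate is kept only if f fixes its truth value on every state;
    the result is the conjunction of the returned name -> value pairs,
    so {} means 'true'."""
    if not f:
        return None                    # infeasible region: the abstraction is 'false'
    fixed = {}
    for name, p in preds.items():
        values = {p(*s) for s in f}
        if len(values) == 1:
            fixed[name] = values.pop()
    return fixed

def boolean_abstraction(f, preds):
    """f^B_pi: strongest Boolean combination of predicates entailed by f,
    represented as the set of predicate valuations (cubes) realised by some
    state of f. The empty set stands for 'false'."""
    names = sorted(preds)
    return frozenset(tuple((n, preds[n](*s)) for n in names) for s in f)

# Precision pi = {p1, p2}; the predicates are constructed for this example.
PREDS = {"p1": lambda x, y: x > 0, "p2": lambda x, y: y == 0}

def sbe_block():
    """Two SBE steps from the unconstrained region: assume(x > 0); y := 0."""
    return sp_assign(sp_assume(ALL, lambda x, y: x > 0), "y", lambda x, y: 0)

def lbe_block():
    """One LBE edge summarising 'if (x > 0) y := 0 else y := 1':
    the union (disjunction) of both branches' postconditions."""
    then_branch = sp_assign(sp_assume(ALL, lambda x, y: x > 0), "y", lambda x, y: 0)
    else_branch = sp_assign(sp_assume(ALL, lambda x, y: x <= 0), "y", lambda x, y: 1)
    return then_branch | else_branch

if __name__ == "__main__":
    for name, block in (("SBE", sbe_block()), ("LBE", lbe_block())):
        print(name, "Cartesian:", cartesian_abstraction(block, PREDS))
        print(name, "Boolean:  ", sorted(boolean_abstraction(block, PREDS)))
```

For the SBE block both abstractions agree (p1 ∧ p2). For the LBE block the Cartesian abstraction is {} (true), because neither predicate has a fixed value over the merged region, while the Boolean abstraction keeps the two cubes (p1 ∧ p2) ∨ (¬p1 ∧ ¬p2) and so remembers the correlation between x and y. This is the precision loss that the experiments slide reports for LBE with Cartesian abstraction.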

8
Predicate Abstraction
  Cartesian abstraction      Boolean abstraction
  Simple                     Complex
  Efficient                  Expensive
  Imprecise                  Precise
Trade-off
9
Single-Block Encoding
10
ART-Based SMC with SBE
  • The precision function assigns a precision to each program location
  • The nodes of the ART are pairs n = (l, f) of a location l and an
    abstract state formula f
  • The tree is complete when every node is either covered or has all of
    its possible abstract successor states present in the ART as its
    children
  • If the final ART does not contain any error node, then we are done
  • Otherwise the error path is checked for feasibility
    • If feasible, the error is reported
    • If infeasible, the precision is refined and the analysis continues
  • For practical reasons, SBE uses Cartesian abstraction

11
Large-Block Encoding
12
Summarization of CFA
  • Each large loop-free control-flow subgraph is replaced with a single
    control-flow edge carrying a large formula
  • This is done by applying the following rules
    • Rule 0 (Error Sink): make every error location a sink
    • Rule 1 (Sequence): remove an intermediate location and connect its
      predecessor directly to its successor with one edge
    • Rule 2 (Choice): if there are two edges between the same two
      locations, replace them with a single edge
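An added example of the three summarization rules applied to a small constructed CFA. This is code written for this page, not the paper's or CPAchecker's implementation: edge labels are kept as nested tuples (`op`, `seq`, `or`) instead of SMT formulas, and the location names l0..l4, lE and the program fragment are constructed. The initial and error locations are never removed, and a location with a self-loop or with more than one incoming edge is left in place, which is what keeps loop heads and restricts the rules to loop-free subgraphs.

```python
"""CFA summarization (Rules 0, 1 and 2 from the LBE slides) on a toy CFA.
Added example written for this page; not the paper's or CPAchecker's code."""
from collections import Counter

def op(text):
    """Leaf label: a single program operation, kept as text."""
    return ("op", text)

def show(label):
    """Render a block label: ops, sequential composition ';', disjunction '||'."""
    if label[0] == "op":
        return label[1]
    sep = "; " if label[0] == "seq" else " || "
    return "(" + sep.join(show(part) for part in label[1:]) + ")"

def locations(edges):
    """Locations still present in a CFA given as a list of (src, dst, label)."""
    return {n for s, d, _ in edges for n in (s, d)}

def rule0_error_sink(edges, errors):
    """Rule 0 (Error Sink): error locations lose all outgoing edges."""
    return [e for e in edges if e[0] not in errors]

def rule1_sequence(edges, keep):
    """Rule 1 (Sequence): a location outside `keep` with exactly one incoming
    and one outgoing edge is removed; its predecessor is connected directly to
    its successor by one edge labelled with the sequential composition.
    Returns (edges, changed) and applies at most one rewrite per call."""
    indeg = Counter(d for _, d, _ in edges)
    outdeg = Counter(s for s, _, _ in edges)
    for n in sorted(locations(edges)):
        if n in keep or indeg[n] != 1 or outdeg[n] != 1:
            continue
        [(p, _, a)] = [e for e in edges if e[1] == n]
        [(_, s, b)] = [e for e in edges if e[0] == n]
        if p == n or s == n:
            continue                       # self-loop: n is a loop head, keep it
        rest = [e for e in edges if n not in (e[0], e[1])]
        return rest + [(p, s, ("seq", a, b))], True
    return edges, False

def rule2_choice(edges):
    """Rule 2 (Choice): two edges between the same pair of locations become a
    single edge labelled with the disjunction of their formulas."""
    first = {}
    for i, (s, d, a) in enumerate(edges):
        if (s, d) in first:
            j = first[(s, d)]
            merged = (s, d, ("or", edges[j][2], a))
            return [e for k, e in enumerate(edges) if k not in (i, j)] + [merged], True
        first[(s, d)] = i
    return edges, False

def summarize(edges, initial, errors):
    """Apply Rule 0 once, then Rules 1 and 2 until neither applies."""
    edges = rule0_error_sink(edges, errors)
    keep = {initial} | set(errors)         # never remove the initial or error locations
    changed = True
    while changed:
        edges, changed = rule1_sequence(edges, keep)
        if not changed:
            edges, changed = rule2_choice(edges)
    return edges

# Constructed CFA for:  if (x > 0) y := 0; else y := 1;  if (y != 0) ERROR;
EDGES = [
    ("l0", "l1", op("assume x > 0")),
    ("l0", "l2", op("assume x <= 0")),
    ("l1", "l3", op("y := 0")),
    ("l2", "l3", op("y := 1")),
    ("l3", "lE", op("assume y != 0")),
    ("l3", "l4", op("assume y == 0")),
    ("lE", "l4", op("skip")),              # outgoing edge of the error location, removed by Rule 0
]

if __name__ == "__main__":
    for src, dst, label in summarize(EDGES, "l0", {"lE"}):
        print(f"{src} -> {dst}: {show(label)}")
```

Running it leaves three edges: the two assume edges out of l3 and one edge l0 -> l3 labelled ((assume x > 0; y := 0) || (assume x <= 0; y := 1)). Rule 1 removed l1 and l2 and composed their edges sequentially; Rule 2 then merged the two resulting parallel edges into one disjunction, which is exactly the kind of non-conjunctive formula that makes Boolean abstraction necessary for LBE.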

13
Summarization of CFA (cont)
Rule 1
Rule 2
14
Example
15
SBE vs. LBE
  • LBE
    • Possibly exponentially smaller ARTs
    • Fewer abstraction refinement steps
    • Each step is more expensive than in SBE
    • More expressive representation of abstract states

16
Experimental Configs
  • In the paper, BLAST is used for the model checking phase
  • All four combinations of the following options are tested
    • bfs
    • dfs
    • predH 0
    • predH 7
  • The configuration dfs with predH 7 is the winner for programs without
    defects
  • For unsafe programs, bfs with predH 7 is the winner

17
Performance Results
18
Experiments
  • In the experiments, all four combinations of LBE vs. SBE and Cartesian
    vs. Boolean abstraction are tested
  • Results
    • SBE doesn't benefit from Boolean abstraction
    • The combination of LBE with Cartesian abstraction failed to solve any
      experiment due to the loss of precision
    • SBE with Cartesian abstraction works
    • LBE with Boolean abstraction works
