Software Model Checking via Large-Block Encoding - PowerPoint PPT Presentation
Title:
Software Model Checking via Large-Block Encoding
Description:
... 2 (Choice): If there are two edges btw two nodes we should replace that with a single edge ... SBE doesn't benefit from Boolean Abstraction ... – PowerPoint PPT presentation
Number of Views:66
Avg rating:3.0/5.0
Title: Software Model Checking via Large-Block Encoding
1
Software Model Checking via Large-Block Encoding
- By Dirk Beyer, Alessandro Cimatti, Alberto
Griggio, Erkan Keremoglu and - Roberto Sebastiani
2
Introduction
- A successful approach to model checking is
through construction and analysis of an abstract
reachability tree (ART) predicate abstraction
Unwind
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
3
Introduction
- ART nodes consist of
- Control-Flow Location
- Call stack
- Data State formulas
- In Single-Block Encoding (SBE) each program op is
represented by a single edge in ART - Huge number of paths and nodes
- But in Large-Block Encoding (LBE) entire part of
the program is represented by an edge - Smaller number of paths are enumerated in ART
- Exponential reduction in number of states (maybe)
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
4
SBE to LBE Consequences
SBE LBE (more general representation of abstract states)
Conjunction of Predicates Arbitrary Boolean Combination of Predicates
More Accurate Abstract Successor Computation
- We use Satisfiability Modulo Theories (SMT)
SBE Cartesian Abs (BLAST, SLAM) LBE Boolean Abstraction (CPACHECKER)
Large number of successor computations Reduced number of successor computations
Efficient computation of Cartesian abstraction by SMT Boolean abstraction is expensive
tradeoff
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
5
SBE to LBE Example
SBE
LBE
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
6
Program and CFA
- We work on a simple imperative PL
- Assume Op
- Assignment
- Just integers
- Program is presented by a Control Flow Automaton
(CFA) - CFA A(L, G)
- Program P (A, l0, lE)
- A concrete data state of the program is a
variable assignment like c that assigns to each
variable an integer value - A formula f represents the set S of states c
that - S c c f
- SPOP (f) represents the set of data states that
are reachable from states in region f after
applying OP
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
7
Predicate Abstraction
- We define precision (like p) as a finite subset
from the universal predicate set of the program - Cartesian Predicate Abstraction
- A CartPA f cp of a formula f is the strongest
conjunction of predicates from p entailed by f - This is used as an Abstract State
- Boolean Predicate Abstraction
- A BoolPA f Bp of a formula is the strongest
combination of predicates from p entailed by f
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
8
Predicate Abstraction
Cartesian Abstraction Boolean Abstraction
Simple Complex
Efficient Expensive
Imprecise Precise
tradeoff
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
9
Single-Block Encoding
10
ART-Based SMC with SBE
- The Precision function assigns to each program
location, a precision formula - The nodes of ART are like n(l, f)
- The tree is complete when there are no uncovered
nodes, or all possible abstract successor states
are present in the ART as the children of the
node - If the final ART does not have any error nodes,
then we are done - Else the error path is checked for feasibility
- If feasible the error is reported
- If not feasible refinement!
- For practical reasons, SBEs use Cartesian
abstraction
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
11
Large-Block Encoding
12
Summarization of CFA
- Each large control-flow subgraph that is free of
loops is replaced with a single control-flow edge
with a large formula - This is done with applying the following rules
- Rule 0 (Error Sink) make all error points, a
sink - Rule 1 (Sequence) remove intermediate nodes and
go directly to successor nodes - Rule 2 (Choice) If there are two edges btw two
nodes we should replace that with a single edge
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
13
Summarization of CFA (cont)
Rule 1
Rule 2
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
14
Example
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
15
SBE vs. LBE
- LBE
- Possibly exponentially smaller ARTs
- Less abstract refinement steps
- Each step is more expensive than SBE
- More expressive representation of abstract states
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
16
Experimental Configs
- In the paper, BLAST is used for the model
checking phase - All four configs are tested
- bfs
- dfs
- predH 0
- predH 7
- The config dfs predH 7 is the winner for
programs without defects - For unsafe programs bfs predH 7 is winner
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
17
Performance Results
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
18
Experiments
- In the experiments, all four combinations of LBE
vs. SBE and Cartesian vs. Boolean abstraction are
tested - Results
- SBE doesnt benefit from Boolean Abstraction
- Combination of LBE with Cartesian Abstraction
failed to solve any experiments due to the loss
of precision - SBE CartAbs is OK
- LBE BoolAbs is OK
Presentation By Pashootan Vaezipoor
Simon Fraser University (Spring 09)
