By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.


By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

- A successful approach to model checking is the construction and analysis of an abstract reachability tree (ART) combined with predicate abstraction.

[Figure: unwinding the control-flow automaton into an ART; label "Unwind"]

- ART nodes consist of:
  - a control-flow location
  - a call stack
  - a data-state formula
- In Single-Block Encoding (SBE) each program operation is represented by a single edge in the ART.
  - Huge number of paths and nodes.
- In Large-Block Encoding (LBE) an entire loop-free part of the program is represented by one edge.
  - Fewer paths have to be enumerated in the ART.
  - Possibly an exponential reduction in the number of states.

- We use Satisfiability Modulo Theories (SMT) solvers.

  SBE                                                  | LBE (more general representation of abstract states)
  -----------------------------------------------------|-----------------------------------------------------
  Conjunction of predicates                            | Arbitrary Boolean combination of predicates
                                                       | (more accurate abstract successor computation)
  SBE + Cartesian abstraction (BLAST, SLAM)            | LBE + Boolean abstraction (CPAchecker)
  Large number of successor computations               | Reduced number of successor computations
  Efficient computation of Cartesian abstraction by SMT| Boolean abstraction is expensive

  (tradeoff)

[Figure: the same program fragment encoded with SBE and with LBE]

- We work on a simple imperative programming language:
  - assume operations
  - assignments
  - integer variables only
- A program is represented by a control-flow automaton (CFA).
  - CFA: A = (L, G), with locations L and control-flow edges G
  - Program: P = (A, l0, lE), with initial location l0 and error location lE
- A concrete data state of the program is a variable assignment c that assigns an integer value to each variable.
- A formula φ represents the set S of concrete states c that satisfy it: S = {c | c |= φ}.
- SP_op(φ) represents the set of data states that are reachable from the states in region φ after applying the operation op.

- We define a precision π as a finite subset of the universal set of predicates of the program.
- Cartesian predicate abstraction:
  - The Cartesian abstraction φ^C_π of a formula φ is the strongest conjunction of predicates from π that is entailed by φ.
  - This is used as an abstract state.
- Boolean predicate abstraction:
  - The Boolean abstraction φ^B_π of a formula φ is the strongest Boolean combination of predicates from π that is entailed by φ.

  Cartesian abstraction | Boolean abstraction
  ----------------------|--------------------
  Simple                | Complex
  Efficient             | Expensive
  Imprecise             | Precise

  (tradeoff)
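Added example (not from the paper or the slides): the two abstractions defined above, computed by brute force on a constructed two-variable instance so the precision gap in the table becomes concrete. The tiny finite domain stands in for the SMT theory; a real tool would decide each entailment with an SMT solver instead of by enumeration.

```python
from itertools import product

# Constructed toy instance (not from the paper): two integer variables over a
# tiny finite domain stand in for the SMT theory, so entailment is decided by
# enumerating concrete states instead of calling an SMT solver.
DOMAIN = range(4)
VARS = ("x", "y")

def states():
    """All concrete data states c (variable -> integer) over the toy domain."""
    return [dict(zip(VARS, vals)) for vals in product(DOMAIN, repeat=len(VARS))]

def models(phi):
    """S = {c | c |= phi}: the concrete states represented by formula phi."""
    return [c for c in states() if phi(c)]

def truth_vector(c, precision):
    """Truth value of every predicate in the precision at concrete state c."""
    return tuple((n, precision[n](c)) for n in sorted(precision))

def cartesian_abstraction(phi, precision):
    """phi^C_pi: strongest conjunction of predicates from pi entailed by phi,
    returned as the set of predicate names that hold in every model of phi."""
    sat = models(phi)
    return frozenset(n for n, p in precision.items() if all(p(c) for c in sat))

def boolean_abstraction(phi, precision):
    """phi^B_pi: strongest Boolean combination of pi entailed by phi, returned
    as the set of predicate truth vectors (cubes) realised by a model of phi."""
    return frozenset(truth_vector(c, precision) for c in models(phi))

def gamma_cartesian(conj, precision):
    """Concrete states admitted by a Cartesian abstract state (a conjunction)."""
    return [c for c in states() if all(precision[n](c) for n in conj)]

def gamma_boolean(cubes, precision):
    """Concrete states admitted by a Boolean abstract state (a set of cubes)."""
    return [c for c in states() if truth_vector(c, precision) in cubes]

# phi := (x = 1 and y = 2) or (x = 2 and y = 1); precision pi := {p1: x = 1, p2: y = 2}
PHI = lambda c: (c["x"] == 1 and c["y"] == 2) or (c["x"] == 2 and c["y"] == 1)
PI = {"p1": lambda c: c["x"] == 1, "p2": lambda c: c["y"] == 2}

def precision_loss():
    """(|models of phi|, |gamma(Boolean abstraction)|, |gamma(Cartesian abstraction)|)."""
    return (len(models(PHI)),
            len(gamma_boolean(boolean_abstraction(PHI, PI), PI)),
            len(gamma_cartesian(cartesian_abstraction(PHI, PI), PI)))
```

Neither p1 nor p2 holds in both models of φ, so the Cartesian abstraction collapses to true (all 16 states), while the Boolean abstraction (p1 ∧ p2) ∨ (¬p1 ∧ ¬p2) keeps the correlation between x and y and admits only 10 states.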

- The precision function assigns a precision π to each program location.
- ART nodes have the form n = (l, φ).
- The tree is complete when there are no uncovered nodes, i.e. all possible abstract successor states are present in the ART as children of their node.
- If the final ART does not contain any error node, we are done.
- Otherwise the error path is checked for feasibility:
  - if feasible: the error is reported
  - if infeasible: refinement!
- For practical reasons, SBE uses Cartesian abstraction.

- Each large loop-free control-flow subgraph is replaced with a single control-flow edge that carries a large formula.
- This is done by applying the following rules:
  - Rule 0 (Error sink): make every error location a sink.
  - Rule 1 (Sequence): remove an intermediate location and connect its predecessor directly to its successors.
  - Rule 2 (Choice): if there are two edges between the same two locations, replace them with a single edge.

[Figures: Rule 1 (Sequence) and Rule 2 (Choice) illustrated on a CFA fragment]
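Added example (not the paper's or CPAchecker's code): the three rules applied to a constructed CFA with one loop and one assertion until no rule applies. Locations are strings, edges are (src, op, dst) triples, and the "large formula" is kept as a plain string built with ";" for sequence and "||" for choice; entry "l0" and error "lE" are never removed, and terminal locations are kept so the loop exit survives.

```python
from collections import Counter

# Constructed toy CFA (not from the paper). Locations are strings, edges are
# (src, op, dst) triples; "l0" is the entry location, "lE" the error location.
L0, LE = "l0", "lE"
CFA = [
    ("l0", "x := 0", "l1"),
    ("l1", "assume x < 10", "l2"),
    ("l1", "assume !(x < 10)", "l5"),       # loop exit; l5 is terminal
    ("l2", "assume y > 0", "l3"),
    ("l2", "assume !(y > 0)", "l4"),
    ("l3", "x := x + 1", "l4"),
    ("l4", "assume x >= 0", "l1"),         # back edge of the loop
    ("l4", "assume !(x >= 0)", LE),        # violated assertion
]

def rule0_error_sink(edges, err):
    """Rule 0: make the error location a sink by dropping its outgoing edges."""
    return [e for e in edges if e[0] != err]

def rule1_sequence(edges, entry, err):
    """Rule 1: remove one location l (not entry/error/terminal) with exactly one
    incoming edge (u, f, l), u != l; every (l, g, v) becomes (u, f; g, v)."""
    incoming = Counter(dst for _, _, dst in edges)
    for l in sorted(incoming):
        outs = [e for e in edges if e[0] == l]
        if l in (entry, err) or incoming[l] != 1 or not outs:
            continue
        (u, f, _), = [e for e in edges if e[2] == l]
        if u == l:  # only a self-loop leads here: unreachable, leave it
            continue
        rest = [e for e in edges if l not in (e[0], e[2])]
        return rest + [(u, f"{f}; {g}", v) for _, g, v in outs]
    return None  # no location qualifies

def rule2_choice(edges):
    """Rule 2: merge two parallel edges (u, f, v), (u, g, v) into (u, (f) || (g), v)."""
    for (u, v), n in Counter((e[0], e[2]) for e in edges).items():
        if n >= 2:
            a, b, *others = [e for e in edges if (e[0], e[2]) == (u, v)]
            rest = [e for e in edges if (e[0], e[2]) != (u, v)]
            return rest + [(u, f"({a[1]}) || ({b[1]})", v)] + others
    return None

def large_block_encoding(edges, entry, err):
    """Rule 0 once, then Rules 1 and 2 to a fixpoint; a loop head keeps >= 2
    incoming edges, so it is never removed and the loop becomes one self-loop edge."""
    edges = rule0_error_sink(edges, err)
    while (step := rule1_sequence(edges, entry, err) or rule2_choice(edges)) is not None:
        edges = step
    return edges
```

On this CFA the eight SBE edges over seven locations collapse to four LBE edges over {l0, l1, l5, lE}: the whole loop body becomes a single self-loop on l1 and the assertion check becomes a single edge l1 -> lE.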


- LBE:
  - possibly exponentially smaller ARTs
  - fewer abstraction-refinement steps
  - each step is more expensive than in SBE
  - more expressive representation of abstract states

- In the paper, BLAST is used for the model-checking phase.
- All four configurations are tested:
  - bfs
  - dfs
  - predH 0
  - predH 7
- The configuration -dfs -predH 7 is the winner for programs without defects.
- For unsafe programs, -bfs -predH 7 is the winner.


- In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested.
- Results:
  - SBE does not benefit from Boolean abstraction.
  - LBE combined with Cartesian abstraction failed to solve any of the experiments, due to the loss of precision.
  - SBE + Cartesian abstraction works.
  - LBE + Boolean abstraction works.