A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.

1 Motivation
- Figure: Requirements are refined into a Specification and the Specification into Code, with a validation step at each stage; the missing piece is a conformance check between Specification and Code.
- Target: distributed programs communicating by message passing.

2 Related Work
- Model checking
  - Symbolic model checking (SMV, MURPHI, MOCHA)
  - Partial order reduction (SPIN, COSPAN)
- Compositional reasoning
  - Assume-guarantee
- Abstraction
  - Abstract interpretation, existential abstraction
- Message-passing systems
  - CCS, $\pi$-calculus
  - Simulation, bisimulation, …

3 Iterative Refinement
- Figure (iterative refinement loop): System and Spec → Abstraction (driven by abstraction guidance) → Model → Verification. If verification succeeds: System OK. Otherwise a counterexample is produced and validated against the System: a valid counterexample is reported; a spurious one drives abstraction refinement, which yields improved abstraction guidance, and the loop repeats.

4 Related Work
- Iterative refinement (Kurshan)
  - Hardware: Yuan Lu's Ph.D. thesis
  - SLAM (device drivers)
  - BLAST (lazy abstraction, thread-modular safety)
- Concurrent software: SPIN, Behave!, ZING
  - Own modeling language
  - No iterative refinement
  - Safety properties

5 Contributions
- Compositional iterative refinement (IR)
  - for concurrent message-passing programs
  - for simulation conformance
- Combining predicate abstraction with existential abstraction
- Predicate minimization
- Compositional IR for liveness properties
- Compositional IR for deadlock detection

6 Basic Concepts
- $Var$: set of variables
- $Expr$: expressions over $Var$
- $Store$: set of stores; a store consists of a map $Var \to Addresses$ and a map $Addresses \to Values$
- $\mathcal{AP}$: set of atomic propositions
- $Conc : \mathcal{AP} \leftrightarrow Expr$: each atomic proposition $p$ is associated with the expression $Conc(p)$

7 Extended FSM
- Transitions are labeled with guarded commands
- Guards are expressions
- Commands are actions or assignments
- Figure: an EFSM with the transitions `x == 0 ? x++`, `x != 0 ? α` and `true ? β`, where $\alpha$ and $\beta$ are actions

8 Control Flow Graph
- Figure: a component whose CFG has location 1 (`x = x + y`) followed by location 2 (a call to `lib()`); the library routine `lib` is specified by the EFSM of the previous slide (`x == 0 ? x++`, `x != 0 ? α`, `true ? β`).

9 Control Flow Graph
- Figure: the EFSM of `lib` is inlined at location 2, giving one control flow graph whose edges carry the assignment `x = x + y` and the guarded commands of `lib`.

10 Labeled Kripke Structure
- $M = (Q, I, \Sigma, T, AP, L)$
- $Q$: non-empty set of states
- $I \subseteq Q$: set of initial states
- $\Sigma$: set of actions, the alphabet
- $T \subseteq Q \times \Sigma \times Q$: transition relation
- $AP \subseteq \mathcal{AP}$: set of atomic propositions
- $L : Q \to 2^{AP}$: propositional labeling
- Figure: an LKS over a six-letter alphabet $\Sigma$ and $AP = \{p, q, r, s\}$, with states labeled $\{p, q\}$ and $\{p, r\}$ among others.

11 Concurrent C Program
- A set of components $P = \langle C_1, \dots, C_n \rangle$
- Each $C_i$ is a single C procedure, possibly calling library routines
- Library routines are specified via EFSMs
- The semantics of $C_i$ is an LKS, which depends on the library specifications

12 Context for $P_i$
- Context $= (Init, EFSM, \tau, \Sigma, AP)$
- $Init$: an initial condition
- $EFSM : Lib \to EFSM$: specification EFSMs for all libraries
- $\tau$: an internal action
- $AP \subseteq \mathcal{AP}$: set of atomic propositions
- $\Sigma$: alphabet

13 Concrete Semantics of C
- Context $= (Init, EFSM, \tau, \Sigma, AP)$
- $S_{CFG}$: states of the CFG; $I_{CFG}$: initial state of the CFG
- $M_C = (Q, I, \Sigma \cup \{\tau\}, T, AP, L)$
- $Q = S_{CFG} \times Store$
- $I = \{ (s, \sigma) \mid s = I_{CFG} \wedge \sigma \models Init \}$
- $L(s, \sigma) = \{ p \mid \sigma \models Conc(p) \}$

14 Transitions of P
- $(s, \sigma) \xrightarrow{\tau} (s', \sigma')$ when
  - $s$ is an assignment: $s' = next(s)$ and $\sigma' = \sigma(s)$, the store after executing $s$
  - $s$ is a branch with condition $c$: $s' = then(s)$ and $\sigma \models c$, or $s' = else(s)$ and $\sigma \models \neg c$

15 Transitions of P
- $(s, \sigma) \xrightarrow{\alpha} (s', \sigma')$ with $\alpha \in \Sigma$ when
  - $s$ is an inlined EFSM state, $s' = next(s)$, the EFSM has a transition $s \to s'$ with guard $g$ and action $\alpha$, and $\sigma \models g$

16 Concrete Semantics
- Figure: the concrete LKS of the example CFG with $p \equiv (x = 0)$. Each state pairs a CFG location with a store (the figure shows stores such as $x{=}1, y{=}{-3}$; $x{=}{-2}, y{=}{-3}$; $x{=}5, y{=}{-5}$; $x{=}1, y{=}{-5}$; $x{=}0, y{=}{-5}$); only the states with $x = 0$ are labeled $p$.

17 Predicate Abstraction
- $Pred \subseteq Expr$: a set of expressions (predicates) associated with each state of the CFG
- $Pred \supseteq \{ Conc(p) \mid p \in AP \}$: the predicate corresponding to every atomic proposition must be associated with each state of the CFG
- In practice each CFG state has a different set of associated predicates

18 Valuation: Two Views
- A valuation is a minterm over $Pred$; the set of all valuations is $2^{Pred}$
- Example with $Pred = \{ x = 0,\ y = 0 \}$:

  Expression                     | Subset of $Pred$
  -------------------------------|--------------------
  $x \neq 0 \wedge y \neq 0$     | $\{\}$
  $x = 0 \wedge y \neq 0$        | $\{x = 0\}$
  $x \neq 0 \wedge y = 0$        | $\{y = 0\}$
  $x = 0 \wedge y = 0$           | $\{x = 0,\ y = 0\}$

19 Compatibility
- Given expressions $e_1$ and $e_2$, $e_1 \circ e_2$ iff $e_1 \wedge e_2$ is satisfiable, i.e. $\exists \sigma \in Store \cdot \sigma \models e_1 \wedge \sigma \models e_2$
- $e_1 \circ e_2$ is read "$e_1$ and $e_2$ are compatible"
- Each valuation $v$ is an expression, so $v \circ e$ and $v \circ v'$ are defined as above

20 Abstract Semantics of C
- Context $= (Init, EFSM, \tau, \Sigma, AP, Pred)$
- $S_{CFG}$: states of the CFG; $I_{CFG}$: initial state of the CFG
- $M_{[C]} = (Q, I, \Sigma \cup \{\tau\}, T, AP, L)$
- $Q = S_{CFG} \times 2^{Pred}$
- $I = \{ (s, v) \mid s = I_{CFG} \wedge v \circ Init \}$
- $L(s, v) = \{ p \mid Conc(p) \in v \}$

21 Transitions of P
- $(s, v) \xrightarrow{\tau} (s', v')$ when
  - $s$ is an assignment: $s' = next(s)$ and $v \circ WP[v'](s)$, where $WP[v'](s)$ is the weakest precondition of $v'$ with respect to $s$
  - $s$ is a branch with condition $c$: $s' = then(s)$ and $v \circ (c \wedge v')$, or $s' = else(s)$ and $v \circ (\neg c \wedge v')$

22 Transitions of P
- $(s, v) \xrightarrow{\alpha} (s', v')$ with $\alpha \in \Sigma$ when
  - $s$ is an inlined EFSM state, $s' = next(s)$, the EFSM has a transition $s \to s'$ with guard $g$ and action $\alpha$, and $v \circ (g \wedge v')$

23 Abstract Semantics
- Figure: the abstract LKS of the example CFG with $p \equiv (x = 0)$ and $Pred = \{x = 0,\ y = 0\}$. Each state pairs a CFG location with a valuation ($x \neq 0 \wedge y = 0$ or $x = 0 \wedge y = 0$ in the figure); states whose valuation contains $x = 0$ are labeled $p$.
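The predicate-abstraction construction of slides 17-23, carried out in code. This is an added example, not the MAGIC tool's own code. It builds the abstract LKS $M_{[C]}$ of a small CFG constructed for the purpose (an assignment, an inlined EFSM with guarded commands, a branch) with $Pred = \{x = 0,\ y = 0\}$ at every location, and then checks the claim of slide 26 that $\{((s,\sigma),(s,v)) \mid \sigma \models v\}$ is a simulation relation. Two assumptions: compatibility queries are answered by enumerating stores over a small bounded integer domain instead of calling a theorem prover (exact for that domain), and EFSM edges may carry a store update as their command (slide 7), so the guard-and-action case of slide 22 is the special case where the update is the identity.

```python
"""Predicate abstraction of a small CFG (slides 17-23, 26).

Added example, not the MAGIC tool's own code.  Expressions are Python
predicates over stores (dicts); satisfiability queries are answered by
enumerating stores over a bounded integer domain, a stand-in for the
theorem-prover calls of the real implementation (exact for the domain).
"""
from itertools import product

DOMAIN = range(-3, 4)                     # bounded stand-in for the integers
STORES = [{"x": x, "y": y} for x, y in product(DOMAIN, repeat=2)]
PRED = {"x0": lambda s: s["x"] == 0,      # Pred = { x = 0, y = 0 }
        "y0": lambda s: s["y"] == 0}
CONC = {"p": "x0"}                        # AP = {p}, Conc(p) = (x = 0)

def sat(*exprs):
    """Compatibility (slide 19): is the conjunction of exprs satisfiable?"""
    return any(all(e(s) for e in exprs) for s in STORES)

# Every minterm over Pred in its "subset of Pred" view (slide 18).
VALUATIONS = [frozenset(k for k, b in zip(PRED, bits) if b)
              for bits in product((False, True), repeat=len(PRED))]

def expr(v):
    """Expression view of valuation v: the conjunction of its literals."""
    return lambda s: all(PRED[k](s) == (k in v) for k in PRED)

def alpha(s):
    """The unique valuation satisfied by store s (minterms partition Store)."""
    return frozenset(k for k in PRED if PRED[k](s))

# CFG constructed for this example, mirroring slides 8/9:
#   1: x = x + y                                  -> 2
#   2: inlined EFSM of lib():  x == 0 ? x++ -> 3  |  x != 0 ? alpha -> 3
#   3: if (y == 0) then 4 else 5
# EFSM edges are (guard, action, store update, target); an assignment command
# is an update under the internal action tau, a pure action keeps the store.
INIT_LOC, INIT = 1, (lambda s: s["y"] != 0)
CFG = {
    1: ("assign", lambda s: {**s, "x": s["x"] + s["y"]}, 2),
    2: ("efsm", [(lambda s: s["x"] == 0, "tau", lambda s: {**s, "x": s["x"] + 1}, 3),
                 (lambda s: s["x"] != 0, "alpha", lambda s: s, 3)]),
    3: ("branch", lambda s: s["y"] == 0, 4, 5),
    4: ("exit",), 5: ("exit",),
}

def abstract_lks():
    """M_[C] of slides 20-22, returned as (Q, I, T, L); Sigma is {alpha}."""
    Q = {(loc, v) for loc in CFG for v in VALUATIONS}
    L = {(loc, v): frozenset(p for p, k in CONC.items() if k in v) for loc, v in Q}
    I = {(INIT_LOC, v) for v in VALUATIONS if sat(expr(v), INIT)}
    T = set()
    for loc, node in CFG.items():
        for v, w in product(VALUATIONS, repeat=2):
            if node[0] == "assign":                      # v o WP[w](s)
                _, upd, nxt = node
                if sat(expr(v), lambda s: expr(w)(upd(s))):
                    T.add(((loc, v), "tau", (nxt, w)))
            elif node[0] == "branch":                    # v o (c ^ w), v o (~c ^ w)
                _, c, then, els = node
                if sat(expr(v), c, expr(w)):
                    T.add(((loc, v), "tau", (then, w)))
                if sat(expr(v), lambda s: not c(s), expr(w)):
                    T.add(((loc, v), "tau", (els, w)))
            elif node[0] == "efsm":                      # v o (g ^ WP[w](command))
                for g, act, upd, nxt in node[1]:
                    if sat(expr(v), g, lambda s: expr(w)(upd(s))):
                        T.add(((loc, v), act, (nxt, w)))
    return Q, I, T, L

def concrete_transitions():
    """Transitions of M_C (slides 14-15) from the stores of the bounded domain."""
    key = lambda s: tuple(sorted(s.items()))
    T = set()
    for loc, node in CFG.items():
        for s in STORES:
            if node[0] == "assign":
                T.add(((loc, key(s)), "tau", (node[2], key(node[1](s)))))
            elif node[0] == "branch":
                T.add(((loc, key(s)), "tau", (node[2] if node[1](s) else node[3], key(s))))
            elif node[0] == "efsm":
                for g, act, upd, nxt in node[1]:
                    if g(s):
                        T.add(((loc, key(s)), act, (nxt, key(upd(s)))))
    return T

def concrete_simulated_by_abstract():
    """Slide 26: R = {((s, sigma), (s, v)) | sigma |= v} is a simulation.
    sigma |= v iff v = alpha(sigma), so every concrete step must have its
    alpha-image in the abstract T, initial states and labels must agree."""
    _, I, T, L = abstract_lks()
    steps_ok = all(((loc, alpha(dict(k))), act, (loc2, alpha(dict(k2)))) in T
                   for (loc, k), act, (loc2, k2) in concrete_transitions())
    init_ok = all((INIT_LOC, alpha(s)) in I for s in STORES if INIT(s))
    labels_ok = all(L[(loc, alpha(s))] == frozenset(p for p, k in CONC.items() if PRED[k](s))
                    for loc in CFG for s in STORES)
    return steps_ok and init_ok and labels_ok
```

Because the predicates are the same at every location, the abstract state space has $5 \times 2^{|Pred|} = 20$ states; the transition relation is where the over-approximation shows, e.g. from $(1, x \neq 0 \wedge y \neq 0)$ the assignment `x = x + y` leads both to $x = 0$ and to $x \neq 0$ at location 2.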

24 Simulation
- $M_1 = (Q_1, I_1, \Sigma, T_1, AP, L_1)$ and $M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$
- $R \subseteq Q_1 \times Q_2$ is a simulation relation if $s_1\, R\, s_2$ implies
  - $L_1(s_1) = L_2(s_2)$
  - $\forall (s_1, \alpha, s_1') \in T_1 \cdot \exists s_2' \cdot (s_2, \alpha, s_2') \in T_2 \wedge s_1'\, R\, s_2'$
- $M_1 \preceq M_2 \equiv \exists R \subseteq Q_1 \times Q_2$ (a simulation relation) $\cdot\ \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\, R\, s_2$

25 Satisfaction
- $\sigma(e)$: the evaluation of $e$ under $\sigma$
- $\sigma \models e \equiv \sigma(e) \neq 0$
- $\sigma(stmt)$: the new store after executing statement $stmt$ in store $\sigma$

26 $M_C \preceq M_{[C]}$
- With $\sigma \models e \equiv \sigma(e) \neq 0$ as on the previous slide, define $R \subseteq Q_C \times Q_{[C]}$ by $(s, m)\, R\, (s, v) \Leftrightarrow m \models v$
- $R$ is a simulation relation
- $\forall s \in I_C \cdot \exists [s] \in I_{[C]} \cdot s\, R\, [s]$

27 Parallel Composition
- $M_1 = (Q_1, I_1, \Sigma_1, T_1, AP_1, L_1)$ and $M_2 = (Q_2, I_2, \Sigma_2, T_2, AP_2, L_2)$
- $M_1 \parallel M_2 = (Q_1 \times Q_2,\ I_1 \times I_2,\ \Sigma_1 \cup \Sigma_2,\ T,\ AP_1 \cup AP_2,\ L)$
- $L(s_1, s_2) = L_1(s_1) \cup L_2(s_2)$
- $((s_1, s_2), \alpha, (s_1', s_2')) \in T$ iff for each $i \in \{1, 2\}$ either $\alpha \in \Sigma_i \wedge (s_i, \alpha, s_i') \in T_i$, or $\alpha \notin \Sigma_i \wedge s_i = s_i'$

28 Program Semantics
- $P = \langle C, C' \rangle$
- $M_P = M_C \parallel M_{C'}$
- $M_{[P]} = M_{[C]} \parallel M_{[C']}$
- Abstraction is done modularly (figure): $M_C \preceq M_{[C]}$ and $M_{C'} \preceq M_{[C']}$, hence $M_P \preceq M_{[P]}$

29 Program Semantics
- Shorthand, dropping the $M$: $P = C \parallel C'$ and $[P] = [C] \parallel [C']$, with $C \preceq [C]$, $C' \preceq [C']$ and $P \preceq [P]$ (figure)

30 Verification
- The specification is an LKS $Spec$
- Given $P$ and $Spec$, check whether $P \preceq Spec$:
  1. Construct $[P]$
  2. Check whether $[P] \preceq Spec$
     - If so, $P \preceq [P] \wedge [P] \preceq Spec \Rightarrow P \preceq Spec$
     - Otherwise …

31 Counterexample
- $\neg([P] \preceq Spec) \Rightarrow \exists CE \cdot CE \preceq [P] \wedge \neg(CE \preceq Spec)$
- $CE$ has a tree structure
- See Chapter 5 for the procedure that checks $[P] \preceq Spec$ and constructs $CE$ when the check fails

32 Counterexample Validation
- Check whether $CE \preceq P$
- $\neg(CE \preceq Spec) \wedge CE \preceq P \Rightarrow \neg(P \preceq Spec)$: the counterexample is real
- Here $P = C \parallel C'$

33 Problems
- Figure: checking $CE \preceq C \parallel C'$ faces two problems: $C$ and $C'$ have infinite state spaces, and their composition suffers from state-space explosion
- Remedies: symbolic representation for the former, compositional reasoning for the latter

34 LKS Projection
- Figure: an LKS $M$ over a six-letter alphabet $\Sigma$ and $AP = \{p, q, r, s\}$ (states labeled $\{p, q\}$, $\{p, r\}$, …), to be projected onto $\Sigma' = \{\alpha, \beta, \gamma\}$ and $AP' = \{p, r, t\}$

35 LKS Projection
- $M \upharpoonright \{\Sigma', AP'\}$: the alphabet becomes $(\Sigma \cap \Sigma') \cup \{\tau\}$, with every action outside $\Sigma'$ renamed to $\tau$, and the labeling becomes $L(s) \cap AP'$ over $AP \cap AP'$
- Figure: the projection of $M$ onto $\Sigma' = \{\alpha, \beta, \gamma\}$ and $AP' = \{p, r, t\}$; states are now labeled $\{p\}$, $\{p, r\}$, …
- For an LKS $M' = (\dots, \Sigma', AP', \dots)$ write $M \upharpoonright M' \equiv M \upharpoonright \{\Sigma', AP'\}$

36 Weak Simulation
- $M_1 = (Q_1, I_1, \Sigma \cup \{\tau\}, T_1, AP, L_1)$ and $M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$
- $R \subseteq Q_1 \times Q_2$ is a weak simulation relation if $s_1\, R\, s_2$ implies
  - $L_1(s_1) = L_2(s_2)$
  - $\forall (s_1, \alpha, s_1') \in T_1$ with $\alpha \in \Sigma$ $\cdot\ \exists s_2' \cdot (s_2, \alpha, s_2') \in T_2 \wedge s_1'\, R\, s_2'$
  - $\forall (s_1, \tau, s_1') \in T_1 \cdot s_1'\, R\, s_2$
- $M_1 \sqsubseteq M_2 \equiv \exists R \subseteq Q_1 \times Q_2$ (a weak simulation relation) $\cdot\ \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\, R\, s_2$

37 Compositional Validation
- $CE \preceq C \parallel C' \Leftrightarrow CE \upharpoonright C \sqsubseteq C \wedge CE \upharpoonright C' \sqsubseteq C'$

38 Compositional Validation
- $CE \preceq C \parallel C' \Leftrightarrow CE \upharpoonright C \sqsubseteq C \wedge CE \upharpoonright C' \sqsubseteq C'$
- Each conjunct still involves the infinite-state $C$ or $C'$: handled by symbolic representation (next slide)
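The definitions of slides 24, 27 and 34-38 in executable form: strong and weak simulation computed as a greatest fixpoint, parallel composition, projection, and the compositional validation $CE \preceq C \parallel C' \Leftrightarrow CE \upharpoonright C \sqsubseteq C \wedge CE \upharpoonright C' \sqsubseteq C'$, compared against the direct check on one real and one spurious counterexample. This is an added example, not MAGIC's code. Assumptions: the client/server components and the counterexamples are constructed here; counterexamples are path-shaped rather than general trees; and the internal action $\tau$ is kept out of each component's alphabet and interleaved by the composition (the rule on slide 27 covers the visible actions).

```python
"""Simulation, parallel composition, projection and weak simulation on LKSs.

Added example (not the MAGIC tool's code) of slides 24, 27 and 34-38.  A
counterexample CE is validated against C || C' directly and compositionally,
as CE|C weakly-simulated-by C and CE|C' weakly-simulated-by C', and the two
verdicts are compared.  Components and counterexamples are constructed here.
"""
from collections import namedtuple
from itertools import product

TAU = "tau"   # internal action: not in any Sigma, interleaved by compose()
LKS = namedtuple("LKS", "Q I Sigma T AP L")   # T: set of (s, a, s'); L: dict

def simulates(m1, m2, weak=False):
    """Greatest-fixpoint computation of the largest (weak) simulation.
    Strong (slide 24): each step of M1 is matched by an equally labelled step
    of M2.  Weak (slide 36): a tau step of M1 is matched by M2 staying put."""
    succ1, succ2 = {}, {}
    for s, a, t in m1.T:
        succ1.setdefault(s, []).append((a, t))
    for s, a, t in m2.T:
        succ2.setdefault((s, a), set()).add(t)
    R = {(s1, s2) for s1, s2 in product(m1.Q, m2.Q) if m1.L[s1] == m2.L[s2]}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(R):
            for a, t1 in succ1.get(s1, []):
                if weak and a == TAU:
                    matched = (t1, s2) in R
                else:
                    matched = any((t1, t2) in R for t2 in succ2.get((s2, a), ()))
                if not matched:
                    R.discard((s1, s2)); changed = True
                    break
    return all(any((s1, s2) in R for s2 in m2.I) for s1 in m1.I)

def compose(m1, m2):
    """M1 || M2 (slide 27): shared actions synchronise, private actions move
    one side only; tau steps of either side interleave (added convention)."""
    Q = set(product(m1.Q, m2.Q))
    T = set()
    for s1, s2 in Q:
        for a in m1.Sigma | m2.Sigma:
            n1 = {t for s, b, t in m1.T if s == s1 and b == a} if a in m1.Sigma else {s1}
            n2 = {t for s, b, t in m2.T if s == s2 and b == a} if a in m2.Sigma else {s2}
            T |= {((s1, s2), a, (t1, t2)) for t1 in n1 for t2 in n2}
        T |= {((s1, s2), TAU, (t, s2)) for s, b, t in m1.T if s == s1 and b == TAU}
        T |= {((s1, s2), TAU, (s1, t)) for s, b, t in m2.T if s == s2 and b == TAU}
    return LKS(Q, set(product(m1.I, m2.I)), m1.Sigma | m2.Sigma, T,
               m1.AP | m2.AP, {(s1, s2): m1.L[s1] | m2.L[s2] for s1, s2 in Q})

def project(m, sigma2, ap2):
    """M restricted to {Sigma', AP'} (slides 34-35): actions outside Sigma'
    become tau, labels are intersected with AP'."""
    return LKS(m.Q, m.I, m.Sigma & sigma2,
               {(s, a if a in sigma2 else TAU, t) for s, a, t in m.T},
               m.AP & ap2, {s: m.L[s] & ap2 for s in m.Q})

def path_lks(labels, actions, ap):
    """A path-shaped counterexample e0 -a0-> e1 -a1-> ... with given labels."""
    T = {(f"e{i}", a, f"e{i+1}") for i, a in enumerate(actions)}
    return LKS({f"e{i}" for i in range(len(labels))}, {"e0"}, set(actions) - {TAU},
               T, ap, {f"e{i}": frozenset(l) for i, l in enumerate(labels)})

# Constructed components: C logs each request before answering it ('log' is
# private to C); C' is a server that simply alternates req/resp.
C = LKS({"c0", "c1", "c2"}, {"c0"}, {"req", "log", "resp"},
        {("c0", "req", "c1"), ("c1", "log", "c2"), ("c2", "resp", "c0")},
        {"idle", "waiting"},
        {"c0": frozenset({"idle"}), "c1": frozenset({"waiting"}), "c2": frozenset({"waiting"})})
C2 = LKS({"s0", "s1"}, {"s0"}, {"req", "resp"},
         {("s0", "req", "s1"), ("s1", "resp", "s0")}, {"busy"},
         {"s0": frozenset(), "s1": frozenset({"busy"})})

def validate(ce):
    """(direct, compositional) verdicts for CE simulated by C || C' (slides 37-38)."""
    direct = simulates(ce, compose(C, C2))
    compositional = (simulates(project(ce, C.Sigma, C.AP), C, weak=True) and
                     simulates(project(ce, C2.Sigma, C2.AP), C2, weak=True))
    return direct, compositional

AP = C.AP | C2.AP
CE_REAL = path_lks([{"idle"}, {"waiting", "busy"}, {"waiting", "busy"}, {"idle"}],
                   ["req", "log", "resp"], AP)
CE_SPURIOUS = path_lks([{"idle"}, {"waiting", "busy"}, {"idle"}], ["req", "resp"], AP)

if __name__ == "__main__":
    print("real:", validate(CE_REAL), " spurious:", validate(CE_SPURIOUS))
```

In the compositional check the private action `log` of $C$ is turned into $\tau$ by projecting $CE$ onto $C'$, and the weak simulation lets $C'$ stay in place for that step; the spurious counterexample (a `resp` with no `log` in between) is rejected by the $C$ conjunct alone, so $C'$ never needs to be composed.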

39 Symbolic Representation
- $M_C = (Q, I, \Sigma, T, AP, L)$
- There exists a class $\mathcal{R} \subseteq 2^Q$ such that
  - each $r \in \mathcal{R}$ has a finite representation
  - $Q \in \mathcal{R}$
  - $\mathcal{R}$ is closed under intersection and pre-image
  - given $r \in \mathcal{R}$, one can check whether $r = \emptyset$

40 $CE \upharpoonright C \sqsubseteq C$
- Figure: $CE \upharpoonright C$ is a tree; each of its nodes is to be labeled with the set of states of $C$ that weakly simulate it. The leaves start with $Q$.

41 $CE \upharpoonright C \sqsubseteq C$
- Figure: working from the leaves towards the root, an internal node receives $Q$ intersected with the pre-images of its children's sets under the corresponding actions, e.g. $Q \cap Pre(Q)$ and $Q \cap Pre(Q \cap Pre(Q))$.

42 $CE \upharpoonright C \sqsubseteq C$
- Figure: at the root the intersection of the computed sets with the initial states of $C$ is tested for emptiness ($= \emptyset$?); an empty set means $\neg(CE \upharpoonright C \sqsubseteq C)$. Every set involved lies in $\mathcal{R}$, so each step is a finite symbolic operation.

43 Abstraction Refinement
- Check whether $CE \preceq P$; if $CE \preceq P$, the counterexample is real
- Otherwise update the set $Pred$ so that for the new $[P]$ we have $\neg(CE \preceq [P])$ (Chapter 6)
- Minimize the number of predicates to be added (Chapter 7)

44 Case Study: SSL Handshake
- Verify that OpenSSL correctly implements the SSL handshake
- Server and client code, each about 2500 LOC; about 400 LOC after abstracting away library routine calls
- Analyzed client and server separately and together

45 SSL Results
- Table (numeric entries not present in this transcript): rows SERVER, CLIENT and SRVR-CLNT; columns Lines of code, No. of iterations, Avg. model size, Avg. model time (sec), Spec size (states/transitions), Avg. Horn variable count, Avg. Horn clause count, Verification time, Total time (sec), Memory (MB).

47 Thoughts
- Predicate abstraction alone is inadequate for concurrent systems
  - States from different control locations are always kept distinct, although they might be merged
- How do we combine other kinds of abstraction with predicate abstraction?

48 Iterative Refinement
- Figure: the iterative refinement loop of slide 3 once more: System and Spec → Abstraction → Model → Verification; a counterexample is validated against the System, and a spurious one drives abstraction refinement and improved abstraction guidance.

49 IR ≡ Model Checking
- Figure: viewed from outside, the whole loop behaves as a model checker for the System against Spec.

50 Verification ≡ IR
- Figure: conversely, the verification step inside the loop can itself be an iterative refinement loop; this is the basis of the two-level scheme that follows.

51 Existential Abstraction
- $M = (Q, I, \Sigma, T, AP, L)$
- An equivalence $R \subseteq Q \times Q$ compatible with the propositional labeling: $s\, R\, s' \Rightarrow L(s) = L(s')$
- $[s]$: the equivalence class of $s$
- $R$ induces a quotient LKS $M_R$

52 Quotient LKS
- $M = (Q, I, \Sigma, T, AP, L)$ and an equivalence $R \subseteq Q \times Q$
- $M_R = (Q_R, I_R, \Sigma, T_R, AP, L_R)$
- $Q_R = \{ [s] \mid s \in Q \}$
- $I_R = \{ [s] \mid s \in I \}$
- $([s], \alpha, [s']) \in T_R \Leftrightarrow (s, \alpha, s') \in T$ for some representatives $s, s'$
- $L_R([s]) = L(s)$
- $R$ compatible with $L$ $\Rightarrow$ $L_R$ is well defined

53 Example
- Figure: an LKS $M$ with states $1, \dots, 7$ (labels include $p$ and $q$, actions $a, b, c, d, e$) and its quotient $M_R$ with classes $[1]$, $[2,3]$, $[4,5]$, $[6,7]$
- Theorem: $M \preceq M_R$
- Proof: $\{(s, [s])\}$ is a simulation relation

54 Verification
- Given $[P] = [C] \parallel [C']$ and $Spec$:
  1. Use equivalence relations $R$ and $R'$ on the states of $[C]$ and $[C']$; initially $R$ and $R'$ are maximal
  2. Construct $[P]_{RR'} = [C]_R \parallel [C']_{R'}$; then $[P] \preceq [P]_{RR'}$
  3. Check whether $[P]_{RR'} \preceq Spec$
     - If so, $[P] \preceq [P]_{RR'} \wedge [P]_{RR'} \preceq Spec \Rightarrow [P] \preceq Spec$
     - Otherwise …

55 Counterexample Validation
- $\neg([P]_{RR'} \preceq Spec) \Rightarrow \exists CE \cdot CE \preceq [P]_{RR'} \wedge \neg(CE \preceq Spec)$
- $CE$ has a tree structure
- Check whether $CE \preceq [P] = [C] \parallel [C']$, which is the same as $CE \upharpoonright [C] \sqsubseteq [C] \wedge CE \upharpoonright [C'] \sqsubseteq [C']$
- $\neg(CE \preceq Spec) \wedge CE \preceq [P] \Rightarrow \neg([P] \preceq Spec)$

56 Refinement
- Suppose $\neg(CE \upharpoonright [C] \sqsubseteq [C])$
- We know $CE \preceq [P]_{RR'} = [C]_R \parallel [C']_{R'}$, hence $CE \upharpoonright [C] \sqsubseteq [C]_R$
- By transitivity $\neg([C]_R \sqsubseteq [C])$: otherwise $CE \upharpoonright [C] \sqsubseteq [C]_R \sqsubseteq [C]$ would hold
- So some equivalence class of $R$ can be split

57 Splitting R
- Figure: $CE \upharpoonright [C] \sqsubseteq [C]_R$ holds while $CE \upharpoonright [C] \sqsubseteq [C]$ fails; the equivalence class of $R$ responsible for the mismatch is split in two.

58 Splitting R
- Figure: after the split, the refined $[C]_R$ no longer admits the spurious counterexample.
- Repeated splitting $\Rightarrow$ $C_R$ converges to the bisimulation quotient of $C$.
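Existential abstraction and refinement by splitting (slides 51-58) on a small LKS. This is an added example, not MAGIC's code. Assumptions: the seven-state LKS is constructed here; the splitter used to refine a class is the generic pair (action, target class) rather than one extracted from a counterexample as on slides 56-57; and repeated splitting to a fixpoint is what reaches the bisimulation quotient named on slide 58. The theorem of slide 53 is checked directly on the quotient.

```python
"""Existential abstraction of an LKS and refinement by splitting (slides 51-58).

Added example, not the MAGIC tool's code.  A label-compatible equivalence on
the states of M induces the quotient M_R.  Splitting a class c by a splitter
(a, b) separates the states of c that have an a-step into class b from those
that do not; repeating until no splitter applies yields the bisimulation
quotient.  The seven-state LKS below is constructed for this example.
"""
from collections import namedtuple

LKS = namedtuple("LKS", "Q I Sigma T AP L")   # T: set of (s, a, s'); L: dict

def label_partition(m):
    """Coarsest equivalence compatible with L (slide 51): group states by label."""
    groups = {}
    for s in m.Q:
        groups.setdefault(m.L[s], set()).add(s)
    return [frozenset(g) for g in groups.values()]

def quotient(m, partition):
    """M_R of slide 52; L_R is well defined only for a label-compatible R."""
    cls = {s: c for c in partition for s in c}
    for c in partition:
        assert len({m.L[s] for s in c}) == 1, "R is not compatible with L"
    return LKS(set(partition), {cls[s] for s in m.I}, m.Sigma,
               {(cls[s], a, cls[t]) for s, a, t in m.T}, m.AP,
               {c: m.L[next(iter(c))] for c in partition})

def canonical_simulation_holds(m, m_r):
    """Slide 53: {(s, [s])} is a simulation relation, hence M is simulated by
    M_R.  Checks the obligations directly: equal labels, every step of M has
    its image in T_R, and every initial state maps to an initial class."""
    cls = {s: c for c in m_r.Q for s in c}
    return (all(m.L[s] == m_r.L[cls[s]] for s in m.Q)
            and all((cls[s], a, cls[t]) in m_r.T for s, a, t in m.T)
            and all(cls[s] in m_r.I for s in m.I))

def split(m, partition, c, a, b):
    """Split class c by the splitter (a, b) (slide 57).  Returns the refined
    partition, or None when the splitter does not separate c."""
    into_b = frozenset(s for s in c
                       if any(t in b for s2, a2, t in m.T if s2 == s and a2 == a))
    if not into_b or into_b == c:
        return None
    return [p for p in partition if p != c] + [into_b, c - into_b]

def refine_once(m, partition):
    """Apply the first splitter that separates some class, or return None."""
    for c in partition:
        for a in m.Sigma:
            for b in partition:
                refined = split(m, partition, c, a, b)
                if refined is not None:
                    return refined
    return None

def bisimulation_quotient(m):
    """Repeated splitting to a fixpoint (slide 58): the coarsest bisimulation.
    Each split increases the number of classes, so this terminates."""
    partition = label_partition(m)
    while (refined := refine_once(m, partition)) is not None:
        partition = refined
    return quotient(m, partition)

# Constructed LKS: states 2 and 3 carry the same label but lead to r-states
# that behave differently (b versus c), so the label partition is too coarse.
M = LKS(Q={1, 2, 3, 4, 5, 6, 7}, I={1}, Sigma={"a", "b", "c"},
        T={(1, "a", 2), (1, "a", 3), (2, "a", 4), (3, "a", 5), (4, "b", 6), (5, "c", 7)},
        AP={"p", "q", "r"},
        L={1: frozenset({"p"}), 2: frozenset({"q"}), 3: frozenset({"q"}),
           4: frozenset({"r"}), 5: frozenset({"r"}), 6: frozenset(), 7: frozenset()})

if __name__ == "__main__":
    M_R = quotient(M, label_partition(M))
    print(len(M_R.Q), "classes after existential abstraction;",
          len(bisimulation_quotient(M).Q), "classes in the bisimulation quotient")
```

The maximal (label) partition gives four classes and an $M_R$ that admits the spurious behaviour $a\,a\,c$ from class $[2,3]$ via $[4,5]$; two splits ($[4,5]$ by $(b, [6,7])$, then $[2,3]$ by $(a, [4])$) remove it, and only the two deadlocked states $6$ and $7$ remain merged.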

59 Two Level IR
- Figure (animated over slides 59-64): components $C_1, \dots, C_4$ are predicate-abstracted to $[C_1], \dots, [C_4]$ with $C_i \preceq [C_i]$; existential abstraction then yields $A_1, \dots, A_4$ with $[C_i] \preceq A_i$.
- The check $A_1 \parallel \dots \parallel A_4 \preceq Spec$ runs on the coarse models. A counterexample is validated against the $[C_i]$; where it is spurious, the responsible $A_i$ is refined by existential refinement (splitting) and the check is repeated.
- A counterexample that survives against the $[C_i]$ is validated against the $C_i$ and, if spurious, triggers predicate refinement of the $[C_i]$ concerned; the procedure ends with no bugs or a real counterexample.

65 Results
- Table (numeric entries not present in this transcript): rows SSL-1 … SSL-13; one-level columns $S_1$, $M_1$, $T_1$; two-level columns $S_2$, $M_2$, $T_2$; gain columns $T_1/T_2$ and $M_1/M_2$.

68 Summary
- Compositional IR for concurrent programs
  - Message-passing communication
  - Simulation conformance
- Predicate abstraction and existential abstraction combined in a two-level compositional IR algorithm
- Experimental validation

69 Thank you!
- Edmund Clarke: exemplary advisor
- Alex Groce, Somesh Jha, Helmut Veith: the original magicians
- Tom Ball, Sriram Rajamani, Jakob Rehof: superb summer job mentors
- Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav: awesome guides
- Randal Bryant, David Garlan: excellent thesis committee members

70 Questions?