Bounded Model Checking of Multi-Threaded C Programs via Lazy Sequentialization Omar Inverso University of Southampton, UK Ermenegildo Tomasco University.

Slides:

Advertisements

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Ermenegildo Tomasco University of Southampton, UK Omar Inverso University of Southampton, UK Bernd Fischer Stellenbosch University, South Africa Salvatore.

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)

Writing Model-Checkers for Boolean Recursive Programs using a Fixed-Point Calculus Gennaro Parlato - UIUC Joint work with Madhusudan - UIUC Salvatore La.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

Adapted from Scott, Chapter 6:: Control Flow Programming Language Pragmatics Michael L. Scott.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Verification for Concurrency Part 2: Incomplete techniques and bug finding.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

On Sequentializing Concurrent Programs Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA, University of Paris 7, France Michael Emmi LIAFA, University.

Lazy-CSeq A Lazy Sequentialization Tool for C Omar Inverso University of Southampton, UK Ermenegildo Tomasco University of Southampton, UK Bernd Fischer.

1/25 Context-Bounded Analysis of Concurrent Queue Systems Gennaro Parlato University of Illinois at Urbana-Champaign Università degli Studi di Salerno.

Sanjit A. Seshia and Randal E. Bryant Computer Science Department

Computing OverApproximations with Bounded Model Checking Daniel Kroening ETH Zürich.

A. Frank - P. Weisberg Operating Systems Introduction to Tasks/Threads.

Counterexample Guided Invariant Discovery for Parameterized Cache Coherence Verification Sudhindra Pandav Konrad Slind Ganesh Gopalakrishnan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.

Verifying Concurrent Programs by Memory Unwinding Ermenegildo Tomasco University of Southampton, UK Omar Inverso University of Southampton, UK Bernd Fischer.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.

Scope-Bounded Pushdown Languages Salvatore La Torre Università degli Studi di Salerno joint work with Margherita Napoli Università degli Studi di Salerno.

Model Checking Embedded Systems

Introduction to Threads CS240 Programming in C. Introduction to Threads A thread is a path execution By default, a C/C++ program has one thread called.

Scope-bounded Multistack Pushdown Systems: - fixed-point - sequentialization - tree-width 1 Salvatore La Torre Gennaro Parlato (U. Salerno, Italy) (U.

On Sequentializing Concurrent Programs Gennaro Parlato University of Southampton, UK UPMARC 7 th Summer School on Multicore Computing, June 8-10, 2015.

Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,

CS333 Intro to Operating Systems Jonathan Walpole.

On Sequentializing Concurrent Programs (Bounded Model Checking) Gennaro Parlato University of Southampton, UK UPMARC 7 th Summer School on Multicore Computing,

Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.

Pointer Analysis for Multithreaded Programs Radu Rugina and Martin Rinard M I T Laboratory for Computer Science.

CS527 Topics in Software Engineering (Software Testing and Analysis) Darko Marinov August 30, 2011.

Compositionality Entails Sequentializability Pranav Garg, P. Madhusudan University of Illinois at Urbana-Champaign.

Getting Rid of Store-Buffers in TSO Analysis Mohamed Faouzi Atig Uppsala University, Sweden Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA,

OpenMP for Networks of SMPs Y. Charlie Hu, Honghui Lu, Alan L. Cox, Willy Zwaenepoel ECE1747 – Parallel Programming Vicky Tsang.

1 Distributed BDD-based Model Checking Orna Grumberg Technion, Israel Joint work with Tamir Heyman, Nili Ifergan, and Assaf Schuster CAV00, FMCAD00, CAV01,

Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.

Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.

© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,

KISS: K EEP I T S IMPLE AND S EQUENTIAL Guy Martin, OSLab, GNU09 Shaz Qadeer Microsoft Research One Microsoft Way Redmond, WA Dinghao Wu Department.

Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.

A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.

On Sequentializing Concurrent Programs

Lazy Sequentialization via Shared Memory Abstractions

Verification for Concurrent Programs

SS 2017 Software Verification Bounded Model Checking, Outlook

Sequentializing Parameterized Programs

Sequentialization by Read-implicit Coarse-grained Memory Unwindings

Ermenegildo Tomasco1, Truc L

Introduction to Software Verification

Over-Approximating Boolean Programs with Unbounded Thread Creation

Lazy Sequentialization Unbounded Concurrent Programs

A Lazy Sequentialization Tool for Unbounded Context Switches

Predicate Abstraction

Presentation transcript:

Bounded Model Checking of Multi-Threaded C Programs via Lazy Sequentialization Omar Inverso University of Southampton, UK Ermenegildo Tomasco University of Southampton, UK Bernd Fischer Stellenbosch University, South Africa Salvatore La Torre Università di Salerno, Italy Gennaro Parlato University of Southampton, UK

Concurrent Programs - Reachability Problem concurrent C programs POSIX threads SC memory model reachability assertion failure out-of-bound array division-by-zero, … bounded model checking (BMC) bug-finding, not complete analysis SHARED MEMORY … T1T1 T2T2 TNTN THREADS

BMC approach - Sequential C Programs tools BLITZ [ Cho, D'Silva, Song – ASE’13 ] CBMC [ Clarke, Kroening, Lerda – TACAS’04 ] LLBMC [ Falke, Merz, Sinz – ASE’13 ] ESBMC [ Cordeiro, Fischer, Marques-Silva – ASE’09 ] PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER inlining unrolling SSA form

direct SAT/SMT approach encode each thread as in the sequential case add a conjunct for shared memory operations all possible interleavings in the bounded program φ threads ∧ φ concurrency papers: [ Sinha, Wang – POPL’11 ] [ Alglave, Kroening, Tautschnig – CAV’13 ] BMC approach - Concurrent C Programs CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER concurrency handling

Sequentialization pros reuse robust sequential analysis tools fast prototyping of concurrency handling delegating all sequential reasoning to an existing target analysis tool easier to implement than full-fledged tools CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQ TOOL SEQUENTIALIZATION (code-to-code translation)

SEQUENTIALIZATION (code-to-code translation) Sequentialization papers proposal [ Qadeer, Wu – PLDI’04 ] eager, bounded context-switch, finite # threads [ Lal, Reps – CAV’08 ] lazy, finite # threads, parameterized [La Torre, Madhusudan, Parlato – CAV’09, CAV’10] thread creation [Bouajjani, Emmi, Parlato – SAS’11] [Emmi, Qadeer, Rakamaric – POPL’11] Lal/Reps for real-time systems [Chaki, Gurfinkel, Strichman – FMCAD’11] message-passing programs [Bouajjani, Emmi -- TACAS’12] CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQ TOOL

SEQUENTIALIZATION (code-to-code translation) Sequentialization tools (Implementations of variants of Lal/Reps schema) Corral [ Lal, Qadeer, Lahiri – CAV’12 ] CSeq [ Fischer, Inverso, Parlato – ASE’13 ] Rek [ Chaki, Gurfinkel, Strichman – FMCAD’11 ] STORM [ Lahiri,Qadeer,Rakamaric CAV’09 ] CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQ TOOL BMC based

Sequentialization what we propose new sequentialization targeting BMC efficient + surprisingly simple CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQ TOOL SEQUENTIALIZATION (code-to-code translation)

Lazy-CSeq: Schema Overview (new sequentialization for BMC)

Lazy-CSeq Approach BOUNDED PROGRAM BMC SEQUENTIAL TOOL SEQ PROGRAM SEQUENTIALIZATION (code-to-code translation) CONC PROGRAM

Bounded Concurrent Programs main() T 0 TNTN T N-1 T1T1 … no loops no function calls Control flow only forward one procedure for each thread

Round Robin Schedule main() T 0 TNTN T N-1 T1T1 … Lazy-Cseq sequentialization: captures all bounded Round-Robin computations for a given bound error manifest themselves within very few rounds [ Musuvathi, Qadeer – PLDI’07 ] round 1 round 2 round k round 3

Schema Overview … main() T 0 T1T1 TNTN … F0F0 F1F1 FNFN main() bounded concurrent program sequential program Sequentialization (code-to-code translation) Sequentialized functions Driver translates …

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } main driver a global pc for each thread thread locals  thread global

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } main driver for each round for each thread T i simulate T i

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE.. M: CS(M); stmt M; main driver F i ()

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE.. M: CS(M); stmt M; main driver F i ()... context-switch resume mechanism

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... Context-switch simulation: #define CS(j) if (*) { pc i =j; return; } Context-switch simulation: #define CS(j) if (*) { pc i =j; return; }

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()...

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0; pc 1 =0;... pc N =0; local 0 ; local 1 ;... local k ; main() { for (r=0; r<R; r++) for (k=0; k<N; k++) // simulate T k F k (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver... Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M 2 ) guards Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M 2 ) guards

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i () CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i () CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1;... pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

resuming + context-switch 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M; nextCS... skip pc i... skip #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

Individual Threads Sequentialization 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M;... Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M) guards Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M) guards

Individual Threads Sequentialization 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M;... #define CS(j) if (j =next_CS) goto pc+1; #define CS(j) if (j =next_CS) goto pc+1; inject light-weight, non- invasive control code no non-determinism no assignments o return inject light-weight, non- invasive control code no non-determinism no assignments o return

Tool / Empirical Evaluation

Tool: CSeq sequential non-deterministic C program P'P' concurrent C program P true/false CSeq sequential BMC CBMC, ESBMC, LLBMC roundsbackendunwind [ Fischer, Inverso, Parlato -- ASE’13 ]

Evaluation: bug-hunting SVCOMP’14, Concurrency (UNSAFE instances) Lazy-CSeqConcurrent Tools UR BLITZ CBMC ESBMC LLBMC CBMC ESBMC Corral CSeq Threade r 27_Boop_simple_vf TO _buggy_simple_ _pthread5_vs TO2.2n/aTO 40_barrier_vf n/a0.8n/a0.7 49_bigshot_p n/a 50_bigshot_s n/a 53_fib_bench _fib_bench_longer _fib_bench_longest11 TO214.0TO 75.2TO n/a _lazy _qrcu safe0.7TO5.8safeTO 65_queue TO20.9TOn/a128.7n/a 67_read_write_lock safe0.4TO _reorder_ n/a1.30.7TO1.3n/a2.4 70_reorder_ n/a3.30.7TO1.9n/a3.5 72_sigma n/a TOn/a 73_singleton safe1.6TOn/a 75_stack TO _stateful TO _twostage_ n/a8.04.9TO3.6n/aTO

Evaluation: bug-hunting SVCOMP’14, Concurrency (UNSAFE instances) Lazy-CSeqConcurrent Tools UR BLITZ CBMC ESBMC LLBMC CBMC ESBMC Corral CSeq Threade r 27_Boop_simple_vf TO _buggy_simple_ _pthread5_vs TO2.2n/aTO 40_barrier_vf n/a0.8n/a0.7 49_bigshot_p n/a 50_bigshot_s n/a 53_fib_bench _fib_bench_longer _fib_bench_longest11 TO214.0TO 75.2TO n/a _lazy _qrcu safe0.7TO5.8safeTO 65_queue TO20.9TOn/a128.7n/a 67_read_write_lock safe0.4TO _reorder_ n/a1.30.7TO1.3n/a2.4 70_reorder_ n/a3.30.7TO1.9n/a3.5 72_sigma n/a TOn/a 73_singleton safe1.6TOn/a 75_stack TO _stateful TO _twostage_ n/a8.04.9TO3.6n/aTO

Conclusions

Conclusions / Future Work We have presented a new sequentialization targeted to BMC backends lazy based on bounded round-robin computations efficient for bug-hunting simple to implement (CSeq framework) Eager vs Lazy no empirical evidence that lazy is faster (maybe faster because of good handing of CFG) Lazy does not require an implementation of memory model and handling of error checks Lazy-CSeq won the gold medal in the Concurrency category of SVCOMP’14 all verification tasks solved 30x faster than the best tool with native concurrency handling Future Work integration with partial order reduction Weak Memory Models (WMM) Message Passing Interface (MPI) sequentializations targeting other analysis technologies: abstract interpretation cegar-based testing

Thank You users.ecs.soton.ac.uk/gp4/cseq

Evaluation: state space coverage Lazy-CSeq + CBMC vs CBMC (SAFE instances) How far is it possible to push the unwind bound with the two different methods and still finish the analysis within the given time and space requirements (10GB, 750s)? CBMC starts failing >60% files when increasing unwind bound bounding the rounds allows deeper exploration of loops alternative coverage of the state space

Evaluation: formula size Lazy-CSeq + CBMC vs CBMC (SAFE instances) What is the VC size for sequentialized files compared to native concurrency handling? 5x..15x less variables 5x..25x less clauses