Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan.

Published byDamaris Strother Modified over 9 years ago

Similar presentations

Presentation on theme: "By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan."— Presentation transcript:

1 By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

2  A successful approach to model checking is through construction and analysis of an abstract reachability tree (ART) + predicate abstraction Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor Unwind

3  ART nodes consist of  Control-Flow Location  Call stack  Data State formulas  In Single-Block Encoding (SBE) each program op is represented by a single edge in ART  Huge number of paths and nodes  But in Large-Block Encoding (LBE) entire part of the program is represented by an edge  Smaller number of paths are enumerated in ART  Exponential reduction in number of states (maybe) Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

4 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor  We use Satisfiability Modulo Theories (SMT) SBELBE (more general representation of abstract states) Conjunction of PredicatesArbitrary Boolean Combination of Predicates More Accurate Abstract Successor Computation SBE + Cartesian Abs (B LAST, SLAM) LBE + Boolean Abstraction (CPA CHECKER ) Large number of successor computationsReduced number of successor computations Efficient computation of Cartesian abstraction by SMT Boolean abstraction is expensive tradeoff

5 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor SBE LBE

6  We work on a simple imperative PL  Assume Op  Assignment  Just integers  Program is presented by a Control Flow Automaton (CFA)  CFA: A(L, G)  Program: P = (A, l 0, l E )  A concrete data state of the program is a variable assignment like c that assigns to each variable an integer value  A formula φ represents the set S of states c that:  S = {c | c |= φ}  SP OP (φ): represents the set of data states that are reachable from states in region φ after applying OP Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

7  We define precision (like π) as a finite subset from the universal predicate set of the program  Cartesian Predicate Abstraction:  A CartPA φ c π of a formula φ is the strongest conjunction of predicates from π entailed by φ  This is used as an Abstract State  Boolean Predicate Abstraction:  A BoolPA φ B π of a formula is the strongest combination of predicates from π entailed by φ  Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

8 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor Cartesian AbstractionBoolean Abstraction SimpleComplex EfficientExpensive ImprecisePrecise tradeoff

9

10  The Precision function assigns to each program location, a precision formula  The nodes of ART are like n=(l, φ)  The tree is complete when there are no uncovered nodes, or all possible abstract successor states are present in the ART as the children of the node  If the final ART does not have any error nodes, then we are done  Else the error path is checked for feasibility  If feasible: the error is reported  If not feasible: refinement!  For practical reasons, SBEs use Cartesian abstraction Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

11

12  Each large control-flow subgraph that is free of loops is replaced with a single control-flow edge with a large formula  This is done with applying the following rules:  Rule 0 (Error Sink): make all error points, a sink  Rule 1 (Sequence): remove intermediate nodes and go directly to successor nodes  Rule 2 (Choice): If there are two edges btw two nodes we should replace that with a single edge Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

13 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor Rule 1 Rule 2

14 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

15  LBE:  Possibly exponentially smaller ARTs  Less abstract refinement steps  Each step is more expensive than SBE  More expressive representation of abstract states Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

16  In the paper, B LAST is used for the model checking phase  All four configs are tested: ▪ bfs ▪ dfs ▪ predH 0 ▪ predH 7  The config –dfs –predH 7 is the winner for programs without defects  For unsafe programs –bfs –predH 7 is winner Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

17 Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

18  In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested  Results:  SBE doesn’t benefit from Boolean Abstraction  Combination of LBE with Cartesian Abstraction failed to solve any experiments due to the loss of precision  SBE + CartAbs is OK  LBE + BoolAbs is OK Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor

Download ppt "By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani Simon Fraser University (Spring 09) Presentation By: Pashootan."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Satisfiability modulo the Theory of Bit Vectors

Satisfiability modulo the Theory of Bit Vectors
CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Tree Searching. Tree searches A tree search starts at the root and explores nodes from there, looking for a goal node (a node that satisfies certain conditions,

Tree Searching. Tree searches A tree search starts at the root and explores nodes from there, looking for a goal node (a node that satisfies certain conditions,
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
CPSC 322, Lecture 12Slide 1 CSPs: Search and Arc Consistency Computer Science cpsc322, Lecture 12 (Textbook Chpt 4.3-4.5) January, 29, 2010.

CPSC 322, Lecture 12Slide 1 CSPs: Search and Arc Consistency Computer Science cpsc322, Lecture 12 (Textbook Chpt ) January, 29, 2010.

Similar presentations

Ads by Google