1 Software Model Checking Andrey Rybalchenko Max Planck Institute for Software Systems Incomplete notes summarizing the 2 nd lecture, Nov 5 th, 2007

2 Today Administrativia –HISPOS registration for exams deadline Dec 1, 2007 –New location for lectures and tutorials see the webpage Topics –Programs computations and related objects symbolic representation modeling data: integers, arrays, objects –Testing –Directed automated random testing

3 Programs Program P consists of V – set of variables L – set of control locations l 0 – initial location, l 0 2 L l E – error location, l E 2 L T – set of transitions Let V’ be a set of primed program variables Each transition t 2 T is a triple (l, , l’) l – start location, l \in L  – transition relation, represented by a formula over V and V’ l’ – final location, l’ \in L

4 States, sets, relations Program state is a valuation of program variables –use s for states –s(v) is the value of the variable v in the state s S – the set of all program states Symbolic representation of sets: –State s satisfies a formula  over V = (v 1,..., v n ) iff  Æ v 1 =s(v 1 ) Æ... Æ v n = s(v n ) evaluates to true, written as s ²  –Formula  over V represents a set of states X: S  = { s | s ²  } Symbolic representation of binary relations: –use formula  over V and V’ –pair of states s and s’ satisfies  iff  Æ v 1 =s(v 1 ) Æ... Æ v n = s(v n ) Æ v’ 1 =s’(v 1 ) Æ... Æ v’ n = s’(v n ) evaluates to true, written as (s, s’) ²  –Formula  over V and V’ represents a binary relation over states R: S  = { (s, s’) | (s, s’) ²  }

5 Computations and paths Program computation: finite or infinite sequence  of states (l 1, s 1 ), (l 2, s 2 ),... such that 1.l 1 = l 0 – initial location 2.for each i = 1 to length of  there exists transition (l, , l’) 2 T such that l i = l, (s i, s i+1 ) ² , and l i+1 = l’ written as s i – t ! s i+1  is safe if error location l E is not visited Program terminates if there is no infinite computation Program path  is a sequence of transitions Path t 1, t 2,... is feasible if there is a computation s 1, s 2,... induced by the path, i.e., s i – t i ! s i+1 for each t i

6 Path relation Relational composition of  and  over V and V’:  ±  = 9 V’’:  [V’’/V’] Æ  [V’’/V] Path relation of path  = t 1,..., t n   =  1 ±... ±  n

7 Modeling data Program variables range over intended data domains, e.g. integers, Booleans, arrays, objects, etc. We use logical theories to describe sets of states and binary relations over states. For integer variables, we may use the theory of linear arithmetic. For arrays, the theory of arrays Please read: Modeling data structuresModeling data structures article in Viktor Kuncak’s lecture notes What's decidable about arraysWhat's decidable about arrays [optional]

8 Testing Please read Sections 1 to 9 in Software Testing article at Wikipedia Software Testing

9 Directed Automated Random Testing Please read slides 29 to 50 from Patrice Godefroid’s presentation onDynamic and Static AnalysisDynamic and Static Analysis