smt based software model checking experimental comparison
play

SMT-based Software Model Checking: Experimental Comparison of Four - PowerPoint PPT Presentation

Apr 01, 2023 •227 likes •496 views

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

  1. SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany

  2. SMT-based Software Model Checking ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2LS , ...) ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) ◮ Property-Directed Reachability (PDR, also known as IC3) ( Seahorn , VVT , ...) ◮ ... Matthias Dangl University of Passau, Germany 2 / 24

  3. SMT-based Software Model Checking ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2LS , ...) ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) Matthias Dangl University of Passau, Germany 2 / 24

  4. Our Goals ◮ Perform an extensive comparative evaluation ◮ Confirm intuitions about strengths ◮ Determine potential of extensions and combinations Matthias Dangl University of Passau, Germany 3 / 24

  5. Approach ◮ Understand, and, if necessary, re-formulate the algorithms ◮ Implement all algorithms in one tool ( CPAchecker ) ◮ Run the algorithms on a large set of benchmarks ◮ Measure efficiency and effectiveness Matthias Dangl University of Passau, Germany 4 / 24

  6. Experimental Validity: All Algorithms in one Tool Compare algorithms, not tools: ◮ Share same front-end code ◮ Share same utilities ◮ Share same SMT-solver integration ◮ Share algorithm-independent optimizations → Differences in performance must be caused by algorithms Matthias Dangl University of Passau, Germany 5 / 24

  7. Bounded Model Checking ◮ Bounded Model Checking: ◮ Biere, Cimatti, Clarke, Zhu: [TACAS’99] ◮ No abstraction ◮ Unroll loops up to a loop bound k ◮ Check that P holds in the first k iterations: k � P ( i ) i =1 ◮ Good for finding bugs Matthias Dangl University of Passau, Germany 6 / 24

  8. k -Induction ◮ k -Induction generalizes the induction principle: ◮ No abstraction ◮ Base case: Check that P holds in the first k iterations: → Equivalent to BMC with loop bound k ◮ Step case: Check that the safety property is k -inductive: �� k � � � ∀ n : P ( n + i − 1) = ⇒ P ( n + k ) i =1 ◮ Stronger hypothesis is more likely to succeed ◮ Add auxiliary invariants ◮ Kahsai, Tinelli: [PDMC’11] ◮ Heavy-weight proof technique Matthias Dangl University of Passau, Germany 7 / 24

  9. k -Induction with Auxiliary Invariants Induction: Invariant generation: 1: prec = <weak> 1: k = 1 2: while !finished do 2: invariants = ∅ BMC(k) 3: while !finished do 3: Induction( k , invariants) invariants = GenInv(prec) 4: 4: k ++ prec = RefinePrec(prec) 5: 5: Matthias Dangl University of Passau, Germany 8 / 24

  10. Predicate Abstraction ◮ Predicate Abstraction ◮ Graf, Saïdi: [CAV’97] ◮ Abstract-Interpretation technique ◮ Abstract domain constructed from a set of predicates π ◮ Use CEGAR to add predicates to π (refinement) ◮ Derive new predicates using Craig interpolation ◮ Good for finding proofs Matthias Dangl University of Passau, Germany 9 / 24

  11. Impact ◮ Impact ◮ "Lazy Abstraction with Interpolants" ◮ McMillan: [CAV’06] ◮ Counter-draft to predicate abstraction ◮ Abstraction is derived dynamically/lazily ◮ Solution to avoiding expensive abstraction computations ◮ Compute fixed point over three operations ◮ Expand ◮ Refine ◮ Cover ◮ Quick exploration of the state space ◮ Good for finding bugs Matthias Dangl University of Passau, Germany 10 / 24

  12. Experimental Comparison ◮ 4 779 verification tasks taken from SV-COMP’16 ◮ 15 min timeout (CPU time) ◮ 15 GB memory ◮ Measured with BenchExec Matthias Dangl University of Passau, Germany 11 / 24

  13. All 3 459 bug-free tasks 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 500 1000 1500 2000 2500 n-th fastest correct proof Matthias Dangl University of Passau, Germany 12 / 24

  14. All 1 320 tasks with known bugs 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 100 200 300 400 500 600 n-th fastest correct alarm Matthias Dangl University of Passau, Germany 13 / 24

  15. Category: Device Drivers ◮ Several thousands LOC per task ◮ Complex structures ◮ Pointer arithmetics Matthias Dangl University of Passau, Germany 14 / 24

  16. Category: Device Drivers 1 857 bug-free tasks: 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 200 400 600 800 1000 1200 n-th fastest correct result Matthias Dangl University of Passau, Germany 15 / 24

  17. Category: Device Drivers 263 tasks with known bugs: 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 10 20 30 40 50 n-th fastest correct result Matthias Dangl University of Passau, Germany 16 / 24

  18. Category: Event Condition Action Systems ◮ Several thousand LOC per task ◮ Auto-generated ◮ Only integer variables ◮ Linear and non-linear arithmetics ◮ Complex and dense control structure Matthias Dangl University of Passau, Germany 17 / 24

  19. Category: Event Condition Action Systems ◮ Several thousand LOC per task ◮ Auto-generated ◮ Only integer variables ◮ Linear and non-linear arithmetics ◮ Complex and dense control structure if (((a24==3) && (((a18==10) && ((input == 6) && ((115 < a3) && (306 >= a3)))) && (a15==4)))) { a3 = (((a3 ∗ 5) + − 583604) ∗ 1); a24 = 0; a18 = 8; return − 1; } Matthias Dangl University of Passau, Germany 17 / 24

  20. Category: Event Condition Action Systems 734 bug-free tasks: 1000 100 CPU time (s) 10 k-Induction Predicate Abstraction Impact 1 0 100 200 300 400 500 n-th fastest correct result Matthias Dangl University of Passau, Germany 18 / 24

  21. Category: Event Condition Action Systems 406 tasks with known bugs: Only BMC and k -Induction find one bug (the same one). Matthias Dangl University of Passau, Germany 19 / 24

  22. Category: Product Lines ◮ Several hundred LOC ◮ Mostly integer variables, some structs ◮ Mostly simple linear arithmetics ◮ Lots of property-independent code Matthias Dangl University of Passau, Germany 20 / 24

  23. Category: Product Lines 332 bug-free tasks: 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 50 100 150 200 250 300 350 n-th fastest correct result Matthias Dangl University of Passau, Germany 21 / 24

  24. Category: Product Lines 265 tasks with known bugs: 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 50 100 150 200 250 n-th fastest correct result Matthias Dangl University of Passau, Germany 22 / 24

  25. Summary We reconfirm that ◮ BMC is a good bug hunter ◮ k -Induction is a heavy-weight proof technique: effective, but slow ◮ CEGAR makes abstraction techniques (Predicate Abstraction, Impact) scalable ◮ Impact is lazy, and explores the state space and finds bugs quicker ◮ Predicate Abstraction is eager, and prunes irrelevant parts and finds proofs quicker Matthias Dangl University of Passau, Germany 23 / 24

  26. Outlook ◮ Abstraction is required for scalability ◮ k -Induction needs some form of abstraction ◮ Maybe the ideas of k -Induction can be transferred to PDR Matthias Dangl University of Passau, Germany 24 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given property

957 views • 33 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

628 views • 34 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

301 views • 8 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

777 views • 31 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas

Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas

Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva lcc08r@ecs.soton.ac.uk

639 views • 37 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Daniele Sgandurra Introduction Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development via Model Checking Lazy Abstraction Reachability Tree Seminar Complete

970 views • 95 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Int. Journal on Software Tools for Technology Transfer, 2007 Stefan Buchholz March 17, 2009 1 Model

456 views • 12 slides
Expression of Interest Letters for FY17 Audio is available only by conference call. Please call :

Expression of Interest Letters for FY17 Audio is available only by conference call. Please call :

Expression of Interest Letters for FY17 Audio is available only by conference call. Please call : (800) 700-7784 Participant Access Code: 407190 to join the conference call portion of the webinar (date) Office of Housing Counseling Webinar

550 views • 20 slides
Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle

Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle

Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle Sweeney University of Notre Dame {dthain|ksweene3}@nd.edu Software Deployment on HPC Classic Approach Single process MPI app created by end

1.06k views • 50 slides
Predicting Intermediate Storage Performance for Workflow Applications Lauro B. Costa , Samer

Predicting Intermediate Storage Performance for Workflow Applications Lauro B. Costa , Samer

Predicting Intermediate Storage Performance for Workflow Applications Lauro B. Costa , Samer Al-Kiswany, Abmar Barros*, Hao Yang, and Matei Ripeanu University of British Columbia *UFCG, Brazil PSDW13 Nov, 18th co-located with SC13 Storage

341 views • 31 slides
B a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 : H e x a g o

B a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 : H e x a g o

B a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 : H e x a g o n c h a l l e n g e s R a l f - P h i l i p p W e i n m a n n &lt; r a l f @ c o m s e c u r i s . c

478 views • 21 slides
Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/

Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/

Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/ Questions can be emailed to bmc@purdue.edu Competition Statistics 31 st year One of the oldest competitions in the US Purdue: 1987

363 views • 23 slides
Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using SMT-LIB 2.5 Clifford Wolf 1 Abstract Bounded model checking and other SAT-based formal methods are an important part of todays digital design

773 views • 52 slides
bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez

bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez

Fosdem 2019 bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez Joel Rebello Baseboard Management Controller A BMC is a system on chip that integrates various computer components in a single

401 views • 14 slides

More recommend