
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms

Matthias Dangl

Joint work with Dirk Beyer

University of Passau, Germany

SLIDE 2

SMT-based Software Model Checking

◮ Bounded Model Checking

(Cbmc, CPAchecker, Esbmc, ...)

◮ k-Induction

(CPAchecker, Esbmc, 2LS, ...)

◮ Predicate Abstraction

(Blast, CPAchecker, Slam, ...)

◮ Impact

(CPAchecker, Impact, Wolverine, ...)

◮ Property-Directed Reachability (PDR, also known as IC3)

(Seahorn, VVT, ...)

◮ ...

Matthias Dangl University of Passau, Germany 2 / 24

SLIDE 4

Our Goals

◮ Perform an extensive comparative evaluation
◮ Confirm intuitions about strengths
◮ Determine potential of extensions and combinations

SLIDE 5

Approach

◮ Understand, and, if necessary, re-formulate the algorithms
◮ Implement all algorithms in one tool (CPAchecker)
◮ Run the algorithms on a large set of benchmarks
◮ Measure efficiency and effectiveness

SLIDE 6

Experimental Validity: All Algorithms in one Tool

Compare algorithms, not tools:

◮ Share same front-end code
◮ Share same utilities
◮ Share same SMT-solver integration
◮ Share algorithm-independent optimizations

→ Differences in performance must be caused by algorithms

SLIDE 7

Bounded Model Checking

◮ Bounded Model Checking:
  ◮ Biere, Cimatti, Clarke, Zhu: [TACAS’99]
  ◮ No abstraction
  ◮ Unroll loops up to a loop bound k
  ◮ Check that P holds in the first k iterations:

    $\bigwedge_{i=1}^{k} P(i)$

◮ Good for finding bugs

SLIDE 8

k-Induction

◮ k-Induction generalizes the induction principle:
  ◮ No abstraction
  ◮ Base case: Check that P holds in the first k iterations:
    → Equivalent to BMC with loop bound k
  ◮ Step case: Check that the safety property is k-inductive:

    $\forall n:\ \bigwedge_{i=1}^{k} P(n + i - 1) \Rightarrow P(n + k)$

  ◮ Stronger hypothesis is more likely to succeed
  ◮ Add auxiliary invariants
  ◮ Kahsai, Tinelli: [PDMC’11]
◮ Heavy-weight proof technique

SLIDE 9

k-Induction with Auxiliary Invariants

Induction:

    k = 1
    while !finished do
        BMC(k)
        Induction(k, invariants)
        k++

Invariant generation:

    prec = <weak>
    invariants = ∅
    while !finished do
        invariants = GenInv(prec)
        prec = RefinePrec(prec)
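The base case, the step case and the Induction loop above, as an added example that is not from the slides and not CPAchecker code: a small Python program over a constructed toy loop with two variables x and y that are swapped on every iteration. Exhaustive enumeration over a four-value domain stands in for the SMT solver (an assumption made so the example runs offline); the queries have the shape of the two formulas on the previous slides. The program, the properties and the auxiliary invariant x + y = 1 are all constructed for this example.

```python
from itertools import product

# Constructed toy program, not from the slides: two integer variables x and y
# over a small finite domain; each loop iteration swaps them. An SMT solver
# would reason about unbounded integers, but here exhaustive enumeration over
# DOMAIN stands in for the satisfiability check so the example runs offline.
DOMAIN = range(4)

def init(s):
    """Initial condition: x = 0, y = 1."""
    x, y = s
    return x == 0 and y == 1

def trans(s, t):
    """Transition relation of one loop iteration: x' = y, y' = x."""
    (x, y), (x2, y2) = s, t
    return x2 == y and y2 == x

def prop_safe(s):
    """Safety property P(s): x is never 2 (holds on every reachable state)."""
    return s[0] != 2

def prop_buggy(s):
    """A property that is violated in the second loop iteration: y is never 0."""
    return s[1] != 0

def aux_inv(s):
    """Auxiliary invariant, as GenInv would supply it: x + y = 1."""
    return s[0] + s[1] == 1

def sequences(length):
    """All state sequences s_1 .. s_length consistent with trans (the unrolling)."""
    if length == 1:
        for s in product(DOMAIN, DOMAIN):
            yield (s,)
        return
    for seq in sequences(length - 1):
        for t in product(DOMAIN, DOMAIN):
            if trans(seq[-1], t):
                yield seq + (t,)

def bmc(k, prop=prop_safe):
    """Base case = BMC with loop bound k: a path from an initial state on which
    P(i) fails for some 1 <= i <= k. Returns that path or None."""
    for seq in sequences(k):
        if init(seq[0]) and not all(prop(s) for s in seq):
            return seq
    return None

def step_case(k, aux=lambda s: True, prop=prop_safe):
    """Step case: a path s_n .. s_{n+k} on which P (and aux) hold for the first
    k states but P(s_{n+k}) fails. None means P is k-inductive relative to aux."""
    for seq in sequences(k + 1):
        if all(prop(s) and aux(s) for s in seq[:k]) and not prop(seq[k]):
            return seq
    return None

def reachable():
    """Concrete reachable states; used only to validate auxiliary invariants."""
    seen = {s for s in product(DOMAIN, DOMAIN) if init(s)}
    frontier = list(seen)
    while frontier:
        s = frontier.pop()
        for t in product(DOMAIN, DOMAIN):
            if trans(s, t) and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

def aux_is_sound(aux):
    """Strengthening the step case with a formula that does not hold on every
    reachable state would make the "proof" unsound, so check it first."""
    return all(aux(s) for s in reachable())

def k_induction(max_k, aux=lambda s: True, prop=prop_safe):
    """The Induction loop from the slide: BMC(k), then Induction(k, invariants),
    then k++. Returns (verdict, k, counterexample)."""
    if not aux_is_sound(aux):
        raise ValueError("auxiliary invariant does not hold on reachable states")
    for k in range(1, max_k + 1):
        cex = bmc(k, prop)
        if cex is not None:
            return ("bug", k, cex)
        if step_case(k, aux, prop) is None:
            return ("proof", k, None)
    return ("unknown", max_k, None)

if __name__ == "__main__":
    print(k_induction(5))                   # ('proof', 2, None): P is 2-inductive
    print(k_induction(5, aux_inv))          # ('proof', 1, None): with x + y = 1 it is 1-inductive
    print(k_induction(5, prop=prop_buggy))  # ('bug', 2, ((0, 1), (1, 0))): BMC finds the violation
```

Without the auxiliary invariant the property is only 2-inductive (the step case at k = 1 admits the unreachable state (0, 2)); with x + y = 1 the step case succeeds at k = 1, which is what "stronger hypothesis" and "add auxiliary invariants" buy. The soundness check exists because the step case trusts whatever GenInv returns: a wrong invariant would turn an unsafe program into a "proof".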

SLIDE 10

Predicate Abstraction

◮ Predicate Abstraction
  ◮ Graf, Saïdi: [CAV’97]
  ◮ Abstract-Interpretation technique
  ◮ Abstract domain constructed from a set of predicates π
  ◮ Use CEGAR to add predicates to π (refinement)
  ◮ Derive new predicates using Craig interpolation
  ◮ Good for finding proofs
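Predicate abstraction with CEGAR refinement, as an added example that is not from the slides or from any of the tools named: a constructed one-variable saturating counter, an abstract domain whose states are truth vectors over the predicate set π, and an abstract-check-refine loop. The abstract post is computed by enumerating the concretization (a real tool asks the SMT solver), and refinement takes the next predicate from a hand-written candidate list because Craig interpolation is not implemented here; both are assumptions made for this example.

```python
# Constructed toy program, not from the slides: a single integer x over a small
# finite domain. Each loop iteration increments x until it reaches 3, then
# leaves it unchanged. Exhaustive enumeration over DOMAIN stands in for the SMT
# queries a real tool uses to compute the abstract post operator.
DOMAIN = range(8)

def init(x):
    return x == 0

def trans(x, x2):
    """x' = x + 1 if x < 3 else x (a saturating counter)."""
    return x2 == (x + 1 if x < 3 else x)

def prop_safe(x):
    """Property P: x never equals 5."""
    return x != 5

def alpha(preds, x):
    """Abstraction: a concrete state maps to the truth vector of the predicates in pi."""
    return tuple(bool(p(x)) for p in preds)

def gamma(preds, a):
    """Concretization: every state whose predicate valuation is a."""
    return [x for x in DOMAIN if alpha(preds, x) == a]

def abstract_reach(preds):
    """Abstract fixpoint: apply the abstract post operator until no new abstract
    state appears. With pi empty there is a single abstract state, 'true'."""
    reach = {alpha(preds, x) for x in DOMAIN if init(x)}
    work = list(reach)
    while work:
        a = work.pop()
        for x in gamma(preds, a):
            for x2 in DOMAIN:
                if trans(x, x2):
                    b = alpha(preds, x2)
                    if b not in reach:
                        reach.add(b)
                        work.append(b)
    return reach

def abstract_error(preds, prop):
    """A reachable abstract state that overlaps the error states, or None,
    in which case the abstraction is a proof of P."""
    for a in abstract_reach(preds):
        if any(not prop(x) for x in gamma(preds, a)):
            return a
    return None

def concrete_reach():
    """Concrete reachable states; used for the feasibility check."""
    seen = {x for x in DOMAIN if init(x)}
    work = list(seen)
    while work:
        x = work.pop()
        for x2 in DOMAIN:
            if trans(x, x2) and x2 not in seen:
                seen.add(x2)
                work.append(x2)
    return seen

def cegar(candidates, prop=prop_safe):
    """Abstract, check, refine. Refinement here takes the next predicate from a
    hand-written candidate list; a real tool derives it by Craig interpolation
    from the infeasible abstract counterexample. Returns (verdict, |pi| used)."""
    preds, candidates = [], list(candidates)
    while True:
        if abstract_error(preds, prop) is None:
            return ("proof", len(preds))
        # The abstract counterexample may be spurious: check concretely whether
        # an error state is reachable at all (a tool checks the one abstract path).
        if any(not prop(x) for x in concrete_reach()):
            return ("bug", len(preds))
        if not candidates:
            return ("unknown", len(preds))
        preds.append(candidates.pop(0))

if __name__ == "__main__":
    print(cegar([lambda x: x >= 0, lambda x: x <= 3]))  # ('proof', 2): the first predicate does not help
    print(cegar([lambda x: x <= 3]))                    # ('proof', 1)
    print(cegar([], prop=lambda x: x != 3))             # ('bug', 0): x = 3 really is reachable
```

With π empty every concrete state collapses into one abstract state, so the error state is abstractly reachable and the first counterexample is spurious. Adding x ≥ 0 changes nothing, adding x ≤ 3 separates the reachable states from x = 5 and the abstract fixpoint becomes a proof; the quality of the predicates, which interpolation is meant to deliver, is what decides how many refinement rounds are needed.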

SLIDE 11

Impact

◮ Impact
  ◮ "Lazy Abstraction with Interpolants"
  ◮ McMillan: [CAV’06]
  ◮ Proposed as an alternative to predicate abstraction
  ◮ Abstraction is derived dynamically/lazily
  ◮ Solution to avoiding expensive abstraction computations
  ◮ Compute fixed point over three operations
    ◮ Expand
    ◮ Refine
    ◮ Cover
  ◮ Quick exploration of the state space
  ◮ Good for finding bugs

SLIDE 12

Experimental Comparison

◮ 4 779 verification tasks taken from SV-COMP’16
◮ 15 min timeout (CPU time)
◮ 15 GB memory
◮ Measured with BenchExec

SLIDE 13

All 3 459 bug-free tasks

[Plot: CPU time (s), log scale, against n-th fastest correct proof; series: BMC, k-Induction, Predicate abstraction, Impact]

SLIDE 14

All 1 320 tasks with known bugs

[Plot: CPU time (s), log scale, against n-th fastest correct alarm; series: BMC, k-Induction, Predicate Abstraction, Impact]

SLIDE 15

Category: Device Drivers

◮ Several thousand LOC per task
◮ Complex structures
◮ Pointer arithmetic

SLIDE 16

Category: Device Drivers

1 857 bug-free tasks:

[Plot: CPU time (s), log scale, against n-th fastest correct result; series: BMC, k-Induction, Predicate Abstraction, Impact]

SLIDE 17

Category: Device Drivers

263 tasks with known bugs:

[Plot: CPU time (s), log scale, against n-th fastest correct result; series: BMC, k-Induction, Predicate Abstraction, Impact]

SLIDE 18

Category: Event Condition Action Systems

◮ Several thousand LOC per task
◮ Auto-generated
◮ Only integer variables
◮ Linear and non-linear arithmetic
◮ Complex and dense control structure

SLIDE 19

Category: Event Condition Action Systems

    if (((a24==3) && (((a18==10) && ((input == 6) && ((115 < a3) && (306 >= a3)))) && (a15==4)))) {
        a3 = (((a3 * 5) + -583604) * 1);
        a24 = 0;
        a18 = 8;
        return -1;
    }

SLIDE 20

Category: Event Condition Action Systems

734 bug-free tasks:

[Plot: CPU time (s), log scale, against n-th fastest correct result; series: k-Induction, Predicate Abstraction, Impact]

SLIDE 21

Category: Event Condition Action Systems

406 tasks with known bugs: Only BMC and k-Induction find one bug (the same one).

SLIDE 22

Category: Product Lines

◮ Several hundred LOC
◮ Mostly integer variables, some structs
◮ Mostly simple linear arithmetic
◮ Lots of property-independent code

SLIDE 23

Category: Product Lines

332 bug-free tasks:

[Plot: CPU time (s), log scale, against n-th fastest correct result; series: BMC, k-Induction, Predicate abstraction, Impact]

SLIDE 24

Category: Product Lines

265 tasks with known bugs:

[Plot: CPU time (s), log scale, against n-th fastest correct result; series: BMC, k-Induction, Predicate abstraction, Impact]

SLIDE 25

Summary

We reconfirm that

◮ BMC is a good bug hunter
◮ k-Induction is a heavy-weight proof technique: effective, but slow
◮ CEGAR makes abstraction techniques (Predicate Abstraction, Impact) scalable
◮ Impact is lazy, and explores the state space and finds bugs quicker
◮ Predicate Abstraction is eager, and prunes irrelevant parts and finds proofs quicker

SLIDE 26

Outlook

◮ Abstraction is required for scalability
◮ k-Induction needs some form of abstraction
◮ Maybe the ideas of k-Induction can be transferred to PDR
