By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani
Simon Fraser University (Spring 09)
Presentation by: Pashootan Vaezipoor
A successful approach to software model checking is the construction and analysis of an abstract reachability tree (ART), combined with predicate abstraction.
(Figure: the program's control flow is unwound into an ART; slide label "Unwind")
ART nodes consist of:
- a control-flow location,
- a call stack,
- a data state, represented as a formula.

In Single-Block Encoding (SBE) each program operation is represented by a single edge, so the ART enumerates a huge number of paths and nodes.

In Large-Block Encoding (LBE) an entire loop-free part of the program is represented by a single edge, so far fewer paths are enumerated in the ART; the number of abstract states can be exponentially smaller (in the best case).
Abstractions are computed using Satisfiability Modulo Theories (SMT) solvers. The two encodings pair naturally with different abstractions:

| | SBE | LBE |
|---|---|---|
| Abstract state | Conjunction of predicates | Arbitrary Boolean combination of predicates (a more general representation of abstract states) |
| Abstraction used | Cartesian abstraction (BLAST, SLAM) | Boolean abstraction (CPAchecker) |
| Abstract successor computations | Large number | Reduced number, and each one is more accurate |
| Cost per computation | Cartesian abstraction is computed efficiently with SMT | Boolean abstraction is expensive |

This is the tradeoff: fewer but more expensive successor computations (LBE) versus many cheap ones (SBE).
(Figure: the same program encoded with SBE and with LBE)
We work on a simple imperative programming language with two kinds of operations, assume and assignment, and integer variables only.

A program is represented by a control-flow automaton (CFA) A = (L, G), where L is the set of program locations and G ⊆ L × Ops × L is the set of control-flow edges labelled with operations. A program is a triple P = (A, l0, lE) with initial location l0 and error location lE.

A concrete data state of the program is a variable assignment c that assigns an integer value to each variable. A formula φ represents the set S of concrete states that satisfy it: S = {c | c ⊨ φ}.

The strongest postcondition SP_op(φ) represents the set of data states that are reachable from the states in region φ after applying the operation op.
A precision π is a finite subset of the set of all predicates over the program's variables.

Cartesian predicate abstraction: the Cartesian abstraction (φ)^C_π of a formula φ is the strongest conjunction of predicates from π that is entailed by φ. This is used as an abstract state.

Boolean predicate abstraction: the Boolean abstraction (φ)^B_π of a formula φ is the strongest Boolean combination of predicates from π that is entailed by φ.
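To make the two definitions concrete, here is an added Python example; it is not code from the paper, BLAST or CPAchecker. Instead of an SMT solver it decides entailment by brute force over a small bounded integer domain, which is enough to show the difference. The precision π = {x > 0, y > 0}, the two formulas and the bounded domain are constructed for the example. One assumption is made: the Cartesian abstraction may pick a predicate or its negation for each element of π (this matches the usual description of BLAST's abstract post, but the slides do not say so). The second formula is a disjunction, which is exactly what a merged LBE edge produces; it collapses to `true` under Cartesian abstraction but is preserved by Boolean abstraction, which is the precision loss behind the later experimental result.

```python
from itertools import product

VARS = ("x", "y")
DOMAIN = range(-3, 4)  # constructed bounded integer domain; entailment is checked by enumeration

def states_of(phi):
    """Concrete data states c (tuples over VARS) in the bounded domain with c |= phi."""
    return frozenset(c for c in product(DOMAIN, repeat=len(VARS)) if phi(dict(zip(VARS, c))))

def cartesian_abstraction(phi, precision):
    """(phi)^C_pi: strongest conjunction of literals over pi entailed by phi.
    Assumption for this example: both p and not-p are candidate conjuncts.
    Returns a frozenset of (name, polarity); the empty set denotes `true`."""
    sat = states_of(phi)
    lits = set()
    for name, p in precision.items():
        truth = {bool(p(dict(zip(VARS, c)))) for c in sat}
        if truth <= {True}:           # phi entails p (vacuously when phi is unsatisfiable)
            lits.add((name, True))
        if truth <= {False}:          # phi entails not-p
            lits.add((name, False))
    return frozenset(lits)

def boolean_abstraction(phi, precision):
    """(phi)^B_pi: strongest Boolean combination of pi entailed by phi, given in DNF
    as the set of predicate valuations (minterms) realised by some state of phi."""
    names = tuple(precision)
    minterms = frozenset(
        tuple(bool(precision[n](dict(zip(VARS, c)))) for n in names) for c in states_of(phi))
    return names, minterms

def gamma_cartesian(lits, precision):
    """Concretisation of a Cartesian abstract state (all states satisfying every literal)."""
    return states_of(lambda env: all(bool(precision[n](env)) is pol for n, pol in lits))

def gamma_boolean(names, minterms, precision):
    """Concretisation of a Boolean abstract state (all states whose valuation is a minterm)."""
    return states_of(lambda env: tuple(bool(precision[n](env)) for n in names) in minterms)

# Constructed precision pi = {x > 0, y > 0} and two formulas:
#   PHI_SEQ    is what an SBE path  [x > 0]; [y > 0]  yields (a conjunction),
#   PHI_CHOICE is what an LBE edge that merges two branches yields (a disjunction).
PRECISION = {"x>0": lambda e: e["x"] > 0, "y>0": lambda e: e["y"] > 0}
PHI_SEQ = lambda e: e["x"] > 0 and e["y"] > 0
PHI_CHOICE = lambda e: e["x"] > 0 or e["y"] > 0

def precision_loss(phi, precision=PRECISION):
    """Spurious concrete states admitted by each abstraction beyond phi itself:
    returns (cartesian_loss, boolean_loss)."""
    cart = gamma_cartesian(cartesian_abstraction(phi, precision), precision)
    names, minterms = boolean_abstraction(phi, precision)
    boo = gamma_boolean(names, minterms, precision)
    exact = states_of(phi)
    assert exact <= boo <= cart  # both abstractions are sound over-approximations
    return len(cart - exact), len(boo - exact)

if __name__ == "__main__":
    print("conjunction:", precision_loss(PHI_SEQ))
    print("disjunction:", precision_loss(PHI_CHOICE))
```

For the conjunction both abstractions are exact. For the disjunction the Cartesian abstraction entails neither x > 0 nor y > 0, so it returns `true` and admits every state in the domain that falsifies φ, while the Boolean abstraction keeps the three satisfying valuations and loses nothing.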
| Cartesian abstraction | Boolean abstraction |
|---|---|
| Simple | Complex |
| Efficient | Expensive |
| Imprecise | Precise |

This is the tradeoff between the two abstractions.
The precision function assigns a precision (a set of predicates) to each program location.

The nodes of the ART have the form n = (l, φ), a location and an abstract data state. The tree is complete when there are no uncovered nodes, i.e. for every node all of its abstract successor states are present in the ART as children of that node (or are covered by existing nodes).

If the complete ART contains no error node, the program is safe and we are done. Otherwise the error path is checked for feasibility: if it is feasible, the error is reported; if it is infeasible, the precision is refined (predicates are added) and the ART is rebuilt.

For practical reasons, SBE-based tools use Cartesian abstraction.
Each large loop-free control-flow subgraph is replaced by a single control-flow edge labelled with a large formula. This is done by applying the following rules until none applies:

- Rule 0 (Error sink): remove all outgoing edges of the error location, so every error point becomes a sink.
- Rule 1 (Sequence): remove an intermediate location that has a single incoming edge, and connect its predecessor directly to each of its successors; the new edge is the sequential composition of the incoming and the outgoing operation.
- Rule 2 (Choice): if there are two edges between the same pair of locations, replace them with a single edge whose operation is the choice (disjunction) of the two.
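The three rules as an executable procedure, added here as an illustration; this is neither the paper's implementation nor CPAchecker's code. A CFA is a list of edges (src, op, dst); ops are small tuples; `post` is a bounded-domain strongest post, so you can check that the large-block CFA reaches exactly the same data states at the surviving locations as the single-block CFA. The example program, the bounded domain, and two decisions about Rule 1 are assumptions made for this example: a location with no outgoing edge is kept so that final locations survive for the comparison, and a location with a self-loop is never removed, so loop heads (which always have at least two incoming edges) stay as they are.

```python
from collections import defaultdict
from itertools import product

VARS = ("x", "y")
DOMAIN = range(-3, 4)  # constructed bounded domain so reachability can be computed exactly

# Edge operations (constructed representation for this example):
#   ("assume", label, pred)       pred: env -> bool
#   ("assign", var, label, expr)  expr: env -> int
#   ("seq", op1, op2)             large block: op1 then op2         (built by Rule 1)
#   ("choice", op1, op2, ...)     large block: any one of the ops   (built by Rule 2)
def assume(label, pred): return ("assume", label, pred)
def assign(var, label, expr): return ("assign", var, label, expr)

def show(op):
    """Render an op as the large formula the LBE edge carries."""
    k = op[0]
    if k == "assume": return f"[{op[1]}]"
    if k == "assign": return f"{op[1]} := {op[2]}"
    if k == "seq": return f"({show(op[1])}; {show(op[2])})"
    return "(" + " || ".join(show(o) for o in op[1:]) + ")"

def post(op, states):
    """Concrete strongest post: states reachable from `states` after `op`."""
    k = op[0]
    if k == "assume":
        return frozenset(s for s in states if op[2](dict(zip(VARS, s))))
    if k == "assign":
        i = VARS.index(op[1])
        return frozenset(s[:i] + (op[3](dict(zip(VARS, s))),) + s[i + 1:] for s in states)
    if k == "seq":
        return post(op[2], post(op[1], states))
    return frozenset().union(*(post(o, states) for o in op[1:]))

def large_block_encode(edges, l0, le):
    """Apply Rule 0 (error sink), then Rules 1 (sequence) and 2 (choice) to a fixpoint."""
    edges = [e for e in edges if e[0] != le]                        # Rule 0
    changed = True
    while changed:
        changed = False
        locs = {l for e in edges for l in (e[0], e[2])}
        for l in sorted(locs - {l0, le}):
            incoming = [e for e in edges if e[2] == l]
            outgoing = [e for e in edges if e[0] == l]
            # Rule 1: exactly one incoming edge, no self-loop, and (assumption) not a sink
            if len(incoming) == 1 and incoming[0][0] != l and outgoing:
                p, op1, _ = incoming[0]
                edges = [e for e in edges if l not in (e[0], e[2])]
                edges += [(p, ("seq", op1, op2), q) for _, op2, q in outgoing]
                changed = True
                break
        if changed:
            continue
        groups = defaultdict(list)                                   # Rule 2
        for src, op, dst in edges:
            groups[(src, dst)].append(op)
        merged = [(src, ops[0] if len(ops) == 1 else ("choice", *ops), dst)
                  for (src, dst), ops in groups.items()]
        if len(merged) < len(edges):
            edges, changed = merged, True
    return edges

def reachable(edges, l0):
    """Exact reachable concrete states per location, starting from every state at l0."""
    reach = defaultdict(frozenset)
    reach[l0] = frozenset(product(DOMAIN, repeat=len(VARS)))
    changed = True
    while changed:
        changed = False
        for src, op, dst in edges:
            new = reach[dst] | post(op, reach[src])
            if new != reach[dst]:
                reach[dst], changed = new, True
    return dict(reach)

# Constructed example program (not one of the paper's benchmarks):
#   l0: if (x > 0) y := x; else y := 0 - x;   l3: if (y < 0) goto lE;   l4: end
# The edge lE -> l4 models the code continuing after the error label; Rule 0 removes it.
SBE = [
    ("l0", assume("x > 0",  lambda e: e["x"] > 0), "l1"),
    ("l0", assume("x <= 0", lambda e: e["x"] <= 0), "l2"),
    ("l1", assign("y", "x",     lambda e: e["x"]), "l3"),
    ("l2", assign("y", "0 - x", lambda e: -e["x"]), "l3"),
    ("l3", assume("y < 0",  lambda e: e["y"] < 0), "lE"),
    ("l3", assume("y >= 0", lambda e: e["y"] >= 0), "l4"),
    ("lE", assume("true",   lambda e: True), "l4"),
]
LBE = large_block_encode(SBE, "l0", "lE")

if __name__ == "__main__":
    for src, op, dst in LBE:
        print(f"{src} -> {dst}: {show(op)}")
    print("error location reachable:", bool(reachable(LBE, "l0").get("lE")))
```

Running it shows the seven single-block edges collapsing to two large-block edges out of l0, one to lE and one to l4, each carrying the formula `(([x > 0]; y := x) || ([x <= 0]; y := 0 - x)); [...]`. Because y = |x| on both branches, lE is unreachable under both encodings, and the states reaching l4 are identical.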
(Figure: Rule 1 and Rule 2 applied to a CFA fragment)
LBE in summary:
- possibly exponentially smaller ARTs,
- fewer abstraction-refinement steps,
- each step is more expensive than in SBE,
- a more expressive representation of abstract states.
In the paper, BLAST is used for the model-checking phase. All four configurations are tested: bfs, dfs, predH 0 and predH 7.

The configuration -dfs -predH 7 is the winner for programs without defects; for unsafe programs -bfs -predH 7 is the winner.
In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested.

Results:
- SBE does not benefit from Boolean abstraction.
- The combination of LBE with Cartesian abstraction failed to solve any of the experiments, because of the loss of precision.
- SBE + Cartesian abstraction works, and LBE + Boolean abstraction works.