Software Model Checking via Large-Block Encoding
By Dirk Beyer, Alessandro Cimatti, Alberto Griggio, Erkan Keremoglu and Roberto Sebastiani
Presentation By: Pashootan Vaezipoor, Simon Fraser University (Spring 09)
Introduction
- A successful approach to model checking is the construction and analysis of an abstract reachability tree (ART) combined with predicate abstraction
(Figure: Unwind)
Introduction
- ART nodes consist of:
  - Control-flow location
  - Call stack
  - Data state formulas
- In Single-Block Encoding (SBE) each program operation is represented by a single edge in the ART
  - Huge number of paths and nodes
- But in Large-Block Encoding (LBE) an entire part of the program is represented by one edge
  - A smaller number of paths is enumerated in the ART
  - Exponential reduction in the number of states (maybe)
SBE to LBE: Consequences

  SBE                                                | LBE
  ---------------------------------------------------+---------------------------------------------------
  Conjunction of predicates                          | Arbitrary Boolean combination of predicates
                                                     | (more general representation of abstract states)
                                                     | More accurate abstract successor computation
  SBE + Cartesian abstraction (BLAST, SLAM)          | LBE + Boolean abstraction (CPACHECKER)
  Large number of successor computations             | Reduced number of successor computations
  Efficient computation of Cartesian abstraction     | Boolean abstraction is expensive
  by SMT                                             |

- We use Satisfiability Modulo Theories (SMT)
- This is a tradeoff
SBE to LBE: Example
(Figure: SBE vs. LBE)
Program and CFA
- We work on a simple imperative programming language:
  - Assume operations
  - Assignments
  - Just integers
- A program is represented by a Control Flow Automaton (CFA): A = (L, G)
- Program: P = (A, l0, lE)
- A concrete data state of the program is a variable assignment c that assigns an integer value to each variable
- A formula φ represents the set S of states c that satisfy it: S = {c | c |= φ}
- SP_op(φ) represents the set of data states that are reachable from states in region φ after applying op
Predicate Abstraction
- We define a precision (written π) as a finite subset of the universal predicate set of the program
- Cartesian Predicate Abstraction: the Cartesian PA φ^C_π of a formula φ is the strongest conjunction of predicates from π entailed by φ
  - This is used as an abstract state
- Boolean Predicate Abstraction: the Boolean PA φ^B_π of a formula φ is the strongest Boolean combination of predicates from π entailed by φ
Predicate Abstraction

  Cartesian abstraction | Boolean abstraction
  ----------------------+--------------------
  Simple                | Complex
  Efficient             | Expensive
  Imprecise             | Precise

- This is a tradeoff
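Worked example (added here; it is not part of the original slides or the paper, and all names in it are my own): the two abstractions computed side by side for a large-block formula. A small bounded integer domain stands in for the SMT solver, so "entailed by φ" is decided by enumerating concrete states. The formula PHI, the precision PI and the property SAFE are constructed for the example. The Cartesian abstraction here keeps negated predicates as well as positive ones, which is how BLAST-style implementations use it; the example also shows why LBE with Cartesian abstraction loses precision once a block carries a disjunction.

```python
from itertools import product

# Assumption: a small bounded integer domain stands in for the SMT solver that the
# paper uses, so entailment is decided by exhaustive enumeration instead of SMT queries.
DOMAIN = range(-2, 3)
VARS = ("x", "y")


def all_states():
    """Every concrete data state c: an assignment of an integer from DOMAIN to each variable."""
    for vals in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def models(phi):
    """The region S = {c | c |= phi} represented by formula phi (a predicate on states)."""
    return [c for c in all_states() if phi(c)]


def cartesian_abstraction(phi, pi):
    """Cartesian PA of phi w.r.t. precision pi: the strongest conjunction of literals
    (a predicate from pi or its negation) entailed by phi. Returned as {name: truth};
    a predicate missing from the result is neither entailed nor refuted by phi."""
    ms = models(phi)
    literals = {}
    for name, pred in pi.items():
        truth = {pred(c) for c in ms}
        if len(truth) == 1:            # every model of phi agrees on this predicate
            literals[name] = truth.pop()
    return literals


def boolean_abstraction(phi, pi):
    """Boolean PA of phi w.r.t. pi: the strongest Boolean combination of predicates from pi
    entailed by phi, in DNF as the set of predicate valuations realised by some model of phi."""
    names = tuple(pi)
    return frozenset(tuple(pi[n](c) for n in names) for c in models(phi))


def concretize_cartesian(literals, pi):
    """States satisfying the conjunction of the entailed literals."""
    return lambda c: all(pi[n](c) == v for n, v in literals.items())


def concretize_boolean(minterms, pi):
    """States whose predicate valuation is one of the realised minterms."""
    names = tuple(pi)
    return lambda c: tuple(pi[n](c) for n in names) in minterms


def entails(region, prop):
    """True iff every concrete state in the abstract region satisfies prop."""
    return all(prop(c) for c in models(region))


# Constructed large-block formula: what Rule 2 (choice) produces for the loop-free fragment
#   if (*) { x = 0; y = 1; } else { x = 1; y = 0; }
# Both branches end up as one disjunction on a single CFA edge.
def PHI(c):
    return (c["x"] == 0 and c["y"] == 1) or (c["x"] == 1 and c["y"] == 0)


# Constructed precision pi: the predicates an error check on x and y would need.
PI = {"x==0": lambda c: c["x"] == 0, "y==0": lambda c: c["y"] == 0}


def SAFE(c):
    """Property to prove: the block never leaves both x and y at 0."""
    return not (c["x"] == 0 and c["y"] == 0)


def compare():
    cart = cartesian_abstraction(PHI, PI)
    bool_ = boolean_abstraction(PHI, PI)
    return {
        "cartesian": cart,                 # {}: the conjunction collapses to "true"
        "boolean": sorted(bool_),          # [(False, True), (True, False)]
        "cartesian_proves_safe": entails(concretize_cartesian(cart, PI), SAFE),
        "boolean_proves_safe": entails(concretize_boolean(bool_, PI), SAFE),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Neither x==0 nor y==0 is entailed by the disjunction on its own, so the Cartesian abstraction is the empty conjunction (true) and can no longer rule out the state x=0, y=0: the model checker would report a spurious error and have to refine. The Boolean abstraction keeps the correlation between the two predicates as a disjunction of minterms and proves the property directly. Under SBE each branch is its own edge, so the abstract states never contain a disjunction and the cheap Cartesian abstraction suffices.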
Single-Block Encoding
ART-Based SMC with SBE
- The precision function assigns a precision (a set of predicates) to each program location
- The nodes of the ART are pairs n = (l, φ)
- The tree is complete when every node is either covered or has all of its possible abstract successor states present in the ART as its children
- If the final ART does not have any error nodes, then we are done
- Else the error path is checked for feasibility:
  - If feasible: the error is reported
  - If not feasible: refinement!
- For practical reasons, SBE uses Cartesian abstraction
Large-Block Encoding
Summarization of CFA
- Each large control-flow subgraph that is free of loops is replaced with a single control-flow edge carrying a large formula
- This is done by applying the following rules:
  - Rule 0 (Error Sink): make every error location a sink
  - Rule 1 (Sequence): remove intermediate nodes and go directly to the successor nodes
  - Rule 2 (Choice): if there are two edges between two nodes, replace them with a single edge
Summarization of CFA (cont.)
(Figure: Rule 1)
(Figure: Rule 2)
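Worked example (added here; not code from the paper, the slides or CPAchecker): the three summarization rules applied to a small CFA until none fires. The side conditions for Rule 1 are my assumptions, since the slides do not spell them out: a location is bypassed only if it is neither the initial nor the error location, has exactly one incoming edge, that edge is not a self-loop (so loop heads survive), and it has at least one outgoing edge. The CFAs DIAMOND and LOOP are constructed for the example; the operations are strings in the page's simple language.

```python
from collections import defaultdict


def seq(op1, op2):
    """Sequential composition op1; op2 (produced by Rule 1)."""
    return ("seq", op1, op2)


def choice(op1, op2):
    """Nondeterministic choice op1 || op2 (produced by Rule 2)."""
    return ("choice", op1, op2)


def render(op):
    """Print a large-block formula; a plain string is a single program operation."""
    if isinstance(op, str):
        return op
    kind, a, b = op
    if kind == "seq":
        return f"{render(a)}; {render(b)}"
    return f"({render(a)} || {render(b)})"


def summarize(edges, init, error):
    """Apply Rules 0-2 to a CFA given as a list of (src, op, dst) edges until no rule fires.
    Assumed side conditions for Rule 1 (not stated on the slides): the bypassed location is
    neither init nor error, has exactly one incoming edge, that edge is not a self-loop, and
    it has at least one outgoing edge."""
    # Rule 0: error locations become sinks, i.e. lose all outgoing edges.
    edges = [e for e in edges if e[0] != error]
    changed = True
    while changed:
        changed = False
        # Rule 2: several edges between the same pair of locations become one choice edge.
        parallel = defaultdict(list)
        for src, op, dst in edges:
            parallel[(src, dst)].append(op)
        for (src, dst), ops in parallel.items():
            if len(ops) > 1:
                merged = ops[0]
                for op in ops[1:]:
                    merged = choice(merged, op)
                edges = [e for e in edges if (e[0], e[2]) != (src, dst)] + [(src, merged, dst)]
                changed = True
                break
        if changed:
            continue
        # Rule 1: bypass an intermediate location, composing the operations in sequence.
        for loc in sorted({n for e in edges for n in (e[0], e[2])}):
            if loc in (init, error):
                continue
            incoming = [e for e in edges if e[2] == loc]
            outgoing = [e for e in edges if e[0] == loc]
            if len(incoming) != 1 or not outgoing or incoming[0][0] == loc:
                continue
            pred, op1, _ = incoming[0]
            edges = [e for e in edges if loc not in (e[0], e[2])]
            edges += [(pred, seq(op1, op2), succ) for _, op2, succ in outgoing]
            changed = True
            break
    return edges


def locations(edges):
    """Sorted list of locations still present in the CFA."""
    return sorted({n for e in edges for n in (e[0], e[2])})


# Constructed CFA for:  x = 0; if (x > 0) y = 1; else y = 2; if (y == 0) ERROR;
DIAMOND = [
    ("l0", "x = 0", "l1"),
    ("l1", "assume x > 0", "l2"), ("l1", "assume x <= 0", "l3"),
    ("l2", "y = 1", "l4"), ("l3", "y = 2", "l4"),
    ("l4", "assume y == 0", "lE"), ("l4", "assume y != 0", "l5"),
]

# Constructed CFA with a loop:  x = 0; while (x < 5) x = x + 1;
LOOP = [
    ("l0", "x = 0", "l1"),
    ("l1", "assume x < 5", "l2"), ("l2", "x = x + 1", "l1"),
    ("l1", "assume x >= 5", "l3"),
]


def summarize_rendered(edges, init="l0", error="lE"):
    """The large-block CFA as {(src, dst): formula string}."""
    return {(s, d): render(op) for s, op, d in summarize(edges, init, error)}


if __name__ == "__main__":
    for name, cfa in (("diamond", DIAMOND), ("loop", LOOP)):
        print(name, locations(cfa), "->", locations(summarize(cfa, "l0", "lE")))
        for (s, d), formula in summarize_rendered(cfa).items():
            print(f"  {s} -> {d}: {formula}")
```

For DIAMOND the seven locations collapse to three (l0, l5 and the error sink lE) and the whole if/else becomes one choice formula that is then sequenced with the final assume, which is exactly the disjunction an abstract successor computation has to handle under LBE. For LOOP the loop head l1 keeps two incoming edges, so only the body is summarized into a single self-loop edge; the loop itself is never folded away.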
Example
(Figure)
SBE vs. LBE
- LBE:
  - Possibly exponentially smaller ARTs
  - Fewer abstraction refinement steps
  - Each step is more expensive than in SBE
  - More expressive representation of abstract states
Experimental Configs
- In the paper, BLAST is used for the model checking phase
- All four configs are tested:
  - bfs
  - dfs
  - predH 0
  - predH 7
- The config -dfs -predH 7 is the winner for programs without defects
- For unsafe programs -bfs -predH 7 is the winner
Performance Results
(Figure: performance results)
Experiments
- In the experiments, all four combinations of LBE vs. SBE and Cartesian vs. Boolean abstraction are tested
- Results:
  - SBE doesn't benefit from Boolean abstraction
  - The combination of LBE with Cartesian abstraction failed to solve any experiments due to the loss of precision
  - SBE + Cart. Abs is OK
  - LBE + Bool. Abs is OK