smt based software model checking experimental comparison
play

SMT-based Software Model Checking: Experimental Comparison of Four - PowerPoint PPT Presentation

Apr 01, 2023 •227 likes •496 views

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

  1. SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany

  2. SMT-based Software Model Checking ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2LS , ...) ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) ◮ Property-Directed Reachability (PDR, also known as IC3) ( Seahorn , VVT , ...) ◮ ... Matthias Dangl University of Passau, Germany 2 / 24

  3. SMT-based Software Model Checking ◮ Bounded Model Checking ( Cbmc , CPAchecker , Esbmc , ...) ◮ k -Induction ( CPAchecker , Esbmc , 2LS , ...) ◮ Predicate Abstraction ( Blast , CPAchecker , Slam , ...) ◮ Impact ( CPAchecker , Impact , Wolverine , ...) Matthias Dangl University of Passau, Germany 2 / 24

  4. Our Goals ◮ Perform an extensive comparative evaluation ◮ Confirm intuitions about strengths ◮ Determine potential of extensions and combinations Matthias Dangl University of Passau, Germany 3 / 24

  5. Approach ◮ Understand, and, if necessary, re-formulate the algorithms ◮ Implement all algorithms in one tool ( CPAchecker ) ◮ Run the algorithms on a large set of benchmarks ◮ Measure efficiency and effectiveness Matthias Dangl University of Passau, Germany 4 / 24

  6. Experimental Validity: All Algorithms in one Tool Compare algorithms, not tools: ◮ Share same front-end code ◮ Share same utilities ◮ Share same SMT-solver integration ◮ Share algorithm-independent optimizations → Differences in performance must be caused by algorithms Matthias Dangl University of Passau, Germany 5 / 24

  7. Bounded Model Checking ◮ Bounded Model Checking: ◮ Biere, Cimatti, Clarke, Zhu: [TACAS’99] ◮ No abstraction ◮ Unroll loops up to a loop bound k ◮ Check that P holds in the first k iterations: k � P ( i ) i =1 ◮ Good for finding bugs Matthias Dangl University of Passau, Germany 6 / 24

  8. k -Induction ◮ k -Induction generalizes the induction principle: ◮ No abstraction ◮ Base case: Check that P holds in the first k iterations: → Equivalent to BMC with loop bound k ◮ Step case: Check that the safety property is k -inductive: �� k � � � ∀ n : P ( n + i − 1) = ⇒ P ( n + k ) i =1 ◮ Stronger hypothesis is more likely to succeed ◮ Add auxiliary invariants ◮ Kahsai, Tinelli: [PDMC’11] ◮ Heavy-weight proof technique Matthias Dangl University of Passau, Germany 7 / 24

  9. k -Induction with Auxiliary Invariants Induction: Invariant generation: 1: prec = <weak> 1: k = 1 2: while !finished do 2: invariants = ∅ BMC(k) 3: while !finished do 3: Induction( k , invariants) invariants = GenInv(prec) 4: 4: k ++ prec = RefinePrec(prec) 5: 5: Matthias Dangl University of Passau, Germany 8 / 24

  10. Predicate Abstraction ◮ Predicate Abstraction ◮ Graf, Saïdi: [CAV’97] ◮ Abstract-Interpretation technique ◮ Abstract domain constructed from a set of predicates π ◮ Use CEGAR to add predicates to π (refinement) ◮ Derive new predicates using Craig interpolation ◮ Good for finding proofs Matthias Dangl University of Passau, Germany 9 / 24

  11. Impact ◮ Impact ◮ "Lazy Abstraction with Interpolants" ◮ McMillan: [CAV’06] ◮ Counter-draft to predicate abstraction ◮ Abstraction is derived dynamically/lazily ◮ Solution to avoiding expensive abstraction computations ◮ Compute fixed point over three operations ◮ Expand ◮ Refine ◮ Cover ◮ Quick exploration of the state space ◮ Good for finding bugs Matthias Dangl University of Passau, Germany 10 / 24

  12. Experimental Comparison ◮ 4 779 verification tasks taken from SV-COMP’16 ◮ 15 min timeout (CPU time) ◮ 15 GB memory ◮ Measured with BenchExec Matthias Dangl University of Passau, Germany 11 / 24

  13. All 3 459 bug-free tasks 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 500 1000 1500 2000 2500 n-th fastest correct proof Matthias Dangl University of Passau, Germany 12 / 24

  14. All 1 320 tasks with known bugs 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 100 200 300 400 500 600 n-th fastest correct alarm Matthias Dangl University of Passau, Germany 13 / 24

  15. Category: Device Drivers ◮ Several thousands LOC per task ◮ Complex structures ◮ Pointer arithmetics Matthias Dangl University of Passau, Germany 14 / 24

  16. Category: Device Drivers 1 857 bug-free tasks: 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 200 400 600 800 1000 1200 n-th fastest correct result Matthias Dangl University of Passau, Germany 15 / 24

  17. Category: Device Drivers 263 tasks with known bugs: 1000 100 CPU time (s) 10 BMC k-Induction Predicate Abstraction Impact 1 0 10 20 30 40 50 n-th fastest correct result Matthias Dangl University of Passau, Germany 16 / 24

  18. Category: Event Condition Action Systems ◮ Several thousand LOC per task ◮ Auto-generated ◮ Only integer variables ◮ Linear and non-linear arithmetics ◮ Complex and dense control structure Matthias Dangl University of Passau, Germany 17 / 24

  19. Category: Event Condition Action Systems ◮ Several thousand LOC per task ◮ Auto-generated ◮ Only integer variables ◮ Linear and non-linear arithmetics ◮ Complex and dense control structure if (((a24==3) && (((a18==10) && ((input == 6) && ((115 < a3) && (306 >= a3)))) && (a15==4)))) { a3 = (((a3 ∗ 5) + − 583604) ∗ 1); a24 = 0; a18 = 8; return − 1; } Matthias Dangl University of Passau, Germany 17 / 24

  20. Category: Event Condition Action Systems 734 bug-free tasks: 1000 100 CPU time (s) 10 k-Induction Predicate Abstraction Impact 1 0 100 200 300 400 500 n-th fastest correct result Matthias Dangl University of Passau, Germany 18 / 24

  21. Category: Event Condition Action Systems 406 tasks with known bugs: Only BMC and k -Induction find one bug (the same one). Matthias Dangl University of Passau, Germany 19 / 24

  22. Category: Product Lines ◮ Several hundred LOC ◮ Mostly integer variables, some structs ◮ Mostly simple linear arithmetics ◮ Lots of property-independent code Matthias Dangl University of Passau, Germany 20 / 24

  23. Category: Product Lines 332 bug-free tasks: 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 50 100 150 200 250 300 350 n-th fastest correct result Matthias Dangl University of Passau, Germany 21 / 24

  24. Category: Product Lines 265 tasks with known bugs: 1000 100 CPU time (s) 10 BMC k-Induction Predicate abstraction Impact 1 0 50 100 150 200 250 n-th fastest correct result Matthias Dangl University of Passau, Germany 22 / 24

  25. Summary We reconfirm that ◮ BMC is a good bug hunter ◮ k -Induction is a heavy-weight proof technique: effective, but slow ◮ CEGAR makes abstraction techniques (Predicate Abstraction, Impact) scalable ◮ Impact is lazy, and explores the state space and finds bugs quicker ◮ Predicate Abstraction is eager, and prunes irrelevant parts and finds proofs quicker Matthias Dangl University of Passau, Germany 23 / 24

  26. Outlook ◮ Abstraction is required for scalability ◮ k -Induction needs some form of abstraction ◮ Maybe the ideas of k -Induction can be transferred to PDR Matthias Dangl University of Passau, Germany 24 / 24

Recommend

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given property

957 views • 33 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

628 views • 34 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

301 views • 8 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

777 views • 31 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas

Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas

Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva lcc08r@ecs.soton.ac.uk

639 views • 37 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Daniele Sgandurra Introduction Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development via Model Checking Lazy Abstraction Reachability Tree Seminar Complete

970 views • 95 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Model-checking Erlang - A Comparison between EtomCRL2 and McErlang Clara Benac Earle and Lars-

Model-checking Erlang - A Comparison between EtomCRL2 and McErlang Clara Benac Earle and Lars-

Model-checking Erlang - A Comparison between EtomCRL2 and McErlang Clara Benac Earle and Lars- Qiang Guo, John Derrick Ake Fredlund Department of Computer Science Facultad de Inform atica, The University of Sheffield Universidad Polit

452 views • 33 slides
Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan Patrice Godefroid

Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan Patrice Godefroid

Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan Patrice Godefroid UC Santa Cruz Bell Labs Presented by: Ulrich Mller Model Checking Given a multithreaded program Wed like to check for deadlocks and

462 views • 17 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

638 views • 45 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

672 views • 66 slides
Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1

Predicate-Based Model Checking Dirk Beyer LMU Munich, Germany Dirk Beyer LMU Munich, Germany 1 / 1 Based on: Dirk Beyer, Matthias Dangl, Philipp Wendler: A Unifying View on SMT-Based Software Verification Journal of Automated Reasoning,

658 views • 62 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F.

Improved Algorithms for the Automata-based Approach to Model-Checking L. Doyen (EPFL) and J.-F. Raskin (ULB) TACAS 2007 Braga - Portugal March 28, 2007 Automata-based approach to model-checking Programs and properties are formalized as

812 views • 52 slides

More recommend