1 / 71

An Improved Distance Heuristic Function for Directed Software Model Checking

This research proposes an improved distance heuristic function for directed software model checking, addressing the challenges of growing complexity in embedded systems.

grigsby
Download Presentation

An Improved Distance Heuristic Function for Directed Software Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Improved Distance Heuristic Function for Directed Software Model Checking Neha Rungta and Eric G. Mercer Software Model Checking Lab Computer Science Department Brigham Young University Provo, UT - 84602

  2. Motivation • Use of embedded systems has become ubiquitous • Growing complexity challenges ad-hoc testing methods • Vector simulation finds bugs in the early design phase • Code coverage techniques are not feasible • Low-level scheduling decisions create concurrency errors • Motivates a need for a formal approach to find these errors

  3. Software Model Checking int b = 1009 void simple(){ int a; read a; if (a > 1000) assert(b != a) } • It builds a model for a given software system

  4. Simple program start int b = 1009 void simple(){ int a; read a; if (a > 1000) assert(b != a) } max int a=0 a=1 a=2 1009 exit assertb != a assertb != a • It builds a model for a given software system • The transition graph represents all the behaviors of the system

  5. Simple program start int b = 1009 void simple(){ int a; read a; if (a > 1000) assert(b != a) } max int a=0 a=1 a=2 1009 exit assertb!=a assertb!=a error • It builds a model for a given software system • The transition graph represents all the behaviors of the system • The property being verified is whether there exists a path to the error

  6. Exhaustive Search - DFS

  7. Exhaustive Search - DFS

  8. Exhaustive Search - DFS

  9. Exhaustive Search - DFS

  10. Exhaustive Search - DFS

  11. Exhaustive Search - DFS e

  12. Exhaustive Search - BFS

  13. Exhaustive Search - BFS

  14. Exhaustive Search - BFS

  15. Exhaustive Search - BFS

  16. Exhaustive Search - BFS e

  17. Guided Best-first Search

  18. Guided Best-first Search 9 12 2

  19. Guided Best-first Search 9 12 2 4 2 1

  20. Guided Best-first Search 9 12 2 4 2 1 1 1 e

  21. Related Work on Heuristic estimates • Edelkamp, Lafuente, and Leue • Minimum number of changes in program values • Seppi, Jones, and Lamborn • Use Bayesian reasoning • Visser and Groce • Structural properties of thread interdependencies • Edelkamp and Mehler • Minimal number of transitions (FSM distance) • Rungta and Mercer • Use partial context information to improve FSM distance

  22. start m0 ƒoo call ƒoo m1 call ƒoo m2 exit m3 assert FSM Distance Heuristic main

  23. call ƒoo FSM Distance Heuristic main start m0 ƒoo call ƒoo m1 m2 exit m3 assert

  24. call ƒoo FSM Distance Heuristic main m1 ƒoo call ƒoo m1 m2 ƒoo exit m3 assert m2 m3

  25. FSM Distance Heuristic m1 pc = m1 x=1, y=2 Runtime stack ƒoo m2 m3

  26. FSM Distance Heuristic m1 pc = m1 x=1, y=2 Runtime stack ƒoo m2 m3

  27. FSM Distance Heuristic m1 pc = m1 x=1, y=2 Runtime stack ƒoo 2 steps m2 m3

  28. main ƒoo call ƒoo m1 m2 call ƒoo exit m3 assert Lack of Context m1 ƒoo 4 steps m2 m3

  29. ƒoo call ƒoo m1 m2 call ƒoo exit m3 assert k-bounded Graph main m1 ƒoo(m2) ƒoo(m3) m2 m3

  30. main ƒoo call ƒoo m1 m2 call ƒoo exit m3 assert k-bounded Graph m1 ƒoo(m2) ƒoo(m3) m2 m3

  31. ƒoo call ƒoo m1 m2 call ƒoo exit m3 assert k-bounded Graph main m1 ƒoo(m2) ƒoo(m3) 4 steps m2 m3

  32. call ƒoo EFSM Distance Heuristic main ƒoo start m0 start f0 call ƒoo m1 call test f1 m2 end f2 m3 assert test

  33. call ƒoo EFSM Distance Heuristic main ƒoo start m0 start f0 call ƒoo m1 call test f1 m2 end f2 m3 assert test

  34. ƒoo main call ƒoo m1 call test m2 f1 call ƒoo end f2 m3 test assert EFSM Distance Heuristic m1: call ƒoo f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  35. ƒoo main call ƒoo m1 call test m2 f1 call ƒoo end f2 m3 test assert EFSM Distance Heuristic m1: call ƒoo f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  36. ƒoo main call ƒoo m1 call test m2 f1 call ƒoo end f2 m3 test assert EFSM Distance Heuristic m1: call ƒoo f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  37. Recreate the call trace Stack frame for main m2 m2 Return Add :m2 ƒ2 m2 ƒ2 m2 Stack frame for ƒoo Return Add : ƒ2 test ƒ2 test ƒ2 Stack frame fortest

  38. EFSM Distance Heuristic m1: call ƒoo m2 f1: call test (m2) f1: call test (m3) ƒ2 m2 test (ƒ2) test ƒ2 f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  39. EFSM Distance Heuristic m1: call ƒoo m2 f1: call test (m2) f1: call test (m3) ƒ2 m2 test (ƒ2) test ƒ2 f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  40. EFSM Distance Heuristic m1: call ƒoo m2 f1: call test (m2) f1: call test (m3) ƒ2 m2 test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  41. EFSM Distance Heuristic m1: call ƒoo m2 f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  42. EFSM Distance Heuristic the Heuristic m1: call ƒoo f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) 6 steps m3 m2: call ƒoo

  43. ƒoo main call ƒoo m1 call test m2 f1 call ƒoo end f2 m3 test assert Forward estimates are inaccurate m1: call ƒoo f1: call test (m2) f1: call test (m3) test (ƒ2) f2: end (m2) f2: end (m3) m3 m2: call ƒoo

  44. Full Context Aware (FCA) • Assume no recursion and resolved call-sites • Statically compute distance estimates • Full context information in the forward direction

  45. main sub1 start s1 start m1 assert call s1 s2 m2 s3 m3 end end s4 m4 Full Context Example exit Error Handling

  46. main start m1 1 call s1 m2 m3 end m4 Start DFS at Main CFG sub1 s1 start assert s2 s3 end s4

  47. At Call node move to Target main sub1 s1 start start m1 1 assert call s1 s2 m2 s3 m3 end end s4 m4

  48. Note the edge costs of nodes main sub1 s1 start start m1 1 1 assert call s1 s2 m2 1 s3 m3 1 end end s4 m4

  49. Backtrack at end nodes main sub1 s1 start start m1 1 1 assert call s1 s2 m2 1 s3 m3 1 end end s4 m4

  50. All-pairs Analysis out of Start main sub1 dend = 3 derror = 1 s1 start start m1 1 1 assert dend = 2 derror = 0 call s1 s2 m2 1 dend = 1 derror =  s3 m3 1 dend = 0 derror =  end end s4 m4

More Related