1 / 25

External Program Model Checking

This paper presents StEAM, an innovative external model checker designed for checking software implementations rather than relying solely on formal specifications. The authors describe the motivation behind software model checking, the algorithmic approach used in StEAM, and key experimental results from its application, demonstrating error detection capabilities and exploration efficiency. Notably, the study includes case analyses of classic problems like the Dining Philosophers and the 8-Puzzle, showcasing the model's performance in handling complex state spaces. StEAM serves as a breakthrough tool for non-deterministic software analysis.

riva
Download Presentation

External Program Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. External Program Model Checking Stefan Edelkamp, Shahid Jabar, Dino Midzic, Daniel Rikowski and Damian Sulewski Computer Science Department University of Dortmund Otto-Hahn Straße 14

  2. Motivation - Overview - Why software model checking - States in our program model checker StEAM - Externalization Algorithm - Experimental results

  3. Checking a software implementation rather then a formal specification manual rewriting Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Formal specification of code Model checker

  4. Checking a software implementation rather then a formal specification manual rewriting Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Formal specification of code Model checker

  5. Checking a software implementation rather then a formal specification manual rewriting Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Error trail Model checker

  6. Using a virtual machine to explore a model Compiler Model checker Virtual Machine Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; }

  7. Model checker Compiler Model checker Virtual Machine Virtual Machine Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Int main(int argc, char ** argv) { int a = 0; int b = 7; int c = b / a; } Using a virtual machine to explore a model + Can detect errors in the implementation + User is not required to be familiar with modeling language - Exceeds the available memory - Slows down the exploration Assumes an error free virtual machine

  8. Model checker Virtual Machine Techniques for state space compression - Partial order reduction - Minimal binary state encoding - Abstraction methods - Bit-state hashing - Search heuristics

  9. External model checking - Using virtual memory can slow down the performance significantly - General purpose virtual memory scheme is used - External memory algorithms are more informed about the states - Show remarkable performance in the large-scale analysis of games - Introduced in explicit-state model checker SPIN

  10. m1 m2 mn Obj. file mem. Image(MI) sn s1 s2 PC FP SP R0 … FP0 PC FP SP R0 … FP0 PC FP SP R0 … FP0 ------------------------ zero ebd<_erno> move (4,%r2),%r3 … … ------------------------ Int a,b,c … ------------------------ Int d=12 Int e=17 Int f=-1 … ------------------------ Code-Section BSS-Section lock-pool li1 BSS-memory li2 Data-Section li3 a=4 b=6 c=12 memory-pool mn1 dyn. alloc.regions mn2 mn3 =physical memory = VM_memory =program memory States in StEAM

  11. The externalization algorithm - Relaxed the requirement of a constant main memory - Mini-states - Pointer to a full system state on the secondary memory - Its predecessor information - Constant size in contrast to a full state

  12. Mini-states Cache Secondary memory Internal memory The externalization algorithm

  13. Internal memory The externalization algorithm Mini-states Cache Secondary memory

  14. Internal memory The externalization algorithm Mini-states Cache Secondary memory

  15. Internal memory The externalization algorithm Mini-states Cache Secondary memory

  16. Internal memory The externalization algorithm Mini-states Cache Secondary memory

  17. Full state Caches Files The externalization algorithm - external collapse compression Data - Section BSS - Section Stack Fixed values

  18. Experimental results - first running case study: the Dining Philosophers

  19. Experimental results – Philosophers using most blocked heuristic Internal memoryin MB Philosophers

  20. Experimental results – Philosophers using most blocked heuristic Time in seconds Philosophers

  21. Experimental results – Philosophers using most blocked heuristic Time in seconds Philosophers

  22. Experimental results - second running case study: the 8-Puzzle 7 6 8 5 3 4 1 2

  23. Experimental results – 8-Puzzle using Breath First Search Time in seconds Moves

  24. Experimental results – 8-Puzzle using Breath First Search Internal memory in MB Moves

  25. - Further information on http://bugfinder.sourceforge.net Conclusion and future work - StEAM is the first external program model checker - Largest exploration in program model checking - Software still experimental - Can be used for non-deterministic programs

More Related