3,341 research outputs found
Software Model Checking via Large-Block Encoding
The construction and analysis of an abstract reachability tree (ART) are the
basis for a successful method for software verification. The ART represents
unwindings of the control-flow graph of the program. Traditionally, a
transition of the ART represents a single block of the program, and therefore,
we call this approach single-block encoding (SBE). SBE may result in a huge
number of program paths to be explored, which constitutes a fundamental source
of inefficiency. We propose a generalization of the approach, in which
transitions of the ART represent larger portions of the program; we call this
approach large-block encoding (LBE). LBE may reduce the number of paths to be
explored up to exponentially. Within this framework, we also investigate
symbolic representations: for representing abstract states, in addition to
conjunctions as used in SBE, we investigate the use of arbitrary Boolean
formulas; for computing abstract-successor states, in addition to Cartesian
predicate abstraction as used in SBE, we investigate the use of Boolean
predicate abstraction. The new encoding leverages the efficiency of
state-of-the-art SMT solvers, which can symbolically compute abstract
large-block successors. Our experiments on benchmark C programs show that the
large-block encoding outperforms the single-block encoding.Comment: 13 pages (11 without cover), 4 figures, 5 table
A Multi-Core Solver for Parity Games
We describe a parallel algorithm for solving parity games,\ud
with applications in, e.g., modal mu-calculus model\ud
checking with arbitrary alternations, and (branching) bisimulation\ud
checking. The algorithm is based on Jurdzinski's Small Progress\ud
Measures. Actually, this is a class of algorithms, depending on\ud
a selection heuristics.\ud
\ud
Our algorithm operates lock-free, and mostly wait-free (except for\ud
infrequent termination detection), and thus allows maximum\ud
parallelism. Additionally, we conserve memory by avoiding storage\ud
of predecessor edges for the parity graph through strictly\ud
forward-looking heuristics.\ud
\ud
We evaluate our multi-core implementation's behaviour on parity games\ud
obtained from mu-calculus model checking problems for a set of\ud
communication protocols, randomly generated problem instances, and\ud
parametric problem instances from the literature.\ud
\u
PrIC3: Property Directed Reachability for MDPs
IC3 has been a leap forward in symbolic model checking. This paper proposes
PrIC3 (pronounced pricy-three), a conservative extension of IC3 to symbolic
model checking of MDPs. Our main focus is to develop the theory underlying
PrIC3. Alongside, we present a first implementation of PrIC3 including the key
ingredients from IC3 such as generalization, repushing, and propagation
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
GPUVerify: A Verifier for GPU Kernels
We present a technique for verifying race- and divergence-freedom of GPU kernels that are written in mainstream ker-nel programming languages such as OpenCL and CUDA. Our approach is founded on a novel formal operational se-mantics for GPU programming termed synchronous, delayed visibility (SDV) semantics. The SDV semantics provides a precise definition of barrier divergence in GPU kernels and allows kernel verification to be reduced to analysis of a sequential program, thereby completely avoiding the need to reason about thread interleavings, and allowing existing modular techniques for program verification to be leveraged. We describe an efficient encoding for data race detection and propose a method for automatically inferring loop invari-ants required for verification. We have implemented these techniques as a practical verification tool, GPUVerify, which can be applied directly to OpenCL and CUDA source code. We evaluate GPUVerify with respect to a set of 163 kernels drawn from public and commercial sources. Our evaluation demonstrates that GPUVerify is capable of efficient, auto-matic verification of a large number of real-world kernels
Why Just Boogie? Translating Between Intermediate Verification Languages
The verification systems Boogie and Why3 use their respective intermediate
languages to generate verification conditions from high-level programs. Since
the two systems support different back-end provers (such as Z3 and Alt-Ergo)
and are used to encode different high-level languages (such as C# and Java),
being able to translate between their intermediate languages would provide a
way to reuse one system's features to verify programs meant for the other. This
paper describes a translation of Boogie into WhyML (Why3's intermediate
language) that preserves semantics, verifiability, and program structure to a
large degree. We implemented the translation as a tool and applied it to 194
Boogie-verified programs of various sources and sizes; Why3 verified 83% of the
translated programs with the same outcome as Boogie. These results indicate
that the translation is often effective and practically applicable
- âŠ