1,728 research outputs found
The software model checker BLAST: Applications to software engineering
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs
Lazy Shape Analysis
Many software model checkers are based on predicate abstraction. If
the verification goal depends on pointer structures, the approach does
not work well, because it is difficult to find adequate predicate
abstractions for the heap. In contrast, shape analysis, which uses
graph-based heap abstractions, can provide a compact representation of
recursive data structures. We integrate shape analysis into the
software model checker BLAST. Because shape analysis is expensive, we
do not apply it globally. Instead, we ensure that, like predicates,
shape graphs are computed and stored locally, only where necessary for
proving the verification goal. To achieve this, we extend lazy
abstraction refinement, which so far has been used only for predicate
abstractions, to three-valued logical structures. This approach does
not only increase the precision of model checking, but it also
increases the efficiency of shape analysis. We implemented the
technique by extending BLAST with calls to TVLA
Software Model Checking via Large-Block Encoding
The construction and analysis of an abstract reachability tree (ART) are the
basis for a successful method for software verification. The ART represents
unwindings of the control-flow graph of the program. Traditionally, a
transition of the ART represents a single block of the program, and therefore,
we call this approach single-block encoding (SBE). SBE may result in a huge
number of program paths to be explored, which constitutes a fundamental source
of inefficiency. We propose a generalization of the approach, in which
transitions of the ART represent larger portions of the program; we call this
approach large-block encoding (LBE). LBE may reduce the number of paths to be
explored up to exponentially. Within this framework, we also investigate
symbolic representations: for representing abstract states, in addition to
conjunctions as used in SBE, we investigate the use of arbitrary Boolean
formulas; for computing abstract-successor states, in addition to Cartesian
predicate abstraction as used in SBE, we investigate the use of Boolean
predicate abstraction. The new encoding leverages the efficiency of
state-of-the-art SMT solvers, which can symbolically compute abstract
large-block successors. Our experiments on benchmark C programs show that the
large-block encoding outperforms the single-block encoding.Comment: 13 pages (11 without cover), 4 figures, 5 table
Development of a framework for automated systematic testing of safety-critical embedded systems
āThis material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder." āCopyright IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.āIn this paper we introduce the development of a framework for testing safety-critical embedded systems based on the concepts of model-based testing. In model-based testing the test cases are derived from a model of the system under test. In our approach the model is an automaton model that is automatically extracted from the C-source code of the system under test. Beside random test data generation the test case generation uses formal methods, in detail model checking techniques. To find appropriate test cases we use the requirements defined in the system specification. To cover further execution paths we developed an additional, to our best knowledge, novel method based on special structural coverage criteria. We present preliminary results on the model extraction using a concrete industrial case study from the automotive domain
Model Checking with Program Slicing Based on Variable Dependence Graphs
In embedded control systems, the potential risks of software defects have
been increasing because of software complexity which leads to, for example,
timing related problems. These defects are rarely found by tests or
simulations. To detect such defects, we propose a modeling method which can
generate software models for model checking with a program slicing technique
based on a variable dependence graph. We have applied the proposed method to
one case in automotive control software and demonstrated the effectiveness of
the method. Furthermore, we developed a software tool to automate model
generation and achieved a 35% decrease in total verification time on model
checking.Comment: In Proceedings FTSCS 2012, arXiv:1212.657
Model Checker Execution Reports
Software model checking constitutes an undecidable problem and, as such, even
an ideal tool will in some cases fail to give a conclusive answer. In practice,
software model checkers fail often and usually do not provide any information
on what was effectively checked. The purpose of this work is to provide a
conceptual framing to extend software model checkers in a way that allows users
to access information about incomplete checks. We characterize the information
that model checkers themselves can provide, in terms of analyzed traces, i.e.
sequences of statements, and safe cones, and present the notion of execution
reports, which we also formalize. We instantiate these concepts for a family of
techniques based on Abstract Reachability Trees and implement the approach
using the software model checker CPAchecker. We evaluate our approach
empirically and provide examples to illustrate the execution reports produced
and the information that can be extracted
- ā¦