74 research outputs found
Fast LTL Satisfiability Checking by SAT Solvers
Satisfiability checking for Linear Temporal Logic (LTL) is a fundamental step
in checking for possible errors in LTL assertions. Extant LTL satisfiability
checkers use a variety of different search procedures. With the sole exception
of LTL satisfiability checking based on bounded model checking, which does not
provide a complete decision procedure, LTL satisfiability checkers have not
taken advantage of the remarkable progress over the past 20 years in Boolean
satisfiability solving. In this paper, we propose a new LTL
satisfiability-checking framework that is accelerated using a Boolean SAT
solver. Our approach is based on the variant of the \emph{obligation-set
method}, which we proposed in earlier work. We describe here heuristics that
allow the use of a Boolean SAT solver to analyze the obligations for a given
LTL formula. The experimental evaluation indicates that the new approach
provides a a significant performance advantage
LTLf satisfiability checking
We consider here Linear Temporal Logic (LTL) formulas interpreted over
\emph{finite} traces. We denote this logic by LTLf. The existing approach for
LTLf satisfiability checking is based on a reduction to standard LTL
satisfiability checking. We describe here a novel direct approach to LTLf
satisfiability checking, where we take advantage of the difference in the
semantics between LTL and LTLf. While LTL satisfiability checking requires
finding a \emph{fair cycle} in an appropriate transition system, here we need
to search only for a finite trace. This enables us to introduce specialized
heuristics, where we also exploit recent progress in Boolean SAT solving. We
have implemented our approach in a prototype tool and experiments show that our
approach outperforms existing approaches
Safety Model Checking with Complementary Approximations
Formal verification techniques such as model checking, are becoming popular
in hardware design. SAT-based model checking techniques such as IC3/PDR, have
gained a significant success in hardware industry. In this paper, we present a
new framework for SAT-based safety model checking, named Complementary
Approximate Reachability (CAR). CAR is based on standard reachability analysis,
but instead of maintaining a single sequence of reachable- state sets, CAR
maintains two sequences of over- and under- approximate reachable-state sets,
checking safety and unsafety at the same time. To construct the two sequences,
CAR uses standard Boolean-reasoning algorithms, based on satisfiability
solving, one to find a satisfying cube of a satisfiable Boolean formula, and
one to provide a minimal unsatisfiable core of an unsatisfiable Boolean
formula. We applied CAR to 548 hardware model-checking instances, and compared
its performance with IC3/PDR. Our results show that CAR is able to solve 42
instances that cannot be solved by IC3/PDR. When evaluated against a portfolio
that includes IC3/PDR and other approaches, CAR is able to solve 21 instances
that the other approaches cannot solve. We conclude that CAR should be
considered as a valuable member of any algorithmic portfolio for safety model
checking
SmartUnit: Empirical Evaluations for Automated Unit Testing of Embedded Software in Industry
In this paper, we aim at the automated unit coverage-based testing for
embedded software. To achieve the goal, by analyzing the industrial
requirements and our previous work on automated unit testing tool CAUT, we
rebuild a new tool, SmartUnit, to solve the engineering requirements that take
place in our partner companies. SmartUnit is a dynamic symbolic execution
implementation, which supports statement, branch, boundary value and MC/DC
coverage. SmartUnit has been used to test more than one million lines of code
in real projects. For confidentiality motives, we select three in-house real
projects for the empirical evaluations. We also carry out our evaluations on
two open source database projects, SQLite and PostgreSQL, to test the
scalability of our tool since the scale of the embedded software project is
mostly not large, 5K-50K lines of code on average. From our experimental
results, in general, more than 90% of functions in commercial embedded software
achieve 100% statement, branch, MC/DC coverage, more than 80% of functions in
SQLite achieve 100% MC/DC coverage, and more than 60% of functions in
PostgreSQL achieve 100% MC/DC coverage. Moreover, SmartUnit is able to find the
runtime exceptions at the unit testing level. We also have reported exceptions
like array index out of bounds and divided-by-zero in SQLite. Furthermore, we
analyze the reasons of low coverage in automated unit testing in our setting
and give a survey on the situation of manual unit testing with respect to
automated unit testing in industry.Comment: In Proceedings of 40th International Conference on Software
Engineering: Software Engineering in Practice Track, Gothenburg, Sweden, May
27-June 3, 2018 (ICSE-SEIP '18), 10 page
On Reachability Analysis of Pushdown Systems with Transductions: Application to Boolean Programs with Call-by-Reference
Pushdown systems with transductions (TrPDSs) are an extension of pushdown systems (PDSs) by associating each transition rule with a transduction, which allows to inspect and modify the stack content at each step of a transition rule. It was shown by Uezato and Minamide that TrPDSs can model PDSs with checkpoint and discrete-timed PDSs. Moreover, TrPDSs can be simulated by PDSs and the predecessor configurations pre^*(C) of a regular set C of configurations can be computed by a saturation procedure when the closure of the transductions in TrPDSs is finite. In this work, we comprehensively investigate the reachability problem of finite TrPDSs. We propose a novel saturation procedure to compute pre^*(C) for finite TrPDSs. Also, we introduce a saturation procedure to compute the successor configurations post^*(C) of a regular set C of configurations for finite TrPDSs. From these two saturation procedures, we present two efficient implementation algorithms to compute pre^*(C) and post^*(C). Finally, we show how the presence of transductions enables the modeling of Boolean programs with call-by-reference parameter passing. The TrPDS model has finite closure of transductions which results in model-checking approach for Boolean programs with call-by-reference parameter passing against safety properties
- …