External Program Model Checking
Stefan Edelkamp, Shahid Jabar, Dino Midzic, Daniel Rikowski and Damian Sulewski
Computer Science Department
University of Dortmund
Otto-Hahn Straße 14
Motivation - Overview
- Why software model checking
- States in our program model checker StEAM
- Externalization Algorithm
- Experimental results
Checking a software implementation rather than a formal specification

int main(int argc, char ** argv) {
  int a = 0;
  int b = 7;
  int c = b / a;   // division by zero: the error the checker should find
}

Traditional flow: program -> manual rewriting -> formal specification of code -> model checker -> error trail

Using a virtual machine to explore a model

Flow: program -> compiler -> virtual machine explored by the model checker
Assumes an error-free virtual machine
+ Can detect errors in the implementation
+ User is not required to be familiar with a modeling language
- Exceeds the available memory
- Slows down the exploration
Techniques for state space compression
- Partial order reduction
- Minimal binary state encoding
- Abstraction methods
- Bit-state hashing
- Search heuristics
External model checking
- Using virtual memory can slow down the performance significantly
- General purpose virtual memory scheme is used
- External memory algorithms are more informed about the states
- Show remarkable performance in the large-scale analysis of games
- Introduced in explicit-state model checker SPIN
States in StEAM
[Figure: layout of a system state. The object file memory image (MI) consists of the code section (machine instructions), the data section (initialised variables, labelled int d=12, e=17, f=-1 and a=4, b=6, c=12) and the BSS section (uninitialised variables, int a,b,c). Physical memory equals the VM memory; the program memory comprises the BSS memory and dynamically allocated regions. Each state s1, s2, ..., sn records the registers (PC, FP, SP, R0, ...), the stack frames (FP0, ...), its memory image m1, m2, ..., mn, entries of the memory pool (mn1, mn2, mn3) and entries of the lock pool (li1, li2, li3).]
The externalization algorithm
- Relaxes the requirement of a constant main memory
- Mini-states:
  - a pointer to the full system state on secondary memory
  - the state's predecessor information
  - constant size, in contrast to a full state
The externalization algorithm
CacheMini-states Secondary memory
Internal memory
The externalization algorithm
Cache Secondary memoryMini-states
Internal memory
The externalization algorithm
Cache Secondary memoryMini-states
Internal memory
The externalization algorithm
Cache Secondary memoryMini-states
Internal memory
The externalization algorithm
Cache Secondary memoryMini-states
Internal memory
The externalization algorithm - external collapse compression
[Figure: a full state is split into its Data section, BSS section, Stack and fixed values; each component has its own cache in internal memory and its own file on secondary memory.]
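The mini-state bookkeeping and the per-section collapse compression described above, as an added Python illustration that is not StEAM's code: full states are appended to a temporary file standing in for secondary memory, RAM keeps only (offset, predecessor) mini-states plus a visited set of per-section table indices, and the error trail is rebuilt from the predecessor links. The toy program model (nondeterministic input for a, then c = b / a) and all names are constructed for this example.

```python
import os, pickle, tempfile
from collections import deque

class ExternalSearch:
    """BFS: constant-size mini-states in RAM, full states on secondary memory,
    visited set keyed by collapse-compressed per-section table indices."""
    def __init__(self):
        self.disk = tempfile.TemporaryFile()   # stands in for secondary memory
        self.tables = {}   # section name -> {pickled section bytes: table index}
        self.minis = []    # mini-state = (file offset of full state, predecessor index)
        self.seen = {}     # collapsed key -> mini-state index
    def collapse(self, state):   # one index per section; a shared section is stored once
        return tuple(self.tables.setdefault(sec, {}).setdefault(pickle.dumps(val), len(self.tables[sec]))
                     for sec, val in state.items())
    def store(self, state, pred):   # append the full state, keep only a mini-state
        self.minis.append((self.disk.seek(0, os.SEEK_END), pred))
        pickle.dump(state, self.disk)
        return len(self.minis) - 1
    def load(self, idx):
        self.disk.seek(self.minis[idx][0])
        return pickle.load(self.disk)
    def search(self, init, successors, is_error):
        queue = deque([self.seen.setdefault(self.collapse(init), self.store(init, -1))])
        while queue:
            idx = queue.popleft()
            state = self.load(idx)   # only one full state is held in memory at a time
            if is_error(state):
                return self.error_trail(idx)
            for nxt in successors(state):
                key = self.collapse(nxt)
                if key not in self.seen:
                    self.seen[key] = self.store(nxt, idx)
                    queue.append(self.seen[key])
    def error_trail(self, idx):   # predecessor links in the mini-states rebuild the trail
        trail = []
        while idx != -1:
            trail.append(self.load(idx))
            idx = self.minis[idx][1]
        return trail[::-1]

# Constructed toy model of the slides' program: pc 0 reads 'a' from input (0..2), pc 1 computes c = b / a.
def successors(s):
    pc, a = s["stack"][-1], s["bss"]["a"]
    if pc == 0: return [{**s, "bss": {**s["bss"], "a": v}, "stack": (1,)} for v in range(3)]
    if pc == 1 and a: return [{**s, "bss": {**s["bss"], "c": s["data"]["b"] // a}, "stack": (2,)}]
    return []
def is_error(s): return s["stack"][-1] == 1 and s["bss"]["a"] == 0   # divides by zero next
def run_example():
    es = ExternalSearch()
    return es.search({"data": {"b": 7}, "bss": {"a": 0, "c": 0}, "stack": (0,)}, successors, is_error), es
```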
Experimental results
- first running case study: the Dining Philosophers
Experimental results – Philosophers using most blocked heuristic
[Figure: internal memory in MB (0 to 1400) against number of philosophers (25 to 300) for the external, collapse and original variants]
[Figure: time in seconds (0 to 400000) against number of philosophers (50 to 300) for the external, collapse and original variants]
[Figure: time in seconds (0 to 90000) against number of philosophers (50 to 150) for the external, collapse and original variants]
[Figure: the 8-Puzzle board with tiles 1 to 8 and one blank]
Experimental results
- second running case study: the 8-Puzzle
Experimental results – 8-Puzzle using Breadth First Search
[Figure: time in seconds (0 to 70000) against number of moves (15 to 21) for the external, collapse and original variants]
[Figure: internal memory in MB (0 to 2500) against number of moves (15 to 21) for the external, collapse and original variants]
Conclusion and future work
- StEAM is the first external program model checker
- Largest exploration in program model checking
- Software still experimental
- Can be used for non-deterministic programs
- Further information on
http://bugfinder.sourceforge.net