software model checking with slam thomas ball testing, verification and measurement sriram k....

Software Model Checking withSLAM

Thomas BallTesting, Verification and Measurement

Sriram K. RajamaniSoftware Productivity Tools

Microsoft Research

http://research.microsoft.com/slam/

http://research.microsoft.com/slam/

People behind SLAM

Summer interns– Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)– Satyaki Das, Wes Weimer, Robby (2001)– Jakob Lichtenberg, Mayur Naik (2002)

Visitors– Giorgio Delzanno, Andreas Podelski, Stefan Schwoon

Windows Partners– Byron Cook, Vladimir Levin, Abdullah Ustuner

Outline

• Part I: Overview (30 min)– overview of SLAM process– demonstration (Static Driver Verifier)– lessons learned

• Part II: Basic SLAM (1 hour)– foundations– basic algorithms (no pointers)

• Part III: Advanced Topics (30 min)– pointers + procedures– imprecision in aliasing and mod analysis

Part I: Overview of SLAM

What is SLAM?

SLAM is a software model checking project at Microsoft Research– Goal: Check C programs (system software)

against safety properties using model checking

– Application domain: device drivers

Starting to be used internally inside Windows– Working on making this into a product

Source Code

TestingDevelopment

PreciseAPI Usage Rules

(SLIC)

Software Model Checking

Read forunderstanding

New API rules

Drive testingtools

Defects

100% pathcoverage

Rules

Static Driver VerifierStatic Driver Verifier

SLAM – Software Model Checking

• SLAM innovations– boolean programs: a new model for software– model creation (c2bp)– model checking (bebop)– model refinement (newton)

• SLAM toolkit– built on MSR program analysis infrastructure

SLIC

• Finite state language for stating rules– monitors behavior of C code– temporal safety properties (security automata)– familiar C syntax

• Suitable for expressing control-dominated properties – e.g. proper sequence of events– can encode data values inside state

State Machine for Locking

Unlocked Locked

Error

Rel Acq

Acq

Rel

state {

enum {Locked,Unlocked}

s = Unlocked;

}

KeAcquireSpinLock.entry {

if (s==Locked) abort;

else s = Locked;

}

KeReleaseSpinLock.entry {

if (s==Unlocked) abort;

else s = Unlocked;

}

Locking Rule in SLIC

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

do {KeAcquireSpinLock();

nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++;

}} while (nPackets != nPacketsOld);

KeReleaseSpinLock();

ExampleDoes this code

obey the locking rule?


if(*){


}} while (*);


ExampleModel checking boolean program

(bebop)

U

L

L

L

L

U

L

U

U

U

E


nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++;

}} while (nPackets != nPacketsOld);


ExampleIs error path feasible

in C program?(newton)

U

L

L

L

L

U

L

U

U

U

E


nPacketsOld = nPackets; b = true;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++; b = b ? false : *;

}} while (nPackets != nPacketsOld); !b


ExampleAdd new predicateto boolean program

(c2bp)b : (nPacketsOld == nPackets)

U

L

L

L

L

U

L

U

U

U

E


b = true;

if(*){

KeReleaseSpinLock();b = b ? false : *;

}} while ( !b );


b

b

b

b

ExampleModel checking

refined boolean program

(bebop)

b : (nPacketsOld == nPackets)

U

L

L

L

L

U

L

U

U

U

E

b

b

!b

Example


b = true;

if(*){

KeReleaseSpinLock();b = b ? false : *;

}} while ( !b );


b : (nPacketsOld == nPackets)

b

b

b

b

U

L

L

L

L

U

L

U

U

b

b

!b

Model checking refined

boolean program(bebop)

Observations about SLAM

• Automatic discovery of invariants– driven by property and a finite set of (false) execution paths– predicates are not invariants, but observations– abstraction + model checking computes inductive invariants

(boolean combinations of observations)

• A hybrid dynamic/static analysis– newton executes path through C code symbolically – c2bp+bebop explore all paths through abstraction

• A new form of program slicing– program code and data not relevant to property are dropped– non-determinism allows slices to have more behaviors

Part I: Demo

Static Driver Verifier results

Part I: Lessons Learned

SLAM

• Boolean program model has proved itself

• Successful for domain of device drivers– control-dominated safety properties– few boolean variables needed to do proof or find real

counterexamples

• Counterexample-driven refinement– terminates in practice– incompleteness of theorem prover not an issue

What is hard?

• Abstracting – from a language with pointers (C) – to one without pointers (boolean programs)

• All side effects need to be modeled by copying (as in dataflow)

• Open environment problem

What stayed fixed?

• Boolean program model

• Basic tool flow

• Repercussions:– newton has to copy between scopes – c2bp has to model side-effects by value-result – finite depth precision on the heap is all

boolean programs can do

What changed?

• Interface between newton and c2bp

• We now use predicates for doing more things

• refine alias precision via aliasing predicates• newton helps resolve pointer aliasing imprecision

in c2bp

Scaling SLAM

• Largest driver we have processed has ~60K lines of code

• Largest abstractions we have analyzed have several hundred boolean variables

• Routinely get results after 20-30 iterations

• Out of 672 runs we do daily, 607 terminate within 20 minutes

Scale and SLAM components

• Out of 67 runs that time out, tools that take longest time:– bebop: 50, c2bp: 10, newton: 5, constrain: 2

• C2bp:– fast predicate abstraction (fastF) and incremental predicate

abstraction (constrain) – re-use across iterations

• Newton:– biggest problems are due to scope-copying

• Bebop:– biggest issue is no re-use across iterations– solution in the works

SLAM Status• 2000-2001

– foundations, algorithms, prototyping– papers in CAV, PLDI, POPL, SPIN, TACAS

• March 2002– Bill Gates review

• May 2002– Windows committed to hire two people with model checking background to

support Static Driver Verifier (SLAM+driver rules)

• July 2002– running SLAM on 100+ drivers, 20+ properties

• September 3, 2002– made initial release of SDV to Windows (friends and family)

• April 1, 2003– made wide release of SDV to Windows (any internal driver developer)

Part II: Basic SLAM

Syntactic sugar

if (e) { S1;} else { S2;}S3;

goto L1, L2;

L1: assume(e); S1; goto L3;

L2: assume(!e); S2; goto L3;

L3: S3;

Example, in C

void cmp (int a , int b) { if (a == b) g = 0; else g = 1;}

int g;

main(int x, int y){

cmp(x, y);

if (!g) { if (x != y) assert(0); } }

void cmp(int a , int b) { goto L1, L2; L1: assume(a==b); g = 0; return;

L2: assume(a!=b); g = 1; return;}

int g;

main(int x, int y){

cmp(x, y);

assume(!g); assume(x != y) assert(0); }

Example, in C--

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

c2bp: Predicate Abstraction for C Programs

Given• P : a C program• F = {e1,...,en}

– each ei a pure boolean expression– each ei represents set of states for which ei is true

Produce a boolean program B(P,F)• same control-flow structure as P• boolean vars {b1,...,bn} to match {e1,...,en}• properties true of B(P,F) are true of P

Assumptions

Given• P : a C program• F = {e1,...,en}

– each ei a pure boolean expression– each ei represents set of states for which ei is true

• Assume: each ei uses either:– only globals (global predicate)– local variables from some procedure (local predicate for that

procedure)

• Mixed predicates:– predicates using both local variables and global variables– complicate “return” processing– covered in advanced topics

C2bp Algorithm

• Performs modular abstraction– abstracts each procedure in isolation

• Within each procedure, abstracts each statement in isolation– no control-flow analysis– no need for loop invariants

void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


Preds: {x==y}

{g==0}

{a==b}

void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

}

void cmp ( {a==b} ) {

}

Preds: {x==y}

{g==0}

{a==b}

void equal (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

cmp( {x==y} );

assume( {g==0} ); assume( !{x==y} ); assert(0); }

void cmp ( {a==b} ) { goto L1, L2; L1: assume( {a==b} ); {g==0} = T; return;

L2: assume( !{a==b} ); {g==0} = F; return;}

Preds: {x==y}

{g==0}

{a==b}

• Statement y=y+1 and F={ y<4, y<5 }– {y<4}, {y<5} = ((!{y<5} || !{y<4}) ? F : *), {y<4} ;

• WP(x=e,Q) = Q[x -> e]

• WP(y=y+1, y<5) = (y<5) [y -> y+1] =

(y+1<5) =

(y<4)

Abstracting Assigns via WP

WP Problem

• WP(s, ei) not always expressible via { e1,...,en }

• Example

– F = { x==0, x==1, x<5 }

– WP( x=x+1 , x<5 ) = x<4

– Best possible: x==0 || x==1

Abstracting Expressions via F

• F = { e1,...,en }

• ImpliesF(e)

– best boolean function over F that implies e

• ImpliedByF(e)

– best boolean function over F implied by e

– ImpliedByF(e) = !ImpliesF(!e)

ImpliesF(e) and ImpliedByF(e)

e

ImpliesF(e)

ImpliedByF(e)

Computing ImpliesF(e) • minterm m = d1 && ... && dn

– where di = ei or di = !ei

• ImpliesF(e) – disjunction of all minterms that imply e

• Naïve approach– generate all 2n possible minterms– for each minterm m, use decision procedure to check

validity of each implication me

• Many optimizations possible

Abstracting Assignments

• if ImpliesF(WP(s, ei)) is true before s then– ei is true after s

• if ImpliesF(WP(s, !ei)) is true before s then– ei is false after s

{ei} = ImpliesF(WP(s, ei)) ? true :

ImpliesF(WP(s, !ei)) ? false : *;

Assignment Example

Statement in P: Predicates in E:

y = y+1; {x==y}

Weakest Precondition:WP(y=y+1, x==y) = x==y+1

ImpliesF( x==y+1 ) = false

ImpliesF( x!=y+1 ) = x==y

Abstraction of assignment in B:{x==y} = {x==y} ? false : *;

Absracting Assumes

• WP( assume(e) , Q) = eQ

• assume(e) is abstracted to: assume( ImpliedByF(e) )

• Example:F = {x==2, x<5}assume(x < 2) is abstracted to:

assume( {x<5} && !{x==2} )

Abstracting Procedures

• Each predicate in F is annotated as being either global or local to a particular procedure

• Procedures abstracted in two passes:– a signature is produced for each procedure in

isolation– procedure calls are abstracted given the

callees’ signatures

Abstracting a procedure call

• Procedure call– a sequence of assignments from actuals to formals– see assignment abstraction

• Procedure return– NOP for C-- with assumption that all predicates

mention either only globals or only locals– with pointers and with mixed predicates:

• Most complicated part of c2bp• Covered in the advanced topics section

void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

cmp( {x==y} );

assume( {g==0} ); assume( !{x==y} ); assert(0); }

void cmp ( {a==b} ) {Goto L1, L2 L1: assume( {a==b} ); {g==0} = T; return;

L2: assume( !{a==b} ); {g==0} = F; return;}

{x==y}

{g==0}

{a==b}

Precision• For program P and E = {e1,...,en}, there exist two “ideal”

abstractions:– Boolean(P,E) : most precise abstraction– Cartesian(P,E) : less precise abtraction, where each boolean

variable is updated independently– [See Ball-Podelski-Rajamani, TACAS 00]

• Theory:– with an “ideal” theorem prover, c2bp can compute Cartesian(P,E)

• Practice:– c2bp computes a less precise abstraction than Cartesian(P,E)– we use Das/Dill’s technique to incrementally improve precision – with an “ideal” theorem prover, the combination of c2bp + Das/Dill

can compute Boolean(P,E)

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

Bebop

• Model checker for boolean programs

• Based on CFL reachability– [Sharir-Pnueli 81] [Reps-Sagiv-Horwitz 95]

• Iterative addition of edges to graph– “path edges”: <entry,d1> <v,d2>– “summary edges”: <call,d1> <ret,d2>

Symbolic CFL reachability Partition path edges by their “target”

PE(v) = { <d1,d2> | <entry,d1> <v,d2> }

What is <d1,d2> for boolean programs? A bit-vector!

What is PE(v)? A set of bit-vectors

Use a BDD (attached to v) to represent PE(v)

BDDs• Canonical representation

of– boolean functions– set of (fixed-length)

bitvectors– binary relations over finite

domains

• Efficient algorithms for common dataflow operations– transfer function– join/meet– subsumption test

void cmp ( e2 ) {[5]Goto L1, L2 [6]L1: assume( e2 ); [7] gz = T; goto L3;

[8]L2: assume( !e2 ); [9]gz = F; goto L3 [10] L3: return;}

e2=e2’ & gz’=e2’

BDD at line [10] of cmp:

Read: “cmp leaves e2 unchanged and sets gz to have the same final value as e2”

gz=gz’& e=e’

e=e’& gz’=e’

e=e’ & gz’=1 & e’=1

gz=gz’& e2=e2’

gz=gz’& e2=e2’& e2’=T

e2=e2’& gz’=e2’

decl gz ;main( e ) {

[1] equal( e );

[2] assume( gz );

[3] assume( !e );

[4] assert(F); }

void cmp ( e2 ) {[5]Goto L1, L2

[6]L1: assume( e2 );

[7] gz = T; goto L3;

[8]L2: assume( !e2 );

[9]gz = F; goto L3 [10] L3: return;}

gz=gz’& e2=e2’& e2’=F

e2=e2’& e2’=T & gz’=T

e2=e2’& e2’=F & gz’=F

e2=e

Bebop: summary

Explicit representation of CFG Implicit representation of path edges and

summary edges Generation of hierarchical error traces

Complexity: O(E * 2O(N)

) E is the size of the CFG N is the max. number of variables in scope

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

Newton

• Given an error path p in boolean program B– is p a feasible path of the corresponding C

program?• Yes: found an error• No: find predicates that explain the infeasibility

– uses the same interfaces to the theorem provers as c2bp.

Newton

• Execute path symbolically

• Check conditions for inconsistency using theorem prover (satisfiability)

• After detecting inconsistency:– minimize inconsistent conditions– traverse dependencies– obtain predicates

Symbolic simulation for C--

Domains– variables: names in the program– values: constants + symbols

State of the simulator has 3 components:– store: map from variables to values– conditions: predicates over symbols– history: past valuations of the store

Symbolic simulation AlgorithmInput: path p

For each statement s in p domatch s with

Assign(x,e):let val = Eval(e) inif (Store[x]) is defined then

History[x] := History[x] Store[x]Store[x] := val

Assume(e):let val = Eval(e) in

Cond := Cond and vallet result = CheckConsistency(Cond) inif (result == “inconsistent”) then

GenerateInconsistentPredicates()End

Say “Path p is feasible”

Symbolic Simulation: Caveats

• Procedure calls– add a stack to the simulator– push and pop stack frames on calls and returns– implement mappings to keep values “in scope” at

calls and returns

• Dependencies– for each condition or store, keep track of which values

where used to generate this value– traverse dependency during predicate generation



int g;

main(int x, int y){

cmp(x, y);




int g;

main(int x, int y){

cmp(x, y);


Global:

main:

(1) x: X

(2) y: Y

Conditions:



int g;

main(int x, int y){

cmp(x, y);


Global:

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]

(6) (X == Y) [5]

Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]

(6) (X == Y) [5]

(7) (X != Y) [1, 2]



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]

(6) (X == Y) [5]

(7) (X != Y) [1, 2]

Contradictory!



int g;

main(int x, int y){

cmp(x, y);


Predicates after simplification:

{ x == y, a == b }

Part III: Advanced Topics

Two Problems

• Extending SLAM tools for pointers

• Dealing with imprecision of alias analysis

Pointers and SLAM

• With pointers, C supports call by reference– Strictly speaking, C supports only call by value– With pointers and the address-of operator, one can

simulate call-by-reference

• Boolean programs support only call-by-value-result– SLAM mimics call-by-reference with call-by-value-result

• Extra complications:– address operator (&) in C– multiple levels of pointer dereference in C

What changes with pointers?

• C2bp– abstracting assignments– abstracting procedure returns

• Newton– simulation needs to handle pointer accesses– need to copy local heap across scopes to match Bebop’s

semantics– need to refine imprecise alias analysis using predicates

• Bebop– remains unchanged!

Assignments + Pointers

Weakest Precondition:WP( *p=3 , x==5 ) = x==5 What if *p and x alias?

We use Das’s pointer analysis [PLDI 2000] to prune disjuncts representing infeasible alias scenarios.

Correct Weakest Precondition:(p==&x and 3==5) or (p!=&x and x==5)

Statement in P: Predicates in E:

*p = 3 {x==5}

Abstracting Procedure Return

• Need to account for – lhs of procedure call– mixed predicates– side-effects of procedure

• Boolean programs support only call-by-value-result– C2bp models all side-effects using return

processing

Abstracting Procedure Returns

• Let a be an actual at call-site P(…)– pre(a) = the value of a before transition to P

• Let f be a formal of a procedure P– pre(f) = the value of f upon entry to P

int R (int f) {

int r = f+1;

f = 0;

return r;

}

WP(x=r, x==2) = r==2

Q() {

int x = 1;

x = R(x)

}

pre(f) == pre(x)

x = r

{x==1}

{x==2}

{f==pre(f)}

{r==pre(f)+1}

predicate call/return relation call/return assign

{x==2} = s & {x==1};

}

bool R ( {f==pre(f)} ) {

{r==pre(f)+1} = {f==pre(f)};

{f==pre(f)} = *;

return {r==pre(f)+1};

}

WP(f=x, f==pre(f) ) = x==pre(f)

f = x

x==pre(f) is true at the call to R

pre(f)==pre(x) and pre(x)==1 and r==pre(f)+1 implies r==2

Q() { {x==1},{x==2} = T,F;

s = R(T);

{x==1} s

{x==1}, {x==2} = *, s & {x==1};

}

int R (int f) {

int r = f+1;

f = 0;

return r;

}

WP(x=r, x==2) = r==2

Q() {

int x = 1;

x = R(x)

}

{x==1}

{x==2}

{f==pre(f)}

{r==pre(f)+1}


bool R ( {f==pre(f)} ) {

{r==pre(f)+1} = {f==pre(f)};

{f==pre(f)} = *;

return {r==pre(f)+1};

}

WP(f=x, f==pre(f) ) = x==pre(f) x==pre(f) is true at the call to R

pre(f)==pre(x) and pre(x)==1 and r==pre(f)+1 implies r==2

Q() { {x==1},{x==2} = T,F;

s = R(T);

{x==1} s

f = x

x = r

pre(f) == pre(x)

Extending Pre-states

• Suppose formal parameter is a pointer– eg. P(int *f)

• pre( *f )– value of *f upon entry to P– can’t change during P

• * pre( f )– value of dereference of pre( f )– can change during P

int R (int *a) {

*a = *a+1;

}

Q() {

int x = 1;

R(&x);

}

pre(a) = &x

{x==1}

{x==2}


{x==2} = s & {x==1};

}

bool R ( {a==pre(a)}, {*pre(a)==pre(*a)} ) {

{*pre(a)==pre(*a)+1} =

{a==pre(a)} & {*pre(a)==pre(*a)} ;

return {*pre(a)==pre(*a)+1};

}

a = &x

Q() { {x==1},{x==2} = T,F;

s = R(T,T);

{a==pre(a)} {*pre(a)==pre(*a)}

{*pre(a)=pre(*a)+1}

pre(x)==1 and pre(*a)==pre(x) and *pre(a)==pre(*a)+1 and pre(a)==&x implies x==2

{x==1}

s

Newton: what changes with pointers?

• Simulation needs to handle pointer accesses

• Need to copy local heap across scopes to match Bebop’s semantics

void foo (int *a) {assume(*a > 5);assert(0);

}

main(int *x){

assume(*x < 5); foo(x);

}

Contradictory!

void foo (int *a) {assume(*a > 5);assert(0);

}

main(int *x){

assume(*x < 5); foo(x);

}

main:

(1) x: X

(2) *X: Y [1]

foo:

(3) a: A

(4) *A: B [3]

Conditions:

(5) (Y< 5) [1,2]

(6) (B < 5) [3,4,5]

(7) (B > 5) [3,4]

Predicates after simplification:

*x < 5 , *a < 5, *a > 5

SLAM Imprecision due to Alias Imprecision (Flow Insensitivity)

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;

{x==0}

{x==0} = T;skip;skip;

{x==0} = *;

assume( !{x==0} );

skip;

Pts-to(p)=

{ &x, &y}

x = 0;y = 0;p = &y

if (p == &x) x = x + 1;else y = y + 1;

assume(x!=0);

p = &x;

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

Newton: Path is Infeasible

Consider values in abstract trace

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

{x==0} is true

{x==0} is false

INCONSISTENT

Consider values in abstract trace

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

WP(*p = *p +1, !(x==0) )

= ((p == &x) and !(x==-1)) or ((p != &x) and !(x==0))

(p!=&x) gets added as a predicate

What changes with pointers?

• C2bp– abstracting assignments– abstracting procedure returns

• Newton– simulation needs to handle pointer accesses– need to copy local heap across scopes to match Bebop’s

semantics– need to refine imprecise alias analysis using predicates

• Bebop– remains unchanged!

What worked well?

• Specific domain problem• Safety properties• Shoulders & synergies• Separation of concerns• Summer interns & visitors

– Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)– Satyaki Das, Wes Weimer, Robby (2001)– Jakob Lichtenberg, Mayur Naik (2002)– Giorgio Delzanno, Andreas Podelski, Stefan Schwoon

• Windows Partners– Byron Cook, Vladimir Levin, Abdullah Ustuner

Future Work

• Concurrency– SLAM analyzes drivers one thread at a time– Work in progress to analyze interleavings between threads

• Rules and environment-models– Large scale development or rules and environment-models is a

challenge– How can we simplify and manage development of rules?

• Modeling C semantics faithfully• Theory:

– Prove that SLAM will make progress on any property and any program

– Identify classes of programs and properties on which SLAM will terminate

Further Reading

See papers, slides from:

http://research.microsoft.com/slam

http://research.microsoft.com/slam

GlossaryModel checking Checking properties by systematic exploration of the state-space of a

model. Properties are usually specified as state machines, or using temporal logics

Safety properties Properties whose violation can be witnessed by a finite run of the system. The most common safety properties are invariants

Reachability Specialization of model checking to invariant checking. Properties are specified as invariants. Most common use of model checking. Safety properties can be reduced to reachability.

Boolean programs “C”-like programs with only boolean variables. Invariant checking and reachability is decidable for boolean programs.

Predicate A Boolean expression over the state-space of the program eg. (x < 5)

Predicate abstraction A technique to construct a boolean model from a system using a given set of predicates. Each predicate is represented by a boolean variable in the model.

Weakest precondition The weakest precondition of a set of states S with respect to a statement T is the largest set of states from which executing T, when terminating, always results in a state in S.

software model checking with slam thomas ball testing, verification and measurement sriram k....

Documents