Optimizing Incremental Scope-Bounded Checking with Data-Flow Analysis

Shao, Danhua; Gopinath, Divya; Khurshid, Sarfraz; Perry, Dewayne E.

doi:10.1109/issre.2010.27

Cited by 8 publications

(6 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Slicing is commonly used to reduce the size of BMC instances by removing variables that are syntactically irrelevant to a property (e.g., [19], [18]). It is also known as 'cone of influence' reduction, where the set of relevant variables expands with the size of the slice, diminishing its effectiveness (e.g., despite slicing, CBMC and ESBMC frequently run out of time/memory).…”

Section: E Evaluation Of Blitz Featuresmentioning

confidence: 99%

BLITZ: Compositional bounded model checking for real-world programs

Cho

D’Silva

Song

2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Abstract-Bounded Model Checking (BMC) for software is a precise bug-finding technique that builds upon the efficiency of modern SAT and SMT solvers. BMC currently does not scale to large programs because the size of the generated formulae exceeds the capacity of existing solvers. We present a new, compositional and property-sensitive algorithm that enables BMC to automatically find bugs in large programs. A novel feature of our technique is to decompose the behaviour of a program into a sequence of BMC instances and use a combination of satisfying assignments and unsatisfiability proofs to propagate information across instances. A second novelty is to use the control-and data-flow of the program as well as information from proofs to prune the set of variables and procedures considered and hence, generate smaller instances. Our tool BLITZ outperforms existing tools and scales to programs with over 100,000 lines of code. BLITZ automatically and efficiently discovers bugs in widely deployed software including new vulnerabilities in Internet infrastructure software.

show abstract

Section: E Evaluation Of Blitz Featuresmentioning

confidence: 99%

BLITZ: Compositional bounded model checking for real-world programs

Cho

D’Silva

Song

2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

show abstract

“…We start by discussing some tools that perform dataflow analyses on C programs [4,19]. Then, we comment about approaches that apply it for Java programs [12,27,30]. These papers use an approach similar to TACO in the sense they use Alloy as back-end but use dataflow analyses for different optimization purposes.…”

Section: Related Workmentioning

confidence: 99%

“…In [27] the authors propose a technique for optimizing an incremental scope-based model checking using a divide-and-solve approach as a mean to improve the scalability of bounded model checking approaches. To do that, they rely on a dataflow analysis (variable-definitions) to split the SATproblem into several simpler sub-problems.…”

Section: Related Workmentioning

confidence: 99%

TacoFlow: optimizing SAT program verification using dataflow analysis

Parrino¹,

Galeotti

Garbervetsky

et al. 2014

Softw Syst Model

View full text Add to dashboard Cite

In previous work we presented TACO, a tool for efficient bounded verification. TACO translates programs annotated with contracts to a SAT problem which is then solved resorting to off-the-shelf SAT-solvers. TACO may deem propositional variables used in the description of a program initial states as being unnecessary. Since the worst-case complexity of SAT (a known NP problem) depends on the number of variables, most times this allows us to obtain significant speed ups. In this article we present TacoFlow, an improvement over TACO that uses dataflow analysis in order to also discard propositional variables that describe intermediate program states. We present an extensive empirical evaluation that considers the effect of removing those variables at different levels of abstraction, and a discussion on the benefits of the proposed approach.

show abstract

“…In [34], parallel analysis of code is performed by splitting the program control flow graph and using JForge [8] (which relies on Kodkod) to analyze each slice. Note that, as in [33], parallelization occurs at the code level, not at the intermediate Alloy representation level. In [28], parallel analysis of Java code is performed by translating complete methods to Alloy.…”

Section: Related Workmentioning

confidence: 99%

Ranger: Parallel analysis of alloy models by range partitioning

Rosner¹,

Siddiqui

Aguirre³

et al. 2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

View full text Add to dashboard Cite

We present a novel approach for parallel analysis of models written in Alloy, a declarative extension of first-order logic based on relations. The Alloy language is supported by the fully automatic Alloy Analyzer, which translates models into propositional formulas and uses off-the-shelf SAT technology to solve them. Our key insight is that the underlying constraint satisfaction problem can be split into subproblems of lesser complexity by using ranges of candidate solutions, which partition the space of all candidate solutions. Conceptually, we define a total ordering among the candidate solutions, split this space of candidates into ranges, and let independent SAT searches take place within these ranges' endpoints. Our tool, Ranger, embodies our insight. Experimental evaluation shows that Ranger provides substantial speedups (in several cases, superlinear ones) for a variety of hard-to-solve Alloy models, and that adding more hardware reduces analysis costs almost linearly.

show abstract

Optimizing Incremental Scope-Bounded Checking with Data-Flow Analysis

Cited by 8 publications

References 35 publications

BLITZ: Compositional bounded model checking for real-world programs

BLITZ: Compositional bounded model checking for real-world programs

TacoFlow: optimizing SAT program verification using dataflow analysis

Ranger: Parallel analysis of alloy models by range partitioning

Contact Info

Product

Resources

About