Over-Approximating Loops to Prove Properties using Bounded Model Checking

Darke, Priyanka; Chimdyalwar, Bharti; Venkatesh, R.; Shrotri, Ulka; Metta, Ravindra

doi:10.7873/date.2015.0245

Cited by 19 publications

(16 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The techniques of loop acceleration and loop abstraction have been shown to be effective for Model Checking of source code [9]. These techniques are used to replace a loop directly with assignments to the variables modified inside the loop.…”

Section: Loop Acceleration ( ) and Loop Abstraction ( )mentioning

confidence: 99%

TIC: a scalable model checking based approach to WCET estimation

Metta

Becker

Bokil

et al. 2016

Proceedings of the 17th ACM SIGPLAN/SIGBED Conference on Languages, Compilers, Tools, and Theory for Embedded Systems

Self Cite

View full text Add to dashboard Cite

The application of Model Checking to compute WCET has not been explored as much as Integer Linear Programming (ILP), primarily because model checkers fail to scale for complex programs. These programs have loops with large or unknown bounds, leading to a state space explosion that model checkers cannot handle. To overcome this, we have developed a technique, TIC, that employs slicing, loop acceleration and over-approximation on timeannotated source code, enabling Model Checking to scale better for WCET computation. Further, our approach is parametric, so that the user can make a trade-off between the tightness of WCET estimate and the analysis time.We conducted experiments on the Mälardalen benchmarks to evaluate the effect of various abstractions on the WCET estimate and analysis time. Additionally, we compared our estimates to those made by an ILP-based analyzer and found that ours were tighter for more than 30% of the examples and equal for the rest.

show abstract

Section: Loop Acceleration ( ) and Loop Abstraction ( )mentioning

confidence: 99%

TIC: a scalable model checking based approach to WCET estimation

Metta

Becker

Bokil

et al. 2016

Proceedings of the 17th ACM SIGPLAN/SIGBED Conference on Languages, Compilers, Tools, and Theory for Embedded Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…a single loop followed by the property to be checked, the tool supports most C constructs including pointers, structure, arrays, heaps and non-recursive function calls. It uses LABMC [12] to discover index expressions that can be accelerated and CBMC 5.8 as the bounded model checker to determine shrinkability of the loop and to check the residual property on the abstracted program. If a loop is not found shrinkable within a candidate shrink-factor of 5, we report the shrinkability of the loop to be unknown.…”

Section: Implementation and Measurementsmentioning

confidence: 99%

“…1, the value of the variable i in the beginning of an iteration j is expressible as j-1. We assume that we have available tools [12] to identify accelerable variables and their corresponding accelerating expressions. While our approach does not require us to identify all accelerable variables, the precision of the result does depend on the identification of as many accelerable variables as possible.…”

Section: Introductionmentioning

confidence: 99%

Property Checking Array Programs Using Loop Shrinking

Sanyal

Venkatesh

Shah

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Most verification tools find it difficult to prove properties of programs containing loops that process arrays of large or unknown size. These methods either fail to abstract the array at the right granularity and are therefore limited in precision or scalability, or they attempt to synthesize an appropriate invariant that is quantified over the elements of the array, a task known to be difficult. In this paper, we present a different approach based on a notion called loop shrinkability, in which an array processing loop is transformed to a loop of much smaller bound that processes only a few non-deterministically chosen elements of the array. The result is a finite state program with a drastically reduced state space that can be analyzed by bounded model checkers. We show that the proposed transformation is an over-approximation, i.e. if the transformed program is correct, so is the original. In addition, when applicable, the method is impervious to the size or existence of the bound of the array. As an assessment of usefulness, we tested a tool based on our method on the ArraysReach category of SV-COMP 2017 benchmarks. After excluding programs with feature not handled by our tool, we could successfully verify 87 of the 93 remaining programs.

show abstract

“…VeriAbs has implemented abstract acceleration [5] and kinduction techniques to scale Bounded Model Checking (BMC) for programs with loops of large or unknown bounds. VeriAbs abstracts such loops to loops of known small bounds, which can be proved by BMC.…”

Section: Verification Approachmentioning

confidence: 99%

“…VeriAbs uses CBMC version 5.8 for generating error witnesses. For fuzz testing, VeriAbs uses AFL-fuzz [12] The SV-COMP 2018 version of VeriAbs first analyzes every loop to check if it contains some linear modifications to numerical variables so that they can be precisely validated by Loop Abstraction for BMC (LABMC) [5]. If this check passes, it applies a range analysis [11] to identify ranges of those variables.…”

Section: Verification Process and Software Architecturementioning

confidence: 99%

VeriAbs: Verification by Abstraction and Test Generation

Darke¹,

Prabhu²,

Chimdyalwar³

et al. 2018

Tools and Algorithms for the Construction and Analysis of Systems

Self Cite

View full text Add to dashboard Cite

Abstract. VeriAbs is a portfolio software verifier for ANSI-C programs. To prove properties with better efficiency and scalability, this version implements output abstraction with k -induction in the presence of resets. VeriAbs now generates post conditions over the abstraction to find invariants by applying Z3's tactics of quantifier elimination. These invariants are then used to generate validation witnesses. To find errors in the absence of known program bounds, VeriAbs searches for property violating inputs by applying random test generation with fuzz testing for a better scalability as compared to bounded model checking. Verification ApproachBackground. VeriAbs has implemented abstract acceleration [5] and kinduction techniques to scale Bounded Model Checking (BMC) for programs with loops of large or unknown bounds. VeriAbs abstracts such loops to loops of known small bounds, which can be proved by BMC. This abstraction is achieved by accelerating selected variables processed inside loops. Further, VeriAbs applies incremental k -induction to improve precision. Loops processing arrays of large and unknown sizes are substituted by abstract loops that execute a small nondeterministically chosen sequence of original loop iterations. The idea is based on the concept of loop shrinkability [10].

show abstract

Over-Approximating Loops to Prove Properties using Bounded Model Checking

Cited by 19 publications

References 0 publications

TIC: a scalable model checking based approach to WCET estimation

TIC: a scalable model checking based approach to WCET estimation

Property Checking Array Programs Using Loop Shrinking

VeriAbs: Verification by Abstraction and Test Generation

Contact Info

Product

Resources

About