Symbolic Execution vs. Bounded Model Checking 
Concurrent Bounded Model Checking 
Evaluation 
Conclusion 
Concurrent Bounded Model Checking 
Q. Sang Phan, Pasquale Malacaria and Corina S. Pasareanu† 
Queen Mary University of London 
†Carnegie Mellon Silicon Valley and NASA Ames 
November 07, 2014 
1 / 12
Outline 
1 Symbolic Execution vs. Bounded Model Checking 
2 Concurrent Bounded Model Checking 
3 Evaluation 
4 Conclusion 
Classical Symbolic Execution 
Symbolic Execution and Program Testing. James C. King. 
Communications of the ACM 1976. 
• $pc \vdash c$: execute the then path 
• $pc \vdash \neg c$: execute the else path 
• $(pc \nvdash c) \wedge (pc \nvdash \neg c)$: execute both paths 
  • then path: $pc_1 = pc \wedge c$ 
  • else path: $pc_2 = pc \wedge \neg c$ 
Symbolic Execution in Bounded Model Checking 
Behavioral Consistency of C and Verilog Programs Using 
Bounded Model Checking. Edmund Clarke, Daniel Kroening, 
and Karen Yorav. DAC 2003. 
    x = x + y; 
    if (x != 1) { 
        x = 2; 
        if (z) x++; 
    } 
    assert(x <= 3); 

→ (rename variables so that each is assigned once) 

    x1 = x0 + y0; 
    if (x1 != 1) { 
        x2 = 2; 
        if (z0) x3 = x2 + 1; 
    } 
    assert(x3 <= 3); 

→ (constraints C and property P) 

$C := x_1 = x_0 + y_0 \;\wedge\; x_2 = ((x_1 \neq 1)\ ?\ 2 : x_1) \;\wedge\; x_3 = ((x_1 \neq 1 \wedge z_0)\ ?\ x_2 + 1 : x_2)$ 
$P := x_3 \leq 3$ 
Symbolic Execution vs. Bounded Model Checking 

Symbolic Execution                  | Bounded Model Checking 
• Explore paths without errors      | • Encode only paths with errors 
• Call SMT solver multiple times    | • Call SMT solver after encoding 
• Only input symbols are variables  | • Introduce new symbolic variables 
• Path conditions are cubes         | • Resulting formulas are in CNF 

This paper: use classical Symbolic Execution for Bounded Model Checking 
• Explore only paths with errors 
• Call SMT solver after encoding 
• Only input symbols are variables 
• Resulting formulas are in DNF ⇒ parallelizable 
Bounded Model Checking by Symbolic Execution 

Use Symbolic Execution with the constraint solver turned off 
• SPF: symbolic.dp = no_solver 
Encode the program and the property to check into a formula: 
$$\bigvee_{i=0}^{M} pc_i$$ 
Check the resulting formula with an SMT solver. 

Parallelization 
$$\bigvee_{i=0}^{D-1} pc_i \;\vee\; \bigvee_{i=D}^{2D-1} pc_i \;\vee\; \cdots \;\vee\; \bigvee_{i=(k-1)D}^{kD-1} pc_i \;\vee\; \bigvee_{i=kD}^{M} pc_i$$ 
Bounded Model Checking by Symbolic Execution: Example 

    void test(int x, int y) { 
        if (x <= 5) { 
            x++; 
            if (x <= 3) 
                x--; 
            else 
                y = x; 
        } 
        assert(x <= 10); 
    } 

Encode the program into a formula (one disjunct per path: its path condition conjoined with the negated assertion): 
$$((x_0 \leq 5) \wedge (x_0 + 1 \leq 3) \wedge \neg(x_0 \leq 10)) \;\vee\; ((x_0 \leq 5) \wedge \neg(x_0 + 1 \leq 3) \wedge \neg(x_0 + 1 \leq 10)) \;\vee\; (\neg(x_0 \leq 5) \wedge \neg(x_0 \leq 10))$$ 
JCBMC: Concurrent Bounded Model Checker for Java 
[Architecture diagram: inputs are the Program and the parameters B, D, N. The Main thread runs Symbolic Execution (constraint solving off) and hands disjunctions of D path conditions to the Worker threads, each of which has its own Solver; a Controller issues Stop.] 
• B: the bound 
• D: the number of disjunctions for a solver 
• N: the number of worker threads 
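The pipeline of slides 6 to 8 in code, as an added example that is not part of the slides or of the JCBMC tool: symbolic execution of the `test(x, y)` function from slide 7 with the constraint solver off, one cube per path (path condition conjoined with the negated assertion), the resulting DNF formula split into chunks of D disjuncts, and each chunk checked independently. A bounded brute-force search over a small integer range stands in for the SMT solver; `Sym`, `test_paths`, `chunks`, `solve` and `check` are names chosen here.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable

@dataclass(frozen=True)
class Sym:
    """Symbolic term: printable text plus a closure evaluating it on an input env."""
    text: str
    fn: Callable[[dict], int]

def var(n):    return Sym(n, lambda e: e[n])
def add(a, k): return Sym(f"{a.text} {'+' if k >= 0 else '-'} {abs(k)}", lambda e: a.fn(e) + k)
def le(a, k):  return Sym(f"{a.text} <= {k}", lambda e: int(a.fn(e) <= k))
def neg(c):    return Sym(f"!({c.text})", lambda e: 1 - c.fn(e))

def test_paths():
    """Symbolic execution of test(x, y) (slide 7) with the solver off: every branch
    is forked with no feasibility check, and each path reaching the assertion gives
    the cube pc ∧ ¬(x <= 10), one disjunct of the DNF formula (hand-unrolled here)."""
    x0, cubes = var("x0"), []
    for outer in (True, False):                       # if (x <= 5)
        pc, x = [le(x0, 5) if outer else neg(le(x0, 5))], x0
        if outer:
            x = add(x, 1)                             # x++
            for inner in (True, False):               # if (x <= 3)
                x_fin = add(x, -1) if inner else x    # x-- / y = x leaves x unchanged
                cubes.append(pc + [le(x, 3) if inner else neg(le(x, 3)), neg(le(x_fin, 10))])
        else:
            cubes.append(pc + [neg(le(x, 10))])
    return cubes

def chunks(cubes, D):
    """Split the DNF formula into disjunctions of D cubes, one per solver call (slide 6)."""
    return [cubes[i:i + D] for i in range(0, len(cubes), D)]

def solve(disjunction, lo=-20, hi=20):
    """Stand-in for the SMT solver: bounded search over [lo, hi]^2 for inputs that
    satisfy some cube of the disjunction; returns a counterexample or None."""
    for x, y in product(range(lo, hi + 1), repeat=2):
        env = {"x0": x, "y0": y}
        for cube in disjunction:
            if all(lit.fn(env) for lit in cube):
                return {"x": x, "y": y, "path": " ∧ ".join(l.text for l in cube)}
    return None

def check(D=2):
    """One solver result per chunk; in JCBMC each chunk goes to a worker thread
    with its own solver (slide 8), so the chunks can be checked concurrently."""
    return [solve(chunk) for chunk in chunks(test_paths(), D)]
```

`check(D=2)` returns `[None, {...}]`: the first chunk holds the two infeasible paths through the outer branch and is unsatisfiable, while the second finds the violating input x = 11 on the path that skips the outer branch.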
Evaluation 
Array size | SPF | JSBMC | CBMC | JCBMC (D = 10) | JCBMC (D = 200) 
Bubble sort with assertion negated 
6 | 5.622 | 12.604 | 0.817 | 1.160 | 1.389 
30 | 4m32.790 | x | timed out | 1.387 | 2.905 
100 | timed out | x | timed out | 4.944 | 34.697 
Verification of bubble sort 
5 | 6m19.222 | 3.712 | 7.171 | 4.193 | 3.622 
6 | timed out | 26.293 | 37.816 | 29.512 | 21.834 
7 | x | x | 5m22.641 | x | x 
8 | x | x | timed out | x | x 
Sum of array 
unsafe | 1.403 | 12.671 | 1m5.738 | 1.576 | 2.479 
safe | failed | 12.030 | 2.252 | 9.466 | 10.614 
Evaluation 
Tool | SPF | JSBMC | JCBMC (D = 10) | JCBMC (D = 200) 
Flap controller (unsafe) | 1.141 | 2.899 | 0.948 | 1.370 
Red-black tree (safe) | 53.602 | 3.942 | 3.267 | 2.774 
MER Arbiter (unsafe) | 5.275 | 8.111 | 7.479 | 7.579 
MER Arbiter (safe) | 47.065 | 59.145 | 57.740 | 58.886 
The tool and examples are available at: 
https://github.com/qsphan/jpf-bmc 
Conclusion 
• A new approach for Bounded Model Checking using classical Symbolic Execution. 
• Parallelization for the new Bounded Model Checking approach. 
• An open-source prototype tool, JCBMC: https://github.com/qsphan/jpf-bmc 

Future Work 
• Automatic tuning for parameters of JCBMC: B, D 