
Post on 05-Jan-2016



External Program Model Checking

Stefan Edelkamp, Shahid Jabar, Dino Midzic, Daniel Rikowski and Damian Sulewski

Computer Science Department

University of Dortmund

Otto-Hahn Straße 14

- Why software model checking

- States in our program model checker StEAM

- Externalization Algorithm

- Experimental results

Motivation - Overview

Running example: a C program that divides by zero

    int main(int argc, char **argv) {
        int a = 0;
        int b = 7;
        int c = b / a;    /* division by zero */
    }

Classical approach: manual rewriting of the program into a formal specification of the code; the model checker explores the specification and reports an error trail.

Goal: checking a software implementation rather than a formal specification.

Approach: the compiler translates the program for a virtual machine, and the model checker uses the virtual machine to explore the model.

Assumes an error-free virtual machine

+ Can detect errors in the implementation

+ User is not required to be familiar with a modeling language

- Exceeds the available memory

- Slows down the exploration

Techniques for state space compression

- Partial order reduction

- Minimal binary state encoding

- Abstraction methods

- Bit-state hashing

- Search heuristics

External model checking

- Using virtual memory can slow down the performance significantly

- A general purpose virtual memory scheme is used

- External memory algorithms are more informed about the states

- Show remarkable performance in the large-scale analysis of games

- Introduced in the explicit-state model checker SPIN

States in StEAM

[Figure: structure of a system state]

- Object file memory image (MI) = program memory: code section (machine instructions), data section (global variables with values, e.g. a=4, b=6, c=12), BSS section

- Per thread i (1 to n): register set (PC, FP, SP, R0, ...), memory image m_i and stack s_i

- Memory pool: dynamically allocated regions mn1, mn2, mn3

- Lock pool: locks li1, li2, li3

- Physical memory = VM memory; the dynamically allocated regions and the BSS memory lie outside the object file image

The externalization algorithm

- Relaxes the requirement of a constant amount of main memory

- Mini-states

  - Pointer to a full system state on the secondary memory

  - Its predecessor information

  - Constant size, in contrast to a full state

The externalization algorithm

[Figure, shown in several build steps: internal memory holds the mini-states and a cache of full states; the full states themselves reside in secondary memory]
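The mini-state scheme described above, as an added example that is not StEAM's own code: full states live in a file on secondary memory, internal memory keeps only fixed-size mini-states (file offset plus predecessor index) and a small cache, and the predecessor links are what reconstruct the error trail. The hash index used for duplicate detection and the tiny cache size are assumptions of this example.

```python
import hashlib, os, struct, tempfile

# Added example, not StEAM's own code: a full state (registers, stack, memory image)
# is a byte string written to a file on secondary memory; internal memory keeps only
# constant-size mini-states (offset of the full state, index of its predecessor,
# -1 for the initial state) plus a small cache. The hash index is an assumption.
MINI = struct.Struct("<qi")   # mini-state record: (file offset, predecessor index)
CACHE_SIZE = 2                # full states kept in internal memory (constructed, tiny)

class ExternalStateStore:
    def __init__(self, fh=None):
        self.fh = fh or tempfile.TemporaryFile()   # secondary memory for full states
        self.minis = []          # mini-states, one fixed-size record each
        self.index = {}          # sha1(full state) -> indices of mini-states
        self.cache = {}          # idx -> full state, oldest entry evicted first
    def add(self, full_state, pred):
        # Externalize a new state; return its mini-state index, None if already seen.
        key = hashlib.sha1(full_state).digest()
        for idx in self.index.get(key, []):
            if self.full(idx) == full_state:   # exact compare, no bit-state hashing
                return None
        offset = self.fh.seek(0, os.SEEK_END)
        self.fh.write(struct.pack("<i", len(full_state)) + full_state)
        idx = len(self.minis)
        self.minis.append(MINI.pack(offset, pred))
        self.index.setdefault(key, []).append(idx)
        self._cache_put(idx, full_state)
        return idx
    def full(self, idx):
        # Full state from the cache, or re-read from secondary memory on a miss.
        if idx in self.cache:
            return self.cache[idx]
        offset, _ = MINI.unpack(self.minis[idx])
        self.fh.seek(offset)
        n = struct.unpack("<i", self.fh.read(4))[0]
        state = self.fh.read(n)
        self._cache_put(idx, state)
        return state
    def trail(self, idx):
        # Error trail: follow predecessor links back to the initial state.
        out = []
        while idx != -1:
            out.append(self.full(idx))
            idx = MINI.unpack(self.minis[idx])[1]
        return out[::-1]
    def _cache_put(self, idx, state):
        self.cache[idx] = state
        if len(self.cache) > CACHE_SIZE:
            del self.cache[next(iter(self.cache))]   # evict the oldest entry
```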

The externalization algorithm - external collapse compression

[Figure: a full state is split into its components (data section, BSS section, stack, fixed values); each component passes through its own cache into a separate file]
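The collapse idea behind the figure, as an added example that is not StEAM's own code: each state component is stored once in a per-component table and a state collapses to a tuple of table indices. Plain lists stand in for the per-component files and caches of the external variant, and the fixed values are treated as a constant that is not stored per state; both are assumptions of this example.

```python
# Added example, not StEAM's own code. Collapse compression stores every component
# of a full state (here data section, BSS section and stack; the fixed values are
# constant and left out) only once, in a table per component, and represents the
# state by the tuple of component indices. In the external variant each table is a
# file with a cache in front of it; plain lists stand in for them here (assumption).
COMPONENTS = ("data", "bss", "stack")

class CollapseStore:
    def __init__(self):
        self.tables = {c: [] for c in COMPONENTS}   # component contents, stored once
        self.lookup = {c: {} for c in COMPONENTS}   # component contents -> table index
        self.states = set()                         # collapsed states: index tuples

    def collapse(self, state):
        # Map a full state {component: bytes} to its tuple of component indices,
        # entering any component not seen before into the corresponding table.
        ids = []
        for c in COMPONENTS:
            blob, table, lookup = state[c], self.tables[c], self.lookup[c]
            if blob not in lookup:
                lookup[blob] = len(table)
                table.append(blob)
            ids.append(lookup[blob])
        return tuple(ids)

    def add(self, state):
        # Record a state in collapsed form; False if the state was already explored.
        key = self.collapse(state)
        if key in self.states:
            return False
        self.states.add(key)
        return True

    def expand(self, key):
        # Reconstruct the full state from a collapsed one (needed for the error trail).
        return {c: self.tables[c][i] for c, i in zip(COMPONENTS, key)}

    def stored_bytes(self):
        # Bytes held in the component tables; compare with storing every full state.
        return sum(len(blob) for table in self.tables.values() for blob in table)
```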

Experimental results

- first running case study: the Dining Philosophers

Experimental results – Philosophers using most blocked heuristic

[Plot: internal memory in MB (0 to 1400) against the number of philosophers (25 to 300); curves: external, collapse, original]

Experimental results – Philosophers using most blocked heuristic

[Plot: time in seconds (0 to 400000) against the number of philosophers (50 to 300); curves: external, collapse, original]

Experimental results – Philosophers using most blocked heuristic

[Plot: time in seconds (0 to 90000) against the number of philosophers (50 to 150); curves: external, collapse, original]

[Figure: an 8-Puzzle board with tiles 1 to 8]

Experimental results

- second running case study: the 8-Puzzle

Experimental results – 8-Puzzle using Breadth First Search

[Plot: time in seconds (0 to 70000) against the number of moves (15 to 21); curves: extern, collapse, original]

Experimental results – 8-Puzzle using Breadth First Search

[Plot: internal memory in MB (0 to 2500) against the number of moves (15 to 21); curves: extern, collapse, original]

Conclusion and future work

- StEAM is the first external program model checker

- Largest exploration in program model checking

- Software still experimental

- Can be used for non-deterministic programs

- Further information at

http://bugfinder.sourceforge.net