![Page 1: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/1.jpg)
December 08, 2011
Software Model Checking with Abstraction Refinement
Computer Science and Artificial Intelligence Laboratory
MIT Armando Solar-Lezama
With slides from Thomas Henzinger, Ranjit Jhala and Rupak Majumdar.Used with permission.
Dec 08, 2011
1
![Page 2: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/2.jpg)
Model checking so far
o The promise of model checking
- Exhaustive exploration of the state space of a program
- Push-button verification of arbitrary temporal logic formulas
- Dramatic performance improvements from
• State reduction techniques
• Symbolic representations
o But
- It only works for programs with bounded state space
2
![Page 3: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/3.jpg)
Abstraction to the rescue
o We can abstract the infinite state space into a finite one
- Every abstract state corresponds to an infinite set of states
- Is this the same thing as abstract interpretation?
void main(){ int x = *; while(*){ if(x>0) x = 2*x; else x = x-1; x = abs(*)/x; } }
1: 2: 3: 4: 5:
(2,+) (2,z) (2,-)
(4,z) (4,-)
(5,-)
(3,+)
(5,+)
(1,+) (1,z) (1,-)
3
![Page 4: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/4.jpg)
The problem with abstraction
o Abstractions usually have to be tailored to the program
and property of interest
- Imprecision on the abstraction can lead to spurious paths
void main(){ int x = *; while(*){ if(x>1) x = 2*x; else x = x-2; x = abs(*)/x; } }
1: 2: 3: 4: 5:
(2,+) (2,z) (2,-)
(4,z) (4,-)
(5,-)
(3,+)
(5,+)
(1,+) (1,z) (1,-)
(4,+)
(5,0)
x x
4
![Page 5: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/5.jpg)
Spurious path under the microscope
(2,+)
(5,-) (5,+)
(1,+)
(4,+)
(5,0)
x x
void main(){ int x = *; while(*){ if(x>1) x = 2*x; else x = x-2; x = abs(*)/x; } }
1: 2: 3: 4: 5:
x=1
x=2
x>2
(2,+)
(5,-) (5,0)
(5,0)
5
![Page 6: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/6.jpg)
2 Key ingredients for software MC
o We need a simple way to come up with abstractions
o Our abstractions must be flexible
- We need to be able to refine them on demand
- This is how we identify spurious paths and eliminate them
6
![Page 7: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/7.jpg)
Predicate Abstraction
o Abstract state defined by a set of predicates
- Ex: x>0, p.next != null, p.next.val > 0
o Transition function can be computed by a theorem prover
o Big idea:
- We can refine the abstraction by introducing more predicates!
x>0 x>0
x = x-1
not(x>0)
7
![Page 8: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/8.jpg)
Example
Example ( ) { 1: do{
lock(); old = new;
q = q->next; 2: if (q != NULL){ 3: q->data = new;
unlock(); new ++;
} 4: } while(new != old); 5: unlock (); return; }
lock
lock
unlock
unlock
© Henzinger, Jhala,Majumdar 8
![Page 9: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/9.jpg)
What a program really is…
State Transition
3: unlock(); new++; 4:} …
pc
lock
old
new
q
3
5
5
0x133a
pc
lock
old
new
q
4
5
6
0x133a
Example ( ) { 1: do{
lock(); old = new;
q = q->next; 2: if (q != NULL){ 3: q->data = new;
unlock(); new ++;
} 4: } while(new != old); 5: unlock (); return;}
© Henzinger, Jhala,Majumdar 9
![Page 10: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/10.jpg)
The Safety Verification Problem
Initial
Error
Is there a path from an initial to an error state ?
Problem: Infinite state graph
Solution : Set of states = logical formula
Safe
© Henzinger, Jhala,Majumdar 10
![Page 11: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/11.jpg)
Idea 1: Predicate Abstraction
• Predicates on program state:
lock
old = new
• States satisfying same predicates
are equivalent
– Merged into one abstract state
• #abstract states is finite
© Henzinger, Jhala,Majumdar 11
![Page 12: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/12.jpg)
Abstract States and Transitions
State
3: unlock(); new++; 4:} …
pc
lock
old
new
q
3
5
5
0x133a
pc
lock
old
new
q
4
5
6
0x133a
lock
old=new
!lock
! old=new
Theorem Prover
© Henzinger, Jhala,Majumdar 12
![Page 13: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/13.jpg)
Abstraction
State
3: unlock(); new++; 4:} …
pc
lock
old
new
q
3
5
5
0x133a
pc
lock
old
new
q
4
5
6
0x133a
lock
old=new
! lock
! old=new
Theorem Prover
Existential Lifting
© Henzinger, Jhala,Majumdar 13
![Page 14: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/14.jpg)
Abstraction
State
3: unlock(); new++; 4:} …
pc
lock
old
new
q
3
5
5
0x133a
pc
lock
old
new
q
4
5
6
0x133a
lock
old=new
! lock
! old=new
© Henzinger, Jhala,Majumdar 14
![Page 15: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/15.jpg)
Analyze Abstraction
Analyze finite graph
No false negatives
Problem
Spurious counterexamples
© Henzinger, Jhala,Majumdar 15
![Page 16: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/16.jpg)
Idea 2: Counterex.-Guided Refinement
Solution
Use spurious counterexamples
to refine abstraction !
© Henzinger, Jhala,Majumdar 16
![Page 17: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/17.jpg)
1. Add predicates to distinguish
states across cut
2. Build refined abstraction
Solution
Use spurious counterexamples
to refine abstraction
Idea 2: Counterex.-Guided Refinement
Imprecision due to merge
© Henzinger, Jhala,Majumdar 17
![Page 18: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/18.jpg)
Iterative Abstraction-Refinement
1. Add predicates to distinguish
states across cut
2. Build refined abstraction-eliminates counterexample
3. Repeat search
Till real counterexample
or system proved safe
Solution
Use spurious counterexamples
to refine abstraction
[Kurshan et al 93] [Clarke et al 00]
[Ball-Rajamani 01]
© Henzinger, Jhala,Majumdar 18
![Page 19: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/19.jpg)
Lazy Abstraction
Abstract
Refine
C Program Safe
Trace
Yes
No Property
BLAST
© Henzinger, Jhala,Majumdar 19
![Page 20: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/20.jpg)
Lazy Abstraction
C Program Safe
Trace
Yes
No Property
BLAST spec.opt
Instrumented
C file
With ERROR
label
© Henzinger, Jhala,Majumdar 20
![Page 21: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/21.jpg)
Problem: Abstraction is Expensive
Reachable
Problem
#abstract states = 2#predicates
Exponential Thm. Prover queries
Observe Fraction of state space reachable
#Preds ~ 100’s, #States ~ 2100 ,
#Reach ~ 1000’s
© Henzinger, Jhala,Majumdar 21
![Page 22: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/22.jpg)
Safe
Solution Build abstraction during search
Problem
#abstract states = 2#predicates
Exponential Thm. Prover queries
Solution1: Only Abstract Reachable States
© Henzinger, Jhala,Majumdar 22
![Page 23: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/23.jpg)
Solution Don’t refine error-free regions
Problem
#abstract states = 2#predicates
Exponential Thm. Prover queries
Solution2: Don’t Refine Error-Free Regions
Error Free
© Henzinger, Jhala,Majumdar 23
![Page 24: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/24.jpg)
Key Idea: Reachability Tree
5
1
2
3
4
3
Unroll Abstraction 1. Pick tree-node (=abs. state)
2. Add children (=abs. successors)
3. On re-visiting abs. state, cut-off
Find min infeasible suffix - Learn new predicates
- Rebuild subtree with new preds.
Initial
© Henzinger, Jhala,Majumdar 24
![Page 25: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/25.jpg)
Key Idea: Reachability Tree
3
1
2
3
4 5
3
7
6
Error Free
Unroll Abstraction 1. Pick tree-node (=abs. state)
2. Add children (=abs. successors)
3. On re-visiting abs. state, cut-off
Find min infeasible suffix - Learn new predicates
- Rebuild subtree with new preds.
Initial
© Henzinger, Jhala,Majumdar 25
![Page 26: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/26.jpg)
Key Idea: Reachability Tree
3
1
2
3
4 5
3
6
Error Free
7
1
8
8 1
SAFE
Unroll 1. Pick tree-node (=abs. state)
2. Add children (=abs. successors)
3. On re-visiting abs. state, cut-off
Find min spurious suffix - Learn new predicates
- Rebuild subtree with new preds.
S1: Only Abstract Reachable States
S2: Don’t refine error-free regions
Initial
© Henzinger, Jhala,Majumdar 26
![Page 27: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/27.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
Reachability Tree © Henzinger, Jhala,Majumdar 27
![Page 28: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/28.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
lock() old = new q=q->next
LOCK 2
2
Reachability Tree © Henzinger, Jhala,Majumdar 28
![Page 29: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/29.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK
[q!=NULL]
3
3
Reachability Tree © Henzinger, Jhala,Majumdar 29
![Page 30: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/30.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK 3
3
q->data = new unlock() new++
4
4
! LOCK
Reachability Tree © Henzinger, Jhala,Majumdar 30
![Page 31: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/31.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK 3
3
4
4
! LOCK
! LOCK
[new==old]
5 5
Reachability Tree © Henzinger, Jhala,Majumdar 31
![Page 32: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/32.jpg)
Build-and-Search
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK 3
3
4
4
! LOCK
! LOCK5 5
unlock()
! LOCK
Reachability Tree © Henzinger, Jhala,Majumdar 32
![Page 33: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/33.jpg)
Analyze Counterexample
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK 3
3
4
4
! LOCK
! LOCK5 5
! LOCK
Reachability Tree
lock() old = new q=q->next
[q!=NULL]
q->data = new unlock() new++
[new==old]
unlock()
© Henzinger, Jhala,Majumdar 33
![Page 34: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/34.jpg)
Analyze Counterexample
Predicates: LOCK
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK 2
2
LOCK 3
3
4
4
! LOCK
! LOCK5 5
! LOCK
[new==old]
new++
old = new
Inconsistent
new == old
Reachability Tree © Henzinger, Jhala,Majumdar 34
![Page 35: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/35.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
Reachability Tree © Henzinger, Jhala,Majumdar 35
![Page 36: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/36.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK , new==old 2
2
lock() old = new q=q->next
Reachability Tree © Henzinger, Jhala,Majumdar 36
![Page 37: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/37.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK , new==old 2
2
LOCK , new==old 3
3
4
4
q->data = new unlock() new++
! LOCK , ! new = old
Reachability Tree © Henzinger, Jhala,Majumdar 37
![Page 38: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/38.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK , new==old 2
2
LOCK , new==old 3
3
4
4
! LOCK , ! new = old
[new==old]
Reachability Tree © Henzinger, Jhala,Majumdar 38
![Page 39: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/39.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
LOCK , new==old 2
2
LOCK , new==old 3
3
4
4
! LOCK , ! new = old
! LOCK,! new == old
1
[new!=old]
4
Reachability Tree © Henzinger, Jhala,Majumdar 39
![Page 40: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/40.jpg)
Repeat Build-and-Search
Predicates: LOCK, new==old
! LOCK
Example ( ) { 1: do{
lock(); old = new; q = q->next;
2: if (q != NULL){ 3: q->data = new;
unlock(); new ++; }
4:}while(new != old); 5: unlock (); }
1
1
2
2
3
3
4
4
1
4
LOCK , new=old 4
4
! LOCK , new==old
5 5
SAFE
Reachability Tree
LOCK , new==old
LOCK , new==old
! LOCK , ! new = old
! LOCK,! new == old
© Henzinger, Jhala,Majumdar 40
![Page 41: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/41.jpg)
Key Idea: Reachability Tree
3
1
2
3
4 5
3
6
Error Free
7
1
8
8 1
SAFE
Unroll 1. Pick tree-node (=abs. state)
2. Add children (=abs. successors)
3. On re-visiting abs. state, cut-off
Find min spurious suffix - Learn new predicates
- Rebuild subtree with new preds.
S1: Only Abstract Reachable States
S2: Don’t refine error-free regions
Initial
© Henzinger, Jhala,Majumdar 41
![Page 42: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/42.jpg)
Lazy Abstraction
Abstract
Refine
C Program Safe
Trace
Yes
No Property
Key Idea: Reachability Tree
Solution: 1. Abstract reachable states, 2. Avoid refining error-free regions
Problem: Abstraction is Expensive
© Henzinger, Jhala,Majumdar 42
![Page 43: Software Model Checking with Abstraction Refinement ......The promise of model checking ... • Symbolic representations o But - It only works for programs with bounded state space](https://reader035.vdocuments.net/reader035/viewer/2022071410/6103fc7d7c60267eae166354/html5/thumbnails/43.jpg)
MIT OpenCourseWarehttp://ocw.mit.edu
6.820 Fundamentals of Program AnalysisFall 2015
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.