Dirk Beyer,Nian-Ze Lee,Philipp Wendler

2024-03-13

Abstract:The article "Interpolation and SAT-Based Model Checking" (McMillan, 2003) describes a formal-verification algorithm, which was originally devised to verify safety properties of finite-state transition systems. It derives interpolants from unsatisfiable BMC queries and collects them to construct an overapproximation of the set of reachable states. Although 20 years old, the algorithm is still state-of-the-art in hardware model checking. Unlike other formal-verification algorithms, such as k-induction or PDR, which have been extended to handle infinite-state systems and investigated for program analysis, McMillan's interpolation-based model-checking algorithm from 2003 has not been used to verify programs so far. Our contribution is to close this significant, two decades old gap in knowledge by adopting the algorithm to software verification. We implemented it in the verification framework CPAchecker and evaluated the implementation against other state-of-the-art software-verification techniques on the largest publicly available benchmark suite of C safety-verification tasks. The evaluation demonstrates that McMillan's interpolation-based model-checking algorithm from 2003 is competitive among other algorithms in terms of both the number of solved verification tasks and the run-time efficiency. Our results are important for the area of software verification, because researchers and developers now have one more approach to choose from.

Software Engineering,Programming Languages

Dirk Beyer,Po-Chun Chien,Nian-Ze Lee

2024-10-25

Abstract:Software model checking is a challenging problem, and generating relevant invariants is a key factor in proving the safety properties of a program. Program invariants can be obtained by various approaches, including lightweight procedures based on data-flow analysis and intensive techniques using Craig interpolation. Although data-flow analysis runs efficiently, it often produces invariants that are too weak to prove the properties. By contrast, interpolation-based approaches build strong invariants from interpolants, but they might not scale well due to expensive interpolation procedures. Invariants can also be injected into model-checking algorithms to assist the analysis. Invariant injection has been studied for many well-known approaches, including k-induction, predicate abstraction, and symbolic execution. We propose an augmented interpolation-based verification algorithm that injects external invariants into interpolation-based model checking (McMillan, 2003), a hardware model-checking algorithm recently adopted for software verification. The auxiliary invariants help prune unreachable states in Craig interpolants and confine the analysis to the reachable parts of a program. We implemented the proposed technique in the verification framework CPAchecker and evaluated it against mature SMT-based methods in CPAchecker as well as other state-of-the-art software verifiers. We found that injecting invariants reduces the number of interpolation queries needed to prove safety properties and improves the run-time efficiency. Consequently, the proposed invariant-injection approach verified difficult tasks that none of its plain version (i.e., without invariants), the invariant generator, or any compared tools could solve.

Software Engineering

Ting Wang,Songzheng Song,Jun Sun,Yang Liu,Jin Song Dong,Xinyu Wang,Shanping Li

DOI: https://doi.org/10.1007/978-3-642-34281-3_26

2012-01-01

Abstract:Refinement checking plays an important role in system verification. It establishes properties of an implementation by showing a refinement relationship between the implementation and a specification. Recently, it has been shown that anti-chain based approaches increase the efficiency of trace refinement checking significantly. In this work, we study the problem of adopting anti-chain for stable failures refinement checking, failures-divergence refinement checking and probabilistic refine checking (i.e., a probabilistic implementation against a non-probabilistic specification). We show that the first two problems can be significantly improved, because the state space of the product model may be reduced dramatically. Though applying anti-chain for probabilistic refinement checking is more complicated, we manage to show improvements in some cases. We have integrated these techniques into the PAT model checking framework. Experiments are conducted to demonstrate the efficiency of our approach.

Chien-Yu Lai,Cheng-Yin Wu,Chung-Yang (Ric) Huang

DOI: https://doi.org/10.1109/ASPDAC.2014.6742979

2014-01-01

Abstract:Interpolation-based model checking (IMC) is an important technique in modern formal verification tools. In essence, it relies on an abstraction and refinement process to derive an adequate image approximation for the reachability analysis. However, previous IMC algorithms only offer fixed degrees of abstraction and thus may fail in the proofs if the abstraction is too coarse- or fine-grained. In this paper, we propose an adaptive interpolation-based model checking algorithm in which the degree of abstraction can be adjusted on demand. That is, during the proof process, we closely monitor the effectiveness of the interpolation-based over-approximated image computation and thus adjust the degree of abstraction for the best performance. The experimental results confirm that our flexible interpolation indeed leads to an adequate degree of abstraction as our IMC algorithm outperforms previous ones in various aspects.

Lin Gui,Jun Sun,Yang Liu,Yuanjie Si,Jin Song Dong,Xinyu Wang

DOI: https://doi.org/10.1145/2483760.2483779

2013-01-01

Abstract:Testing provides a probabilistic assurance of system correctness. In general, testing relies on the assumptions that the system under test is deterministic so that test cases can be sampled. However, a challenge arises when a system under test behaves non-deterministiclly in a dynamic operating environment because it will be unknown how to sample test cases. In this work, we propose a method combining hypothesis testing and probabilistic model checking so as to provide the ``assurance" and quantify the error bounds. The idea is to apply hypothesis testing to deterministic system components and use probabilistic model checking techniques to lift the results through non-determinism. Furthermore, if a requirement on the level of ``assurance" is given, we apply probabilistic model checking techniques to push down the requirement through non-determinism to individual components so that they can be verified using hypothesis testing. We motivate and demonstrate our method through an application of system reliability prediction and distribution. Our approach has been realized in a toolkit named RaPiD, which has been applied to investigate two real-world systems.

Cheng-Yin Wu,Chi-An Wu,Chien-Yu Lai,Chung-Yang R. Huang

DOI: https://doi.org/10.1109/tcad.2014.2363395

IF: 2.9

2014-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Interpolation is an important and distinguished method popularly applied to recent synthesis and verification research topics. Existing approaches generate interpolants by analysing unsatisfiability proofs from SAT solvers. Unfortunately, the interpolant is predestinedly determined by how the unsatisfiability proof is logged. This particularly weakens the abstraction of interpolation-based model checking procedure. In this paper, a new approach to generate a variety of functionally different interpolants using simulation and SAT solving is proposed. We further seamlessly integrated the novel interpolant generation algorithm into the reinterpreted interpolation-based model checking procedure. Moreover, spurious counterexamples from the model checker further guide the generation of interpolants to refute excessive refinements. As an extra benefit, proof logging is not required for SAT solvers. Experiments show promising results of our interpolation-based model checker NewITP on solving a large set of HWMCC benchmarks.

Kun Liu,Xiaozhen Zhang,Weiqiang Kong,Gang Hou,Masahiko Watanabe,Akira Fukuda

DOI: https://doi.org/10.1109/dsa.2019.00013

2020-01-01

Abstract:Bounded model checking, an effective way to reduce the state space, plays a significant role in verifying the reliability of a system. By combining bounded model checking and interpolation sequence, the verification of the properties out of some certain boundary can be completed. However, the introduction of interpolation-sequence increases the complexity of the model encoding and then affects the overall performance of a model checker. In order to alleviate the problem, we propose interpolation-based multi-core bounded model checking technology. Decomposing large problems into small ones, multicore parallel solutions can effectively shorten the elapsed time of problem processing. According to the conditional predicates, the paths in the model are divided into path clusters, and the interpolation sequence is used to determine if there is no counterexample path in each path cluster. Based on the nature of fixpoint in the path cluster, we propose a path cluster pruning algorithm in order to reduce the scale of the state space to be searched, which contributes to improving the efficiency. In this paper, we also present two optimization methods: incremental encoding and verification hypothesis. We have implemented the algorithms in the verification of the Hierarchical State Transition Matrix (HSTM) model design, and the experimental results have shown that our method have significantly increase the credibility of the verification results.

屈婉霞,李暾,郭阳,杨晓东

DOI: https://doi.org/10.3969/j.issn.1001-2486.2008.04.011

2008-01-01

Abstract:With the growing increase in software/hardware system scale and function,the further development and application of model checking has been greatly limited by state space explosion,which has been the bottleneck of verifying large industrial designs.Based on the Murphi,an explicit state model checking tool,the problem of organization of reachable state space of model checking was studied,and a novel organization method of reachable state space based on integer pointer and Fibonacci hash was presented.In the approach,an efficient model checking system was suggested.The new approach can effectively shorten verification cycle,and give counter example when the system specification is unsatisfiable.All this greatly helped rapid error location.The analysis and experiment results prove the effectiveness of our method.

YU Yin-Bo,LIU Jia-Jia,MU De-Jun

DOI: https://doi.org/10.21655/ijsi.1673-7288.00286

2022-01-01

International Journal of Software and Informatics

Abstract:Software verification has always been a popular research topic to ensure the correctness and security of software.However, due to the complex semantics and syntax of programming languages, the formal methods for verifying the correctness of programs have the problems of low accuracy and low efficiency.In particular, the state change in address space caused by pointer operations makes it difficult to guarantee the verification accuracy of existing model checking methods.By combining model checking and sparse value-flow analysis, this paper designs a spatial flow model to effectively describe the state behavior of C code at the symbolic-variable level and address-space level and proposes a model checking algorithm of CounterExample-Guided Abstraction refinement and Sparse value-flow strong update (CEGAS), which enables points-to-sensitive formal verification for C code.This paper establishes a C-code benchmark containing a variety of pointer operations and conducts comparative experiments on the basis of this benchmark.These experiments indicate that in the task of analyzing multi-class C code features, the model checking algorithm CEGAS proposed in this paper can achieve outstanding results compared with the existing model checking tools.The verification accuracy of CEGAS is 92.9%, and the average verification time of each line of code is 2.58 ms, both of which are better than those of existing verification tools.

Yueling Zhang,Jianwen Li,G. Pu,Shufang Zhu,Moshe Y. Vardi

DOI: https://doi.org/10.1109/ICCAD.2017.8203765

2016-11-15

Abstract:Formal-verification techniques, such as model checking, are becoming popular in hardware design. SAT-based model checking techniques, such as IC3/PDR, have gained a significant success in the hardware industry. In this paper, we present a new framework for SAT-based safety model checking, named Complementary Approximate Reachability (CAR). CAR is based on standard reachability analysis, but instead of maintaining a single sequence of reachable-state sets, CAR maintains two sequences of over- and under-approximate reachable-state sets, checking safety and unsafety at the same time. To construct the two sequences, CAR uses standard Boolean-reasoning algorithms, based on satisfiability solving, one to find a satisfying cube of a satisfiable Boolean formula, and one to provide a minimal unsatisfiable core of an unsatisfiable Boolean formula. We applied CAR to 548 hardware model-checking instances, and compared its performance with IC3/PDR. Our results show that CAR is able to solve 42 instances that cannot be solved by IC3/PDR. When evaluated against a portfolio that includes IC3/PDR and other approaches, CAR is able to solve 21 instances that the other approaches cannot solve. We conclude that CAR should be considered as a valuable member of any algorithmic portfolio for safety model checking.

Mathematics,Computer Science,Engineering

Xiaoyu Zhang,Shengping Xiao,Yechuan Xia,Jianwen Li,Mingsong Chen,Geguang Pu

DOI: https://doi.org/10.1109/tcad.2023.3236272

IF: 2.9

2023-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Model checking is an automatic formal verification method that is widely applied to hardware verification. Safety properties are the mainly verified properties in practice that can be falsified within finite steps if they do not hold for systems. However, state-of-the-art safety model-checking algorithms cannot meet the performance requirement driven by the industry as the sizes of (hardware) systems to be verified increase rapidly. Therefore, more efficient techniques are still eagerly in demand. Recently, a new safety model-checking technique complementary approximate reachability (CAR) was presented and received considerable concerns from the community. CAR has shown its advantages in unsafe checking (bug finding), but cannot be as competitive as other state-of-the-art techniques, e.g., IC3/PDR, on safe checking (proving correctness). In this article, we propose four kinds of heuristics, two inspired by IC3/PDR and another two dedicated to CAR, to improve the performance of CAR. We integrate the heuristics into the open-source model checker SimpleCAR and compare the performance to the original CAR and IC3/PDR on 748 instances from the hardware model-checking competitions. Our results show that by fixing the time and memory resources, CAR can solve 124 more instances with the four proposed heuristics, i.e., 53.4% more instances can be solved comparing to the original CAR. Furthermore, CAR in both forward and backward directions can solve ten more instances than IC3/PDR in corresponding directions, and uniquely solve 44 more instances that IC3/PDR in corresponding directions cannot solve, which increases the capability of the current model-checking portfolio.

Yinbo Yu,Jiajia Liu,Dejun Mu

DOI: https://doi.org/10.1109/jiot.2022.3163383

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) provides convenience for our daily lives via a huge number of devices. However, due to low-resource and poor computing capability, these devices have a high number of firmware vulnerabilities. Software verification is a powerful solution to ensure the correctness and security of IoT firmware programs. Unfortunately, due to the complex semantics and syntax of program languages (typically C), applying software verification in IoT firmware faces the tradeoff between efficiency and accuracy. One of the fundamental reasons is that verification methods cannot support verifying state transitions on the memory space caused by pointer operations well. To this end, by combining sparse value flow (SVF) analysis into model checking and optimizing computational redundancy among them, we design a novel points-to-sensitive model checker, called PCHECKER, which can provide a highly precise and efficient verification for IoT firmware programs. We first design a spatial flow model to effectively describe state behaviors of a C program both on the symbolic and memory space. We then propose a counterexample-guided model checking algorithm that can dynamically refine abstract precisions and update nondeterministic points-to relations. With a set of C benchmarks containing a variety of pointer operations and other complex C features, our experiments have shown that compared with state of the art (SOTA), PCHECKER can achieve outstanding results in the verification tasks of C programs that its verification accuracy is 95.9%, and its average verification time of each line of code is 1.27 ms, which are both better than existing model checkers.

邝宏斌,罗贵明

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.19.009

2008-01-01

Abstract:Parallelism is an effective method in improving the efficiency of model checking. C program model checking based on LTS is studied and a methodology for parallel software model checking is presented. It utilizes modularity of MAGIC, a software model checker, to decompose C program into components, distributes them over computational nodes and parallel call MAGIC to complete the verification. Close to linear speedup and good scalability can be achieved due to little synchronization and inter-nodes communication. The reduction of time expense is beneficial to formal verification of large-scale software.

Kuanjiu Zhou,Jiawei Yong,Xiaolong Wang,Longtao Ren,Gang Hou,Junwang Chang

DOI: https://doi.org/10.1007/978-3-642-45293-2_26

2013-01-01

Abstract:Model checking technique has been gradually applied to verify the reliability of software systems. However, as to software with large scale and complex structure, the verification procedure suffers from the state space explosion, thus leading to a low efficiency or resource exhaustion. In this paper, we propose a method of accelerating software model checking based on program backbone to verify the properties in ANSI-C source codes. We prune the program with respect to the assertion property, and compress the circular paths by maximal strongly connected components to extract the program backbone. Subsequently, the Hoare theory is used to generate an invariant from the compressed circular nodes, which reduces the length of path encoding. The assertion property is finally translated into a quantifier-free formula and checked for satisfiability by the SMT solver Z3. The experiments show that this method substantially improves the efficiency of program verification.

Fei He,Xiaoyu Song,William N. N. Hung,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/tc.2009.105

2010-01-01

Abstract:Model checking for large-scale systems is extremely difficult due to the state explosion problem. Creating useful abstractions for model checking task is a challenging problem, often involving many iterations of refinement. In this paper we consider techniques for model checking in the counter example-guided abstraction refinement. The state separation problem is one popular approach in counterexample-guided abstraction refinement, and it poses the main hurdle during the refinement process. To achieve effective minimization of the separation set, we present a novel probabilistic learning approach based on the sample learning technique, evolutionary algorithm, and effective heuristics. We integrate it with the abstraction refinement framework in the VIS model checker. We include experimental results on model checking to compare our new approach to recently published techniques. The benchmark results show that our approach has overall speedup of more than 56 percent against previous techniques. Our work is the first successful integration of evolutionary algorithm and abstraction refinement for model checking.

Yechuan Xia,Anna Becchi,Alessandro Cimatti,Alberto Griggio,Jianwen Li,Geguang Pu

DOI: https://doi.org/10.1007/978-3-031-37703-7_14

2023-01-01

Abstract:IC3/PDR and its variants have been the prominent approaches to safety model checking in recent years. Compared to the previous model-checking algorithms like BMC (Bounded Model Checking) and IMC (Interpolation Model Checking), IC3/PDR is attractive due to its completeness (vs. BMC) and scalability (vs. IMC). IC3/PDR maintains an over-approximate state sequence for proving the correctness. Although the sequence refinement methodology is known to be crucial for performance, the literature lacks a systematic analysis of the problem. We propose an approach based on the definition of i- good lemmas, and the introduction of two kinds of heuristics, i.e., branching and referskipping, to steer the search towards the construction of i-good lemmas. The approach is applicable to IC3 and its variant CAR (Complementary Approximate Reachability), and it is very easy to integrate within existing systems. We implemented the heuristics into two open-source model checkers, IC3Ref and SimpleCAR, as well as into the mature nuXmv platform, and carried out an extensive experimental evaluation on HWMCC benchmarks. The results show that the proposed heuristics can effectively compute more i-good lemmas, and thus improve the performance of all the above checkers.

Tao Zhihong,Chen Zhenyu,Chen Zhong,Wang Lifu

IF: 1.019

2007-01-01

Chinese Journal of Electronics

Abstract:The success of combining local and global model checking is utilization of on-the-fly process and compactness of symbolic representation. In this paper, a new paradigm of on-the-fly model checking for CTL is presented. A 3-valued logic is introduced to produce a form of abstract interpretations. A novel feature of our approach is the combination of explicit and symbolic representation. In the early stage, explicit representation is implemented for quick verification. It could be switched to symbolic model checking smoothly for sheering state space explosion. The fixpoint semantics and reduction of 3-valued logic ensure such transplant is seamless. The experimental results demonstrate the feasibility and effectiveness of our approach.

WanXia Qu,Tun Li,Yang Guo,XiaoDong Yang

DOI: https://doi.org/10.1109/ICYCS.2008.457

2008-01-01

Abstract:As the size of the formal model grows, the reachable state space grows exponentially thereby creating state space explosion problem. To alleviate the efficiency and memory bottleneck of explicit model checking, we present a technique that efficiently organizes the reachable state space, and implement an efficient explicit model checking system. The new method could not only effectively shorten verification cycle, but also generates counter example in cases system specification is unsatisfiable, which helps system designer to locate error rapidly. Experiments on some real-world models are conducted. Analysis and experiment results prove the effectiveness of our method.

Wei-Tek Tsai,Hai Huang

2005-01-01

Abstract:Model checking is a formal approach for software verification. It can prove mathematically the absence of certain types of malicious behaviors, such as deadlocks. Because model checking exhaustively explores all possible states and transitions of given software system, its sluggish performance has impeded broad application in software development. Recent progress on leveraging the performance sheds light on its massive adoption in daily practices. One key contribution of this dissertation is an innovative model checking technique, proof slicing, that simultaneously reduces running time and storage requirement. Theoretical results have shown that proof slicing subsumes several existing abstraction-based, counterexample-driven model checking approaches, such as Lazy Abstraction, Craig Interpolation, and Localization. Experimental data have shown the superior performance in both running time and storage requirement of Blade, the model checker that implements proof slicing technique, over existing model checkers, such as BLAST from University of California at Berkeley. Web services and Services-Oriented Architecture (SOA) is a new paradigm for software development. SOA provide uniform data marshaling protocols (via Simple Object Access Protocol: SOAP and eXtensible Markup Language: XML), consistent information exchange infrastructure (via Web Service Definition Language: WSDL and HyperText Transfer Protocol: HTTP), and service query facility (via Universal Description, Discovery, and Integration: UDDI). New applications can be composed rapidly with SOA. Moreover, existing applications can be easily reconfigured or recomposed to meet new functional or non-functional requirements. The rapid development permitted by SOA imposes challenges on dynamic verification and validation on the newly developed applications. This dissertation reports an automated verification and validation framework powered by proof slicing and other techniques and its applications to dynamic verification and validation. This dissertation also reports the application of model checking techniques to the verification of service collaboration.

Radu Calinescu,Colin Paterson,Kenneth Johnson

DOI: https://doi.org/10.48550/arXiv.1812.09952

2018-12-25

Abstract:We introduce an efficient parametric model checking (ePMC) method for the analysis of reliability, performance and other quality-of-service (QoS) properties of software systems. ePMC speeds up the analysis of parametric Markov chains modelling the behaviour of software by exploiting domain-specific modelling patterns for the software components. To this end, ePMC precomputes closed-form expressions for key QoS properties of such patterns, and uses these expressions in the analysis of whole-system models. To evaluate ePMC, we show that its application to service-based systems and multi-tier software architectures reduces analysis time by several orders of magnitude compared to current parametric model checking methods.

Software Engineering