Domain Types: Abstract-Domain Selection Based on Variable Usage

The success of software model checking depends on finding an appropriate abstraction of the program to verify. The choice of the abstract domain and the analysis configuration is currently left to the user, who may not be familiar with the tradeoffs and performance details of the available abstract domains. We introduce the concept of domain types, which classify the program variables into types that are more fine-grained than standard declared types (e.g., ‘int’ and ‘long’) to guide the selection of an appropriate abstract domain for a model checker. Our implementation on top of an existing verification framework determines the domain type for each variable in a pre-analysis step, based on the usage of variables in the program, and then assigns each variable to an abstract domain. Based on a series of experiments on a comprehensive set of verification tasks from international verification competitions, we demonstrate that the choice of the abstract domain per variable (we consider one explicit and one symbolic domain) can substantially improve the verification in terms of performance and precision.
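The pre-analysis sketched above can be illustrated with a small, self-contained classifier over a C-like subset. The following is an added example, not code from the paper or from the verification framework it builds on; the domain-type lattice Bool < IntEq < IntAdd < IntAll, the rule that Bool and IntEq variables are tracked in the symbolic (BDD) domain while IntAdd and IntAll variables go to the explicit-value domain, the regular-expression front end, and the sample program are all assumptions of this illustration. Its one non-obvious step is the fixpoint: variables that appear together in an assignment or comparison must share a domain type, so a single `<` on `i` pulls every variable that flows into or out of `i` up to IntAll.

```python
import re

# Domain-type lattice (assumption: simplified from the paper's hierarchy);
# each type permits the operations of the types before it.
LATTICE = ("Bool", "IntEq", "IntAdd", "IntAll")
RANK = {t: i for i, t in enumerate(LATTICE)}

IDENT = re.compile(r"[A-Za-z_]\w*")
NUMBER = re.compile(r"-?\b\d+\b")
DECL = re.compile(r"^\s*(?:unsigned\s+|signed\s+)?(?:int|long|short|char|_Bool)\s+")
COND = re.compile(r"^\s*(?:if|while)\s*\((.*)\)\s*\{?\s*$")
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*([-+*/%]?)=(?!=)\s*(.*?)\s*;\s*$")
INCDEC = re.compile(r"^\s*([A-Za-z_]\w*)\s*(\+\+|--)\s*;\s*$")
LOGICAL = re.compile(r"&&|\|\||!(?!=)")
INT_ALL_OPS = re.compile(r"[*/%^~<>&|]")   # atoms no longer contain && or ||
BINARY_ADD = re.compile(r"\w\s*[-+]")       # an operand before + or - (not a sign)
EQUALITY = re.compile(r"==|!=")


def join(*types):
    """Least upper bound of the given domain types."""
    return max(types, key=RANK.__getitem__)


def atom_type(atom):
    """Domain type demanded by the operators and literals of one atom
    (an expression with the logical connectives already stripped)."""
    if INT_ALL_OPS.search(atom):
        return "IntAll"
    if BINARY_ADD.search(atom):
        return "IntAdd"
    consts = {int(n) for n in NUMBER.findall(atom)}
    if consts - {0, 1} or (EQUALITY.search(atom) and len(IDENT.findall(atom)) > 1):
        return "IntEq"
    return "Bool"


def atoms(expr):
    """Split an expression at the logical connectives; parentheses are dropped
    because only the operands of each atom matter here (calls are not modelled)."""
    flat = expr.replace("(", " ").replace(")", " ")
    return [a.strip() for a in LOGICAL.split(flat) if a.strip()]


def usage_units(program):
    """Collect (variables, required type) units: the variables of one unit
    interact directly, so they must end up with the same domain type."""
    units = []
    for line in program.splitlines():
        line = DECL.sub("", line)
        m = INCDEC.match(line)
        if m:                                   # i++  ->  i = i + 1
            line = f"{m.group(1)} = {m.group(1)} + 1;"
        m = ASSIGN.match(line)
        if m:
            lhs, op, rhs = m.groups()
            if op:                              # x += e  ->  x = x + e
                rhs = f"{lhs} {op} {rhs}"
            parts = atoms(rhs)
            if len(parts) == 1 and not LOGICAL.search(rhs):
                units.append(({lhs, *IDENT.findall(parts[0])}, atom_type(parts[0])))
                continue
            units.append(({lhs}, "Bool"))       # lhs receives a logical result
        else:
            m = COND.match(line)
            if not m:
                continue                        # braces, returns, etc.
            parts = atoms(m.group(1))
        for atom in parts:
            names = set(IDENT.findall(atom))
            if names:
                units.append((names, atom_type(atom)))
    return units


def infer_domain_types(program):
    """Pre-analysis: propagate usage to a fixpoint so every variable gets the
    least domain type consistent with all of its uses and its neighbours'."""
    units = usage_units(program)
    types = {v: "Bool" for names, _ in units for v in names}
    changed = True
    while changed:
        changed = False
        for names, required in units:
            t = join(required, *(types[v] for v in names))
            for v in names:
                if types[v] != t:
                    types[v], changed = t, True
    return types


def assign_domains(types):
    """Assumption: Bool and IntEq variables go to the symbolic (BDD) domain,
    IntAdd and IntAll variables to the explicit-value domain."""
    return {v: "BDD" if t in ("Bool", "IntEq") else "Explicit" for v, t in types.items()}


# Constructed sample program (not from the paper's benchmark set).
SAMPLE = """\
int flag = 0;
int state = 0;
int counter = 0;
int size = 10;
int sum = 0;
int i = 0;
while (i < size) {
    sum += i;
    i++;
}
if (counter == 5) {
    flag = 1;
}
counter = counter + 1;
state = 3;
if (state == 3 && !flag) {
    state = 4;
}
"""

if __name__ == "__main__":
    types = infer_domain_types(SAMPLE)
    for var, dom in sorted(assign_domains(types).items()):
        print(f"{var:8s} {types[var]:7s} -> {dom}")
```

On the sample, `flag` stays Bool and `state` becomes IntEq (both candidates for the BDD domain), `counter` becomes IntAdd because of the increment, and `i`, `size` and `sum` all become IntAll: only `i < size` uses a relational operator, but `sum += i` ties `sum` to `i`, so the fixpoint lifts it as well. That propagation is what a per-variable domain choice must get right; classifying each statement in isolation would leave `sum` in the BDD domain, where its arithmetic cannot be represented.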
