Efficient state space exploration: Interleaving stateless and state-based model checking

State-based model checking methods comprise computing and storing reachable states, while stateless model checking methods directly reason about reachable paths using decision procedures, thereby avoiding computing and storing the reachable states. Typically, state-based methods involve memory-intensive operations, while stateless methods involve time-intensive operations. We propose a divide-and-conquer strategy to combine the complementary strengths of these methods for efficient verification of embedded software. Specifically, our model checking engine uses both state decomposition and state prioritization to guide the combination of a Presburger-arithmetic-based symbolic traversal algorithm (state-based) and an SMT-based bounded model checking algorithm (stateless). These two underlying algorithms are interleaved, based on memory/time bounds and dynamic task partitioning, in order to systematically explore the state space and to avoid storing the entire reachable state set. We have implemented our new method in a tightly integrated verification tool called HMC (Hybrid Model Checker). We demonstrate the efficacy of the proposed method on some industry examples.
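The interleaving the abstract describes, reduced to an explicit-state toy so the division of labour is visible, as an added example that is not HMC's code and is not taken from the paper. The transition system (a two-location loop over an unbounded counter with an error location), the memory bound expressed as a count of stored states, and the depth bound on the stateless phase are all constructed assumptions; HMC works on Presburger formulas and SMT unrollings rather than on enumerated states. The state-based phase stores every state it reaches until its memory bound is hit; the stateless phase then runs one depth-bounded, path-only search per frontier state, pruning states the state-based phase already expanded, and the driver alternates the two until one of them decides the property.

```python
from collections import deque

# --- Constructed toy transition system (an assumption, not the paper's benchmark) ---
# pc 0: x := x + 1  or  x := 2 * x  (nondeterministic choice), then goto pc 1
# pc 1: if x > LIMIT goto pc 2 (the error location) else goto pc 0
LIMIT = 40
INIT = (0, 1)          # state = (program counter, x)


def successors(state):
    pc, x = state
    if pc == 0:
        return [(1, x + 1), (1, 2 * x)]
    if pc == 1:
        return [(2, x)] if x > LIMIT else [(0, x)]
    return []          # pc 2 is a sink


def is_error(state):
    return state[0] == 2


def state_based_step(succ, visited, frontier, max_states):
    """State-based phase: breadth-first image computation that stores every
    reached state in `visited`. Stops as soon as the memory bound `max_states`
    is hit and hands the unexpanded frontier back to the driver."""
    while frontier:
        if len(visited) >= max_states:
            return None, frontier      # memory bound reached; frontier is the remaining work
        s = frontier.popleft()
        if is_error(s):
            return s, frontier
        for t in succ(s):
            if t not in visited:
                visited.add(t)
                frontier.append(t)
    return None, frontier              # fixpoint: nothing left to reach


def stateless_search(start, succ, depth, expanded):
    """Stateless phase: depth-bounded DFS over paths from `start` that keeps only
    the current path (as a BMC unrolling would), never a visited set. States in
    `expanded` were fully expanded by the state-based phase, so any error path
    through one of them passes a frontier state that owns its own task, and the
    suffix from that state is no longer than the full path; pruning them keeps
    the search complete up to `depth`."""
    path = [start]

    def dfs(s, remaining):
        if is_error(s):
            return True
        if remaining == 0:
            return False
        for t in succ(s):
            if t in expanded or t in path:   # partitioned-away state, or a cycle on this path
                continue
            path.append(t)
            if dfs(t, remaining - 1):
                return True
            path.pop()
        return False

    return list(path) if dfs(start, depth) else None


def hybrid_check(init, succ, states_per_round, depth, rounds):
    """Driver: grow the stored state set by `states_per_round` states, then run
    one stateless task of depth `depth` per frontier state, and repeat.
    Returns (engine that decided, witness, round). The state-based witness is the
    error state itself (no predecessor links are stored in this toy); the
    stateless witness is the full counterexample path from a frontier state."""
    visited, frontier = {init}, deque([init])
    for r in range(1, rounds + 1):
        err, frontier = state_based_step(succ, visited, frontier,
                                         len(visited) + states_per_round)
        if err is not None:
            return "state-based", err, r
        if not frontier:
            return "safe", None, r
        expanded = visited - set(frontier)
        for start in list(frontier):
            path = stateless_search(start, succ, depth, expanded)
            if path is not None:
                return "stateless", path, r
    return "unknown", None, rounds


if __name__ == "__main__":
    print(hybrid_check(INIT, successors, states_per_round=9, depth=8, rounds=3))
    print(hybrid_check(INIT, successors, states_per_round=9, depth=5, rounds=1))
    print(hybrid_check(INIT, successors, states_per_round=1000, depth=0, rounds=1))
```

With a memory budget of ten stored states the breadth-first phase stops with three unexpanded frontier states, and the path-based phase finds the violation from the first of them within eight steps without ever materialising the states in between; with the same budget but a depth bound of five neither engine can decide in one round, which is the situation in which a real engine would raise one of the two bounds and go again. With a budget large enough to hold the whole prefix, the state-based phase reaches the error on its own.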
