o Will probably create a very big query…
• Option 2:
o Each iteration has its own subset of facts
o Traverse through an instance of Lmin per iteration.
12.
Lattice-Based Refinement in Bounded Model Checking
Karine Even-Mendoza, Sepideh Asadi, Antti E. J. Hyvärinen, Hana Chockler, and Natasha Sharygina
King's College London, UK, and Università della Svizzera italiana, Switzerland
FLoC 2018 - VSTTE 2018
1/20
Verification of Code with Library Functions
• Library functions
o sqrt, isdigit, isnan, sin, cos, mod, abs, log, exp, etc.
• Model checking with library functions
o Abstract the function from the code ➔ too many spurious counterexamples
o Use the function's full definition ➔ the state explosion problem
• Bounded Model Checking (BMC)
o can help to avoid the state explosion
o Yet, with a small bound, code with library functions can still cause state explosion
• E.g., Out-of-Memory: loop over ,: … x += r*cos()*sin(); …
2/20
Verification of Code with Library Functions
• Satisfiability Modulo Theories (SMT) scales for such code
o Depends on property + library function + theory
loop over ,: … x += r*cos()*sin(); …
• Modelling with SMT theories
o some support exists (e.g., div, mod, abs, etc.)
o support ➔ more precise theory ➔ more expensive computationally
o no support in general for all standard library functions
o no support for user-defined functions
3/20
Verification of Code with Library Functions
• gcd with constants
• single assert, Safe
• unwind = 3 ➔ 2 % operators
int main(void) { int x = 45; int y = 18; int g = gcd(x,y); assert(g
Refinement via Lattice of a Function
• The model:
o 3 facts of the % operator from before
o fact3 => fact1, fact3 => fact2
o Subset lattice: 8 elements = all the possible subsets of the poset {fact1,fact2,fact3}
{ 𝑓1, 𝑓2, 𝑓3 }, { 𝑓1, 𝑓2 }, { 𝑓1, 𝑓3 }, { 𝑓2, 𝑓3 }, { 𝑓1 }, { 𝑓2 }, { 𝑓3 }
• To simplify the model, by:
o Remove Contradictions: fact1 + fact2 is false
{ 𝑓1 }, { 𝑓1, 𝑓3 }, { 𝑓2, 𝑓3 }, { 𝑓2 }, { 𝑓3 }
o Remove Duplications: fact3 replaces the rest
{ 𝑓3 }, { 𝑓1 }, { 𝑓2 }
7/20
Refinement via Lattice of a Function
• gcd with constants
• two % op. ➔ 2 LRA lattices
o first mod, second mod: mod1 = {}, mod2 = {}
int gcd(int x, int y) {
    int tmp;
    while (y != 0) {
        tmp = x % y;
        x = y;
        y = tmp;
    }
    return x;
}
int main(void) {
    int x = 45;
    int y = 18;
    int g = gcd(x,y);
Result: assert(g
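The lattice construction (subset lattice of facts, then removing contradictions and duplications) and the refinement over the unwound gcd(45,18) with its two % operators, as an added worked example. This is not code from the paper or the slides: the five facts about r = a % b, their cost model, the two properties, the bounded range of values tried for each abstracted %, and the small finite domain used in place of the SMT solver are all constructed here. Each fact set is an over-approximation of %, so a "no counterexample" result under an abstraction is sound for the bounded program; the loop walks the reduced lattice from the cheapest abstraction upward and reports the first one that suffices.

```python
"""Lattice-based refinement of a `%` abstraction in a toy bounded model checker.
Added example, not code from the paper or the slides: the fact table, the
cost model, the properties and the domain bounds below are all constructed."""
from itertools import combinations

# Candidate facts about r = a % b for a >= 0, b > 0 (Python floor semantics),
# each a predicate on (a, b, r).  All five are sound; f_exact is the full
# definition, the others are cheaper partial descriptions.  Constructed.
FACTS = {
    "f_nonneg": lambda a, b, r: r >= 0,
    "f_lt_b":   lambda a, b, r: r < b,
    "f_le_a":   lambda a, b, r: r <= a,
    "f_case":   lambda a, b, r: (r == a) if a < b else (r <= a - b),
    "f_exact":  lambda a, b, r: r == a - b * (a // b),
}
# Constructed cost model: the full definition is the expensive fact.
COST = {"f_nonneg": 1, "f_lt_b": 1, "f_le_a": 1, "f_case": 2, "f_exact": 5}

# A small finite domain stands in for the SMT solver when comparing fact sets.
DOMAIN = [(a, b, r) for a in range(12) for b in range(1, 8) for r in range(-12, 12)]


def holds(facts, a, b, r):
    """True when every fact in `facts` accepts the triple (a, b, r)."""
    return all(FACTS[f](a, b, r) for f in facts)


def models(facts):
    """The DOMAIN triples consistent with all of `facts` (its set of models)."""
    return frozenset(t for t in DOMAIN if holds(facts, *t))


def subset_lattice(names):
    """Every subset of `names`: the 2^n-element subset lattice, {} at the bottom."""
    names = sorted(names)
    return [frozenset(c) for k in range(len(names) + 1)
            for c in combinations(names, k)]


def reduce_lattice(elements):
    """Remove contradictions (elements with no models) and duplications
    (elements with identical models), keeping the cheapest representative of
    each class; the result is ordered from cheapest to most expensive."""
    best = {}
    for e in elements:
        m = models(e)
        if not m:
            continue                  # contradictory: never a useful abstraction
        cost = sum(COST[f] for f in e)
        if m not in best or cost < best[m][0]:
            best[m] = (cost, e)
    return [e for _, e in sorted(best.values(), key=lambda ce: (ce[0], sorted(ce[1])))]


def gcd_results(x, y, facts, bound, r_range):
    """Yield every value the unwound gcd loop can return when each `x % y`
    is replaced by any r consistent with `facts`; paths still looping after
    `bound` iterations are cut off, as BMC's unwinding bound does."""
    if y == 0:
        yield x
    elif bound > 0:
        for r in r_range:
            if holds(facts, x, y, r):
                yield from gcd_results(y, r, facts, bound - 1, r_range)


def refine(lattice, x, y, bound, prop, r_range=range(-50, 50)):
    """Walk the reduced lattice from cheapest to most expensive abstraction and
    return (facts, checks) for the first one under which `prop` holds on every
    path, or (None, checks) if even the strongest abstraction admits a violation."""
    for checks, facts in enumerate(lattice, start=1):
        cex = next((g for g in gcd_results(x, y, facts, bound, r_range) if not prop(g)), None)
        if cex is None:
            return facts, checks
    return None, len(lattice)


LATTICE = reduce_lattice(subset_lattice(FACTS))

if __name__ == "__main__":
    print(f"{2 ** len(FACTS)} subsets reduced to {len(LATTICE)} abstractions")
    # gcd(45, 18) unwound 3 times, i.e. the two % operators of the slides.
    print(refine(LATTICE, 45, 18, 3, lambda g: 0 <= g <= 18))   # a cheap bound suffices
    print(refine(LATTICE, 45, 18, 3, lambda g: g == 9))         # needs the full definition
```

Because every constructed fact is sound, the contradiction check in `reduce_lattice` never fires here; it matters when a fact table contains a mistake, since an unsatisfiable abstraction would make every property hold vacuously. The duplication step is what shrinks the 32 subsets: every set containing `f_exact` has the same models as `{f_exact}` alone, and `f_case` subsumes `f_le_a`, so those combinations collapse to their cheapest member. Note also that with the free abstraction `{}` the spurious counterexamples come from negative values of the abstracted `%`, which a single cheap fact rules out.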