Efficient Bounded Model Checking of Heap-Manipulating Programs using Tight Field Bounds
Efficient Bounded Model Checking of Heap-Manipulating Programs using Tight Field Bounds
AbstractSoftware model checkers are able to exhaustively explore different bounded program executions arising from various sources of non-determinism. These tools provide statements to produce non-deterministic values for certain variables, thus forcing the corresponding model checker to considerallpossible values for these during verification. While these statements offer an effective way of verifying programs handling basic data types and simple structured types, they are inappropriate as a mechanism for nondeterministic generation of pointers, favoring the use of insertion routines to produce dynamic data structures when verifying, via model checking, programs handling such data types.We present a technique to improve model checking of programs handling heap-allocated data types, by taming the explosion of candidate structures that can be built when non-deterministically initializing heap object fields. The technique exploits precomputedrelational bounds, that disregard values deemed invalid by the structure’s type invariant, thus reducing the state space to be explored by the model checker. Precomputing the relational bounds is a challenging costly task too, for which we also present an efficient algorithm, based on incremental SAT solving.We implement our approach on top of the bounded model checker, and show that, for a number of data structures implementations, we can handle significantly larger input structures and detect faults that is unable to detect.
- Centro Científico Tecnológico - San Juan Argentina
- National University of Río Cuarto Argentina
- Buenos Aires Institute of Technology Argentina
- National Scientific and Technical Research Council Argentina
- Amazon.com United States
Model checking, Model-Based Testing, Testing-Effort Dependent Models, Mathematical analysis, Article, Model Checking, Bounded function, Theoretical computer science, Symbolic Model Checker, FOS: Mathematics, Guard (computer science), Automated Software Testing Techniques, Computer science, Programming language, Algorithm, Computational Theory and Mathematics, Data structure, Computer Science, Physical Sciences, Heap (data structure), Software Reliability Modeling, Nondeterministic algorithm, Software Reliability Assessment and Prediction, Software, Mathematics, Formal Methods in Software Verification and Control
Model checking, Model-Based Testing, Testing-Effort Dependent Models, Mathematical analysis, Article, Model Checking, Bounded function, Theoretical computer science, Symbolic Model Checker, FOS: Mathematics, Guard (computer science), Automated Software Testing Techniques, Computer science, Programming language, Algorithm, Computational Theory and Mathematics, Data structure, Computer Science, Physical Sciences, Heap (data structure), Software Reliability Modeling, Nondeterministic algorithm, Software Reliability Assessment and Prediction, Software, Mathematics, Formal Methods in Software Verification and Control
selected citations These citations are derived from selected sources.This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).2 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Average influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Average impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average
Citations provided by BIP!Popularity provided by BIP!