{"title":"Challenges and Applications of Assembly-Level Software Model Checking","authors":"Tilman Mehler","doi":"10.17877/DE290R-8397","DOIUrl":null,"url":null,"PeriodicalId":165875,"journal":{"name":"Künstliche Intell.","volume":"57 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Künstliche Intell.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.17877/DE290R-8397","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 16
Abstract
Abstraction functions $\phi$ map states $S = (S_1, \ldots, S_k)$ to patterns $\phi(S) = (\phi(S_1), \ldots, \phi(S_k))$. Pattern databases [CS98] are hash tables for fully explored abstract state spaces, storing with each abstract state the shortest path distance in the abstract space to the abstract goal. They are constructed in a complete traversal of the inverse abstract search space graph. Each distance value stored in the hash table is a lower bound on the solution cost in the original space and serves as a heuristic estimate. Different pattern databases can be combined either by adding or maximizing the individual entries for a state. Pattern databases work if the abstraction function is a homomorphism, so that each path in the original state space has a corresponding one in the abstract state space. In contrast to the search in the original space, the entire abstract space has to be looked at. As pattern databases are themselves hash tables, we apply incremental hashing, too.

If we restrict the exploration in STRIPS planning to a certain subset of propositions $R \subseteq AP$, we generate a planning state space homomorphism $\phi$ and an abstract planning state space [Ede01] with states $S_A \subseteq R$. Abstractions of operators $o = (P, A, D)$ are defined as $\phi(o) = (P \cap R, A \cap R, D \cap R)$. Multiple pattern databases are composed based on a partition $AP = R_1 \cup \ldots \cup R_l$ and induce abstractions $\phi_1, \ldots, \phi_l$ as well as lookup hash tables $PDB_1, \ldots, PDB_l$. Two pattern databases are additive if the sum of the retrieved values is admissible. One sufficient criterion is the following: for every pair of non-trivial operators $o_1$ and $o_2$ in the abstract spaces according to $\phi_1$ and $\phi_2$, the preimage $\phi_1^{-1}(o_1)$ differs from $\phi_2^{-1}(o_2)$. For pattern database addressing we use a multivariate variable encoding, namely SAS+ [Hel04].

6.7 Hashing Dynamic State Vectors

In the previous section, we devised an incremental hashing scheme for static state vectors. This is not directly applicable to program model checkers, as they operate on dynamic and structured states. Dynamic means that the size of a vector may change. For example, a program can dynamically allocate new memory regions. Structured means that the state is separated into several subvectors rather than a single big vector. In StEAM, for example, the stacks, machines, variable sections and the lock/memory pools constitute subvectors which together form a global state vector. In the following, we extend the incremental hashing scheme from the last section to be applicable to dynamic and distributed states.

For dynamic vectors, components may be inserted at arbitrary positions. We will regard dynamic vectors as the equivalent of strings over an alphabet $\Sigma$. In the following, for two vectors $a$ and $b$, let $a, b$ denote the concatenation of $a$ and $b$. For example, for $a = (0, 8)$ and $b = (15)$, we define $a, b = (0, 8, 15)$. We define four general lemmas for the hash function $h$ as used in Rabin-Karp hashing (cf. Section 6.5.1). Lemmas 1 and 2 relate to the insertion, Lemmas 3 and 4 to the deletion, of components. Afterwards, we apply the lemmas to different types of data structures, such as stacks and queues. We use $|a|$ to denote the size of a vector $a$.

Lemma 1. For all $a, b, c \in \Sigma^*$ we have

$$h(a, b, c) = h(a, c) - h(c) \cdot |\Sigma|^{|a|} + h(b) \cdot |\Sigma|^{|a|} + h(c) \cdot |\Sigma|^{|a|+|b|} \bmod q.$$
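The following added example (not code from the thesis) checks Lemma 1 numerically by comparing the incremental update with a full rehash of the vector after insertion. It assumes the Rabin-Karp form h(v) = Σ v_i · |Σ|^i mod q, which is consistent with the lemma but defined in a section not reproduced here; the values of `SIGMA` and `Q` and all function names are illustrative.

```python
import random

SIGMA = 256          # assumed alphabet size |Σ| (byte-valued components)
Q = 1_000_000_007    # assumed prime modulus q

def h(v):
    """Assumed Rabin-Karp form: h(v) = sum(v[i] * |Σ|^i) mod q."""
    acc = 0
    for x in reversed(v):        # Horner evaluation, index 0 gets power 0
        acc = (acc * SIGMA + x) % Q
    return acc

def insert_hash(h_ac, h_c, h_b, len_a, len_b):
    """Lemma 1: hash of (a, b, c) from h(a, c), h(c), h(b) and the lengths."""
    shift_a = pow(SIGMA, len_a, Q)
    shift_ab = pow(SIGMA, len_a + len_b, Q)
    # Remove c at its old offset, place b there, re-add c shifted by |b|.
    return (h_ac - h_c * shift_a + h_b * shift_a + h_c * shift_ab) % Q

def check_lemma1(a, b, c):
    """Compare the incremental value with a full rehash of (a, b, c)."""
    incremental = insert_hash(h(a + c), h(c), h(b), len(a), len(b))
    return incremental == h(a + b + c)

def random_trials(n=200, seed=1):
    """Constructed random vectors, including empty a, b or c."""
    rng = random.Random(seed)
    def vec():
        return [rng.randrange(SIGMA) for _ in range(rng.randrange(0, 12))]
    return all(check_lemma1(vec(), vec(), vec()) for _ in range(n))

if __name__ == "__main__":
    print(check_lemma1([0, 8], [15], [3, 4]))   # insertion in the middle
    print(random_trials())
```

When c is empty, as for a push onto a stack, the two h(c) terms vanish and the update only needs h(b) and one modular power.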