SLIDE 1
Software Model Checking
2
Finding and Understanding Bugs in Software Model Checkers Chengyu - - PowerPoint PPT Presentation
Finding and Understanding Bugs in Software Model Checkers Chengyu - - PowerPoint PPT Presentation
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software
SLIDE 2
SLIDE 3
Software Model Checking
P
3
SLIDE 4
Software Model Checking
P
ϕ
4
SLIDE 5
Software Model Checking
P
ϕ
Software Model Checker
5
SLIDE 6
Software Model Checking
P
ϕ
Software Model Checker
Determines whether ϕ Holds on P
6
SLIDE 7
Software Model Checking
P
ϕ
safe
Software Model Checker
7
Determines whether ϕ Holds on P
SLIDE 8
Software Model Checking
P
ϕ
Software Model Checker
safe
P’
¬ϕ
8
Determines whether ϕ Holds on P
SLIDE 9
Software Model Checking
P
ϕ
Software Model Checker
safe
P’
¬ϕ
unsafe
9
Determines whether ϕ Holds on P
SLIDE 10
Example: Reachability Safety Property
10
int main() { int i = 0; if (i > 0) { …… //unreachable __VERIFIER_error(); } return 0; }
SLIDE 11
Determines whether this function is reachable
Example: Reachability Safety Property
11
int main() { int i = 0; if (i > 0) { …… //unreachable __VERIFIER_error(); } return 0; }
SLIDE 12
Example: Reachability Safety Property
int main() { int i = 0; if (i > 0) { …… //unreachable __VERIFIER_error(); } return 0; }
12
SLIDE 13
SAFE!
Example: Reachability Safety Property
int main() { int i = 0; if (i > 0) { …… //unreachable __VERIFIER_error(); } return 0; }
12
SLIDE 14
Example: Reachability Safety Property
int main() { int i = 0; if (i == 0) { …… //reachable __VERIFIER_error(); } return 0; }
13
SLIDE 15
UNSAFE!
Example: Reachability Safety Property
int main() { int i = 0; if (i == 0) { …… //reachable __VERIFIER_error(); } return 0; }
13
SLIDE 16
Example: Reachability Safety Property
SAFE!
software model checker:
14
int main() { int i = 0; if (i == 0) { …… //reachable __VERIFIER_error(); } return 0; }
SLIDE 17
Example: Reachability Safety Property
SAFE!
software model checker:
15
int main() { int i = 0; if (i == 0) { …… //reachable __VERIFIER_error(); } return 0; }
SLIDE 18
Bug#529 in CPAchecker
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
16
SLIDE 19
Bug#529 in CPAchecker
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
i:0
17
SLIDE 20
Bug#529 in CPAchecker
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
i:0
18
SLIDE 21
Bug#529 in CPAchecker
i:1
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
19
SLIDE 22
Bug#529 in CPAchecker
i:1
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
20
SLIDE 23
Bug#529 in CPAchecker
i:1
!
UNSAFE
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
21
SLIDE 24
Bug#529 in CPAchecker
i:1
SAFE!
!
UNSAFE
22
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
SLIDE 25
Bug#529 in CPAchecker
i:0 *(&i):1
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
23
SLIDE 26
Bug#529 in CPAchecker
i:0 *(&i):1
void main() { int i = 0; while (1) { if (i > 0) { __VERIFIER_error(); break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
SAFE!
24
SLIDE 27
Workflow
Software Model Checker instrument Checking results profile Compare Bug reports [ inconsistent ] [ consistent ]
Seed programs Test programs
Intermediate Programs
Oracles
1 2
mutate
3 4 validate
25
SLIDE 28
Workflow
Software Model Checker instrument Checking results profile Compare Bug reports [ inconsistent ] [ consistent ]
Seed programs Test programs
Intermediate Programs
Oracles
1 2
mutate
3 4 validate
26
SLIDE 29
Approach I: Enumerative Reachability (ER)
void main() { int i = 0; while (1) {
void main() { int i = 0; while (1) { if (i > 0) {
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){
if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
*(&i) = *(&i) + 1; } } }
Bug#529 in CPAchecker Bug#529 in CPAchecker Bug#529 in CPAchecker
27
SLIDE 30
Approach I: Enumerative Reachability (ER)
void main() { int i = 0; while (1) {
void main() { int i = 0; while (1) { if (i > 0) {
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){
if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
*(&i) = *(&i) + 1; } } } __VERIFIER_error(); __VERIFIER_error(); __VERIFIER_error();
Intermediate Program 1 Intermediate Program 2 Intermediate Program 3
Bug#529 in CPAchecker Bug#529 in CPAchecker Bug#529 in CPAchecker
27
SLIDE 31
Workflow
Software Model Checker instrument Checking results profile Compare Bug reports [ inconsistent ] [ consistent ]
Seed programs Test programs
Intermediate Programs
Oracles
1 2
mutate
3 4 validate
28
SLIDE 32
Approach I: Enumerative Reachability (ER)
void main() { int i = 0; while (1) {
void main() { int i = 0; while (1) { if (i > 0) {
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){
if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
*(&i) = *(&i) + 1; } } } __VERIFIER_error(); __VERIFIER_error(); __VERIFIER_error();
Intermediate Program 1 Intermediate Program 2 Intermediate Program 3
Actual execution: unsafe Actual execution: unsafe Actual execution: unsafe
Bug#529 in CPAchecker Bug#529 in CPAchecker Bug#529 in CPAchecker
29
SLIDE 33
Workflow
Software Model Checker instrument Checking results profile Compare Bug reports [ inconsistent ] [ consistent ]
Seed programs Test programs
Intermediate Programs
Oracles
1 2
mutate
3 4 validate
30
SLIDE 34
Approach I: Enumerative Reachability (ER)
void main() { int i = 0; while (1) {
void main() { int i = 0; while (1) { if (i > 0) {
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){
if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
*(&i) = *(&i) + 1; } } } __VERIFIER_error(); __VERIFIER_error(); __VERIFIER_error();
Test program 1 Test program 2 Test program 3 Actual execution: unsafe Actual execution: unsafe Actual execution: unsafe Model checker: unsafe Model checker: safe Model checker: unsafe
Bug#529 in CPAchecker Bug#529 in CPAchecker Bug#529 in CPAchecker
31
SLIDE 35
Approach I: Enumerative Reachability (ER)
void main() { int i = 0; while (1) {
void main() { int i = 0; while (1) { if (i > 0) {
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){
if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
*(&i) = *(&i) + 1; } } } __VERIFIER_error(); __VERIFIER_error(); __VERIFIER_error();
Test program 1 Test program 2 Test program 3 Actual execution: unsafe Actual execution: unsafe Actual execution: unsafe Model checker: unsafe Model checker: safe Model checker: unsafe
Bug#529 in CPAchecker Bug#529 in CPAchecker Bug#529 in CPAchecker
32
SLIDE 36
Approach
- Approach I: Enumerative Reachability (ER)
33
SLIDE 37
Bug#534 in CPAchecker
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
a[3]:{1,0,0}
34
SLIDE 38
Bug#534 in CPAchecker
a[3]:{1,1,1}
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
35
SLIDE 39
Bug#534 in CPAchecker
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
a[3]:{1,1,1}: unsafe a[3]:{1,0,0}: unsafe
36
SLIDE 40
Bug#534 in CPAchecker
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
__VERIFIER_error();
a[3]:{1,1,1}: unsafe a[3]:{1,0,0}: unsafe
36
SLIDE 41
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
Approach II: Enumerative Counting Reachability (ECR)
37
SLIDE 42
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; int br = 0; br++; GetValue(br) GetValue(br)
Approach II: Enumerative Counting Reachability (ECR)
37
SLIDE 43
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; int br = 0; br++; GetValue(br) GetValue(br)
Actual execution: br=1 Actual execution: br=3
Approach II: Enumerative Counting Reachability (ECR)
37
SLIDE 44
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; if(br != 1) __VERIFIER_error(); int br = 0; br++; if(br != 3) __VERIFIER_error();
Actual execution: br=1 Actual execution: br=3
Approach II: Enumerative Counting Reachability (ECR)
37
SLIDE 45
Approach II: Enumerative Counting Reachability (ECR)
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; if(br != 1) __VERIFIER_error(); int br = 0; br++; if(br != 3) __VERIFIER_error();
Test oracle: safe Test oracle: safe
38
SLIDE 46
Approach II: Enumerative Counting Reachability (ECR)
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; if(br != 1) __VERIFIER_error();
Model checker: unsafe Model checker: safe
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0; br++; if(br != 3) __VERIFIER_error();
39
Test oracle: safe Test oracle: safe
SLIDE 47
Approach
- Approach I: Enumerative Reachability (ER)
- Approach II: Enumerative Counting Reachability (ECR)
40
SLIDE 48
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
Approach III: Fused Counting Reachability (FCR)
41
SLIDE 49
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0;int br2 = 0; br1++; GetValue(br1)
Approach III: Fused Counting Reachability (FCR)
br2++; GetValue(br2)
Actual execution: br1=1; br2=3
41
SLIDE 50
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0;int br2 = 0; br1++; if(br1 != 3 || br2 != 1) __VERIFIER_error();
Approach III: Fused Counting Reachability (FCR)
br2++;
41
SLIDE 51
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0;int br2 = 0; br1++; if(br1 != 3 || br2 != 1) __VERIFIER_error();
Approach III: Fused Counting Reachability (FCR)
br2++;
Test oracle: safe
41
SLIDE 52
int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; }
int br = 0;int br2 = 0; br1++; if(br1 != 3 || br2 != 1) __VERIFIER_error();
Approach III: Fused Counting Reachability (FCR)
br2++;
Test oracle: safe
Model checker: unsafe
41
SLIDE 53
Approach
- Approach I: Enumerative Reachability (ER)
- Approach II: Enumerative Counting Reachability (ECR)
- Approach III: Fused Counting Reachability (FCR)
42
SLIDE 54
Approach
- Approach I: Enumerative Reachability (ER)
- Approach II: Enumerative Counting Reachability (ECR)
- Approach III: Fused Counting Reachability (FCR)
42
find more kinds of bugs
SLIDE 55
Approach
- Approach I: Enumerative Reachability (ER)
- Approach II: Enumerative Counting Reachability (ECR)
- Approach III: Fused Counting Reachability (FCR)
42
find more kinds of bugs save more time
SLIDE 56
Evaluation Setup
43
SLIDE 57
Evaluation Setup
GCC test suite
43
SLIDE 58
Evaluation Setup
4,609 Files 219,636 Loc GCC test suite
43
SLIDE 59
Evaluation Setup
4,609 Files 219,636 Loc GCC test suite IC3 based
43
SLIDE 60
Evaluation Setup
4,609 Files 219,636 Loc GCC test suite IC3 based CEGAR based
43
SLIDE 61
Evaluation Setup
4,609 Files 219,636 Loc GCC test suite IC3 based CEGAR based BMC based
43
SLIDE 62
Evaluation Setup
4,609 Files 219,636 Loc GCC test suite IC3 based CEGAR based BMC based
43
SLIDE 63
RQ1: Can our approaches find bugs?
44
SLIDE 64
RQ1: Can our approaches find bugs?
45
SLIDE 65
RQ1: Can our approaches find bugs?
46
SLIDE 66
RQ1: Can our approaches find bugs?
47
SLIDE 67
RQ1: Can our approaches find bugs?
48
SLIDE 68
RQ1: Can our approaches find bugs?
49
SLIDE 69
RQ1: Can our approaches find bugs?
50
SLIDE 70
RQ1: Can our approaches find bugs?
51
SLIDE 71
RQ2: How many bugs can be found by each approach?
52
SLIDE 72
Approach I
52
53
RQ2: How many bugs can be found by each approach?
SLIDE 73
Approach I
52
Approach II
61
54
RQ2: How many bugs can be found by each approach?
SLIDE 74
Approach I
52
Approach II/III
61
55
RQ2: How many bugs can be found by each approach?
SLIDE 75
Approach I
52
Approach II/III
61
56
RQ2: How many bugs can be found by each approach?
SLIDE 76
Approach I
52
Approach II/III
61
56
RQ2: How many bugs can be found by each approach?
SLIDE 77
1 10 51
Approach I
Approach II/III
57
RQ2: How many bugs can be found by each approach?
SLIDE 78
Bug#529 in CPAchecker (False negative in approach II/III)
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
58
i:0 *(&i):1
SLIDE 79
Bug#529 in CPAchecker (False negative in approach II/III)
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
int br = 0; br++; if(br != 1) __VERIFIER_error();
Test oracle: safe
58
i:0 *(&i):1
SLIDE 80
Bug#529 in CPAchecker (False negative in approach II/III)
void main() { int i = 0; while (1) { if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } }
int br = 0; br++; if(br != 1) __VERIFIER_error();
Test oracle: safe Buggy model checker: safe
58
i:0 *(&i):1
SLIDE 81
RQ3: How much time does each approach consume?
59
SLIDE 82
60
RQ3: How much time does each approach consume?
SLIDE 83
61
RQ3: How much time does each approach consume?
SLIDE 84
Save 89% of time
62
RQ3: How much time does each approach consume?
SLIDE 85
63
1 10 51
Approach I
Approach II/III
RQ3: How much time does each approach consume?
SLIDE 86
Assorted Bug Samples
- Front-end
- Memory model
- Pointer alias
- Third-party component
- C standard library
- Language feature
- Configuration
64
https://github.com/MCFuzzer/MCFuzz/issues
SLIDE 87
void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; }
Example: Front-end related bug in CPAchecker
65
SLIDE 88
Example: Front-end related bug in CPAchecker
d = c&&e = 1
Test oracle: unsafe
void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; }
66
SLIDE 89
__CPAchecker_TMP_0 = c&&e
d = __CPAchecker_TMP_0
Example: Front-end related bug in CPAchecker
Test oracle: unsafe
void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; }
67
SLIDE 90
__CPAchecker_TMP_0 = c&&e
d = __CPAchecker_TMP_0
Example: Front-end related bug in CPAchecker
Test oracle: unsafe
void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; }
67
SLIDE 91
__CPAchecker_TMP_0 = c&&e
d = __CPAchecker_TMP_0
Example: Front-end related bug in CPAchecker
Test oracle: unsafe : safe
void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; }
67
SLIDE 92
struct { int a:4; int :4; int b:4; int c:4; } x = { 2,3,4 }; int main (){ if (x.b != 3) __VERIFIER_error(); return 0; }
Example: Language feature related bug in CBMC
2 u 3 4
x
“Unnamed members of objects of structure type do not participate in initialization.” —— C standard
a c b _
Test oracle: safe
68
SLIDE 93
struct { int a:4; int :4; int b:4; int c:4; } x = { 2,3,4 }; int main (){ if (x.b != 3) __VERIFIER_error(); return 0; } 2 3 4 u
x a c b _
Example: Language feature related bug in CBMC
“Unnamed members of objects of structure type do not participate in initialization.” —— C standard
Test oracle: safe
69
SLIDE 94
struct { int a:4; int :4; int b:4; int c:4; } x = { 2,3,4 }; int main (){ if (x.b != 3) __VERIFIER_error(); return 0; } 2 3 4 u
x a c b _
Example: Language feature related bug in CBMC
“Unnamed members of objects of structure type do not participate in initialization.” —— C standard
: unsafe Test oracle: safe
69
SLIDE 95
void test(int x,int y, int q){ if ((x / y) != q ) __VERIFIER_error(); } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; }
Example: Configuration related bug in Seahorn
7/6 == 1
- 7/-6 == 1
Test oracle: safe
70
SLIDE 96
void test(int x,int y, int q){ if ((x / y) != q ) __VERIFIER_error(); } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; }
7/6 == 1
- 7/-6 == 1
sea pf file.c
Example: Configuration related bug in Seahorn
Test oracle: safe
71
SLIDE 97
void test(int x,int y, int q){ if ((x / y) != q ) __VERIFIER_error(); } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; }
7/6 == 1
- 7/-6 == 1
sea pf file.c
Example: Configuration related bug in Seahorn
Test oracle: safe : unsafe
71
SLIDE 98
7/6 == 1
- 7/-6 == 1
sea pf —inline file.c
Example: Configuration related bug in Seahorn
Test oracle: safe
void test(int x,int y, int q){ if ((x / y) != q ) __VERIFIER_error(); } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; }
72
SLIDE 99
7/6 == 1
- 7/-6 == 1
sea pf —inline file.c
Example: Configuration related bug in Seahorn
: safe Test oracle: safe
void test(int x,int y, int q){ if ((x / y) != q ) __VERIFIER_error(); } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; }
72
SLIDE 100
Evaluation on SV-COMP benchmarks
73
SLIDE 101
Evaluation on SV-COMP benchmarks
- SV-COMP benchmarks
- Benchmarks for software verification competition.
74
SLIDE 102
Evaluation on SV-COMP benchmarks
- SV-COMP benchmarks
- Benchmarks for software verification competition.
- Selected 1106 files from ReachSafety and SoftwareSystems.
75
SLIDE 103
Evaluation on SV-COMP benchmarks
- SV-COMP benchmarks
- Benchmarks for software verification competition.
- Selected 1106 files from ReachSafety and SoftwareSystems.
- Result
- Found 5 bugs via SV-COMP benchmark.
76
SLIDE 104
Evaluation on SV-COMP benchmarks
- SV-COMP benchmarks
- Benchmarks for software verification competition.
- Selected 1106 files from ReachSafety and SoftwareSystems.
- Result
- Found 5 bugs via SV-COMP benchmark.
- Undefined behavior
- It is not the bug, but leads to false alarms.
77
SLIDE 105
Usability of software model checkers
78
SLIDE 106
Usability of software model checkers
✓ Should not give wrong checking result. ✓ Should not let user to choose the right configuration. ✓ Better user manual.
79
SLIDE 107
Usability of software model checkers
✓ Should not give wrong checking result. ✓ Should not let user to choose the right configuration. ✓ Better user manual.
80
SLIDE 108
Usability of software model checkers
✓ Should not give wrong checking result. ✓ Should not let user to choose the right configuration. ✓ Better user manual.
81
SLIDE 109
Developers’ Feedback
82
SLIDE 110
Software model checker may have bugs
83
SLIDE 111
Software model checker may have bugs Proposed the approaches to find the bug
83
SLIDE 112
Software model checker may have bugs Proposed the approaches to find the bug Totally found 62 bugs in three model checkers
83
SLIDE 113
Software model checker may have bugs Proposed the approaches to find the bug Totally found 62 bugs in three model checkers Categorized the bugs into 7 categories
83
SLIDE 114
Thank you !
84
Software model checker may have bugs Proposed the approaches to find the bug Totally found 62 bugs in three model checkers Categorized the bugs into 7 categories
84