Just as program execution has hotspots that we can use execution profiling to identify, (automatic) verification of code has hotspots that we would like to find using verification profilers.

galea:arxiv:2018 identifies the following requirements: generality (of profiling model), explainable (independent of internal details), and actionable (finds root causes).

Profilers in existing systems

• KLEE verifier has profiling described in galea:arxiv:2018 and in the detailed KLEE testing CoreUtils tutorial.

  KLEE dumps around 10 statistics about each line in the format used by KCachegrind: covered, uncovered, time, solver time, successful solver queries, unsuccessful solver queries, forks, etc.

• Rosette solver has the SymPro profiler described in detail by bornholt:oopsla:2018 and based on a simple profiling API.

  This is based on some of the same metrics as KLEE but it adds more detail about the fan-in and fan-out of the graph to get more insight into splits and joins. It also tracks the number of terms created but never used.

• Jalanji also implements the SymPro profiler API.

Profiling seems to be a bit like profiling lazy functional languages: you are often more interested in where a symbolic term was constructed than in where it was evaluated and, like lazy execution, just looking at where a verifier spends time will tend to show you where it was evaluated (in a solver).

Notes related to Verification profiling of code

Verification performance of code, Verifier performance

Papers related to Verification profiling of code

• SymNav: Visually assisting symbolic execution [angelini:vizsec:2019]
• The Axiom profiler: Understanding and debugging SMT quantifier instantiations [becker:tacas:2019]
• Finding code that explodes under symbolic evaluation [bornholt:oopsla:2018]
• Evaluating manual intervention to address the challenges of bug finding with KLEE [galea:arxiv:2018]