ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

Transcription

1 EBS 2013 SMT-Bounded Model hecking of Programs Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas ordeiro, Bernd Fischer

2 Bounded Model hecking (BM) Idea: check negation of given property up to given depth transition system ϕ 0 ϕ 1 ϕ 2 ϕ k-1 ϕ k... M 0 M 1 M 2 M k-1 M k counterexample trace property bound transition system M unrolled k times for programs: unroll loops, unfold arrays, translated into verification condition ψ such that ψ satisfiable iff ϕ has counterexample of max. depth k has been applied successfully to verify (sequential) software

3 BM of Programs there have been attempts to apply BM to the verification of programs but with limited success handle large programs and support complex features problem: BM of programs presents greater challenges than that of programs more complex features such as templates, containers, and exception handling (contains and handles error situations in embedded systems) main insights: optimized implementation of the standard library complicates the Vs unnecessarily abstract representation of the standard libraries to conservatively approximate their semantics

4 Objetive of this work Extend BM to support complex features of exploit background theories of Satisfability Modulo Theories (SMT) solvers provide suitable encodings for template exception handling containers arithmetic over- and underflow build and evaluate an SMT-based BM tool (ESBM) build on top of BM front-end use different SMT encodings as back-ends

5 ESBM Architecture (1) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck originally only ANSI- language was supported extend to support the verification of programs with: template (creation and instantiation) exception handling (converted to goto functions) standart template library (operational model)

6 ESBM Architecture (2) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck lexer/parser based on the flex/bison most of the intermediate representation of the program (IRep) is created this IRep is the base for the remaining phases of the verification

7 ESBM Architecture (3) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck some checks are made in this step: assignment check typecast check pointer initialization check function call check template instantiation

8 ESBM Architecture (4) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck conversion from IRep to goto programs: int main() { int x=5; main() (c::main): intx; x = 5; } if(x==5) return 0; return -1; IF!(x == 5) THEN GOTO 1 return 0; 1: return -1; END_FUNTION

9 ESBM Architecture (5) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck creation of SSA expressions from goto programs: assertions are inserted to check for pointer safety, memory-leak, division by zero, etc jump instructions are inserted for exception handling x = 5; x = 6; y = x; x 1 = 5; x 2 = 6; y 1 = x 2 ; 0 0 0

10 ESBM Architecture (6) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck encoding to bit-vector or integer/real arithmetic verification results can depend on encodings: majority of Vs solved faster if numeric types are modelled by abstract domains but possible loss of precision

11 SMT-Based BM of Programs there have been attempts to apply BM to the verification of programs but with limited success handle large programs and support complex features standard libraries contain complex (and low-level) data structures (complicates the Vs unnecessarily) provide a operational model (OM) which is an abstract representation of the standard libraries that conservatively approximates their semantics Standard Libraries of OM Programs g++ compiler ESBM executable file verification result

12 ontainer Model (1) the container model uses three variables: P that points to the first element of the array size that stores the quantity of elements in the container capacity that stores the total capacity of a container iterators are modelled using two variables (source and pos) container size= N capacity < 2*size e0 e1 e2 e3... en-1 iterator pos contains the index value pointed by the iterator in the container P source pos source points to the underlying container

13 ontainer Model (2) the core container model only supports the insert, erase, and search methods push_back, pop_back, front, back, push_front,and pop_front are variation of these basic methods (( c', i') = c. erase( i)) : = c'. size c'. array i'. source = c. size 1 i'. pos = i. pos = store(...( store( c. array, decrement the size of the container i. pos, select( c. array, i. pos + 1)),..., = c' c. size 2, select( c. array, c. size 1)) points to the position next to the previously erased part of the container the exclusion is made by a given position, regardless the value

14 Inheritance and Polymorphism polymorphism allows the creation of reusable code by changing only specific methods from the base class in constrast to Java, allows multiple inheritance which increase the complexity of the static analysis in ESBM, each new class instantiation replicate all the methods and attributes from the base classes this feature allows base classes pointers to keep reference to derived classes during verification time decides which method is being called from such pointer

15 Running Example (1) triple <, s, r > where is the set of classes shared inheritance s x replicated inheritance r x square class relation: <,, {(Square, Rectangle, Shape), (Square, Rectangle, Display)}> direct access to the attributes and methods of the derived class replicate information to any new class

16 Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } int area(void) { return width*width; } Square Shape constructor *sqre= and newsquare(10); assert area(sqre->area() method == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

17 Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } Instantiation of square and area call int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

18 Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); Internal SMT representation : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

19 Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } contain the address of the object s bound methods int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

20 Exception Handling (1) exceptions are unexpected situations within a programs access an invalid position in a vector throws an out_of_range exception exception handling is divided into three elements: a try block, a catch block, and a throw statement int main (void) { try { throw 1; } catch (int) { return 1; } catch (char) { return 2; } return 0; } try block throw statement catch block

21 Exception Handling (2) try-catch conversion to goto functions (internal flow) main(): ATH signed_int->1, char->2 THROW signed_int: 1 ATH GOTO 3 1: int #anon; return 1; GOTO 3 2: char #anon; return 2; 3: return 0; END_FUNTION This goto instruction is modified if an exception is thrown jump when the type is signed int jump when the type is char

22 Exception Handling (2) try-catch conversion to goto functions (internal flow) main(): ATH signed_int->1, char->2 THROW signed_int: 1 ATH GOTO 1 1: int #anon; return 1; GOTO 3 2: char #anon; return 2; This goto instruction is modified if an exception is thrown 3: return 0; END_FUNTION

23 Experimental Results Goal: compare the efficiency of verification on 1165 programs using ESBM and LLBM Setup: ESBM v1.20 with SMT Solver Z3 3.2 LLBM a Intel ore i7-2600, 3.40 GHz with 24 GB of RAM running Ubuntu 64-bits

24 About the benchmarks Number of programs Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm Deque Vector Lines of code Time out BAD THING Memory out BAD THING rash BAD THING 4 List Queue Verification time of the modules (s) 6 Stack Inheritance Try catch Stream Positive verification GOOD THING Negative verification GOOD THING Negative verification BAD THING Negative verification BAD THING 10 String pp

25 Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm STL modules 2 Deque Vector List Queue Stack Inheritance Try catch Stream String pp

26 Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm Deque Vector List Inheritance and exception handling 5 Queue Stack Inheritance Try catch Stream String pp

27 Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm Deque Vector List Queue Stack I/O Streams Strings 7 Inheritance Try catch Stream String pp

28 Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm Deque Vector List Queue Stack Inheritance Try catch Generic programs from Deitel 9 Stream String pp

29 omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Algorithm Deque Vector List Queue Stack Algorithm Deque Vector List Queue Stack ESBM LLBM

30 omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Inheritance Try catch Inheritance Try catch ESBM LLBM

31 omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Stream String Stream String ESBM LLBM

32 omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 pp pp ESBM LLBM ESBM took approximately 16 hours and successfully verified 1046 out of 1165 (89%) LLBM took approximately 12 hours and successfully verified 777 out of 1165 (66%)

33 Experimental Results Sniffer ode ESBM was used to verify a commercial application provided by Nokia Institute of Technology (INdT) The sniffer code contains 20 classes, 85 methods, and approximately 2839 lines of code Five bugs were identified that were related to arithmetic under- and over-flow. The bugs were later confirmed by the developers

34 onclusions SMT-based verification of programs by focusing on the major features of the language Described the implementation of STL containers, inheritance, polymorphism and exception handling in particular, exception specification, which is a feature that is not supported by others BM tools ESBM outperforms LLBM if we consider the verification of programs with increased accuracy (i.e. exception enabled verification) Also, ESBM was able to find undiscovered bugs in the sniffer code, a commercial application