Verifying C & C++ with ESBMC

Size: px
Start display at page:

Download "Verifying C & C++ with ESBMC"

Transcription

1 Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [fb & tw]

2 ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed at Southampton by Lucas Cordeiro under the supervision of Berndt Fischer. Jeremy Morse further developed ESBMC during his PhD here. Development is now led from Southampton by Mikhail Ramalho.

3 Model Checking vs Testing orsimulation Execute test cases OK error Testing Coverage of some system behaviours Only samples nondeterminism May fail to cover error behaviours Only checks with a specific toolchain and version Much cheaper than model checking 4

4 Model Checking vs Testing/Simulation Model Checking OK Error trace Line 5: Line 12: Line 41: Model Checking Exhaustively explores all executions Can be bounded to limit number of iterations, contextswitches, etc. Reports errors as traces Can be extremely resource-hungry 5

5 Bounded Model checking k = 0 k = 1 Bounded model checkers slice the state space in depth. k = 2 It s aimed to find bugs and k = 3 k = 4 k = 5 (naïvely) can only prove correctness if all states are reachable within the bound. k = 6

6 ESBMC design Exploits SMT solvers and their background theories: optimized encodings for pointers, bit operations, unions and arithmetic overflow and underflow Support for Boolector, Z3, MathSAT, CVC4 and Yices C++ support does not include virtual methods. Supports verifying multi-threaded software using explicit state interleaving By default, checks for C/C++ errors and assert() failures

7 Naïve bounded model checking CyberSecuritySoton.org [fb & tw]

8 Simple example int mul(const int ain, const int b) { int a = ain; assume (a >= 0); assume (( a == 0 ) (( b <= (INT_MIN/a)) && ( b >= (INT_MAX/a)) ); int result = 0; while (a--) { result = result + b; } assert(result == ain * b); return result; } 8

9 Unrolling while (a--) { result = result+b; } becomes, if we bound the unrolling at nine iterations, if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) { a = a-1; result = result+b; } if (a) assert(false); // Unrolling assertion 9

10 Single assignment form int mul(const int ain, const int b) { int a_0 = ain; assume (a_0 >= 0); assume (( a == 0 ) (( b <= (INT_MAX/a)) && ( b >= (INT_MIN/a)) ); int result_0 = 0; int a_1 = a_0? a_0-1:a_0 ; int result_1 = a_0? result_0+b:result_0; int a_2 = a_1? a_1-1:a_1 ; int result_2 = a_1? result_1+b:result_1; int a_3 = a_2? a_2-1:a_2 ; int result_3 = a_2? result_2+b:result_2; int a_4 = a_3? a_3-1:a_3 ; int result_4 = a_3? result_3+b:result_3; int a_5 = a_4? a_4-1:a_4 ; int result_5 = a_4? result_4+b:result_4; int a_6 = a_5? a_5-1:a_5 ; int result_6 = a_5? result_5+b:result_5; int a_7 = a_6? a_6-1:a_6 ; int result_7 = a_6? result_6+b:result_6; int a_8 = a_7? a_7-1:a_7 ; int result_8 = a_7? result_7+b:result_7; int a_9 = a_8? a_8-1:a_8 ; int result_9 = a_8? result_8+b:result_8; assert(!a_9); assert (result_9 == ain * b); return result_9; } 10

11 Verify the algebraic expression We look for satisfying assignments to the integer unknowns which would cause the assertion to fail. The program is broken if there is a set of assignments to ain, b, a_0 a_9, result_0 result_9 which makes the following expression true: (a_0 == ain) & (a_0 >= 0) & ((a == 0) (( b <= (INT_MAX/a)) & ( b >= (INT_MIN/a))) & (result_0 == 0) & (a_1 == a_0? a_0-1:a_0) & (result_1 == a_0? result_0+b:result_0) & (a_2 == a_1? a_1-1:a_1) & (result_2 == a_1? result_1+b:result_1) & (a_3 == a_2? a_2-1:a_2) & (result_3 == a_2? result_2+b:result_2) & (a_4 == a_3? a_3-1:a_3) & (result_4 == a_3? result_3+b:result_3) & (a_5 == a_4? a_4-1:a_4) & (result_5 == a_4? result_4+b:result_4) & (a_6 == a_5? a_5-1:a_5) & (result_6 == a_5? result_5+b:result_5) & (a_7 == a_6? a_6-1:a_6) & (result_7 == a_6? result_6+b:result_6) & (a_8 == a_7? a_7-1:a_7) & (result_8 == a_7? result_7+b:result_7) & (a_9 == a_8? a_8-1:a_8) & (result_9 == a_8? result_8+b:result_8) & ((a_9!= 0) (result_9!= ain * b)); 11

12 Feed the expression to an SMT solver Z3 is a good example If z3 can find a satisfying set of assignments, then the program is incorrect, and we know an example set of inputs on which it fails. Boolector is good too 12

13 It is all much harder in practice Think about arrays and pointers C statements may not be executed in order between sequence points For OO languages, worry about dynamic dispatch (method pointers) Concurrency is a real pain; all valid interleavings must be considered 13

14 k-induction We can sometimes analyse to unbounded depths CyberSecuritySoton.org [fb & tw]

15 Another sample program unsigned int sumint(const unsigned int n) { unsigned int i = 0; unsigned int result = 0; // Here we are ignoring the assume // that should prevent overflow while (i<n) { i = i + 1; result = result + i; assert(result == i*(i+1)/2); assert (i <= n); } assert(result == n*(n+1)/2); return result; }

16 Whence comes the invariant? In general, there is no way to deduce it halting problem lots of current work on deducing invariants For simple loops, they can sometimes be guessed Range analysis will often control the induction variable We know (i < n) at the top of the loop We know i is incremented by exactly one, so (i -1 < n) at the bottom of the loop The proof falls into three parts

17 Base case unsigned int i = 0; unsigned int result = 0; if (i<n) { i = i + 1; result = result + i; assert(result == i*(i+1)/2); assert (i <= n); } else { assert(result == n*(n+1)/2); } The base case can be extended to perform some bounded unrolling as well.

18 Inductive step unsigned int i; unsigned int result; assume(result = i*(i+1)/2); assume (i <= n); if (i<n) { i = i + 1; result = result + i; assert(result == i*(i+1)/2); assert (i <= n); } Sometimes it helps to unroll the inductive step a few times (k-induction)

19 Termination condition unsigned int i; unsigned int result; assume(result == i*(i+1)/2); assume (i <= n); if (!(i<n)) { assert(result == n*(n+1)/2); } The inductive step and the termination condition can be fused into a single test

20 Linear Temporal Logic specifications CyberSecuritySoton.org [fb & tw]

21 Broader specifications So far, we are just checking for language errors and the validity of point assertions: predicates that have to hold true at a particular point in the execution Temporal logic allows us to specify global properties that must hold over all time Our formulation is stutter-invariant, as there is no natural concept of an immediate successor state in a high level programming language

22 Temporal Operators

23 An LTL expression G({pressed} -> F{charge > min}) G is box: at every time in the future F is diamond: at some time in the future X is not used explicitly The LTL expression is used to generate a Büchi automaton which runs in a monitor thread

24 Büchi automata The left BA accepts the example from the previous page The right BA is its negation, used for the never claim in our monitor.

25 Bounded semantics of infinite programs

26 Floating Point CyberSecuritySoton.org [fb & tw]

27 Illustrative Example int main() { float x; float y = x; assert (x == y); return 0; }

28 Model checker input

29 MathSAT output sat ( ( main::x (_ NaN 8 24)) ( main::y (_ NaN 8 24)) ( nondet_symex::nondet0 (_ NaN 8 24)) ( execution_statelet::\\guard_exec true) )

30 Counterexample

31 Floating point performance 172 benchmarks from SV-COMP 17 Timeout: 900s Memory limit: 15GB MathSAT v Z3 v4.5.0

32 Experimental Evaluation

33 Experimental Evaluation 76 out of the 172 (44%) benchmarks are deterministic (no solver is invoked) MathSAT is 4.5x faster than Z3 when verifying the same set of benchmarks

34 Comparison to other Software Verifiers ESBMC + MathSAT achieved the highest score among all verifiers

35

Model Checking Embedded C Software using k-induction and Invariants

Model Checking Embedded C Software using k-induction and Invariants FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda

More information

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given

More information

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC: SMT-based BMC of single- and multi-threaded software exploits SMT solvers and their

More information

Handling Loops in Bounded Model Checking of C Programs via k-induction

Handling Loops in Bounded Model Checking of C Programs via k-induction Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and

More information

: A Bounded Model Checking Tool to Verify Qt Applications

: A Bounded Model Checking Tool to Verify Qt Applications 23 rd International SPIN symposium on Model Checking of Software : A Bounded Model Checking Tool to Verify Qt Applications Mário A. P. Garcia, Felipe R. Monteiro, Lucas C. Cordeiro, and Eddie B. de Lima

More information

OptCE: A Counterexample-Guided Inductive Optimization Solver

OptCE: A Counterexample-Guided Inductive Optimization Solver Federal University of Amazonas (UFAM) Postgraduate Program in Electrical Engineering (PPGEE) OptCE: A Counterexample-Guided Inductive Optimization Solver Higo Albuquerque, Rodrigo Araújo, Iury Bessa, Lucas

More information

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks 1 Mikhail Y. R. Gadelha 1, Lucas C. Cordeiro 2, and Denis A. Nicole 1 1 Electronics and

More information

Applications of Program analysis in Model-Based Design

Applications of Program analysis in Model-Based Design Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,

More information

More on Verification and Model Checking

More on Verification and Model Checking More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,

More information

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto,

More information

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira

More information

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks 1 Mikhail Y. R. Gadelha 1, Lucas C. Cordeiro 2, and Denis A. Nicole 1 1 Electronics and

More information

System LAV and Its Applications

System LAV and Its Applications Progress in Decision Procedures: From Formalizations to Applications Belgrade, March 30, 2013. Overview, Viktor Kuncak Development and Evaluation of : an SMT-Based Error Finding Platform. Verified Software:

More information

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk Agenda

More information

Model Checking with Automata An Overview

Model Checking with Automata An Overview Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques

More information

Model Checking of C and C++ with DIVINE 4

Model Checking of C and C++ with DIVINE 4 Model Checking of C and C++ with DIVINE 4 Zuzana Baranová, Jiří Barnat, Katarína Kejstová, Tadeáš Kučera, Henrich Lauko, Jan Mrázek, Petr Ročkai, Vladimír Štill Faculty of Informatics, Masaryk University

More information

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017 Cnterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017 Rodrigo Araújo, Alexandre Ribeiro, Iury Bessa, Lucas Cordeiro, and João Edgar Chaves Filho Federal University

More information

Duet: Static Analysis for Unbounded Parallelism

Duet: Static Analysis for Unbounded Parallelism Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing

More information

Bounded Model Checking Of C Programs: CBMC Tool Overview

Bounded Model Checking Of C Programs: CBMC Tool Overview Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning

More information

An Introduction to Satisfiability Modulo Theories

An Introduction to Satisfiability Modulo Theories An Introduction to Satisfiability Modulo Theories Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se February 13, 2019 1/28 Outline From theory... From DPLL to DPLL(T) Slides courtesy of Alberto

More information

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer EBS 2013 SMT-Bounded Model hecking of Programs Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas ordeiro, Bernd Fischer Bounded Model hecking (BM) Idea: check negation of given property

More information

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN Promela and SPIN Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH Promela and SPIN Promela (Protocol Meta Language): Language for modelling discrete, event-driven

More information

Proving Properties of non-array Programs

Proving Properties of non-array Programs Proving Properties of non-array Programs Thanks to Priyanka Darke Tata Research Development and Design Centre, Pune, India December 13, 2017 Copyright 2012 Tata Consultancy Services Limited 1 Background

More information

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers Isil Dillig, Thomas Dillig, and Alex Aiken Computer Science Department Stanford University Linear Arithmetic

More information

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract) Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract) Felipe R. Monteiro Mário A. P. Garcia Lucas C. Cordeiro Eddie B. de Lima Filho 33 rd IEEE/ACM International

More information

HECTOR: Formal System-Level to RTL Equivalence Checking

HECTOR: Formal System-Level to RTL Equivalence Checking ATG SoC HECTOR: Formal System-Level to RTL Equivalence Checking Alfred Koelbl, Sergey Berezin, Reily Jacoby, Jerry Burch, William Nicholls, Carl Pixley Advanced Technology Group Synopsys, Inc. June 2008

More information

Configurable Software Model Checking

Configurable Software Model Checking Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification

More information

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Embedded Software Verification Challenges and Solutions. Static Program Analysis Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline

More information

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology The Spin Model Checker : Part I Copyright 2008 CS655 System Korea Advanced Institute of Science and Technology System Spec. In Promela Req. Spec. In LTL Overview of the Spin Architecture Spin Model pan.c

More information

Symbolic and Concolic Execution of Programs

Symbolic and Concolic Execution of Programs Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James

More information

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012

Generating Small Countermodels. Andrew Reynolds Intel August 30, 2012 Generating Small Countermodels using SMT Andrew Reynolds Intel August 30, 2012 Acknowledgements Intel Corporation AmitGoel, Sava Krstic University of Iowa Cesare Tinelli, Francois Bobot New York University

More information

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols Lee Pike (Presenting), Galois, Inc. leepike@galois.com Geoffrey M. Brown, Indiana University geobrown@cs.indiana.edu

More information

The Spin Model Checker : Part I/II

The Spin Model Checker : Part I/II The Spin Model Checker : Part I/II Moonzoo Kim CS Dept. KAIST Korea Advanced Institute of Science and Technology Motivation: Tragic Accidents Caused by SW Bugs 2 Cost of Software Errors June 2002 Software

More information

Program Verification. Aarti Gupta

Program Verification. Aarti Gupta Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)

More information

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas

More information

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems V Brazilian Symposium on Computing Systems Engineering Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems Alessandro Trindade, Hussama Ismail, and Lucas Cordeiro Foz

More information

JPF SE: A Symbolic Execution Extension to Java PathFinder

JPF SE: A Symbolic Execution Extension to Java PathFinder JPF SE: A Symbolic Execution Extension to Java PathFinder Saswat Anand 1,CorinaS.Păsăreanu 2, and Willem Visser 2 1 College of Computing, Georgia Institute of Technology saswat@cc.gatech.edu 2 QSS and

More information

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Seminar in Software Engineering Presented by Dima Pavlov, November 2010 Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions

More information

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion

More information

F-Soft: Software Verification Platform

F-Soft: Software Verification Platform F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com

More information

DSVerifier: A Bounded Model Checking Tool for Digital Systems

DSVerifier: A Bounded Model Checking Tool for Digital Systems DSVerifier: A Bounded Model Checking Tool for Digital Systems Hussama I. Ismail, Iury V. Bessa, Lucas C. Cordeiro, Eddie B. de Lima Filho and João E. Chaves Filho Electronic and Information Research Center

More information

Deductive Methods, Bounded Model Checking

Deductive Methods, Bounded Model Checking Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded

More information

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,

More information

Software Model Checking. Xiangyu Zhang

Software Model Checking. Xiangyu Zhang Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions

More information

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen INF672 Protocol Safety and Verication Karthik Bhargavan Xavier Rival Thomas Clausen 1 Course Outline Lecture 1 [Today, Sep 15] Introduction, Motivating Examples Lectures 2-4 [Sep 22,29, Oct 6] Network

More information

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use

More information

Symbolic Execution. Wei Le April

Symbolic Execution. Wei Le April Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving

More information

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271 Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing

More information

Alive: Provably Correct InstCombine Optimizations

Alive: Provably Correct InstCombine Optimizations Alive: Provably Correct InstCombine Optimizations David Menendez Santosh Nagarakatte Rutgers University John Regehr University of Utah Nuno Lopes Microsoft Research Can We Trust Compilers? Any large software

More information

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software 1 SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, and Joao Marques-Silva Abstract Propositional bounded model checking has been applied successfully to verify

More information

The Low-Level Bounded Model Checker LLBMC

The Low-Level Bounded Model Checker LLBMC The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of

More information

InterprocStack analyzer for recursive programs with finite-type and numerical variables

InterprocStack analyzer for recursive programs with finite-type and numerical variables InterprocStack analyzer for recursive programs with finite-type and numerical variables Bertrand Jeannet Contents 1 Invoking InterprocStack 1 2 The Simple language 2 2.1 Syntax and informal semantics.........................

More information

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001 Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright

More information

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems We want Refinement Selection!!! Because straight-forward

More information

Static Analysis and Bugfinding

Static Analysis and Bugfinding Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have

More information

BITCOIN MINING IN A SAT FRAMEWORK

BITCOIN MINING IN A SAT FRAMEWORK BITCOIN MINING IN A SAT FRAMEWORK Jonathan Heusser @jonathanheusser DISCLAIMER JUST TO BE CLEAR.. This is research! Not saying ASICs suck I am not a cryptographer, nor SAT solver guy WTF REALISED PHD RESEARCH

More information

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration

More information

Abstract Interpretation

Abstract Interpretation Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis

More information

Formal Specification and Verification

Formal Specification and Verification Formal Specification and Verification Introduction to Promela Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification and Verification:

More information

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike June 3, 2005 lee.s.pike@nasa.gov Model-Checking 101 Model-checking is a way automatically to verify hardware or software. For a property P, A Model-checking program checks to ensure that every state on

More information

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK 1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK Tool architecture User view Source gnatprove Verdict 2 Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3

More information

Verifying Concurrent Programs

Verifying Concurrent Programs Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs

More information

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning Lecture 1 Contracts 15-122: Principles of Imperative Computation (Fall 2018) Frank Pfenning In these notes we review contracts, which we use to collectively denote function contracts, loop invariants,

More information

Automatic Software Verification

Automatic Software Verification Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework

More information

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3

More information

Software Engineering using Formal Methods

Software Engineering using Formal Methods Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt 03 September 2015 SEFM: Promela /GU 150903 1 / 36 Towards Model Checking System Model Promela Program byte n = 0; active

More information

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning Lecture 1 Contracts 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In these notes we review contracts, which we use to collectively denote function contracts, loop invariants,

More information

Model Checking Parallel Programs with Inputs

Model Checking Parallel Programs with Inputs Model Checking Parallel Programs with Inputs Jiří Barnat, Petr Bauch and Vojtěch Havel 12 February 2014 Barnat et. al. (ParaDiSe) Control Explicit Data Symbolic 1 / 23 Motivation: Parallel Software Verification

More information

Testing, Fuzzing, & Symbolic Execution

Testing, Fuzzing, & Symbolic Execution Testing, Fuzzing, & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed

More information

Program Analysis and Constraint Programming

Program Analysis and Constraint Programming Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization

More information

PKIND: A parallel k-induction based model checker

PKIND: A parallel k-induction based model checker PKIND: A parallel k-induction based model checker Temesghen Kahsai The University of Iowa temesghen-kahsaiazene@uiowa.edu Cesare Tinelli The University of Iowa cesare-tinelli@uiowa.edu PKIND is a novel

More information

Lecture 2: Symbolic Model Checking With SAT

Lecture 2: Symbolic Model Checking With SAT Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.

More information

A Verification Approach for GALS Integration of Synchronous Components

A Verification Approach for GALS Integration of Synchronous Components GALS 2005 Preliminary Version A Verification Approach for GALS Integration of Synchronous Components F. Doucet, M. Menarini, I. H. Krüger and R. Gupta 1 Computer Science and Engineering University of California,

More information

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys (http://spinroot.com/spin/doc/ SpinTutorial.pdf) CBMC & Daniel

More information

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata Automata-Theoretic LTL Model Checking Graph Algorithms for Software Model Checking (based on Arie Gurfinkel s csc2108 project) Automata-Theoretic LTL Model Checking p.1 Emptiness of Büchi Automata An automation

More information

SAT-based Model Checking for C programs

SAT-based Model Checking for C programs SAT-based Model Checking for C programs Moonzoo Kim Provable Software Lab. CS Division of EE 1 Formal Methods Definition in Wikepedia Formal methods are mathematically-based techniques for the specification,

More information

Applications of Formal Verification

Applications of Formal Verification Applications of Formal Verification Model Checking: Introduction to PROMELA Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State of Baden-Württemberg

More information

Testing & Symbolic Execution

Testing & Symbolic Execution Testing & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior

More information

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,

More information

A survey of new trends in symbolic execution for software testing and analysis

A survey of new trends in symbolic execution for software testing and analysis Int J Softw Tools Technol Transfer (2009) 11:339 353 DOI 10.1007/s10009-009-0118-1 REGULAR PAPER A survey of new trends in symbolic execution for software testing and analysis Corina S. Păsăreanu Willem

More information

PLDI 2016 Tutorial Automata-Based String Analysis

PLDI 2016 Tutorial Automata-Based String Analysis PLDI 2016 Tutorial Automata-Based String Analysis Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory http://vlab.cs.ucsb.edu Department of Computer Science Common Usages of Strings } Input

More information

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis (abridged version of DAC slides) Sanjit A. Seshia Associate Professor EECS Department UC Berkeley Design Automation

More information

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1 Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 2012 The MathWorks, Inc. 1 Agenda Formal Verification Key concept Applications Verification of designs against (functional) requirements Design error detection Test

More information

Having a BLAST with SLAM

Having a BLAST with SLAM Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver

More information

Software Model Checking. From Programs to Kripke Structures

Software Model Checking. From Programs to Kripke Structures Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y

More information

Static Program Analysis Part 1 the TIP language

Static Program Analysis Part 1 the TIP language Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate

More information

JavaPathFinder. Radek Mařík K333, FEE, CTU, Prague As a selection of slides from several JavaPathFinder tutorials 2013 November 26

JavaPathFinder. Radek Mařík K333, FEE, CTU, Prague As a selection of slides from several JavaPathFinder tutorials 2013 November 26 JavaPathFinder Radek Mařík K333, FEE, CTU, Prague As a selection of slides from several JavaPathFinder tutorials 2013 November 26 Outline What is JPF Usage examples Test case generation JPF architecture

More information

Satisfiability Modulo Theories: ABsolver

Satisfiability Modulo Theories: ABsolver Satisfiability Modulo Theories: ABsolver Michael Tautschnig Joint work with: Andreas Bauer Martin Leucker Christian Schallhart Michael Tautschnig 1 Outline 1. Introduction Michael Tautschnig 2 Outline

More information

arxiv: v1 [cs.ai] 11 Apr 2017

arxiv: v1 [cs.ai] 11 Apr 2017 Counterexample Guided Inductive Optimization Rodrigo F. Araújo a, Higo F. Albuquerque b, Iury V. de Bessa b, Lucas C. Cordeiro c, João Edgar C. Filho b arxiv:1704.03738v1 [cs.ai] 11 Apr 2017 a Federal

More information

C Code Verification based on the Extended Labeled Transition System Model

C Code Verification based on the Extended Labeled Transition System Model C Code Verification based on the Extended Labeled Transition System Model Dexi Wang, Chao Zhang, Guang Chen, Ming Gu, and Jiaguang Sun School of Software, TNLIST, Tsinghua University, China {dx-wang12,zhang-chao13,chenguan14}@mails.tsinghua.edu.cn

More information

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking Instructor: Tevfik Bultan Buchi Automata Language

More information

Parallel Model Checking of ω-automata

Parallel Model Checking of ω-automata Parallel Model Checking of ω-automata Vincent Bloemen Formal Methods and Tools, University of Twente v.bloemen@utwente.nl Abstract. Specifications for non-terminating reactive systems are described by

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle   holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue

More information

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao 6th International Conference on Information Engineering for Mechanics and Materials (ICIMM 2016) Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa,

More information

6.0 ECTS/4.5h VU Programm- und Systemverifikation ( ) June 22, 2016

6.0 ECTS/4.5h VU Programm- und Systemverifikation ( ) June 22, 2016 6.0 ECTS/4.5h VU Programm- und Systemverifikation (184.741) June 22, 2016 Kennzahl (study id) Matrikelnummer (student id) Familienname (family name) Vorname (first name) Gruppe (version) A 1.) Coverage

More information

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation, PRISM An overview PRISM is a probabilistic model checker automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation, Construction/analysis of probabilistic

More information

Distributed Systems Programming (F21DS1) Formal Verification

Distributed Systems Programming (F21DS1) Formal Verification Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on

More information

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015

Lost in translation. Leonardo de Moura Microsoft Research. how easy problems become hard due to bad encodings. Vampire Workshop 2015 Lost in translation how easy problems become hard due to bad encodings Vampire Workshop 2015 Leonardo de Moura Microsoft Research I wanted to give the following talk http://leanprover.github.io/ Automated

More information

PySMT: a Solver-Agnostic Library for Fast Prototyping of SMT-Based Algorithms

PySMT: a Solver-Agnostic Library for Fast Prototyping of SMT-Based Algorithms 1/14 PySMT: a Solver-Agnostic Library for Fast Prototyping of SMT-Based Algorithms Marco Gario and Andrea Micheli gario@fbk.eu Fondazione Bruno Kessler (FBK) University of Trento 2015-05-04 Interaction

More information

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH BOOGIE A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH Presentation by Itsik Hefez Introduction Boogie is an intermediate verification language, intended as a layer on which

More information