Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China
|
|
- Jasmine Adams
- 6 years ago
- Views:
Transcription
1 Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China
2 Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion and Future Work
3 Background & Motivation We focus on Software model checking in code-level (1) Rechability analysis of bad things int* a; int i=0; if(a==0) goto Err; i= *a; //de-referencing a Err: However, verifiation of other temporal properties such as liveness etc. cannot be supported! Suitable for only safety property verification Two well known ways: CEGAR and bounded model checking Tools: SLAM, BLAST, CPAChecker and CBMC
4 Background & Motivation (2) Model checking temporal properties without executing code (static) Considering all possible behaviors makes small programs have large state-space Tools: Ultmate LTLAutomizer, T2,... Difficult to verify programs in large scale Poor in accuracy with lots of false positives
5 Background & Motivation (3) Model checking temporal properties at run-time Extracting events while executing systems A monitor is designed in advance to check whether the trace violates the desired property Tools: Java PathExplorer, RiTHM, Interaction between systems and monitors incurs extra overhead
6 Background & Motivation Our approach: Verifying full-regular (temporal) properties of programs via dynamic program execution Executing both the program and property
7 Background & Motivation Approach Overview MSVL Program M MSVL Compiler IR KLEE Verification cases MSVL Program M_and_M.exe Verification Results M MSVL Program MSVL Compiler PPTL formula Trans MSVL Program M and M P M
8 Modeling Simulation and Verification Language Modeling Simulation and Verification Language (MSVL) is an executing subset of Projection Temporal Logic (PTL) with framing techniue Data Types: (unsigned) int, float, (unsigned) char, string, array, pointer, struct, union Syntax : Arithmetic expression Boolean expression
9 Modeling Simulation and Verification Language Two kinds of functions in MSVL programs External functions C standard library functions (strcat, strcmp, strlen, strcpy ) MSVL functions MSVL standard library functions (int getline(int len,char s[ ]){ }) MSVL user-defined functions (void f(int x 1, x 2,,x n ){ }) Two kinds of function calls in MSVL programs Black-box call (extern f(e 1,e 2,,e n )) White-box call (only for MSVL functions: f(e 1,e 2,,e n ))
10 Elementary Statements in MSVL Projection Temporal Logic
11 MSVL Normal form of MSVL programs Present components Future components A program Conjunction of state statements An internal program where variables may refer to the previous states Execution of MSVL programs is based on transforming programs into normal forms
12 MSVL Compiler MSVL Program MSVL Frontend Symbol table managing Lexical analysis Syntax analysis Preprocessing Semantic analysis IR generation Developed based on Error handling LLVM IR optimizing Object code generation Object code LLVM Backend
13 MSVL Compiler Case Studies Dining philosophers problem LTL2BA A program for translating LTL formulas to Büchi automata Simple CPU An adder including dereference, decode and execution
14 Propositional Projection Temporal Logic Propositional Projection Temporal Loigc (PPTL) Syntax Semantics An interval σ is a non-empty seuence of states, which can be finite or infinite.
15 Propositional Projection Temporal Logic An interpretation is a triple I = (σ, i, j), where σ is an interval, i is an integer, and j an integer or ω. The satisfaction relation is inductively defined as follows: I = p iff si[p] = true, and p Prop is an atomic proposition p I = P iff i < j and (σ, i+1, j) = P P I = P iff I P I = P Q iff I = P or I = Q
16 Propositional Projection Temporal Logic I = (P 1, P 2,,P m ) prj P, if there exist integers r 0 r 1 r m j such that (σ, r l-1, r l ) = P l, 1 l m, and (σ, 0, σ ) = P for one of the following σ : (a) r m < j and σ = σ (r 0,, r m ) σ(r m+1,, j), or (b) r m = j and σ = σ (r 0,, r h ) for some 0 h m <s 0,s 1,s 2,s 3,s 4 > (0,0,2,2,2,3)=<s 0,s 2,s 3 > (P 1, P 2, P 3 ) prj P P Derived formulas P 1 P 2 P 3
17 Normal Form of PPTL formulas A PPTL formula P is in normal form if, P fj is a PPTL formula without disjuct being the main operator P ei and P cj are true or state formulas of the form: Theorem: Any PPTL formula can be euivalently transformed into its normal form.
18 Labeled Normal Form Graph labeled normal form graphs (LNFG) are constructed based on normal form of PPTL formulas LNFG of a PPTL formula is a 4-tuple CL : non-empty finite set of nodes EL: set of directed edges among CL V 0 : set of initial (root) nodes :, 1 i k, set of nodes with l i being the label. Inf(π): set of nodes which infinitely often occur in path π A path is acceptable if it is finite, or infinite and all the nodes in Inf(π) do not share a same label.
19 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p n 1 n 2 NF(n 0 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )
20 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p p n 1 n 2 NF(n 1 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )
21 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p p n 1 n 2 l 1 n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )
22 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p NF(n 2 ) = p ( ( ) ((p;) ) ) n 1 n 2 l 1 ( ( ) (fin(l 1 );) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )
23 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1
24 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable
25 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 1 n 0 p p n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable Path π =< n 0, p, (n 2,, n 1, p ) ω > Nodes that occur infinitely often do not have a same label Acceptable
26 From PPTL to MSVL Use a uniue integer to represent each of nodes in the LNFG 1 p p 2 3
27 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 Global Variable CuNode:presenting the node explored at the current state. The first node to be explored is a root node (CuNode <==1)
28 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i
29 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i
30 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i
31 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i
32 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced
33 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced
34 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced
35 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S
36 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S
37 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S
38 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S
39 Verification as Dynamic Program Execution Whether M violates P? Program M frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) Desired Property P 1 e1: true e2: (EW= SN=) (EW= SN=) e1 e3 e4 e3: true e2 e4: (EW= SN=) (EW= SN=) e5: true 2 4 e5 e10 e6: EW= SN= e11 e7: EW= SN= e6 e12 e8: true 3 e9: true e7 e8 e9 e10: true e11: EW= SN= e12: EW= SN= MSVL Program frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) and CuNode<==1 and while(more) { if(cunode=1)then{ CuNode:=2 or if((ew= and SN=) or (EW= and SN=)) then{cunode:=3}else{false} or CuNode:=4 } else { if(cunode=2)then{ L={l 1 } and ( CuNode:=2 or if(ew= and SN=) then{node:=3}else {false})} else{ if(cunode=3)then{cunode:=3} else{ if(cunode=4) then{ L={l 2 } and ( CuNode:=4 or if(ew= and SN=) then {CuNode:=3}else{false}) }else{false}}}} }; if(cunode=1) then{ } else { if(cunode=2)then{ } else{ if(cunode=3)then{ } else{ if(cunode=4)then{ }else{false}}} } M P
40 Verification as Dynamic Program Execution EW SN An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > A finite execution in M A finite path in LNFG of P All executions in M and P 1,1 2,2 2,4 3,2 3,4 4,2 4,4 1,4 1,2 2,3 5 3,3 Finite: A finite execution in M and P 1,1 2,2 3,2 4,2 5,5 5,5 4,3 1,3 EW SN
41 EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P An infinite execution in M An infinite path in LNFG of P ,2 4,2 2,2 1,2 3,3 1,1 2,3 2,4 1,4 3,4 4,4 Infinite: EW SN An infinite execution in M and P 1,1 2,2 3,3 4,3 1,3 2,3 5 5,5 4,3 1,3
42 EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P Infinite: An infinite execution in M EW SN An infinite execution in M and P An infinite path in LNFG of P 1,1 2,2 3,2 4,2 1, ,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4
43 Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. EW SN Finite: Verification as Dynamic Program Execution EW SN ,1 2,2 3,2 4,2 5,5 EW= SN= EW= EW= SN= SN= false Feasibility checking(finite) 5 true true 2 EW= SN= 1 3 check true true true false 4 5 3,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 Infeasible 1,3 2,4 1,4 3,4 4,4
44 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. Infinite: EW SN EW= SN= EW= SN= EW= SN= 5 1,1 2,2 3,3 4,3 1,3 2,3 check true false false true 2 1 EW= SN= Feasibility checking (infinite) ,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4 Infeasible
45 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true ,2 4,2 1,2 5,5 Feasible 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4
46 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true ,2 4,2 1,2 Feasible 1,1 2,4 1,4 3,4 4,4 All feasible executions in M and P
47 EW SN Verification as Dynamic Program Execution A feasible execution σ =<s 0, s 1,...> is acceptable if (1) σ is finite; or (2) σ is infinite and no lables are shared by all the states in Inf (σ) true 2 1 true l 2, ,2 4,2 1,2 1,1 2,4 1,4 3,4 4,4 Infinite: Whether a feasible path is acceptable? true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true = {l 1 } label φ {l 1 } {l 1 } {l 1 } {l 1 } l 1 is shared by all the states in Inf (σ) Unacceptable
48 Verification as Dynamic Program Execution Suppose the model is modified as follows: All feasible executions in M and P 1,1 EW SN Infinite: ,1 2,2 3,3 4,3 1,3 EW SN check true true true true 5 true true A counterexample is found! true = φ label φ l 1 φ φ φ φ l 1 EW= SN= true 5 2,3 3,2 4,2 2,2 1,2 5,5 3,3 4,3 2,3 1,3 2,4 1,4 3,4 4,4 no label is shared by all the states in Inf (σ) Acceptable
49 Implementation MSVL program M PPTL formula UMC4MSVL Construct LNFG M_IR MSVL Compiler M and M M LNFG LNFG2MSVL KLEE M_and_M.exe feasible? yes Verification cases no no acceptable? All cases are verified yes No error found Error
50 Verifying Programs Case Studies Dining philosophers problem liveness property: every philosopher can eat. LTL2BA A software for translating LTL formula to Büchi automata a Büchi automaton is generated with at most n 2 n (n is the number of fairness conditions) states Simple CPU An adder including dereference, decode and execution If the address signal is true, the address is program counter address
51 Translating from C to MSVL C program Preprocessing Twolf (C Program) Lexical analysis ( C:15,912LOC MSVL:32,843LOC) YES Direct translation Syntax analysis Existing corresponding statement in MSVL? NO Semantics guided translation Twolf is selected from the SPEC CPU 2000 Benchmark. It is used in the process of creating the lithography artwork needed for the production of microchips. Post processing MSVL program C library function
52 Translating from Verilog/VHDL to MSVL Verilog/VHDL program Preprocessing Lexical analysis Syntax analysis Semantic analysis IR generation Semantics guided translation SHA (Verilog Program) (Verilog:20,397LOC MSVL:44,583LOC) SHA (Secure Hash Algorithm) is a cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). MSVL program
53 Generating Verification Cases Dynamic Symbolic Execution is used to generate verification cases MSVL program (IR) KLEE execute record path constraint negate a branch condition generate new inputs solve path constraints (SMT solver Z3) yes successful? no Verification cases end
54 Generating Verification Cases Case Studies RERS P15 (RERS Benchmark) A reactive system, where an engine calculates an output depending on the input and current state, and finally writes the output to the standard output Totally, verification cases are generated with KLEE Line Coverage: 41.81% Branch Coverage: 50.70% Property: 24 will never be output later than 22
55 Verifying Programs Verification of (small) programs of Benchmark1 Our method All the four tools can successfully output the verification results. However, UMC4MSVL is more efficient than other three tools.
56 Verifying Programs Verification of larger programs in Benchmark2 Our method Success rate 44% 19% 100% 100% Avg Time(s)
57 Verifying Programs Verification of real-world programs All the programs and properties are successfully verified by UMC4MSVL in seconds. Other three tools fail on these programs.
58 Conclusion and Future Research We proposed a run-time unified model checking approach by executing both programs and properties at the same time. We use dynamic symbolic execution techniue to generate verification cases for achieving higher path coverage. However, the proposed approach is incomplete. In the future: Investigate more strategies for generating better verification cases Planning with MSVL Complier Bug-fixing guided by counterexamples
59 Thanks! & Questions?
Automatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationFormal Methods for Software Development
Formal Methods for Software Development Model Checking with Temporal Logic Wolfgang Ahrendt 21st September 2018 FMSD: Model Checking with Temporal Logic /GU 180921 1 / 37 Model Checking Check whether a
More informationIntroduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL
Introduction to Linear-Time Temporal Logic CSE 814 Introduction to LTL 1 Outline Motivation for TL in general Types of properties to be expressed in TL Structures on which LTL formulas are evaluated Syntax
More informationModel checking pushdown systems
Model checking pushdown systems R. Ramanujam Institute of Mathematical Sciences, Chennai jam@imsc.res.in Update Meeting, IIT-Guwahati, 4 July 2006 p. 1 Sources of unboundedness Data manipulation: integers,
More informationTool demonstration: Spin
Tool demonstration: Spin 1 Spin Spin is a model checker which implements the LTL model-checking procedure described previously (and much more besides). Developed by Gerard Holzmann of Bell Labs Has won
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationSMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva
SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationIntroduction to CBMC: Part 1
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening Bug Catching with SAT Solvers Main
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationSliced Path Prefixes: An Effective Method to Enable Refinement Selection
FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems We want Refinement Selection!!! Because straight-forward
More informationModel Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12
Model Checking mc Revision:.2 Model Checking for Infinite Systems mc 2 Revision:.2 check algorithmically temporal / sequential properties fixpoint algorithms with symbolic representations: systems are
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationThe Spin Model Checker : Part I/II
The Spin Model Checker : Part I/II Moonzoo Kim CS Dept. KAIST Korea Advanced Institute of Science and Technology Motivation: Tragic Accidents Caused by SW Bugs 2 Cost of Software Errors June 2002 Software
More informationFinite State Verification. CSCE Lecture 14-02/25/2016
Finite State Verification CSCE 747 - Lecture 14-02/25/2016 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationApplications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo
Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys (http://spinroot.com/spin/doc/ SpinTutorial.pdf) CBMC & Daniel
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationModel Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
More informationLeveraging DTrace for runtime verification
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties System Every request gets
More informationMonitoring Interfaces for Faults
Monitoring Interfaces for Faults Aleksandr Zaks RV 05 - Fifth Workshop on Runtime Verification Joint work with: Amir Pnueli, Lenore Zuck Motivation Motivation Consider two components interacting with each
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationB.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University
Unit 1 Programming Language and Overview of C 1. State whether the following statements are true or false. a. Every line in a C program should end with a semicolon. b. In C language lowercase letters are
More informationAryan College. Fundamental of C Programming. Unit I: Q1. What will be the value of the following expression? (2017) A + 9
Fundamental of C Programming Unit I: Q1. What will be the value of the following expression? (2017) A + 9 Q2. Write down the C statement to calculate percentage where three subjects English, hindi, maths
More informationFormal Verification Using Static and Dynamic Analyses. Aleksandr Zaks. A dissertation submitted in partial fulfillment
Formal Verification Using Static and Dynamic Analyses by Aleksandr Zaks A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Departemnt of Computer
More informationSmall Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis
Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis Isil Dillig, Thomas Dillig, Alex Aiken Stanford University Scalability and Formula Size Many program analysis
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationBITCOIN MINING IN A SAT FRAMEWORK
BITCOIN MINING IN A SAT FRAMEWORK Jonathan Heusser @jonathanheusser DISCLAIMER JUST TO BE CLEAR.. This is research! Not saying ASICs suck I am not a cryptographer, nor SAT solver guy WTF REALISED PHD RESEARCH
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationComputer Lab 1: Model Checking and Logic Synthesis using Spin (lab)
Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu Calornia Institute of Technology AFRL, 25 April 2012 Outline Spin model checker: modeling
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationFinite State Verification. CSCE Lecture 21-03/28/2017
Finite State Verification CSCE 747 - Lecture 21-03/28/2017 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationC Code Verification based on the Extended Labeled Transition System Model
C Code Verification based on the Extended Labeled Transition System Model Dexi Wang, Chao Zhang, Guang Chen, Ming Gu, and Jiaguang Sun School of Software, TNLIST, Tsinghua University, China {dx-wang12,zhang-chao13,chenguan14}@mails.tsinghua.edu.cn
More informationCopyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology
The Spin Model Checker : Part I Copyright 2008 CS655 System Korea Advanced Institute of Science and Technology System Spec. In Promela Req. Spec. In LTL Overview of the Spin Architecture Spin Model pan.c
More informationHaving a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationOutline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions
Outline Introduction SDV Motivation Model vs Real Implementation SIC SDVRP SAM-2 Comparisons Conclusions SDV Research Platform Academic release of SDV (Static Driver Verifier), based on the code that ships
More informationCSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 Practical Applications of SAT courses.cs.washington.edu/courses/cse507/18sp/ Emina Torlak emina@cs.washington.edu Today Past 2 lectures The theory and mechanics
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationFormal Specification and Verification
Formal Specification and Verification Introduction to Promela Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification and Verification:
More informationT Reactive Systems: Kripke Structures and Automata
Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Kripke Structures and Automata Spring 2005, Lecture 3 January 31, 2005 Tik-79.186 Reactive Systems 2 Properties of systems invariants: the system
More informationResearch Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationOverview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?
Computer Engineering and Networks Overview Discrete Event Systems - Verification of Finite Automata Lothar Thiele Introduction Binary Decision Diagrams Representation of Boolean Functions Comparing two
More informationModel Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
More informationUNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira
More information: A Bounded Model Checking Tool to Verify Qt Applications
23 rd International SPIN symposium on Model Checking of Software : A Bounded Model Checking Tool to Verify Qt Applications Mário A. P. Garcia, Felipe R. Monteiro, Lucas C. Cordeiro, and Eddie B. de Lima
More informationAutomata-Theoretic LTL Model Checking. Emptiness of Büchi Automata
Automata-Theoretic LTL Model Checking Graph Algorithms for Software Model Checking (based on Arie Gurfinkel s csc2108 project) Automata-Theoretic LTL Model Checking p.1 Emptiness of Büchi Automata An automation
More informationVerification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80
1 / 80 Verification Miaoqing Huang University of Arkansas Outline 1 Verification Overview 2 Testing Theory and Principles Theoretical Foundations of Testing Empirical Testing Principles 3 Testing in Practice
More informationLogic Model Checking
Logic Model Checking Lecture Notes 17:18 Caltech 101b.2 January-March 2005 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN 0-321-22862-6, 608 pgs. checking omega
More informationSimulation and Verification of the Virtual Memory Management System with MSVL
Proceedings of the 2014 IEEE 18th International Conference on Computer Supported Cooperative Work in Design SimulationandVerificationoftheVirtualMemory ManagementSystemwithMSVL Meng Wang Institute of ComputingTheory
More informationModel-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner
Model-Checking Concurrent Systems Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at 1.
More informationFormal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints
Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk Agenda
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationApplication of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3
More informationFormal Specification and Verification
Formal Specification and Verification Model Checking with Temporal Logic Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification
More informationCS61C Machine Structures. Lecture 3 Introduction to the C Programming Language. 1/23/2006 John Wawrzynek. www-inst.eecs.berkeley.
CS61C Machine Structures Lecture 3 Introduction to the C Programming Language 1/23/2006 John Wawrzynek (www.cs.berkeley.edu/~johnw) www-inst.eecs.berkeley.edu/~cs61c/ CS 61C L03 Introduction to C (1) Administrivia
More informationTLA+ TLC. Rui Fan Stanislav Funiac Mandana Vaziri. Presented by Spring 2001
TLA+ TLC Presented by Rui Fan Stanislav Funiac Mandana Vaziri 6.897 Spring 2001 Outline Overview of TLA/TLA+ Subset of TLA+ supported by TLC Alternating Bit Protocol example Model checking Demo L. Lamport,
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationComplete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar
Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge Leonardo de Moura ACSys Seminar 2008.12 Motivation SMT solvers have been successful Quantified smt formulas are
More informationNetwork Protocol Design and Evaluation
Network Protocol Design and Evaluation 05 - Validation, Part III Stefan Rührup Summer 2009 Overview In the first parts of this chapter: Validation models in Promela Defining and checking correctness claims
More informationCSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27
CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 2.1-2.7 p. 1/27 CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer
More informationSoftware Engineering using Formal Methods
Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt & Richard Bubel & Reiner Hähnle & Wojciech Mostowski 31 August 2011 SEFM: Promela /GU 110831 1 / 35 Towards Model Checking
More informationTimo Latvala. January 28, 2004
Reactive Systems: Kripke Structures and Automata Timo Latvala January 28, 2004 Reactive Systems: Kripke Structures and Automata 3-1 Properties of systems invariants: the system never reaches a bad state
More informationLexical Analysis. Lexical analysis is the first phase of compilation: The file is converted from ASCII to tokens. It must be fast!
Lexical Analysis Lexical analysis is the first phase of compilation: The file is converted from ASCII to tokens. It must be fast! Compiler Passes Analysis of input program (front-end) character stream
More informationComputer-Aided Program Design
Computer-Aided Program Design Spring 2015, Rice University Unit 1 Swarat Chaudhuri January 22, 2015 Reasoning about programs A program is a mathematical object with rigorous meaning. It should be possible
More informationModel checking Timber program. Paweł Pietrzak
Model checking Timber program Paweł Pietrzak 1 Outline Background on model checking (spam?) The SPIN model checker An exercise in SPIN - model checking Timber Deriving finite models from Timber programs
More informationDefinition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,
CMPSCI 601: Recall From Last Time Lecture 5 Definition: A context-free grammar (CFG) is a 4- tuple, variables = nonterminals, terminals, rules = productions,,, are all finite. 1 ( ) $ Pumping Lemma for
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationLecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking Instructor: Tevfik Bultan Buchi Automata Language
More informationConstraint Programming on Infinite Data Streams
Constraint Programming on Infinite Data Streams A. Lallouet 1, Y.C. Law 2, J.H.M. Lee 2, and C.F.K. Siu 2 1 Université de Caen, France 2 The Chinese University of Hong Kong, Hong Kong 1 Infinite Data Streams
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationµz An Efficient Engine for Fixed Points with Constraints
µz An Efficient Engine for Fixed Points with Constraints Kryštof Hoder, Nikolaj Bjørner, and Leonardo de Moura Manchester University and Microsoft Research Abstract. The µz tool is a scalable, efficient
More informationPLDI 2016 Tutorial Automata-Based String Analysis
PLDI 2016 Tutorial Automata-Based String Analysis Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory http://vlab.cs.ucsb.edu Department of Computer Science Common Usages of Strings } Input
More informationOn Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER
raft On Search Strategies for Constraint-Based Bounded Model Checking Michel RUEHER Joined work with Hélène Collavizza, Nguyen Le Vinh, Olivier Ponsini and Pascal Van Hentenryck University Nice Sophia-Antipolis
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Prof. Dr. Bernhard Beckert Dr. Vladimir Klebanov SS 2012 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationHECTOR: Formal System-Level to RTL Equivalence Checking
ATG SoC HECTOR: Formal System-Level to RTL Equivalence Checking Alfred Koelbl, Sergey Berezin, Reily Jacoby, Jerry Burch, William Nicholls, Carl Pixley Advanced Technology Group Synopsys, Inc. June 2008
More information15-819M: Data, Code, Decisions
15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) 15-819M/08: Data, Code, Decisions 1 / 40 Outline 1
More informationPractical Model-based Testing With Papyrus and RT-Tester
Practical Model-based Testing With Papyrus and RT-Tester Jan Peleska and Wen-ling Huang University of Bremen Verified Systems International GmbH Fourth Halmstad Summer School on Testing, 2014-06-11 Acknowledgements.
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationProving liveness. Alexey Gotsman IMDEA Software Institute
Proving liveness Alexey Gotsman IMDEA Software Institute Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationCombining Static and Dynamic Contract Checking for Curry
Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR 2017 1 Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember that you can t just define a meaning function in terms of itself you must use some fixed point machinery. #2 #3 Observations
More informationSymbolic Execu.on. Suman Jana
Symbolic Execu.on Suman Jana Acknowledgement: Baishakhi Ray (Uva), Omar Chowdhury (Purdue), Saswat Anand (GA Tech), Rupak Majumdar (UCLA), Koushik Sen (UCB) What is the goal? Tes.ng Tes%ng approaches are
More informationModel-Checking Concurrent Systems
Model-Checking Concurrent Systems Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang
More informationTermination Analysis of C Programs Using Compiler Intermediate Languages
Karlsruhe Reports in Informatics 2011,6 Edited by Karlsruhe Institute of Technology, Faculty of Informatics ISSN 2190-4782 Termination Analysis of C Programs Using Compiler Intermediate Languages Stephan
More informationLectures 5-6: Introduction to C
Lectures 5-6: Introduction to C Motivation: C is both a high and a low-level language Very useful for systems programming Faster than Java This intro assumes knowledge of Java Focus is on differences Most
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini Lezione 1 2013 Slides liberamente adattate da Logic Model Checking, per gentile concessione di Gerard J. Holzmann http://spinroot.com/spin/doc/course/
More information(How) Did you specify your test suite?
(How) Did you specify your test suite? Helmut Veith Formal Methods in Systems Engineering Vienna University of Technology Joint work with Andreas Holzer, Christian Schallhart, and Michael Tautschnig high
More informationIntegrating a SAT Solver with Isabelle/HOL
Integrating a SAT Solver with / Tjark Weber (joint work with Alwen Tiu et al.) webertj@in.tum.de First Munich-Nancy Workshop on Decision Procedures for Theorem Provers March 6th & 7th, 2006 Integrating
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More information