SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Transcription

1 SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

2 Bounded Model Checking (BMC) Basic Idea: check negation of given property up to given depth transition system ϕ ϕ 1 ϕ 2 ϕ k-1 ϕ k... M M 1 M 2 M k-1 M k counterexample trace property bound transition system M unrolled k times for programs: unroll loops, unfold arrays, translated into verification condition ψ such that ψ satisfiable iff ϕ has counterexample of max. depth k has been applied successfully to verify (embedded) software

3 SAT-based CBMC [D. Kroening] implements BMC for ANSI-C/C++ programs using SAT-solvers: C/C++ source scan and parse parse tree typecheck and convert to SSA IRep tree properties BMC unroll program k times verification conditions check satisfiability using a SAT solver SAT solver

4 SAT-based CBMC [D. Kroening] implements BMC for ANSI-C/C++ programs using SAT-solvers: C/C++ source scan and parse parse tree typecheck and convert to SSA IRep tree properties Problems (due to bit-blasting): BMC unroll program k times verification conditions SAT solver complex expressions lead to large propositional formulae high-level information is lost check satisfiability using a SAT solver conversion to propositional form Encoding of x == a + b represent x, a, b by n independent propositional variables each represent addition by logical circuit represent equality by equivalences on propositional variables

5 Objective of this work Exploit SMT to improve BMC of embedded software exploit background theories of SMT solvers provide suitable encodings for pointers bit operations unions arithmetic over- and underflow build an SMT-based BMC tool for full ANSI-C build on top of CBMC front-end use several third-party SMT solvers as back-ends evaluate ESBMC over embedded software applications

6 Satisfiability Modulo Theories (1) SMT decides the satisfiability of first-order logic formulae using the combination of different background theories ( building-in operators). Theory Example Equality x 1 =x 2 (x 1 =x 3 ) (x 1 =x 3 ) Bit-vectors (b >> i) & 1 = 1 Linear arithmetic (4y 1 + 3y 2 4) (y 2 3y 3 3) Arrays (j = k a[k]=2) a[j]=2 Combined theories (j k a[j]=2) a[i] < 3

7 Satisfiability Modulo Theories (2) Given a decidable -theory T a quantifier-free formula ϕ ϕ is T-satisfiable iff T {ϕ} is satisfiable, i.e., there exists a structure that satisfies both formula and sentences of T Given a set Γ {ϕ} of first-order formulae over T ϕ is a T-consequence of Γ (Γ T ϕ) iff every model of T Γ is also a model of ϕ Checking Γ T ϕ can be reduced in the usual way to checking the T-satisfiability of Γ { ϕ}

8 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); }

9 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial front-end converts unrolled and optimized program into SSA int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); } g 1 = x 1 == a 1 = a WITH [i :=] a 2 = a a 3 = a 2 WITH [2+i :=1] a 4 = g 1? a 1 : a 3 t 1 = a 4 [1+i ] == 1

10 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial front-end converts unrolled and optimized program into SSA extraction of constraints C and properties P specific to selected SMT solver, uses theories satisfiability check of C P int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); } ( x1 = ) = store( a, i,) g1 : = a1 : C : = a2 : = a a3 : = store 2 a4 : = ite( g1, a1, a3) ( a,2 + i,1) i i < i 2 + i < 2 P : = 1+ i 1+ < 2 i select( a4, i + 1) = 1

11 Encoding of Numeric Types SMT solvers typically provide different encodings for numbers: abstract domains (Z, R) fixed-width bit vectors (unsigned int, ) > internalized bit-blasting verification results can depend on encodings (a > ) (b > ) (a + b > ) valid in abstract domains such as Z or R majority of VCs solved faster if numeric types are modelled by abstract domains but possible loss of precision ESBMC supports both encodings doesn t hold for bitvectors, due to possible overflows

12 Encoding Numeric Types as Bitvectors Bitvector encodings need to handle type casts and implicit conversions arithmetic conversions implemented using word-level functions (part of the bitvector theory: extractbits, ) > different conversions for every pair of types > uses type information provided by front-end conversion to / from bool via if-then-else operator arithmetic over- / underflow standard requires modulo-arithmetic for unsigned integers define error literals to detect over- / underflow for other types res_ok overflow(x, y) underflow(x, y) > similar to conversions floating-point numbers approximated by fixed-point numbers, integral part only represented by fixed-width bitvector

13 Encoding of Structured Datatypes arrays and records / tuples typically handled directly by SMT-solver pointers modelled as tuples p.o representation of underlying object p.i index (if pointer used as array base) Store object at position int main() { int a[2], i, x, *p; p=a; if (x==) a[i]=; else a[i+1]=1; assert(*(p+2)==1); } C:= p 1 := store(p,, &a[]) p 2 := store(p 1, 1, ) g 2 := (x 2 == ) a 1 := store(a, i, ) a 2 := a a 3 := store(a 2, 1+ i, 1) Update index Store index at position 1 a 4 := ite(g 1, a 1, a 3 ) p 3 := store(p 2, 1, select(p 2, 1)+2)

14 Encoding of Structured Datatypes arrays and records / tuples typically handled directly by SMT-solver pointers modelled as tuples p.o representation of underlying object p.i index (if pointer used as array base) int main() { int a[2], i, x, *p; p=a; if (x==) a[i]=; else a[i+1]=1; assert(*(p+2)==1); } P:= i i < 2 1+ i 1+ i < 2 select(p 3, ) == &a[] select(select(p 3, ), negation satisfiable (a[2] unconstrained) assert fails select(p 3, 1)) == 1

15 Evaluation

16 Comparison of SMT solvers Goal: compare efficiency of different SMT-solvers CVC3 (1.5) Boolector (1.) Z3 (2.) Set-up: identical ESBMC front-end, individual back-ends operations not supported by SMT-solvers are axiomatized standard desktop PC, time-out 36 seconds

17 Comparison of SMT solvers Module #L #P BubbleSort lines of code (n=35) (n=14) SelectionSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error 28.3 number of 1.9 properties MO checked MO InsertionSort (n=35) (n=14) MO 1 TO Prim size of arrays StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode

18 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error 28.3 MO SelectionSort (n=35) (n=14) MO All SMT-solvers can InsertionSort (n=35) handle (n=14) 86 17the VCs MO from 1the TO embedded applications Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode

19 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) SelectionSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error CVC3 doesn t scale MO that well and runs out of memory MO InsertionSort (n=35) (n=14) MO 1 TO Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode

20 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) Boolector 43 17and Z3 MOroughly 1 comparable, with some SelectionSort (n=35) advantages (n=14) for MO Z3 1 CVC3 Boolector Z3 Time Error Time Error Time Error InsertionSort (n=35) (n=14) MO 1 TO Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode

21 Comparison of SMT solvers Goal: compare efficiency of different SMT-solvers CVC3 (1.5) Boolector (1.) Z3 (2.) Set-up: identical ESBMC front-end, individual back-ends unsupported operations axiomatized standard desktop PC, time-out 36 seconds SMT-solver of choice: Z3 best coverage of domain overall fastest

22 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * SelectionSort (n=35) (n=14) MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO

23 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module All benchmarks taken from SMT-CBMC suite ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * SelectionSort (n=35) (n=14) MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO

24 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) ESBMC substantially faster, MO * even SelectionSort with identical (n=35) solvers.8 probably better (n=14) encoding MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO

25 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * Z3 not uniformly SelectionSort (n=35) (n=14) 74.4 MO better than MO CVC3 BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO

26 Comparison to SAT-CBMC [D. Kroening] SAT-based BMC for full ANSI-C not recent SMT-based version mature tool (V 2.9) front-end and overall structure shared with ESBMC Goal: compare efficiency of SAT vs. SMT on identical verification problems

27 Comparison to SAT-CBMC [D. Kroening] encoding time SAT-CBMC SMT / SAT solver time ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO error detected in module GOOD THING error occurred in tool BAD THING ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

28 Comparison to SAT-CBMC [D. Kroening] encoding time SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO MO error detected in module GOOD THING SMT / SAT solver time error occurred in tool BAD THING ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 all embedded systems applicatons exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

29 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

30 Comparison to SAT-CBMC [D. Kroening] SMT-encoding often more efficient than bit-blasting and never worse SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

31 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 SMT-solver often significantly faster than SAT-solver jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

32 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 SMT-solver often significantly faster than SAT-solver, but not always SMT good on multiple theories jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres

33 Conclusions SMT-based BMC is more efficient than SAT-based BMC but not uniformly described and evaluated first SMT-based BMC for ANSI-C provided encodings for typical ANSI-C constructs not directly supported by SMT-solvers available at users.ecs.soton.ac.uk/lcc8r/esbmc/ Future work: better handling of floating-point numbers concurrency (based on Pthread library) termination analysis