SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva
|
|
- Juliana York
- 5 years ago
- Views:
Transcription
1 SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva
2 Bounded Model Checking (BMC) Basic Idea: check negation of given property up to given depth transition system ϕ ϕ 1 ϕ 2 ϕ k-1 ϕ k... M M 1 M 2 M k-1 M k counterexample trace property bound transition system M unrolled k times for programs: unroll loops, unfold arrays, translated into verification condition ψ such that ψ satisfiable iff ϕ has counterexample of max. depth k has been applied successfully to verify (embedded) software
3 SAT-based CBMC [D. Kroening] implements BMC for ANSI-C/C++ programs using SAT-solvers: C/C++ source scan and parse parse tree typecheck and convert to SSA IRep tree properties BMC unroll program k times verification conditions check satisfiability using a SAT solver SAT solver
4 SAT-based CBMC [D. Kroening] implements BMC for ANSI-C/C++ programs using SAT-solvers: C/C++ source scan and parse parse tree typecheck and convert to SSA IRep tree properties Problems (due to bit-blasting): BMC unroll program k times verification conditions SAT solver complex expressions lead to large propositional formulae high-level information is lost check satisfiability using a SAT solver conversion to propositional form Encoding of x == a + b represent x, a, b by n independent propositional variables each represent addition by logical circuit represent equality by equivalences on propositional variables
5 Objective of this work Exploit SMT to improve BMC of embedded software exploit background theories of SMT solvers provide suitable encodings for pointers bit operations unions arithmetic over- and underflow build an SMT-based BMC tool for full ANSI-C build on top of CBMC front-end use several third-party SMT solvers as back-ends evaluate ESBMC over embedded software applications
6 Satisfiability Modulo Theories (1) SMT decides the satisfiability of first-order logic formulae using the combination of different background theories ( building-in operators). Theory Example Equality x 1 =x 2 (x 1 =x 3 ) (x 1 =x 3 ) Bit-vectors (b >> i) & 1 = 1 Linear arithmetic (4y 1 + 3y 2 4) (y 2 3y 3 3) Arrays (j = k a[k]=2) a[j]=2 Combined theories (j k a[j]=2) a[i] < 3
7 Satisfiability Modulo Theories (2) Given a decidable -theory T a quantifier-free formula ϕ ϕ is T-satisfiable iff T {ϕ} is satisfiable, i.e., there exists a structure that satisfies both formula and sentences of T Given a set Γ {ϕ} of first-order formulae over T ϕ is a T-consequence of Γ (Γ T ϕ) iff every model of T Γ is also a model of ϕ Checking Γ T ϕ can be reduced in the usual way to checking the T-satisfiability of Γ { ϕ}
8 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); }
9 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial front-end converts unrolled and optimized program into SSA int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); } g 1 = x 1 == a 1 = a WITH [i :=] a 2 = a a 3 = a 2 WITH [2+i :=1] a 4 = g 1? a 1 : a 3 t 1 = a 4 [1+i ] == 1
10 Software BMC using ESBMC program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unrolled up to given bounds number of loop iterations size of arrays unrolled program optimized to reduce blow-up constant folding forward substitutions crucial front-end converts unrolled and optimized program into SSA extraction of constraints C and properties P specific to selected SMT solver, uses theories satisfiability check of C P int main() { int a[2], i, x; if (x==) a[i]=; else a[i+2]=1; assert(a[i+1]==1); } ( x1 = ) = store( a, i,) g1 : = a1 : C : = a2 : = a a3 : = store 2 a4 : = ite( g1, a1, a3) ( a,2 + i,1) i i < i 2 + i < 2 P : = 1+ i 1+ < 2 i select( a4, i + 1) = 1
11 Encoding of Numeric Types SMT solvers typically provide different encodings for numbers: abstract domains (Z, R) fixed-width bit vectors (unsigned int, ) > internalized bit-blasting verification results can depend on encodings (a > ) (b > ) (a + b > ) valid in abstract domains such as Z or R majority of VCs solved faster if numeric types are modelled by abstract domains but possible loss of precision ESBMC supports both encodings doesn t hold for bitvectors, due to possible overflows
12 Encoding Numeric Types as Bitvectors Bitvector encodings need to handle type casts and implicit conversions arithmetic conversions implemented using word-level functions (part of the bitvector theory: extractbits, ) > different conversions for every pair of types > uses type information provided by front-end conversion to / from bool via if-then-else operator arithmetic over- / underflow standard requires modulo-arithmetic for unsigned integers define error literals to detect over- / underflow for other types res_ok overflow(x, y) underflow(x, y) > similar to conversions floating-point numbers approximated by fixed-point numbers, integral part only represented by fixed-width bitvector
13 Encoding of Structured Datatypes arrays and records / tuples typically handled directly by SMT-solver pointers modelled as tuples p.o representation of underlying object p.i index (if pointer used as array base) Store object at position int main() { int a[2], i, x, *p; p=a; if (x==) a[i]=; else a[i+1]=1; assert(*(p+2)==1); } C:= p 1 := store(p,, &a[]) p 2 := store(p 1, 1, ) g 2 := (x 2 == ) a 1 := store(a, i, ) a 2 := a a 3 := store(a 2, 1+ i, 1) Update index Store index at position 1 a 4 := ite(g 1, a 1, a 3 ) p 3 := store(p 2, 1, select(p 2, 1)+2)
14 Encoding of Structured Datatypes arrays and records / tuples typically handled directly by SMT-solver pointers modelled as tuples p.o representation of underlying object p.i index (if pointer used as array base) int main() { int a[2], i, x, *p; p=a; if (x==) a[i]=; else a[i+1]=1; assert(*(p+2)==1); } P:= i i < 2 1+ i 1+ i < 2 select(p 3, ) == &a[] select(select(p 3, ), negation satisfiable (a[2] unconstrained) assert fails select(p 3, 1)) == 1
15 Evaluation
16 Comparison of SMT solvers Goal: compare efficiency of different SMT-solvers CVC3 (1.5) Boolector (1.) Z3 (2.) Set-up: identical ESBMC front-end, individual back-ends operations not supported by SMT-solvers are axiomatized standard desktop PC, time-out 36 seconds
17 Comparison of SMT solvers Module #L #P BubbleSort lines of code (n=35) (n=14) SelectionSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error 28.3 number of 1.9 properties MO checked MO InsertionSort (n=35) (n=14) MO 1 TO Prim size of arrays StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode
18 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error 28.3 MO SelectionSort (n=35) (n=14) MO All SMT-solvers can InsertionSort (n=35) handle (n=14) 86 17the VCs MO from 1the TO embedded applications Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode
19 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) SelectionSort (n=35) (n=14) CVC3 Boolector Z3 Time Error Time Error Time Error CVC3 doesn t scale MO that well and runs out of memory MO InsertionSort (n=35) (n=14) MO 1 TO Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode
20 Comparison of SMT solvers Module #L #P BubbleSort (n=35) (n=14) Boolector 43 17and Z3 MOroughly 1 comparable, with some SelectionSort (n=35) advantages (n=14) for MO Z3 1 CVC3 Boolector Z3 Time Error Time Error Time Error InsertionSort (n=35) (n=14) MO 1 TO Prim StrCmp MinMax 19 9 MO lms Bitwise adpcm_encode adpcm_decode
21 Comparison of SMT solvers Goal: compare efficiency of different SMT-solvers CVC3 (1.5) Boolector (1.) Z3 (2.) Set-up: identical ESBMC front-end, individual back-ends unsupported operations axiomatized standard desktop PC, time-out 36 seconds SMT-solver of choice: Z3 best coverage of domain overall fastest
22 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * SelectionSort (n=35) (n=14) MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO
23 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module All benchmarks taken from SMT-CBMC suite ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * SelectionSort (n=35) (n=14) MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO
24 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) ESBMC substantially faster, MO * even SelectionSort with identical (n=35) solvers.8 probably better (n=14) encoding MO 66.5 MO BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO
25 Comparison to SMT-CBMC [A. Armando et al.] SMT-based BMC for C, built on top of CVC3 (hard-coded) limited coverage of language Goal: compare efficiency of encodings Module ESBMC SMT-CBMC Z3 CVC3 CVC3 BubbleSort (n=35) (n=14) MO * Z3 not uniformly SelectionSort (n=35) (n=14) 74.4 MO better than MO CVC3 BellmanFord Prim StrCmp TO SumArray MinMax 6.2 MO MO
26 Comparison to SAT-CBMC [D. Kroening] SAT-based BMC for full ANSI-C not recent SMT-based version mature tool (V 2.9) front-end and overall structure shared with ESBMC Goal: compare efficiency of SAT vs. SMT on identical verification problems
27 Comparison to SAT-CBMC [D. Kroening] encoding time SAT-CBMC SMT / SAT solver time ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO error detected in module GOOD THING error occurred in tool BAD THING ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
28 Comparison to SAT-CBMC [D. Kroening] encoding time SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO MO error detected in module GOOD THING SMT / SAT solver time error occurred in tool BAD THING ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 all embedded systems applicatons exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
29 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
30 Comparison to SAT-CBMC [D. Kroening] SMT-encoding often more efficient than bit-blasting and never worse SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
31 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 SMT-solver often significantly faster than SAT-solver jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
32 Comparison to SAT-CBMC [D. Kroening] SAT-CBMC ESBMC Time #P Time #P Module #L #P Enc. Solver Fail Error Enc. Solver Fail Error fft <.1.4 <.1 fft1k MO <.1 SMT-solver often significantly faster than SAT-solver, but not always SMT good on multiple theories jfdctint < lms MO ludcmp TO 1 < qurt TO pocsag adpcm laplace TO exstbkey < <.1 exstbhdmi exstbled exstbhwacc <.1.7 <.1 exstbres
33 Conclusions SMT-based BMC is more efficient than SAT-based BMC but not uniformly described and evaluated first SMT-based BMC for ANSI-C provided encodings for typical ANSI-C constructs not directly supported by SMT-solvers available at users.ecs.soton.ac.uk/lcc8r/esbmc/ Future work: better handling of floating-point numbers concurrency (based on Pthread library) termination analysis
arxiv: v2 [cs.se] 13 Jul 2009
SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro University of Southampton lcc08r@ecs.soton.ac.uk Bernd Fischer University of Southampton b.fischer@ecs.soton.ac.uk Joao Marques-Silva
More informationSMT-Based Bounded Model Checking for Embedded ANSI-C Software
1 SMT-Based Bounded Model Checking for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, and Joao Marques-Silva Abstract Propositional bounded model checking has been applied successfully to verify
More informationECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer
EBS 2013 SMT-Bounded Model hecking of Programs Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas ordeiro, Bernd Fischer Bounded Model hecking (BM) Idea: check negation of given property
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationUNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira
More informationApplying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems
V Brazilian Symposium on Computing Systems Engineering Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems Alessandro Trindade, Hussama Ismail, and Lucas Cordeiro Foz
More informationESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer
ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC: SMT-based BMC of single- and multi-threaded software exploits SMT solvers and their
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More information: A Bounded Model Checking Tool to Verify Qt Applications
23 rd International SPIN symposium on Model Checking of Software : A Bounded Model Checking Tool to Verify Qt Applications Mário A. P. Garcia, Felipe R. Monteiro, Lucas C. Cordeiro, and Eddie B. de Lima
More informationModel Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationFormal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints
Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk Agenda
More informationSMT-Based Bounded Model Checking of C++ Programs
SMT-Based Bounded Model Checking of C++ Programs Mikhail Ramalho 1, Mauro Freitas 1, Felipe Sousa 1, Hendrio Marques 1, Lucas Cordeiro 1, and Bernd Fischer 2,3 1 Electronic and Information Research Center,
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationMinimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.
Minimum Satisfying Assignments for SMT Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U. 1 / 20 Satisfiability Modulo Theories (SMT) Today, SMT solvers
More informationIntroduction to CBMC: Part 1
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening Bug Catching with SAT Solvers Main
More informationDecision Procedures in the Theory of Bit-Vectors
Decision Procedures in the Theory of Bit-Vectors Sukanya Basu Guided by: Prof. Supratik Chakraborty Department of Computer Science and Engineering, Indian Institute of Technology, Bombay May 1, 2010 Sukanya
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationMEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto,
More informationBITCOIN MINING IN A SAT FRAMEWORK
BITCOIN MINING IN A SAT FRAMEWORK Jonathan Heusser @jonathanheusser DISCLAIMER JUST TO BE CLEAR.. This is research! Not saying ASICs suck I am not a cryptographer, nor SAT solver guy WTF REALISED PHD RESEARCH
More informationVerifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China
Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion
More informationA Bounded Model Checker for SPARK Programs
A Bounded Model Checker for SPARK Programs Cláudio Belo Lourenço, Maria João Frade, and Jorge Sousa Pinto HASLab/INESC TEC & Universidade do Minho, Portugal Abstract. This paper discusses the design and
More informationSystem LAV and Its Applications
Progress in Decision Procedures: From Formalizations to Applications Belgrade, March 30, 2013. Overview, Viktor Kuncak Development and Evaluation of : an SMT-Based Error Finding Platform. Verified Software:
More informationExploiting Safety Properties in Bounded Model Checking for Test Cases Generation of C Programs
Exploiting Safety Properties in Bounded Model Checking for Test Cases Generation of C Programs Herbert Rocha, Lucas Cordeiro, Raimundo Barreto and José Netto 1 Universidade Federal do Amazonas Av. Rodrigo
More informationCSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 Practical Applications of SAT courses.cs.washington.edu/courses/cse507/18sp/ Emina Torlak emina@cs.washington.edu Today Past 2 lectures The theory and mechanics
More informationAn Introduction to Satisfiability Modulo Theories
An Introduction to Satisfiability Modulo Theories Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se February 13, 2019 1/28 Outline From theory... From DPLL to DPLL(T) Slides courtesy of Alberto
More informationAbstraction techniques for Floating-Point Arithmetic
Abstraction techniques for Floating-Point Arithmetic Angelo Brillout 1, Daniel Kroening 2 and Thomas Wahl 2 1 ETH Zurich, 2 Oxford University ETH Zürich Floating-Point Arithmetic (FPA) Used for embedded
More informationOptCE: A Counterexample-Guided Inductive Optimization Solver
Federal University of Amazonas (UFAM) Postgraduate Program in Electrical Engineering (PPGEE) OptCE: A Counterexample-Guided Inductive Optimization Solver Higo Albuquerque, Rodrigo Araújo, Iury Bessa, Lucas
More informationEncoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks
Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks 1 Mikhail Y. R. Gadelha 1, Lucas C. Cordeiro 2, and Denis A. Nicole 1 1 Electronics and
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationEncoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks
Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks 1 Mikhail Y. R. Gadelha 1, Lucas C. Cordeiro 2, and Denis A. Nicole 1 1 Electronics and
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationarxiv: v1 [cs.ai] 11 Apr 2017
Counterexample Guided Inductive Optimization Rodrigo F. Araújo a, Higo F. Albuquerque b, Iury V. de Bessa b, Lucas C. Cordeiro c, João Edgar C. Filho b arxiv:1704.03738v1 [cs.ai] 11 Apr 2017 a Federal
More informationLecture Notes on Real-world SMT
15-414: Bug Catching: Automated Program Verification Lecture Notes on Real-world SMT Matt Fredrikson Ruben Martins Carnegie Mellon University Lecture 15 1 Introduction In the previous lecture we studied
More informationIntegration of SMT Solvers with ITPs There and Back Again
Integration of SMT Solvers with ITPs There and Back Again Sascha Böhme and University of Sheffield 7 May 2010 1 2 Features: SMT-LIB vs. Yices Translation Techniques Caveats 3 4 Motivation Motivation System
More informationSatisfiability Modulo Theories: ABsolver
Satisfiability Modulo Theories: ABsolver Michael Tautschnig Joint work with: Andreas Bauer Martin Leucker Christian Schallhart Michael Tautschnig 1 Outline 1. Introduction Michael Tautschnig 2 Outline
More informationComplete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar
Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge Leonardo de Moura ACSys Seminar 2008.12 Motivation SMT solvers have been successful Quantified smt formulas are
More informationHySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12
CP2007: Presentation of recent CP solvers HySAT what you can use it for how it works example from application domain final remarks Christian Herde 25.09.2007 /2 What you can use it for Satisfiability checker
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationSMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009
1 / 13 SMT-LIB for HOL Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory ITP Workshop MSR Cambridge 25 August 2009 2 / 13 The SMT-LIB Standard SMT Satisfiability
More informationInterpolation-based Software Verification with Wolverine
Interpolation-based Software Verification with Wolverine Daniel Kroening 1 and Georg Weissenbacher 2 1 Computer Science Department, Oxford University 2 Department of Electrical Engineering, Princeton University
More informationApplications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo
Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys (http://spinroot.com/spin/doc/ SpinTutorial.pdf) CBMC & Daniel
More informationDecision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion
Decision Procedures An Algorithmic Point of View Bit-Vectors D. Kroening O. Strichman ETH/Technion Version 1.0, 2007 Part VI Bit-Vectors Outline 1 Introduction to Bit-Vector Logic 2 Syntax 3 Semantics
More informationDSVerifier: A Bounded Model Checking Tool for Digital Systems
DSVerifier: A Bounded Model Checking Tool for Digital Systems Hussama I. Ismail, Iury V. Bessa, Lucas C. Cordeiro, Eddie B. de Lima Filho and João E. Chaves Filho Electronic and Information Research Center
More informationCOMP2611: Computer Organization. Data Representation
COMP2611: Computer Organization Comp2611 Fall 2015 2 1. Binary numbers and 2 s Complement Numbers 3 Bits: are the basis for binary number representation in digital computers What you will learn here: How
More informationGNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK
1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK Tool architecture User view Source gnatprove Verdict 2 Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3
More informationModel Checking Software Programs with. First Order Logic Specifications using AIG Solvers
Model Checking Software Programs with 1 First Order Logic Specifications using AIG Solvers Fadi A. Zaraket, Mohamad Noureddine arxiv:1409.6825v1 [cs.se] 24 Sep 2014 Abstract Static verification techniques
More informationThe Low-Level Bounded Model Checker LLBMC
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of
More informationBounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)
Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract) Felipe R. Monteiro Mário A. P. Garcia Lucas C. Cordeiro Eddie B. de Lima Filho 33 rd IEEE/ACM International
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationJBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik
: A Bounded Model Checking Tool for Verifying Java Bytecode Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik Computer Aided Verification 2018 Why? Java and JVM languages: Most
More informationBounded Model Checking with Parametric Data Structures
Bounded Model Checking with Marc Herbstritt (joint work with Erika Ábrahám, Bernd Becker, Martin Steffen) www.avacs.org August 15 2006 4th International Workshop on Bounded Model Checking Context Automated
More informationURBiVA: Uniform Reduction to Bit-Vector Arithmetic
URBiVA: Uniform Reduction to Bit-Vector Arithmetic Filip Marić and Predrag Janičić Faculty of Mathematics, Studentski trg 16, 11000 Belgrade, Serbia filip@matf.bg.ac.rs janicic@matf.bg.ac.rs Abstract.
More informationImproving Coq Propositional Reasoning Using a Lazy CNF Conversion
Using a Lazy CNF Conversion Stéphane Lescuyer Sylvain Conchon Université Paris-Sud / CNRS / INRIA Saclay Île-de-France FroCoS 09 Trento 18/09/2009 Outline 1 Motivation and background Verifying an SMT solver
More informationKing s Research Portal
King s Research Portal DOI: 10.1007/978-3-662-54580-5_12 Link to publication record in King's Research Portal Citation for published version (APA): Alt, L., Asadi, S., Chockler, H., Even Mendoza, K., Fedyukovich,
More informationIncremental Proof Development in Dafny
15-414 Lecture 17 1 Instructor: Matt Fredrikson Incremental Proof Development in Dafny TA: Ryan Wagner In this discussion, we ll see in more detail how to go about proving the total correctness of imperative
More informationConstraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER
Constraint-Based For Bounded Program Verification Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Hélène COLLAVIZZA, Nguyen Le VINH and Pascal Van HENTENRYCK) January
More informationThe SMT-LIB 2 Standard: Overview and Proposed New Theories
1 / 23 The SMT-LIB 2 Standard: Overview and Proposed New Theories Philipp Rümmer Oxford University Computing Laboratory philr@comlab.ox.ac.uk Third Workshop on Formal and Automated Theorem Proving and
More informationPySMT: a Solver-Agnostic Library for Fast Prototyping of SMT-Based Algorithms
1/14 PySMT: a Solver-Agnostic Library for Fast Prototyping of SMT-Based Algorithms Marco Gario and Andrea Micheli gario@fbk.eu Fondazione Bruno Kessler (FBK) University of Trento 2015-05-04 Interaction
More informationLecture 2: Symbolic Model Checking With SAT
Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.
More informationMotivation. CS389L: Automated Logical Reasoning. Lecture 17: SMT Solvers and the DPPL(T ) Framework. SMT solvers. The Basic Idea.
Motivation Lecture 17: SMT rs and the DPPL(T ) Framework şıl Dillig n previous lectures, we looked at decision procedures for conjunctive formulas in various first-order theories This lecture: How to handle
More informationCounterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017
Cnterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017 Rodrigo Araújo, Alexandre Ribeiro, Iury Bessa, Lucas Cordeiro, and João Edgar Chaves Filho Federal University
More informationVerifying Multithreaded Software with Impact
Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers,
More informationQuantifying Information Leaks in Software
Quantifying Information Leaks in Software Jonathan Heusser, Pasquale Malacaria Queen Mary University of London 11. 10. 2016 Introduction High complexity associated with quantifying precise leakage quantities
More informationApplication of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3
More informationPLDI 2016 Tutorial Automata-Based String Analysis
PLDI 2016 Tutorial Automata-Based String Analysis Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory http://vlab.cs.ucsb.edu Department of Computer Science Common Usages of Strings } Input
More informationOn Computing Minimum Size Prime Implicants
On Computing Minimum Size Prime Implicants João P. Marques Silva Cadence European Laboratories / IST-INESC Lisbon, Portugal jpms@inesc.pt Abstract In this paper we describe a new model and algorithm for
More informationYices 1.0: An Efficient SMT Solver
Yices 1.0: An Efficient SMT Solver AFM 06 Tutorial Leonardo de Moura (joint work with Bruno Dutertre) {demoura, bruno}@csl.sri.com. Computer Science Laboratory SRI International Menlo Park, CA Yices: An
More informationAutomated Test Generation using CBMC
Automated Test Generation using CBMC Rui Gonçalo CROSS Project Computer Science Department University of Minho December 2012 Automated Test Generation using CBMC Summary 2/61 Summary 1 Software Testing
More informationApplying Multi-Core Model Checking to Hardware- Software Partitioning in Embedded Systems (extended version)
Applying Multi-Core Model Checking to Hardware- Software Partitioning in Embedded Systems (extended version) Alessandro Trindade, Hussama Ismail, and Lucas Cordeiro Federal University of Amazonas - Manaus,
More informationSAT Solvers. Ranjit Jhala, UC San Diego. April 9, 2013
SAT Solvers Ranjit Jhala, UC San Diego April 9, 2013 Decision Procedures We will look very closely at the following 1. Propositional Logic 2. Theory of Equality 3. Theory of Uninterpreted Functions 4.
More informationSymbolic Execu.on. Suman Jana
Symbolic Execu.on Suman Jana Acknowledgement: Baishakhi Ray (Uva), Omar Chowdhury (Purdue), Saswat Anand (GA Tech), Rupak Majumdar (UCLA), Koushik Sen (UCB) What is the goal? Tes.ng Tes%ng approaches are
More informationA Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software
A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software Rovedy A. B. e Silva 1,2, Jose M. Parente de Oliveira 2, and Jorge Sousa Pinto 3 1 Aeronautics and Space
More informationSAT-based Model Checking for C programs
SAT-based Model Checking for C programs Moonzoo Kim Provable Software Lab. CS Division of EE 1 Formal Methods Definition in Wikepedia Formal methods are mathematically-based techniques for the specification,
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationEfficiently Solving Bit-Vector Problems Using Model Checkers
Efficiently Solving Bit-Vector Problems Using Model Checkers Institute for Formal Models and Verification Johannes Kepler University, Linz, Austria http://fmv.jku.at SMT 2013 July 8 - July 9, 2013 Helsinki,
More informationLecture 12 Integers. Computer and Network Security 19th of December Computer Science and Engineering Department
Lecture 12 Integers Computer and Network Security 19th of December 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 12, Integers 1/40 Outline Data Types Representation Conversions
More informationDecision Procedures. An Algorithmic Point of View. Decision Procedures for Propositional Logic. D. Kroening O. Strichman.
Decision Procedures An Algorithmic Point of View Decision Procedures for Propositional Logic D. Kroening O. Strichman ETH/Technion Version 1.0, 2007 Part I Decision Procedures for Propositional Logic Outline
More informationModel-Based Diagnosis versus Error Explanation
Model-Based Diagnosis versus Error Explanation Heinz Riener Görschwin Fey Institute of Computer Science Institute of Space Systems University of Bremen, Germany German Aerospace Center, Germany {hriener,fey}@informatik.uni-bremen.de
More informationFormalization of Incremental Simplex Algorithm by Stepwise Refinement
Formalization of Incremental Simplex Algorithm by Stepwise Refinement Mirko Spasić, Filip Marić Faculty of Mathematics, University of Belgrade FM2012, 30. August 2012. Overview 1 Introduction 2 Approach
More informationExploring Abstraction Techniques for Scalable Bit-Precise Verification of Embedded Software
Exploring Abstraction Techniques for Scalable Bit-Precise Verification of Embedded Software Nannan He Dissertation submitted to the Faculty of Virginia Polytechnic Institute and State University in partial
More informationHECTOR: Formal System-Level to RTL Equivalence Checking
ATG SoC HECTOR: Formal System-Level to RTL Equivalence Checking Alfred Koelbl, Sergey Berezin, Reily Jacoby, Jerry Burch, William Nicholls, Carl Pixley Advanced Technology Group Synopsys, Inc. June 2008
More informationSymbolic Execution. Wei Le April
Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving
More informationarxiv: v2 [cs.pl] 3 Apr 2018
1 Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification arxiv:1708.08323v2 [cs.pl] 3 Apr 2018 LIANGZE YIN, School of Computer, National University of Defense Technology,
More informationCOUNTEREXAMPLE-GUIDED MODEL SYNTHESIS
COUNTEREXAMPLE-GUIDED MODEL SYNTHESIS Mathias Preiner, Aina Niemetz and Armin Biere Johannes Kepler University Stanford University SMT Workshop July 22-23, 2017 Heidelberg, Germany Introduction Counterexample-Guided
More informationn HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!
Announcements SMT Solvers, Symbolic Execution n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week! n Presentations n Some of
More informationInf2C - Computer Systems Lecture 2 Data Representation
Inf2C - Computer Systems Lecture 2 Data Representation Boris Grot School of Informatics University of Edinburgh Last lecture Moore s law Types of computer systems Computer components Computer system stack
More informationGenerating Small Countermodels. Andrew Reynolds Intel August 30, 2012
Generating Small Countermodels using SMT Andrew Reynolds Intel August 30, 2012 Acknowledgements Intel Corporation AmitGoel, Sava Krstic University of Iowa Cesare Tinelli, Francois Bobot New York University
More informationEvaluation of SAT like Proof Techniques for Formal Verification of Word Level Circuits
Evaluation of SAT like Proof Techniques for Formal Verification of Word Level Circuits André Sülflow Ulrich Kühne Robert Wille Daniel Große Rolf Drechsler Institute of Computer Science University of Bremen
More informationLEARNING TO INSTANTIATE QUANTIFIERS
LEARNING TO INSTANTIATE QUANTIFIERS Armin Biere 1 joint work with Mathias Preiner 1,2, Aina Niemetz 1,2 TACAS 17, SMT 17, PhD Thesis Mathias Preiner in 2017 1 Johannes Kepler University Linz 2 Stanford
More informationAlive: Provably Correct InstCombine Optimizations
Alive: Provably Correct InstCombine Optimizations David Menendez Santosh Nagarakatte Rutgers University John Regehr University of Utah Nuno Lopes Microsoft Research Can We Trust Compilers? Any large software
More informationIntegers II. CSE 351 Autumn Instructor: Justin Hsia
Integers II CSE 351 Autumn 2017 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan http://xkcd.com/557/
More informationError Explanation with Distance Metrics
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Error Explanation with Distance Metrics Alex Groce 1, Sagar Chaki 1, Daniel Kroening 2, Ofer Strichman 3 1 School
More information