Having a BLAST with SLAM
|
|
- Coleen King
- 6 years ago
- Views:
Transcription
1 Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver Verifier Airbus applies the Astrée Static Analyzer This Week: Building up to SDV Verify properties or find bugs in software Take an important program (e.g., a device driver) Merge it with a property (e.g., no deads) Transform the result into a boolean program Use a model checker to exhaustively explore the resulting state space Result : program provably satisfies property Result : program violates property right here on line 9,76! Take-Home Message Model Checking There are complete courses in model checking (see ECEN 9, Prof. Somenzi). Model Checking by Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Symbolic Model Checking by Ken McMillan. We will skim. Model checking is the exhaustive exploration of the state space of a system, typically to see if an error state is reachable. It produces concrete counterexamples. The state explosion problem refers to the large number of states in the model. 6
2 Keywords Model checking is an automated technique Model checking verifies transition systems Model checking verifies temporal properties Model checking falsifies by generating counterexamples Verification vs. Falsification What is verification? What is falsification? A model checker is a program that checks if a (transition) system satisfies a (temporal) property 7 8 Verification vs. Falsification An automated verification tool can report that the system is verified (with a proof); or that the system was not verified. When the system was not verified, it would be helpful to explain why. Model checkers can output an error counterexample: a concrete execution scenario that demonstrates the error. Can view a model checker as a falsification tool The main goal is to find bugs So what can we verify or falsify? Software Model Checking via Counterexample Guided Abstraction Refinement There are easily dozens of papers. We will skim. 9 Key Terms Counterexample guided abstraction refinement (CEGAR) A successful software model-checking approach. Sometimes called Iterative Abstraction Refinement. SLAM = The first CEGAR project/tool. Developed at MSR Lazy Abstraction = CEGAR optimization Used in the BLAST tool from Berkeley. What is Counterexample Guided Abstraction Refinement (CEGAR)? Verification by Model Checking? Theorem Proving? Dataflow Analysis or Program Analysis?
3 Verification Verification by Model Checking un : while(new!= old); : un Is this program correct? What does correct mean? How do we determine if a program is correct? un : while(new!= old); : un. (Finite State) Program. State Transition Graph. Reachability - Program Finite state model - State explosion + State exploration + Counterexamples Precise [SPIN,SMV,Bandera,JPF] Verification by Theorem Proving Verification by Theorem Proving un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity Invariant: Æ new = old Ç Æ new old un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity - Loop invariants - Multithreaded programs + Behaviors encoded in logic + Decision procedures Precise [ESC, PCC] 6 Verification by Program Analysis Combining Strengths un : while(new!= old); : un. Dataflow Facts. Constraint System. Solve Constraints - Imprecision: fixed facts + Abstraction + Type/Flow analyses Scalable [Cqual, ESP] 7 Theorem Proving - Need loop invariants (will find automatically) + Behaviors encoded in logic (used to refine abstraction) + Theorem provers (used to compute successors, refine abstraction) SLAM Model Checking Program Analysis - Imprecise (will be precise) + Abstraction (will shrink the state space we must explore) - Finite-state model, state explosion (will find small good model) + State space exploration (used to get a path sensitive analysis) + Counterexamples (used to find relevant facts, refine abstraction) 8
4 Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 9 Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 0 Property : Double Locking First Question? un un So what can we verify or falsify? An attempt to re-acquire an acquired or release a released will cause a dead. Calls to and un must alternate. Property : Drop Root Privilege Property : IRP Handler start NP MPR synch NP MPR CallDriver completion MPR MPR IRP accessible SKIP CallDriver SKIP Skip CallDriver IPC prop CallDriver PPC completion Complete request DC no prop synch completion CallDriver N/A N/A return child status return not Pend [Chen-Wagner-Dean 0] User applications must not run with root privilege When execv is called, must have suid 0 start P Mark Pending CallDriver SKIP SKIP Skip CallDriver IPC synch MPR NP prop CallDriver PPC MPR completion Complete CallDriver completion MPR MPR request DC no prop completion CallDriver N/A return Pending [Fahndrich]
5 Example SLAM Input SLAM in a Nutshell un : while(new!= old); : un un un SLAM(Program p, Spec s) = Program q = incorporate_spec(p,s); PredicateSet abs = { ; while true do BooleanProgram b = abstract(q,abs); match model_check(b) with No_Error print( no bug ); exit(0) Counterexample(c) if is_valid_path(c, p) then print( real bug ); exit() else abs abs new_preds(c) done // slic // cbp // bebop // newton // newton 6 Incorporating Specs Incorporating Specs un : while(new!= old); : un un 0 un ERR Ideas? #7 un : while(new!= old); : un un 0 un ERR if L= goto ERR; else L=; if L=0 goto ERR; else L=0; : while(new!= old); : if L=0 goto ERR; else L=0; Original program violates spec iff ERR: abort(); new program reaches ERR #8 Program As Labeled Transition System The Safety Verification Problem State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 9 Initial Error (e.g., states with PC = Err) Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 0
6 Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] FO formula over program vars Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] F Ç F FO formula over program vars [F] [F] F [F ] [F ] [F ] [F ] F F i.e. F Æ Æ F unsatisfiable i.e. F Æ Æ F unsatisfiable Having a BLAST with SLAM Meeting, CSCI 7, Fall 00 Announcements Please label blog entries with the relevant class date (e.g., 9- ) This will help me keep track of the minimum commenting requirement I read all posts but may not respond to all of them. Soundness and Completeness Review 6
7 Example SLAM Input Program As Labeled Transition System un : while(new!= old); : un un un 7 State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 8 The Safety Verification Problem Error (e.g., states with PC = Err) Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F FO formula over program vars Initial Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 9 [F ] [F ] F Æ F [F ] [F ] F Ç F [F] F [F ] [F ] F F 0 Idea : Predicate Abstraction On to Software Model Checking Predicates on program state: old = new (i.e., =true) States satisfying same predicates are equivalent Merged into one abstract state Why? Num of abstract states is finite Thus model-checking the abstraction will be feasible! 7
8 Abstract States and Transitions Abstraction State Transition State c Transition c pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa old=new Theorem Prover old=new old=new Existential Lifting (i.e., A A iff c A. c A. c c ) A A Theorem Prover old=new Abstraction Analyze Abstraction State Transition pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa Analyze finite graph Over Approximate Safe System Safe No false negatives old=new Theorem Prover old=new Problem Spurious counterexamples false positives 6 Idea : Counterexample-Guided Refinement Idea : Counterexample-Guided Refinement Solution Use spurious counterexamples to refine abstraction! Solution Use spurious counterexamples to refine abstraction!. Add predicates to distinguish states across cut. Build refined abstraction Imprecision due to merge 7 8 8
9 Iterative Abstraction-Refinement Problem: Abstraction is Expensive Why? Solution Use spurious counterexamples to refine abstraction! [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut. Build refined abstraction eliminates counterexample. Repeat search until real counterexample or system proved safe 9 Problem #abstract states = #predicates Exponential Thm. Prover queries Reachable Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 00, #Reach ~ 000 s 0 Solution: Only Abstract Reachable States Solution: Don t Refine Error-Free Regions Safe Error Free Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Build abstraction during search Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions Key Idea for Solutions? 9
10 Key Idea: Key Idea: Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Initial 6 Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 7 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free 6 Key Idea: Build-and-Search Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Learn new predicates 8 - Rebuild subtree with new preds. Find min infeasible suffix un :while(new!= old); :un Error Free SAFE S: Only Abstract Reachable States S: Don t refine error-free regions 7 Predicates: 8 Build-and-Search Build-and-Search un :while(new!= old); :un () old = new q=q->next un :while(new!= old); :un [q!=null] Predicates: 9 Predicates: 60 0
11 Build-and-Search Build-and-Search un :while(new!= old); :un q->data = new un() new++ un :while(new!= old); :un [new==old] Predicates: 6 Predicates: 6 Build-and-Search Analyze Counterexample un :while(new!= old); :un un :while(new!= old); :un () old = new q=q->next [q!=null] q->data = new un() new++ [new==old] un() un() Predicates: 6 Predicates: 6 Analyze Counterexample Repeat Build-and-Search un :while(new!= old); :un old = new new++ un :while(new!= old); :un Predicates: [new==old] Inconsistent new == old 6 66
12 Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old () old = new q=q->next un :while(new!= old); :un, new==old, new==old, new = old q->data = new un() new Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old, new==old un :while(new!= old); :un, new==old, new==old, new = old, new = old [new==old] [new!=old], new == old Repeat Build-and-Search Key Idea: un :while(new!= old); :un, new==old, new==old, new = old, new == old, new==old, new=old SAFE 7. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Learn new predicates 8 - Rebuild subtree with new preds. Error Free SAFE Initial Unroll Abstraction Find min infeasible suffix S: Only Abstract Reachable States S: Don t refine error-free regions 7
13 Two Handwaves Two Handwaves un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old Q. How to find predicates?, new == old Refinement Predicates:, new==old old, new==old 7 un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old, new == old, new==old 7 Weakest Preconditions Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] Assign x=e P[e/x] P new+ = old new = old new=new How to compute successor? How to compute successor? un :while(new!= old); :un, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p true after OP? - If WP(p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP(p, OP) un :while(new!= old); :un, new==old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) 77 78
14 How to compute successor? Advanced SLAM/BLAST un :while(new!= old); :un Predicate: new == old True? False?, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) (, new==old) (new + = old) NO (, new==old) (new + old) YES 79 Too Many Predicates - Use Predicates Locally Counter-Examples - Craig Interpolants Procedures - Summaries Concurrency - Thread-Context Reasoning 80 SLAM Summary Bonus: SLAM/BLAST Weakness ) Instrument Program With Safety Policy ) Predicates = { ) Abstract Program With Predicates Use Weakest Preconditions and Theorem Prover Calls ) Model-Check Resulting Boolean Program Use Symbolic Model Checking ) Error State Not Reachable? Original Program Has No Errors: Done! 6) Check Counterexample Feasibility Use Symbolic Execution 7) Counterexample Is Feasible? Real Bug: Done! 8) Counterexample Is Not Feasible? ) Find New Predicates (Refine Abstraction) ) Goto Line 8 : F() { : int x=0; : : x++; : while (x 88); 6: if (x < 77) 7: 8: Preds = {, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, x+=88 Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0,x+=88,x+=88 Path = 67 Result: the predicates count the loop iterations 8
Having a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationScalable Program Verification by Lazy Abstraction
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley ars, July, 997 Lost contact due to real-time priority inversion bug ars, December, 999 Crashed due to uninitialized variable
More informationSoftware Model Checking with Abstraction Refinement
Software Model Checking with Abstraction Refinement Computer Science and Artificial Intelligence Laboratory MIT Armando Solar-Lezama With slides from Thomas Henzinger, Ranjit Jhala and Rupak Majumdar.
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationTopic: Software Model Checking via Counter-Example Guided Abstraction Refinement. Having a BLAST with SLAM. Combining Strengths. SLAM Overview SLAM
Hving BLAST with SLAM Topic: Softwre Model Checking vi Counter-Exmple Guided Abstrction Refinement There re esily two dozen SLAM/BLAST/MAGIC ppers; I will skim. # # Theorem Proving Combining Strengths
More informationDouble Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST
Model Checking #1 Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationPredicate Abstraction Daniel Kroening 1
Predicate Abstraction 20.1.2005 Daniel Kroening 1 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationVerifying Multithreaded Software with Impact
Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers,
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationOutline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions
Outline Introduction SDV Motivation Model vs Real Implementation SIC SDVRP SAM-2 Comparisons Conclusions SDV Research Platform Academic release of SDV (Static Driver Verifier), based on the code that ships
More informationPredicate Refinement Heuristics in Program Verification with CEGAR
Predicate Refinement Heuristics in Program Verification with CEGAR Tachio Terauchi (JAIST) Part of this is joint work with Hiroshi Unno (U. Tsukuba) 1 Predicate Abstraction with CEGAR Iteratively generate
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationUfo: A Framework for Abstraction- and Interpolation-Based Software Verification
Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,
More informationProofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur
1 Proofs from Tests Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur Abstract We present an algorithm DASH to check if a program P satisfies a safety
More informationUsing Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction
Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction Thanyapat Sakunkonchak, Satoshi Komatsu, and Masahiro Fujita VLSI Design and Education Center, The University
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationThe software model checker BLAST
Int J Softw Tools Technol Transfer (2007) 9:505 525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE 04/ 05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A.
More informationSliced Path Prefixes: An Effective Method to Enable Refinement Selection
FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems We want Refinement Selection!!! Because straight-forward
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationModel Checking with Abstract State Matching
Model Checking with Abstract State Matching Corina Păsăreanu QSS, NASA Ames Research Center Joint work with Saswat Anand (Georgia Institute of Technology) Radek Pelánek (Masaryk University) Willem Visser
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationTRACER: A Symbolic Execution Tool for Verification
TRACER: A Symbolic Execution Tool for Verification Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa 3 National University of Singapore The University of Melbourne 3 University
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember that you can t just define a meaning function in terms of itself you must use some fixed point machinery. #2 #3 Observations
More informationFormal Systems Tutorial Hybrid System Modeling, Program Analysis
Formal Systems Tutorial Hybrid System Modeling, Program Analysis Department of Computer Science & Engineering, Indian Institute of Technology, Kharagpur 1. There are three taps in the system, namely Tap-1
More informationLecture 2: Symbolic Model Checking With SAT
Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationSoftware Model Checking with SLAM
Software Model Checking with SLAM Thomas Ball Software Reliability Research MSR Redmond Sriram K. Rajamani Reliable Software Engineering MSR Bangalore http://research.microsoft.com/slam/ People behind
More informationA Survey of Automated Techniques for Formal Software Verification
TRANSACTIONS ON CAD 1 A Survey of Automated Techniques for Formal Software Verification Vijay D Silva Daniel Kroening Georg Weissenbacher Abstract The quality and the correctness of software is often the
More informationProofs from Tests. Sriram K. Rajamani. Nels E. Beckman. Aditya V. Nori. Robert J. Simmons.
Proofs from Tests Nels E. Beckman Carnegie Mellon University nbeckman@cs.cmu.edu Aditya V. Nori Microsoft Research India adityan@microsoft.com Robert J. Simmons Carnegie Mellon University rjsimmon@cs.cmu.edu
More informationConfigurable Software Model Checking
Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification
More informationPredicate Abstraction of ANSI C Programs using SAT Λ
Predicate Abstraction of ANSI C Programs using SAT Λ Edmund Clarke and Daniel Kroening and Natalia Sharygina and Karen Yorav School of Computer Science Carnegie Mellon University, Pittsburgh, PA, USA Software
More informationScalable Program Analysis Using Boolean Satisfiability: The Saturn Project
Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project Alex Aiken Stanford University Saturn 1 The Idea Verify properties of large systems! Doesn t {SLAM, BLAST, CQual, ESP} already
More informationSciduction: Combining Induction, Deduction and Structure for Verification and Synthesis
Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis (abridged version of DAC slides) Sanjit A. Seshia Associate Professor EECS Department UC Berkeley Design Automation
More informationFinite State Verification. CSCE Lecture 14-02/25/2016
Finite State Verification CSCE 747 - Lecture 14-02/25/2016 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationLecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University
Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University 1 Cost of Software Errors June 2002 Software bugs, or errors, are so prevalent and so detrimental that they
More informationSchool of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne
Principles of Dependable Systems Building Reliable Software School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne Winter 2006-2007 Outline Class Projects: mtgs next week
More informationFormal Verification by Model Checking
Formal Verication by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artacts Spring 2006 1 CTL Model Checking
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationAutomatically Validating Temporal Safety Properties of Interfaces
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools Microsoft Research http://www.research.microsoft.com/slam/ Abstract. We
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationUsing Build-Integrated Static Checking to Preserve Correctness Invariants
Using Build-Integrated Static Checking to Preserve Correctness Invariants Hao Chen University of California, Davis Jonathan Shapiro Johns Hopkins University Motivation A key problem in creating secure
More informationUnbounded Symbolic Execution for Program Verification
Unbounded Symbolic Execution for Program Verification JOXAN JAFFAR 1, JORGE A. NAVAS 1, AND ANDREW E. SANTOSA 2 1 National University of Singapore 2 University of Sydney, Australia {joxan,navas}@comp.nus.edu.sg,
More informationSubsumer-First: Steering Symbolic Reachability Analysis
Subsumer-First: Steering Symbolic Reachability Analysis Andrey Rybalchenko 1 and Rishabh Singh 2 1 Max Planck Institute for Software Systems (MPI-SWS) 2 Massachusetts Institue of Technology (MIT) Abstract.
More informationProgram Analysis and Constraint Programming
Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationFinite State Verification. CSCE Lecture 21-03/28/2017
Finite State Verification CSCE 747 - Lecture 21-03/28/2017 So, You Want to Perform Verification... You have a property that you want your program to obey. Great! Let s write some tests! Does testing guarantee
More informationModel Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
More informationBinary Decision Diagrams and Symbolic Model Checking
Binary Decision Diagrams and Symbolic Model Checking Randy Bryant Ed Clarke Ken McMillan Allen Emerson CMU CMU Cadence U Texas http://www.cs.cmu.edu/~bryant Binary Decision Diagrams Restricted Form of
More informationProc. ISoLA 2018, c Springer
Proc. ISoLA 2018, c Springer In-Place vs. Copy-on-Write. CEGAR Refinement for Block Summarization with Caching Dirk Beyer and Karlheinz Friedberger LMU Munich, Germany Abstract. Block summarization is
More informationModel Checking: Back and Forth Between Hardware and Software
Model Checking: Back and Forth Between Hardware and Software Edmund Clarke 1, Anubhav Gupta 1, Himanshu Jain 1, and Helmut Veith 2 1 School of Computer Science, Carnegie Mellon University {emc, anubhav,
More informationInterpolation-based Software Verification with Wolverine
Interpolation-based Software Verification with Wolverine Daniel Kroening 1 and Georg Weissenbacher 2 1 Computer Science Department, Oxford University 2 Department of Electrical Engineering, Princeton University
More informationSystem Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine
System Debugging and Verification : A New Challenge Daniel Gajski Samar Abdi Center for Embedded Computer Systems http://www.cecs.uci.edu University of California, Irvine Overview Simulation and debugging
More informationProgram verification. Generalities about software Verification Model Checking. September 20, 2016
Program verification Generalities about software Verification Model Checking Laure Gonnord David Monniaux September 20, 2016 1 / 43 The teaching staff Laure Gonnord, associate professor, LIP laboratory,
More informationFormal Verification of Synchronization Issues in SpecC Description with Automatic Abstraction
Formal Verification of Synchronization Issues in SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak and Masahiro Fujita Department of Electronic Engineering, University of Tokyo 7-3-1
More informationTree Interpolation in Vampire
Tree Interpolation in Vampire Régis Blanc 1, Ashutosh Gupta 2, Laura Kovács 3, and Bernhard Kragl 4 1 EPFL 2 IST Austria 3 Chalmers 4 TU Vienna Abstract. We describe new extensions of the Vampire theorem
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationModel Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12
Model Checking mc Revision:.2 Model Checking for Infinite Systems mc 2 Revision:.2 check algorithmically temporal / sequential properties fixpoint algorithms with symbolic representations: systems are
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationVerifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China
Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion
More informationSymbolic Evaluation/Execution
Symbolic Evaluation/Execution Reading Assignment *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationPart II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?
Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare
More informationVerifiable Hierarchical Protocols with Network Invariants on Parametric Systems
Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems Opeoluwa Matthews, Jesse Bingham, Daniel Sorin http://people.duke.edu/~om26/ FMCAD 2016 - Mountain View, CA Problem Statement
More informationFORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 58D, SPRING 20 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA THE
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationAbstraction Refinement for Quantified Array Assertions
Abstraction Refinement for Quantified Array Assertions Mohamed Nassim Seghir 1,, Andreas Podelski 1, and Thomas Wies 1,2 1 University of Freiburg, Germany 2 EPFL, Switzerland Abstract. We present an abstraction
More informationAbstraction Learning
Abstraction Learning Joxan Jaffar National University of Singapore joxan@comp.nus.edu.sg Jorge Navas National University of Singapore navas@comp.nus.edu.sg Andrew E. Santosa National University of Singapore
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationFormal Verification at Higher Levels of Abstraction
Formal Verification at Higher Levels of Abstraction Daniel Kroening Oxford University Computing Laboratory kroening@kroening.com Sanjit A. Seshia UC Berkeley sseshia@eecs.berkeley.edu Abstract Most formal
More informationSYNERGY : A New Algorithm for Property Checking
SYNERGY : A New Algorithm for Property Checking Bhargav S. Gulavani Thomas A. Henzinger Yamini Kannan Aditya V. Nori Sriram K. Rajamani bhargav@cse.iitb.ernet.in tah@epfl.ch yaminik@microsoft.com adityan@microsoft.com
More informationPredicate Abstraction with Adjustable-Block Encoding
Predicate Abstraction with Adjustable-Block Encoding Dirk Beyer Simon Fraser University / University of Passau M. Erkan Keremoglu Simon Fraser University, B.C., Canada Philipp Wendler University of Passau,
More informationAlgorithms for Software Model Checking: Predicate Abstraction vs. IMPACT
Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT Dirk Beyer University of Passau, Germany Philipp Wendler University of Passau, Germany Abstract CEGAR, SMT solving, and Craig interpolation
More informationCompiler Construction 2016/2017 Loop Optimizations
Compiler Construction 2016/2017 Loop Optimizations Peter Thiemann January 16, 2017 Outline 1 Loops 2 Dominators 3 Loop-Invariant Computations 4 Induction Variables 5 Array-Bounds Checks 6 Loop Unrolling
More informationPermissive Interfaces
Permissive Interfaces Thomas A. Henzinger Ranjit Jhala Rupak Majumdar EPFL, Switzerland UC Berkeley UC Los Angeles Abstract A modular program analysis considers components independently and provides succinct
More informationChecking Memory Safety with Blast
Checking Memory Safety with Blast Dirk Beyer 1 Thomas A. Henzinger 12 Ranjit Jhala 3 Rupak Majumdar 4 1 EPFL, Switzerland 2 University of California, Berkeley 3 University of California, San Diego 4 University
More informationModel Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationLecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213
Lecture: Symbolic Model Checking with BDDs Edmund M Clarke, Jr Computer Science Department Carnegie Mellon University Pittsburgh, PA 523 Temporal Logic Model Checking Specification Language: A propositional
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationReading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis
Reading Assignment Symbolic Evaluation/Execution *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationAreas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1
Areas related to SW verif. Trends in Software Validation Abhik Roychoudhury CS 6214 Formal Methods Model based techniques Proof construction techniques Program Analysis Static Analysis Abstract Interpretation
More informationPredicate Abstraction and Refinement Techniques for Verifying Verilog
Predicate Abstraction and Refinement Techniques for Verifying Verilog Edmund Clarke Himanshu Jain Daniel Kroening June 25, 2004 CMU-CS-04-139 School of Computer Science Carnegie Mellon University Pittsburgh,
More information