Sliced Path Prefixes: An Effective Method to Enable Refinement Selection
|
|
- Bathsheba Hopkins
- 5 years ago
- Views:
Transcription
1 FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems
2 We want Refinement Selection!!! Because straight-forward interpolation completely and utterly sucks!!!11! Dirk Beyer, Stefan Löwe Philipp Wendler SoSy-Lab Software Systems
3 Software Verification Goal: Build an automatic software verifier C program int main() { int x = 10; int y = 3; int z = x+y; assert(z > 0); } specification software verifier SAFE i.e., assertions cannot be violated UNSAFE i.e., there is a bug in the program 3
4 Software Verification Goal: Build an automatic software verifier C program Linux Device Driver int ldv_mutex_is_locked_usb_bus_list_lock(struct mutex *lock ) { int ldv_mutex_is_locked_usb_bus_list_lock(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1495 #line if (ldv_mutex_usb_bus_list_lock 1495 == 1) { #line if 1498 (ldv_mutex_usb_bus_list_lock == 1) { #line nondetermined 1498 = VERIFIER_nondet_int(); #line nondetermined 1501 = VERIFIER_nondet_int(); #line if (nondetermined) 1501 { #line if 1504 (nondetermined) { #line return 1504 (0); } else return { (0); #line } 1509 else { #line return 1509 (1); } return (1); } else } { #line } else 1515 { #line return 1515(1); } return (1); } } } } #line } 1520 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1520 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxvoid 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_unlock_usb_bus_list_lock(struct mutex *lock ) { void ldv_mutex_unlock_usb_bus_list_lock(struct mutex *lock ) { SAFE i.e., assertions cannot be violated { #line { 1523 #line if (ldv_mutex_usb_bus_list_lock 1523 == 2) { if (ldv_mutex_usb_bus_list_lock == 2) { } else { #line } else 1523 { #line ldv_error(); 1523 } ldv_error(); #line } 1525 #line ldv_mutex_usb_bus_list_lock 1525 = 1; #line ldv_mutex_usb_bus_list_lock 1526 = 1; #line return; 1526 } return; } } #line } 1528 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1528 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxstatic 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" int ldv_mutex_usbfs_mutex ; #line static 1531 int "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux- ldv_mutex_usbfs_mutex ; 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1531 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxint 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_interruptible_usbfs_mutex(struct mutex *lock ) { int ldv_mutex_lock_interruptible_usbfs_mutex(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1536 #line if (ldv_mutex_usbfs_mutex 1536 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1536 { #line ldv_error(); 1536 } ldv_error(); #line } 1539 #line nondetermined 1539 = VERIFIER_nondet_int(); #line nondetermined 1542 = VERIFIER_nondet_int(); #line if (nondetermined) 1542 { #line if 1545 (nondetermined) { #line ldv_mutex_usbfs_mutex 1545 = 2; #line ldv_mutex_usbfs_mutex 1547 = 2; #line return 1547(0); } else return { (0); #line } else 1552 { #line return 1552(-4); } return (-4); } } } } #line } 1557 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1557 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxint 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_killable_usbfs_mutex(struct mutex *lock ) { int ldv_mutex_lock_killable_usbfs_mutex(struct mutex *lock ) { int nondetermined ; int nondetermined ; { #line { 1562 #line if (ldv_mutex_usbfs_mutex 1562 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1562 { #line ldv_error(); 1562 } ldv_error(); #line } 1565 #line nondetermined 1565 = VERIFIER_nondet_int(); #line nondetermined 1568 = VERIFIER_nondet_int(); #line if (nondetermined) 1568 { #line if 1571 (nondetermined) { #line ldv_mutex_usbfs_mutex 1571 = 2; #line ldv_mutex_usbfs_mutex 1573 = 2; #line return 1573(0); } else return { (0); #line } else 1578 { #line return 1578(-4); } return (-4); } } } } #line } 1583 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linux /csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" #line 1583 "/work/vladimir/ufo/work/test/work/current--x--drivers/usb/core/usbcore.ko--x--defaultlinux x--32_7a--x--ufo/linuxvoid 3.7.3/csd_deg_dscv/29/dscv_tempdir/rule-instrumentor/32_7a/common-model/ldv_common_model.c" ldv_mutex_lock_usbfs_mutex(struct mutex *lock ) { void ldv_mutex_lock_usbfs_mutex(struct mutex *lock ) { { #line { 1586 #line if (ldv_mutex_usbfs_mutex 1586 == 1) { if (ldv_mutex_usbfs_mutex == 1) { } else { #line } else 1586 { #line ldv_error(); 1586 } ldv_error(); #line } 1588 #line 1588 specification software verifier UNKNOWN timeout, memory out... UNSAFE i.e., there is a bug in the program 4
5 Abstraction Disregard irrelevant information Avoids state-space explosion Allows verification of real-world software to scale Success story of SLAM project at Microsoft But how does a good abstraction look like? Too coarse False alarms Too precise More timeouts Impossible to do manually Automation needed 5
6 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision is feasible? error path is infeasible 6
7 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision precision is analysis dependent: e.g., set of predicates for predicate analysis e.g., set of variable identifiers for value analysis is feasible? error path is infeasible 7
8 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refinement procedure: black magic in a mystery box is feasible? error path is infeasible 8
9 program source code Counterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refinement procedure: interpolation over infeasible error path is feasible? error path is infeasible 9
10 L3 L4 L6 L9 L10 L11 error b := 0; i := 0; [i > 9] [b!= 0] [i!= 10] assert(0); Craig Interpolation φ φ + At L6 the interpolant ψ for φ and φ + could be: [b = 0], or [i = 0], or [b = 0 i = 0], or... itp ψ the interpolant [Abstractions from Proofs, 2004, Henzinger, Jhala, Majumdar, McMillan] 10
11 Explicit-Value Interpolation For a pair of constraint sequences γ and γ +, such that γ γ + is contradicting, interpolant ψ is a constraint sequence γ that fulfills the following requirements: 1) γ implies ψ 2) ψ γ + is unsatisfiable 3) ψ only contains symbols that are common to both γ and γ + At L6 the interpolant ψ for γ and γ + could be: [b = 0], or [i = 0], or [b = 0 i = 0], or... γ + L3 L4 L3 L6 L9 L10 L11 error b := 0; i := 0; [i > 9] [b!= 0] [i!= 10] assert(0); [Explicit-State Software Model Checking Based on CEGAR and Interpolation, , D. Beyer, S. Löwe]
12 Interpolants Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision 12
13 Interpolation Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision 13
14 Example Good vs. Bad Interpolants Input Program 14
15 Example Good vs. Bad Interpolants Input Program Abstract Error Path 15
16 Example Good vs. Bad Interpolants Input Program Abstract Error Path 16
17 Example Good vs. Bad Interpolants Input Program Abstract Error Path Good Interpolants Bad Interpolants 17
18 Example Good vs. Bad Interpolants Input Program Abstract Error Path Good Interpolants Bad Interpolants 18
19 Interpolation Recap Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision Single interpolation problem typically has several solutions Which interpolant do we get? Some are good, others might lead to divergence Selection controlled by internals of interpolation engine 19
20 Interpolation Guided Represent concise explanations for infeasibility of error Therefore, ideally suited for refinement of precision Theoretically, well suited for refinement of precision Single interpolation problem typically has several solutions Which interpolant do we get? Some are good, others might lead to divergence Selection controlled by internals of interpolation engine Guide interpolation, ideally towards good interpolants 20
21 Extraction of Infeasible Sliced Prefixes Abstract Error Path
22 Extraction of Infeasible Sliced Prefixes Abstract Error Path
23 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix
24 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path
25 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path
26 Extraction of Infeasible Sliced Prefixes Abstract Error Path 1 st Prefix Sliced Error Path 2 nd Prefix
27 Extraction of Infeasible Sliced Prefixes Single Abstract Error Path 1 st Prefix 2 nd Prefix
28 Extraction of Infeasible Sliced Prefixes Single Abstract Error Path 1 st Prefix 2 nd Prefix itp itp Interpolant sequence over loop-counter variable Interpolant sequence over boolean variable
29 Proposition: Interpolants of Prefixes Any infeasible sliced prefix φ that is extracted from an infeasible error path σ can be used for interpolation to exclude the original error path σ from subsequent iterations of CEGAR loop
30 Proposition: Interpolants of Prefixes Any infeasible sliced prefix φ that is extracted from an infeasible error path σ can be used for interpolation to exclude the original error path σ from subsequent iterations of CEGAR loop We can use any prefix we want for interpolation! refinement selection is now possible Proof is in the Paper
31 program source code Couterexample-Guided Abstraction Refinement build & check abstract model no error path error pathfound SAFE UNSAFE refine precision using refinement selection is feasible? error path is infeasible 32
32 Refinement Selection Refinement is now an optimization problem Select any refinement from a set of refinements Different heuristics for selecting an refinement Shortest or longest prefix Best or worst score based on Domain-Types Width of precision Depth of refinement root
33 Implementation & Experiments Evaluated on over 2500 benchmarks from SV-COMP'15 Evaluated under rules of SV-COMP'15 15 minutes CPU Time 15 GB RAM All ideas and concepts described are implemented Integrated into CPAchecker Extended Value Analysis
34 Results Powered by BenchExec -
35 Results Powered by BenchExec -
36 Results Sliced-Prefix Length Powered by BenchExec -
37 Results Domain-Type Score Powered by BenchExec -
38 We want Refinement Selection!!! Because straight-forward interpolation completely and utterly sucks!!!11! Stefan Löwe
39 Now also for Predicate Abstraction!
40 Conclusion Defined and implemented for two domains infeasible sliced prefixes precision selection heuristics Enables refinement selection Nice Results Refinement selection matters! More research needed on how to select refinements 41
Static Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationProc. ISoLA 2018, c Springer
Proc. ISoLA 2018, c Springer In-Place vs. Copy-on-Write. CEGAR Refinement for Block Summarization with Caching Dirk Beyer and Karlheinz Friedberger LMU Munich, Germany Abstract. Block summarization is
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationConfigurable Software Model Checking
Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationUfo: A Framework for Abstraction- and Interpolation-Based Software Verification
Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationThe software model checker BLAST
Int J Softw Tools Technol Transfer (2007) 9:505 525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE 04/ 05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A.
More informationCounter-Example Guided Program Verification
Counter-Example Guided Program Verification Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Bui Phi Diep Uppsala University, Sweden {parosh,mohamed faouzi.atig,bui.phi-diep}@it.uu.se Abstract. This paper
More informationHaving a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
More informationBDD-Based Software Model Checking with CPAchecker
BDD-Based Software Model Checking with CPAchecker Dirk Beyer and Andreas Stahlbauer University of Passau, Germany Abstract. In symbolic software model checking, most approaches use predicates as symbolic
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationHandling Loops in Bounded Model Checking of C Programs via k-induction
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Handling Loops in Bounded Model Checking of C Programs via k-induction Mikhail Y. R. Gadelha, Hussama I. Ismail, and
More informationModel Checking Embedded C Software using k-induction and Invariants
FEDERAL UNIVERSITY OF RORAIMA and FEDERAL UNIVESITY OF AMAZONAS Model Checking Embedded C Software using k-induction and Invariants Herbert Rocha, Hussama Ismail, Lucas Cordeiro and Raimundo Barreto Agenda
More informationProgram Analysis and Constraint Programming
Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization
More informationLife, Death, and the Critical Transition: Finding Liveness Bugs in System Code
Life, Death, and the Critical Transition: Finding Liveness Bugs in System Code Charles Killian, James W. Anderson, Ranjit Jhala, and Amin Vahdat Presented by Nick Sumner 25 March 2008 Background We already
More informationReducer-Based Construction of Conditional Verifiers
2018 ACM/IEEE 40th International Conference on Software Engineering Reducer-Based Construction of Conditional Verifiers ABSTRACT Dirk Beyer LMU Munich, Germany Thomas Lemberger LMU Munich, Germany Despite
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationSoftware Model Checking via Large-Block Encoding
Software Model Checking via Large-Block Encoding Dirk Beyer Simon Fraser University Alessandro Cimatti FBK-irst, Trento Alberto Griggio University of Trento & Simon Fraser University M. Erkan Keremoglu
More informationPANDA: Simultaneous Predicate Abstraction and Concrete Execution
PANDA: Simultaneous Predicate Abstraction and Concrete Execution Jakub Daniel and Pavel Parízek Charles University in Prague, Faculty of Mathematics and Physics, Department of Distributed and Dependable
More informationC Code Verification based on the Extended Labeled Transition System Model
C Code Verification based on the Extended Labeled Transition System Model Dexi Wang, Chao Zhang, Guang Chen, Ming Gu, and Jiaguang Sun School of Software, TNLIST, Tsinghua University, China {dx-wang12,zhang-chao13,chenguan14}@mails.tsinghua.edu.cn
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationBenchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel
Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel JPF Workshop 2018 What is SV-COMP? https://sv-comp.sosy-lab.org
More informationDouble Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST
Model Checking #1 Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationPredicate Abstraction with Adjustable-Block Encoding
Predicate Abstraction with Adjustable-Block Encoding Dirk Beyer Simon Fraser University / University of Passau M. Erkan Keremoglu Simon Fraser University, B.C., Canada Philipp Wendler University of Passau,
More informationVerifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China
Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion
More informationAlgorithms for Software Model Checking: Predicate Abstraction vs. IMPACT
Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT Dirk Beyer University of Passau, Germany Philipp Wendler University of Passau, Germany Abstract CEGAR, SMT solving, and Craig interpolation
More informationPredicate Refinement Heuristics in Program Verification with CEGAR
Predicate Refinement Heuristics in Program Verification with CEGAR Tachio Terauchi (JAIST) Part of this is joint work with Hiroshi Unno (U. Tsukuba) 1 Predicate Abstraction with CEGAR Iteratively generate
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationTRACER: A Symbolic Execution Tool for Verification
TRACER: A Symbolic Execution Tool for Verification Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa 3 National University of Singapore The University of Melbourne 3 University
More informationInterpolation-based Software Verification with Wolverine
Interpolation-based Software Verification with Wolverine Daniel Kroening 1 and Georg Weissenbacher 2 1 Computer Science Department, Oxford University 2 Department of Electrical Engineering, Princeton University
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationSYNERGY : A New Algorithm for Property Checking
SYNERGY : A New Algorithm for Property Checking Bhargav S. Gulavani Thomas A. Henzinger Yamini Kannan Aditya V. Nori Sriram K. Rajamani bhargav@cse.iitb.ernet.in tah@epfl.ch yaminik@microsoft.com adityan@microsoft.com
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationDIPARTIMENTO DI INGEGNERIA E SCIENZA DELL INFORMAZIONE Povo Trento (Italy), Via Sommarive 14
UNIVERSITY OF TRENTO DIPARTIMENTO DI INGEGNERIA E SCIENZA DELL INFORMAZIONE 38050 Povo Trento (Italy), Via Sommarive 14 http://www.disi.unitn.it SOFTWARE MODEL CHECKING VIA LARGE-BLOCK ENCODING Dirk Beyer,
More informationBDD-Based Software Verification
Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) BDD-Based Software Verification Applications to Event-Condition-Action Systems Dirk Beyer and Andreas Stahlbauer University
More informationPredicate Abstraction and CEGAR for Higher Order Model Checking
Predicate Abstraction and CEGAR for Higher Order Model Checking Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno Tohoku University (Presented at PLDI2011) 1 Our Goal Software model checker for functional
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationTree Interpolation in Vampire
Tree Interpolation in Vampire Régis Blanc 1, Ashutosh Gupta 2, Laura Kovács 3, and Bernhard Kragl 4 1 EPFL 2 IST Austria 3 Chalmers 4 TU Vienna Abstract. We describe new extensions of the Vampire theorem
More informationMinimizing the number of static verifier traces to reduce time for finding bugs in Linux kernel modules
Minimizing the number of static verifier traces to reduce time for finding bugs in Linux kernel modules Vitaly Mordan Institute for System Programming Russian Academy of Sciences Moscow, Russia Email:
More informationProving Properties of non-array Programs
Proving Properties of non-array Programs Thanks to Priyanka Darke Tata Research Development and Design Centre, Pune, India December 13, 2017 Copyright 2012 Tata Consultancy Services Limited 1 Background
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationarxiv: v2 [cs.pl] 3 Apr 2018
1 Scheduling Constraint Based Abstraction Refinement for Multi-Threaded Program Verification arxiv:1708.08323v2 [cs.pl] 3 Apr 2018 LIANGZE YIN, School of Computer, National University of Defense Technology,
More informationChecking Memory Safety with Blast
Checking Memory Safety with Blast Dirk Beyer 1 Thomas A. Henzinger 12 Ranjit Jhala 3 Rupak Majumdar 4 1 EPFL, Switzerland 2 University of California, Berkeley 3 University of California, San Diego 4 University
More informationInductive Invariant Generation via Abductive Inference
Inductive Invariant Generation via Abductive Inference Isil Dillig Department of Computer Science College of William & Mary idillig@cs.wm.edu Thomas Dillig Department of Computer Science College of William
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationSoftware Model Checking with Abstraction Refinement
Software Model Checking with Abstraction Refinement Computer Science and Artificial Intelligence Laboratory MIT Armando Solar-Lezama With slides from Thomas Henzinger, Ranjit Jhala and Rupak Majumdar.
More informationSlicing and Scope-Bounded Verification with Polymorphic Region and Effect Inference
Slicing and Scope-Bounded Verification with Polymorphic Region and Effect Inference Mikhail Mandrykin ISP RAS ISP RAS, September 26th, 2018 ISP RAS, September 26th, 2018 1 / 26 Contents 1 Motivation 2
More informationUninformed Search Strategies
Uninformed Search Strategies Alan Mackworth UBC CS 322 Search 2 January 11, 2013 Textbook 3.5 1 Today s Lecture Lecture 4 (2-Search1) Recap Uninformed search + criteria to compare search algorithms - Depth
More informationBITCOIN MINING IN A SAT FRAMEWORK
BITCOIN MINING IN A SAT FRAMEWORK Jonathan Heusser @jonathanheusser DISCLAIMER JUST TO BE CLEAR.. This is research! Not saying ASICs suck I am not a cryptographer, nor SAT solver guy WTF REALISED PHD RESEARCH
More informationSPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa
SPIN part 2 Verification with LTL Jaime Ramos Departamento de Matemática, Técnico, ULisboa Borrowed from slides by David Henriques, Técnico, ULisboa LTL model checking How Spin works Checks non-empty intersection
More informationPredicate Abstraction Daniel Kroening 1
Predicate Abstraction 20.1.2005 Daniel Kroening 1 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data
More informationKRATOS A Software Model Checker for SystemC
KRATOS A Software Model Checker for SystemC A. Cimatti, A. Griggio, A. Micheli, I. Narasamdya, and M. Roveri Fondazione Bruno Kessler Irst {cimatti,griggio,amicheli,narasamdya,roveri}@fbk.eu Abstract.
More informationModel Checking with Abstract State Matching
Model Checking with Abstract State Matching Corina Păsăreanu QSS, NASA Ames Research Center Joint work with Saswat Anand (Georgia Institute of Technology) Radek Pelánek (Masaryk University) Willem Visser
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationBDD-based software verification
Int J Softw Tools Technol Transfer (2014) 16:507 518 DOI 10.1007/s10009-014-0334-1 RERS BDD-based software verification Applications to event-condition-action systems Dirk Beyer Andreas Stahlbauer Published
More informationUnbounded Symbolic Execution for Program Verification
Unbounded Symbolic Execution for Program Verification JOXAN JAFFAR 1, JORGE A. NAVAS 1, AND ANDREW E. SANTOSA 2 1 National University of Singapore 2 University of Sydney, Australia {joxan,navas}@comp.nus.edu.sg,
More informationAbstraction Learning
Abstraction Learning Joxan Jaffar National University of Singapore joxan@comp.nus.edu.sg Jorge Navas National University of Singapore navas@comp.nus.edu.sg Andrew E. Santosa National University of Singapore
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationCraig Interpretation
Craig Interpretation Aws Albarghouthi 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto, Canada 2 Software Engineering Institute, Carnegie Mellon University,
More informationLazy Shape Analysis. Dirk Beyer, Thomas A. Henzinger, and Grégory Théoduloz. EPFL, Switzerland
Lazy Shape Analysis Dirk Beyer, Thomas A. Henzinger, and Grégory Théoduloz EPFL, Switzerland Abstract. Many software model checkers are based on predicate abstraction. If the verification goal depends
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationAbstraction Refinement for Quantified Array Assertions
Abstraction Refinement for Quantified Array Assertions Mohamed Nassim Seghir 1,, Andreas Podelski 1, and Thomas Wies 1,2 1 University of Freiburg, Germany 2 EPFL, Switzerland Abstract. We present an abstraction
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationSymbolic Evaluation/Execution
Symbolic Evaluation/Execution Reading Assignment *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationScalable Program Analysis Using Boolean Satisfiability: The Saturn Project
Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project Alex Aiken Stanford University Saturn 1 The Idea Verify properties of large systems! Doesn t {SLAM, BLAST, CQual, ESP} already
More informationFrom Underapproximations to Overapproximations and Back!
From Underapproximations to Overapproximations and Back! Software Engineering Institute Carnegie Mellon University joint work with Aws Albarghouthi and Marsha Chechik from University of Toronto NO WARRANTY
More informationUNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira
More informationKRATOS A Software Model Checker for SystemC
KRATOS A Software Model Checker for SystemC A. Cimatti, A. Griggio, A. Micheli, I. Narasamdya, and M. Roveri Fondazione Bruno Kessler Irst {cimatti,griggio,amicheli,narasamdya,roveri}@fbk.eu Abstract.
More informationVerifying Multithreaded Software with Impact
Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers,
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationJBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik
: A Bounded Model Checking Tool for Verifying Java Bytecode Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik Computer Aided Verification 2018 Why? Java and JVM languages: Most
More informationAbstractions from Proofs
Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala Rupak Majumdar EECS Department, University of California Berkeley, CA 94720-1770, U.S.A. {tah,jhala,rupak}@eecs.berkeley.edu Kenneth L. McMillan
More informationSOFTWARE MODEL CHECKING WITH EXPLICIT SCHEDULER AND SYMBOLIC THREADS
SOFTWARE MODEL CHECKING WITH EXPLICIT SCHEDULER AND SYMBOLIC THREADS ALESSANDRO CIMATTI, IMAN NARASAMDYA, AND MARCO ROVERI Fondazione Bruno Kessler e-mail address: {cimatti,narasamdya,roveri}@fbk.eu ABSTRACT.
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationReading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis
Reading Assignment Symbolic Evaluation/Execution *R.W. Floyd, "Assigning Meaning to Programs, Symposium on Applied Mathematics, 1967, pp. 19-32 (Appeared as volume 19 of Mathematical Aspects of Computer
More informationShape Refinement through Explicit Heap Analysis
Shape Refinement through Explicit Heap Analysis Dirk Beyer 1,2, Thomas A. Henzinger 3, Grégory Théoduloz 4, and Damien Zufferey 3 1 Simon Fraser University, B.C., Canada 2 University of Passau, Germany
More informationLYREBIRD David Cock
davec@cse.unsw.edu.aullyrebird LYREBIRD David Cock λ What is the Motivation? Program proof is important, but there s more to do. NICTA Copyright c 2011 From Imagination to Impact 2 What is the Motivation?
More informationSmall Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis
Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis Isil Dillig, Thomas Dillig, Alex Aiken Stanford University Scalability and Formula Size Many program analysis
More informationC07: Testing and JUnit
CISC 3120 C07: Testing and JUnit Hui Chen Department of Computer & Information Science CUNY Brooklyn College 9/19/2017 CUNY Brooklyn College 1 Outline Recap and issues Grades and feedback Assignments &
More informationApplication of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3
More informationFormal Specification and Verification
Formal Specification and Verification Model Checking with Temporal Logic Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification
More informationCS1110 Lab 6 (Mar 17-18, 2015)
CS1110 Lab 6 (Mar 17-18, 2015) First Name: Last Name: NetID: The lab assignments are very important and you must have a CS 1110 course consultant tell CMS that you did the work. (Correctness does not matter.)
More informationLecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University
Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University 1 Cost of Software Errors June 2002 Software bugs, or errors, are so prevalent and so detrimental that they
More informationFormal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints
Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk Agenda
More informationDART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley Verification and esting We would like to prove programs correct Verification and esting We
More information(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt
Verification (See related materials in textbook.) Outline What are the goals of verification? What are the main approaches to verification? What kind of assurance do we get through testing? How can testing
More informationApplying Data Refinement for Monadic Programs to Hopcroft s Algorithm
Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm Peter Lammich, Thomas Tuerk ITP 2012, 13th August 2012 Background Peter Lammich (lammich@in.tum.de) Isabelle Collection Framework (ICF)
More informationOver-Approximating Boolean Programs with Unbounded Thread Creation
Over-Approximating Boolean Programs with Unbounded Thread Creation Byron Cook Microsoft Research Cambridge Email: bycook@microsoft.com Daniel Kroening Computer Systems Institute ETH Zurich Email: daniel.kroening@inf.ethz.ch
More informationTiming Analysis of Parallel Software Using Abstract Execution
Timing Analysis of Parallel Software Using Abstract Execution Björn Lisper School of Innovation, Design, and Engineering Mälardalen University bjorn.lisper@mdh.se 2014-09-10 EACO Workshop 2014 Motivation
More informationRegression Verification - a practical way to verify programs
Regression Verification - a practical way to verify programs Ofer Strichman Benny Godlin Technion, Haifa, Israel. Email: ofers@ie.technion.ac.il bgodlin@cs.technion.ac.il 1 Introduction When considering
More informationExplainHoudini: Making Houdini inference transparent
ExplainHoudini: Making Houdini inference transparent Shuvendu K. Lahiri 1 and Julien Vanegue 2 1 Microsoft Research shuvendu@microsoft.com 2 Microsoft Corporation jvanegue@microsoft.com Abstract. Houdini
More informationKing s Research Portal
King s Research Portal DOI: 10.1007/978-3-662-54580-5_12 Link to publication record in King's Research Portal Citation for published version (APA): Alt, L., Asadi, S., Chockler, H., Even Mendoza, K., Fedyukovich,
More information