Embedded Software Verification Challenges and Solutions. Static Program Analysis
1 Embedded Software Verification Challenges and Solutions: Static Program Analysis
  Chao Wang, NEC Labs America, Princeton, NJ
  ICCAD Tutorial, November 11,
2 Outline
  What programs?
  Program verification using verification condition generation
  Static Program Analysis
  Predicate Abstraction
  Bounded Model Checking (BMC)
3 Static Program Analysis
  Static program analysis consists of automatically discovering properties of a program that hold for all possible execution paths of the program.
4 Motivation
  To supplement model checking (MC/BMC):
  Start with accurate program modeling
  Apply static analyses: find easy proofs and eliminate MC checks; generate invariants; simplify the model for MC
  Does it work?
  [Figure: flow from the C program and its properties through automated checkers and static analyses to an FSM model and the model checker (proof or bug), with counterexample analysis feeding refinement / predicate abstraction]
5 Static Program Analysis
  Modeling C programs: model extraction and reduction
  Numerical abstract domains: Interval, Octagon, Polyhedral; Meet, Join, Post, Subset, Fix-point computation
  Polyhedral power-set domains
  Widening / Extrapolation
  Industrial experience
6 Model Extraction and Reduction
  C Program (line numbers are referenced by the CFG slides):
    1: void bar() {
    2:     int x = 3, y = x-3 ;
    3:     while ( x <= 4 ) {
    4:         y++ ;
    5:         x = foo(x);
    6:     }
    7:     y = foo(y);
    8: }
    9:
    10: int foo ( int l ) {
    11:     int t = l+2 ;
    12:     if ( t>6 )
    13:         t -= 3;
    14:     else
    15:         t--;
    16:     return t;
    17: }
  Pipeline: C program -> source-to-source transformations -> transformed C program -> Control Flow Graph (CFG) -> symbolic FSM model M = (S, s0, TR, L) with present-state latches, transition relation and next state
  Source-to-source transformations: for modeling pointers, arrays, structures
  Control Flow Graph: intermediate representation; well-studied optimizations for model reduction; separates model building from model checking
  Static program analysis is conducted on the CFG
7 Source-to-source Transformations
  Handling programming language (C) features:
  Pointers are replaced by introducing auxiliary variables [Semeria & De Micheli 98]
  Arrays and structures are flattened, i.e. each element/field is modeled individually
  Every variable is assigned a logical address (integer)
  Adjacent addresses are given consecutive numbers, to model pointer arithmetic
  Automatic checker instrumentation
8 Modeling Pointers
  Original:
    int *p; int x, y;
    p = &x;
    p = &y;
    *p = expr;
    assert(x > 10);
  Transformed: the pointer becomes an integer, an auxiliary variable (written p_star here) tracks *p, and reads/writes become conditional assignments [Semeria & De Micheli 98]:
    Uint p; int p_star; int x, y;
    p = &x; p_star = x;
    p = &y; p_star = y;
    p_star = expr; x = (p == &x) ? expr : x; y = (p == &y) ? expr : y;
    assert(x > 10);
  points-to(p) = {x, y}
  Compute sound points-to sets [Steensgaard 96]
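The pointer-elimination rewrite of the slide above, as an added example that is not part of the original tutorial. It works on a small constructed statement IR (forms listed in the comments), computes points-to sets flow-insensitively rather than with the cited Steensgaard analysis, and names the shadow variable p_star; these are this example's own choices.

```python
# Added example (not from the slides): the pointer-elimination rewrite of
# slide 8 on a constructed mini-IR. A pointer p becomes an unsigned integer
# holding its target's logical address (slide 7) plus a shadow variable
# p_star that tracks *p; writes through p and direct writes to its possible
# targets become conditional assignments over the points-to set.
# Points-to sets here are flow-insensitive (every address ever stored into p),
# which is sound but coarser than the Steensgaard analysis cited on the slide.

# Statement forms of the constructed IR:
#   ("decl",   text)   pointer-free declaration/statement, copied verbatim
#   ("addr",   p, x)   p = &x
#   ("store",  p, e)   *p = e
#   ("load",   y, p)   y = *p
#   ("assign", x, e)   x = e   (x a plain variable)
PROGRAM = [                      # the slide's example, constructed as IR
    ("decl", "int x, y;"),
    ("addr", "p", "x"),
    ("addr", "p", "y"),
    ("store", "p", "expr"),
    ("decl", "assert(x > 10);"),
]

def points_to(program):
    """Flow-insensitive points-to sets: pointer name -> set of target variables."""
    pts = {}
    for stmt in program:
        if stmt[0] == "addr":
            pts.setdefault(stmt[1], set()).add(stmt[2])
    return pts

def address_layout(program):
    """Give every pointed-to variable a logical address; consecutive numbers
    model pointer arithmetic, and 0 is left free to stand for NULL."""
    targets = sorted({stmt[2] for stmt in program if stmt[0] == "addr"})
    return {v: i + 1 for i, v in enumerate(targets)}

def eliminate_pointers(program):
    """Return (transformed C-like lines, points-to sets, address layout)."""
    pts, layout = points_to(program), address_layout(program)
    out = [f"unsigned int {p}; int {p}_star; /* {p}_star tracks *{p} */"
           for p in sorted(pts)]
    for stmt in program:
        kind = stmt[0]
        if kind == "decl":
            out.append(stmt[1])
        elif kind == "addr":                        # p = &x
            _, p, x = stmt
            out.append(f"{p} = {layout[x]}; /* &{x} */")
            out.append(f"{p}_star = {x};")
        elif kind == "store":                       # *p = e
            _, p, e = stmt
            out.append(f"{p}_star = {e};")
            for x in sorted(pts[p]):                # each possible target, guarded
                out.append(f"{x} = ({p} == {layout[x]}) ? {e} : {x};")
        elif kind == "load":                        # y = *p
            _, y, p = stmt
            out.append(f"{y} = {p}_star;")
        elif kind == "assign":                      # x = e; keep shadows consistent
            _, x, e = stmt
            out.append(f"{x} = {e};")
            for p in sorted(q for q, targets in pts.items() if x in targets):
                out.append(f"{p}_star = ({p} == {layout[x]}) ? {e} : {p}_star;")
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return out, pts, layout

if __name__ == "__main__":
    for line in eliminate_pointers(PROGRAM)[0]:
        print(line)
```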
9 Modeling Structures
    struct S { int i ; float f ; char c ; } s[3] ;
  becomes
    int s_i[3]; float s_f[3]; char s_c[3];
  Custom memory model: arrays and structures are flattened (up to a fixed depth); each variable gets a memory address (integer number)
  Impact of this field-sensitive structure flattening: all static analyses become field-sensitive; increases applicability of numeric abstract domains (intervals, octagons, polyhedra, ...)
10 Adding Checkers
  Assertions added for array/pointer/string accesses:
  Array buffer overflow checks: ptrlo(p) and ptrhi(p) added, to track the safe region in memory
  Pointer validity check: ptrvalid(p) variable added, to track whether null or not
  String bugs: strlen(p), fwdbnds(p) added, to track pointer and string length
11 Example
  Original:
    int A[N], B[N];
    int equals () {
        int i=n, j=n ;
        int result=1 ;
        while ( i > 0 ) {
            i--; j--;
            if ( A[i] != B[j] ) result = 0 ;
        }
        return result ;
    }
  Checkers inserted (array bounds checks before each access):
    int A[N], B[N];
    void arraymodel () {
        int i=n, j=n ;
        int result=1;
        while ( i > 0 ) {
            i--; j--;
            if ( i<0 || i>=n ) ERROR() ;
            if ( j<0 || j>=n ) ERROR() ;
            if ( A[i] != B[j] ) result = 0;
        }
    }
12-13 Control Flow Graph
  For the bar/foo program of slide 6 (line numbers as there). Each CFG node is a basic block with parallel assignments:
  Line 2; Line 3 (loop test); Line 4; Line 5 (call); Lines 11-12,14; Line 13; Line 15; Line 16; Line 5 (return); Line 7 (call); Line 7 (return)
14 Numerical Program
  Yields a CFG with only int-type variables, i.e. a numerical program
  Recursive function calls using a bounded call stack
  Recursive data up to a bounded depth
  It's an EFSM (you can run model checking)
  CFG => State (control + data) Machine:
    Basic blocks => control states (PC variables)
    Program variables => data states
    Guarded transitions => TR for control states
    Parallel assignments => TR for data states
    Loop back-edges => transitions between control states
  FSMs: bit-precise accurate models
  Extended FSMs: finite control, but integer data (infinite)
  But wait, without model reduction that would be too expensive!
  [Figure: EFSM with control states 00..11 and guarded transitions: s = x+2; t = x-1; (t > 6) t -= 3; !(t > 6) t--; s += t]
15 Simplify the model first
  [Figure: source code (C, stubs) with properties and automated bug checkers -> static analysis / abstraction (program slicing, range analysis, invariant generation, polyhedral analysis, predicate abstraction) -> model transformation and translation -> model checker (VeriSol) -> proof or bug; counterexample analysis & refinement and a testbench generator feed back]
16 Program Slicing
  Removes irrelevant variables and code
  Forward slicing removes code not reachable from the main function
  Backward (property-specific) slicing removes code not affecting the correctness of the given property
  Original program:
    void arithmetic(int *A, int n) {
        int sum=0, prod=1, mean=0;
        int i = 0 ;
        while ( i < n ) {
            sum += A[i] ;
            prod *= A[i] ;
            mean += A[i]/n;
            i++ ;
        }
        assert( exp(sum) );
    }
  Slice with respect to sum (prod and mean do not affect the assertion and are removed):
    void arithmetic(int *A, int n) {
        int sum=0;
        int i = 0 ;
        while ( i < n ) {
            sum += A[i] ;
            i++ ;
        }
        assert( exp(sum) );
    }
17 Static Invariant Generation
  Original:
    int A[N], B[N];
    int equals () {
        int i=n, j=n ;
        int result=1 ;
        while ( i > 0 ) {
            i--; j--;
            if ( A[i] != B[j] ) result = 0 ;
        }
        return result ;
    }
  Checkers inserted:
    int A[N], B[N];
    void arraymodel () {
        int i=n, j=n ;
        int result=1;
        while ( i > 0 ) {
            i--; j--;
            if ( i<0 || i>=n ) ERROR() ;
            if ( j<0 || j>=n ) ERROR() ;
            if ( A[i] != B[j] ) result = 0;
        }
    }
  Because of the invariants at the if-statements, no error is reachable
  Difficult to prove by model checking (large N)
  Difficult to prove by predicate abstraction refinement
  Invariants: 0 <= i <= N, 0 <= j <= N, i == j
  Such invariants can be easily discovered by abstract interpretation [Cousot & Cousot 77]
18 Abstract Interpretation
  A general framework for designing static program analyzers
  Abstract domains: inclusion, join, meet, projection, ...
  Abstract program semantics: abstract post condition
  Fixpoint computation: widening, narrowing
19 Program Semantics
  Concrete semantics: (Σ, →), s = ⟨program location, state⟩, s → s'
  Abstract semantics: (Σ̂, →̂), ŝ = ⟨program location, abstract state⟩, ŝ →̂ ŝ'
20 Abstract Domains
  Sets: a1, a2, a
  Inclusion: a1 ⊆ a2 imposes a partial order
  Join: a = a1 ∪ a2 is the smallest set with a1 ⊆ a, a2 ⊆ a; used at the join points of the CFG
  Meet: a = a1 ∩ a2 is the largest set with a ⊆ a1, a ⊆ a2; used at the conditional branches of the CFG
  Abstract post condition: transfer function; models the effect of an assignment
  Widening and narrowing to enforce convergence and improve the solution; often used at the back edges of loops
21 Program Semantics
  Concrete semantics: (Σ, →), s = ⟨program location, state⟩, s → s'
    1: n = k = 0;
    2: while n < 10 do
    3:   n = n + 1;
    4:   k = k + n;
    5: end
  ⟨3, n=0∧k=0⟩ → ⟨4, n=1∧k=0⟩ → ⟨3, n=1∧k=1⟩ → ⟨4, n=2∧k=0⟩ → ... → ⟨3, n=9∧k=45⟩ → ⟨4, n=10∧k=45⟩
22 Reachability Computation
    1: n = k = 0;
    2: while n < 10 do
    3:   n = n + 1;
    4:   k = k + n;
    5: end
  Two choices: (1) stay precise but store the frontier set only; (2) over-approximate the state set
  F1 = { ⟨1, ⊤⟩ }
  F2 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩ }
  F3 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=0∧k=0⟩ }
  F4 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=0∧k=0⟩, ⟨4, n=1∧k=0⟩ }
  F5 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=0∧k=0 ∨ n=1∧k=1⟩, ⟨3, n=0∧k=0⟩, ⟨4, n=1∧k=0⟩ }
  ...
  Problems: (1) the state set may blow up; (2) the iteration may not terminate
23-24 Convex Polyhedral Set (Join)
    1: n = k = 0;
    2: while n < 10 do
    3:   n = n + 1;
    4:   k = k + n;
    5: end
  Two choices: (1) stay precise but store the frontier set only; (2) use a convex set (an over-approximation)
  F1 = { ⟨1, ⊤⟩ }
  F2 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩ }
  F3 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=1∧k=0⟩ }
  F4 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=1∧k=0⟩, ⟨4, n=1∧k=1⟩ }
  F5 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n>=0∧n<=1∧k>=0∧k<=1⟩, ⟨3, n=1∧k=0⟩, ... }
  ...
     = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n>=0∧n<=10∧k>=0∧k<=55⟩, ... }  Fixpoint!
25 Polyhedral Power-Sets (frontier)
    1: n = k = 0;
    2: while n < 10 do
    3:   n = n + 1;
    4:   k = k + n;
    5: end
  Two choices: (1) stay precise but store the frontier set only; (2) use a convex set (an over-approximation)
  F1 = { ⟨1, ⊤⟩ }
  F2 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩ }
  F3 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=0∧k=0⟩ }
  F4 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=0∧k=0⟩, ⟨4, n=1∧k=0⟩ }
  F5 = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=1∧k=1⟩, ⟨4, n=2∧k=1⟩ }
  ...
     = { ⟨1, ⊤⟩, ⟨2, n=0∧k=0⟩, ⟨3, n=9∧k=45⟩, ⟨4, n=10∧k=45⟩ }  Fixpoint!
  Potential problem with this approach: termination!
26 The Middle Ground
    int x[10];
    int len, ok;
    if ( len >= 0 && len < 10 ) ok = 1; else ok = 0;
    ...
    if (ok) x[len] = 0;
  Proving the access x[len] in bounds requires a disjunctive invariant: (ok=0) OR (ok=1 AND 0 <= len < 10)
  Disjunctive union of polyhedra [Sankaranarayanan et al. 06]: fix the upper limit of disjuncts allowed in the abstract domain; heuristically merge at join points, or keep them separate
  Good performance vs. accuracy trade-off (~20% more proofs, 1.5X time); still less time than power-set based model checking
27 Numerical Abstract Domains
  Interval domain [Cousot & Cousot 77]: ranges for the program variables (X in [10,15], Y in [50,90], ...)
  Octagon domain [Miné 01]: difference constraints between variables (±x ± y <= c)
  Symbolic ranges [Sankaranarayanan et al. 07]: intervals with linear expressions as bounds (x in [10,15], y in [exp1(x), exp2(y)], z in [exp1(x,y), exp2(x,y)], ...)
  Polyhedral domain [Cousot & Halbwachs 79]: arbitrary linear invariants
  (Polyhedral) power-set domains: union of polyhedra (not a convex set)
  Proofs are valid, but bugs (lack of proofs) may be bogus: follow up with bit-precise model checking / BMC
28 BDDs + Polyhedral Powersets
  PC (program counter) expressions in Boolean logic (could use BDDs)
  Data expressions in integer domains (octagons, polyhedra, etc.)
  [Figure: CFG of the foo example with PC bits p3..p0 / q3..q0 and transition conditions x<=4, x>4, t>6, t<=6, rtr]
29 Symbolic Transition Relation
  $T = \bigvee_{(b_i, b_j) \in E} t_{ij}$, with $t_{ij} = t^d_i \wedge t^c_{ij}$ for the transition from block $b_i$ to block $b_j$ under condition $\theta(b_i, b_j)$:
  data part (parallel assignments of block $b_i$): $t^d_i = (P = i) \wedge \bigwedge_{k=1}^{|X|} (x_k' = e_{ik})$
  control part: $t^c_{ij} = (P = i) \wedge (P' = j) \wedge \theta(b_i, b_j)$
  Example (PC bits p3..p0 / q3..q0 encode the block; conditions x<=4, x>4, t>6, t<=6, rtr):
  (pc=1 ∧ pc'=2) ∧ (x<=4) ∧ (y' = y+1 ∧ ...) OR (pc=1 ∧ pc'=3) ∧ (x>4) ∧ (l' = 1 ∧ rtr' = 1 ∧ ...) OR ...
30 Unified View: Composite Symbolic Computation
  Definition: $F = F_B \wedge F_I \wedge F_R$, where $F_B$ is Boolean logic, $F_I$ is Presburger arithmetic and $F_R$ is real linear constraints
  DNF: $F = \bigvee_{i=1}^{nf} (F_B^i \wedge F_I^i \wedge F_R^i)$
  Solvers: CUDD for $F_B$, Omega library for $F_I$, Parma Polyhedra Library for $F_R$
  Existential quantification by the individual solvers in isolation: $\exists v_B, v_I, v_R.\ F = \bigvee_{i=1}^{nf} ((\exists v_B.\ F_B^i) \wedge (\exists v_I.\ F_I^i) \wedge (\exists v_R.\ F_R^i))$
31 Symbolic Fixpoint Computation
  Image of a set D of abstract states:
  $post(T, D) = (\exists X, P.\ (\bigvee_{(b_i, b_j) \in E} t_{ij}) \wedge D)[X/X', P/P'] = \bigvee_{(b_i, b_j) \in E} (\exists X, P.\ t_{ij} \wedge D)[X/X', P/P']$
  The image is computed by BDD and polyhedral analysis separately, based on the subformula types
32 Experiments
  Comparing MIX with other methods for reachability computation (T/O = 3600 s) [Yang et al. MEMOCODE 2006]. BDD: BDD-based model checking; SAT: SAT-based BMC; MIX: composite symbolic model checking. The bvar and depth columns of the original table were not recovered; parenthesized entries are as in the original.

  Name               Completed                     CPU Time (s)
                     BDD m.c.  SAT bmc  MIX m.c.   BDD m.c.  SAT bmc  MIX m.c.
  bakery             Y         (68)     Y          2         T/O      13
  tcas-1a            Y         (103)    Y          433       T/O      374
  tcas-any           (103)     (100)    Y          T/O       T/O      415
  ppp                Y         (84)     Y          687       T/O      51
  mcf1_as            Y         (98)     Y          150       T/O      2 *
  mcf2_afr           Y         (60)     Y          110       T/O      5
  mcf3_mrr           Y         (43)     Y          190       T/O      4
  bftpd_useringrp    Y         Y        Y          1         T/O      1
  bftpd_chkuser      (0)       (70)     Y          T/O       T/O      20
  bftpd_chkshell     (0)       (44)     Y          T/O       T/O      48
  bftpd_chkpasswd    (10)      (13)     Y          T/O       T/O      760
  * nonlinear appx.
33-34 What If It Doesn't Terminate?
35 Widening (interval domain)
  [a, b] ∇ [a', b'] = [ (if a <= a' then a else -∞), (if b' <= b then b else +∞) ]
  A bound that is stable is kept; a bound that keeps moving outward between iterations is pushed to infinity, which forces the iteration to converge.
  [Figure: number-line sketch of a, a', b, b']
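An added example (not from the tutorial): an interval-domain abstract interpreter for the n/k loop of slides 21-25, using the join of slide 20 and the widening rule above, followed by one narrowing step. The dict-based state representation, the 200-iteration cutoff and the helper names are this example's own choices.

```python
# Added example (not from the slides): interval-domain abstract
# interpretation of the loop used on slides 21-25, with the join of slide 20
# and the widening rule of slide 35.
#     1: n = k = 0;
#     2: while n < 10 do
#     3:   n = n + 1;
#     4:   k = k + n;
#     5: end
# Plain Kleene iteration does not converge here: intervals cannot relate k to n,
# so k's upper bound grows by 10 every round (the "may not terminate" problem of
# slide 22). Widening forces convergence in two rounds and one narrowing step
# recovers 0 <= n <= 10; the relational bound k <= 55 of slide 23 needs polyhedra.
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def join(self, o):
        """Least upper bound: used at CFG join points."""
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def meet(self, o):
        """Greatest lower bound: used at conditional branches; None is bottom."""
        lo, hi = max(self.lo, o.lo), min(self.hi, o.hi)
        return Interval(lo, hi) if lo <= hi else None

    def widen(self, o):
        """Slide 35: keep a stable bound, send a moving one to -inf / +inf."""
        return Interval(self.lo if self.lo <= o.lo else -INF,
                        self.hi if o.hi <= self.hi else INF)

    def narrow(self, o):
        """Replace an infinite bound by the tighter bound one more iteration gives."""
        return Interval(o.lo if self.lo == -INF else self.lo,
                        o.hi if self.hi == INF else self.hi)

    def add(self, o):
        """Abstract transfer function for x + y."""
        return Interval(self.lo + o.lo, self.hi + o.hi)

def join_state(a, b):
    """Pointwise join of two abstract states (dict var -> Interval); None is bottom."""
    if a is None or b is None:
        return a if b is None else b
    return {v: a[v].join(b[v]) for v in a}

def guard(state, var, bound):
    """Refine state with var in bound (an Interval); None if the branch is dead."""
    if state is None:
        return None
    r = state[var].meet(bound)
    return None if r is None else {**state, var: r}

def loop_body(head):
    """Lines 2-4 from the loop head: test n < 10, then n = n + 1; k = k + n."""
    s = guard(head, "n", Interval(-INF, 9))
    if s is None:
        return None
    n = s["n"].add(Interval(1, 1))
    return {"n": n, "k": s["k"].add(n)}

def analyze(widen=False, max_iter=200):
    """Fixpoint at the loop head (line 2). Returns the head and exit invariants,
    the number of iterations, and whether a fixpoint was reached."""
    entry = {"n": Interval(0, 0), "k": Interval(0, 0)}   # line 1
    head, converged, iters = entry, False, 0
    while iters < max_iter:
        iters += 1
        new = join_state(entry, loop_body(head))         # entry edge U back edge
        if widen:
            new = {v: head[v].widen(new[v]) for v in head}
        if new == head:
            converged = True
            break
        head = new
    if converged and widen:                              # one narrowing pass
        tight = join_state(entry, loop_body(head))
        head = {v: head[v].narrow(tight[v]) for v in head}
    return {"head": head, "exit": guard(head, "n", Interval(10, INF)),
            "iters": iters, "converged": converged}

if __name__ == "__main__":
    print("no widening:", analyze())
    print("widening:   ", analyze(widen=True))
```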
36 Widening (polyhedral domain)
37 Have more info about the expected result?
38 Widening Up-To (polyhedral domain)
39 Cooperative Framework (F-Soft)
  Scalability: static analysis engines; Accuracy: model checking engines
  Common decision procedures: SAT solver, SMT solver, Octagon library, Polyhedra library
  Common program representation: Control Flow Graph
  Translation of the CFG to the representation for decision procedures
  Translation of the witness back to the CFG (when applicable)
40 When widening is too coarse
41 Extrapolation with a Care Set
42 CEX Driven Refinement of the Care Set
43 CEX Driven Refinement
  Iteratively tightening up the care set
  CEX driven refinement helps improve: the join operator [Gulavani & Rajamani 2006, 2008]; the widening up-to operator [Halbwachs 93, 97]; extrapolation with care set [Wang et al. CAV 2007]
44 Experiments [Wang et al. CAV 2007]
  Automatic refinement of the Extrapolation with Care Set operator
  Combines the precision of model checking and the performance of static analysis
45 F-Soft Technology Transfer: Varvel Product (Acknowledgement: Y. Hashimoto et al., NEC)
  Statically detects typical run-time errors for C from source code
  Currently in practical in-house use for commercial product software
  No test programs, no test data: only the source code to be verified
  Typical run-time errors detected: invalid pointer dereferencing; array bounds violation; string operation errors; memory management errors
  Output: listing of results, showing a trace for each result, working with the editor
  [Figure: VARVEL pipeline: source code -> program analysis (control flow graph; static analysis techniques similar to those used in compilers; assumption / approximation) -> (bounded) model checking (logical equations expressing the finite state space; exhaustive search) -> post processing -> counterexamples: (execution) path causing the error]
46 Varvel: In-house Verification Service (Acknowledgement: Y. Hashimoto et al., NEC)
  Varvel is used to provide an in-house source code verification service
  Service provided by SW developers, not verification experts
  Verified source code of several commercial SW projects: about 3.7 MLOC total in ~10 projects (up to 1.2 MLOC in one project)
  The verified source code had already been tested
  Found many bugs, subsequently confirmed by developers
47 Lessons Learned
  Accuracy of program modeling AND efficiency of analysis are crucial
    Conflicting requirements in general, but don't give up too early
    Harder to regain global precision (e.g. pointer aliasing info) from local refinements
  Advancements in symbolic constraint solvers (SAT, SMT) offer hope
    Sophisticated search heuristics and learning are useful for finding concrete traces (for bugs, for test inputs)
    More scalable than methods that store (concrete) states
    Model-specific constraints provide additional performance benefits
  Stage the analyses (cheaper methods first) in a cooperative framework
    Difficult to handle MLOC, 1000s of properties: no silver bullet
    Stage the analyses to reduce the model and the number of properties, and to improve precision
    Pay attention to proofs (provide useful abstractions/interpolants)
  [Figure: STAGED ANALYSES: static program analysis engines (intervals, octagons, symbolic ranges, polyhedra) -> fewer properties, model simplification, more precise analysis -> model checking engines (SAT/SMT-based BMC, BDD+Omega)]
More informationFunctor abstract domain by example
A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Scalability Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco Logozzo, MSR Precision // here:
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationAbstract Semantic Differencing for Numerical Programs
Abstract Semantic Differencing for Numerical Programs Nimrod Partush Eran Yahav Technion, Israel Semantic differencing Characterize semantic difference between similar programs 2 Motivating example 1.
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationWhy does ASTRÉE scale up?
Form Methods Syst Des (2009) 35: 229 264 DOI 10.1007/s10703-009-0089-6 Why does ASTRÉE scale up? Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné Xavier Rival Published online:
More informationStatic Analysis Basics II
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics
More informationSLR: Path-Sensitive Analysis through Infeasible-Path Detection and Syntactic Language Refinement.
SLR: Path-Sensitive Analysis through Infeasible-Path Detection and Syntactic Language Refinement. Gogul Balakrishnan 1, Sriram Sankaranarayanan 1, Franjo Ivančić 1, Ou Wei 2, and Aarti Gupta 1 1 NEC Laboratories
More informationThe Spin Model Checker : Part I/II
The Spin Model Checker : Part I/II Moonzoo Kim CS Dept. KAIST Korea Advanced Institute of Science and Technology Motivation: Tragic Accidents Caused by SW Bugs 2 Cost of Software Errors June 2002 Software
More informationAnalyzing Tabular Requirements Specifications Using Infinite State Model Checking
Analyzing Tabular Requirements Specifications Using Infinite State Model Checking Tevfik Bultan 1 Univ. of California, Santa Barbara Constance Heitmeyer 2 Naval Research Laboratory Abstract This paper
More informationµz An Efficient Engine for Fixed Points with Constraints
µz An Efficient Engine for Fixed Points with Constraints Kryštof Hoder, Nikolaj Bjørner, and Leonardo de Moura Manchester University and Microsoft Research Abstract. The µz tool is a scalable, efficient
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationVerification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80
1 / 80 Verification Miaoqing Huang University of Arkansas Outline 1 Verification Overview 2 Testing Theory and Principles Theoretical Foundations of Testing Empirical Testing Principles 3 Testing in Practice
More informationRelational Abstract Domains for the Detection of Floating-Point Run-Time Errors
ESOP 2004 Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors Antoine Miné École Normale Supérieure Paris FRANCE This work was partially supported by the ASTRÉE RNTL project
More informationResearch on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao
6th International Conference on Information Engineering for Mechanics and Materials (ICIMM 2016) Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa,
More informationHySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12
CP2007: Presentation of recent CP solvers HySAT what you can use it for how it works example from application domain final remarks Christian Herde 25.09.2007 /2 What you can use it for Satisfiability checker
More informationResearch Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
More informationCSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 Practical Applications of SAT courses.cs.washington.edu/courses/cse507/18sp/ Emina Torlak emina@cs.washington.edu Today Past 2 lectures The theory and mechanics
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationSmall Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis
Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis Isil Dillig, Thomas Dillig, Alex Aiken Stanford University Scalability and Formula Size Many program analysis
More informationSlicing and Scope-Bounded Verification with Polymorphic Region and Effect Inference
Slicing and Scope-Bounded Verification with Polymorphic Region and Effect Inference Mikhail Mandrykin ISP RAS ISP RAS, September 26th, 2018 ISP RAS, September 26th, 2018 1 / 26 Contents 1 Motivation 2
More informationEvolving Frama-C Value Analysis
Evolving Frama-C Value Analysis Evolving Frama-C Value Analysis Frama-C Day 2016 Boris Yakobowski, CEA Tech List Frama-C Value Analysis: a Brief Recap Frama-C Value Analysis: a Brief Recap The Value Analysis
More informationQualifying Exam in Programming Languages and Compilers
Qualifying Exam in Programming Languages and Compilers University of Wisconsin Fall 1991 Instructions This exam contains nine questions, divided into two parts. All students taking the exam should answer
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationLogic-Flow Analysis of Higher-Order Programs
Logic-Flow Analysis of Higher-Order Programs Matt Might http://matt.might.net/ POPL 2007 Why? Tim Sweeney, POPL 2006 Static array-bounds checking. Example... a[i]... Will 0 i < a.length always hold? 3
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationInterprocStack analyzer for recursive programs with finite-type and numerical variables
InterprocStack analyzer for recursive programs with finite-type and numerical variables Bertrand Jeannet Contents 1 Invoking InterprocStack 1 2 The Simple language 2 2.1 Syntax and informal semantics.........................
More informationBinary Decision Diagrams and Symbolic Model Checking
Binary Decision Diagrams and Symbolic Model Checking Randy Bryant Ed Clarke Ken McMillan Allen Emerson CMU CMU Cadence U Texas http://www.cs.cmu.edu/~bryant Binary Decision Diagrams Restricted Form of
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationTopic 12: Register Allocation
Topic 12: Register Allocation COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Structure of backend Register allocation assigns machine registers (finite supply!) to virtual
More informationJPF SE: A Symbolic Execution Extension to Java PathFinder
JPF SE: A Symbolic Execution Extension to Java PathFinder Saswat Anand 1,CorinaS.Păsăreanu 2, and Willem Visser 2 1 College of Computing, Georgia Institute of Technology saswat@cc.gatech.edu 2 QSS and
More informationThe Reachability-Bound Problem
The Reachability-Bound Problem Sumit Gulwani Microsoft Research sumitg@microsoft.com Florian Zuleger TU Darmstadt zuleger@forstye.cs.tu-darmstadt.de Abstract We define the reachability-bound problem to
More informationLeveraging Data Invariants in Model Inference for Test Case Generation
Leveraging Data Invariants in Model Inference for Test Case Generation Roykrong Sukkerd Abstract Testing is an effective mean to find bugs in systems, but manually writing test cases is often tedious.
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More information