CS 510/13. Predicate Abstraction
|
|
- Eugene Norton
- 6 years ago
- Views:
Transcription
1 CS 50/3 Predicate Abstraction
2 Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft
3 Example for Predicate Abstraction int main() { int i; i=0; while(even(i)) i++; + p i=0 = p 2 even(i) void main() { bool p, p2; p=true; p2=true; while(p2) { p=p?false:nondet(); p2=!p2; C program Predicates Boolean program [Graf, Saidi 97] [Ball, Rajamani 0]
4 Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an overapproximation How to refine coarse abstractions
5 Counterexample Guided Abstraction Refinement loop C Program Initial Abstraction Abstraction refinement Abstract model Refinement Verification Model Checker Simulator No error or bug found Property holds Simulation sucessful Bug found Spurious counterexample
6 Example Example ( ) { : do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock
7 What a program really is pc lock old new q State a 3 a a 5 a 5 a 0x33a Transition 3: 3: unlock(); new++; 4: Example Example ( ) { : : do{ do{ lock(); lock(); old old = new; new; q = q->next; 2: 2: if if (q (q!=!= NULL){ NULL){ 3: 3: q->data q->data = new; new; unlock(); new new ++; ++; 4: 4: while(new!=!= old); old); 5: 5: unlock unlock (); (); return; pc lock old new q a 4 a a 5 a 6 a 0x33a
8 The Safety Verification Problem Error Initial Safe Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula
9 Idea : Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite
10 Abstract States and Transitions State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a lock old=new! lock! old=new
11 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a Existential Approximation lock old=new! lock! old=new
12 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x33a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x33a lock old=new! lock! old=new
13 Analyze Abstraction Analyze finite graph Over Approximate: Safe => System Safe Problem Spurious counterexamples
14 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!
15 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Build refined abstraction
16 Iterative Abstraction-Refinement [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 0] Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe
17 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); ();! LOCK Predicates: LOCK
18 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); lock() old = new q=q->next 2! LOCK LOCK 2 Predicates: LOCK
19 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); [q!=null] 3 2 LOCK! LOCK LOCK 2 3 Predicates: LOCK
20 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); q->data = new unlock() new LOCK! LOCK! LOCK LOCK Predicates: LOCK
21 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 5 [new==old] LOCK! LOCK! LOCK! LOCK LOCK Predicates: LOCK
22 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 5 4 unlock() LOCK! LOCK! LOCK! LOCK! LOCK LOCK 2 3 Predicates: LOCK
23 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK! LOCK! LOCK! LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] unlock() 4! LOCK 2 3 Predicates: LOCK
24 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK : LOCK : LOCK : LOCK : LOCK LOCK old = new new++ [new==old] Inconsistent new == old Predicates: LOCK
25 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); : LOCK Predicates: LOCK, new==old
26 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2! LOCK lock() old = new q=q->next 2 Predicates: LOCK, new==old
27 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); ();! LOCK LOCK, new==old 2 LOCK, new==old 3 q->data = new unlock()! LOCK,! new = old 4 new Predicates: LOCK, new==old
28 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 [new==old]! LOCK Predicates: LOCK, new==old
29 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 [new!=old]! LOCK 2 4 3! LOCK,! new == old Predicates: LOCK, new==old
30 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old! LOCK,! new = old 3 4! LOCK,! new == old 2 4 5! LOCK! LOCK, new==old LOCK, new=old SAFE Predicates: LOCK, new==old
31 Another Example : x = ctr; 2: y = ctr + ; 3: if (x = i-){ 4: if (y!= i){ ERROR: Abstract : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: C program No predicates available currently
32 Checking the abstract model Is ERROR reachable? : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: yes Abstract model has a path leading to error state
33 Does this Simulation correspond to a real bug? : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) Check using a Not SAT solver possible Concrete trace
34 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: Spurious Counterexample Initial abstraction
35 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (*){ 4: if (b0){ ERROR: boolean b0 : y!= i
36 Refinement : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: skip; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-
37 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P]
38 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP Assign x=e P[e/x] P OP new+ = old new = old new = new+ [WP(P, OP)] [P]
39 Refinement boolean b2 : ctr +! = i Weakest precondition of y!= i : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : skip; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-
40 Refinement boolean b2 : ctr +! = i boolean b3: ctr == i - : x = ctr; 2: y = ctr + ; 3: assume(x == i-) 4: assume (y!= i) : b = b3; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-
41 Refinement What about initial values of b2 and b3? b2 and b3 are mutually exclusive. b2 =, b3 = 0 b2 =0, b3 = So system is safe! boolean b2 : ctr +! = i boolean b3: ctr == i - : b = b3; 2: b0 = b2; 3: if (b){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b : x== i-
42 Tools for Predicate Abstraction of C SLAM at Microsoft Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS BLAST at Berkeley Lazy abstraction, interpolation SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs Localization, register sharing
Software Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationSoftware Model Checking with Abstraction Refinement
Software Model Checking with Abstraction Refinement Computer Science and Artificial Intelligence Laboratory MIT Armando Solar-Lezama With slides from Thomas Henzinger, Ranjit Jhala and Rupak Majumdar.
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationHaving a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
More informationScalable Program Verification by Lazy Abstraction
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley ars, July, 997 Lost contact due to real-time priority inversion bug ars, December, 999 Crashed due to uninitialized variable
More informationPredicate Abstraction Daniel Kroening 1
Predicate Abstraction 20.1.2005 Daniel Kroening 1 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationDouble Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST
Model Checking #1 Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationUfo: A Framework for Abstraction- and Interpolation-Based Software Verification
Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationVerifying Multithreaded Software with Impact
Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers,
More informationInterpolation-based Software Verification with Wolverine
Interpolation-based Software Verification with Wolverine Daniel Kroening 1 and Georg Weissenbacher 2 1 Computer Science Department, Oxford University 2 Department of Electrical Engineering, Princeton University
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationPredicate Abstraction of ANSI C Programs using SAT Λ
Predicate Abstraction of ANSI C Programs using SAT Λ Edmund Clarke and Daniel Kroening and Natalia Sharygina and Karen Yorav School of Computer Science Carnegie Mellon University, Pittsburgh, PA, USA Software
More informationUsing Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction
Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction Thanyapat Sakunkonchak, Satoshi Komatsu, and Masahiro Fujita VLSI Design and Education Center, The University
More informationThe ComFoRT Reasoning Framework
Pittsburgh, PA 15213-3890 The ComFoRT Reasoning Framework Sagar Chaki James Ivers Natasha Sharygina Kurt Wallnau Predictable Assembly from Certifiable Components Enable the development of software systems
More informationModel Checking: Back and Forth Between Hardware and Software
Model Checking: Back and Forth Between Hardware and Software Edmund Clarke 1, Anubhav Gupta 1, Himanshu Jain 1, and Helmut Veith 2 1 School of Computer Science, Carnegie Mellon University {emc, anubhav,
More informationTRACER: A Symbolic Execution Tool for Verification
TRACER: A Symbolic Execution Tool for Verification Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa 3 National University of Singapore The University of Melbourne 3 University
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationProofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur
1 Proofs from Tests Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur Abstract We present an algorithm DASH to check if a program P satisfies a safety
More informationA Survey of Automated Techniques for Formal Software Verification
TRANSACTIONS ON CAD 1 A Survey of Automated Techniques for Formal Software Verification Vijay D Silva Daniel Kroening Georg Weissenbacher Abstract The quality and the correctness of software is often the
More informationModel Checking with Abstract State Matching
Model Checking with Abstract State Matching Corina Păsăreanu QSS, NASA Ames Research Center Joint work with Saswat Anand (Georgia Institute of Technology) Radek Pelánek (Masaryk University) Willem Visser
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationAbstraction Refinement for Quantified Array Assertions
Abstraction Refinement for Quantified Array Assertions Mohamed Nassim Seghir 1,, Andreas Podelski 1, and Thomas Wies 1,2 1 University of Freiburg, Germany 2 EPFL, Switzerland Abstract. We present an abstraction
More informationScalable Program Analysis Using Boolean Satisfiability: The Saturn Project
Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project Alex Aiken Stanford University Saturn 1 The Idea Verify properties of large systems! Doesn t {SLAM, BLAST, CQual, ESP} already
More informationProofs from Tests. Sriram K. Rajamani. Nels E. Beckman. Aditya V. Nori. Robert J. Simmons.
Proofs from Tests Nels E. Beckman Carnegie Mellon University nbeckman@cs.cmu.edu Aditya V. Nori Microsoft Research India adityan@microsoft.com Robert J. Simmons Carnegie Mellon University rjsimmon@cs.cmu.edu
More informationPredicate Abstraction of ANSI C Programs using SAT
Predicate Abstraction of ANSI C Programs using SAT Edmund Clarke Daniel Kroening Natasha Sharygina Karen Yorav September 23, 2003 CMU-CS-03-186 School of Computer Science Carnegie Mellon University Pittsburgh,
More informationSTATIC PROGRAM TRANSFORMATIONS FOR EFFICIENT SOFTWARE MODEL CHECKING
STATIC PROGRAM TRANSFORMATIONS FOR EFFICIENT SOFTWARE MODEL CHECKING Shobha Vasudevan Computer Engineering Research Center The University of Texas at Austin Austin, Texas, U.S.A. shobha@cerc.utexas.edu
More informationFormal Verification at Higher Levels of Abstraction
Formal Verification at Higher Levels of Abstraction Daniel Kroening Oxford University Computing Laboratory kroening@kroening.com Sanjit A. Seshia UC Berkeley sseshia@eecs.berkeley.edu Abstract Most formal
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More informationCounterexamples with Loops for Predicate Abstraction
Counterexamples with Loops for Predicate Abstraction Daniel Kroening and Georg Weissenbacher Computer Systems Institute, ETH Zurich, 8092 Zurich, Switzerland {daniel.kroening, georg.weissenbacher}@inf.ethz.ch
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationPredicate Abstraction of ANSI C Programs using SAT
Predicate Abstraction of ANSI C Programs using SAT Edmund Clarke Daniel Kroening Natasha Sharygina Karen Yorav September 23, 2003 CMU-CS-03-186 School of Computer Science Carnegie Mellon University Pittsburgh,
More informationAutomated Debugging with Error Invariants
Automated Debugging with Error Invariants Thomas Wies New York University joint work with Jürgen Christ, Evren Ermis (Freiburg University), Martin Schäf (SRI), Daniel Schwartz-Narbonne (NYU) Faulty Shell
More informationThe software model checker BLAST
Int J Softw Tools Technol Transfer (2007) 9:505 525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE 04/ 05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A.
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationTopic: Software Model Checking via Counter-Example Guided Abstraction Refinement. Having a BLAST with SLAM. Combining Strengths. SLAM Overview SLAM
Hving BLAST with SLAM Topic: Softwre Model Checking vi Counter-Exmple Guided Abstrction Refinement There re esily two dozen SLAM/BLAST/MAGIC ppers; I will skim. # # Theorem Proving Combining Strengths
More informationEdmund Clarke Computer Science Dept., Carnegie Mellon University Pittsburgh, PA, USA
Checking Consistency of C and Verilog using Predicate Abstraction and Induction Daniel Kroening Computer Systems Institute, ETH Zürich Zürich, Switzerland daniel.kroening@inf.ethz.ch Edmund Clarke Computer
More informationAbstraction techniques for Floating-Point Arithmetic
Abstraction techniques for Floating-Point Arithmetic Angelo Brillout 1, Daniel Kroening 2 and Thomas Wahl 2 1 ETH Zurich, 2 Oxford University ETH Zürich Floating-Point Arithmetic (FPA) Used for embedded
More informationModel Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
More informationCounterexample Guided Abstraction Refinement via Program Execution
Counterexample Guided Abstraction Refinement via Program Execution Daniel Kroening, Alex Groce and Edmund Clarke 1 Department of Computer Science Carnegie Mellon University Pittsburgh, PA, 15213 Abstract.
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationSliced Path Prefixes: An Effective Method to Enable Refinement Selection
FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems We want Refinement Selection!!! Because straight-forward
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationOver-Approximating Boolean Programs with Unbounded Thread Creation
Over-Approximating Boolean Programs with Unbounded Thread Creation Byron Cook Microsoft Research Cambridge Email: bycook@microsoft.com Daniel Kroening Computer Systems Institute ETH Zurich Email: daniel.kroening@inf.ethz.ch
More informationSciduction: Combining Induction, Deduction and Structure for Verification and Synthesis
Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis (abridged version of DAC slides) Sanjit A. Seshia Associate Professor EECS Department UC Berkeley Design Automation
More informationTutorial on Model Checking Modelling and Verification in Computer Science
Tutorial on Model Checking Modelling and Verification in Computer Science Armin Biere Institute for Formal Models and Verification Johannes Kepler University, Linz, Austria Abstract. This paper serves
More informationUsing Counterexamples for Improving the Precision of Reachability Computation with Polyhedra
Using Counterexamples for Improving the Precision of Reachability Computation with Polyhedra Chao Wang 1, Zijiang Yang 2, Aarti Gupta 1, and Franjo Ivančić 1 1 NEC Laboratories America, Princeton, NJ 08540,
More informationPredicate Abstraction with Adjustable-Block Encoding
Predicate Abstraction with Adjustable-Block Encoding Dirk Beyer Simon Fraser University / University of Passau M. Erkan Keremoglu Simon Fraser University, B.C., Canada Philipp Wendler University of Passau,
More informationPredicate Abstraction and Refinement Techniques for Verifying Verilog
Predicate Abstraction and Refinement Techniques for Verifying Verilog Edmund Clarke Himanshu Jain Daniel Kroening June 25, 2004 CMU-CS-04-139 School of Computer Science Carnegie Mellon University Pittsburgh,
More informationInductive Invariant Generation via Abductive Inference
Inductive Invariant Generation via Abductive Inference Isil Dillig Department of Computer Science College of William & Mary idillig@cs.wm.edu Thomas Dillig Department of Computer Science College of William
More informationNOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or
NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 7, U.S. Code) governs the making of photocopies or other reproductions of copyrighted material. Any copying
More informationOutline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions
Outline Introduction SDV Motivation Model vs Real Implementation SIC SDVRP SAM-2 Comparisons Conclusions SDV Research Platform Academic release of SDV (Static Driver Verifier), based on the code that ships
More informationSoftware Model Checking with SLAM
Software Model Checking with SLAM Thomas Ball Software Reliability Research MSR Redmond Sriram K. Rajamani Reliable Software Engineering MSR Bangalore http://research.microsoft.com/slam/ People behind
More informationChecking Memory Safety with Blast
Checking Memory Safety with Blast Dirk Beyer 1 Thomas A. Henzinger 12 Ranjit Jhala 3 Rupak Majumdar 4 1 EPFL, Switzerland 2 University of California, Berkeley 3 University of California, San Diego 4 University
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationChecking Consistency of C and Verilog using Predicate Abstraction and Induction
Checking Consistency of C and Verilog using Predicate Abstraction and Induction Edmund Clarke Daniel Kroening June 25, 2004 CMU-CS-04-131 School of Computer Science Carnegie Mellon University Pittsburgh,
More informationLazy Abstraction with Interpolants
Lazy Abstraction with Interpolants Kenneth L. McMillan Cadence Berkeley Labs Abstract. We describe a model checker for infinite-state sequential programs, based on Craig interpolation and the lazy abstraction
More informationLecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University
Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University 1 Cost of Software Errors June 2002 Software bugs, or errors, are so prevalent and so detrimental that they
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationFormal Systems Tutorial Hybrid System Modeling, Program Analysis
Formal Systems Tutorial Hybrid System Modeling, Program Analysis Department of Computer Science & Engineering, Indian Institute of Technology, Kharagpur 1. There are three taps in the system, namely Tap-1
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationSYNERGY : A New Algorithm for Property Checking
SYNERGY : A New Algorithm for Property Checking Bhargav S. Gulavani Thomas A. Henzinger Yamini Kannan Aditya V. Nori Sriram K. Rajamani bhargav@cse.iitb.ernet.in tah@epfl.ch yaminik@microsoft.com adityan@microsoft.com
More informationPROGRAM ANALYSIS & SYNTHESIS
Lecture 02 Structural Operational Semantics (SOS) PROGRAM ANALYSIS & SYNTHESIS EranYahav 1 Previously static analysis over-approximation of program behavior abstract interpretation abstraction, transformers,
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationModel Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12
Model Checking mc Revision:.2 Model Checking for Infinite Systems mc 2 Revision:.2 check algorithmically temporal / sequential properties fixpoint algorithms with symbolic representations: systems are
More informationAbstractions from Proofs
Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala Rupak Majumdar EECS Department, University of California Berkeley, CA 94720-1770, U.S.A. {tah,jhala,rupak}@eecs.berkeley.edu Kenneth L. McMillan
More informationRegression Verification - a practical way to verify programs
Regression Verification - a practical way to verify programs Ofer Strichman Benny Godlin Technion, Haifa, Israel. Email: ofers@ie.technion.ac.il bgodlin@cs.technion.ac.il 1 Introduction When considering
More informationIntroduction to Axiomatic Semantics (1/2)
#1 Introduction to Axiomatic Semantics (1/2) How s The Homework Going? Remember: just do the counterexample guided abstraction refinement part of DPLL(T). If you notice any other errors, those are good
More informationProof Pearl: The Termination Analysis of Terminator
Proof Pearl: The Termination Analysis of Terminator Joe Hurd Computing Laboratory Oxford University joe.hurd@comlab.ox.ac.uk Abstract. Terminator is a static analysis tool developed by Microsoft Research
More informationIntroduction to CBMC: Part 1
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening Bug Catching with SAT Solvers Main
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationPredicate Abstraction and CEGAR for Higher Order Model Checking
Predicate Abstraction and CEGAR for Higher Order Model Checking Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno Tohoku University (Presented at PLDI2011) 1 Our Goal Software model checker for functional
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationFormal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints
Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk Agenda
More informationSymmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer Science Department, Oxford University, United
More informationEffectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky
Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv http://www.cs.tau.ac.il/~shachar/afwp.html
More informationApproximating Predicate Images for Bit-Vector Logic
Approximating Predicate Images for Bit-Vector Logic Daniel Kroening 1 and Natasha Sharygina 2 1 Computer Systems Institute, ETH Zürich 2 University of Lugano, Switzerland Abstract. Predicate abstraction
More informationRace Analysis for SystemC using Model Checking
Race Analysis for SystemC using Model Checking Nicolas Blanc ETH Zurich, Switzerland nicolas.blanc@inf.ethz.ch Daniel Kroening Oxford University, Computing Laboratory, UK Daniel.Kroening@comlab.ox.ac.uk
More informationAlternation for Termination
Alternation for Termination William R. Harris 1, Akash Lal 2, Aditya V. Nori 2, and Sriram K. Rajamani 2 1 University of Wisconsin; Madison, WI, USA 2 Microsoft Research India; Bangalore, India Abstract.
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationAbstraction Learning
Abstraction Learning Joxan Jaffar National University of Singapore joxan@comp.nus.edu.sg Jorge Navas National University of Singapore navas@comp.nus.edu.sg Andrew E. Santosa National University of Singapore
More informationGenerating Small Countermodels. Andrew Reynolds Intel August 30, 2012
Generating Small Countermodels using SMT Andrew Reynolds Intel August 30, 2012 Acknowledgements Intel Corporation AmitGoel, Sava Krstic University of Iowa Cesare Tinelli, Francois Bobot New York University
More informationFormal Methods. CITS5501 Software Testing and Quality Assurance
Formal Methods CITS5501 Software Testing and Quality Assurance Pressman, R. Software Engineering: A Practitioner s Approach. Chapter 28. McGraw-Hill, 2005 The Science of Programming, David Gries, 1981
More informationProgram Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani
Program Verification using Templates over Predicate Abstraction Saurabh Srivastava and Sumit Gulwani ArrayInit(Array A, int n) i := 0; while (i < n) A[i] := 0; i := i + 1; Assert( j: 0 j
More informationPredicate Refinement Heuristics in Program Verification with CEGAR
Predicate Refinement Heuristics in Program Verification with CEGAR Tachio Terauchi (JAIST) Part of this is joint work with Hiroshi Unno (U. Tsukuba) 1 Predicate Abstraction with CEGAR Iteratively generate
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationNon-blocking Array-based Algorithms for Stacks and Queues!
Non-blocking Array-based Algorithms for Stacks and Queues! Niloufar Shafiei! Department of Computer Science and Engineering York University ICDCN 09 Outline! Introduction! Stack algorithm! Queue algorithm!
More information