Static Program Analysis

Similar documents
Having a BLAST with SLAM

Software Model Checking. Xiangyu Zhang

Having a BLAST with SLAM

Counterexample Guided Abstraction Refinement in Blast

Semantics and Verification of Software

CS 510/13. Predicate Abstraction

Having a BLAST with SLAM

Having a BLAST with SLAM

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Static Program Analysis

On Reasoning about Finite Sets in Software Checking

Software Model Checking. From Programs to Kripke Structures

Configurable Software Model Checking

Predicate Abstraction Daniel Kroening 1

F-Soft: Software Verification Platform

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Interpolation-based Software Verification with Wolverine

Proof Pearl: The Termination Analysis of Terminator

Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

An Eclipse Plug-in for Model Checking

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

More on Verification and Model Checking

Predicate Abstraction with Adjustable-Block Encoding

Counter-Example Guided Program Verification

Compiler Construction

Lectures 20, 21: Axiomatic Semantics

Static Program Analysis

Compiler Construction

BDD-Based Software Model Checking with CPAchecker

Compiler Construction

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

TRACER: A Symbolic Execution Tool for Verification

A CRASH COURSE IN SEMANTICS

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

DIPARTIMENTO DI INGEGNERIA E SCIENZA DELL INFORMAZIONE Povo Trento (Italy), Via Sommarive 14

Software Model Checking via Large-Block Encoding

Proc. ISoLA 2018, c Springer

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

An Annotated Language

Computer aided verification

BDD-based software verification

Static Program Analysis

Chapter 3 (part 3) Describing Syntax and Semantics

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Lazy Shape Analysis. Dirk Beyer, Thomas A. Henzinger, and Grégory Théoduloz. EPFL, Switzerland

A Survey of Automated Techniques for Formal Software Verification

Proofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

BDD-Based Software Verification

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Lecture 5 - Axiomatic semantics

Abstract Counterexample-based Refinement for Powerset Domains

Scalable Program Verification by Lazy Abstraction

Induction and Semantics in Dafny

Hoare Logic and Model Checking

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Abstraction Refinement for Quantified Array Assertions

Semantics with Applications 3. More on Operational Semantics

Formal Methods. CITS5501 Software Testing and Quality Assurance

6. Hoare Logic and Weakest Preconditions

Compiler Construction

Explaining Inconsistent Code. Muhammad Numair Mansur

PANDA: Simultaneous Predicate Abstraction and Concrete Execution

Hoare triples. Floyd-Hoare Logic, Separation Logic

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*

Model Checking with Abstract State Matching

Compiler Construction

Hoare Logic: Proving Programs Correct

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Introduction to Axiomatic Semantics

Compiler Construction

Program verification. Generalities about software Verification Model Checking. September 20, 2016

Compiler Construction

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Grad PL vs. The World

Compiler Construction

Inductive Invariant Generation via Abductive Inference

SYNERGY : A New Algorithm for Property Checking

The software model checker BLAST

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Over-Approximating Boolean Programs with Unbounded Thread Creation

Model Checking Embedded C Software using k-induction and Invariants

Model Checking: Back and Forth Between Hardware and Software

Symbolic Trajectory Evaluation - A Survey

Regression Verification - a practical way to verify programs

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

Programming Languages Third Edition

Software Model Checking with Abstraction Refinement

KRATOS A Software Model Checker for SystemC

Reasoning about modules: data refinement and simulation

Counterexamples with Loops for Predicate Abstraction

FAKULTÄT FÜR INFORMATIK

Transcription:

Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/

Schedule of Lectures Jan 17/19: Interprocedural DFA Jan 24/26: [no lectures/exercise classes] Jan 31/Feb 2: Pointer/shape analysis Feb 7: [no lecture] Feb 9: Exam preparation 2 of 19 Static Program Analysis

Seminar Verification and Static Analysis of Software (SS 2017) Topics Pointer and shape analysis Advanced model checking techniques Analysis of probabilistic programs... More information https://moves.rwth-aachen.de/teaching/ss-17/vsas/ https://xkcd.com/376 Registration between January 13 and 29 via https://www.graphics.rwth-aachen.de/apse/ 3 of 19 Static Program Analysis

Recap: Counterexample-Guided Abstraction Refinement (CEGAR) Reminder: CEGAR Verification successful yes Start with (coarse) initial abstraction A Property ϕ satisfied in A? no Remove counterexample by refining A Find run violating ϕ Problems: How to decide realness of counterexample? How to extract new predicates from spurious counterexample? spurious Analyze counterexample real Error found 5 of 19 Static Program Analysis

Recap: Counterexample-Guided Abstraction Refinement (CEGAR) Abstract Semantics for Predicate Abstraction Definition (Execution relation for predicate abstraction) If c Cmd and Q Abs(P), then c, Q is called an abstract configuration. The execution relation for predicate abstraction is defined by the following rules: (skip) (asgn) skip, Q, Q x := a, Q, {Q σ[x valσ (a)] σ = Q} c 1, Q c 1, Q c 1 c 1, Q, Q (seq1) (wh1) c 1 ;c 2, Q c 1;c 2, Q (if1) (if2) (seq2) c 1 ;c 2, Q c 2, Q if b then c 1 else c 2 end, Q c 1, Q b if b then c 1 else c 2 end, Q c 2, Q b while b do c end, Q c;while b do c end, Q b (wh2) while b do c end, Q, Q b 6 of 19 Static Program Analysis

Recap: Counterexample-Guided Abstraction Refinement (CEGAR) Properties of Interest A certain program location is not reachable (dead code) Division by zero is excluded The value of x never becomes negative After program termination, the value of y is even All representable as (non-)reachability of bad locations Counterexample = path to bad locations Definition (Counterexample) A counterexample is a sequence of k 1 abstract transitions of the form where c 0,..., c k Cmd (or c k = ) Q 1,..., Q k Abs(P) with Q k false c 0, true c 1, Q 1... c k, Q k It is called real if there exist concrete states σ 0,..., σ k Σ such that i {1,..., k} : σ i = Q i and c i 1, σ i 1 c i, σ i Otherwise it is called spurious. 7 of 19 Static Program Analysis

Recap: Counterexample-Guided Abstraction Refinement (CEGAR) Elimination of Spurious Counterexamples Lemma If c 0, true c 1, Q 1... c k, Q k is a spurious counterexample, there exist Boolean expressions b 0,..., b k with b 0 true, b k false, and i {1,..., k}, σ, σ Σ : σ = b i 1 c i 1, σ c i, σ = σ = b i Proof (idea). Inductive definition of b i as strongest postconditions: 1. b 0 := true 2. for i = 1,..., k: definition of b i depending on b i 1 and on (axiom) transition rule applied in c i 1,. c i,. : (skip) b i := b i 1 (if1) b i := b i 1 b (asgn) b i := x.(b i 1 [x x ] x = a[x x ]) (if2) b i := b i 1 b (for x := a; x = previous value of x) (wh1) b i := b i 1 b (wh2) b i := b i 1 b (yields b k false; by induction on k) 8 of 19 Static Program Analysis

Recap: Counterexample-Guided Abstraction Refinement (CEGAR) Abstraction Refinement Using b 1,..., b k 1 as computed before, let P := P {p 1,..., p n } where p 1,..., p n are the atomic conjuncts occurring in b 1,..., b k 1 Refine Abs(P) to Abs(P ) Lemma After refinement, the spurious counterexample with Q k false does not exist anymore. c 0, true c 1, Q 1... c k, Q k Proof. omitted 9 of 19 Static Program Analysis

Where CEGAR Fails Where CEGAR Fails Example 17.1 c := [x := a] 0 ; [y := b] 1 ; while [ (x = 0)] 2 do [x := x - 1] 3 ; [y := y - 1] 4 end; if [a = b (y = 0)] 5 then [skip] 6 else [skip] 7 end Interesting property: label 6 unreachable Initial abstraction: P = ( = Abs(P) = {true, false}) Abstraction refinement: on the board Observation: iteration yields predicates of the form for all k N x = a-k and y = b-k Actually required: loop invariant a = b = x = y but predicate x = y not generated in CEGAR loop 11 of 19 Static Program Analysis

Craig Interpolation Craig Interpolation Problem: predicates often unnecessarily complex and involving irrelevant variables Idea: consider only variables that are relevant for previous and future part of execution Definition 17.2 (Craig interpolant) William Craig (1918 2016) Let b 1, b 2 BExp where b 1 = b 2. A Craig interpolant of b 1 and b 2 is a formula b 3 BExp with b 1 = b 3, b 3 = b 2, and Var b3 Var b1 Var b2. 13 of 19 Static Program Analysis

Craig Interpolation Using Craig Interpolants I 1. Begin with spurious counterexample c 0, true c 1, Q 1... c k, Q k (according to Definition 16.1) 2. Construct strongest postconditions s 0,..., s k with s 0 true, s k false (according to Lemma 16.2) 3. Analogously it is possible to construct weakest preconditions w 0,..., w k with w 0 true, w k false starting from w k i. w k := false ii. for i = 0,..., k 1: definition of w i depending on w i+1 and on (axiom) transition rule applied in c i,. c i+1,. : (skip) w i := w i+1 (asgn) w i := w i+1 [x a] (if1) w i := (w i+1 b) b w i+1 b (if2) w i := w i+1 b (wh1) w i := w i+1 b (wh2) w i := w i+1 b 4. Possible to show: s i = w i for each i {0,..., k} 5. For each i {0,..., k}, choose Craig interpolant b i of s i and w i 6. Refine abstraction by atomic conjuncts occurring in b 1,..., b k 1 Remark: Craig interpolants always exist for first-order formulae (but are not necessarily unique) 14 of 19 Static Program Analysis

Craig Interpolation Using Craig Interpolants II Example 17.3 (cf. Example 16.3) Let c 0 := [x := z] 0 ;[z := z + 1] 1 ;[y := z] 2 ; if [x = y] 3 then [skip] 4 else [skip] 5 end 1. Spurious counterexample: 0, true 1, true 2, true 3, true 4, true 2. Strongest postconditions (cf. Example 16.3): s 0 = true s 1 = (x = z) s 2 = (x + 1 = z) s 3 = (x + 1 = z y = z) s 4 = false 3. Weakest preconditions w i : on the board 4. Craig interpolants b i : on the board 15 of 19 Static Program Analysis

CEGAR in Practice SLAM Tool was: Software, Languages, Analysis, and Modeling SLAM originally was an acronym but we found it too cumbersome to explain. We now prefer to think of slamming the bugs in a program. (T. Ball,, B. Cook, V. LevinS.K. Rajamani, Sriram K.: SLAM and Static Driver Verifier: Technology Transfer of Formal Methods inside Microsoft, IFM 2004) First implementation of CEGAR for C programs Checks behavioural requirements of software interfaces e.g., a thread may not acquire a lock it has already acquired, or release a lock it does not hold Supports recursive procedures, pointers, and memory allocation Sub-tools: C2bp: C program Predicates Boolean program (Boolean variables = predicates) BEPOP: symbolic (BDD-based) model checker for (recursive) Boolean programs newton: abstraction refinement Developed into commercial product (Static Driver Verifier SDV; part of Windows Driver Foundation development kit) T. Ball, V. Levin, S.K. Rajamani: A Decade of Software Model Checking with SLAM. Comm. ACM 54(7), 2011, 68 76 WWW: http://research.microsoft.com/en-us/projects/slam/ 17 of 19 Static Program Analysis

CEGAR in Practice CPAchecker Tool CPA: Configurable Program Analysis Java re-implementation of Berkeley Lazy Abstraction Software Verification Tool (BLAST) Software model checker for C programs Uses CEGAR with Craig interpolation and lazy abstraction abstraction is constructed on-the-fly model locally refined on demand enables use of different predicates at different program points abstract reachability tree Sucessfully applied to C programs with > 130, 000 LOC D. Beyer, M.E. Keremoglu: CPAchecker: A Tool for Configurable Software Verification. Proc. CAV, 2011, 184 190 WWW: http://cpachecker.sosy-lab.org/ 18 of 19 Static Program Analysis

CEGAR in Practice Practical Experiences (cf. V. D Silva, D. Kroening, G. Weissenbacher: A Survey of Automated Techniques for Formal Software Verification, IEEE Trans. on CAD of Integrated Circuits and Systems 27(7), 2008, 1165 1178) Predicate abstraction & CEGAR suitable for checking control-flow-related safety properties predicates good for representation of control flow safety ( Nothing bad is going to happen. ) goes well with over-approximation liveness ( Eventually something good will happen. ) requires under-approximation Does not work well with complex heap-based data structures or arrays ( Pointer/Shape Analysis) (Real) counterexamples often more useful than correctness proof Abstraction refinement cycle may not terminate Main application field: safety properties of device drivers and systems code up to 50 klocs 19 of 19 Static Program Analysis

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback