ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

Similar documents
SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

SMT-Based Bounded Model Checking of C++ Programs

: A Bounded Model Checking Tool to Verify Qt Applications

Model Checking Embedded C Software using k-induction and Invariants

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Verifying C & C++ with ESBMC

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Handling Loops in Bounded Model Checking of C Programs via k-induction

Software Model Checking. Xiangyu Zhang

Cpt S 122 Data Structures. Course Review Midterm Exam # 2

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

C++ TEMPLATES. Templates are the foundation of generic programming, which involves writing code in a way that is independent of any particular type.

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Chapter 5: Procedural abstraction. Function procedures. Function procedures. Proper procedures and function procedures

CS 240 Final Exam Review

Absolute C++ Walter Savitch

Problem Solving with C++

CSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Introduction to Programming Using Java (98-388)

VALLIAMMAI ENGINEERING COLLEGE

Purpose of Review. Review some basic C++ Familiarize us with Weiss s style Introduce specific constructs useful for implementing data structures

Chapter 16: Exceptions, Templates, and the Standard Template Library (STL)

F1 A Java program. Ch 1 in PPIJ. Introduction to the course. The computer and its workings The algorithm concept

Question Paper Code : 97044

Welcome to Teach Yourself Acknowledgments Fundamental C++ Programming p. 2 An Introduction to C++ p. 4 A Brief History of C++ p.

Design issues for objectoriented. languages. Objects-only "pure" language vs mixed. Are subclasses subtypes of the superclass?

Polymorphism. Programming in C++ A problem of reuse. Swapping arguments. Session 4 - Genericity, Containers. Code that works for many types.

Model Checking of C and C++ with DIVINE 4

The Low-Level Bounded Model Checker LLBMC

C Code Verification based on the Extended Labeled Transition System Model

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Short Notes of CS201

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

CS201 - Introduction to Programming Glossary By

Templates and Vectors

C++ Programming Basics III

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

5/23/2015. Core Java Syllabus. VikRam ShaRma

STL: C++ Standard Library

1. The term STL stands for?

Chapter 17: Linked Lists

Exceptions, Templates, and the STL

Static Program Analysis Part 1 the TIP language

Preface... (vii) CHAPTER 1 INTRODUCTION TO COMPUTERS

Unit 4 Basic Collections

Introduction to C++ Introduction to C++ Dr Alex Martin 2013 Slide 1

Objects Managing a Resource

CPSC 427: Object-Oriented Programming

Preface to the Second Edition Preface to the First Edition Brief Contents Introduction to C++ p. 1 A Review of Structures p.

I BCS-031 BACHELOR OF COMPUTER APPLICATIONS (BCA) (Revised) Term-End Examination. June, 2015 BCS-031 : PROGRAMMING IN C ++

Abstract Data Types 1

Template based set of collection classes STL collection types (container types)

Integration of SMT Solvers with ITPs There and Back Again

Sequence Containers. Cristian Cibils

Introduction to CBMC: Part 1

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

Study Guide to Exam 2

Type Checking. Chapter 6, Section 6.3, 6.5

Automatic Software Verification

First Name: AITI 2004: Exam 2 July 19, 2004

Abstract Data Types. CptS 223 Advanced Data Structures. Larry Holder School of Electrical Engineering and Computer Science Washington State University

Satisfiability Modulo Theories: ABsolver

CS 162, Lecture 25: Exam II Review. 30 May 2018

STL components. STL: C++ Standard Library Standard Template Library (STL) Main Ideas. Components. Encapsulates complex data structures and algorithms

! An exception is a condition that occurs at execution time and makes normal continuation of the program impossible.

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

use static size for this buffer

When we program, we have to deal with errors. Our most basic aim is correctness, but we must

Hyperkernel: Push-Button Verification of an OS Kernel

Sequential Containers. Ali Malik

CONTENTS. PART 1 Structured Programming 1. 1 Getting started 3. 2 Basic programming elements 17

Outline. Object Oriented Programming. Course goals. Staff. Course resources. Assignments. Course organization Introduction Java overview Autumn 2003

F-Soft: Software Verification Platform

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Borland 105, 278, 361, 1135 Bounded array Branch instruction 7 break statement 170 BTree 873 Building a project 117 Built in data types 126

CHAPTER 1 Introduction to Computers and Programming CHAPTER 2 Introduction to C++ ( Hexadecimal 0xF4 and Octal literals 031) cout Object

Formally Certified Satisfiability Solving

CSC Java Programming, Fall Java Data Types and Control Constructs

Computer Components. Software{ User Programs. Operating System. Hardware

04-24/26 Discussion Notes

Table : IEEE Single Format ± a a 2 a 3 :::a 8 b b 2 b 3 :::b 23 If exponent bitstring a :::a 8 is Then numerical value represented is ( ) 2 = (

Bounded Model Checking Of C Programs: CBMC Tool Overview

Program Correctness and Efficiency. Chapter 2

Java Language Features

First Name: AITI 2004: Exam 2 July 19, 2004

Abstract Interpretation

Syllabus for Bachelor of Technology. Computer Engineering. Subject Code: 01CE1303. B.Tech. Year - II

Introduction A Tiny Example Language Type Analysis Static Analysis 2009

Standard Library Reference

Object-Oriented Principles and Practice / C++

Data Structures and Algorithms Design Goals Implementation Goals Design Principles Design Techniques. Version 03.s 2-1

! Errors can be dealt with at place error occurs

Programming with Haiku

Outline. Variables Automatic type inference. Generic programming. Generic programming. Templates Template compilation

Introduction to Computers and C++ Programming p. 1 Computer Systems p. 2 Hardware p. 2 Software p. 7 High-Level Languages p. 8 Compilers p.

Transcription:

EBS 2013 SMT-Bounded Model hecking of Programs Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas ordeiro, Bernd Fischer

Bounded Model hecking (BM) Idea: check negation of given property up to given depth transition system ϕ 0 ϕ 1 ϕ 2 ϕ k-1 ϕ k... M 0 M 1 M 2 M k-1 M k counterexample trace property bound transition system M unrolled k times for programs: unroll loops, unfold arrays, translated into verification condition ψ such that ψ satisfiable iff ϕ has counterexample of max. depth k has been applied successfully to verify (sequential) software

BM of Programs there have been attempts to apply BM to the verification of programs but with limited success handle large programs and support complex features problem: BM of programs presents greater challenges than that of programs more complex features such as templates, containers, and exception handling (contains and handles error situations in embedded systems) main insights: optimized implementation of the standard library complicates the Vs unnecessarily abstract representation of the standard libraries to conservatively approximate their semantics

Objetive of this work Extend BM to support complex features of exploit background theories of Satisfability Modulo Theories (SMT) solvers provide suitable encodings for template exception handling containers arithmetic over- and underflow build and evaluate an SMT-based BM tool (ESBM) build on top of BM front-end use different SMT encodings as back-ends

ESBM Architecture (1) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck originally only ANSI- language was supported extend to support the verification of programs with: template (creation and instantiation) exception handling (converted to goto functions) standart template library (operational model)

ESBM Architecture (2) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck lexer/parser based on the flex/bison most of the intermediate representation of the program (IRep) is created this IRep is the base for the remaining phases of the verification

ESBM Architecture (3) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck some checks are made in this step: assignment check typecast check pointer initialization check function call check template instantiation

ESBM Architecture (4) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck conversion from IRep to goto programs: int main() { int x=5; main() (c::main): intx; x = 5; } if(x==5) return 0; return -1; IF!(x == 5) THEN GOTO 1 return 0; 1: return -1; END_FUNTION

ESBM Architecture (5) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck creation of SSA expressions from goto programs: assertions are inserted to check for pointer safety, memory-leak, division by zero, etc jump instructions are inserted for exception handling x = 5; x = 6; y = x; x 1 = 5; x 2 = 6; y 1 = x 2 ; 0 0 0

ESBM Architecture (6) Source Parser Typecheck Goto Programs onverter Goto Symex Solver Source Parser Typecheck encoding to bit-vector or integer/real arithmetic verification results can depend on encodings: majority of Vs solved faster if numeric types are modelled by abstract domains but possible loss of precision

SMT-Based BM of Programs there have been attempts to apply BM to the verification of programs but with limited success handle large programs and support complex features standard libraries contain complex (and low-level) data structures (complicates the Vs unnecessarily) provide a operational model (OM) which is an abstract representation of the standard libraries that conservatively approximates their semantics Standard Libraries of OM Programs g++ compiler ESBM executable file verification result

ontainer Model (1) the container model uses three variables: P that points to the first element of the array size that stores the quantity of elements in the container capacity that stores the total capacity of a container iterators are modelled using two variables (source and pos) container size= N capacity < 2*size e0 e1 e2 e3... en-1 iterator pos contains the index value pointed by the iterator in the container P source pos source points to the underlying container

ontainer Model (2) the core container model only supports the insert, erase, and search methods push_back, pop_back, front, back, push_front,and pop_front are variation of these basic methods (( c', i') = c. erase( i)) : = c'. size c'. array i'. source = c. size 1 i'. pos = i. pos = store(...( store( c. array, decrement the size of the container i. pos, select( c. array, i. pos + 1)),..., = c' c. size 2, select( c. array, c. size 1)) points to the position next to the previously erased part of the container the exclusion is made by a given position, regardless the value

Inheritance and Polymorphism polymorphism allows the creation of reusable code by changing only specific methods from the base class in constrast to Java, allows multiple inheritance which increase the complexity of the static analysis in ESBM, each new class instantiation replicate all the methods and attributes from the base classes this feature allows base classes pointers to keep reference to derived classes during verification time decides which method is being called from such pointer

Running Example (1) triple <, s, r > where is the set of classes shared inheritance s x replicated inheritance r x square class relation: <,, {(Square, Rectangle, Shape), (Square, Rectangle, Display)}> direct access to the attributes and methods of the derived class replicate information to any new class

Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } int area(void) { return width*width; } Square Shape constructor *sqre= and newsquare(10); assert area(sqre->area() method == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } Instantiation of square and area call int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); Internal SMT representation : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

Running Example (2) Square (int w) : Rectangle(w,w) { width= w; } contain the address of the object s bound methods int area(void) { return width*width; } Shape *sqre= newsquare(10); assert (sqre->area() == 100); : = j 1 = store ( j 0, vtable, Rectanle) (,,10) j2 = store j1 width j3 = store( j2, height,10) j4 = store( j3, vtable,square) j5 = store( j4, width,10) return _ value1 = ( ( 5, ) ( 5, ) select j width select j width P : = [ return _ value = 100] 1

Exception Handling (1) exceptions are unexpected situations within a programs access an invalid position in a vector throws an out_of_range exception exception handling is divided into three elements: a try block, a catch block, and a throw statement int main (void) { try { throw 1; } catch (int) { return 1; } catch (char) { return 2; } return 0; } try block throw statement catch block

Exception Handling (2) try-catch conversion to goto functions (internal flow) main(): ATH signed_int->1, char->2 THROW signed_int: 1 ATH GOTO 3 1: int #anon; return 1; GOTO 3 2: char #anon; return 2; 3: return 0; END_FUNTION This goto instruction is modified if an exception is thrown jump when the type is signed int jump when the type is char

Exception Handling (2) try-catch conversion to goto functions (internal flow) main(): ATH signed_int->1, char->2 THROW signed_int: 1 ATH GOTO 1 1: int #anon; return 1; GOTO 3 2: char #anon; return 2; This goto instruction is modified if an exception is thrown 3: return 0; END_FUNTION

Experimental Results Goal: compare the efficiency of verification on 1165 programs using ESBM and LLBM Setup: ESBM v1.20 with SMT Solver Z3 3.2 LLBM 2012.2a Intel ore i7-2600, 3.40 GHz with 24 GB of RAM running Ubuntu 64-bits

About the benchmarks Number of programs Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm 130 3376 996 63 38 16 13 0 0 0 2 Deque 43 1239 238 19 20 0 4 0 0 0 3 Vector 146 6853 2714 95 37 3 11 0 0 0 Lines of code Time out BAD THING Memory out BAD THING rash BAD THING 4 List 670 2292 3928 25 25 3 17 0 0 0 5 Queue 14 328 177 7 7 0 0 0 0 0 Verification time of the modules (s) 6 Stack 12 286 82 6 6 0 0 0 0 0 7 Inheritance 51 3460 311 28 17 1 2 3 0 0 8 Try catch 67 4743 45 17 41 7 2 0 0 0 9 Stream 66 1831 1892 51 13 0 2 0 0 0 Positive verification GOOD THING Negative verification GOOD THING Negative verification BAD THING Negative verification BAD THING 10 String 233 4921 48186 100 112 5 16 0 0 0 11 pp 343 26624 1817 269 38 7 25 4 0 0 1165 55953 58386 680 354 42 92 7 0 0

Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm 130 3376 996 63 38 16 13 0 0 0 STL modules 2 Deque 43 1239 238 19 20 0 4 0 0 0 3 Vector 146 6853 2714 95 37 3 11 0 0 0 4 List 670 2292 3928 25 25 3 17 0 0 0 5 Queue 14 328 177 7 7 0 0 0 0 0 6 Stack 12 286 82 6 6 0 0 0 0 0 7 Inheritance 51 3460 311 28 17 1 2 3 0 0 8 Try catch 67 4743 45 17 41 7 2 0 0 0 9 Stream 66 1831 1892 51 13 0 2 0 0 0 10 String 233 4921 48186 100 112 5 16 0 0 0 11 pp 343 26624 1817 269 38 7 25 4 0 0 1165 55953 58386 680 354 42 92 7 0 0

Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm 130 3376 996 63 38 16 13 0 0 0 2 Deque 43 1239 238 19 20 0 4 0 0 0 3 Vector 146 6853 2714 95 37 3 11 0 0 0 4 List 670 2292 3928 25 25 3 17 0 0 0 Inheritance and exception handling 5 Queue 14 328 177 7 7 0 0 0 0 0 6 Stack 12 286 82 6 6 0 0 0 0 0 7 Inheritance 51 3460 311 28 17 1 2 3 0 0 8 Try catch 67 4743 45 17 41 7 2 0 0 0 9 Stream 66 1831 1892 51 13 0 2 0 0 0 10 String 233 4921 48186 100 112 5 16 0 0 0 11 pp 343 26624 1817 269 38 7 25 4 0 0 1165 55953 58386 680 354 42 92 7 0 0

Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm 130 3376 996 63 38 16 13 0 0 0 2 Deque 43 1239 238 19 20 0 4 0 0 0 3 Vector 146 6853 2714 95 37 3 11 0 0 0 4 List 670 2292 3928 25 25 3 17 0 0 0 5 Queue 14 328 177 7 7 0 0 0 0 0 6 Stack 12 286 82 6 6 0 0 0 0 0 I/O Streams Strings 7 Inheritance 51 3460 311 28 17 1 2 3 0 0 8 Try catch 67 4743 45 17 41 7 2 0 0 0 9 Stream 66 1831 1892 51 13 0 2 0 0 0 10 String 233 4921 48186 100 112 5 16 0 0 0 11 pp 343 26624 1817 269 38 7 25 4 0 0 1165 55953 58386 680 354 42 92 7 0 0

Experimental Results with ESBM Testsuite N L Time P N FP FN FAIL TO MO 1 Algorithm 130 3376 996 63 38 16 13 0 0 0 2 Deque 43 1239 238 19 20 0 4 0 0 0 3 Vector 146 6853 2714 95 37 3 11 0 0 0 4 List 670 2292 3928 25 25 3 17 0 0 0 5 Queue 14 328 177 7 7 0 0 0 0 0 6 Stack 12 286 82 6 6 0 0 0 0 0 7 Inheritance 51 3460 311 28 17 1 2 3 0 0 8 Try catch 67 4743 45 17 41 7 2 0 0 0 Generic programs from Deitel 9 Stream 66 1831 1892 51 13 0 2 0 0 0 10 String 233 4921 48186 100 112 5 16 0 0 0 11 pp 343 26624 1817 269 38 7 25 4 0 0 1165 55953 58386 680 354 42 92 7 0 0

omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Algorithm 996 63 38 16 13 0 0 0 2 Deque 238 19 20 0 4 0 0 0 3 Vector 2714 95 37 3 11 0 0 0 4 List 3928 25 25 3 17 0 0 0 5 Queue 177 7 7 0 0 0 0 0 6 Stack 82 6 6 0 0 0 0 0 8135 215 133 22 45 0 0 0 1 Algorithm 22964 53 45 1 5 0 24 2 2 Deque 8585 16 17 0 0 1 9 0 3 Vector 7234 91 38 1 3 4 6 3 4 List 2562 5 26 5 30 0 0 4 5 Queue 45 6 7 0 1 0 0 0 6 Stack 45 6 6 0 0 0 0 0 ESBM LLBM 41435 177 139 7 39 5 39 9

omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Inheritance 311 28 17 1 2 3 0 0 2 Try catch 45 17 41 7 2 0 0 0 356 45 58 8 4 3 0 0 1 Inheritance 122 32 12 1 3 3 0 0 2 Try catch 4 0 1 0 0 66 0 0 ESBM LLBM 126 32 13 1 3 69 0 0

omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 Stream 1892 51 13 0 2 0 0 0 2 String 46186 100 112 5 16 0 0 0 48078 151 125 5 18 0 0 0 1 Stream 11 17 13 0 35 1 0 0 2 String 37 6 121 4 102 0 0 0 ESBM LLBM 48 23 134 4 137 1 0 0

omparison between ESBM and LLBM Testsuite Time P N FP FN FAIL TO MO 1 pp 1817 269 38 7 25 4 0 0 58386 680 354 42 92 7 0 0 1 pp 3260 235 24 10 56 15 2 1 44869 467 310 22 235 90 41 10 ESBM LLBM ESBM took approximately 16 hours and successfully verified 1046 out of 1165 (89%) LLBM took approximately 12 hours and successfully verified 777 out of 1165 (66%)

Experimental Results Sniffer ode ESBM was used to verify a commercial application provided by Nokia Institute of Technology (INdT) The sniffer code contains 20 classes, 85 methods, and approximately 2839 lines of code Five bugs were identified that were related to arithmetic under- and over-flow. The bugs were later confirmed by the developers

onclusions SMT-based verification of programs by focusing on the major features of the language Described the implementation of STL containers, inheritance, polymorphism and exception handling in particular, exception specification, which is a feature that is not supported by others BM tools ESBM outperforms LLBM if we consider the verification of programs with increased accuracy (i.e. exception enabled verification) Also, ESBM was able to find undiscovered bugs in the sniffer code, a commercial application

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback