System LAV and Its Applications

Similar documents
ARGO - Automated Reasoning GrOup

Verifying C & C++ with ESBMC

: A Bounded Model Checking Tool to Verify Qt Applications

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

An Introduction to Satisfiability Modulo Theories

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Model Checking Embedded C Software using k-induction and Invariants

OptCE: A Counterexample-Guided Inductive Optimization Solver

Formalization of Incremental Simplex Algorithm by Stepwise Refinement

The Low-Level Bounded Model Checker LLBMC

Handling Loops in Bounded Model Checking of C Programs via k-induction

Program Analysis and Code Verification

Undefined Behaviour in C

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I

Program Analysis And Its Support in Software Development

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Verification and Test with Model-Based Design

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

C++ Programming Language Lecture 2 Problem Analysis and Solution Representation

Deductive Methods, Bounded Model Checking

F-Soft: Software Verification Platform

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Outline. Program development cycle. Algorithms development and representation. Examples.

B. Subject-specific skills B1. Problem solving skills: Supply the student with the ability to solve different problems related to the topics

Satisfiability Modulo Theories: ABsolver

Symbolic Execution, Dynamic Analysis

Static Analysis of C++ Projects with CodeSonar

Cost Modelling for Vectorization on ARM

URBiVA: Uniform Reduction to Bit-Vector Arithmetic

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Program Verification. Aarti Gupta

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Lightweight Verification of Array Indexing

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

More on Verification and Model Checking

JBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik

logistics: ROP assignment

Turbo-Charging Lemmas on Demand with Don t Care Reasoning

CSE123 LECTURE 3-1. Program Design and Control Structures Repetitions (Loops) 1-1

Advanced Programming Methods. Introduction in program analysis

CSE 565 Computer Security Fall 2018

Computer Security Course. Midterm Review

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

CSCI 2132 Software Development. Lecture 17: Functions and Recursion

CS558 Programming Languages

Static program checking and verification

Static Analysis in C/C++ code with Polyspace

Pierce Ch. 3, 8, 11, 15. Type Systems

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Outline. software testing: search bugs black-box and white-box testing static and dynamic testing

Intro to Proving Absence of Errors in C/C++ Code

Verifying Recursive Programs using Intra-procedural Analyzers

CMPE/SE 135 Object-Oriented Analysis and Design

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

A Gentle Introduction to Program Analysis

Automated Item Banking and Test Development Model used at the SSAC.

Hyperkernel: Push-Button Verification of an OS Kernel

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

Bounded Model Checking Of C Programs: CBMC Tool Overview

Symbolic and Concolic Execution of Programs

Runtime Checking and Test Case Generation for Python

Model Checking and Its Applications

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Lecture Notes on Linear Search

Parametric Real Time System Feasibility Analysis Using Parametric Timed Automata

From Design to Production

Simple algorithm portfolio for SAT

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

DEPARTMENT OF COMPUTER SCIENCE

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

Static Analysis Techniques

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Efficiently Solving Bit-Vector Problems Using Model Checkers

Lecture 15 Software Testing

Arithmetic type issues

CS 161 Computer Security

Compiler-guaranteed Safety in Code-copying Virtual Machines

Voting Machines and Automotive Software: Explorations with SMT at Scale

C Code Verification based on the Extended Labeled Transition System Model

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

ABSTRACT INTERPRETATION

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Verification and Validation

Overview of the ECE Computer Software Curriculum. David O Hallaron Associate Professor of ECE and CS Carnegie Mellon University

DSVerifier: A Bounded Model Checking Tool for Digital Systems

Abstract Interpretation

Advanced Compiler Construction

Encoding floating-point numbers using the SMT theory in ESBMC: An empirical evaluation over the SV-COMP benchmarks

n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!

CRI: Symbolic Debugger for MCAPI Applications

Transcription:

Progress in Decision Procedures: From Formalizations to Applications Belgrade, March 30, 2013.

Overview, Viktor Kuncak Development and Evaluation of : an SMT-Based Error Finding Platform. Verified Software: Theories, Tools, Experiments. Lecture Notes in Computer Science, Volume 7152, Springer 2012, ISBN 978-3-642-27704-7., Mladen Nikolić, Dušan Tošić, Viktor Kuncak Software Verification and Graph Similarity for Automated Evaluation of Students Assignments. Information and Software Technology. Elsevier, 2013 DOI: 10.1016/j.infsof.2012.12.005

People prof. Dušan Tošić Faculty of Mathematics, Belgrade prof. Viktor Kuncak EPFL Switzerland Mladen Nikolić Faculty of Mathematics, Belgrade

is a tool for statically verifying program assertions and locating bugs such as buffer overflows, pointer errors and division by zero. is publicly available and open-source http://argo.matf.bg.ac.rs/?content=lav Experimental evaluation shows that is competitive with related tools based on symbolic execution and bounded model checking (KLEE, CBMC and ESBMC)

Input code

LLVM Input code is primarily developed for programs in C Thanks to LLVM, can be used for other procedural languages Input program is transformed to LLVM code

Code transformation input code LLVM Input code LLVM is a rich compiler framework Each LLVM function consists of blocks of instructions which are interconected LLVM uses simple RISC-like instructions

Code transformation loop-free code Symbolic execution of blocks input code LLVM Input code LLVM code is an input to unrolls loops to get loop-free program can unroll loops in two ways, by using under-approximation or over-approximation

Code transformation loop-free code Symbolic execution of blocks input code LLVM symbolically executes instructions of each block Input code For safety critical commands, generates safety conditions checks these conditions in different contexts communicates with an SMT solver through an SMT interface

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code Boolector bv,arr

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Code transformation loop-free code Symbolic execution of blocks input code sat/unsat LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Code transformation loop-free code Symbolic execution of blocks input code condition LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Code transformation loop-free code Symbolic execution of blocks input code sat/unsat LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Code transformation loop-free code Symbolic execution of blocks Relationships between blocks input code LLVM SMT interface Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Code transformation loop-free code Symbolic execution of blocks input code LLVM Input code Relationships between blocks For each block constructs its postcondition built from: control flow information transformation done by symbolic execution Correctness conditions

next function analysis Code transformation loop-free code Symbolic execution of blocks Relationships between blocks Correctness conditions input code LLVM Input code For each unresolved safety critical command, considers the function context At this stage, uses SMT solver in an incremental manner A command gets its status: safe, unsafe, flawed, unreachable

next function analysis Code transformation loop-free code Symbolic execution of blocks Relationships between blocks input code LLVM Input code Correctness conditions

next function analysis Code transformation loop-free code Symbolic execution of blocks Relationships between blocks Correctness conditions input code LLVM SMT interface Output Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

next function analysis Code transformation loop-free code Symbolic execution of blocks Relationships between blocks Correctness conditions input code LLVM SMT interface Output Input code Boolector bv,arr MathSAT la,bv,euf Yices la,bv,euf Z3 la, bv,euf,arr

Output Output format For a command that is not safe, outputs the line number, the kind of the error, a program trace that introduces the error, and values of variables along this trace. 1: #include <stdio.h> verification failed: 2: #define MAX 10 line 16: UNSAFE 3: int main() function: main, error: buffer_overflow 4: { 5: int arr[max],d,n,n_copy,max; 16: d = -8, max = -8, n = 0, n_copy = -899 6: get_array(arr, MAX); 10: d = -8, max = -8, n = 0, n_copy = -899 7: scanf("%d", &n); 14: d = -8, max = -8, n = 0, n_copy = -899 8: n_copy = n; 13: d = -8, max = -8, n = -8, n_copy = -899 9: max = n%10; 12: d = -8, max = -9, n = -8, n_copy = -899 10:while(n){ 10: d = -9, max = -9, n = -8, n_copy = -899 11: d = n%10; 14: d = -9, max = -9, n = -8, n_copy = -899 12: if(max<d) 12: d = -9, max = -9, n = -89, n_copy = -899 13: max=d; 10: d = -9, max = -9, n = -89, n_copy = -899 14: n = n/10; 14: d = -9, max = -9, n = -89, n_copy = -899 15:} 12: d = -9, max = -9, n = -899, n_copy = -899 16:if(arr[max]>n_copy) 10: d = 0, max = -9, n = -899, n_copy = -899 17: printf("it is bigger\n"); 18:else printf("it is not bigger\n"); 19:}

in Education Automated evaluation Testing vs. verification Similarity measure Automated grading Verification tools are usually used for safety critical programs New domain: Education analyzed corpus of 157 students programs (tests written at introductory programming course) found 423 errors!

in Education Automated evaluation Testing vs. verification Similarity measure Automated grading Verification tools are usually used for safety critical programs New domain: Education analyzed corpus of 157 students programs (tests written at introductory programming course) found 423 errors! Verification in education Can a verification tool help in automated evaluation of students programs?

in Education Automated evaluation Testing vs. verification Similarity measure Automated grading Verification tools are usually used for safety critical programs New domain: Education analyzed corpus of 157 students programs (tests written at introductory programming course) found 423 errors! Verification in education Can a verification tool help in automated evaluation of students programs?

Automated evaluation Automated evaluation Testing vs. verification Similarity measure Automated grading Beneficial for both teachers (automated grading) and students (immediate feedback) Can a verification tool help teachers in grading assignments? Can a verification tool help students to learn programming? Important for introductory programming courses the biggest number of students With a growing number of on-line courses, this automation becomes even more significant

Automated evaluation Automated evaluation Testing vs. verification Similarity measure Automated grading Beneficial for both teachers (automated grading) and students (immediate feedback) Can a verification tool help teachers in grading assignments? Can a verification tool help students to learn programming? Important for introductory programming courses the biggest number of students With a growing number of on-line courses, this automation becomes even more significant

Testing vs. verification Automated evaluation Testing vs. verification Similarity measure Automated grading Automated evaluation based on automated testing does the program give the desired outputs for specific inputs? Standard problem: Testing cannot reveal all bugs Are there bugs that can be discovered by a verification tool in a program that successfully passed testing? 266 programs (solutions of 15 different problems) successfully passed testing

Testing vs. verification Automated evaluation Testing vs. verification Similarity measure Automated grading Automated evaluation based on automated testing does the program give the desired outputs for specific inputs? Standard problem: Testing cannot reveal all bugs Are there bugs that can be discovered by a verification tool in a program that successfully passed testing? 266 programs (solutions of 15 different problems) successfully passed testing found 35 errors

Testing vs. verification Automated evaluation Testing vs. verification Similarity measure Automated grading Automated evaluation based on automated testing does the program give the desired outputs for specific inputs? Standard problem: Testing cannot reveal all bugs Are there bugs that can be discovered by a verification tool in a program that successfully passed testing? 266 programs (solutions of 15 different problems) successfully passed testing found 35 errors

Testing vs. verification Automated evaluation Testing vs. verification Similarity measure Automated grading Randomly generated test-cases (fuzzing) discovered only 12 of these bugs and took significantly more time Important issue (concerning feedback to students): If a program crashes, testing cannot give an explanation why it crashed Verification tools can give explanations

Similarity measure Automated evaluation Testing vs. verification Similarity measure Automated grading Functional correctness is not the only important aspect in automated evaluation Requirements concerning the design of a solution cannot be addressed by testing and verification To address the design, we used similarity measure between CFGs of expected solution and student s solution: Mladen Nikolić, Measuring Similarity of Graph Nodes by Neighbor Matching, Intelligent Data Analysis, (2013). Open-source, publicly available from s page

Similarity measure Automated evaluation Testing vs. verification Similarity measure Automated grading Functional correctness is not the only important aspect in automated evaluation Requirements concerning the design of a solution cannot be addressed by testing and verification To address the design, we used similarity measure between CFGs of expected solution and student s solution: Mladen Nikolić, Measuring Similarity of Graph Nodes by Neighbor Matching, Intelligent Data Analysis, (2013). Open-source, publicly available from s page

Automated grading Automated evaluation Testing vs. verification Similarity measure Automated grading Predicting a grade Linear model based on testing (t), verification (v) and CFG similarity (s) grade = c 1 t + c 2 v + c 3 s Coefficients c i are determined based on a set of instructor graded solutions The model obtained high correlation between predicted and instructor provided grades (84%) Better results compared to the model without verification component and to the model without similarity component All obtained results statistically significant

Conclusions Conclusions Future work is an SMT-Based error finding platform Uses symbolic execution and elements of BMC Competitive to related tools Verification in education Verification can add new quality to automated evaluation of students assignments: Feedback for students Automated grading for teachers

Conclusions Future work Future work Further improvements of Integrating automated evaluation into a web-based system

The end Conclusions Future work Thank you for your attention!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback