Introduction to CBMC: Part 1

Similar documents
Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Bounded Model Checking. Mooly Sagiv Slides from Arie Gurfinkel & Sagar Chaki, Daniel Jackson, Shahar Maoz

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Software Model Checking. Xiangyu Zhang

Bounded Model Checking Of C Programs: CBMC Tool Overview

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Automated Test Generation using CBMC

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

C Bounded Model Checker

The Low-Level Bounded Model Checker LLBMC

BITCOIN MINING IN A SAT FRAMEWORK

Automatic Software Verification

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Decision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Handling Loops in Bounded Model Checking of C Programs via k-induction

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

SAT-based Model Checking for C programs

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Decision Procedures in the Theory of Bit-Vectors

Symbolic and Concolic Execution of Programs

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

On Reasoning about Finite Sets in Software Checking

Proving Properties of non-array Programs

Deductive Methods, Bounded Model Checking

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Abstraction techniques for Floating-Point Arithmetic

More on Verification and Model Checking

Software Model Checking. From Programs to Kripke Structures

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Lexical Considerations

C Code Verification based on the Extended Labeled Transition System Model

Pointers as Arguments

Time-Bounded Analysis of Real- Time Systems

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Quantifying Information Leaks in Software

Analysis/Bug-finding/Verification for Security

Predicate Abstraction of ANSI C Programs using SAT Λ

Lecture Notes on Real-world SMT

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

CS 510/13. Predicate Abstraction

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

C2TLA+: A translator from C to TLA+

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

HySAT. what you can use it for how it works example from application domain final remarks. Christian Herde /12

Type Conversion. and. Statements

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Error Explanation with Distance Metrics

Lexical Considerations

Modular and Verified Automatic Program Repairs

Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking

1 Lexical Considerations

Automated Program Analysis with Software Model Checking

Splitting the Control Flow with Boolean Flags

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Formal Specification and Verification

Predicate Abstraction of ANSI C Programs using SAT

Boolean Representations and Combinatorial Equivalence

Abstractions and small languages in synthesis CS294: Program Synthesis for Everyone

ANSI-C Bounded Model Checker User Manual

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Model Checking Embedded C Software using k-induction and Invariants

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Applications of Formal Verification

Lecture 2: Symbolic Model Checking With SAT

Limitations of the stack

Computer Components. Software{ User Programs. Operating System. Hardware

Course Summary! What have we learned and what are we expected to know?

Contents of Lecture 3

Exam 1 Prep. Dr. Demetrios Glinos University of Central Florida. COP3330 Object Oriented Programming

Software Engineering using Formal Methods

Foundations: Syntax, Semantics, and Graphs

CS 61c: Great Ideas in Computer Architecture

Model Checking and Its Applications

The Spin Model Checker : Part I/II

Model-Driven Verifying Compilation of Synchronous Distributed Applications

CS558 Programming Languages

Introduction to C. Robert Escriva. Cornell CS 4411, August 30, Geared toward programmers

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Data Structures and Algorithms for Engineers

The ComFoRT Reasoning Framework

CSCI 171 Chapter Outlines

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Java Basic Programming Constructs

Quiz 0 Review Session. October 13th, 2014

CSE 565 Computer Security Fall 2018

CS 314 Principles of Programming Languages. Lecture 9

CODE ANALYSIS CARPENTRY

Software Engineering using Formal Methods

Predicate Abstraction of ANSI C Programs using SAT

Verifying Periodic Programs with Priority Inheritance Locks

A Context-Sensitive Memory Model for Verification of C/C++ Programs

Lectures 5-6: Introduction to C

Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

: A Bounded Model Checking Tool to Verify Qt Applications

Introduction to Programming Using Java (98-388)

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Transcription:

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening

Bug Catching with SAT Solvers Main Idea: Given a program and a claim use a SAT solver to find whether there exists an execution that violates the claim. Program Claim Analysis CNF Engine SAT Solver SAT UNSAT (counterexample exists) (no counterexample found) 2

Programs and Claims Arbitrary ANSI C programs With bitvector arithmetic, dynamic memory, pointers, Simple Safety Claims Array bound checks (i.e., buffer overflow) Division by zero Pointer checks (i.e., NULL pointer dereference) Arithmetic overflow User supplied assertions (i.e., assert (i > j) ) etc 3

Why use a SAT Solver? SAT Solvers are very efficient Analysis is completely automated Analysis as good as the underlying SAT solver Allows support for many features of a programming language bitwise operations, pointer arithmetic, dynamic memory, type casts 4

A (very) simple example (1) Program int x; Constraints y = 8, int y=8,z=0,w=0; if (x) z = y 1; else z = x? y 1 : 0, w = x? 0 :y + 1, z!= 7, UNSAT no counterexample assertion always holds! w!= 9 w = y + 1; assert (z == 7 9) w == 5

A (very) simple example (2) Program int x; Constraints y = 8, int y=8,z=0,w=0; if (x) z = y 1; else z = x? y 1 : 0, w = x? 0 :y + 1, z!= 5, w!= 9 SAT counterexample found! y = 8, x = 1, w = 0, z = 7 w = y + 1; assert (z == 5 9) w == 6

What about loops?! SAT Solver can only explore finite length executions! Loops must be bounded (i.e., the analysis is incomplete) Program Claim Analysis CNF Engine SAT Solver Bound (n) SAT UNSAT (counterexample exists) (no counterexample of bound n is found) 7

CBMC: C Bounded Model Checker Developed Available at: http://www.cs.cmu.edu/~modelcheck/cbmc/ Supported Provides Known at CMU by Daniel Kroening et al. platafoms: Windows (requires VisualStudio s` CL), Linux a command line and Eclipse based interfaces to scale to programs with over 30K LOC Was used to find previously unknown bugs in MS Windows device drivers 8

CBMC: Supported Language Features ANSI C is a low level language, not meant for verification but for efficiency Complex language features, such as Bit vector operators (shifting, and, or, ) Pointers, pointer arithmetic Dynamic memory allocation: malloc/free Dynamic data types: char s[n] Side effects float / double Non determinism 9

DEMO

Using CBMC from Command Line To see the list of claims cbmc show claims I include file.c To check a single claim cbmc unwind n claim x I include file.c For help cbmc help 11

Introduction to CBMC: Part 2 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening

What about loops?! SAT Solver can only explore finite length executions! Loops must be bounded (i.e., the analysis is incomplete) Program Claim Analysis CNF Engine SAT Solver Bound (n) SAT UNSAT (counterexample exists) (no counterexample of bound n is found) 13

How does it work Transform a programs into a set of equations 2. Simplify control flow 3. Unwind all of the loops 4. Convert into Single Static Assignment (SSA) 5. Convert into equations 6. Bit blast 7. Solve with a SAT Solver 8. Convert SAT assignment into a counterexample 14

Control Flow Simplifications All side effect are removal Control Flow is made explicit e.g., j=i++ becomes j=i;i=i+1 continue, break replaced by goto All loops are simplified into one form for, do while replaced by while 15

Loop Unwinding All loops are unwound can use different unwinding bounds for different loops to check whether unwinding is sufficient special unwinding assertion claims are added If a program satisfies all of its claims and all unwinding assertions then it is correct! Same for backward goto jumps and recursive functions 16

Loop Unwinding void f(...) {... while(cond) cond { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto 17

Loop Unwinding void f(...) {... if(cond) cond { Body; while(cond) cond { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto 18

Loop Unwinding void f(...) {... if(cond) cond { Body; if(cond) cond { Body; while(cond) cond { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto 19

Unwinding assertion void f(...) {... if(cond) cond { Body; if(cond) cond { Body; if(cond) cond { Body; while(cond) cond { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits 20

Unwinding assertion void f(...) {... if(cond) cond { Body; if(cond) cond { Body; if(cond) cond { Body; assert(!cond); cond Remainder; while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits Positive correctness result! Unwinding assertion 21

Example: Sufficient Loop Unwinding void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; unwind = 3 void f(...) { j = 1 if(j <= 2) 2 { j = j + 1; if(j <= 2) 2 { j = j + 1; if(j <= 2) 2 { j = j + 1; assert(!(j <= 2)); 2) Remainder; 22

Example: Insufficient Loop Unwinding void f(...) { j = 1 while (j <= 10) 10 j = j + 1; Remainder; unwind = 3 void f(...) { j = 1 if(j <= 10) 10 { j = j + 1; if(j <= 10) 10 { j = j + 1; if(j <= 10) 10 { j = j + 1; assert(!(j <= 10)); 10) Remainder; 23

Transforming Loop Free Programs Into Equations (1) Easy to transform when every variable is only assigned once! Program Constraints x = a; x = a && y = x + 1; y = x + 1 && z = y 1; z = y 1 && 24

Transforming Loop Free Programs Into Equations (2) When a variable is assigned multiple times, use a new variable for the RHS of each assignment Program SSA Program 25

What about conditionals? Program SSA Program if (v) if (v0) x = y; else x = z; w = x; x0 = y0; else x1 = z0; What should x be? w1 = x??; 26

What about conditionals? Program SSA Program if (v) if (v0) x = y; else x = z; w = x; x0 = y0; else x1 = z0; x2 = v0? x0 : x1; w1 = x2 For each join point, add new variables with selectors 27

Adding Unbounded Arrays Arrays are updated whole array at a time A[1] = 5; A1=λ i : i == 1? 5 : A0[i] A[2] = 10; A2=λ i : i == 2? 10 : A1[i] A[k] = 20; A3=λ i : i == k? 20 : A2[i] Examples: A2[2] == 10 A2[1]==5 A2[3] == A0[3] A3[2] == (k==2? 20 : 10) Uses only as much space as there are uses of the array! 28

Example 29

Pointers While unwinding, record right hand side of assignments to pointers This results in very precise points to information Separate for each pointer Separate for each instance of each program location Dereferencing operations are expanded into case split on pointer object (not: offset) Generate assertions on offset and on type Pointer data type assumed to be part of bit vector logic Consists of pair <object, offset> 30

Pointer Typecast Example void *p; int i; int c; int main (void) { int input1, intput2, z; p = input1? (void*)&i : (void*) &c if (input2) z = *(int*)p; else z = *(char*)p; 31

Dynamic Objects Dynamic Objects: malloc / free Local variables of functions Auxiliary variables for each dynamically allocated object: Size (number of elements) Active bit Type malloc sets size (from parameter) and sets active bit free asserts that active bit is set and clears bit Same for local variables: active bit is cleared upon leaving the function 32

Deciding Bit Vector Logic with SAT Pro: all operators modeled with their precise semantics Arithmetic operators are flattened into circuits Not efficient for multiplication, division Fixed point for float/double Unbounded arrays Use uninterpreted functions to reduce to equality logic Similar implementation in UCLID But: Contents of array are interpreted Problem: SAT solver happy with first satisfying assignment that is found. Might not look nice. 33

Example void f (int a, int b, int c) { a= 8193 int temp; b= 402 temp = a; a = b; b = temp; (1111111111111111111111100110111 temp=0 (10000011111111111110 (0000000000000000000000000000000 State 4 file sort.c line 10 if (b > c) { CBMC temp= 402 (111111111111111111111110011 temp = b; b = c; c = temp; State 5 file sort.c line 11 b= 2080380800 if (a < b) { temp = a; a = b; b = temp; assert (a<=b && b<=c); (111111111111111111011111111111 c= 2080380800 if (a > b) { State 1 3 (10000011111111111110 State 6 file sort.c line 12 c= 402 (1111111111111111111111100110111 Failed assertion: assertion fi sort.c line 19 34

Problem (I) Reason: Very first satisfying assignment that is found is reported Strange Hard SAT solver performs DPLL backtracking search values artifact from bit level encoding to read Would like nicer values 35

Problem (II) Might not get shortest counterexample! Not all statements that are in the formula actually get executed There is a variable for each statement that decides if it is executed or not (conjunction of if guards) Counterexample actually executed The trace only contains assignments that are SAT solver picks some 36

Example from SSA void f (int a, int b, int c) { if(a) { a=0; b=1; assert(c); CBMC { 1 b_1#2 == (a_1#0?b_1#1:b_1# { 2 a_1#2 == (a_1#0?a_1#1:a_1# { 3 b_1#1 == 1 { 4 a_1#1 == 0 { 5 \guard#1 == a_1#0 { 6 \guard#0 == TRUE assign ments {1 c_1#0 37

Example void f (int a, int b, State 1 3 int c) a=1 { b=0 if(a) { a=0; b=1; assert(c); c=0 CBMC (00000000000000000000000000000001) (00000000000000000000000000000000) (00000000000000000000000000000000) State 4 file length.c line 5 a=0 (00000000000000000000000000000000) State 5 file length.c line 6 b=1 (00000000000000000000000000000001) Failed assertion: assertion file length.c line 11 38

Basic Solution Counterexample length typically considered to be most important e.g., SPIN iteratively searches for shorter counterexamples Phase one: Minimize length lg: Truth value (0/1) of guard, lw: Weight = number of assignments Phase two: Minimize values 39

Pseudo Boolean Solver (PBS) Input: CNF constraints Pseudo Boolean constraints 2x + 3y + 6z <= 7, where x, y, z are Boolean variables Pseudo Boolean objective function Output: Decision (SAT/UNSAT) Optimizatioin (Minimize/Maximize an objective function) Some implementations: PBS http://www.eecs.umich.edu/~faloul/tools/pbs MiniSat+ (from MiniSat web page) 40

Example void f (int a, int b, int c) { a=0 int temp; b=0 c= 1 if (a > b) { temp = a; a = b; b = temp; if (b > c) { CBMC + (00000000000000000000000000000000) (00000000000000000000000000000000) (11111111111111111111111111111111) temp=0 (0000000000000000000000000000000 State 4 file sort.c line 10 temp=0 (0000000000000000000000000000000 temp = b; b = c; c = temp; State 5 file sort.c line 11 if (a < b) { b= 1 Mini mization State temp = a; a = b; b = temp; assert (a<=b && b<=c); State 1 3 c=0 (11111111111111111111111111111111) 6 file sort.c line 12 (00000000000000000000000000000000) Failed assertion: assertion fi sort.c line 19 41

Modeling with CBMC (1) CBMC provides 2 modeling (not in ANSI C) primitives xxx nondet_xxx () Returns a non deterministic value of type xxx (); int nondet_int (); char nondet_char Useful for modeling external input, unknown environment, library functions, etc. 42

Using nondet for modeling Library spec: foo is given non deterministically, but is taken until returned CMBC stub: int nondet_int (); int return_foo () int is_foo_taken = 0; { is_foo_taken = 0 int grab_foo () { if (!is_foo_taken) is_foo_taken = nondet_int (); return is_foo_taken; 43

Modeling with CBMC (2) The other modeling primitive CPROVER_assume (expr) If the expr is fasle abort the program, otherwise continue executing CPROVER_assume (x>0 && y <= 10); 44

Assume Guarantee Reasoning (1) Is foo correct? int foo (int* p) { void main(void) { Check by splitting on the argument of foo foo(x); foo(y); 45

Assume Guarantee Reasoning (2) (A) Is foo correct assuming p is not NULL? int foo (int* p) { CPROVER_assume (p!=null); (G)Is foo guaranteed to be called with a non NULL argument? void main(void) { assert (x!=null);// foo(x); assert (y!=null); // foo(y); 46

Dangers of unrestricted assumptions Assumptions can lead to vacuous satisfaction if (x > 0) { CPROVER_assume (x < This program is passed by CMBMC! assert (0); Assume must either be checked with assert or used as an idiom: x = nondet_int (); y = nondet_int (); CPROVER_assume (x < y); 47

Checking user specified claims Assert, assume, and non determinism + Programming can be used to specify many interesting claims dir=1; while (x>0) How to use CBMC to check whether { x = x + dir; the loop if (x>10) dir = 1*di has an infinite execution? if (x<5) dir = 1*dir 48

49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback