Configurable Software Model Checking

Similar documents
Static Program Analysis

Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT

BDD-Based Software Model Checking with CPAchecker

Proc. ISoLA 2018, c Springer

Counterexample Guided Abstraction Refinement in Blast

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

BDD-based software verification

KRATOS A Software Model Checker for SystemC

More on Verification and Model Checking

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Duet: Static Analysis for Unbounded Parallelism

BDD-Based Software Verification

KRATOS A Software Model Checker for SystemC

On Reasoning about Finite Sets in Software Checking

Reducer-Based Construction of Conditional Verifiers

Verifying C & C++ with ESBMC

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Verifying Recursive Programs using Intra-procedural Analyzers

Model Checking Embedded C Software using k-induction and Invariants

An Eclipse Plug-in for Model Checking

Having a BLAST with SLAM

F-Soft: Software Verification Platform

Software Model Checking. From Programs to Kripke Structures

Predicate Abstraction with Adjustable-Block Encoding

Software Model Checking of Linux Device Drivers

The Pointer Assertion Logic Engine

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Handling Loops in Bounded Model Checking of C Programs via k-induction

Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel

PANDA: Simultaneous Predicate Abstraction and Concrete Execution

Block-wise abstract interpretation by combining abstract domains with SMT

Counter-Example Guided Program Verification

Software Model Checking via Large-Block Encoding

Proving Properties of non-array Programs

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Verifying Concurrent Programs

Model Checking: Back and Forth Between Hardware and Software

RATCOP: Relational Analysis Tool for Concurrent Programs

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Software Model Checking. Xiangyu Zhang

Sendmail crackaddr - Static Analysis strikes back

DIPARTIMENTO DI INGEGNERIA E SCIENZA DELL INFORMAZIONE Povo Trento (Italy), Via Sommarive 14

Lecture 2: Symbolic Model Checking With SAT

Applications of Program analysis in Model-Based Design

Combining Model Checking and Data-Flow Analysis

Configurable Pointer-Alias Analysis for CPAchecker

SMT-Style Program Analysis with Value-based Refinements

CS 510/13. Predicate Abstraction

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

SeaHorn: Software Model Checking with SMT and AI

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

The software model checker BLAST

C Code Verification based on the Extended Labeled Transition System Model

Having a BLAST with SLAM

Partitioned Memory Models for Program Analysis

Interpolation-based Software Verification with Wolverine

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Program Analysis and Code Verification

Having a BLAST with SLAM

TRACER: A Symbolic Execution Tool for Verification

Tutorial on Model Checking Modelling and Verification in Computer Science

HECTOR: Formal System-Level to RTL Equivalence Checking

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Modular Verification of Web Services Using Efficient Symbolic Encoding and Summarization

Predicate Abstraction Daniel Kroening 1

Predicate Abstraction of ANSI C Programs using SAT Λ

Scalable Program Verification by Lazy Abstraction

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Lecture 6. Abstract Interpretation

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

A Toolbox for Counter-Example Analysis and Optimization

Synthesizing Ranking Functions from Bits and Pieces

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Control-Flow Refinment via Partial Evaluation

Verifying Multithreaded Software with Impact

Synthesizing Ranking Functions from Bits and Pieces

Using Build-Integrated Static Checking to Preserve Correctness Invariants

Having a BLAST with SLAM

Software Model Checking with Abstraction Refinement

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

Hyperkernel: Push-Button Verification of an OS Kernel

Using Counterexamples for Improving the Precision of Reachability Computation with Polyhedra

Distributed Systems Programming (F21DS1) Formal Verification

Danger Invariants. 1 Introduction. Cristina David 1, Pascal Kesseli 1, Daniel Kroening 1, Matt Lewis 1,2

The GNU Compiler Collection

Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels

Type Theory meets Effects. Greg Morrisett

Bottom-up Context-Sensitive Pointer Analysis for Java

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Predicate Abstraction and CEGAR for Higher Order Model Checking

A Survey of Automated Techniques for Formal Software Verification

Checking Memory Safety with Blast

Predicate Refinement Heuristics in Program Verification with CEGAR

On Reasoning About Finite Sets in Software Model Checking

Model Checking Parallel Programs with Inputs

Lecture 27. Pros and Cons of Pointers. Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis

Lecture 20 Pointer Analysis

Network Verification: Reflections from Electronic Design Automation (EDA)

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Transcription:

Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26

Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification is satisfied FALSE i.e., bug found General method: Create an overapproximation of the program states / compute program invariants Overapproximation Reachable States Error States Dirk Beyer 2 / 26

CPAchecker History 2002: BLAST with lazy abstraction refinement 2003: Multi-threading support 2004: Test-case generation, interpolation, spec. lang. 2005: Memory safety, predicated lattices 2006: Lazy shape analysis Maintenance and extensions became extremely difficult because of design choices that were not easy to revert 2007: Configurable program analysis, CPAchecker was started as complete reimplementation from scratch Dirk Beyer 3 / 26

CPAchecker History (2) 2009: Large-block encoding 2010: Adjustable-block encoding 2012: Conditional model checking, PredAbs vs. Impact 2013: Explicit-state MC, BDDs, precision reuse... Dirk Beyer 4 / 26

Software Verification by Model Checking [Clarke/Emerson, Sifakis 1981] Iterative fixpoint (forward) post computation R 0 Dirk Beyer 5 / 26

Software Verification by Model Checking [Clarke/Emerson, Sifakis 1981] Iterative fixpoint (forward) post computation R 0 R 1 Dirk Beyer 5 / 26

Software Verification by Model Checking [Clarke/Emerson, Sifakis 1981] Iterative fixpoint (forward) post computation R 0 R 1 R 2 Dirk Beyer 5 / 26

Software Verification by Model Checking [Clarke/Emerson, Sifakis 1981] Iterative fixpoint (forward) post computation R 0 R 1 R 2... R Dirk Beyer 5 / 26

Software Model Checking Reached, Frontier := {e 0 } while Frontier do remove e from Frontier for all e post(e) do if stop(e, Reached) then add e to Reached, Frontier return Reached Dirk Beyer 6 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Verification by Data-Flow Analysis Fixpoint computation on the CFG Dirk Beyer 7 / 26

Software Model Checking Reached, Frontier := {e 0 } while Frontier do remove e from Frontier for all e post(e) do if stop(e, Reached) then add e to Reached, Frontier return Reached Dirk Beyer 8 / 26

Configurable Program Analysis Reached, Frontier := {e 0 } while Frontier do remove e from Frontier for all e post(e) do for all e Reached do e new := merge(e, e ) if e new e then replace e in Reached, Frontier by e new if stop(e, Reached) then add e to Reached, Frontier return Reached Dirk Beyer 9 / 26

Configurable Program Analysis Better combination of abstractions Configurable Program Analysis [Beyer/Henzinger/Theoduloz CAV 07] Imprecise Scalable Precise Expensive Data-flow analysis CPA Model Checking Unified framework that enables intermediate algorithms Dirk Beyer 10 / 26

Dynamic Precision Adjustment Lazy abstraction refinement: [Henzinger/Jhala/Majumdar/Sutre POPL 02] Different predicates per location and per path Incremental analysis instead of restart from scratch after refinement Dirk Beyer 11 / 26

Dynamic Precision Adjustment Better fine tuning of the precision of abstractions Adjustable Precision [Beyer/Henzinger/Theoduloz ASE 08] Unified framework enables: switch on and off different analysis, and can adjust each analysis separately CPA Imprecise Scalable Not only refine, also abstract! Precise Expensive Dirk Beyer 12 / 26

Adjustable Block-Encoding Handle loop-free blocks of statements at once Abstract only between blocks (less abstractions, less refinements) [Beyer/Cimatti/Griggio/Keremoglu/Sebastiani FMCAD 09] [Beyer/Keremoglu/Wendler FMCAD 10] SBE Block size Whole Program Dirk Beyer 13 / 26

CPAchecker [Beyer/Keremoglu CAV 11] CPA Dirk Beyer 14 / 26

CPA Summary Unification of several approaches reduced to their essential properties Allow experimentation with new configurations that we could never think of Flexible implementation CPAchecker Dirk Beyer 15 / 26

CPAchecker Framework for Software Verification current status Written in Java Open Source: Apache 2.0 License ~80 contributors so far from 15 universities/institutions 430.000 lines of code (275.000 without blank lines and comments) Started 2007 https://cpachecker.sosy-lab.org Dirk Beyer 16 / 26

CPAchecker: Features Input language C (experimental: Java) Web frontend available: https://cpachecker.appspot.com Counterexample output with graphs Benchmarking infrastructure available (with large cluster of machines) Cross-platform: Linux, Mac, Windows Dirk Beyer 17 / 26

CPAchecker: Achievements Among world s best software verifiers: https://sv-comp.sosy-lab.org/2018/results/ Continuous success in competition since 2012 (52 medals: 16x gold, 18x silver, 18x bronze) Awarded Gödel medal by Kurt Gödel Society Used for Linux driver verification with dozens of real bugs found and fixed in Linux Dirk Beyer 18 / 26

CPAchecker: Concepts Included Concepts: CEGAR Interpolation Adjustable-block encoding Conditional model checking Verification witnesses Further available analyses: Impact algorithm Bounded model checking k-induction Property-directed reachability Dirk Beyer 19 / 26

CPAchecker: Concepts Completely modular, and thus flexible and easily extensible Every abstract domain is implemented as a "Configurable Program Analysis" (CPA) E.g., predicate abstraction, explicit-value analysis, intervals, octagon, BDDs, memory graphs, and more Algorithms are central and implemented only once Separation of concerns Combined with Composite pattern Dirk Beyer 20 / 26

CPAchecker: Algorithms CPAAlgorithm is the core algorithm for reachability analysis / fixpoint iteration Other algorithms can be added if desired, e.g., CEGAR Double-checking counterexamples Sequential combination of analyses Dirk Beyer 21 / 26

CPAchecker: Architecture k-induction Algorithm Source Code Parser & CFA Builder CEGAR Algorithm Results CPA Algorithm Spec Spec CPA Location CPA Callstack CPA Predicate CPA Dirk Beyer 22 / 26

Try CPAchecker Online at Google AppEngine: https://cpachecker.appspot.com/ Download for Linux/Windows: https://cpachecker.sosy-lab.org Run scripts/cpa.sh scripts\cpa.bat -predicateanalysis <FILE> Windows/Mac need to disable bitprecise analysis: -predicateanalysis-linear -setprop solver.solver=smtinterpol -setprop analysis.checkcounterexamples=false Look at output/cpalog.txt for problems Open.dot files with dotty / xdot (www.graphviz.org/) Open graphical report in browser: output/*.html Dirk Beyer 23 / 26

CPAchecker: Specification Model Checkers check only what you specified CPAchecker s default: Label ERROR Calling function _assert_fail() assert(pred) needs to be pre-processed SV-COMP: Calling function _VERIFIER_error() -spec sv-comp-reachability Dirk Beyer 24 / 26

CPAchecker for Developers Want to implement your own analysis? Easy, just write a CPA in Java Implementations for 10 interfaces needed But for 8, we have default implementations Minimal configuration: abstract state and abstract post operator Dirk Beyer 25 / 26

CPAchecker for Developers The CPA framework is flexible: Many components are provided as CPAs: Location / program counter tracking Callstack tracking Specification input (as automata) Pointer-aliasing information CPAs can be combined, so your analysis doesn t need to care about these things Dirk Beyer 26 / 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback