Software Model Checking. From Programs to Kripke Structures

Similar documents
F-Soft: Software Verification Platform

More on Verification and Model Checking

Model Checking with Abstract State Matching

Software Model Checking. Xiangyu Zhang

CS 510/13. Predicate Abstraction

Having a BLAST with SLAM

Having a BLAST with SLAM

Static Program Analysis

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Having a BLAST with SLAM

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Having a BLAST with SLAM

Counter-Example Guided Program Verification

Formal Verification by Model Checking

Bonsai: Cutting Models Down to Size

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

Verifying Multithreaded Software with Impact

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Bounded Model Checking Of C Programs: CBMC Tool Overview

Automated Program Analysis with Software Model Checking

Over-Approximating Boolean Programs with Unbounded Thread Creation

Verifying Concurrent Programs

VS 3 : SMT Solvers for Program Verification

A Survey of Automated Techniques for Formal Software Verification

Model Checking: Back and Forth Between Hardware and Software

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Interpolation-based Software Verification with Wolverine

Configurable Software Model Checking

JPF SE: A Symbolic Execution Extension to Java PathFinder

The Spin Model Checker : Part I/II

Counterexample Guided Abstraction Refinement in Blast

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Predicate Abstraction Daniel Kroening 1

Introduction to CBMC: Part 1

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Abstract Interpretation

Bogor An extensible and highly-modular model checking framework

Software Model Checking with Abstraction Refinement

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

SYNERGY : A New Algorithm for Property Checking

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Formal Specification and Verification

Predicate Abstraction of ANSI C Programs using SAT Λ

Tutorial on Model Checking Modelling and Verification in Computer Science

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

KRATOS A Software Model Checker for SystemC

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

C Code Verification based on the Extended Labeled Transition System Model

Formal modelling and verification in UPPAAL

An Eclipse Plug-in for Model Checking

Software Engineering using Formal Methods

Formal Syntax and Semantics of Programming Languages

Model Checking and Its Applications

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

On Reasoning about Finite Sets in Software Checking

Formal Methods. CITS5501 Software Testing and Quality Assurance

Model checking Timber program. Paweł Pietrzak

Counterexample Guided Abstraction Refinement via Program Execution

Formal Verification at Higher Levels of Abstraction

Compiler Construction

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Software Model Checking with SLAM

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Distributed Systems Programming (F21DS1) Formal Verification

Predicate Refinement Heuristics in Program Verification with CEGAR

Part II: Atomicity for Software Model Checking. Analysis of concurrent programs is difficult (1) Transaction. The theory of movers (Lipton 75)

Lecture 2: Symbolic Model Checking With SAT

Verifying Recursive Programs using Intra-procedural Analyzers

Building Program Verifiers from Compilers and Theorem Provers

Model Checking with Automata An Overview

Software Engineering using Formal Methods

Formal Verification of Synchronization Issues in SpecC Description with Automatic Abstraction

Proof Pearl: The Termination Analysis of Terminator

Verifying C & C++ with ESBMC

Verifying Concurrent Message-Passing C Programs with Recursive Calls

Pooya Saadatpanah, Michalis Famelis, Jan Gorzny, Nathan Robinson, Marsha Chechik, Rick Salay. September 30th, University of Toronto.

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Edmund Clarke Computer Science Dept., Carnegie Mellon University Pittsburgh, PA, USA

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Programming Languages Third Edition

Tree Interpolation in Vampire

On Reasoning About Finite Sets in Software Model Checking

Efficient Verification of Sequential and Concurrent C Programs

Counterexamples with Loops for Predicate Abstraction

The Rule of Constancy(Derived Frame Rule)

Modular Verification of Software Components in C

Computer aided verification

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Foundations: Syntax, Semantics, and Graphs

Software verification for ubiquitous computing

Program verification. Generalities about software Verification Model Checking. September 20, 2016

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Transcription:

Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; EF (pc = 5) Model of of the theprogram Correctness property Model Model Checker Yes/No Answer 1 From s to Kripke Structures State 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; pc 3 x 1 y 3 Step pc x y 2 1 2 Property: EF (pc = 5) 2 1

In Our ming Language All variables are global Functions are in-lined int is integer i.e., no overflow Special statements: skip assume(e) x,y=e1,e2 x=nodet() goto L1,L2 do nothing if e then skip else abort x, y are assigned e1,e2 in parallel x gets an arbitrary value non-deterministically go to L1 or L2 3 s as Control Flow Graphs Labeled CFG 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; Semantics S 1: x,y=2,2 2: y=y-1 y>2 y<=2 4: 3: x==2 x!=2 5: 4 2

Model Checking Software s are not finite state integer variables recursion unbounded data structures dynamic memory allocation dynamic thread creation pointers Model Checker 5 Abstraction Model Checking Software s are not finite state integer variables recursion unbounded data structures dynamic memory allocation dynamic thread creation pointers Model Checker Build a finite abstraction small enough to analyze rich enough to give conclusive results 6 3

Software Model Checking and Abstraction Kripke Structure K Abstraction Boolean BP Abstract Semantics Semantics P Abstract Kripke K Soundness of Abstraction: BP abstracts P implies that K approximates K 7 CounterExample Guided Abstraction Refinement (CEGAR) [ClGJLV00], [BR01] Abstract Predicates Refine Boolean Is Safe? (Is ERROR unreachable) Over- Approximate Boolean Model Model Check No + Abstract Counterexample No Counterexample Valid? Yes Yes 8 4

Outline ming Language syntax and semantics Predicate Abstraction for s Boolean s as intermediate representation Automatic computation of abstraction Three abstract semantics of Boolean s over-, under-, and Belnap abstractions Discovering the right abstraction automatically Counterexample-guided abstraction refinement Finding a place to refine counterexample- and proof-guided approaches Discovering new predicates Overview of state-of-the-art software MCs 9 The Running Example Property Expected Answer 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; EF (pc = 5) EG (pc 4) (loop does not terminate) False True 10 5

Boolean (Predicate) s (BP) Variables correspond to predicates Usual control flow statements while, if-then-else, goto Expressions usual Boolean expressions * unknown if a then true else ch(a,b) if b then false else * Parallel Assignment p 1 = ch(a 1,b 1 ), p 2 = ch(a 2,b 2 ),... b 1 = ch(b 1, b 1 ), b 2 = ch(b 1 b 2, f), b 3 =ch(f,f) 11 An Example Abstraction 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; Abstraction (with y<=2) bool b is (y <= 2) 1: b = T; 2: while (b) 3: b = ch(b,f); 4: if (*) 5: ERROR:; 12 6

Boolean Abstraction Update p = ch(a, b) is an approximation of a concrete statement S iff {a}s{p} and {b}s{ p} are valid i.e., y = y 1 is approximated by (x == 2) = ch(x ==2, x!=2), and (y <= 2) = ch(y<=2,false) Parallel assignment approximates a concrete statement S iff all of its updates approximate S i.e., y = y 1 is approximated by (x == 2) = ch(x ==2, x!=2) (y <= 2) = ch(y<=2,false) A Boolean program approximates a concrete program iff all of its statements approximate corresponding concrete statements 13 Computing An Abstract Update // pre-condition: P.contains (t) // S a statement under abstraction // P a list of predicates used for abstraction // t a target predicate for the update absupdate (Statement S, List<Predicates> P, Predicate t) { rest, resf = false, false; foreach m : mono(p) { if (tpq( m WP(S,t) ) rest = rest m; if (tpq( m WP(S, t) ) resf = resf m; } return t = ch(rest, resf) } 14 7

Example Computation P is {y <= 2} y = y - 1; absupdate t is (y <= 2) Theorem Prover Queries: (y<=2) (y 1) <= 2 (y>2) (y 1) <= 2 (y<=2) (y 1) > 2 (y>2) (y 1) > 2 (y<=2) = ch (y<=2,f) Aside: y>2 is (y<=2) 15 Over-Approximating Semantics of BP State: boolean valuations to all predicates i.e., b 1 b 2, b 1 b 2, b 2 b 1, b 1 b 2 Semantics of an update O(p = ch(q, r)) (s,v) = (v=t and s r) or (v=f and s q) Semantics of a parallel assignment O({U i }) (s,t) = i={1..n} O(U i ) (s,t(b i )) O(BP) y = y - 1 BP b1=ch(b1,f), =ch(,!) b1 b1 is y<=2 is x==2 16 8

Under-Approximating Semantics of BP State: boolean valuations to some predicates i.e., b 1, b 1, b 2 b 1, b 1 b 2, etc. Semantics of an update U(p = ch(q, r)) (s,v) = (v = t and a q) or (v = f and a r) or (v = ) Semantics of a parallel assignment conjunction as before U(BP) y = y - 1 BP b1=ch(b1,f), =ch(,!) b1 is y<=2 is x==2 b1 b1? b1? 17 Belnap (Exact) Semantics of BP State: boolean valuations to some predicates i.e., b 1, b 1, b 2 b 1, b 1 b 2, etc. Semantics of an update E(p=ch(q,r))(s,v) = (v=t s 3 ch(q,r)) or (v=f s 3 ch(q,r)) or (v= ) Semantics of a parallel assignment conjunction as before E(BP) y = y - 1 BP b1=ch(b1,f), =ch(,!) b1 is y<=2 is x==2 b1 b1? b1? 18 9

Summary: The Three Semantics Concrete Abstract b1 is (y <= 2) is (x == 2) t y = y - 1; b1 = ch(b1,f); = ch(, ) f Over-Approx Belnap (Exact) Under-Approx b1 b1 b1? b1 b1? b1? b1? 19 Summary: Abstraction Kripke Structure K Abstraction Boolean BP Abstract Semantics Semantics 1. Abstract a program P by a boolean program BP 2. Pick an abstract semantics for this BP: 1. Over-approximating 2. Under-approximating 3. Belnap (Exact) 3. Yield relationship between K and K : 1. Over-approximation 2. Under-approximation 3. Belnap abstraction P Abstract Kripke K 20 10

Outline ming Language syntax and semantics Predicate Abstraction for s Boolean s as intermediate representation Automatic computation of abstraction Three abstract semantics of Boolean s over-, under-, and Belnap abstractions Discovering the right abstraction automatically Counterexample-guided abstraction refinement Finding a place to refine counterexample- and proof-guided approaches Discovering new predicates Overview of state-of-the-art software MCs 21 CounterExample Guided Abstraction Refinement (CEGAR) [CGJLV00], [BR01] Abstract Predicates Refine Abstract Abstract Semantics No Model Is Safe? (Is ERROR unreachable) Model Check No + Abstract Counterexample Counterexample Valid? Yes Yes 22 11

Example: Is ERROR Unreachable? Abstraction Over- Approximation Need This! 1: 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; 1: ; 2: while (*) 3: ; 4: if (*) 5: ERROR:; 4: 2: 5: 3: CEGAR steps Abstract Translate Check Validate Repeat 23 Example: Is ERROR Unreachable? Abstraction (with y<=2) Over- Approximation 1: int x = 2; int y = 2; 2: while (y <= 2) 3: y = y 1; 4: if (x == 2) 5: ERROR:; bool b is (y <= 2) 1: b = T; 2: while (b) 3: b = b? T : *; 4: if (*) 5: ERROR:; 2:b=F 4:b=F 1: 2:b=T 3:b=T 5:b=F UNREACHABLE b=f CEGAR steps Abstract Translate Check NO ERROR 24 12

Using Cex for Refinement s 0 s 0 s 1 s 1 s 2 s 3 s 2 s 5 s 4 ERROR s 4 ERROR Counterexample t f Is ERROR Reachable? EF (ERROR) MC UNKNOWN 25 Using Proofs for Refinement cause s 0 s 1 s 3 s 2 s 5 s 4 ERROR Refine HERE s 0 s 1 EF 4 (ERROR)(s 0 ) = n EF n (ERROR)(s 0 ) = EF (ERROR) (s 0 ) = can stop here s 1 s 2 EF 2 (ERROR)(s 2 ) = t EF 3 (ERROR)(s 1 ) = Why? t f Is ERROR Reachable? EF (ERROR) MC UNKNOWN 26 13

s 3 s 0 s 1 s 5 s 4 Using Proofs for Refinement Is ERROR Reachable? EF (ERROR) cause Refine can stop here HERE s 1 s 2 EF 2 (ERROR)(s 2 ) = t s 0 s 1 EF 3 (ERROR)(s 1 ) = EF 4 (ERROR)(s 0 ) = n EF n (ERROR)(s 0 ) = unknown steps EF (ERROR) are already t (s 0 ) = marked in the proof When proofs are used to guide the refinement only a part of the proof must be generated s no 2 need to validate the counterexample Why? ERROR Refinement is not limited to finite linear explanations! MC UNKNOWN f 27 Recall Finding Refinement Predicates each abstract state is a conjunction of predicates i.e., y<=2 x==2 y>2 x!=2 etc. each abstract transition corresponds to a program statement Result from a partial proof Unknown transition s 1 s 2 MC needs to know validity of {s 1 } C {s 2 } C is the statement corresponding to the transition 28 14

Refinement via Weakest Precondition If s 1 s 2 corresponds to a conditional statement refine by adding the condition as a new predicate If s 1 s 2 corresponds to a statement C Find a predicate p in s 2 with uncertain value i.e., {s 1 }C{p} is not valid refine by adding WP(C,p) An Example s 1 is y>2 x==2 {s 1 }C{x==2} is valid s 2 is y>2 x==2 {s 1 }C{y>2} is not valid C is y = y-1 add WP(C,y>2) = y>3 29 Summary: Software Model Checking SoftMC is an effective technique for analyzing behavioral properties of software systems Based on a combination of static analysis and traditional model-checking techniques Abstraction is essential for scalability Boolean programs are used as an intermediate step Different abstract semantics lead to different abs. over-, under-, Belnap Automatic abstraction refinement enables to find the right abstraction incrementally 30 15

Overview of Software Model Checkers Tools: Comparison parameters YASM Properties SLAM Types of abstraction BLAST Model-checking engine CBMC How refinement is done MAGIC Java PathFinder 31 YASM http://www.cs.toronto.edu/~arie/yasm Properties: CTL Abstraction: Predicate Over- and Under- MC Engine: Symbolic BDD-based Refinement: CTL Proof-based + WP 32 16

YASM: System Architecture ~ 30K Java foo.c Temporal Property Answer CIL Parser CUDD Parse tree Abstract model XChek Partial proof Abstractor Control-flow graph CVCLite Refiner Predicates Predicate generator Initial predicates 33 Main Features of YASM Checks real C programs Not biased towards verification or refutation Sound for both True and False answers Can check arbitrary CTL property including liveness! Handles recursive programs 34 17

Current Applications BLAST Benchmarks [GC06] Device drivers (4K-6K LOC) Parts of OpenSSH (2K-3K LOC) Split OpenSSH (100K LOC) with UofT Security Group Detecting setuid/seteuid security flaws with UofT Security Group, in progress Concurrent Toy s Lamport s Bakery Mutual Exclusion Error detection in NASA RAX [PPV05] Finding livelock bugs Can a library routine get stuck? with B. Cook at Microsoft Research, in progress 35 SLAM Part of Windows DDK Static Driver Verifier Properties: Reachability Abstraction: Predicate over-approximation MC Engine: Symbolic BDD-based Refinement: Symbolic simulation of cexs Key Features: robust, support for recursion, (almost) in production use 36 18

BLAST http://embedded.eecs.berkeley.edu/blast/ Properties: Reachability Abstraction: Predicate over-approximation MC Engine: Symbolic BDD-based MC and abstraction are interleaved Refinement: Predicates from a proof of impossibility of a counter-example 37 SATABS & CBMC http://www.inf.ethz.ch/personal/daniekro/satabs/ Properties: Bounded reachability Abstraction: Predicate over-approximation MC Engine: Symbolic SAT-based Refinment: Symbolic simulation of cex + UNASTCORE Key Features: supports precise machine arithmetic including bit-level operations 38 19

MAGIC http://www.cs.cmu.edu/~chaki/magic/ Properties: Automata Simulation Abstraction: Predicate over-approximation MC Engine: SAT-based Refinement: Symbolic simulation of cex Key Features: support for concurrent C modules 39 Java PathFinder http://javapathfinder.sourceforge.net/ Properties: Reachability Abstraction: user-provided data abstraction MC Engine: Explicit state with symbolic execution Refinement: None Key Features: support for Java including Objects and Threads 40 20

References [BR01] T. Ball, S. Rajamani. The SLAM Toolkit. In CAV 01. [CGJLV00] E. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith. Counterexample-Guided Abstraction Refinement. In CAV 00. [GC06] A. Gurfinkel, M. Chechik. Why Waste a Perfectly Good Abstraction. In TACAS 06. [PPV05] C. Pasareanu, R. Pelanek, W. Visser. Concrete Search with Abstract Matching and Refinement. In CAV 05. 41 Acknowledgements We thank the model-checking group at CMU (Ed Clarke) and the BANDERA project (Matt Dwyer, Corina Pasarenau) for the source of and the inspiration for some of our slides. These slides were originally created for a modelchecking tutorial at Formal Methods 06. Presenters: Marsha Chechik & Arie Gurfinkel 42 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback