UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Similar documents
Model Checking Embedded C Software using k-induction and Invariants

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Exploiting Safety Properties in Bounded Model Checking for Test Cases Generation of C Programs

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

: A Bounded Model Checking Tool to Verify Qt Applications

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Handling Loops in Bounded Model Checking of C Programs via k-induction

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

F-Soft: Software Verification Platform

Verifying C & C++ with ESBMC

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

DSVerifier: A Bounded Model Checking Tool for Digital Systems

Bounded Model Checking Of C Programs: CBMC Tool Overview

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

A Bounded Model Checker for SPARK Programs

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

System LAV and Its Applications

Introduction to CBMC: Part 1

Software Model Checking. Xiangyu Zhang

OptCE: A Counterexample-Guided Inductive Optimization Solver

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Symbolic Execution, Dynamic Analysis

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017

The Spin Model Checker : Part I/II

Deductive Methods, Bounded Model Checking

COLLECTING AND ANALYZING INTERNAL EVIDENCES OF SOFTWARE SERVICES VIA MODEL CHECKING

Automated Test Generation using CBMC

Automatic Software Verification

Software Model Checking. From Programs to Kripke Structures

BITCOIN MINING IN A SAT FRAMEWORK

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Interpolation-based Software Verification with Wolverine

Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

The SPIN Model Checker

Quantifying Information Leaks in Software

The Low-Level Bounded Model Checker LLBMC

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Frama-C Value Analysis

Equivalence Checking of C Programs by Locally Performing Symbolic Simulation on Dependence Graphs

Java PathFinder JPF 2 Second Generation of Java Model Checker

Model Checking: Back and Forth Between Hardware and Software

CS453: Software Verification Techniques

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Formal Specification and Verification

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Static Program Analysis

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Verification of Tree-Based Hierarchical Read-Copy Update in the Linux Kernel

Program Verification. Aarti Gupta

Static Analysis in C/C++ code with Polyspace

Abstract Interpretation

Formal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela

More on Verification and Model Checking

Applying Multi-Core Model Checking to Hardware- Software Partitioning in Embedded Systems (extended version)

Bounded Model Checking of Concurrent Programs

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

An Eclipse Plug-in for Model Checking

Symbolic and Concolic Execution of Programs

Software Engineering using Formal Methods

SAT-based Model Checking for C programs

Error Explanation with Distance Metrics

Regression Verification - a practical way to verify programs

KRATOS A Software Model Checker for SystemC

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

C Code Verification based on the Extended Labeled Transition System Model

Executable Counterexamples in Software Model Checking

Graph Query Verification using Monadic 2 nd -Order Logic

Verification Tests for MCAPI

Software Engineering using Formal Methods

Profile-Guided Program Simplification for Effective Testing and Analysis

Symbolic Execu.on. Suman Jana

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Bounded Model Checking with Parametric Data Structures

OpenSMT2. A Parallel, Interpolating SMT Solver. Antti Hyvärinen, Matteo Marescotti, Leonardo Alt, Sepideh Asadi, and Natasha Sharygina

arxiv: v2 [cs.se] 13 Jul 2009

Model Checking Software Programs with. First Order Logic Specifications using AIG Solvers

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Formal Verification of Programs and Their Transformations

Cover Page. The handle holds various files of this Leiden University dissertation

Software verification for ubiquitous computing

Ranking Functions for Loops with Disjunctive Exit-Conditions

BDD-Based Software Verification

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Decision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion

Program Analysis and Code Verification

Over-Approximating Boolean Programs with Unbounded Thread Creation

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Synchronous Specification

Low level security. Andrew Ruef

Model checking Timber program. Paweł Pietrzak

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Transcription:

FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira Rocha, Raimundo Barreto, Lucas Cordeiro and Arilo Dias Netto

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 2

Introduction Software Applications 3

Introduction Model Checking In the last few years, we can observe a trend towards the application of formal verification techniques to the implementation level; BMCs have gained popularity due to their ability to handle the full semantics of actual programming languages, and to support the verification of a rich set of properties. 4

Introduction And what are we proposing? The EZProofC Method To apply a software bounded model checker, in this case ESBMC (Efficient SMT-Based Context-Bounded Model Checker); To verify critical parts of a software written in the C programming language; To gather data to show the evidence that failures might happen. 5

Introduction The motivation of this work - EZProofC Data collected by verification tools is usually not trivial to be understood: Amount of variables; Values involved in the counter-example; The lack of a standard output to represent the counter-example; Our techniques can also be applied to other programming languages like C++ and Java 6

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 7

Introduction -> Background Bounded Model Checking The basic idea of BMC is to check (the negation of) a given property at a given depth. Transition system M unrolled k times for programs: unroll loops, unfold arrays, Translated into verification condition ψ such that ψ satisfiable iff φ has counterexample of max. depth k. 8

Introduction -> Background Context-Bounded Model Checking with ESBMC ESBMC is a bounded model checker for embedded ANSI-C software based on SMT (Satisfiability Modulo Theories) solvers, which allows: Out-of-bounds array indexing; Division by zero; Pointers safety Dynamic memory allocation; Data races; Deadlocks; Underflow e Overflow; 9

Introduction -> Background Counter-Example A counter-example is a trace that shows that a given property does not hold in the model; Counter-examples allow the user: i. to analyze the failure; ii. iii. to understand the root of the error; to correct either the specification or the model, in this case, from the property and the program that has been analyzed respectively. 10

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 11

Introduction -> Background -> Proposed Method EZProofC An easy way to demonstrate and verify errors in C code 1 12

Introduction -> Background -> Proposed Method EZProofC An easy way to demonstrate and verify errors in C code 1 2 13

Introduction -> Background -> Proposed Method EZProofC An easy way to demonstrate and verify errors in C code 1 2 3 14

Introduction -> Background -> Proposed Method EZProofC An easy way to demonstrate and verify errors in C code 1 2 4 3 15

Introduction -> Background -> Proposed Method First Step: Code Preprocessing UNCRUSTIFY 1. 2. #define INSIZE 14 int main (void){ 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. } 17. } 18. } unsigned char in[insize+1];... if (c == `-') { i=0; idx_in++; c = in[idx_in]; while ((`0' <= c) && (c <= `9')) { j = c - `0'; i = i * 10 + j; idx_in++; c = in[idx_in]; ttflag_arr_two_loops_bad.c from Verisec benchmark 16

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC 17

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC The line number 18

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC The variables involved The line number 19

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC The variables involved The line number The specific value for variable 20

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC The variables involved The line number The specific value for variable Violated Property 21

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. #define INSIZE 14 int main (void){ unsigned char in[insize+1];... if (c == `-') { i=0; idx_in++; c = in[idx_in]; while ((`0' <= c) && (c <= `9')) { j = c - `0'; i = i * 10 + j; idx_in++; c = in[idx_in]; } } Property idx_in < 15 that has } been violated 22

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. #define INSIZE 14 int main (void){ unsigned char in[insize+1];... if (c == `-') { i=0; idx_in++; c = in[idx_in]; while ((`0' <= c) && (c <= `9')) { j = c - `0'; i = i * 10 + j; idx_in++; c = in[idx_in]; } } } Define the BOUND [0.. 14] Property idx_in < 15 that has been violated 23

Introduction -> Background -> Proposed Method Second Step: Model Checking with ESBMC 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. #define INSIZE 14 int main (void){ unsigned char in[insize+1];... if (c == `-') { i=0; idx_in++; c = in[idx_in]; while ((`0' <= c) && (c <= `9')) { j = c - `0'; i = i * 10 + j; idx_in++; c = in[idx_in]; } } } Define the BOUND [0.. 14] Loop doesn't control the value of the variable Property idx_in < 15 that has been violated 24

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Input: Code, CE_Out Output: New_instanced_code.c The runtime complexity is O(n + m) BEGIN Analysis The counter-example (CE_Out) and C program to collect several pieces of information FOREACH line from the C program IF the line number identified (counter-example) is equal to the line number of the C program IF the violated property is in a set of specific cases Apply a Trigger for a specific case Generate and write a new line using variable values from counter-example ELSE Generate and write a new line using variable values from counter-example ELSE Write the line from the C program END 25

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Input: Code, CE_Out Output: New_instanced_code.c FIRST PHASE: Collect several pieces of information BEGIN Analysis The counter-example (CE_Out) and C program to collect several pieces of information FOREACH line from the C program IF the line number identified (counter-example) is equal to the line number of the C program line = 14, var =idx_in and IF the violated property is in a set of specific value cases = 15 Apply a Trigger for a specific case Generate and write a new line using variable values from counter-example ELSE Generate and write a new line using variable values from counter-example ELSE Write the line from the C program END 26

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Input: Code, CE_Out Output: New_instanced_code.c SECOND PHASE: Generate a new instanced code BEGIN Analysis The counter-example (CE_Out) and C program to collect several pieces of information FOREACH line from the C program IF the line number identified (counter-example) is equal to the line number of the C program IF the violated property is in a set of specific cases Apply a Trigger for a specific case Generate and write a new line using variable values from counter-example ELSE Generate and write a new line using variable values from counter-example ELSE Write the line from the C program END 27

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Input: Code, CE_Out Output: New_instanced_code.c BEGIN Analysis The counter-example (CE_Out) and C program to collect several pieces of information FOREACH line from the C program IF the line number identified (counter-example) is equal to the line number of the C program END It makes a copy and replaces variables assignments CE: line = 14, var =idx_in and value = 15 IF the violated property is in a set of specific cases Apply a Trigger for New a specific Line: case idx_in = 15; Generate and write a new line using variable values from counter-example ELSE Generate and write a new line using variable values from counter-example ELSE Write the line from the C program 28

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Input: Code, CE_Out Output: New_instanced_code.c BEGIN Analysis The counter-example (CE_Out) and C program to collect several pieces of information UPPER BOUND FOREACH line from the C program Assert(idx_in < 15); IF the line number identified (counter-example) is equal to the line number of the C program IF the violated property is in a set of specific cases Apply a Trigger for a specific case Generate and write a new line using variable values from counter-example ELSE Generate and write a new line using variable values from counter-example ELSE Write the line from the C program END 29

Introduction -> Background -> Proposed Method Third Step: Code Instantiation 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. #define INSIZE 14 int main (void){ unsigned char in[insize+1];... if (c == `-') { i=0; idx_in= 9 ; //<- by EZProofC c =48 ; //<- by EZProofC while ((`0' <= c) && (c <= `9')) { j =3 ; //<- by EZProofC i =33 ; //<- by EZProofC idx_in= 15 ; //<- by EZProofC assert(idx_in<15); //<- by EZProofC c =51 ; //<- by EZProofC } } } Directly from the counter-example 30

Introduction -> Background -> Proposed Method Fourth Step: Code execution and confirmation of errors Module newz_ttflag_arr_two_loops_bad.c Result of the Execution Line:15:main:Assertion & idx in<15 failed. Aborted 31

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 32

Introduction -> Background -> Proposed Method -> Experimental Results Planning and Design the Experiments In order to evaluate the proposed method: We considered 211 ANSI-C programs Six different ANSI-C programs benchmarks: EUREKA, SNU, WCET, NEC, Siemens (SIR) and CBMC (C bounded model checker) tutorial. During this empirical evaluation: (1) Application of the EZProofC method; (2) Application of the tool Frama-C with value analysis plug-in frama-c -val <file.c> (3) Application of the tool Frama-C with the plug-in Jessie frama-c -jessie -jessie-atp=z3 <file.c> 33

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC #W TW #P TC TV #V CE SC and SW 1 bf5_20.c 49 6 <1s 33 <1s <60s 0-0 2 bubble_sort1_13.c 51 2 <1s 25 <1s <15s 0-0 3 fibonacci1_13.c 25 1 <1s 1 <1s <1s 0-0 4 init_sel_sort1_13.c 54 2 <1s 25 <1s <15s 0-0 5 minmax1_13.c 19 6 <1s 9 <1s <3s 0-0 6 n_k_gray_codes1_13.c 45 36 <1s 22 <1s <120s 0-11 7 prim4_8.c 79 12 <1s 30 <1s <60s 0-3 8 selection_sort1_13.c 54 2 <1s 25 <1s <15s 0-0 9 crc_det.c 125 1 <1s 15 <1s 840s 0-1 10 cnt_nondet.c 139 0 <1s 16 <1s <60s 0-0 11 minmax_unsafe1_13.c 19 6 <1s 9 <1s <4s 1 16 0 12 no_init_bubble_sort_safe1_13.c 25 2 <1s 14 <1s <7s 1 32 1 13 no_init_sel_sort1_13.c 41 5 <1s 25 <1s <15s 12 144 3 14 no_init_sel_sort_safe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 15 no_init_sel_sort_unsafe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 16 strcmp1_13.c 15 4 <1s 6 <1s 14400s 3 80 0 17 sum1_13.c 21 1 <1s 1 <1s <1s 1 48 0 18 sum_array1_13.c 11 1 <1s 7 <1s <3s 1 8 0 19 D_CBMC_assert_unsafy.c 15 4 <1s 1 <1s <1s 1 24 0 20 D_CBMC_bound_array.c 16 2 <1s 10 <1s <10s 1 30 1 21 D_CBMC_division_by_zero.c 32 3 <1s 1 <1s <1s 1 24 1 22 ex26.c 29 4 <1s 8 <1s 420s 2 1236 1 23 select_det.c 122 3 <1s 39 <1s 14400s 3 40 1 24 Siemens_print_tokens2.c 508 90 <1s 51 <1s 18000s 1 3344 34 34

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW C Program name LOC 35

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW Number of Warnings Execution time of Frama-C with Value Analysis plug-in 36

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW Number of Properties Time - Properties Identification 37

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW Time spent by ESBMC Counterexample LOC Violated Properties 38

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW Claims in common between EZProofC and Frama-C EZProofC tool are available at : https://sites.google.com/site/ezproofc/ 39

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW 1 bf5_20.c 49 6 <1s 33 <1s <60s 0-0 2 bubble_sort1_13.c 51 2 <1s 25 <1s <15s 0-0 3 fibonacci1_13.c 25 1 <1s 1 <1s <1s 0-0 4 init_sel_sort1_13.c 54 2 <1s 25 <1s <15s 0-0 5 minmax1_13.c 19 6 <1s 9 <1s <3s 0-0 6 n_k_gray_codes1_13.c 45 36 <1s 22 <1s <120s 0-11 7 prim4_8.c 79 12 <1s 30 <1s <60s 0-3 8 selection_sort1_13.c 54 2 <1s 25 <1s <15s 0-0 9 crc_det.c 125 1 <1s 15 <1s 840s 0-1 10 cnt_nondet.c 139 0 <1s 16 <1s <60s 0-0 EZProofC did not find any violated property 40

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW 11 minmax_unsafe1_13.c 19 6 <1s 9 <1s <4s 1 16 0 12 no_init_bubble_sort_safe1_13.c 25 2 <1s 14 <1s <7s 1 32 1 13 no_init_sel_sort1_13.c 41 5 <1s 25 <1s <15s 12 144 3 14 no_init_sel_sort_safe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 15 no_init_sel_sort_unsafe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 16 strcmp1_13.c 15 4 <1s 6 <1s 14400s 3 80 0 17 sum1_13.c 21 1 <1s 1 <1s <1s 1 48 0 18 sum_array1_13.c 11 1 <1s 7 <1s <3s 1 8 0 19 D_CBMC_assert_unsafy.c 15 4 <1s 1 <1s <1s 1 24 0 20 D_CBMC_bound_array.c 16 2 <1s 10 <1s <10s 1 30 1 21 D_CBMC_division_by_zero.c 32 3 <1s 1 <1s <1s 1 24 1 22 ex26.c 29 4 <1s 8 <1s 420s 2 1236 1 23 select_det.c 122 3 <1s 39 <1s 14400s 3 40 1 24 Siemens_print_tokens2.c 508 90 <1s 51 <1s 18000s 1 3344 34 All possible scenarios in terms of LOC??? 41

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW 11 minmax_unsafe1_13.c 19 6 <1s 9 <1s <4s 1 16 0 12 no_init_bubble_sort_safe1_13.c 25 2 <1s 14 <1s <7s 1 32 1 13 no_init_sel_sort1_13.c 41 5 <1s 25 <1s <15s 12 144 3 14 no_init_sel_sort_safe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 15 no_init_sel_sort_unsafe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 16 strcmp1_13.c 15 4 <1s 6 <1s 14400s 3 80 0 17 sum1_13.c 21 1 <1s 1 <1s <1s 1 48 0 18 sum_array1_13.c 11 1 <1s 7 <1s <3s 1 8 0 19 D_CBMC_assert_unsafy.c 15 4 <1s 1 <1s <1s 1 24 0 20 D_CBMC_bound_array.c 16 2 <1s 10 <1s <10s 1 30 1 21 D_CBMC_division_by_zero.c 32 3 <1s 1 <1s <1s 1 24 1 22 ex26.c 29 4 <1s 8 <1s 420s 2 1236 1 23 select_det.c 122 3 <1s 39 <1s 14400s 3 40 1 24 Siemens_print_tokens2.c 508 90 <1s 51 <1s 18000s 1 3344 34 Frama-C X EZProofC 42

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW 11 minmax_unsafe1_13.c 19 6 <1s 9 <1s <4s 1 16 0 12 no_init_bubble_sort_safe1_13.c 25 2 <1s 14 <1s <7s 1 32 1 13 no_init_sel_sort1_13.c 41 5 <1s 25 <1s <15s 12 144 3 14 no_init_sel_sort_safe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 15 no_init_sel_sort_unsafe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 16 strcmp1_13.c 15 4 <1s 6 <1s 14400s 3 80 0 17 sum1_13.c 21 1 <1s 1 <1s <1s 1 48 0 18 sum_array1_13.c 11 1 <1s 7 <1s <3s 1 8 0 19 D_CBMC_assert_unsafy.c 15 4 <1s 1 <1s <1s 1 24 0 20 D_CBMC_bound_array.c 16 2 <1s 10 <1s <10s 1 30 1 21 D_CBMC_division_by_zero.c 32 3 <1s 1 <1s <1s 1 24 1 22 ex26.c 29 4 <1s 8 <1s 420s 2 1236 1 23 select_det.c 122 3 <1s 39 <1s 14400s 3 40 1 24 Siemens_print_tokens2.c 508 90 <1s 51 <1s 18000s 1 3344 34 Frama-C X EZProofC Why?? Values Analysis plug-in 43

Introduction -> Background -> Proposed Method -> Experimental Results Experiment s Execution and Results Analysis ID Module #L Frama-C EZProofC/ESBMC SC and #W TW #P TC TV #V CE SW 11 minmax_unsafe1_13.c 19 6 <1s 9 <1s <4s 1 16 0 12 no_init_bubble_sort_safe1_13.c 25 2 <1s 14 <1s <7s 1 32 1 13 no_init_sel_sort1_13.c 41 5 <1s 25 <1s <15s 12 144 3 14 no_init_sel_sort_safe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 15 no_init_sel_sort_unsafe1_13.c 28 5 <1s 14 <1s <7s 1 32 3 16 strcmp1_13.c 15 4 <1s 6 <1s 14400s 3 80 0 17 sum1_13.c 21 1 <1s 1 <1s <1s 1 48 0 18 sum_array1_13.c 11 1 <1s 7 <1s <3s 1 8 0 19 D_CBMC_assert_unsafy.c 15 4 <1s 1 <1s <1s 1 24 0 20 D_CBMC_bound_array.c 16 2 <1s 10 <1s <10s 1 30 1 21 D_CBMC_division_by_zero.c 32 3 <1s 1 <1s <1s 1 24 1 22 ex26.c 29 4 <1s 8 <1s 420s 2 1236 1 23 select_det.c 122 3 <1s 39 <1s 14400s 3 40 1 24 Siemens_print_tokens2.c 508 90 <1s 51 <1s 18000s 1 3344 34 Jessie plug-in?? Frama-C X EZProofC Why?? Values Analysis plug-in 44

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 45

Introduction -> Background -> Proposed Method -> Experimental Results -> Related Work Related Work Ji et al.: Design and Implementation of Retargetable Software Debugger Based on GDB. In: Intl. Conf. on Convergence and Hybrid Information Technology (CHIT). 2008. Fixed entry values X Tests exhautively Taghdiri, M.: Inferring Specifications to Detect Errors in Code. In: Intl. Conf. on Automated Software Engineering (ASE). 2004. SAT solver X SMT solver Drawback: Solving only structural properties (constrain configuration) 46

Introduction -> Background -> Proposed Method -> Experimental Results -> Related Work Related Work Cousot et al.: The ASTRÉE analyzer. In: Programming Languages and Systems (PLS). 2005. Analyzes structured C programs, BUT without dynamic memory allocation and recursion EZProofC provides support for structures not supported by Astrée 47

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Results 5. Related Work 6. Conclusions and Future Work 48

Proposed Method -> Experimental Results -> Related Work -> Conclusions and Future Work Conclusions and Future Work Proposed Method To help developers not familiar with formal verification techniques (find failures); EZProofC is a completely automatic method that does not need to write specifications; The experimental results have shown to be very effective over publicly available benchmarks; 49

Proposed Method -> Experimental Results -> Related Work -> Conclusions and Future Work Conclusions and Future Work Future Work Verification with simplifications in the model (e.g. function-byfunction verification); We intend to extend our experiments to evaluate the usability of the proposed method; We also plan to adapt the proposed method to use other model checkers (Blast and Java PathFinder) that rely on other abstraction techniques. 50

Experimental Results -> Related Work -> Conclusions and Future Work -> Questions Questions?? Thank you for your attention! 51

Experimental Results -> Related Work -> Conclusions and Future Work -> Questions -> References References Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press (2008) Beyer, D., Henzinger, T.A., Jhala, R., Majumdar, R.: The software model checker Blast: Applications to software engineering. In: Int. J. Softw. Tools Technol. Transf. (STTT). vol. 9, pp. 505 525 (2007) Cordeiro, L., Fischer, B.: Verifying Multi-threaded Software using SMT-based Context-Bounded Model Checking. In: Intl. Conf. on Software Engineering (ICSE). pp. 331 340 (2011) Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-Based Bounded Model Checking for Embedded ANSI-C Software. In: IEEE Transactions on Software Engineering (TSE). vol. 99 (2011), http://eprints.ecs.soton.ac.uk/22291/ Havelund, K.: Java PathFinder, A Translator from Java to Promela. In: Intl. SPIN Workshops on Theoretical and Practical Aspects of SPIN Model Checking. p. 152 (1999) 52

Experimental Results -> Related Work -> Conclusions and Future Work -> Questions -> References References ESBMC. Efficient SMT-Based Context Bounded Model Checker. http://esbmc.org. EUREKA. www.ai-lab.it/eureka/bmc.html. SNU. http://archi.snu.ac.kr/realtime/benchmark; WCET. www.mrtc.mdh.se/projects/wcet/benchmarks.html NEC. http://www.nec-labs.com/research/system; SIR-SIEMENS. http://sir.unl.edu/portal/index.htm; CBMC. http://www.cprover.org/cbmc/doc/manual.pdf UNCRUSTIFY. http://uncrustify.sourceforge.net VERISEC. http://se.cs.toronto.edu/index.php/verisec_suite 53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback