Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Similar documents
Automatic Software Verification

Formal Methods for Software Development

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Model checking pushdown systems

Tool demonstration: Spin

More on Verification and Model Checking

Symbolic and Concolic Execution of Programs

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

On Reasoning about Finite Sets in Software Checking

Software Model Checking. Xiangyu Zhang

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Introduction to CBMC: Part 1

Static program checking and verification

Bounded Model Checking Of C Programs: CBMC Tool Overview

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Formal Methods in Software Engineering. Lecture 07

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

The Spin Model Checker : Part I/II

Finite State Verification. CSCE Lecture 14-02/25/2016

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Verifying C & C++ with ESBMC

Model Checking Embedded C Software using k-induction and Invariants

Leveraging DTrace for runtime verification

Monitoring Interfaces for Faults

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

B.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University

Aryan College. Fundamental of C Programming. Unit I: Q1. What will be the value of the following expression? (2017) A + 9

Formal Verification Using Static and Dynamic Analyses. Aleksandr Zaks. A dissertation submitted in partial fulfillment

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Handling Loops in Bounded Model Checking of C Programs via k-induction

BITCOIN MINING IN A SAT FRAMEWORK

Having a BLAST with SLAM

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Finite State Verification. CSCE Lecture 21-03/28/2017

C Code Verification based on the Extended Labeled Transition System Model

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Having a BLAST with SLAM

Deductive Methods, Bounded Model Checking

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Static Program Analysis

Formal Specification and Verification

T Reactive Systems: Kripke Structures and Automata

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model Checking with Automata An Overview

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

: A Bounded Model Checking Tool to Verify Qt Applications

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

Verification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80

Logic Model Checking

Simulation and Verification of the Virtual Memory Management System with MSVL

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Lectures 20, 21: Axiomatic Semantics

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Formal Specification and Verification

CS61C Machine Structures. Lecture 3 Introduction to the C Programming Language. 1/23/2006 John Wawrzynek. www-inst.eecs.berkeley.

TLA+ TLC. Rui Fan Stanislav Funiac Mandana Vaziri. Presented by Spring 2001

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Having a BLAST with SLAM

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

Network Protocol Design and Evaluation

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Software Engineering using Formal Methods

Timo Latvala. January 28, 2004

Lexical Analysis. Lexical analysis is the first phase of compilation: The file is converted from ASCII to tokens. It must be fast!

Computer-Aided Program Design

Model checking Timber program. Paweł Pietrzak

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

Software Model Checking. From Programs to Kripke Structures

Introduction to Axiomatic Semantics (1/2)

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Constraint Programming on Infinite Data Streams

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Having a BLAST with SLAM

µz An Efficient Engine for Fixed Points with Constraints

PLDI 2016 Tutorial Automata-Based String Analysis

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Applications of Formal Verification

HECTOR: Formal System-Level to RTL Equivalence Checking

15-819M: Data, Code, Decisions

Practical Model-based Testing With Papyrus and RT-Tester

The Pointer Assertion Logic Engine

Proving liveness. Alexey Gotsman IMDEA Software Institute

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Combining Static and Dynamic Contract Checking for Curry

Introduction to Axiomatic Semantics (1/2)

Symbolic Execu.on. Suman Jana

Model-Checking Concurrent Systems

Termination Analysis of C Programs Using Compiler Intermediate Languages

Lectures 5-6: Introduction to C

Hyperkernel: Push-Button Verification of an OS Kernel

The SPIN Model Checker

(How) Did you specify your test suite?

Integrating a SAT Solver with Isabelle/HOL

CUTE: A Concolic Unit Testing Engine for C

Transcription:

Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China

Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion and Future Work

Background & Motivation We focus on Software model checking in code-level (1) Rechability analysis of bad things int* a; int i=0; if(a==0) goto Err; i= *a; //de-referencing a Err: However, verifiation of other temporal properties such as liveness etc. cannot be supported! Suitable for only safety property verification Two well known ways: CEGAR and bounded model checking Tools: SLAM, BLAST, CPAChecker and CBMC

Background & Motivation (2) Model checking temporal properties without executing code (static) Considering all possible behaviors makes small programs have large state-space Tools: Ultmate LTLAutomizer, T2,... Difficult to verify programs in large scale Poor in accuracy with lots of false positives

Background & Motivation (3) Model checking temporal properties at run-time Extracting events while executing systems A monitor is designed in advance to check whether the trace violates the desired property Tools: Java PathExplorer, RiTHM, Interaction between systems and monitors incurs extra overhead

Background & Motivation Our approach: Verifying full-regular (temporal) properties of programs via dynamic program execution Executing both the program and property

Background & Motivation Approach Overview MSVL Program M MSVL Compiler IR KLEE Verification cases MSVL Program M_and_M.exe Verification Results M MSVL Program MSVL Compiler PPTL formula Trans MSVL Program M and M P M

Modeling Simulation and Verification Language Modeling Simulation and Verification Language (MSVL) is an executing subset of Projection Temporal Logic (PTL) with framing techniue Data Types: (unsigned) int, float, (unsigned) char, string, array, pointer, struct, union Syntax : Arithmetic expression Boolean expression

Modeling Simulation and Verification Language Two kinds of functions in MSVL programs External functions C standard library functions (strcat, strcmp, strlen, strcpy ) MSVL functions MSVL standard library functions (int getline(int len,char s[ ]){ }) MSVL user-defined functions (void f(int x 1, x 2,,x n ){ }) Two kinds of function calls in MSVL programs Black-box call (extern f(e 1,e 2,,e n )) White-box call (only for MSVL functions: f(e 1,e 2,,e n ))

Elementary Statements in MSVL Projection Temporal Logic

MSVL Normal form of MSVL programs Present components Future components A program Conjunction of state statements An internal program where variables may refer to the previous states Execution of MSVL programs is based on transforming programs into normal forms

MSVL Compiler MSVL Program MSVL Frontend Symbol table managing Lexical analysis Syntax analysis Preprocessing Semantic analysis IR generation Developed based on Error handling LLVM IR optimizing Object code generation Object code LLVM Backend

MSVL Compiler Case Studies Dining philosophers problem LTL2BA A program for translating LTL formulas to Büchi automata Simple CPU An adder including dereference, decode and execution

Propositional Projection Temporal Logic Propositional Projection Temporal Loigc (PPTL) Syntax Semantics An interval σ is a non-empty seuence of states, which can be finite or infinite.

Propositional Projection Temporal Logic An interpretation is a triple I = (σ, i, j), where σ is an interval, i is an integer, and j an integer or ω. The satisfaction relation is inductively defined as follows: I = p iff si[p] = true, and p Prop is an atomic proposition p I = P iff i < j and (σ, i+1, j) = P P I = P iff I P I = P Q iff I = P or I = Q

Propositional Projection Temporal Logic I = (P 1, P 2,,P m ) prj P, if there exist integers r 0 r 1 r m j such that (σ, r l-1, r l ) = P l, 1 l m, and (σ, 0, σ ) = P for one of the following σ : (a) r m < j and σ = σ (r 0,, r m ) σ(r m+1,, j), or (b) r m = j and σ = σ (r 0,, r h ) for some 0 h m <s 0,s 1,s 2,s 3,s 4 > (0,0,2,2,2,3)=<s 0,s 2,s 3 > (P 1, P 2, P 3 ) prj P P Derived formulas P 1 P 2 P 3

Normal Form of PPTL formulas A PPTL formula P is in normal form if, P fj is a PPTL formula without disjuct being the main operator P ei and P cj are true or state formulas of the form: Theorem: Any PPTL formula can be euivalently transformed into its normal form.

Labeled Normal Form Graph labeled normal form graphs (LNFG) are constructed based on normal form of PPTL formulas LNFG of a PPTL formula is a 4-tuple CL : non-empty finite set of nodes EL: set of directed edges among CL V 0 : set of initial (root) nodes :, 1 i k, set of nodes with l i being the label. Inf(π): set of nodes which infinitely often occur in path π A path is acceptable if it is finite, or infinite and all the nodes in Inf(π) do not share a same label.

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p n 1 n 2 NF(n 0 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p p n 1 n 2 NF(n 1 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p p n 1 n 2 l 1 n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p NF(n 2 ) = p ( ( ) ((p;) ) ) n 1 n 2 l 1 ( ( ) (fin(l 1 );) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable

Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 1 n 0 p p n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable Path π =< n 0, p, (n 2,, n 1, p ) ω > Nodes that occur infinitely often do not have a same label Acceptable

From PPTL to MSVL Use a uniue integer to represent each of nodes in the LNFG 1 p p 2 3

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 Global Variable CuNode:presenting the node explored at the current state. The first node to be explored is a root node (CuNode <==1)

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

Verification as Dynamic Program Execution Example: Traffic Light EW= SN= 1 2 3 4 EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

Verification as Dynamic Program Execution Example: Traffic Light EW= SN= 1 2 3 4 EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

Verification as Dynamic Program Execution Example: Traffic Light EW= SN= 1 2 3 4 EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

Verification as Dynamic Program Execution Example: Traffic Light EW= SN= 1 2 3 4 EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

Verification as Dynamic Program Execution Whether M violates P? Program M frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) Desired Property P 1 e1: true e2: (EW= SN=) (EW= SN=) e1 e3 e4 e3: true e2 e4: (EW= SN=) (EW= SN=) e5: true 2 4 e5 e10 e6: EW= SN= e11 e7: EW= SN= e6 e12 e8: true 3 e9: true e7 e8 e9 e10: true e11: EW= SN= e12: EW= SN= MSVL Program frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) and CuNode<==1 and while(more) { if(cunode=1)then{ CuNode:=2 or if((ew= and SN=) or (EW= and SN=)) then{cunode:=3}else{false} or CuNode:=4 } else { if(cunode=2)then{ L={l 1 } and ( CuNode:=2 or if(ew= and SN=) then{node:=3}else {false})} else{ if(cunode=3)then{cunode:=3} else{ if(cunode=4) then{ L={l 2 } and ( CuNode:=4 or if(ew= and SN=) then {CuNode:=3}else{false}) }else{false}}}} }; if(cunode=1) then{ } else { if(cunode=2)then{ } else{ if(cunode=3)then{ } else{ if(cunode=4)then{ }else{false}}} } M P

Verification as Dynamic Program Execution EW SN An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > A finite execution in M A finite path in LNFG of P 1 2 3 4 5 1 2 4 3 All executions in M and P 1,1 2,2 2,4 3,2 3,4 4,2 4,4 1,4 1,2 2,3 5 3,3 Finite: A finite execution in M and P 1,1 2,2 3,2 4,2 5,5 5,5 4,3 1,3 EW SN

EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P An infinite execution in M 1 2 3 4 An infinite path in LNFG of P 5 2 1 3 4 3,2 4,2 2,2 1,2 3,3 1,1 2,3 2,4 1,4 3,4 4,4 Infinite: EW SN An infinite execution in M and P 1,1 2,2 3,3 4,3 1,3 2,3 5 5,5 4,3 1,3

EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P Infinite: An infinite execution in M 1 2 3 4 EW SN An infinite execution in M and P An infinite path in LNFG of P 1,1 2,2 3,2 4,2 1,2 5 2 1 3 4 5 3,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4

Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. EW SN Finite: Verification as Dynamic Program Execution EW SN 1 2 3 4 1,1 2,2 3,2 4,2 5,5 EW= SN= EW= EW= SN= SN= false Feasibility checking(finite) 5 true true 2 EW= SN= 1 3 check true true true false 4 5 3,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 Infeasible 1,3 2,4 1,4 3,4 4,4

EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. Infinite: EW SN 1 2 3 4 EW= SN= EW= SN= EW= SN= 5 1,1 2,2 3,3 4,3 1,3 2,3 check true false false true 2 1 EW= SN= Feasibility checking (infinite) 3 4 5 3,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4 Infeasible

EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: 1 2 3 4 Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true 1 3 4 5 3,2 4,2 1,2 5,5 Feasible 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4

EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: 1 2 3 4 Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true 1 3 4 5 3,2 4,2 1,2 Feasible 1,1 2,4 1,4 3,4 4,4 All feasible executions in M and P

EW SN Verification as Dynamic Program Execution A feasible execution σ =<s 0, s 1,...> is acceptable if (1) σ is finite; or (2) σ is infinite and no lables are shared by all the states in Inf (σ) 1 2 3 4 5 true 2 1 true l 2,2 1 3 4 5 3,2 4,2 1,2 1,1 2,4 1,4 3,4 4,4 Infinite: Whether a feasible path is acceptable? true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true = {l 1 } label φ {l 1 } {l 1 } {l 1 } {l 1 } l 1 is shared by all the states in Inf (σ) Unacceptable

Verification as Dynamic Program Execution Suppose the model is modified as follows: All feasible executions in M and P 1,1 EW SN Infinite: 1 2 3 4 1,1 2,2 3,3 4,3 1,3 EW SN check true true true true 5 true 2 1 3 4 true A counterexample is found! true = φ label φ l 1 φ φ φ φ l 1 EW= SN= true 5 2,3 3,2 4,2 2,2 1,2 5,5 3,3 4,3 2,3 1,3 2,4 1,4 3,4 4,4 no label is shared by all the states in Inf (σ) Acceptable

Implementation MSVL program M PPTL formula UMC4MSVL Construct LNFG M_IR MSVL Compiler M and M M LNFG LNFG2MSVL KLEE M_and_M.exe feasible? yes Verification cases no no acceptable? All cases are verified yes No error found Error

Verifying Programs Case Studies Dining philosophers problem liveness property: every philosopher can eat. LTL2BA A software for translating LTL formula to Büchi automata a Büchi automaton is generated with at most n 2 n (n is the number of fairness conditions) states Simple CPU An adder including dereference, decode and execution If the address signal is true, the address is program counter address

Translating from C to MSVL C program Preprocessing Twolf (C Program) Lexical analysis ( C:15,912LOC MSVL:32,843LOC) YES Direct translation Syntax analysis Existing corresponding statement in MSVL? NO Semantics guided translation Twolf is selected from the SPEC CPU 2000 Benchmark. It is used in the process of creating the lithography artwork needed for the production of microchips. Post processing MSVL program C library function

Translating from Verilog/VHDL to MSVL Verilog/VHDL program Preprocessing Lexical analysis Syntax analysis Semantic analysis IR generation Semantics guided translation SHA (Verilog Program) (Verilog:20,397LOC MSVL:44,583LOC) SHA (Secure Hash Algorithm) is a cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). MSVL program

Generating Verification Cases Dynamic Symbolic Execution is used to generate verification cases MSVL program (IR) KLEE execute record path constraint negate a branch condition generate new inputs solve path constraints (SMT solver Z3) yes successful? no Verification cases end

Generating Verification Cases Case Studies RERS P15 (RERS Benchmark) A reactive system, where an engine calculates an output depending on the input and current state, and finally writes the output to the standard output Totally, 16807 verification cases are generated with KLEE Line Coverage: 41.81% Branch Coverage: 50.70% Property: 24 will never be output later than 22

Verifying Programs Verification of (small) programs of Benchmark1 Our method All the four tools can successfully output the verification results. However, UMC4MSVL is more efficient than other three tools.

Verifying Programs Verification of larger programs in Benchmark2 Our method Success rate 44% 19% 100% 100% Avg Time(s) 133.49 49.41 134.49 14.29

Verifying Programs Verification of real-world programs All the programs and properties are successfully verified by UMC4MSVL in 403.2 seconds. Other three tools fail on these programs.

Conclusion and Future Research We proposed a run-time unified model checking approach by executing both programs and properties at the same time. We use dynamic symbolic execution techniue to generate verification cases for achieving higher path coverage. However, the proposed approach is incomplete. In the future: Investigate more strategies for generating better verification cases Planning with MSVL Complier Bug-fixing guided by counterexamples

Thanks! & Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback