CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Similar documents
Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Action Language Verifier, Extended

SAT-based Model Checking for C programs

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Lecture 2: Symbolic Model Checking With SAT

Finite State Verification. CSCE Lecture 14-02/25/2016

Software Model Checking. Xiangyu Zhang

Finite State Verification. CSCE Lecture 21-03/28/2017

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Deductive Methods, Bounded Model Checking

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Ashish Sabharwal Computer Science and Engineering University of Washington, Box Seattle, Washington

Boolean Representations and Combinatorial Equivalence

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

Bounded Model Checking Of C Programs: CBMC Tool Overview

SAT Solver. CS 680 Formal Methods Jeremy Johnson

Binary Decision Diagrams

Introduction to CBMC: Part 1

More on Verification and Model Checking

Symbolic Trajectory Evaluation - A Survey

8.1 Polynomial-Time Reductions

Boolean Functions (Formulas) and Propositional Logic

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

NP-Completeness of 3SAT, 1-IN-3SAT and MAX 2SAT

Parallel and Distributed Computing

Handling Loops in Bounded Model Checking of C Programs via k-induction

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

NuSMV Hands-on introduction

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Symbolic and Concolic Execution of Programs

F-Soft: Software Verification Platform

Formal Verification: Practical Exercise Model Checking with NuSMV

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Decision Procedures in the Theory of Bit-Vectors

PLDI 2016 Tutorial Automata-Based String Analysis

Bounded Model Checking of Concurrent Programs

Cyber Physical System Verification with SAL

CS 510/13. Predicate Abstraction

[Ch 6] Set Theory. 1. Basic Concepts and Definitions. 400 lecture note #4. 1) Basics

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

White-Box Testing Techniques III

Symbolic Model Checking

Model checking pushdown systems

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

Predicate Abstraction of ANSI C Programs using SAT

Static Analysis and Bugfinding

Alloy: A Lightweight Object Modelling Notation

! Greed. O(n log n) interval scheduling. ! Divide-and-conquer. O(n log n) FFT. ! Dynamic programming. O(n 2 ) edit distance.

Model Checking Software Programs with. First Order Logic Specifications using AIG Solvers

HECTOR: Formal System-Level to RTL Equivalence Checking

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis

Program verification. Generalities about software Verification Model Checking. September 20, 2016

1 Definition of Reduction

EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving. Sanjit A. Seshia EECS, UC Berkeley

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

arxiv: v2 [cs.pl] 3 Apr 2018

Automated Test Generation using CBMC

EECS 219C: Formal Methods Boolean Satisfiability Solving. Sanjit A. Seshia EECS, UC Berkeley

SAT-CNF Is N P-complete

Lecture Notes on Binary Decision Diagrams

Having a BLAST with SLAM

Chapter 8. NP and Computational Intractability. Slides by Kevin Wayne. Copyright 2005 Pearson-Addison Wesley. All rights reserved.

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

8.1 Polynomial-Time Reductions

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

From Program to Logic: An Introduction

EECS 219C: Formal Methods Binary Decision Diagrams (BDDs) Sanjit A. Seshia EECS, UC Berkeley

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Program Analysis and Constraint Programming

NP-Complete Reductions 2

! Greed. O(n log n) interval scheduling. ! Divide-and-conquer. O(n log n) FFT. ! Dynamic programming. O(n 2 ) edit distance.

CSC2108: Automated Verification Assignment 1 - Solutions

Randomness and Computation March 25, Lecture 5

1.4 Normal Forms. We define conjunctions of formulas as follows: and analogously disjunctions: Literals and Clauses

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

Discrete Mathematics Lecture 4. Harper Langston New York University

Model Checking I Binary Decision Diagrams

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

Chapter 10 Part 1: Reduction

Mixed Integer Linear Programming

Lecture 14: Lower Bounds for Tree Resolution

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

NP and computational intractability. Kleinberg and Tardos, chapter 8

Reductions and Satisfiability

Opportunities for Industrial Applications of Formal Methods

Lecture Notes on Real-world SMT

Polynomial SAT-Solver Algorithm Explanation

Model-Checking Concurrent Systems

On Reasoning about Finite Sets in Software Checking

Error Explanation with Distance Metrics

Transcription:

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan

Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas Fixpoint computation becomes formula manipulation pre-condition (EX) computation: Existential variable elimination conjunction (intersection), disjunction (union) and negation (set difference), and equivalence check Use an efficient data structure for boolean logic formulas Binary Decision Diagrams (BDDs)

An Extremely Simple Example Variables: x, y: boolean Set of states: S = {(F,F), (F,T), (T,F), (T,T)} S True Initial condition: I x y F,F F,T T,F T,T Transition relation (negates one variable at a time): R x = x y =y x =x y = y (= means )

An Extremely Simple Example Assume that we want to check if this transition system satisfies the property AG( x y) Instead of checking AG( x y) we can check EF(x y) Since AG( x y) EF(x y) I AG( x y) if and only if I EF(x y) = If we find an initial state which satisfies EF(x y) (i.e., there exists a path from an initial state where eventually x and y both become true at the same time) Then we conclude that the property AG( x y) does not hold for this transition system If there is no such initial state, then property AG( x y) holds for this transition system

An Extremely Simple Example Given p x y, compute EX(p) F,F T,F EX(p) V R p[v / V] V R x y V (x = x y =y x =x y = y ) x y V (x = x y =y) x y (x =x y = y) x y V x y x y x y x y x y x y F,T T,T EX(x y) x y x y In other words EX({(T,T)}) {(F,T), (T,F)}

An Extremely Simple Example 3 F,F T,F 2 Let s compute compute EF(x y) F,T T,T 1 The fixpoint sequence is False, x y, x y EX(x y), x y EX (x y EX(x y)),... If we do the EX computations, we get: False, x y, x y x y x y, True 0 1 2 3 EF(x y) True {(F,F),(F,T), (T,F),(T,T)} This transition system violates the property AG( x y) since it has an initial state that satisfies the property EF(x y)

Bounded Model Checking Represent sets of states and the transition relation as Boolean logic formulas Instead of computing the fixpoints, unroll the transition relation up to certain fixed bound and search for violations of the property within that bound Transform this search to a Boolean satisfiability problem and solve it using a SAT solver

Same Extremely Simple Example Variables: x, y: boolean Set of states: S = {(F,F), (F,T), (T,F), (T,T)} S True Initial condition: I(x,y) x y F,F F,T T,F T,T Transition relation (negates one variable at a time): R(x,y,x,y ) x = x y =y x =x y = y (= means )

Bounded Model Checking Assume that we like to check that if the initial states satisfy the formula EF(x y) Instead of computing a backward fixpoint, we will unroll the transition relation a fixed number of times starting from the initial states For each unrolling we will create a new set of variables: The initial states of the system will be characterized with the variables x 0 and y 0 The states of the system after executing one transition will be characterized with the variables x 1 and y 1 The states of the system after executing two transitions will be characterized with the variables x 2 and y 2

Unrolling the Transition Relation Initial states: I(x 0,y 0 ) x 0 y 0 Unrolling the transition relation once (bound k=1): I(x 0,y 0 ) R(x 0,y 0,x 1,y 1 ) x 0 y 0 (x 1 = x 0 y 1 =y 0 x 1 =x 0 y 1 = y 0 ) Unrolling the transition relation twice (bound k=2): I(x 0,y 0 ) R(x 0,y 0,x 1,y 1 ) R(x 1,y 1,x 2,y 2 ) x 0 y 0 (x 1 = x 0 y 1 =y 0 x 1 =x 0 y 1 = y 0 ) (x 2 = x 1 y 2 =y 1 x 2 =x 1 y 2 = y 1 ) Unrolling the transition relation thrice (bound k=3): I(x 0,y 0 ) R(x 0,y 0,x 1,y 1 ) R(x 1,y 1,x 2,y 2 ) R(x 2,y 2,x 3,y 3 ) x 0 y 0 (x 1 = x 0 y 1 =y 0 x 1 =x 0 y 1 = y 0 ) (x 2 = x 1 y 2 =y 1 x 2 =x 1 y 2 = y 1 ) (x 3 = x 2 y 3 =y 2 x 3 =x 2 y 3 = y 2 )

Expressing the Property How do we represent the property we wish to verify? Remember the property: We were interested in finding out if some initial state satisfies EF(x y) This is equivalent to checking if x y holds in some reachable state If we are doing bounded model checking with bound k=3, we can express this property as: x 0 y 0 x 1 y 1 x 2 y 2 x 3 y 3

Converting to Satisfiability We end up with the following formula for bound k=3: F I(x 0,y 0 ) R(x 0,y 0,x 1,y 1 ) R(x 1,y 1,x 2,y 2 ) R(x 2,y 2,x 3,y 3 ) (x 0 y 0 x 1 y 1 x 2 y 2 x 3 y 3 ) x 0 y 0 (x 1 = x 0 y 1 =y 0 x 1 =x 0 y 1 = y 0 ) (x 2 = x 1 y 2 =y 1 x 2 =x 1 y 2 = y 1 ) (x 3 = x 2 y 3 =y 2 x 3 =x 2 y 3 = y 2 ) (x 0 y 0 x 1 y 1 x 2 y 2 x 3 y 3 ) Here is the main observation: if F is a satisfiable formula then there exists an initial state which satisfies EF(x y) A satisfying assignment to the boolean variables in F corresponds to a counter-example for AG( x y) (i.e., a witness for EF(x y))

The Result F x 0 y 0 (x 1 = x 0 y 1 =y 0 x 1 =x 0 y 1 = y 0 ) (x 2 = x 1 y 2 =y 1 x 2 =x 1 y 2 = y 1 ) (x 3 = x 2 y 3 =y 2 x 3 =x 2 y 3 = y 2 ) (x 0 y 0 x 1 y 1 x 2 y 2 x 3 y 3 ) F,F F,T T,F T,T Here is a satisfying assignment: x 0 =F, y 0 =F, x 1 =F, y 1 =T, x 2 =T, y 2 =T, x 3 =F, y 3 =T which corresponds to the (bounded) path: (F,F), (F,T), (T,T), (F,T)

What Can We Guarantee? We converted checking property AG(p) to Boolean SAT solving by looking for bounded paths that satisfy EF( p) Note that we are checking only for bounded paths (paths which have at most k+1 distinct states) So if the property is violated by only paths with more than k+1 distinct states, we would not find a counterexample using bounded model checking Hence if we do not find a counter-example using bounded model checking we are not sure that the property holds However, if we find a counter-example, then we are sure that the property is violated since the generated counterexample is never spurious (i.e., it is always a concrete counter-example)

Bounded Model Checking for LTL It is possible to extend the basic ideas we discussed for verifying properties of the form AG(p) to all LTL (and even ACTL*) properties. The basic observation is that we can define a bounded semantics for LTL properties so that if a path satisfies an LTL property based on the bounded semantics, then it satisfies the property based on the unbounded semantics This is why a counter-example found on a bounded path is guaranteed to be a real counter-example However, this does not guarantee correctness

Bounded Model Checking: Proving Correctness One can also show that given an LTL property f, if E f holds for a finite state transition system, then E f also holds for that transition system using bounded semantics for some bound k So if we keep increasing the bound, then we are guaranteed to find a path that satisfies the formula And, if we do not find a path that satisfies the formula, then we decide that the formula is not satisfied by the transition system Is there a problem here?

Proving Correctness We can modify the bounded model checking algorithm as follows: Start from an initial bound. If no counter-examples are found using the current bound, increment the bound and try again. The problem is: We do not know when to stop

Proving Correctness If we can find a way to figure out when we should stop then we would be able to provide guarantee of correctness. There is a way to define a diameter of a transition system so that a property holds for the transition system if and only if it is not violated on a path bounded by the diameter. So if we do bounded model checking using the diameter of the system as our bound, then we can guarantee correctness if no counter-example is found.

Bounded Model Checking What are the differences between bounded model checking and BDD-based symbolic model checking? In bounded model checking we are using a SAT solver instead of a BDD library In symbolic model checking we do not unroll the transition relation as in bounded model checking In bounded model checking we do not compute the fixpoint as in symbolic model checking In symbolic model checking for finite state systems both verification and falsification results are guaranteed In bounded model checking we can only guarantee the falsification results, in order to guarantee the verification results we need to know the diameter of the system

Bounded Model Checking Boolean satisfiability problem (SAT) is an NP-complete problem A bounded model checker needs an efficient SAT solver zchaff SAT solver is one of the most commonly used ones However, in the worst case any SAT solver we know will take exponential time Most SAT solvers require their input to be in Conjunctive Normal Form (CNF) So the final formula has to be converted to CNF

Bounded Model Checking Similar to BDD-based symbolic model checking, bounded model checking was also first used for hardware verification Later on, it was applied to software verification

Bounded Model Checking for Software CBMC is a bounded model checker for ANSI-C programs Handles function calls using inlining Unwinds the loops a fixed number of times Allows user input to be modeled using non-determinism So that a program can be checked for a set of inputs rather than a single input Allows specification of assertions which are checked using the bounded model checking

Loops Unwind the loop n times by duplicating the loop body n times Each copy is guarded using an if statement that checks the loop condition At the end of the n repetitions an unwinding assertion is added which is the negation of the loop condition Hence if the loop iterates more than n times in some execution, the unwinding assertion will be violated and we know that we need to increase the bound in order to guarantee correctness A similar strategy is used for recursive function calls The recursion is unwound up to a certain bound and then an assertion is generated stating that the recursion does not go any deeper

A Simple Loop Example Original code x=0; while (x < 2) { y=y+x; x++; } Unwinding assertion: Unwinding the loop 3 times x=0; if (x < 2) { y=y+x; x++; } if (x < 2) { y=y+x; x++; } if (x < 2) { y=y+x; x++; } assert (! (x < 2))

From Code to SAT After eliminating loops and recursion, CBMC converts the input program to the static single assignment (SSA) form In SSA each variable appears at the left hand side of an assignment only once This is a standard program transformation that is performed by creating new variables In the resulting program each variable is assigned a value only once and all the branches are forward branches (there is no backward edge in the control flow graph) CBMC generates a Boolean logic formula from the program using bit vectors to represent variables

Another Simple Example Original code x=x+y; if (x!=1) x=2; else x++; assert(x<=3); Generate constraints Convert to static single assignment x 1 =x 0 +y 0 ; if (x 1!=1) x 2 =2; else x 3 =x 1 +1; x 4 =(x 1!=1)?x 2 :x 3 ; assert(x 4 <=3); C x 1 =x 0 +y 0 x 2 =2 x 3 =x 1 +1 (x 1!=1 x 4 =x 2 x 1 =1 x 4 =x 3 ) P x 4 <= 3 Check if C P is satisfiable, if it is then the assertion is violated C P is converted to boolean logic using a bit vector representation for the integer variables y 0,x 0,x 1,x 2,x 3,x 4

Bounded Verification Approaches What we have discussed above is bounded verification by bounding the number of steps of the execution. For this approach to work, the variable domains also need to be bounded, otherwise we cannot convert the problems to boolean SAT Bounding the execution steps and bounding the data domain are two orthogonal approaches. When people say bounded verification it may refer to either of these When people say bounded model checking, it typically refers to bounding the execution steps

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback