MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Similar documents
Model Checking Embedded C Software using k-induction and Invariants

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Handling Loops in Bounded Model Checking of C Programs via k-induction

: A Bounded Model Checking Tool to Verify Qt Applications

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Verifying C & C++ with ESBMC

Static Analysis in C/C++ code with Polyspace

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Exploiting Safety Properties in Bounded Model Checking for Test Cases Generation of C Programs

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Program Verification. Aarti Gupta

JBMC: A Bounded Model Checking Tool for Verifying Java Bytecode. Lucas Cordeiro Pascal Kesseli Daniel Kroening Peter Schrammel Marek Trtik

Bounded Model Checking Of C Programs: CBMC Tool Overview

C Code Verification based on the Extended Labeled Transition System Model

Proving Properties of non-array Programs

Verification & Validation of Open Source

Counterexample Guided Inductive Optimization Applied to Mobile Robot Path Planning SBR/LARS 2017

DSVerifier: A Bounded Model Checking Tool for Digital Systems

Static Program Analysis Part 1 the TIP language

Introduction to CBMC: Part 1

System LAV and Its Applications

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

OptCE: A Counterexample-Guided Inductive Optimization Solver

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Software Model Checking. Xiangyu Zhang

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

Automated Test Generation using CBMC

Understanding Undefined Behavior

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Automatic Software Verification

CS2141 Software Development using C/C++ Debugging

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel

Static program checking and verification

More on Verification and Model Checking

The Low-Level Bounded Model Checker LLBMC

CS558 Programming Languages

Oracle Developer Studio Code Analyzer

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Bounded Model Checking of C++ Programs based on the Qt Cross-Platform Framework (Journal-First Abstract)

Program Analysis and Code Verification

CUTE: A Concolic Unit Testing Engine for C

On Reasoning about Finite Sets in Software Checking

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Executable Counterexamples in Software Model Checking

Cascade 2.0. C static analysis tool with an SMT backend. Wei Wang, Clark Barrett, Thomas Wies

Applications of Program analysis in Model-Based Design

Static Analysis in Practice

Lecture 07 Debugging Programs with GDB

Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives

Optimistic Hybrid Analysis

Homework #3 CS2255 Fall 2012

Symbolic Computation via Program Transformation

Project 0: Implementing a Hash Table

Static Analysis and Bugfinding

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Static Program Analysis

DEBUGGING: STATIC ANALYSIS

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

A Bounded Model Checker for SPARK Programs

Fiji VM Safety Critical Java

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

CS 161 Exam II Winter 2018 FORM 1

CS558 Programming Languages

Verifying the Safety of Security-Critical Applications

Program Analysis. CSCE Lecture 16-03/03/2016

Program Correctness and Efficiency. Chapter 2

Lecture Notes on Memory Management

CS107 Handout 08 Spring 2007 April 9, 2007 The Ins and Outs of C Arrays

Model Checking of C and C++ with DIVINE 4

Guidelines for Writing C Code

Principles of Programming Languages

COMP26120: Linked List in C (2018/19) Lucas Cordeiro

ROSE-CIRM Detecting C-Style Errors in UPC Code

Analysis/Bug-finding/Verification for Security

Formally Certified Satisfiability Solving

High-performance computing and programming Intro to C on Unix/Linux. Uppsala universitet

Programming in C. Lecture 9: Tooling. Dr Neel Krishnaswami. Michaelmas Term

Stephen McLaughlin. From Uncertainty to Belief: Inferring the Specification Within

Concolic Fault Abstraction

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

CSCE 548 Building Secure Software Software Analysis Basics

CS 161 Computer Security

Testing & Symbolic Execution

Profile-Guided Program Simplification for Effective Testing and Analysis

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Inference of Memory Bounds

Symbolic Execution, Dynamic Analysis

PUG (Prover of User GPU Programs) v0.2

Automatic Generation of Program Specifications

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C

Pointers and Arrays CS 201. This slide set covers pointers and arrays in C++. You should read Chapter 8 from your Deitel & Deitel book.

Verifying Multithreaded Software with Impact

CS 61C: Great Ideas in Computer Architecture. C Arrays, Strings, More Pointers

Transcription:

FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto, and Lucas Cordeiro

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Evaluation 5. Conclusions and Future Work 2

Software Applications 3

In software testing: Verification and Testing Software a significant human effort is required to generate effective test cases subtle bugs are difficult to detect In software model checking: limited scalability to large software missing tool-supported integration into the development process 4

In software testing: Verification and Testing Software a significant human effort is required to generate effective test cases subtle bugs are difficult to detect In software model checking: limited scalability to large software missing tool-supported integration into the development process The integration aims to alleviate the weaknesses from those strategies 5

Whatdo youneedtocheck? Analyzing memory management is an important task to avoid unexpected behavior of the program Pointer safety violation results in an invalid address Produce an incorrect result of the program and not necessarily a crash Memory leaks have a negative impact in other application running onthesamesystem they typically remain unobserved until they consume a large portion of the memory 6

And what are we proposing? The Map2Check Method Map2Check generates automatically: memory management test cases for structural unit tests for Cprograms assertions from safety properties generated by BMC tools Map2Check aims to improve the unit testing environment, adopting features from(bounded) model checkers Map2Check adopts source code instrumentation to: monitor the program s executions validate assertions with safety properties ifm'2012 7

And what are we proposing? The Map2Check Method Map2Check method checks the program out of the BMC tools flow It is based on dynamic analysis and assertion verification The assertions contain a set of specifications The BMC is adopted as verification condition (VC) generator that translates a program fragment and its correctness property into logical formula ifm'2012 8

The motivation of this work - Map2Check Aims to check for properties related to pointer safety, memory leaks, and invalid free Provides trace of memory addresses, in case of property violation Support the integration between testing and verification in an environment, where a software engineer can extend the analysis of the program through APIs and include new BMC and unit testing tools #include <map2check.h> ifm'2012 9

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Evaluation 5. Conclusions and Future Work 10

Efficient SMT-Based Bounded Model Checking - ESBMC ESBMC is a bounded model checker for embedded ANSI-C software based on SMT (Satisfiability Modulo Theories) solvers, which allows: Out-of-bounds array indexing; Division by zero; Pointers safety Dynamic memory allocation; Data races; Deadlocks; Underflow e Overflow; ifm'2012 11

Safety Property Informally, a property in linear-time specifies the allowable (or desired) behavior of a system In this study, we use ESBMC VCs generator to check for memory safety as follows: checking for safety pointers - SAME OBJECT if a pointer is NULL or invalid object -INVALID POINTER VCs for dynamic memory allocation - IS DYNAMIC OBJECT if the argument to any free, or dereferencing operation is still a valid object -VALID OBJECT 12

Software Testing A test case consists of a test data analysis associated with an expected result of the software specification Unit tests are typically written based on a set of test cases to ensure that the program meets its design and behaves as expected We create unit tests to analyze the software specification together with their test data WeadopttheCUnitframeworktodevelopunittests Available at: http://cunit.sourceforge.net 13

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Evaluation 5. Conclusions and Future Work 14

Memory Management Test Case Generation for C Programs- Map2Check Map2Check tool2 is available at https://sites.google.com/site/map2check/ 15

3. 4. 5. 6. 7. 8. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. int *a, *b; int n; #define BLOCK_SIZE 128 void foo (){... } int main () { n = BLOCK_SIZE; a = malloc (n * sizeof(*a)); b = malloc (n * sizeof(*b)); *b++ = 0; foo (); if (b[-1]) { /* invalid free (b was iterated) */ free(a); free(b); } else { free(a); free(b); } /* ditto */ } Memory Management Test Case Generation for C Programs- Map2Check return 0; 960521 1_false-valid-free.c SV-COMP 2014: 55.6% of the tools in the MemorySafety category are not able to findthe property violation 16

Step 1: Identification of safety properties $ esbmc --64 --no-library --show-claims 960521-1_false-valid-free.c file 960521-1_false-valid-free.c: Parsing Converting Type-checking 960521-1_false-valid-free Generating GOTO Program Pointer Analysis Adding Pointer Checks Claim 1: file 960521-1_false-valid-free.c line 12 function foo dereference failure: dynamic object lower bound!(pointer_offset(a) + i < 0)!(IS_DYNAMIC_OBJECT(a)) 17

Step 1: Identification of safety properties $ esbmc --64 --no-library --show-claims 960521-1_false-valid-free.c file 960521-1_false-valid-free.c: Parsing Converting Type-checking 960521-1_false-valid-free Generating GOTO Program Pointer Analysis Adding Pointer Checks Claim 1: file 960521-1_false-valid-free.c line 12 function foo dereference failure: dynamic object lower bound!(pointer_offset(a) + i < 0)!(IS_DYNAMIC_OBJECT(a)) Claimsgeneratedautomatically by ESBMC do not necessarily correspond to errors 18

Step 2: Extract information from safety properties Claims Comments Line Property Claim 1 Claim 2 Claim 3 Claim 4 dereference failure: dynamic object lower bound dereference failure: dynamic object upper bound dereference failure: dynamic object lower bound File sum_arrayline14 function main array `a upper bound 12 12 14 14!(POINTER_OFFSET(a) + i < 0)!(IS_DYNAMIC_OBJECT(a))!(POINTER_OFFSET(a) + i >= DYNAMIC_SIZE(a))!(IS_DYNAMIC_OBJECT(a))!(POINTER_OFFSET(b) + i < 0)!(IS_DYNAMIC_OBJECT(b))!(POINTER_OFFSET(b) + i >= DYNAMIC_SIZE(b))!(IS_DYNAMIC_OBJECT(b))............ 19

Step 3: Translation of safety properties Translate claims provided by ESBMC to assertions into the C program: INVALID-POINTER. INVALID POINTER(i + pat) IS _VALID_POINTER_MF (LIST_LOG, (void )&(i+pat), (void )(intptr_t)(i+pat)) #include <map2check.h> Map2Check provides a library to the C program, which offers support to execute the functions generated by the translator. 20

Consists of two phases: Step 4: Memory tracking 1) identify and track variables in the analyzed source code, as well as, the variable operations and assignments 2) instrument the source code with specific functions for monitoring the memory addresses and the addresses pointing by these variables according to the program execution 21

Step 4: Memory tracking 3. 4. 5. 6. 7. 8. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. int *a, *b; int n; #define BLOCK_SIZE 128 void foo (){... } int main () { n = BLOCK_SIZE; a = malloc (n * sizeof(*a)); b = malloc (n * sizeof(*b)); *b++ = 0; foo (); if (b[-1]) { /* invalid free (b was iterated) */ free(a); free(b); } else { free(a); free(b); } /* ditto */ } return 0; Phase 1: identify and track variables Input: Abstract Syntax Tree (AST) Output: Variables Tracking(Map) Analyzing the program scope 22

Step 4: Memory tracking 3. 4. 5. 6. 7. 8. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. int *a, *b; int n; #define BLOCK_SIZE 128 void foo (){... } int main () { n = BLOCK_SIZE; a = malloc (n * sizeof(*a)); b = malloc (n * sizeof(*b)); *b++ = 0; foo (); if (b[-1]) { /* invalid free (b was iterated) */ free(a); free(b); } else { free(a); free(b); } /* ditto */ } return 0; Tracking of the variables Pointer variable assignments 23

Step 4: Memory tracking Phase 2: Instrumentation of the source code mark_map_mf. This function trackes the memory addresses (LIST_LOG) of the variables according to the program execution; IS_VALID_DYN_OBJ_MF. This function identifies if a dynamic object is valid; INVALID_FREE. This function identifies whether a given dynamic object can be released/deallocated from the memory properly; CHECK_MEMORY_LEAK. Identifies if, in the end of the program, some allocated memory is not released. 24

Step 4: Memory tracking 3. 4. 5. 6. 7. 8. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. int *a, *b; int n; #define BLOCK_SIZE 128 void foo (){... } int main () { n = BLOCK_SIZE; a = malloc (n * sizeof(*a)); b = malloc (n * sizeof(*b)); *b++ = 0; foo (); if (b[-1]) { /* invalid free (b was iterated) */ free(a); free(b); } else { free(a); free(b); } /* ditto */ } return 0; Invalid free Tracking memory execution Line Address Points to Escope Is Dynamic Is Free 28 0x601050 0xb44034 global 0 1 28 0x601060 0xb44010 global 0 1.................. 10 0x7fff39f18a2c (nil) foo 0 0 22 0x601050 0xb44034 global 0 0 21 0x601050 0xb44030 global 1 0.................. variable b was iterated 25

Step 5: Code instrumentation with assertions 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37.... int main () { n = BLOCK_SIZE; a = malloc (n * sizeof(*a)); b = malloc (n * sizeof(*b)); *b++ = 0; foo (); if (b[-1]) {... } else { ASSERT(INVALID_FREE(LIST_LOG, (void *)(intptr_t)(a), 28)); free(a); ASSERT(INVALID_FREE(LIST_LOG, (void *)(intptr_t)(b), 28)); free(b); } return 0; } 26

Step 6: Implementation of the tests Model using C assertions debugging #include <map2check.h> Model for CUnit options/statements for unit testing Unit Testing Framework 27

Step 6: Implementation of the tests 28

Step 7: Execution of the tests 29

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Evaluation 5. Conclusions and Future Work 30

Planning and Designing the Experiments Goal: Analyzing the ability of Map2Check to generate and verify test cases related to memory management. The experiments are conducted on an Intel Core i7-2670qmcpu, 2.20GHz,32GBRAMcomLinuxOS Thetimelimittotheverificationis15min Disponível em https://github.com/hbgit/map2check 31

Planning and Designing the Experiments We consider 61 ANSI-C programs from the MemorySafety category of the SV-COMP 14 benchmark Comparison to the tools: Valgrind s Memcheck(Nethercote e Seward, 2007) CBMC(Clarkeetal.,2004) LLBMC(Merzetal.,2012) CPAChecker(Beyer e Keremoglu, 2011) Predator(Dudka et al., 2014) ESBMC(Cordeiro et al., 2012). 32

Experiment s Execution and Results Analysis 95.72% 95.08% 93.44% > 76% Tool CPAChecker Map2Check Valgrind CBMC Predator LLBMC ESBMC Correct Results False Negatives False Positives Unknown andto 59 58 57 46 43 31 7 0 0 0 8 0 0 0 0 0 0 2 12 0 36 2 3 4 5 6 30 18 Time (min) 23.33 190.98 151.57 200 76.66 416.66 139.06 33

Experiment s Execution and Results Analysis Memory consumed by the tools in the programs Map2Check is the 2nd tool that consumes less memory Map2Check in 95%of the programs has consumed about 50 MB 34

Experiment s Execution and Results Analysis The runtime verification: Map2Check is 54.16%faster than LLBMC and 4.5%than CBMC Map2Check does not identify more correct results only, but also generates less Unknown and TO than CPAChecker Map2Check time: the concrete execution of the nondeterministic programs The function VERIFIER_nondet_int()in loop structures Map2Check depends on a random functionto determine the halting condition of a loop 35

Experiment s Execution and Results Analysis Analyzing Map2Check in the context of the SVCOMP 14 in the MemorySafety category. Scores: 1stplace:CPAChecker=95eMap2Check=95 2thplace:LLBMC=38 3thplace:Predator=14 The scores could be ranked with negative points 36

Experiment s Execution and Results Analysis We had participated in SV-COMP with Map2Check tool in the MemorySafety category Updates in SV-COMP: In SV-COMP 2014 the total file was 61 and in SV-COMP was 205 The scores were updated to penalize incorrect results Map2Check won the 6th from 9 tools (number of correct programs was 165 from 205) Forester(Holik et al., ) Seahorn(Kahsai et al., ) CBMC(Clarkeetal.,2004a) 37

Agenda 1. Introduction 2. Background 3. Proposed Method 4. Experimental Evaluation 5. Conclusions and Future Work 38

Conclusions and Future Work Wepresentedamethodto: integrate unit testing with model checkers, focusing on memory management defects disseminate the application of formal methods and helping developers not very familiar with this subject to verify large C programs Map2Check can be adopted as a complementary technique for the verification performed by BMC tools Mainly when BMC tools cannot, usually because of time-out; or when there are false negative or false positive 39

Conclusions and Future Work The experimental results have shown to be very effective The Map2Check method has detected at least as many memory management defects as the state-of-the-art tools For future work To improve the verification runtime and precision of Map2Check: adopting program invariants static verification based on abstract domain Adopting a witness checker 40

Questions? Thank you for your attention! herberthb12@gmail.com 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback