Counterexample Guided Abstraction Refinement in Blast

Similar documents
CS 510/13. Predicate Abstraction

Having a BLAST with SLAM

Having a BLAST with SLAM

Formal Systems Tutorial Hybrid System Modeling, Program Analysis

Static Program Analysis

Software Model Checking with Abstraction Refinement

Software Model Checking. Xiangyu Zhang

Having a BLAST with SLAM

Having a BLAST with SLAM

On Reasoning about Finite Sets in Software Checking

Scalable Program Verification by Lazy Abstraction

Configurable Software Model Checking

More on Verification and Model Checking

Program Verification (6EC version only)

An Eclipse Plug-in for Model Checking

F-Soft: Software Verification Platform

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Abstraction Learning

Hoare Logic: Proving Programs Correct

Lecture Notes: Hoare Logic

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Verifying Multithreaded Software with Impact

TRACER: A Symbolic Execution Tool for Verification

Lectures 20, 21: Axiomatic Semantics

The software model checker BLAST

SYNERGY : A New Algorithm for Property Checking

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Static Analysis Basics II

Program Analysis and Constraint Programming

Using Build-Integrated Static Checking to Preserve Correctness Invariants

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Software Model Checking. From Programs to Kripke Structures

Proofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

Predicate Refinement Heuristics in Program Verification with CEGAR

Unbounded Symbolic Execution for Program Verification

Page # 20b -Advanced-DFA. Reading assignment. State Propagation. GEN and KILL sets. Data Flow Analysis

Checking Program Properties with ESC/Java

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Predicate Abstraction and CEGAR for Higher Order Model Checking

CS 4120 Lecture 31 Interprocedural analysis, fixed-point algorithms 9 November 2011 Lecturer: Andrew Myers

Reducing Fair Stuttering Refinement of Transaction Systems

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

20b -Advanced-DFA. J. L. Peterson, "Petri Nets," Computing Surveys, 9 (3), September 1977, pp

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

VS 3 : SMT Solvers for Program Verification

Introduction to Machine-Independent Optimizations - 4

Formal Verification by Model Checking

A survey of new trends in symbolic execution for software testing and analysis

A Verifier for Temporal Properties

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Dataflow Analysis. Xiaokang Qiu Purdue University. October 17, 2018 ECE 468

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Proofs from Tests. Sriram K. Rajamani. Nels E. Beckman. Aditya V. Nori. Robert J. Simmons.

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Symbolic and Concolic Execution of Programs

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Static Program Analysis CS701

COS 320. Compiling Techniques

Abstractions from Proofs

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Handling Loops in Bounded Model Checking of C Programs via k-induction

Static Analysis in Practice

Model Checking with Abstract State Matching

Lecture Notes on Common Subexpression Elimination

BDD-Based Software Model Checking with CPAchecker

Duet: Static Analysis for Unbounded Parallelism

Program Static Analysis. Overview

Verifying Concurrent Programs

Inductive Invariant Generation via Abductive Inference

Static Program Checking

On Reasoning About Finite Sets in Software Model Checking

Lecture 6. Abstract Interpretation

Static program checking and verification

Program Verification. Aarti Gupta

The Pointer Assertion Logic Engine

Lecture Notes: Pointer Analysis

Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

PANDA: Simultaneous Predicate Abstraction and Concrete Execution

The ComFoRT Reasoning Framework

Computer Sciences Department

CSE 501 Midterm Exam: Sketch of Some Plausible Solutions Winter 1997

Interprocedural Heap Analysis using Access Graphs and Value Contexts

Unit Testing as Hypothesis Testing

DPLL(Γ+T): a new style of reasoning for program checking

Computer aided verification

Week 3 Video 4. Automated Feature Generation Automated Feature Selection

Crema. Research Briefing. Jacob Torrey & Mark Bridgman May 21, 2015

Checking Memory Safety with Blast

A Survey of Automated Techniques for Formal Software Verification

Refinement Strategies for Inductive Learning Of Simple Prolog Programs

Homework Assignment #1 Sample Solutions

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Transcription:

Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something we can t analyze (user input, random value) Line 10: the lock is held if and only if got_lock = 1 2 1

How would you analyze this? * means something we can t analyze (user input, random value) Line 5: the lock is held if and only if old = new 3 Motivation Dataflow analysis uses fixed abstraction e.g. zero/nonzero, locked/unlocked Model checking version of DFA similar PREfix shows need to eliminate infeasible paths E.g. lock/unlock on correlated branches Requires extending abstraction with branch predicates Unfortunately, PREfix sacrifices soundness Infeasible to cover all paths Although PREfix merges paths with similar analysis info, the information is too detailed to assure finitely many explored paths Can we get both soundness and the precision to eliminate infeasible paths? In general: of course not! That s undecideable. But in many situations we can solve it with abstraction refinement; it s just that this technique may not always terminate 4 2

CEGAR: Counterexample Guided Abstraction Refinement Program Abstract Using Predicates Abstract Program Model Checker No Error Property Holds New Predicates Error Found Generate New Predicates Infeasible Path Feasibility Checker Feasible Report Bug 5 CEGAR: Counterexample Guided Abstraction Refinement Begin with control flow graph abstraction Check reachability of error nodes Typically take cross product of dataflow abstraction and CFG, as in previous lecture However, can encode dataflow abstraction in CFG through error nodes assert(false) If error node is reachable, check if path is feasible Can use weakest preconditions; if you get false, the path is impossilbe For feasible paths, report an error For infeasible paths, figure out why e.g. correlation between lock and got_lock Add reason for infeasible paths to abstraction and try again! This time the analysis won t consider that path But it might consider other infeasible paths, so you may have to repeat the process multiple times 6 3

Control Flow Automaton One node for each location (before/after a statement) Edges Blocks of statements Assume clauses model if and loops some predicate must be true to take the edge 7 Control Flow Automaton Example 2 lock(); old=new; 4 [T] 3 [T] [new!= old] unlock(); new++; 5 [new = old] 6 unlock(); ret 8 4

Checking for Reachability Generate Abstract Reachability Tree Contains all reachable nodes Annotates each node with state Initially LOCK = 0 or LOCK = 1 Cross product of CFA and data flow abstraction Algorithm: depth-first search Generate nodes one by one If you come to a node that s already in the tree, stop This state has already been explored through a different control flow path If you come to an error node, stop The error is reachable 9 Depth First Search Example 10 5

Is the Error Real? Use weakest preconditions to find out the weakest precondition that leads to the error If the weakest precondition is false, there is no initial program condition that can lead to the error Therefore the error is spurious Blast uses a variant of weakest preconditions creates a new variable for each assignment before using weakest preconditions Instead of substituting on assignment, adds new constraint Helps isolate the reason for the spurious error more effectively 11 Is the Error Real? lock(); old = new; unlock(); new++; assume new==old error (lock==0) 12 6

Model Locking as Assignment lock = 1; old = new; lock = 0; new = new + 1; assume new==old error (lock==0) 13 Index the Variables lock1 = 1 old1 = new1; lock2 = 0 new2 = new1 + 1 assume new2==old1 error (lock2==0) 14 7

Generate Weakest Preconditions lock1 = 1 old1 = new1; lock2 = 0 new2 = new1 + 1 assume new2==old1 error (lock2==0) True lock1==1 old1==new1 True lock2==0 new2==new1+1 new2==old1 lock2==0 Contradictory! 15 Why is the Error Spurious? More precisely, what predicate could we track that would eliminate the spurious error message? Consider, for each node, the constraints generated before that node (c1) and after that node (c2) Find a condition I such that c1 => I I is true at the node I only contains variables mentioned in both c1 and c2 I mentions only variables in scope (not old or future copies) I c2 = false I is enough to show that the rest of the path is infeasible I is guaranteed to exist See Craig Interpolation True lock1==1 old1==new1 True lock2==0 new2==new1+1 new2==old1 lock2==0 Interpolant: old == new 16 8

Reanalyzing the Program Explore a subtree again Start where new predicates were discovered This time, track the new predicates If the conjunction of the predicates on a node is false, stop exploring this node is unreachable 17 Reanalysis Example Already Covered Unreachable 18 9

Analyzing the Right Hand Side 19 Generate Weakest Preconditions got_lock = 0; assume got_lock!= 0; error (lock==0) 20 10

Why is the Error Spurious? More precisely, what predicate could we track that would eliminate the spurious error message? Consider, for each node, the constraints generated before that node (c1) and after that node (c2) Find a condition I such that c1 => I I is true at the node I only contains variables mentioned in both c1 and c2 I mentions only variables in scope (not old or future copies) I c2 = false I is enough to show that the rest of the path is infeasible I is guaranteed to exist See Craig Interpolation True got_lock==0 True got_lock!=0 lock==0 21 Reanalysis Key: L = locked=1 Z = got_lock=0 22 11

Blast Techniques, Graphically Explores reachable state, not all paths Stops when state already seen on another path Lazy Abstraction Uses predicates on demand Only applies predicate to relevant part of tree 23 Termination Not guaranteed The system could go on generating predicates forever Can guarantee termination The set of possible predicates is finite Finite height lattices in data flow analysis! Those predicates are enough to predict observable behavior of program E.g. the ordering of lock and unlock statements Predicates are restricted in practice E.g. likely can t handle arbitrary quantification as in ESC/Java Model checking is hard if properties depend on heap data, for example Can t prove arbitrary properties in this case In practice Terminate abstraction refinement after a time bound 24 12

Key Points of CEGAR To prove a property, may need to strengthen it Just like strengthening induction hypothesis CEGAR figures out strengthening automatically From analyzing why errors are spurious Blast uses lazy abstraction Only uses an abstraction in the parts of the program where it is needed Only builds the part of the abstract state that is reached Explored state space is much smaller than potential state space 25 Experimental Results 26 13

Blast in Practice Has scaled past 100,000 lines of code Realistically starts producing worse results after a few 10K lines Sound up to certain limitations Assumes safe use of C No aliases of different types; how realistic? No recursion, no function pointers Need models for library functions Has also been used to find memory safety errors, race conditions, generate test cases 27 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback