SAT-based Model Checking for C programs

Similar documents
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

SAT Solver Heuristics

Application of Propositional Logic - How to Solve Sudoku? Moonzoo Kim

Application of Propositional Logic - How to Solve Sudoku? Moonzoo Kim

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

SAT Solver. CS 680 Formal Methods Jeremy Johnson

Automated Test Generation using CBMC

Integrating a SAT Solver with Isabelle/HOL

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

8.1 Polynomial-Time Reductions

Software Model Checking. Xiangyu Zhang

C Bounded Model Checker

Symbolic and Concolic Execution of Programs

Deductive Methods, Bounded Model Checking

Introduction to CBMC: Part 1

Boolean Functions (Formulas) and Propositional Logic

Model Checking and Its Applications

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Where Can We Draw The Line?

(a) (4 pts) Prove that if a and b are rational, then ab is rational. Since a and b are rational they can be written as the ratio of integers a 1

8 NP-complete problem Hard problems: demo

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Computer-Aided Program Design

Formally Certified Satisfiability Solving

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Chapter 8. NP and Computational Intractability. Slides by Kevin Wayne. Copyright 2005 Pearson-Addison Wesley. All rights reserved.

NP-Complete Reductions 2

PROPOSITIONAL LOGIC (2)

! Greed. O(n log n) interval scheduling. ! Divide-and-conquer. O(n log n) FFT. ! Dynamic programming. O(n 2 ) edit distance.

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

Bounded Model Checking Of C Programs: CBMC Tool Overview

BITCOIN MINING IN A SAT FRAMEWORK

Finite Model Generation for Isabelle/HOL Using a SAT Solver

2SAT Andreas Klappenecker

Seminar decision procedures: Certification of SAT and unsat proofs

! Greed. O(n log n) interval scheduling. ! Divide-and-conquer. O(n log n) FFT. ! Dynamic programming. O(n 2 ) edit distance.

Mixed Integer Linear Programming

Handling Loops in Bounded Model Checking of C Programs via k-induction

NP and computational intractability. Kleinberg and Tardos, chapter 8

A Pearl on SAT Solving in Prolog (extended abstract)

Decision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion

Parallelizing SAT Solver With specific application on solving Sudoku Puzzles

Computability Theory

The Spin Model Checker : Part I/II

Finite State Verification. CSCE Lecture 21-03/28/2017

Finite State Verification. CSCE Lecture 14-02/25/2016

SAT Based Efficient Directed Test Generation Techniques

Normal Forms for Boolean Expressions

Polynomial SAT-Solver Algorithm Explanation

SAT and Termination. Nao Hirokawa. Japan Advanced Institute of Science and Technology. SAT and Termination 1/41

8.1 Polynomial-Time Reductions

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Implementation of a Sudoku Solver Using Reduction to SAT

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Rethinking Automated Theorem Provers?

Chapter 10 Part 1: Reduction

4.1 Review - the DPLL procedure

Propositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Decision Procedures. An Algorithmic Point of View. Decision Procedures for Propositional Logic. D. Kroening O. Strichman.

NP-Hardness. We start by defining types of problem, and then move on to defining the polynomial-time reductions.

versat: A Verified Modern SAT Solver

Verifying C & C++ with ESBMC

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

Having a BLAST with SLAM

The Resolution Algorithm

Lecture 5 - Axiomatic semantics

Automated Theorem Proving and Proof Checking

DM841 DISCRETE OPTIMIZATION. Part 2 Heuristics. Satisfiability. Marco Chiarandini

Satisfiability Modulo Theories: ABsolver

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

SAT Solvers. Ranjit Jhala, UC San Diego. April 9, 2013

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

NP-Completeness of 3SAT, 1-IN-3SAT and MAX 2SAT

arxiv: v2 [cs.pl] 3 Apr 2018

Hardware versus software

The Spin Model Checker : Part I. Moonzoo Kim KAIST

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Model Checking Embedded C Software using k-induction and Invariants

P and NP (Millenium problem)

Improving Coq Propositional Reasoning Using a Lazy CNF Conversion

Automated Theorem Proving: DPLL and Simplex

Introduction to Axiomatic Semantics

Zchaff: A fast SAT solver. Zchaff: A fast SAT solver

The Satisfiability Problem [HMU06,Chp.10b] Satisfiability (SAT) Problem Cook s Theorem: An NP-Complete Problem Restricted SAT: CSAT, k-sat, 3SAT

Having a BLAST with SLAM

W4231: Analysis of Algorithms

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Linear Time Unit Propagation, Horn-SAT and 2-SAT

Incremental Proof Development in Dafny

Learning Techniques for Pseudo-Boolean Solving and Optimization

Reference Sheet for CO142.2 Discrete Mathematics II

Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani

Decision Procedures in the Theory of Bit-Vectors

Parallel and Distributed Computing

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Notes on CSP. Will Guaraldi, et al. version 1.7 4/18/2007

Formal Methods for Software Development

Transcription:

SAT-based Model Checking for C programs Moonzoo Kim Provable Software Lab. CS Division of EE 1

Formal Methods Definition in Wikepedia Formal methods are mathematically-based techniques for the specification, development and verification of software performing appropriate mathematical analyses can contribute to the reliability and robustness of a design. Rigor, completeness Automation Ad-hoc manual development Scalability Brief History Early days: 1960~ :Theorem proving Hoare logic pre & post condition, loop invariant Heavily depends on human expertise Mid days: 1980~: Model checking Design an abstract model and check the model with requirements Fully automatic analysis Recent days: 2000~: Software model checking (semi) automatic model extraction from C code Not yet reliable and weak tool supports 2

Overview of SAT-based Bounded Model Checking Requirements Formal Requirement Properties (Φ Ω) C Program Abstract Model Requirements Formal Requirement Properties in C (ex. assert( x < a[i]); ) C Program Model Checker Translation to SAT formula Satisfied Not satisfied SAT Solver Okay Counter example 3 Satisfied Okay Not satisfied Counter example

SAT Basics (1/2) SAT = Satisfiability = Propositional Satisfiability NP-Complete problem We can use SAT solver for many NP-complete problems Hamiltonian path 3 coloring problem Traveling sales man s problem Recent interest as a verification engine SAT Propositional Formula SAT problem UNSAT 4

SAT Basics (2/2) A set of propositional variables and clauses involving variables (x 1 x 2 x 3 ) (x 2 x 1 x 4 ) x 1, x 2, x 3 and x 4 are variables (true or false) Literals: Variable and its negation x 1 and x 1 A CNF clause is satisfied if one of the literals is true x 1 =true satisfies clause 1 x 1 =false satisfies clause 2 Solution: An assignment that satisfies all clauses 5

Basic SAT Solving Mechanism (1/2) /* The Quest for Efficient Boolean Satisfiability Solvers * by L.Zhang and S.Malik, Computer Aided Verification 2002 */ DPLL(a formula φ, assignment) { necessary = deduction(φ, assignment); new_asgnment = union(necessary, assignment); if (is_satisfied(φ, new_asgnment)) return SATISFIABLE; else if (is_conflicting(φ, new_asgnmnt)) return UNSATISFIABLE; var = choose_free_variable(φ, new_asgnmnt); asgn1 = union(new_asgnmnt, assign(var, 1)); if (DPLL(φ, asgn1) == SATISFIABLE) return SATISFIABLE; else { asgn2 = union (new_asgnmnt, assign(var,0)); return DPLL (φ, asgn2); 6

Basic SAT Solving Mechanism (2/2) (p r) ( p q r) (p r) p=t p=f (T r) ( T q r) (T r) (F r) ( F q r) (F r) SIMPLIFY SIMPLIFY qq r r rr false SIMPLIFY 7

Model Checking as a SAT problem (1/4) CBMC (C Bounded Model Checker, In CMU) Handles function calls using inlining Unwinds the loops a fixed number of times (bounded MC) Thus, a user has to know a upper bound of each loop In practice, it does not cause serious limitation since» Most loops has clear upper bounds» Even when we do not know the upper bound, we can still get analysis result with possibility of false alarms Allows user input to be modeled using non-determinism So that a program can be checked for a set of inputs rather than a single input Allows specification of assertions which are checked using the bounded model checking 8

Model Checking as a SAT problem (2/4) Unwinding Loop Unwinding the loop 3 times Original code x=0; while (x < 2) { y=y+x; x++; Unwinding assertion: 9 x=0; if (x < 2) { y=y+x; x++; if (x < 2) { y=y+x; x++; if (x < 2) { y=y+x; y+x; x++; assert (! (x < 2))

Model Checking as a SAT problem (3/4) From C Code to SAT Formula Original code Convert to static single assignment x=x+y; x 1 =x 0 +y 0 ; if (x!=1) if (x 1!=1) x=2; x 2 =2; else else x++; x 3 =x 1 +1; assert(x<=3); x 4 =(x 1!=1)?x 2 :x 3 ; Generate constraints t assert(x 4 <=3); C x 1 =x 0 +y 0 x 2 =2 x 3 =x 1 +1 (x 1!=1 x 4 =x 2 x 1 =1 x 4 =x 3 ) P x 4 <= 3 Check if C P is satisfiable, if it is then the assertion is violated C P is sconverted etedtoto Boolean ooea logic ogcusing gabt bit vector representation for the integer variables y 0,x 0,x 1,x 2,x 3,x 4 10

Model Checking as a SAT problem (4/4) Example of arithmetic encoding into pure propositional formula Assume that x,y,z are three bits positive integers represented by propositions x 0 x 1 x 2, y 0 y 1 y 2, z 0 z 1 z 2 C z=x+y (z 0 (x( 0 yy 0 ) ( ((x 1 Æyy 1 ) Ç (((x 1 yy 1 )Æ(x 2 Æyy 2 ))) Æ (z 1 (x 1 y 1 ) (x 2 Æy 2 )) Æ (z 2 (x 2 y 2 )) 11

Model Checking Example (1/3) #include<stdio.h> int many_branch(int x) { int y=0; /* Required to show meaningful counter * example for non-deterministic value*/ x=x; Cyclomatic complexity = 4 if( x>0 ) if ( x > 10) if (x >20) y = 4; else y=3; else y=2; else y=1; #ifdef verification assert( 2<= y && y <= 4); #endif return y; 1 2 3 4 0 10 20 12

Model Checking Example (2/3) int main() { int input, output; printf("input x:"); scanf("%d", &input); output=many_branch(input); printf("output y:%d\n",output); Cyclomatic complexity = 4 [moonzoo@verifier cs350]$ a.out Input x:-5 Output y:1 [moonzoo@verifier cs350]$ a.out Input x:5 Output y:2 [moonzoo@verifier cs350]$ a.out Input x:15 Output y:3 [moonzoo@verifier cs350]$ a.out Input x:25 Output y:4 1 2 3 4 0 10 20 13

Model Checking Example (3/3) [moonzoo@verifier cs350]$ cbmc -D verification --function many_branch test.c Starting Bounded Model Checking size of program expression: 30 assignments 388 variables, 897 clauses SAT checker: negated claim is SATISFIABLE, i.e., does not hold Building error trace Cyclomatic complexity = 4 Counterexample: Initial State file /usr/include/bits/sys_errlist.h line 27 thread 0 ---------------------------------------------------- sys_nerr=0 State 2 file test-all-branch.c line 4 function many_branch thread 0 ---------------------------------------------------- test-all-branch::many_branch::1::y=0 State 3 file test-all-branch.c line 7 function many_branch thread 0 ---------------------------------------------------- test-all-branch::many_branch::x=-2147483617 State 5 file test-all-branch.c line 15 function many_branch thread 0 ---------------------------------------------------- test-all-branch::many_branch::1::y=1 Violated property: p file test-all-branch.c line 18 function many_branch assertion 2 <= y && y <= 4 VERIFICATION SAT-based Model FAILED Checking for C Programs 14 1 0 2 3 10 20 4

Model Checking Performances: Sort (1/2) Suppose that we have an array of 4 elements each of which is 32 bits long int a[4]; 9 14 2 999 We wants to verify sort.c works correctly main() { int a[4]; sort(); assert(a[0]<= a[1]<= a[2]<=a[3]); Note that local variables are initialized with non-deterministic values. The # of all possible test cases is 5.4x10 39 (=2 32x4 ) Exhaustive testing ti will takes 1.8x10 10 32 seconds (= 5.8 x 10 24 years) 5.4x10 39 cases x 100 instruction/case x 1/(3x10 9 ) sec/instruction 15

Model Checking Performances: Sort (2/2) #include <stdio.h> #define N 5 int main(){ int data[n], i, j, tmp; /* if a function body is not provided, * function invocation of the function is ignored */ for (i=0; i<n; i++) { data[i] = non_det(); data[i]=data[i]; data[]; /* It misses the last element, i.e., data[n0]*/ for (i=0; i<n-1; i++) for (j=i+1; j<n-1; j++) if (data[i] > data[j]){ tmp = data[i]; data[i] = data[j]; data[j] = tmp; /* Check the array is sorted */ for (i=0; i<n-1; i++) assert(data[i] <= data[i+1]); 16 Total 6224 CNF clause with 19099 boolean propositional variables Theoretically, 2 19099 (2.35 x 10 5749 ) choices should be evaluated!!! SAT Conflicts 73 UNSAT Conflicts 35067 Decisions 2435 Decisions 161406 Time(sec) 0.015 Time(sec) 1.89

Excerpts from Microsoft Research Conf. 06 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback