C Bounded Model Checker

Similar documents
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Introduction to CBMC: Part 1

Bounded Model Checking Of C Programs: CBMC Tool Overview

SAT-based Model Checking for C programs

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

COP 3223 Introduction to Programming with C - Study Union - Fall 2017


COP 3223 Introduction to Programming with C - Study Union - Spring 2018

Procedural programming with C

Advanced Programming. Lists. A list is a data structure based on usage of pointers and dynamic allocation of memory.

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

CS 322 Operating Systems Practice Midterm Questions

POINTER & REFERENCE VARIABLES

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Proving Properties of non-array Programs

Midterm Review (overview of fall 2005 midterm)" Jennifer Rexford!

CS 33. Intro to Storage Allocation. CS33 Intro to Computer Systems XXVI 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

CSE 12 Spring 2016 Week One, Lecture Two

Programming in C - Part 2

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING B.E SECOND SEMESTER CS 6202 PROGRAMMING AND DATA STRUCTURES I TWO MARKS UNIT I- 2 MARKS

SOFTWARE Ph.D. Qualifying Exam Spring Consider the following C program, which includes three function definitions, including the main function.

Stack and Queue. Stack:

Writing an ANSI C Program Getting Ready to Program A First Program Variables, Expressions, and Assignments Initialization The Use of #define and

Stack. Data structure with Last-In First-Out (LIFO) behavior. Out

Queues. A queue is a special type of structure that can be used to maintain data in an organized way.

The output will be: marks all or nothing. 1 #include <stdio.h> 2 main() { 3 int i; int j; 4 int *p; int *q; 6 p = &i; 7 q = &j; 8 i = 1;

Preface... (vii) CHAPTER 1 INTRODUCTION TO COMPUTERS

Quantifying Information Leaks in Software

Midterm I Exam Principles of Imperative Computation Frank Pfenning. February 17, 2011

Linked List. April 2, 2007 Programming and Data Structure 1

Computer Science. Section 1B

COP 3223 Introduction to Programming with C - Study Union - Fall 2017

EL2310 Scientific Programming

A. Year / Module Semester Subject Topic 2016 / V 2 PCD Pointers, Preprocessors, DS

Crown Examples. - Basic Examples - Function Examples - Limitation Examples

The Low-Level Bounded Model Checker LLBMC

Lecture 9 Assertions and Error Handling CS240

[0569] p 0318 garbage

Pointers, Arrays, and Strings. CS449 Spring 2016

Data Structures And Algorithms

Data Types and Computer Storage Arrays and Pointers. K&R, chapter 5

List, Stack, and Queues

SYSC 2006 C Winter 2012

Motor Industry Software Reliability Association (MISRA) C:2012 Standard Mapping of MISRA C:2012 items to Goanna checks

Arrays. An array is a collection of several elements of the same type. An array variable is declared as array name[size]

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

ENEE 150: Intermediate Programming Concepts for Engineers Spring 2018 Handout #27. Midterm #2 Review

Functions in C C Programming and Software Tools

Borland 105, 278, 361, 1135 Bounded array Branch instruction 7 break statement 170 BTree 873 Building a project 117 Built in data types 126

Introduction to Data Structures

Parameter passing. Programming in C. Important. Parameter passing... C implements call-by-value parameter passing. UVic SEng 265

.:: UNIT 4 ::. STACK AND QUEUE

Comp Sci 1MD3 Mid-Term II 2004 Dr. Jacques Carette

JTSK Programming in C II C-Lab II. Lecture 3 & 4

Linear Data Structure

High-performance computing and programming Intro to C on Unix/Linux. Uppsala universitet

C Data Structures Stacks. Stack. push Adds a new node to the top of the stack

Department of Computer Science & Engineering Indian Institute of Technology Kharagpur. Practice Sheet #13

Department of Computer Science & Engineering Indian Institute of Technology Kharagpur. Practice Sheet #10

Principles of C and Memory Management

a data type is Types

Data Structures and Algorithms for Engineers

(6-1) Basics of a Queue. Instructor - Andrew S. O Fallon CptS 122 (September 26, 2018) Washington State University

Formal Verification of Communications in Networks on Chips

#include <stdio.h> int main() { char s[] = Hsjodi, *p; for (p = s + 5; p >= s; p--) --*p; puts(s); return 0;

Solution for Data Structure

CSC 1052 Algorithms & Data Structures II: Linked Queues

CS11001/CS11002 Programming and Data Structures (PDS) (Theory: 3-0-0)

Pointers. Part VI. 1) Introduction. 2) Declaring Pointer Variables. 3) Using Pointers. 4) Pointer Arithmetic. 5) Pointers and Arrays

EM108 Software Development for Engineers

CSC209H Lecture 4. Dan Zingaro. January 28, 2015

C Programming Language

Programming and Data Structure Solved. MCQs- Part 2

CSCI 2212: Intermediate Programming / C Review, Chapters 10 and 11

Midterm Exam Answers Instructor: Randy Shepherd CSCI-UA.0201 Spring 2017

Model Checking Embedded C Software using k-induction and Invariants

Queues. Manolis Koubarakis. Data Structures and Programming Techniques

Dynamic Data Structures

Stacks and Queues. CSE Data Structures April 12, 2002

CGS 3460 Summer 07 Midterm Exam

Exercise 3 / Ch.7. Given the following array, write code to initialize all the elements to 0: int ed[100]; Hint: It can be done two different ways!

So far, system calls have had easy syntax. Integer, character string, and structure arguments.

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

struct node{ int info; struct node *left, *right; }; typedef struct node nodeptr; A Linear Doubly Linked List

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty.

CSCI 171 Chapter Outlines

Midterm Examination # 2 Wednesday, March 19, Duration of examination: 75 minutes STUDENT NAME: STUDENT ID NUMBER:

Program Verification. Aarti Gupta

DEEPIKA KAMBOJ UNIT 2. What is Stack?

Pointers, Dynamic Data, and Reference Types

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

BBM 201 DATA STRUCTURES

SOFTWARE Ph.D. Qualifying Exam Spring Consider the following C program which consists of two function definitions including the main function.

Lectures 5-6: Introduction to C

The Spin Model Checker : Part I/II

CS 61C: Great Ideas in Computer Architecture Introduction to C

Transcription:

C Bounded Model Checker Targeting arbitrary ANSI-C programs Bit vector operators ( >>, <<,, &) Array Pointer arithmetic Dynamic memory allocation Floating # Can check Array bound checks (i.e., buffer overflow) Division by 0 Pointer checks (i.e., NULL pointer dereference) Arithmetic overflow/underflow User defined assert(cond) Handles function calls using inlining Unwinds the loops a fixed number of times 1/11

Modeling with CBMC Models an environment (i.e., various scenarios) using non-determinism 1. By using undefined functions 2. By using uninitialized local variables 3. By using function parameters 4. By explicitly using CPROVER_assume() foo(int x) { CPROVER_assume (0<x && x<10); x++; assert (x*x <= 100); bar() { int y=0; CPROVER_assume ( y > 10); assert(0); int x = nondet(); bar() { int y; CPROVER_assume (0<x && 0<y); if(x < 0 && y < 0) assert(0); 2/11

Ex1. Circular Queue APIs #include<stdio.h> #define SIZE 12 #define EMPTY 0 unsigned int q[size],head,tail; void enqueue(unsigned int x) { q[tail]=x; tail=(++tail)%size; unsigned int dequeue() { unsigned int ret; ret = q[head]; q[head]=0; head= (++head)%size; return ret; Step 1) 0 1 2 3 4 5 6 7 8 9 10 11 0 0 0 0 0 0 15 6 9 8 4 0 head=6 tail=11 Step 2) 3 5 0 0 0 0 15 6 9 8 4 17 tail=2 head=6 Step 3) 3 5 0 0 0 0 0 6 9 8 4 17 tail=2 head=7 3/11

#include<stdio.h> #define SIZE 12 #define EMPTY 0 // Initial random queue setting following the script void environment_setup() { int i; for(i=0;i<size;i++) { q[i]=empty; head=non_det(); CPROVER_assume(0<= head && head < SIZE); unsigned int q[size],head,tail; void enqueue(unsigned int x) { q[tail]=x; tail=(++tail)%size; unsigned int dequeue() { unsigned int ret; ret = q[head]; q[head]=0; head= (++head)%size; return ret; tail=non_det(); CPROVER_assume(0<= tail && tail < SIZE); if( head < tail) for(i=head; i < tail; i++) { q[i]=non_det(); CPROVER_assume(0< q[i]); else if(head > tail) { for(i=0; i < tail; i++) { q[i]=non_det(); CPROVER_assume(0< q[i]); for(i=head; i < SIZE; i++) { q[i]=non_det(); CPROVER_assume(0< q[i]); // We assume that q[] is empty if head==tail

void enqueue_verify() { unsigned int x, old_head, old_tail; unsigned int old_q[size], i; CPROVER_assume(x>0); for(i=0; i < SIZE; i++) old_q[i]=q[i]; old_head=head; old_tail=tail; enqueue(x); void dequeue_verify() { unsigned int ret, old_head, old_tail; unsigned int old_q[size], i; for(i=0; i < SIZE; i++) old_q[i]=q[i]; old_head=head; old_tail=tail; CPROVER_assume(head!=tail); ret=dequeue(); assert(q[old_tail]==x); assert(tail== ((old_tail +1) % SIZE)); assert(head==old_head); for(i=0; i < old_tail; i++) assert(old_q[i]==q[i]); for(i=old_tail+1; i < SIZE; i++) assert(old_q[i]==q[i]); assert(ret==old_q[old_head]); assert(q[old_head]== EMPTY); assert(head==(old_head+1)%size); assert(tail==old_tail); for(i=0; i < old_head; i++) assert(old_q[i]==q[i]); for(i=old_head+1; i < SIZE; i++) assert(old_q[i]==q[i]); int main() {// cbmc q.c unwind SIZE+2 environment_setup(); enqueue_verify(); int main() {// cbmc q.c unwind SIZE+2 environment_setup(); dequeue_verify();

Ex2. Tower of Hanio Write down a C program to solve the Tower of Hanoi ga me (3 poles and 4 disks) by using CBMC Hint: you may non-deterministically select the disk to move Find the shortest solution by analyzing counter examples. Also explain why your solution is the shortest one. Use non-determinism and CPROVER_assume() properly for the moving choice Use assert statement to detect when all the disks are moved to the destination 6/11

Top[3] 2-1 -1 //cbmc hanoi3.c unwind 7 no-unwinding-assertions 1:signed char disk[3][3] = {{3,2,1,{0,0,0,{0,0,0; 2:char top[3]={2,-1,-1;// The position where the top disk is located at. 3: // If the pole does not have any disk, top is -1 4:int main() { 5: unsigned char dest, src; 14: while(1) { 15: src = non_det(); 16: CPROVER_assume(src==0 src==1 src==2); 17: CPROVER_assume(top[src]!= -1); 18: 19: dest= non_det(); 20: CPROVER_assume((dest==0 dest==1 dest==2) && (dest!= src)); 21: CPROVER_assume(top[dest]==-1 (disk[src][top[src]] < disk[dest][top[dest]]) ); 22: 25: top[dest]++; 26: disk[dest][top[dest]]=disk[src][top[src]]; 27: 28: disk[src][top[src]]=0; 29: top[src]--; 30: 31: assert(!(disk[2][0]==3 && disk[2][1]==2 && disk[2][2]==1 )); 2 1 0 2 1 0 0 1 2 1 0 0 2 0 0 3 0 0 0 1 2 0 0 1 0 0 2 0 0 3

Ex3. Flash read verification 1. Formal verification of a flash memory reading unit (70 pts) Show the correctness of the flash_read() By using randomized testing Randomly select the physical sectors to write four characters and set the corresponding SAMs By using exhaustive testing Create 43680 (16*15*14*13) distinct test cases» Do not print test cases in your hardcopy to save trees By using CBMC Create environment model satisfying the invariant formula by using CPROVER_assume() and nested loops

Problem #1. Random solution void main(){ char res[50]; int tc = 0; int count = 0; int ntc = 43680;// # of possible distribution // 16*15*14*13 while(tc++ < ntc){ randomized_test(); flash_read(&res[count],sam,pu); assert(res[0] == 'a' && res[1] == 'b' && res[2] == 'c' && res[3] =='d'); ind_sect 0 1 2 3 ind_pu 0 1 2 3 #include <stdio.h> #include <time.h> #include <assert.h> #define SECT_PER_U 4 #define NUM_PHI_U 4 typedef struct _SAM_type{ unsigned char offset[sect_per_u]; SAM_type; typedef struct _PU_type{ unsigned char sect[sect_per_u]; PU_type; char data[sect_per_u] = "abcd"; PU_type pu[num_phi_u]; SAM_type SAM[NUM_PHI_U]; void randomized_test(){ unsigned int i = 0, j = 0; unsigned char ind_pu, ind_sect; // Initialization for(i = 0;i < NUM_PHI_U;i++){ for(j = 0;j < SECT_PER_U;j++){ SAM[i].offset[j] = 255; pu[i].sect[j] = 0; while (i< SECT_PER_U) { ind_pu = rand()%4; ind_sect= rand()%4; if(pu[ind_pu].sect[ind_sect] == 0){ pu[ind_pu].sect[ind_sect] = data[i]; SAM[ind_pu].offset[i] = ind_sect; i++;

Problem #1. Exhaustive solution data_pos ind_sect 0 5 10 11 0 1 2 3 ind_pu 0 1 2 3 a b c d void exhaustive_test(int *data_pos){ unsigned int i = 0, j = 0; unsigned char ind_pu, ind_sect; for(i = 0;i < NUM_PHI_U;i++){ for(j = 0;j < SECT_PER_U;j++){ SAM[i].offset[j] = 255; pu[i].sect[j] = 0; for(i = 0;i < NUM_PHI_U;i++){ ind_pu = data_pos[i]/4; ind_sect = data_pos[i]%4; pu[ind_pu].sect[ind_sect] = data[i]; SAM[ind_pu].offset[i] = ind_sect; void main(){ char res[4]; int i, j,k,l, data_pos[4]; //# of all distributions = 16*15*14*13 for(i = 0;i < NUM_PHI_U * SECT_PER_U;i++){ for(j = 0;j < NUM_PHI_U * SECT_PER_U;j++){ if (j == i) continue; for(k = 0;k < NUM_PHI_U * SECT_PER_U;k++){ if (k == i k == j) continue; for(l = 0;l < NUM_PHI_U * SECT_PER_U;l++){ if(l == i l == j l == k) continue; data_pos[0] = i; data_pos[1] = j; data_pos[2] = k; data_pos[3] = l; exhaustive_test(data_pos); flash_read(&res[count],sam,pu); assert(res[0] == 'a' && res[1] == 'b' && res[2] == 'c' && res[3] == 'd');

Problem #1. CBMC solution void CBMC_environ_setting(){ unsigned int i = 0, j = 0; unsigned char ind_pu, ind_sect; for(i = 0;i < NUM_PHI_U;i++){ for(j = 0;j < SECT_PER_U;j++){ SAM[i].offset[j] = 255; pu[i].sect[j] = 0; for(i = 0;i < SECT_PER_U;i++){ ind_pu = nondet_char(); ind_sect = nondet_char(); CPROVER_assume(ind_pu>=0 && ind_pu <NUM_PHI_U); CPROVER_assume(ind_Sect>=0 && ind_sect <SECT_PER_U); CPROVER_assume(pu[ind_pu].sect[ind_Sect] == 0); pu[ind_pu].sect[ind_sect] = data[i]; SAM[ind_pu].offset[i] = ind_sect; void main(){ char res[50]; int count = 0; CBMC_environ_setting(); flash_read(&res[count],sam,pu); assert(res[0] == 'a' && res[1] == 'b' && res[2] == 'c' && res[3] == 'd'); 0.5 0.4 0.3 0.2 0.1 0 Execution time(sec) Randomize Exhaustive CBMC Execution time(sec)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback