Software Model Checking. Xiangyu Zhang

Similar documents
CS 510/13. Predicate Abstraction

Having a BLAST with SLAM

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Having a BLAST with SLAM

Having a BLAST with SLAM

Having a BLAST with SLAM

Software Model Checking with Abstraction Refinement

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Introduction to CBMC: Part 1

Scalable Program Verification by Lazy Abstraction

Predicate Abstraction Daniel Kroening 1

More on Verification and Model Checking

Static Program Analysis

Counterexample Guided Abstraction Refinement in Blast

On Reasoning about Finite Sets in Software Checking

Verifying Multithreaded Software with Impact

Software Model Checking. From Programs to Kripke Structures

Bounded Model Checking. Mooly Sagiv Slides from Arie Gurfinkel & Sagar Chaki, Daniel Jackson, Shahar Maoz

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Bounded Model Checking Of C Programs: CBMC Tool Overview

F-Soft: Software Verification Platform

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Model Checking with Abstract State Matching

Interpolation-based Software Verification with Wolverine

Predicate Abstraction of ANSI C Programs using SAT Λ

Verifying Concurrent Programs

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

C Code Verification based on the Extended Labeled Transition System Model

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

The ComFoRT Reasoning Framework

Symbolic and Concolic Execution of Programs

Predicate Abstraction of ANSI C Programs using SAT

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Predicate Abstraction of ANSI C Programs using SAT

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Model Checking: Back and Forth Between Hardware and Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Automatic Software Verification

Abstraction techniques for Floating-Point Arithmetic

Handling Loops in Bounded Model Checking of C Programs via k-induction

Counter-Example Guided Program Verification

Static Program Checking

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

SAT-based Model Checking for C programs

Model Checking and Its Applications

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Program Verification (6EC version only)

Proofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur

A Survey of Automated Techniques for Formal Software Verification

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Proving Properties of non-array Programs

Edmund Clarke Computer Science Dept., Carnegie Mellon University Pittsburgh, PA, USA

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Deductive Methods, Bounded Model Checking

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Model Checking Software Programs with. First Order Logic Specifications using AIG Solvers

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Formal Verification at Higher Levels of Abstraction

CSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak

Model Checking Embedded C Software using k-induction and Invariants

Counterexample Guided Abstraction Refinement via Program Execution

Regression Verification - a practical way to verify programs

Predicate Abstraction and Refinement Techniques for Verifying Verilog

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

Over-Approximating Boolean Programs with Unbounded Thread Creation

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

TRACER: A Symbolic Execution Tool for Verification

Abstract Interpretation

Backward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction

Program Verification. Aarti Gupta

The software model checker BLAST

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Software Engineering using Formal Methods

Yices 1.0: An Efficient SMT Solver

Slice n Dice Algorithm Implementation in JPF

Proof Pearl: The Termination Analysis of Terminator

DPLL(Γ+T): a new style of reasoning for program checking

Finite State Verification. CSCE Lecture 14-02/25/2016

An Eclipse Plug-in for Model Checking

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or

The Spin Model Checker : Part I/II

Cover Page. The handle holds various files of this Leiden University dissertation

A survey of new trends in symbolic execution for software testing and analysis

Lecture Notes on Memory Layout

Predicate Refinement Heuristics in Program Verification with CEGAR

Inductive Invariant Generation via Abductive Inference

Checking Consistency of C and Verilog using Predicate Abstraction and Induction

Program Analysis and Code Verification

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

BITCOIN MINING IN A SAT FRAMEWORK

Bounded Model Checking of Concurrent Programs

VS 3 : SMT Solvers for Program Verification

Transcription:

Software Model Checking Xiangyu Zhang

Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions Model checking directly encodes both the program and the property to check to constraints Program Claim Analysis Engine CNF SMT Solver SAT counterexample exists UNSAT no counterexample found 2

A (very) simple example (1) Program Constraints CS510 S o f t w a r e E n g i n e e r i n g int x; int y=8,z=0,w=0; if (x) z = y 1; else w = y + 1; assert (z == 7 w == 9) y = 8, z = x? y 1 : 0, w = x? 0 :y + 1, z!= 7, w!= 9 UNSAT no counterexample assertion always holds! 3

A (very) simple example (2) Program Constraints CS510 S o f t w a r e E n g i n e e r i n g int x; int y=8,z=0,w=0; if (x) z = y 1; else w = y + 1; assert (z == 5 w == 9) y = 8, z = x? y 1 : 0, w = x? 0 :y + 1, z!= 5, w!= 9 SAT counterexample found! y = 8, x = 1, w = 0, z = 7 4

Procedure Unroll loops CS510 S o f t w a r e E n g i n e e r i n g Program Claim Bound (n) Analysis CNF Engine SAT counterexample exists Translate to SSA form SSA to SMT constraints SMT Solver UNSAT no counterexample of bound n 5

Loop Unwinding All loops are unwound can use different unwinding bounds for different loops to check whether unwinding is sufficient special unwinding assertion claims are added If a program satisfies all of its claims and all unwinding assertions then it is correct! Same for backward goto jumps and recursive functions

Loop Unwinding void f(...) {... while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

Loop Unwinding void f(...) {... if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

Loop Unwinding void f(...) {... if(cond) { Body; if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto

Unwinding assertion void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; while(cond) { Body; Remainder; while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits

Unwinding assertion void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; assert(!cond); Remainder; Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits

Example: Sufficient Loop Unwinding void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; unwind = 3 void f(...) { j = 1 if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; assert(!(j <= 2)); Remainder;

Example: Insufficient Loop Unwinding void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; unwind = 3 void f(...) { j = 1 if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; assert(!(j <= 10)); Remainder;

Transforming Loop-Free Programs Into Equations (1) Easy to transform when every variable is only assigned once! CS510 S o f t w a r e E n g i n e e r i n g Program x = a; y = x + 1; z = y 1; Constraints x = a && y = x + 1 && z = y 1 && 14

Transforming Loop-Free Programs Into Equations (2) CS510 S o f t w a r e E n g i n e e r i n g When a variable is assigned multiple times, use a new variable for the RHS of each assignment Program SSA Program 15

What about conditionals? CS510 S o f t w a r e E n g i n e e r i n g Program if (v) x = y; else x = z; w = x; SSA Program if (v 0 ) x 0 = y 0 ; else x 1 = z 0 ; w 1 = x??; What should x be? 16

What about conditionals? Program SSA Program CS510 S o f t w a r e E n g i n e e r i n g if (v) x = y; else x = z; w = x; if (v 0 ) x 0 = y 0; else x 1 = z 0; x 2 = v 0? x 0 : x 1 ; w 1 = x 2 For each join point, add new variables with selectors 17

Encoding CS510 S o f t w a r e E n g i n e e r i n g Declare symbolic variables for each (SSA) scalar variables Assignments to equivalence Phi functions to ITE expressions Array accesses to select/store operations Scalar pointer dereferences to identify operations Heap dereferences to select/store operations if (v) p = &x; else p = &y; p =(int*) malloc(100); i = 10; q = p+i *q = 10 *p = 10; q=p; z=*q 18

CBMC: C Bounded Model Checker CS510 S o f t w a r e E n g i n e e r i n g Developed at CMU by Daniel Kroening et al. Available at: http://www.cs.cmu.edu/~modelcheck/cbmc/ Supported platfoms: Windows (requires VisualStudio s CL), Linux Provides a command line and Eclipse-based interfaces Known to scale to programs with over 30K LOC Was used to find previously unknown bugs in MS Windows device drivers 19

Explicit State Model Checking The program is indeed executing jpf <your class> <parameters> Very similar to java <your class> <parameters> Execute in a way that all possible scenarios are explored Thread interleaving Undeterministic values (random values) Concrete input is provided A state is indeed a concrete state, consisting of Concrete values in heap/stack memory

An Example

An Example (cont.) One execution corresponds to one path.

JPF explores multiple possible executions GIVEN THE SAME CONCRETE INPUT

Two Essential Capabilities Backtracking Means that JPF can restore previous execution states, to see if there are unexplored choices left. While this is theoretically can be achieved by re-executing the program from the beginning, backtracking is a much more efficient mechanism if state storage is optimized. State matching JPF checks every new state if it already has seen an equal one, in which case there is no use to continue along the current execution path, and JPF can backtrack to the nearest non-explored nondeterministic choice Heap and thread-stack snapshots.

State Abstraction Eliminate details irrelevant to the property Obtain simple finite models sufficient to verify the property Disadvantage Loss of Precision: False positives/negatives

Data Abstraction S h h h h h S Abstraction Function h : from S to S

Data Abstraction Example Abstraction proceeds component-wise, where variables are components x:int, -2, 0, 2, 4,, -3, -1, 1, 3, Even Odd y:int, -3, -2, -1 0 1, 2, 3, Neg Zero Pos

How do we Abstract Behaviors? Abstract domain A Abstract concrete values to those in A Then compute transitions in the abstract domain

Data Type Abstraction Code Abstract Data domain int x = 0; if (x == 0) x = x + 1; int (n<0) : NEG (n==0): ZERO (n>0) : POS Signs x = ZERO; if (Signs.eq(x,ZERO)) x = Signs.add(x,POS); Signs NEG ZERO POS

Existential/Universal Abstractions Existential Make a transition from an abstract state if at least one corresponding concrete state has the transition. Abstract model M simulates concrete model M Universal Make a transition from an abstract state if all the corresponding concrete states have the transition.

Existential Abstraction (Over-approximation) I S h I S

Universal Abstraction (Under-Approximation) I S h I S

Guarantees from Abstraction Assume M is an abstraction of M Strong Preservation: P holds in M iff P holds in M Weak Preservation: P holds in M implies P holds in M

Guarantees from Exist. Abstraction Let φ be a hold-for-all-paths property M existentially abstracts M Preservation Theorem M φ M φ Converse does not hold M φ M φ M M M φ : counterexample may be spurious

Guarantees from Univ. Abstraction Let φ be a existential-quantified property and M simulates M Preservation Theorem M φ M φ Converse does not hold M φ M φ

Spurious counterexample in Overapproximation I Deadend states I Bad States f Failure State

Refinement Problem: Deadend and Bad States are in the same abstract state. Solution: Refine abstraction function. The sets of Deadend and Bad states should be separated into different abstract states.

Refinement h Refinement : h

Automated Abstraction/Refinement Good abstractions are hard to obtain Automate both Abstraction and Refinement processes Counterexample-Guided AR (CEGAR) Build an abstract model M Model check property P, M P? If M P, then M P by Preservation Theorem Otherwise, check if Counterexample (CE) is spurious Refine abstract state space using CE analysis results Repeat

Counterexample-Guided Abstraction-Refinement (CEGAR) M Build New Abstract Model M Model Check Pass No Bug Fail Obtain Refinement Cue Spurious CE Check Counterexample Real CE Bug

Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs SLAM (used in windows device driver verification) MAGIC, BLAST, F-Soft

Example for Predicate Abstraction int main() { int i; i=0; while(even(i)) i++; + p1 = i=0 p 2 even(i) void main() { bool p1, p2; p1=true; p2=true; while(p2) { p1=p1?false:nondet(); p2=!p2; C program Predicates Boolean program [Graf, Saidi 97] [Ball, Rajamani 01]

Computing Predicate Abstraction How to get predicates for checking a given property? How do we compute the abstraction? Predicate Abstraction is an overapproximation How to refine coarse abstractions

Counterexample Guided Abstraction Refinement loop C Program Initial Abstraction Abstract model Verification Model Checker No error or bug found Property holds Abstraction refinement Refinement Simulator Simulation sucessful Bug found Spurious counterexample

Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock

What a program really is State Transition pc lock old new q 3 5 5 0x133a 3: unlock(); new++; 4: pc lock old new q 4 5 6 0x133a Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return;

The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula

Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite

Abstract States and Transitions State pc lock old new q 3 5 5 0x133a 3: unlock(); new++; 4: pc lock old new q 4 5 6 0x133a lock old=new! lock! old=new

Abstraction State pc lock old new q 3 5 5 0x133a 3: unlock(); new++; 4: pc lock old new q 4 5 6 0x133a Existential Approximation lock old=new! lock! old=new

Abstraction State pc lock old new q 3 5 5 0x133a 3: unlock(); new++; 4: pc lock old new q 4 5 6 0x133a lock old=new! lock! old=new

Analyze Abstraction Analyze finite graph Over Approximate: Safe => System Safe Problem Spurious counterexamples

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction

Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 1! LOCK 1 Predicates: LOCK

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); lock() old = new q=q->next 1 2! LOCK LOCK 1 2 Predicates: LOCK

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); [q!=null] 3 1 2 LOCK! LOCK LOCK 1 2 3 Predicates: LOCK

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); q->data = new unlock() new++ 3 4 1 2 LOCK! LOCK! LOCK LOCK 4 1 2 3 Predicates: LOCK

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 1 2 LOCK! LOCK LOCK 4! LOCK [new==old] 5 5! LOCK 4 1 2 3 Predicates: LOCK

Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 1 2 LOCK! LOCK LOCK 4! LOCK 5 4 unlock() 5! LOCK! LOCK 1 2 3 Predicates: LOCK

Analyze Counterexample Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 4 1 2 LOCK! LOCK! LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5! LOCK unlock() 4! LOCK 1 2 3 Predicates: LOCK

Analyze Counterexample Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 3 1 2 LOCK : LOCK LOCK old = new new++ 4 : LOCK [new==old] 1 2 5 4 3 5 : LOCK : LOCK Inconsistent new == old Predicates: LOCK

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 1 : LOCK 1 Predicates: LOCK, new==old

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 1 LOCK, new==old 2! LOCK lock() old = new q=q->next 1 2 Predicates: LOCK, new==old

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); 1! LOCK LOCK, new==old 2 LOCK, new==old 3 q->data = new unlock()! LOCK,! new = old 4 new++ 1 2 4 3 Predicates: LOCK, new==old

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 [new==old] 1! LOCK 1 2 4 3 Predicates: LOCK, new==old

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old 2 LOCK, new==old 3! LOCK,! new = old 4 1 [new!=old]! LOCK 1 2 4 3 1! LOCK,! new == old Predicates: LOCK, new==old

Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4:while(new!= old); 5: unlock (); LOCK, new==old LOCK, new==old 3 1 2! LOCK SAFE! LOCK,! new = old 4 4 LOCK, new=old 5 4 4 1! LOCK,! new == old 5 1 2 3! LOCK, new==old Predicates: LOCK, new==old

Another Example 1: x = ctr; 2: y = ctr + 1; 3: if (x = i-1){ 4: if (y!= i){ ERROR: C program Abstract 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: No predicates available currently

Checking the abstract model Is ERROR reachable? 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: yes Abstract model has a path leading to error state

Does this Simulation correspond to a real bug? 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: Check using a SAT solver Not possible 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) Concrete trace

Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) Spurious Counterexample 1: skip; 2: skip; 3: if (*){ 4: if (*){ ERROR: Initial abstraction

Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) 1: skip; 2: skip; 3: if (*){ 4: if (b0){ ERROR: boolean b0 : y!= i

Refinement 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) 1: skip; 2: skip; 3: if (b1){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b1 : x== i-1

Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P]

Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] P[e/x] new+1 = old Assign x=e P new = old new = new+1

Refinement boolean b2 : ctr + 1! = i Weakest precondition of y!= i 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) 1: skip; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b1 : x== i-1

Refinement boolean b2 : ctr + 1! = i boolean b3: ctr == i -1 1: x = ctr; 2: y = ctr + 1; 3: assume(x == i-1) 4: assume (y!= i) 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b1 : x== i-1

Refinement What about initial values of b2 and b3? b2 and b3 are mutually exclusive. b2 =1, b3 = 0 b2 =0, b3 = 1 So system is safe! boolean b2 : ctr + 1! = i boolean b3: ctr == i -1 1: b1 = b3; 2: b0 = b2; 3: if (b1){ 4: if (b0){ ERROR: boolean b0 : y!= i boolean b1 : x== i-1

Tools for Predicate Abstraction of C SLAM at Microsoft Used for verifying correct sequencing of function calls in windows device drivers MAGIC at CMU Allows verification of concurrent C programs Found bugs in MicroC OS BLAST at Berkeley Lazy abstraction, interpolation SATABS at CMU Computes predicate abstraction using SAT Can handle pointer arithmetic, bit-vectors F-Soft at NEC Labs Localization, register sharing

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback