No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Similar documents
Having a BLAST with SLAM

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Having a BLAST with SLAM

CS 510/13. Predicate Abstraction

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Having a BLAST with SLAM

Software Model Checking. Xiangyu Zhang

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Proofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur

Software Model Checking. From Programs to Kripke Structures

Having a BLAST with SLAM

Predicate Abstraction Daniel Kroening 1

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Software Model Checking with Abstraction Refinement

Static Program Analysis

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Program Static Analysis. Overview

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Reasoning About Imperative Programs. COS 441 Slides 10

PROGRAM ANALYSIS & SYNTHESIS

More on Verification and Model Checking

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Proofs from Tests. Sriram K. Rajamani. Nels E. Beckman. Aditya V. Nori. Robert J. Simmons.

F-Soft: Software Verification Platform

Symbolic and Concolic Execution of Programs

Polymorphic Predicate Abstraction

CS2104 Prog. Lang. Concepts

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Software Model Checking with SLAM

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

An Eclipse Plug-in for Model Checking

Abstract Interpretation

Forward Assignment; Strongest Postconditions

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

6. Hoare Logic and Weakest Preconditions

Formal Methods for Software Development

Finite State Verification. CSCE Lecture 14-02/25/2016

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

An Annotated Language

Context-Sensitive Pointer Analysis. Recall Context Sensitivity. Partial Transfer Functions [Wilson et. al. 95] Emami 1994

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

Proving Properties on Programs From the Coq Tutorial at ITP 2015

SAT-based Model Checking for C programs

Static program checking and verification

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Reasoning about programs

Checks and Balances - Constraint Solving without Surprises in Object-Constraint Programming Languages: Full Formal Development

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

Mutual Summaries: Unifying Program Comparison Techniques

Type checking. Jianguo Lu. November 27, slides adapted from Sean Treichler and Alex Aiken s. Jianguo Lu November 27, / 39

Programming Languages Third Edition

The Spin Model Checker : Part I/II

Symbolic Evaluation/Execution

Finite State Verification. CSCE Lecture 21-03/28/2017

Dynamic Path Reduction for Software Model Checking

Counterexample Guided Abstraction Refinement in Blast

Introduction to Axiomatic Semantics

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Data Flow Analysis. Agenda CS738: Advanced Compiler Optimizations. 3-address Code Format. Assumptions

Synthesis for Concurrency

Motivation was to facilitate development of systems software, especially OS development.

Model checking Timber program. Paweł Pietrzak

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

3.7 Denotational Semantics

Model Requirements and JAVA Programs MVP 2 1

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt

Advanced Compiler Construction

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Introduction to Axiomatic Semantics (1/2)

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Motivation was to facilitate development of systems software, especially OS development.

Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Lectures 20, 21: Axiomatic Semantics

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

The Pointer Assertion Logic Engine

SYNERGY : A New Algorithm for Property Checking

Lecture 3: Recursion; Structural Induction

Failure-Directed Program Trimming

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model Checking with Abstract State Matching

Cover Page. The handle holds various files of this Leiden University dissertation

Hoare Logic and Model Checking

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

CS153: Compilers Lecture 17: Control Flow Graph and Data Flow Analysis

Interacting Process Classes

Profile-Guided Program Simplification for Effective Testing and Analysis

Midterm II CS164, Spring 2006

Testing, Debugging, Program Verification

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Source Code Formal Verification. Riccardo Sisto, Politecnico di Torino

Program Verification (6EC version only)

Programming Embedded Systems

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

TermComp Proposal: Pushdown Systems as a Model for Programs with Procedures

Alias Analysis. Last time Interprocedural analysis. Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Transcription:

No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable properties Verify CS 5219 2010-11 by Abhik 1 CS 5219 2010-11 by Abhik 2 Recap on Model Checking Inputs: A finite state transition system M A temporal property ϕ Check M = ϕ Output True if M = ϕ Counter-example evidence, otherwise Model Checking for SW Verif. The steps: Generate transition system-like models from code Typically involves at least data abstractions Exhaustive search through the model For time/space efficiency, the model may not be explicitly represented and searched. Explaining counter-examples CS 5219 2010-11 by Abhik 3 CS 5219 2010-11 by Abhik 4 More on the big picture Explaining counter-example Counter-example points to an actual violation of property p ϕ in program. How to locate the bug from the counterexample SW Engineering activity It was introduced owing to the abstractions Refine the abstraction and run model checking on the model derived by refined abstraction Abstract Model Check Refine loop. CS 5219 2010-11 by Abhik 5 Abst -> MC -> Refine Program P Model Extraction Spurious, Refine Counterexample Additional preds Real Counter-example, ϕ disproved Finite state Model M Model Checker M = ϕ? In practice, provides preds. Temporal Property ϕ YES, ϕ Proved. CS 5219 2010-11 by Abhik 6 1

The approach (1) Reasoning techniques over finite-state models well-understood. Search based procedures (Model Checking) Need to generate models from code Typically finitely many control locations Infinitely many data states (memory store) How to abstract the memory store? This can give a finite state model CS 5219 2010-11 by Abhik 7 The approach (2) Boolean abstraction used on memory store State of memory captured by finitely many boolean variables which answer queries about its contents Check all possible behaviors of a program Translate program to a finite state model and employ model checking (this lecture) OR Modify the state space search algorithm in model checking to directly verify programs e.g. Verisoft checker from Bell Labs (not covered in this course) CS 5219 2010-11 by Abhik 8 Model Generation Projects Source Language Modeling Language E.g. C PROMELA (FeaVer tool) C Boolean Pgm (SLAM toolkit) Various choices in Bandera toolkit In this lecture, we consider a source language with sequential programs Properties are locational invariants AG( (pc = 34) (v = 0) ) Predicate Abstraction Input Source Program P S P, Set of Predicates about variables in P Output Abstracted program P1 Data states in P1 correspond to valuations of predicates in S P CS 5219 2010-11 by Abhik 9 CS 5219 2010-11 by Abhik 10 Predicate Abs. (once more) Input : A C program P1 A set of predicates containing vars of P1 Output A boolean program P2 Only data type of P2 is boolean P2 contains more execution paths than P1 i.e. All paths of P1 are captured in P2, not vice-versa P2 is being used for invariant verification of P1. The Language of Predicates Boolean expressions containing program variables, No function calls Pointer referencing is allowed P val > Var Of course Bool. Exp contains B = B B B B B A Relop A A = A + A A A A*A A/A Var Int Relop = < > = CS 5219 2010-11 by Abhik 11 CS 5219 2010-11 by Abhik 12 2

Simple Examples Control constructs Source Code Var := 0 Var := Var1 Abstracted Code [Var = 0] := true [Var = 1] := false [Var = 0] := unknown (no preds. about Var1) OR- [Var= 0] := [Var1= 0] (Var1=0 is another pred) CS 5219 2010-11 by Abhik 13 Abstraction scheme will be developed for Within a procedure Assignments Branches All other constructs can be represented by these Across procedures Formal and actual parameters Local variables Return variables CS 5219 2010-11 by Abhik 14 Assignments to predicates We are converting a C program to a boolean program where the only type is boolean. The boolean program will not be executed. Assignment to our predicate variables can assign true / false / unknown If unknown is assigned, both possibilities should be explored during model checking Assignments Predicate abstraction of pgm. P w.r.t. { b 1,,b k } Effect of X := e on b 1,,b k Variable b i denotes expression ϕ i If ϕ i [x e] holds before X := e then set b i := true If ϕ i [x e] holds before X := e then set b i := false CS 5219 2010-11 by Abhik 15 CS 5219 2010-11 by Abhik 16 Simple Ex. of Assignments b1 X > 2 b2 Y > 2 Assignment X := Y Transform it to b1 := b2 b1 X > 2 b2 Y > 2 b3 X < 3 b4 Y < 3 Transform X := Y to the parallel assignment b1, b3 := b2, b4 CS 5219 2010-11 by Abhik 17 Assignments (2) But ϕ i [x e] may not be representable as a boolean formula over b 1,,b k Examples: Predicates: X < 5, X = 2 Assignment stmt: X := X + 1 X < 5 [X X+1] equivalent to X +1 < 5 equivalent to X < 4 X = 2 [X X+1] equivalent to X + 1 = 2 equivalent to X = 1 CS 5219 2010-11 by Abhik 18 3

Assignments (3) Define predicate b1 as X < 5 b2 as X = 2 What is the weakest formula over b1 and b2 which implies X < 4? If this formula is true, we can conclude X < 4 before X := X +1 is executed X < 5 after X := X + 1 is executed b1 = true after X := X + 1 is executed CS 5219 2010-11 by Abhik 19 Assignments - Summary Predicates: {b 1,,b k } Predicate b i represents expression ϕ i X := e is an assignment statement in the pgm. being abstracted. We can conclude b i = true after X := e iff ϕ i [ X e] before X :=e is executed. CS 5219 2010-11 by Abhik 20 Assignments - Summary Find the weakest formula over b1,,bk which implies ϕ i [ X e] and check whether it is true before X := e If yes, set b i = true as an effect of X := e in the abstracted program Set b i = false in the abstracted pgm if the weakest formula over b1,,bk which implies ϕ i [ X e] holds If none of this is possible, b i = unknown Assignments - Example Predicates: b1 is X < 5, b2 is X =2 Assignment: X := X + 1 Weakest pre-condition for b1 to hold, denoted as WP(X:= X+1, b1) X < 4 Weakest formula over {b1, b2} to imply WP(X:= X+1, b1), denoted as F( WP(X := X +1), b1)) X = 2, that is, the formula b2 CS 5219 2010-11 by Abhik 21 CS 5219 2010-11 by Abhik 22 Assignments Example Predicates: b1 is X < 5, b2 is X =2 WP(X:= X+1, b1) equivalent to X + 1 5equivalentto to X 4 F(WP(X:= X+1, b1)) = F(X 4) is X 5, that is, the formula b1 itself Computation of the F function is in general exponential, Why?? Computation of F(ϕ) Consider all minterms of b1,,bk b1 b2 b1 b2 b1 b2 b1 b2 Which of them imply ϕ? Take the disjunction of all such minterms and simplify. Improvements to this algo. possible. CS 5219 2010-11 by Abhik 23 CS 5219 2010-11 by Abhik 24 4

Exercise b1 X < 5, b2 X = 2 Assignment in the program X:=X+1 X What will it be substituted with in our boolean program? Let us do it now Aliasing via pointers To compute the effect of X := 3 on b1 We compute F(WP(X := 3, b1)) Suppose b1 is *p > 5, p is a pointer Effect of X := 3 depends on whether X and p are aliases Use a points-to analysis to determine this. Typically flow insensitive Aliasing analysis sharpens information about program states and hence the abstraction. CS 5219 2010-11 by Abhik 25 CS 5219 2010-11 by Abhik 26 Effect of aliasing WP( X := 3, *p > 5) is (&x = p 3 > 5) (&x p *p > 5) Thus, WP(X := e, ϕ(y)) is (&X = &Y ϕ[y e]) (&x & Y ϕ(y) If X and Y are aliases replace Y by e in ϕ Otherwise, the assignment has no effect If ϕ refers to several locations, each of them may/may not alias to X. CS 5219 2010-11 by Abhik 27 Another exponential blowup If ϕ refers to k locations Each may/not alias to X 2^k possibilities WP is a disjunction of 2^k minterms In practice, accurate static not-points-to analysis is feasible Removes conjuncts corresponding to confirmed non-aliases (in any control loc.) CS 5219 2010-11 by Abhik 28 Control constructs Abstraction scheme will be developed for Within a procedure Assignments Branches All other constructs can be represented by these Across procedures Formal and actual parameters Local variables Return variables Control branches So far, considered straight-line code. Consider the effect of conditional branch instructions as in if-then-else statements. Loops are conditional branch instructions ti with one branch executing a goto. Sufficient to consider Abstract( If (c) {S1} else {S2} ) CS 5219 2010-11 by Abhik 29 CS 5219 2010-11 by Abhik 30 5

Control Branches If (c ) {S1} else {S2} Different from the assert statement If (*) { assume (c ) ; S1 } else { assume ( c); S2 } (*) denotes non-deterministic choice assume(ϕ) terminates exec. if ϕ is false Otherwise, the statement has no effect. Abstracting Branches Abstract( If (c ) {S1} else {S2} ) is If (*) { assume G( c); Abstract(S1) } else { assume G( c ); Abstract(S2)} Predicates: b 1,,b k G( c ) is the strongest formula over b 1,,b k which is implied by c Formal definition in next slide. CS 5219 2010-11 by Abhik 31 CS 5219 2010-11 by Abhik 32 Abstracting Branches G(c ) = F ( c) Dual of the F operator studied earlier CAUTION: G and F operators of this lecture different from temporal ops Questions Abstract( if (c ) {S1} else {S2} ) If G( c ) { Abstract(S1)} else {Abstract(S2)} Exercise: Why choose the G operator for abstracting branches, why not F? CS 5219 2010-11 by Abhik 33 Was the assume statement necessary Does the assume statement introduce new paths? CS 5219 2010-11 by Abhik 34 Abstracting Branches- Example If (*p <= x) {*p := x} else {*p := *p + x} Predicates b1 is *p <= 0 b2 is x = 0 G( *p <= x ) = F (*p > x) To compute F (*p > x) consider all minterms of b1 and b2 CS 5219 2010-11 by Abhik 35 Abstracting Branches- Example Minterms of b1, b2 b1 b2 is *p > 0 x 0 b1 b2 is *p <=0 x 0 b1 b2 is *p >0 x = 0 b1 b2 is *p <= 0 x = 0 F(*p > x) = b1 b2 &x and p are considered to be non-aliases CS 5219 2010-11 by Abhik 36 6

Abstracting Branches- Example G(*p <= x) = F(*p > x)= (b2 b1) = b2 \/ b1 = b2 b1 = (x = 0) (*p <= 0) Similarly compute G( (*p <= x)) Abstracted template If (*) { assume (x = 0 (*p <= 0)) ; } else { assume (x=0 (*p <=0)); } CS 5219 2010-11 by Abhik 37 Control constructs Abstraction scheme will be developed for Within a procedure Assignments Branches All other constructs can be represented by these Across procedures Formal parameter, Local variables, Return variables Procedure calls and returns CS 5219 2010-11 by Abhik 38 Inter-procedural Abstraction One-to-one mapping of procedure Each proc. to an abstract one No inlining introduced by abstraction. Given predicates: b1,,bk Each pred. is marked global (refers to global vars.) or local to a specific procedure. Does not allow capturing relationships of variables across procedures. Will Revisit this! Abstracted procedures? Given A concrete procedure R A set E R of predicates b1,,bj specific to R E R can refer to parameters of R Need to define an abstract procedure R1 Formal Parameters of R1 Return Vars. of R1 CS 5219 2010-11 by Abhik 39 CS 5219 2010-11 by Abhik 40 Example Parameters, Local Vars int procedure(int* q, int y) { int l1, l2;.... return l1; } Predicates: b1 is y >= 0 b2 is *q <= y b3 is y = l1 b4 is y > l2 Formal parameters of R1 All predicates in E R which do not refer to local variables of R All other preds. in E R are local l vars. of R1. Natural notion of input context for R1. Example: Concrete Parameters: q, y Abstract Parameters: y>=0, *q <= y CS 5219 2010-11 by Abhik 41 CS 5219 2010-11 by Abhik 42 7

Return Variables Natural notion of output context for R1. Pass information to callers about Return value of R Global Vars Call-by-reference parameters Info. about return value captured by those preds in E R which refer to return var. of R, but no other local variable (return var. can be a local var.) CS 5219 2010-11 by Abhik 43 Return Variables Info about global var/reference parameters Preds. in E R which were computed to be formal parameters of R1, AND Refer to global l variables, dereferences E R = { y>=0, *q <=y, y = l1, y > l2 } Concrete ret. Var. : l1 Concrete Parameters: q, y Abst. Ret. Vars: y =l1, *q <= y CS 5219 2010-11 by Abhik 44 Control constructs Abstraction scheme will be developed for Within a procedure Assignments Branches All other constructs can be represented by these Across procedures Formal parameter, Local variables, Return variables Procedure calls and returns Procedure Calls So far, abstraction of a single procedure Assignments (with aliasing) Branches (if-then-else, loops) Formal Parameters Local and global variables Return variables Use input/output contexts in procedure call/return in inter-procedural abstraction. CS 5219 2010-11 by Abhik 45 CS 5219 2010-11 by Abhik 46 Passing Parameters Take any formal parameter predicate b of R1 Void main() { int procedure(int *q, int y){ All predicates of r = procedure(p, x); } int l1, l2; return l1; } procedure : - y >= 0 -*q <= y -y= l1 Formal parameter preds. of procedure -y > l2 -y >= 0 -*q < = y CS 5219 2010-11 by Abhik 47 Passing Parameters Replace formals by actuals in b. y >= 0 is a formal parameter pred. After replacement, it becomes x >= 0 If F(b[formals actuals)) holds during procedure invocation of the boolean pgm, then pass true to the parameter b If F( b[formals actuals)) holds, then pass false to parameter b Otherwise, pass unknown. CS 5219 2010-11 by Abhik 48 8

Exercise Work out the boolean expressions passed to the two parameters of procedure in our example shown before Use the definition of the F operator given earlier and the abst. predicates given. CS 5219 2010-11 by Abhik 49 Procedure Returns If procedure S calls procedure R, and S1/R1 are abstractions of S/R b1,,bj bj are abstract ret. Vars of R1 Then S1 has j corresponding local boolean vars. which will be updated by call to R1. Do the local preds. in S need to be updated? YES CS 5219 2010-11 by Abhik 50 Procedure returns These local preds. of S can refer to Concrete Return var. for R Global Vars (along with other local vars) For each such pred b, again compute F(b) and F( b) to decide the value of b. The function F is computed w.r.t Set of abstraction preds (under the carpet Procedure returns To compute the effect of return from R into S (calling procedure), compute F w.r.t. Return predicates of R (Capture effect on global l vars/return vars/ref.) Predicates of S which do not need to be updated. An implicit partitioning of the preds of S!! Self Study: This portion in the reading. CS 5219 2010-11 by Abhik 51 CS 5219 2010-11 by Abhik 52 Reading(s) Automatic Predicate Abstraction of C Programs Ball, Majumdar, Millstein, Rajamani PLDI 2001. Also useful: Polymorphic Predicate Abstraction MSR Tech Rep. by same set of authors. Reading Exercise Currently, the predicates used for abstraction can only contain program variables. Is this a restriction? What about values returned by procedures and/or passed by parameters? Can we track such values by introducing new names? We can have preds like Ret_value_of_v = Passed_value_of_v + 1 CS 5219 2010-11 by Abhik 53 CS 5219 2010-11 by Abhik 54 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback