Bounded Model Checking Of C Programs: CBMC Tool Overview

Similar documents
Introduction to CBMC: Part 1

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Automated Test Generation using CBMC

Software Model Checking. Xiangyu Zhang

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Model Checking Embedded C Software using k-induction and Invariants

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

More on Verification and Model Checking

Bounded Model Checking. Mooly Sagiv Slides from Arie Gurfinkel & Sagar Chaki, Daniel Jackson, Shahar Maoz

Name :. Roll No. :... Invigilator s Signature : INTRODUCTION TO PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70

C Bounded Model Checker

Handling Loops in Bounded Model Checking of C Programs via k-induction

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Automatic Software Verification

Verifying C & C++ with ESBMC

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

CIS 890: Safety Critical Systems

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Software Model Checking. From Programs to Kripke Structures

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Type Conversion. and. Statements

CSI33 Data Structures

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

C2TLA+: A translator from C to TLA+

Program Verification. Aarti Gupta

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Software Engineering using Formal Methods

COS 320. Compiling Techniques

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

On Reasoning about Finite Sets in Software Checking

Constant-time programming in C

Low level security. Andrew Ruef

The Low-Level Bounded Model Checker LLBMC

Abstraction techniques for Floating-Point Arithmetic

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

The SMT-LIB 2 Standard: Overview and Proposed New Theories

Verification and Test with Model-Based Design

Having a BLAST with SLAM

Static program checking and verification

Symbolic Execution, Dynamic Analysis

Operational Semantics. One-Slide Summary. Lecture Outline

Quantifying Information Leaks in Software

Formal Specification and Verification

Static Analysis and Bugfinding

Software Engineering using Formal Methods

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Static Analysis in C/C++ code with Polyspace

: A Bounded Model Checking Tool to Verify Qt Applications

SAT-based Model Checking for C programs

Short Notes of CS201

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

CS201 - Introduction to Programming Glossary By

F-Soft: Software Verification Platform

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

BITCOIN MINING IN A SAT FRAMEWORK

1 Lexical Considerations

Lexical Considerations

Type Checking. Prof. James L. Frankel Harvard University

Symbolic and Concolic Execution of Programs

CS 510/13. Predicate Abstraction

AstréeA From Research To Industry

IBM Rational Rhapsody TestConductor Add On. Code Coverage Limitations

QUIZ. 1. Explain the meaning of the angle brackets in the declaration of v below:

Operational Semantics of Cool

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

C Code Verification based on the Extended Labeled Transition System Model

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao

Proving Properties of non-array Programs

Lecture 3 Notes Arrays

Lexical Considerations

Flow Control. CSC215 Lecture

Having a BLAST with SLAM

Symbolic Computation via Program Transformation

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Introduction to Programming Using Java (98-388)

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Aryan College. Fundamental of C Programming. Unit I: Q1. What will be the value of the following expression? (2017) A + 9

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

a data type is Types

Model Checking and Its Applications

C-LANGUAGE CURRICULAM

Applications of Formal Verification

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

CS 430 Spring Mike Lam, Professor. Data Types and Type Checking

Object Oriented Programming Exception Handling

Applications of Formal Verification

Transcription:

Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning www.cprover.org/cbmc/

Model Checking Given a model M of a system and a property P, check : if M P (M models P), P holds in M i.e. the system functions according to P. if M P (M doesn't model P), P doesn t hold in M, and a counterexample is produced, i.e. an execution of the system that does not satisfy P

Why Bounded Model Checking In general, there is a compromise to be made between the precision of the analysis and its decidability Precision Termination Soundness

Bounded Model Checking Given a model M of a system, a property P and a bound k (>0) Encode all executions of M of length k into a formula M k Encode all executions of M of length k that violate P into P k If (M k P k) is un-satisfiable then P holds in M of length k if (M k P k ) is satisfiable then P doesn t hold in M of length k, and a counterexample is produced

Simplified Safety Properties Array bounds (Buffer Overflows) Division by zero Pointer checks (i.e., NULL pointer dereference) Arithmetic overflow Custom assertions (i.e., assert (i > j) )

C Bounded Model Checker Assertion Proved Annotated C Program CBMC Out of Resources Unrolling Bound Counter Example CBMC Developed and Maintained by Dr Daniel Kröning www.cprover.org/cbmc/

Use Cases Verification of operating systems Verification of Linux device drivers Equivalence Checking (Code Generators / Translation Validation / FBD -> C) Runtime Verification, Reachability Verification Model Based testing WCET analysis. www.cprover.org/cbmc/applications

CBMC Architecture C Program C Parser Type Checking Symbolic Execution Static Analysis and Instrumentation Goto Program Verification Conditions SAT/SMT Solver Counter Example Analysis

CBMC Simplifications and Transformations Removal of side effects Transforming all explicit loops into while loops All non-linear control flow is replaced by guarded goto. Generates one CBMC goto Program per function Performs light weight static analysis to resolve function pointers. Implicit assertions are introduced.

Goto Program int main() int a,size; a =2; SIZE = 8; int i, sn=0; for(i=size; i>=0; i--) if (i<6) sn = sn + a; assert(sn<=size*a); main /* main */ signed int a; signed int SIZE; a = 2; SIZE = 8; signed int i; signed int sn; sn = 0; i = SIZE; 1: IF!(i >= 0) THEN GOTO 3 IF!(i < 6) THEN GOTO 2 sn = sn + a; 2: i = i - 1; GOTO 1 3: ASSERT sn <= SIZE * a IF!(sn <= SIZE * a) THEN GOTO 4 4: dead sn; dead i; dead SIZE; dead a; main#return_value = NONDET(signed int); END_FUNCTION

Generation of Verification Conditions int a; int b = 10,c = 3; if( a>3) b = c +3; else c = b -7; assert(b == 10 b ==6) b1 = 10 c1 = 3 \guard1 = a1 >=4 b2= c1 + 3 c2 = c1 c3 = b1 7 b3 = b1 b4 = (\guard1? b2: b3) c4= (\guard1? c3:c2) ============= b5 ==10 b5 == 6

int choice; if(choice > 0) switch (choice%4) case 0: c = a+b; break; case 1: c= a-b; break; case 2: c = a*b; break; case 3: c = a/b; break; default: assert(0); c = 0; break; Paths choice > 0 choice % 4 0 choice % 4 1 choice % 4 2 choice % 4 3 c = a+b c = a -b c = a *b c = a /b Case 0 Choice %4! = 0 Case 1 Choice %4! = 1 Case 2 Choice %4! = 2 Case 3 Choice %4! = 3 Exit c = 0 default

Loops while( some condition holds) do something here int a, b; while(a < b) a = a+1;

Loop Unrolling if( some condition holds) do something here while( same condition holds) do same thing here

Unwinding Assertions if( some condition holds) do something here if( same condition holds) do same thing here while( same condition holds) do same thing here if( some condition holds) do something here if( same condition holds) do same thing here while( same condition holds) do same thing here assume(!cond) if( some condition holds) do something here if( same condition holds) do same thing here while( same condition holds) do same thing here assert (!cond)

int a, b; if(a < b) a = a+1; while(a < b) a = a+1; int a, b; if(a < b) a = a+1; if(a < b) a = a+1; while(a< b) a = a+1; int a, b; if(a < b) a = a+1; if(a < b) a = a+1; if(a<b) a = a+1; assume(a >= b)

Assumptions and Assertions The CPROVER_assume statement restricts the program traces that are considered and allows assume-guarantee reasoning. The CPROVER_assert statement aborts the program successfully if the condition evaluates to false. int onetoten () int value=nondetint(); CPROVER_assume ( value>=1 && value <=10); return value ; value!0@1#2 == nondet_symbol(symex::nondet0) value!0@1#2 >= 1 &&!(value!0@1#2 >= 11) onetoten#return_value!0#1 == value!0@1#2 a!0@1#2 == onetoten#return_value!0#1 -------------------------- 1 a!0@1#2 >= 1 &&!(a!0@1#2 >= 11)

CBMC Checks Bounds check Div by Zero checks Pointer Checks Memory Leak checks Unsigned Overflows Float overflows Nans Signed Overflow Checks

Supported Language Features: Arithmetic Operators Supports all ANSI-C Boolean operators on scalar variables Support all integer and floating arithmetic operators on scalar variables Full support for arithmetic type casts Different rounding modes are currently not supported CBMC allows to model user-input by means of non-deterministic choice functions.

Supported Features: Arrays Arrays are encoded with the WITH and [] operators. Can be mapped to store and select Operators in theory of arrays i = 0; x[i] = j; p = x[i] + k; q = j+k; i2 =0 x2 = x1 WITH [0 l := j1] p2 = x2[i1 l ] + k1 q2 = j1 +k1

Supported Features: Pointers Exact points-to analysis is performed. if(d ==0) x = &a; else x= &b; *x = c; \guard1 = (d1 == 0) x2 = &a1 x3 = x1 x4 = &b1 x5 = \guard1? &a1 : &b1 b2 = (x5 == &b1)? c1: b1 a2 = (x5 == &b1)? a1: c1

Supported Features: Structures Structures are handled as aggregate data structures like arrays p = &y if(choice ==1) p->a[1] = 1; p->b = c ; else p->a[1] = 1; p->b = c ; p2 = &y1 \gaurd1 = (choice1 == 1) y2 = y1 WITH [.a:=y1.a WITH [1l = 1]] y3 = y2 WITH [.b = c ] y4 = y1 y5 = y4 WITH [.a = y4.a WITH [1l = 2]] y6 = y5 WITH [.b = c ] y7 = \guard1? y3 : y6

Supported Features: Unions Unions are allowed in CBMC, but access to elements of the unions is not allowed across fields. Access to a field is permitted if only it was the field last updated. union myunion char a[2]; int b; ; union myunion mu; mu.a[0]= 0; mu.a[1] = 3; k = mu.b; assert(k ==3); -12 mu!0@1#2 == byte_update_little_endian(mu!0@1#1, 0l, 0, char) -13 mu!0@1#3 == byte_update_little_endian(mu!0@1#2, 1l, 3, char) -14 k!0@1#2 == byte_extract_little_endian(mu!0@1#3, 0l, signed int) -------------------------- 1 k!0@1#2 == 3

Trace for main.assertion.1: ---------------------------------------------------- mu=.a= 0, 3 ( 00000000, 00000011 ) State 21 file /home/prateek/workspace/workshop/examples/union.c line 17 function main thread 0 ---------------------------------------------------- k=0 (00000000000000000000000000000000) State 22 file /home/prateek/workspace/workshop/examples/union.c line 18 function main thread 0 ---------------------------------------------------- k=768 (00000000000000000000001100000000) Violated property: file /home/prateek/workspace/workshop/examples/union.c line 19 function main assertion k ==3 k == 3

mu=.a= 0, 3 ( 00000000, 00000011 ) State 21 file /home/prateek/workspace/workshop/examples/union.c line 17 function main thread 0 ---------------------------------------------------- k=0 (00000000000000000000000000000000) State 22 file /home/prateek/workspace/workshop/examples/union.c line 18 function main thread 0 ---------------------------------------------------- k=536871680 (00100000000000000000001100000000) Violated property: file /home/prateek/workspace/workshop/examples/union.c line 19 function main assertion k ==768 k == 768

Function Calls Support functions by in-lining. Preserves the locality of the parameters and the non-static local variables by renaming. Supports Recursion by finite unwinding

Other Supported Features Test case generation: CBMC can be used to automatically generate test cases following a certain code coverage criterion. 1. MC/DC 2. Decision Coverage 3. Branch 4. Path

Test Case Generation contd int foo(int a,int b, int c) int d; if (a > 12 && b < 45) if (c > 4) d =1; else d = 2; else d = 3; return d;./cbmc simple_test_case.c --cover mcdc --function foo ** 11 of 11 covered (100.0%) ** Used 5 iterations Test suite: a=13, b=45, c=-2147483644 a=-2147483636, b=45, c=-2147483644 a=-2147483636, b=-2147483634, c=-2147483644 a=13, b=-2147483634, c=5 a=13, b=-2147483634, c=-2147483644

Supported features CBMC has support for concurrency. Supports various memory models: SC, PSO, TSO void* foo(void *arg) CPROVER_atomic_begin(); ++i; CPROVER_atomic_end(); return 0;./cbmc --mm sc thread_example.c --trace int i=0; int main() pthread_t th1, th2; pthread_create(&th1, 0, foo, 0); pthread_create(&th2, 0, foo, 0); pthread_join(th1, 0); pthread_join(th2, 0); assert(i==1); assert(i==2); ** Results: [main.assertion.1] assertion i==1: FAILURE [main.assertion.2] assertion i==2: SUCCESS ** 1 of 2 failed (2 iterations) VERIFICATION FAILED

References CBMC C Bounded Model Checker, Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2014 Daniel Kroening et al CBMC Ver 1.0 Slides by Daniel Kroenig CBMC CMU Website: www.cprover.org/cbmc Introduction to CBMC Arie Gurfinkel, December 5, 2011 Rui Goncalo : Automated test Generation using CBMC Ajith K J: VBMC - A VHDL bounded Model Checker, Feb 20, 2017

Thank you.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback