Building SMT-based Software Model Checkers: an Experience Report



Similar documents
Building SMT-based Software Model Checkers: an Experience Report

Model Checking: An Introduction

Formal Specification and Verification

Coverability for Parallel Programs

Static Program Transformations for Efficient Software Model Checking

The Course.

InvGen: An Efficient Invariant Generator

Model Checking of Global Power Management Strategies in Software with Temporal Logic Properties

µz An Efficient Engine for Fixed points with Constraints

Software safety - DEF-STAN 00-55

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

Regression Verification: Status Report

npsolver A SAT Based Solver for Optimization Problems

Model Checking of Software

Software Verification: Infinite-State Model Checking and Static Program

Formal Verification by Model Checking

Automatic Verification by Abstract Interpretation

FoREnSiC An Automatic Debugging Environment for C Programs

CORRECTNESS of computer systems is critical in today s

Scalable Hybrid Verification for Embedded Software

Introduction to Static Analysis for Assurance

Automated Theorem Proving - summary of lecture 1

Automated Quantitative Software Verification

Verifying Refutations with Extended Resolution

Extending Semantic Resolution via Automated Model Building: applications

Interactive Software Verification

Table-based Software Designs: Bounded Model Checking and Counterexample Tracking

The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge,

Formal Verification of Software

2 Temporal Logic Model Checking

Techniques and Tools for Rich Internet Applications Testing

COMPUTER SCIENCE. FACULTY: Jennifer Bowen, Chair Denise Byrnes, Associate Chair Sofia Visa

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

Model Checking based Software Verification

CS Master Level Courses and Areas COURSE DESCRIPTIONS. CSCI 521 Real-Time Systems. CSCI 522 High Performance Computing

Automated Program Behavior Analysis

Foundational Proof Certificates

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

UnitCheck: Unit Testing and Model Checking Combined

Analysis of Boolean Programs

The ProB Animator and Model Checker for B

Verification of Imperative Programs in Theorema

Rigorous Software Engineering Hoare Logic and Design by Contracts

The software model checker BLAST

Prerequisite: High School Chemistry.

Specification and Analysis of Contracts Lecture 1 Introduction

The Model Checker SPIN

Northeast Blackout of 2003

PREDICATE GENERATION FOR LEARNING-BASED QUANTIFIER-FREE LOOP INVARIANT INFERENCE

Checking MTL Properties of Discrete Timed Automata via Bounded Model Checking

An Integrated Data Model Verifier with Property Templates

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

One More Decidable Class of Finitely Ground Programs

CSC148 Lecture 8. Algorithm Analysis Binary Search Sorting

Incremental Analysis of Evolving Administrative Role Based Access Control Policies

Automated Detection of Non-Termination and NullPointerExceptions for Java Bytecode

Boogie: A Modular Reusable Verifier for Object-Oriented Programs

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Software Verification/Validation Methods and Tools... or Practical Formal Methods

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Minimum Satisfying Assignments for SMT

FORMALLY CERTIFIED SATISFIABILITY SOLVING. Duck Ki Oe. An Abstract

AMONG the various storage platforms available, flash

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

50 Computer Science MI-SG-FLD050-02

Pushing the Envelope of Optimization Modulo Theories with Linear-Arithmetic Cost Functions

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Theory of Automated Reasoning An Introduction. Antti-Juhani Kaijanaho

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Chapter 7 Uncomputability

Division of Mathematical Sciences

The Software Model Checker BLAST: Applications to Software Engineering

Summary of Dagstuhl Seminar on Directed Model Checking

Great Theoretical Ideas in Computer Science

How To Prove That A Program Is Terminating

6.080/6.089 GITCS Feb 12, Lecture 3

SAT-based Model-Checking of Security Protocols. Luca Compagna

Proving the Correctness of Pipelined Micro-Architectures

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Proving Non-termination Using Max-SMT

Two Flavors in Automated Software Repair: Rigid Repair and Plastic Repair

Learning is a very general term denoting the way in which agents:

ML for the Working Programmer

UFO: Verification with Interpolants and Abstract Interpretation

KEEP THIS COPY FOR REPRODUCTION PURPOSES. I ~~~~~Final Report

STATUS REPORT ON MAUDE-NPA TOOL

Data Model Bugs. Ivan Bocić and Tevfik Bultan

IMPROVING PERFORMANCE OF RANDOMIZED SIGNATURE SORT USING HASHING AND BITWISE OPERATORS

Electronic Voting Protocol Analysis with the Inductive Method

Testing LTL Formula Translation into Büchi Automata

Testing Decision Procedures for Security-by-Contract

Curriculum Vitae. Alessandro Armando. November 2014

Certification Authorities Software Team (CAST) Position Paper CAST-13

Algebraic Computation Models. Algebraic Computation Models

School of Computer Science

A Decision Procedure for Bit-Vectors and Arrays

The Road from Software Testing to Theorem Proving

Lemmas on Demand for Lambdas

Transcription:

Building SMT-based Software Model Checkers: an Experience Report Alessandro Armando Artificial Intelligence Laboratory (AI-Lab) Dipartimento di Informatica Sistemistica e Telematica (DIST) University of Genova FroCoS 2009 Trento, September 18, 2009 Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 1 / 61

Outline 1 Introduction 2 Bounded Model Checking of Software 3 CounterExample-Guided Abstraction Refinement Predicate Abstraction Array Abstraction 4 Conclusions Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 2 / 61

Software Model Checking Fully automatic technique for reasoning about programs Confluence of techniques from different fields: Model checking Program analysis Automated theorem proving Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 3 / 61

Model Checking Algorithmic exploration of state space of the system Several advances in the past decade: symbolic model checking, symmetry reductions, partial order reductions, bounded model checking using SAT solvers Used by HW companies in the validation cycle Strengths Rich property languages Provides counterexamples Weaknesses Mostly limited to finite state systems (but, extensions to infinite state systems exist) Operates only on models, but how do you get the model? Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 4 / 61

Model Checking Algorithmic exploration of state space of the system Several advances in the past decade: symbolic model checking, symmetry reductions, partial order reductions, bounded model checking using SAT solvers Used by HW companies in the validation cycle Strengths Rich property languages Provides counterexamples Weaknesses Mostly limited to finite state systems (but, extensions to infinite state systems exist) Operates only on models, but how do you get the model? Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 4 / 61

Program Analysis Originated in optimizing compilers: constant propagation, live variable analysis, dead code elimination, loop index optimization. Strengths Works on code Precision efficiency tradeoffs well studied Pointer aware Weaknesses Abstraction hardwired Property hardwired Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 5 / 61

Automated Theorem Proving Strengths Handles unbounded domains naturally Good satisfiability procedures for equality with uninterpreted function symbols linear arithmetics theory of arrays the combination of the above Good integration of satisfiability procedures with modern SAT-solvers Weaknesses Hard to compute fixpoints Requires inductive invariants Pre and post conditions Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 6 / 61

Model Checking, Program Analysis and Automated Theorem Proving Very related to each other Different histories different emphasis different tradeoffs Complementary, in some ways Combination can be extremely powerful Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 7 / 61

Experimental results - Safe Instances Benchmark EUREKA BLAST SATABS total N time refined/total array elems N total ref. time N time total time STRING COPY 1000 127.89 1/2N Incorrect 10 105.98 144.69 STRING COMPARE 1000 28.62 2/2N Incorrect 9 210.619 296.20 GRAY CODE 60 62.75 16/28 Incorrect Inconclusive PARTITION 40 108.23 1/N Incorrect Inconclusive BUBBLE SORT 9 77.67 N/N Incorrect 2 24.39 30.42 INSERTION SORT 16 60.86 N/N Incorrect 2 51.43 74.74 SELECTION SORT 9 64.20 N/N Incorrect 2 75.53 115.86 TCAS 129.64 1/4 Incorrect 11.29 32.42 FIBONACCI 1000 6.91 0/0 24 5.68 1000 1.24 2.21 BRESENHAM 1000 16.84 0/0 Error 1000 71.15 83.16 SWAP 1000 2.40 0/0 24 5.33 64 8.25 109.44 Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 56 / 61

Experimental results - Unsafe Instances Benchmark EUREKA BLAST SATABS total N time refined/total total ref. array elems N time N time total time STRING COPY 1000 73.70 0/2N 100 167.98 21 724.40 819.77 STRING COMPARE 1000 15.07 0/2N 100 435.26 12 292.19 348.19 GRAY CODE 1000 1.70 12/28 1000 7.62 Inconclusive PARTITION 1000 61.42 0/N 10 214.31 21 127.91 186.63 BUBBLE SORT 50 26.19 0/N 15 395.38 7 327.33 460.76 INSERTION SORT 100 190.74 0/N 20 316.00 5 131.58 270.64 SELECTION SORT 500 41.15 0/N 20 506.81 7 101.97 291.20 TCAS 2.96 1/4 3.58 1.16 4.86 FIBONACCI 1000 7.01 0/0 25 5.29 20 444.31 533.99 BRESENHAM 1000 0.74 0/0 Error 2 263.09 287.70 SWAP 1000 5.73 0/0 1000 16.79 1000 4.74 136.43 Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 57 / 61

Outline 1 Introduction 2 Bounded Model Checking of Software 3 CounterExample-Guided Abstraction Refinement Predicate Abstraction Array Abstraction 4 Conclusions Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 58 / 61

Summing up Bounded Model Checking of Software Encoding into a SMT instead of SAT leads to considerable savings This allows us to analyse programs more deeply (w.r.t. the bound) than SAT-based tools whose encoding depend on the size of data structures like arrays. CEGAR with Predicate Abstraction Good on programs that manipulate simple data structures Improvements are being put forward CEGAR with Array Abstraction Linear Programs are a new, useful target of abstraction that natively supports analysis of complex correlations between variables. Tight interplay between model checker and decision procedure via proof transformation. Superior to state-of-the-art SW model checkers on many programs of interest. Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 59 / 61

Challanges and Opportunities Bounded Model Checking of Software New challange testbed for SMT-solvers (SMT-LIB, SMT-COMP) First results are encouraging but competition with SAT-based approaches is fierce. CEGAR with Predicate Abstraction Extracting interpolants from proofs is very useful to get better refinements, cf. work by McMillan on Interpolating Theorem Prover [McM05] CEGAR with Array Abstraction Devise new abstraction/refinement mechanisms to support model checking of programs that manipulate other data structures (e.g. dynamic data structures) Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 60 / 61

Acknowledgements The work presened would not have been possible without the countribution of the following people: Jacopo Mantovani: Array Abstraction, design and development of Eureka, Bounded Model Checking of SW Massimo Benerecetti: Array Abstraction, design of Eureka Lorenzo Platania: Bounded Model Checking of SW, design and development of SMT-CBMC Dario Carotenuto and Pasquale Spica: development of Eureka Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 61 / 61

References Alessandro Armando, Jacopo Mantovani, and Lorenzo Platania. Bounded model checking of software using SMT solvers instead of SAT solvers. In Antti Valmari, editor, SPIN, volume 3925 of Lecture Notes in Computer Science, pages 146 162. Springer, 2006. Armin Biere, Alessandro Cimatti, Edmund M. Clarke, and Yunshan Zhu. Symbolic model checking without BDDs. In Rance Cleaveland, editor, Proceedings of TACAS (Tools and Algorithms for Construction and Analysis of Systems), volume 1579 of Lecture Notes in Computer Science, pages 193 207. Springer, 1999. Daniel Kroening, Edmund Clarke, and Karen Yorav. Behavioral consistency of C and Verilog programs using bounded model checking. In Proceedings of DAC03, pages 368 371. ACM Press, 2003. McMillan. An interpolating theorem prover. TCS: Theoretical Computer Science, 345, 2005. Sriram Rajamani. SLAM: Software model checking from theory to practice. Invited Talk at APSSEM II Workshop, 2004. Alessandro Armando (U. Genova) Building SMT-based SW Model Checkers FroCoS 2009 61 / 61

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information