Presentation is loading. Please wait.

Presentation is loading. Please wait.

Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger."— Presentation transcript:

1 Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger

2 SLA YER Abstraction-based Static Analyzer Uses Separation Logic Proves Memory Safety of Heap Manipulating Programs  Shape Analysis Abstraction-based Static Analyzer Abstract Counterexamples Failure to prove does not imply that a bug has been found Even if the bug is real, the counterexample is still abstract 2

3 SLA YER Results UNSAFE? SAFE UNSAFE UNSAFE? SAFE 3

4 Concrete Counterexamples If unsafe, return a set of inputs causing failure – Program inputs – Nondeterministic assignments Established Techniques – Symbolic Execution (Sage, KLEE) – Bounded Model Checking (CBMC) 4

5 Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 5

6 Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 6

7 Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 7

8 Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 8

9 Symbolic Execution Heuristics guide the search Whole paths are checked before checking other paths No guarantees any particular bug will be found 9

10 Bounded Model Checking l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 10

11 Bounded Model Checking l := 0 11

12 Bounded Model Checking l := 0 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 12

13 Bounded Model Checking l := 0 l := *(l+next) t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 13 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t

14 Bounded Model Checking l := 0 l := *(l+next) t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 14 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t l := *(l+next) return

15 Bounded Model Checking Complete search up to some depth Searching all branches may be time consuming Depth of search may be insufficient Use failed separation logic proof to prune branches 15

16 BMC on Abstract Counterexample Perform BMC on abstract counterexample, unrolling loops Prune any states that are not on a path to error Use state constraints to restrict search (would work for symbolic execution as well) Abstract State S (constraints) Abstract State S’ (constraints) Program Statements 16 Program Statements

17 Abstract Counterexample 17 t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0

18 Abstract Counterexample 18 t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0

19 Practicalities Use Z3 to perform BMC Z3 doesn’t understand separation logic – Weaken formulas to first order A different way of encoding BMC – Make Z3 do all of the work – No iteration: give Z3 a single problem 19

20 Prune and Weaken 20 emp true ERROR t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0 First-order sub-formula

21 BMC Safety Violations Satisfiable – Array/Structure out of bounds – Access unallocated memory/NULL – Double free – Free of incorrect memory Unsatisfiable – No violation within bounds Heap size Unrolling limit 21

22 Precise Word-Level Memory Model 22 0 Heap Alloc Size 000000000 0123456789

23 Precise Word-Level Memory Model 23 0 Heap Alloc Size 0 x 3 x 0 x 000000 alloc(3) 0123456789

24 Precise Word-Level Memory Model 24 0 Heap Alloc Size 0 x 3 x 0 17 x 000000 *4 = 17 0123456789

25 Precise Word-Level Memory Model 25 0 Heap Alloc Size 000 17 000000 free(2) 0123456789

26 Encoding – High Level 26 Use UFBV logic: Quantified bit-vectors with uninterpreted functions

27 Initial state 27

28 Transition 28

29 Encode Step whole basic block – Eliminates quantifiers based on structure of program Use state in encoder – Maximize structure sharing – Reduce quantifiers and uninterpreted functions 29

30 Encode – Threading State 30 Initialize State Initialize State Encode Stmt Encode Stmt To Error Encode Stmt Encode Stmt To Error Encode Stmt Encode Stmt To Error Store State To Successor Store State To Successor …

31 Encode - alloc 31

32 Encode - store 32

33 Process Summary 33 C Program Separation Logic Analysis BMC Encoder Z3 SAFE UNSAFE + COUNTEREXAMPLE UNSAFE? SMT-LIB Abstract Transition System UNSAT SAT SLA YER

34 Performance Equivalent to SLA YER on sample problems Problems like example < 0.5s Scalability unknown Not competitive with Sage or KLEE – Z3 could match or beat Sage or KLEE, though. 34

35 Z3 Pain Relief 35

36 QUESTIONS? 36

37 ©2011 Microsoft Corporation. All rights reserved.

38 Array theory? 38

39 Encoding a basic block 39

Download ppt "Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering

50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:

Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,

Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

Similar presentations

Ads by Google