Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.

Slides:



Advertisements
Similar presentations
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Advertisements

Exploiting SAT solvers in unbounded model checking
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
Verification of Functional Programs in Scala Philippe Suter (joint work w/ Ali Sinan Köksal and Viktor Kuncak) ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE,
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
D IAGNOSING A BSTRACTION F AILURE IN S EPARATION L OGIC - BASED A NALYSES Arlen Cox Josh Berdine Samin Ishtiaq Christoph Wintersteiger.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Yeting Ge Leonardo de Moura New York University Microsoft Research.
1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Completeness and Complexity of Bounded Model Checking.
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.
7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.
Properties Incompleteness Evaluation by Functional Verification IEEE TRANSACTIONS ON COMPUTERS, VOL. 56, NO. 4, APRIL
SAT-Based Model Checking Without Unrolling Aaron R. Bradley.
Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science.
This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
R-Verify: Deep Checking of Embedded Code James Ezick † Donald Nguyen † Richard Lethin † Rick Pancoast* (†) Reservoir Labs (*) Lockheed Martin The Eleventh.
Logic Engines as a Service Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
SS 2017 Software Verification Bounded Model Checking, Outlook
Model Checking Java Programs (Java PathFinder)
Symbolic Execution Suman Jana
Solving Linear Arithmetic with SAT-based MC
Scalability in Model Checking
Predicate Abstraction
SAT Based Abstraction/Refinement in Model-Checking
Presentation transcript:

Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger

SLA YER Abstraction-based Static Analyzer Uses Separation Logic Proves Memory Safety of Heap Manipulating Programs  Shape Analysis Abstraction-based Static Analyzer Abstract Counterexamples Failure to prove does not imply that a bug has been found Even if the bug is real, the counterexample is still abstract 2

SLA YER Results UNSAFE? SAFE UNSAFE UNSAFE? SAFE 3

Concrete Counterexamples If unsafe, return a set of inputs causing failure – Program inputs – Nondeterministic assignments Established Techniques – Symbolic Execution (Sage, KLEE) – Bounded Model Checking (CBMC) 4

Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 5

Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 6

Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 7

Symbolic Execution l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 8

Symbolic Execution Heuristics guide the search Whole paths are checked before checking other paths No guarantees any particular bug will be found 9

Bounded Model Checking l := 0 l := *(l+next) return t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 10

Bounded Model Checking l := 0 11

Bounded Model Checking l := 0 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 12

Bounded Model Checking l := 0 l := *(l+next) t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 13 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t

Bounded Model Checking l := 0 l := *(l+next) t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t 14 t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t t := alloc(2) *(t+next) := l l := t l := *(l+next) return

Bounded Model Checking Complete search up to some depth Searching all branches may be time consuming Depth of search may be insufficient Use failed separation logic proof to prune branches 15

BMC on Abstract Counterexample Perform BMC on abstract counterexample, unrolling loops Prune any states that are not on a path to error Use state constraints to restrict search (would work for symbolic execution as well) Abstract State S (constraints) Abstract State S’ (constraints) Program Statements 16 Program Statements

Abstract Counterexample 17 t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0

Abstract Counterexample 18 t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0

Practicalities Use Z3 to perform BMC Z3 doesn’t understand separation logic – Weaken formulas to first order A different way of encoding BMC – Make Z3 do all of the work – No iteration: give Z3 a single problem 19

Prune and Weaken 20 emp true ERROR t := alloc(2) *(t+next) := l l := t l := *(l+next) l := 0 First-order sub-formula

BMC Safety Violations Satisfiable – Array/Structure out of bounds – Access unallocated memory/NULL – Double free – Free of incorrect memory Unsatisfiable – No violation within bounds Heap size Unrolling limit 21

Precise Word-Level Memory Model 22 0 Heap Alloc Size

Precise Word-Level Memory Model 23 0 Heap Alloc Size 0 x 3 x 0 x alloc(3)

Precise Word-Level Memory Model 24 0 Heap Alloc Size 0 x 3 x 0 17 x *4 =

Precise Word-Level Memory Model 25 0 Heap Alloc Size free(2)

Encoding – High Level 26 Use UFBV logic: Quantified bit-vectors with uninterpreted functions

Initial state 27

Transition 28

Encode Step whole basic block – Eliminates quantifiers based on structure of program Use state in encoder – Maximize structure sharing – Reduce quantifiers and uninterpreted functions 29

Encode – Threading State 30 Initialize State Initialize State Encode Stmt Encode Stmt To Error Encode Stmt Encode Stmt To Error Encode Stmt Encode Stmt To Error Store State To Successor Store State To Successor …

Encode - alloc 31

Encode - store 32

Process Summary 33 C Program Separation Logic Analysis BMC Encoder Z3 SAFE UNSAFE + COUNTEREXAMPLE UNSAFE? SMT-LIB Abstract Transition System UNSAT SAT SLA YER

Performance Equivalent to SLA YER on sample problems Problems like example < 0.5s Scalability unknown Not competitive with Sage or KLEE – Z3 could match or beat Sage or KLEE, though. 34

Z3 Pain Relief 35

QUESTIONS? 36

©2011 Microsoft Corporation. All rights reserved.

Array theory? 38

Encoding a basic block 39

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.