© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel,

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
Satisfiability Modulo Theories (An introduction)
The University of Adelaide, School of Computer Science
Programming Languages and Paradigms The C Programming Language.
1 Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
© 2012 Carnegie Mellon University Introduction to CBMC Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel November.
Pointer applications. Arrays and pointers Name of an array is a pointer constant to the first element whose value cannot be changed Address and name refer.
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Honors Compilers An Introduction to Algol-68S Jan 24 th 2002.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Lab Session-III CSIT-120 Spring 2001 Revising Previous session Data input and output While loop Exercise Limits and Bounds GOTO SLIDE 13 Lab session.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
Daniel Kroening and Ofer Strichman Decision Procedure
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Pointers (Continuation) 1. Data Pointer A pointer is a programming language data type whose value refers directly to ("points to") another value stored.
C++ / G4MICE Course Session 3 Introduction to Classes Pointers and References Makefiles Standard Template Library.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.
COMP26120: Algorithms and Imperative Programming Lecture 3: Control flow Information representation (part I)
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
EE4E. C++ Programming Lecture 1 From C to C++. Contents Introduction Introduction Variables Variables Pointers and references Pointers and references.
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 12: Pointers continued, C strings.
Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.
Pointers OVERVIEW.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
Static Program Analyses of DSP Software Systems Ramakrishnan Venkitaraman and Gopal Gupta.
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe GBO Presentation 9/30/2013 The Johns Hopkins University.
Design Issues. How to parallelize  Task decomposition  Data decomposition  Dataflow decomposition Jaruloj Chongstitvatana 2 Parallel Programming: Parallelization.
Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.
Computer Organization and Design Pointers, Arrays and Strings in C Montek Singh Sep 18, 2015 Lab 5 supplement.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Refactoring1 Improving the structure of existing code.
Chapter 1 Java Programming Review. Introduction Java is platform-independent, meaning that you can write a program once and run it anywhere. Java programs.
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Lucas Bang Lecture 11: Pointers.
1 Linked List. 2 List A list refers to a sequence of data items  Example: An array The array index is used for accessing and manipulation of array elements.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Chapter 15 Running Time Analysis. Topics Orders of Magnitude and Big-Oh Notation Running Time Analysis of Algorithms –Counting Statements –Evaluating.
LINKED LISTS.
C++ for Engineers and Scientists Second Edition Chapter 12 Pointers.
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
SAT for Software Model Checking Introduction to SAT-problem for newbie
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Code Optimization Code produced by compilation algorithms can often be improved (ideally optimized) in terms of run-time speed and the amount of memory.
Stack and Heap Memory Stack resident variables include:
SS 2017 Software Verification Bounded Model Checking, Outlook
Software Model Checking
Introduction to Software Verification
Secure Coding Rules for C++ Copyright © Curt Hill
Chapter 7 Additional Control Structures
Over-Approximating Boolean Programs with Unbounded Thread Creation
Pointers.
NASA Secure Coding Rules
Programming Languages and Paradigms
Presentation transcript:

© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening

2 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use a SAT-solver to find whether there exists an execution that violates the claim. Program Claim Analysis Engine SAT Solver UNSAT (no counterexample found) SAT (counterexample exists) CNF

3 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Programs and Claims Arbitrary ANSI-C programs With bitvector arithmetic, dynamic memory, pointers, … Simple Safety Claims Array bound checks (i.e., buffer overflow) Division by zero Pointer checks (i.e., NULL pointer dereference) Arithmetic overflow User supplied assertions (i.e., assert (i > j) ) etc

4 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Why use a SAT Solver? SAT Solvers are very efficient Analysis is completely automated Analysis as good as the underlying SAT solver Allows support for many features of a programming language bitwise operations, pointer arithmetic, dynamic memory, type casts

5 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Decision Procedures An algorithmic point of view 5 SAT made some progress…

6 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University A (very) simple example (1) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 ProgramConstraints UNSAT no counterexample assertion always holds!

7 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University A (very) simple example (2) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 ProgramConstraints SAT counterexample found! y = 8, x = 1, w = 0, z = 7

8 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University What about loops?! SAT Solver can only explore finite length executions! Loops must be bounded (i.e., the analysis is incomplete) Program Claim Analysis Engine SAT Solver UNSAT (no counterexample of bound n is found) SAT (counterexample exists) CNF Bound (n)

9 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University CBMC: C Bounded Model Checker Developed at CMU by Daniel Kroening et al. Available at: Supported platfoms: Windows (requires VisualStudio’s` CL), Linux Provides a command line and Eclipse-based interfaces Known to scale to programs with over 30K LOC Was used to find previously unknown bugs in MS Windows device drivers

10 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University CBMC: Supported Language Features ANSI-C is a low level language, not meant for verification but for efficiency Complex language features, such as Bit vector operators (shifting, and, or,…) Pointers, pointer arithmetic Dynamic memory allocation: malloc/free Dynamic data types: char s[n] Side effects float / double Non-determinism

© 2006 Carnegie Mellon University Introduction to CBMC: Part 2 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening

12 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University How does it work 1. Simplify control flow 2. Convert into Single Static Assignment (SSA) 3. Convert into equations 4. Unwind loops 5. Bit-blast 6. Solve with a SAT Solver 7. Convert SAT assignment into a counterexample

13 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Control Flow Simplifications All side effect are removal e.g., j=i++ becomes j=i;i=i+1 Control Flow is made explicit continue, break replaced by goto All loops are simplified into one form for, do while replaced by while

14 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Transforming Loop-Free Programs Into Equations (1) Easy to transform when every variable is only assigned once! x = a; y = x + 1; z = y – 1; x = a; y = x + 1; z = y – 1; ProgramConstraints x = a && y = x + 1 && z = y – 1 && x = a && y = x + 1 && z = y – 1 &&

15 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Transforming Loop-Free Programs Into Equations (2) When a variable is assigned multiple times, use a new variable for the RHS of each assignment ProgramSSA Program

16 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University What about conditionals? ProgramSSA Program if (v) x = y; x = y;else x = z; x = z; w = x; if (v) x = y; x = y;else x = z; x = z; w = x; if (v 0 ) x 0 = y 0 ; x 0 = y 0 ;else x 1 = z 0 ; x 1 = z 0 ; w 1 = x?? ; if (v 0 ) x 0 = y 0 ; x 0 = y 0 ;else x 1 = z 0 ; x 1 = z 0 ; w 1 = x?? ; What should ‘x’ be?

17 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University What about conditionals? For each join point, add new variables with selectors ProgramSSA Program if (v) x = y; x = y;else x = z; x = z; w = x; if (v) x = y; x = y;else x = z; x = z; w = x; if (v 0 ) x 0 = y 0; x 0 = y 0;else x 1 = z 0; x 1 = z 0; x 2 = v 0 ? x 0 : x 1 ; w 1 = x 2 if (v 0 ) x 0 = y 0; x 0 = y 0;else x 1 = z 0; x 1 = z 0; x 2 = v 0 ? x 0 : x 1 ; w 1 = x 2

18 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Adding Unbounded Arrays Arrays are updated “whole array” at a time A[1] = 5; A[2] = 10; A[k] = 20; A 1 =λ i : i == 1 ? 5 : A 0 [i] A 2 =λ i : i == 2 ? 10 : A 1 [i] A 3 =λ i : i == k ? 20 : A 2 [i] Examples: A 2 [2] == ??A 2 [1]==?? A 2 [3] == ?? A 3 [2] == ??

19 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Example

20 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Pointers While unwinding, record right hand side of assignments to pointers This results in very precise points-to information Separate for each pointer Separate for each instance of each program location Dereferencing operations are expanded into case-split on pointer object (not: offset) Generate assertions on offset and on type Pointer data type assumed to be part of bit-vector logic Consists of pair

21 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Pointer Typecast Example void *p; int i; int c; int main (void) { int input1, intput2, z; int input1, intput2, z; p = input1 ? (void*)&i : (void*) &c; p = input1 ? (void*)&i : (void*) &c; if (input2) if (input2) z = *(int*)p; z = *(int*)p; else else z = *(char*)p; } z = *(char*)p; } void *p; int i; int c; int main (void) { int input1, intput2, z; int input1, intput2, z; p = input1 ? (void*)&i : (void*) &c; p = input1 ? (void*)&i : (void*) &c; if (input2) if (input2) z = *(int*)p; z = *(int*)p; else else z = *(char*)p; } z = *(char*)p; }

22 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Dynamic Objects Dynamic Objects: malloc / free Local variables of functions Auxiliary variables for each dynamically allocated object: Size (number of elements) Active bit Type malloc sets size (from parameter) and sets active bit free asserts that active bit is set and clears bit Same for local variables: active bit is cleared upon leaving the function

23 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Loop Unwinding All loops are unwound can use different unwinding bounds for different loops to check whether unwinding is sufficient special “unwinding assertion” claims are added If a program satisfies all of its claims and all unwinding assertions then it is correct! Same for backward goto jumps and recursive functions

24 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... cond while(cond) { Body; Body; } Remainder; } void f(...) {... cond while(cond) { Body; Body; } Remainder; }

25 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Remainder; } void f(...) {... cond if(cond) { Body; cond while(cond) { Body; Body; } Remainder; }

26 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Remainder; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond while(cond) { Body; Body; } Remainder; }

27 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Remainder; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond while(cond) { Body; Body; } Remainder; }

28 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond assert(!cond); } Remainder; } void f(...) {... cond if(cond) { Body; cond if(cond) { Body; cond if(cond) { Body; Body; cond assert(!cond); } Remainder; } Unwinding assertion

29 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Example: Sufficient Loop Unwinding void f(...) { j = 1 j <= 2 if(j <= 2) { j = j + 1; j <= 2 if(j <= 2) { j = j + 1; j <= 2 if(j <= 2) { j = j + 1; j = j + 1; (j <= 2) assert(!(j <= 2)); } Remainder; } void f(...) { j = 1 j <= 2 if(j <= 2) { j = j + 1; j <= 2 if(j <= 2) { j = j + 1; j <= 2 if(j <= 2) { j = j + 1; j = j + 1; (j <= 2) assert(!(j <= 2)); } Remainder; } void f(...) { j = 1 j <= 2 while (j <= 2) j = j + 1; Remainder; } void f(...) { j = 1 j <= 2 while (j <= 2) j = j + 1; Remainder; } unwind = 3

30 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Example: Insufficient Loop Unwinding void f(...) { j = 1 j <= 10 if(j <= 10) { j = j + 1; j <= 10 if(j <= 10) { j = j + 1; j <= 10 if(j <= 10) { j = j + 1; j = j + 1; (j <= 10) assert(!(j <= 10)); } Remainder; } void f(...) { j = 1 j <= 10 if(j <= 10) { j = j + 1; j <= 10 if(j <= 10) { j = j + 1; j <= 10 if(j <= 10) { j = j + 1; j = j + 1; (j <= 10) assert(!(j <= 10)); } Remainder; } void f(...) { j = 1 j <= 10 while (j <= 10) j = j + 1; Remainder; } void f(...) { j = 1 j <= 10 while (j <= 10) j = j + 1; Remainder; } unwind = 3

31 Introduction to CBMC: Part 1 Gurfinkel, Chaki, Oct 2, 2007 © 2006 Carnegie Mellon University Convert Bit Vector Logic Into Propositional Logic

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.