Introduction to Software Verification Orna Grumberg Lectures Material winter 2016-17

Lecture 10 Bounded Model Checking (continued) CBMC Efficient SAT solvers

Bounded (SAT-based) Model Checking

Bounded model checking (BMC) for checking AGp Given A finite system M A safety property AGp A bound k Determine Does M contain a counterexample to p of k transitions (or fewer) ?

BMC for checking =EFp Build a propositional formula fMk describing all prefixes of length k of paths of M from an initial state Build a propositional formula fk describing all prefixes of length k of paths satisfying  If (fMk  fk ) is satisfiable, return the satisfying assignment as a counterexample Otherwise, increase k and return to 2.

BMC for checking =EFp fMk (V0,…,Vk) = INIT(V0)  i=0,…k-1 R(Vi,Vi+1) fk (V0,…,Vk) = Vi=0…k p(Vi)

BMC for checking AFp (=EGp) Is there an infinite path in M From an initial state all of its states satisfying p Over k+1 states ? Must be a lasso

BMC for checking AFp (=EGp) An infinite path in M, from an initial state, over k+1 states, all satisfying p: fMk (V0,…,Vk) = INIT(V0)  i=0,…k-1 R(Vi,Vi+1)  Vi=0,…k-1 (Vk=Vi) Vk=Vi means bitwise equality: j=0,…n (vkj  vij) fk (V0,…,Vk) = i=0,…k p (Vi)

Bounded model checking Can handle all of LTL formulas Can be used for verification by choosing k which is large enough Need bound on length of the shortest counterexample. diameter bound. The diameter is the maximum length of the shortest path between any two states. Using such k is often not practical due to the size of the model Computing worst case diameter is exponential. Obtaining better bounds is sometimes possible, but generally intractable.

SAT-based verification Induction Interpolation IC3

CBMC: C Bounded Model Checker Bounded Model Checking of C programs Based on slides by Arie Gurfinkel

A (very) simple example (1) Presentation Title 9/15/2018 A (very) simple example (1) Program Constraints int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 UNSAT no counterexample assertion always holds! True if x!=0 © 2006 Carnegie Mellon University

A (very) simple example (2) Presentation Title 9/15/2018 A (very) simple example (2) Program Constraints int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 SAT counterexample found! y = 8, x = 1, w = 0, z = 7 © 2006 Carnegie Mellon University

How does CBMC work Transform a program into a set of equations Presentation Title 9/15/2018 How does CBMC work Transform a program into a set of equations Simplify control flow Unwind all of the loops Convert into Single Static Assignment (SSA) Convert into equations Bit-blast Solve with a SAT Solver Convert SAT assignment into a counterexample © 2006 Carnegie Mellon University

CBMC: Bounded Model Checker for C A tool by D. Kroening/Oxford goto-program C Program Static Analysis Parser equations SAFE UNSAT SAT solver CNF CNF-gen SAT UNSAFE + CEX CEX-gen CBMC

Example: Sufficient Loop Unwinding Presentation Title 9/15/2018 Example: Sufficient Loop Unwinding void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; } void f(...) { j = 1 if(j <= 2) { j = j + 1; assert(!(j <= 2)); } Remainder; unwind = 3 assert(!(j <= 2)) unwinding assertion © 2006 Carnegie Mellon University

Example: Insufficient Loop Unwinding Presentation Title 9/15/2018 Example: Insufficient Loop Unwinding void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; } void f(...) { j = 1 if(j <= 10) { j = j + 1; assert(!(j <= 10)); } Remainder; unwind = 3 © 2006 Carnegie Mellon University

Transforming Loop-Free Programs Into Equations (2) Presentation Title 9/15/2018 Transforming Loop-Free Programs Into Equations (2) When a variable is assigned multiple times, use a new variable for the LHS of each assignment Program SSA Program x = x+y; x = x*2; a[i] = 100; x1 = x0+y0; x2 = x1*2; a1[i0] = 100; Single Static Assignment (SSA) © 2006 Carnegie Mellon University

What about conditionals? Presentation Title 9/15/2018 What about conditionals? Program SSA Program if (v) x = y; else x = z; w = x; if (v0) x1 = y0; else x2 = z0 ; x3 = v0 ? x1 : x2; w1 = x3; For each join point, add new variables with selectors © 2006 Carnegie Mellon University

Example valid? ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3) Presentation Title 9/15/2018 Example ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3)  (y4=7  y4=9) valid? © 2006 Carnegie Mellon University

Example Unsat? ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3) Presentation Title 9/15/2018 Example ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3) (y4=7  y4=9) Unsat? © 2006 Carnegie Mellon University

How does CBMC work Transform a program into a set of equations Presentation Title 9/15/2018 How does CBMC work Transform a program into a set of equations Simplify control flow Unwind all of the loops Convert into Single Static Assignment (SSA) Convert into equations Bit-blast Solve with a SAT Solver Convert SAT assignment into a counterexample © 2006 Carnegie Mellon University

Efficient SAT solvers

The SAT Problem Given a propositional formula (v̅), is there a satisfying assignment A for v̅ An assignment is a function from v̅ to {true, false} A is a satisfying assignment if (A(v̅))=true A is called a solution for (v̅ ) A partial assignment assigns a subset of v̅

CNF representation of (v̅) (v̅) is a conjunction of clauses: (v̅) = cl1  cl2  …  cln A clause is a disjunction of literals: cli=(lit1  …  litl) A literal is an atomic proposition or its negation Example: (a  c)  (b  c)  ( a  b  d ) A satisfies (v̅) iff A satisfies all its clauses

Example: (a  c)  (b  c)  ( a  b  d ) Satisfying assignments: A1 = (a=true, b=true, d=true, c=false) A2 = (c=true, a=false, b=true, d=false) CNF formulas Clause does not contain a, a No repetition of literals in clause CNF formulas can be represented as a set of sets of literals

Searching for a satisfying assignment Inefficient way: check each one of the 2n assignments where | v̅ | = n The basis for efficient SAT solving: Davis, Putnam,Logeman, loveland (DPLL) 1960, 1962

First idea: Unit Clause Given a propositional formula (v̅), and a partial assignment A A Unit Clause is a clause with exactly one unassigned literal, while all other literals are false Asserts the value of the unassigned variable a=1 is implied by b=1 and d=0 a = ? b = 1 d = 0 cl = (a  b  d) a = 1

Boolean Constraint Propagation (BCP) BCP: For (v̅) and a partial assignment A, computes all possible implications Based on unit clauses Conflict: a variable gets both 0 and 1 under A

DPLL algorithm Start with an empty partial assignment A If A is complete (no new decision to make), return (SAT, A) Otherwise, extend A with a decision: D=(variable, value) BCP: extend A with all implications of D If (no conflict) go to 2 If (conflict), apply backtracking: Let D=(v,b) be the last decision s.t. (v, !b) has not been checked yet Flip decision D: Remove (v,b), extend A with (v, !b) Undo all implications from D=(v,b) and from flips made after D Return to 4 If no decision to flip, return UNSAT

DPLL algorithm No unassigned variable – SAT Termination No unassigned variable – SAT No decision variable to flip – UNSAT

(bc)  (ad)  (abc)  (ad)  (ace) Decision 1: b=1 BCP: c=1 [ ]  (ad)  [ ]  (ad)  (ace) Decision 2: a=1 BCP: d=0 d=1 Conflict! -Backtrack

(bc)  (ad)  (abc)  (ad)  (ace) Decision 1: b=1 BCP: c=1 [ ]  (ad)  [ ]  (ad)  (ace) Decision 2: a=0

(bc)  (ad)  (abc)  (ad)  (ace) Decision 1: b=1 BCP: c=1 [ ]  [ ]  [ ]  [ ]  (ace) Decision 2: a=0 BCP: e=0 Partial satisfying assignment: b=1,c=1,a=0,e=0

Other solutions to the state-explosion problem Small models replace the full, concrete model: Abstraction Compositional verification Partial order reduction Symmetry