© 2012 Carnegie Mellon University Introduction to CBMC Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel November.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Pointers.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Programming Languages and Paradigms The C Programming Language.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.
Pointer applications. Arrays and pointers Name of an array is a pointer constant to the first element whose value cannot be changed Address and name refer.
Kernighan/Ritchie: Kelley/Pohl:
© 2011 Carnegie Mellon University Time Bounded Analysis of Real-Time Systems Arie Gurfinkel, Sagar Chaki, and Ofer Strichman Software Engineering Institute.
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Compiler Construction
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
Honors Compilers An Introduction to Algol-68S Jan 24 th 2002.
Run-time Environment and Program Organization
1 Lab Session-III CSIT-120 Spring 2001 Revising Previous session Data input and output While loop Exercise Limits and Bounds GOTO SLIDE 13 Lab session.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Cs164 Prof. Bodik, Fall Symbol Tables and Static Checks Lecture 14.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
Daniel Kroening and Ofer Strichman Decision Procedure
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
ROBOTC Software Introduction. ROBOTC Software ROBOTC developed specifically for classrooms and competitions Complete programming solution for VEX Cortex.
1 COMP 2130 Introduction to Computer Systems Computing Science Thompson Rivers University.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
EE4E. C++ Programming Lecture 1 From C to C++. Contents Introduction Introduction Variables Variables Pointers and references Pointers and references.
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.
Programming Language C++ Xulong Peng CSC415 Programming Languages.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 12: Pointers continued, C strings.
Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.
Pointers OVERVIEW.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
CS Midterm Study Guide Fall General topics Definitions and rules Technical names of things Syntax of C++ constructs Meaning of C++ constructs.
CMP-MX21: Lecture 4 Selections Steve Hordley. Overview 1. The if-else selection in JAVA 2. More useful JAVA operators 4. Other selection constructs in.
Implementing Subprograms What actions must take place when subprograms are called and when they terminate? –calling a subprogram has several associated.
Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.
Slides created by: Professor Ian G. Harris Hello World #include main() { printf(“Hello, world.\n”); }  #include is a compiler directive to include (concatenate)
Model Checking C Programs Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America.
 In the java programming language, a keyword is one of 50 reserved words which have a predefined meaning in the language; because of this,
CSE 332: C++ Statements C++ Statements In C++ statements are basic units of execution –Each ends with ; (can use expressions to compute values) –Statements.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
2: Basics Basics Programming C# © 2003 DevelopMentor, Inc. 12/1/2003.
Pointers1 WHAT IS A POINTER? Simply stated, a pointer is an address. A running program consists of three parts: execution stack, code, and data. They are.
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Lucas Bang Lecture 11: Pointers.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
Chapter 15 Running Time Analysis. Topics Orders of Magnitude and Big-Oh Notation Running Time Analysis of Algorithms –Counting Statements –Evaluating.
LINKED LISTS.
CSE 332: C++ Exceptions Motivation for C++ Exceptions Void Number:: operator/= (const double denom) { if (denom == 0.0) { // what to do here? } m_value.
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
Dynamic Allocation in C
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
SS 2017 Software Verification Bounded Model Checking, Outlook
C Basics.
Introduction to Software Verification
Secure Coding Rules for C++ Copyright © Curt Hill
Chapter 7 Additional Control Structures
Over-Approximating Boolean Programs with Unbounded Thread Creation
NASA Secure Coding Rules
Presentation transcript:

© 2012 Carnegie Mellon University Introduction to CBMC Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel November 19, 2012 based on slides by Daniel Kroening

2 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use a SAT-solver to find whether there exists an execution that violates the claim. Program Claim Analysis Engine SAT Solver UNSAT (no counterexample found) SAT (counterexample exists) CNF

3 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Programs and Claims Arbitrary ANSI-C programs With bitvector arithmetic, dynamic memory, pointers, … Simple Safety Claims Array bound checks (i.e., buffer overflow) Division by zero Pointer checks (i.e., NULL pointer dereference) Arithmetic overflow User supplied assertions (i.e., assert (i > j) ) etc

4 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Why use a SAT Solver? SAT Solvers are very efficient Analysis is completely automated Analysis as good as the underlying SAT solver Allows support for many features of a programming language bitwise operations, pointer arithmetic, dynamic memory, type casts

5 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University A (very) simple example (1) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 ProgramConstraints UNSAT no counterexample assertion always holds!

6 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University A (very) simple example (2) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 ProgramConstraints SAT counterexample found! y = 8, x = 1, w = 0, z = 7

7 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University What about loops?! SAT Solver can only explore finite length executions! Loops must be bounded (i.e., the analysis is incomplete) Program Claim Analysis Engine SAT Solver UNSAT (no counterexample of bound n is found) SAT (counterexample exists) CNF Bound (n)

8 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University CBMC: C Bounded Model Checker Developed at CMU by Daniel Kroening and Ed Clarke Available at: On Ubuntu: apt-get install cbmc with source code Supported platforms: Windows, Linux, OSX Has a command line, Eclipse CDT, and Visual Studio interfaces Scales to programs with over 30K LOC Found previously unknown bugs in MS Windows device drivers

9 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University CBMC: Supported Language Features ANSI-C is a low level language, not meant for verification but for efficiency Complex language features, such as Bit vector operators (shifting, and, or,…) Pointers, pointer arithmetic Dynamic memory allocation: malloc/free Dynamic data types: char s[n] Side effects float / double Non-determinism

© 2012 Carnegie Mellon University DEMO

11 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Using CBMC from Command Line To see the list of claims cbmc --show-claims -I include file.c To check a single claim cbmc --unwind n --claim x –I include file.c For help cbmc --help

12 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University How does it work Transform a programs into a set of equations 1. Simplify control flow 2. Unwind all of the loops 3. Convert into Single Static Assignment (SSA) 4. Convert into equations 5. Bit-blast 6. Solve with a SAT Solver 7. Convert SAT assignment into a counterexample

13 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University CBMC: Bounded Model Checker for C A tool by D. Kroening/Oxford and Ed Clarke/CMU Parser Static Analysis CNF-gen SAT solver CEX-gen CBMC C Program SAFE UNSAFE + CEX SAT UNSATCNF goto- program equations

14 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Control Flow Simplifications All side effect are removed e.g., j=i++ becomes j=i;i=i+1 Control Flow is made explicit continue, break replaced by goto All loops are simplified into one form for, do while replaced by while

15 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Loop Unwinding All loops are unwound can use different unwinding bounds for different loops to check whether unwinding is sufficient special “unwinding assertion” claims are added If a program satisfies all of its claims and all unwinding assertions then it is correct! Same for backward goto jumps and recursive functions

16 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... while(cond) { Body; } Remainder; } void f(...) {... while(cond) { Body; } Remainder; }

17 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... if(cond) { Body; while(cond) { Body; } Remainder; } void f(...) {... if(cond) { Body; while(cond) { Body; } Remainder; }

18 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Loop Unwinding while() loops are unwound iteratively Break / continue replaced by goto void f(...) {... if(cond) { Body; if(cond) { Body; while(cond) { Body; } Remainder; } void f(...) {... if(cond) { Body; if(cond) { Body; while(cond) { Body; } Remainder; }

19 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; while(cond) { Body; } Remainder; } void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; while(cond) { Body; } Remainder; }

20 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Unwinding assertion while() loops are unwound iteratively Break / continue replaced by goto Assertion inserted after last iteration: violated if program runs longer than bound permits Positive correctness result! void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; assert(!cond); } Remainder; } void f(...) {... if(cond) { Body; if(cond) { Body; if(cond) { Body; assert(!cond); } Remainder; } Unwinding assertion

21 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Example: Sufficient Loop Unwinding void f(...) { j = 1 if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; assert(!(j <= 2)); } Remainder; } void f(...) { j = 1 if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; if(j <= 2) { j = j + 1; assert(!(j <= 2)); } Remainder; } void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; } void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; } unwind = 3

22 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Example: Insufficient Loop Unwinding void f(...) { j = 1 if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; assert(!(j <= 10)); } Remainder; } void f(...) { j = 1 if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; if(j <= 10) { j = j + 1; assert(!(j <= 10)); } Remainder; } void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; } void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; } unwind = 3

23 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Transforming Loop-Free Programs Into Equations (1) Easy to transform when every variable is only assigned once! x = a; y = x + 1; z = y – 1; x = a; y = x + 1; z = y – 1; ProgramConstraints x = a && y = x + 1 && z = y – 1 && x = a && y = x + 1 && z = y – 1 &&

24 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Transforming Loop-Free Programs Into Equations (2) When a variable is assigned multiple times, use a new variable for the RHS of each assignment ProgramSSA Program

25 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University What about conditionals? ProgramSSA Program if (v) x = y; x = y;else x = z; x = z; w = x; if (v) x = y; x = y;else x = z; x = z; w = x; if (v 0 ) x 0 = y 0 ; x 0 = y 0 ;else x 1 = z 0 ; x 1 = z 0 ; w 1 = x?? ; if (v 0 ) x 0 = y 0 ; x 0 = y 0 ;else x 1 = z 0 ; x 1 = z 0 ; w 1 = x?? ; What should ‘x’ be?

26 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University What about conditionals? For each join point, add new variables with selectors ProgramSSA Program if (v) x = y; x = y;else x = z; x = z; w = x; if (v) x = y; x = y;else x = z; x = z; w = x; if (v 0 ) x 0 = y 0; x 0 = y 0;else x 1 = z 0; x 1 = z 0; x 2 = v 0 ? x 0 : x 1 ; w 1 = x 2 if (v 0 ) x 0 = y 0; x 0 = y 0;else x 1 = z 0; x 1 = z 0; x 2 = v 0 ? x 0 : x 1 ; w 1 = x 2

27 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Adding Unbounded Arrays Arrays are updated “whole array” at a time A[1] = 5; A[2] = 10; A[k] = 20; A 1 =λ i : i == 1 ? 5 : A 0 [i] A 2 =λ i : i == 2 ? 10 : A 1 [i] A 3 =λ i : i == k ? 20 : A 2 [i] Examples: A 2 [2] == 10A 2 [1]==5A 2 [3] == A 0 [3] A 3 [2] == (k==2 ? 20 : 10) Uses only as much space as there are uses of the array!

28 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Example

29 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Pointers While unwinding, record right hand side of assignments to pointers This results in very precise points-to information Separate for each pointer Separate for each instance of each program location Dereferencing operations are expanded into case-split on pointer object (not: offset) Generate assertions on offset and on type Pointer data type assumed to be part of bit-vector logic Consists of pair

30 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Pointer Typecast Example void *p; int i; char c; int main (void) { int input1, intput2, z; p = input1 ? (void*)&i : (void*) &c; if (input2) z = *(int*)p; else z = *(char*)p; } void *p; int i; char c; int main (void) { int input1, intput2, z; p = input1 ? (void*)&i : (void*) &c; if (input2) z = *(int*)p; else z = *(char*)p; }

31 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Dynamic Objects Dynamic Objects: malloc / free Local variables of functions Auxiliary variables for each dynamically allocated object: Size (number of elements) Active bit Type malloc sets size (from parameter) and sets active bit free asserts that active bit is set and clears bit Same for local variables: active bit is cleared upon leaving the function

© 2006 Carnegie Mellon University Modeling with CBMC

33 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University From Programming to Modeling Extend C programming language with 3 modeling features Assertions assert(e) – aborts an execution when e is false, no-op otherwise Non-determinism nondet_int() – returns a non-deterministic integer value Assumptions assume(e) – “ignores” execution when e is false, no-op otherwise void assert (_Bool b) { if (!b) exit(); } int nondet_int () { int x; return x; } void assume (_Bool e) { while (!e) ; }

34 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University Example int x, y; void main (void) { x = nondet_int (); assume (x > 10); y = x + 1; assert (y > x); } int x, y; void main (void) { x = nondet_int (); assume (x > 10); y = x + 1; assert (y > x); } possible overflow assertion fails possible overflow assertion fails

35 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Using nondet for modeling Library spec: “foo is given non-deterministically, but is taken until returned” CMBC stub: int nondet_int (); int is_foo_taken = 0; int grab_foo () { if (!is_foo_taken) is_foo_taken = nondet_int (); return is_foo_taken; } int nondet_int (); int is_foo_taken = 0; int grab_foo () { if (!is_foo_taken) is_foo_taken = nondet_int (); return is_foo_taken; } void return_foo () { is_foo_taken = 0; } void return_foo () { is_foo_taken = 0; }

36 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Assume-Guarantee Reasoning (1) Is foo correct? int foo (int* p) { … } void main(void) { … foo(x); … foo(y); … } int foo (int* p) { … } void main(void) { … foo(x); … foo(y); … } Check by splitting on the argument of foo

37 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Assume-Guarantee Reasoning (2) (A) Is foo correct assuming p is not NULL? int foo (int* p) { __CPROVER_assume(p!=NULL); … } (G)Is foo guaranteed to be called with a non-NULL argument? void main(void) { … assert (x!=NULL);// foo(x); … assert (y!=NULL); //foo(y); …} void main(void) { … assert (x!=NULL);// foo(x); … assert (y!=NULL); //foo(y); …}

38 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University Dangers of unrestricted assumptions Assumptions can lead to vacuous satisfaction if (x > 0) { __CPROVER_assume (x < 0); assert (0); } if (x > 0) { __CPROVER_assume (x < 0); assert (0); } This program is passed by CMBMC! Assume must either be checked with assert or used as an idiom: x = nondet_int (); y = nondet_int (); __CPROVER_assume (x < y); x = nondet_int (); y = nondet_int (); __CPROVER_assume (x < y);

39 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University Example: Prophecy variables int x, y, v; void main (void) { v = nondet_int (); x = v; x = x + 1; y = nondet_int (); assume (v == y); assert (x == y + 1); } int x, y, v; void main (void) { v = nondet_int (); x = v; x = x + 1; y = nondet_int (); assume (v == y); assert (x == y + 1); } v is a prophecy variable it guesses the future value of y v is a prophecy variable it guesses the future value of y assume blocks executions with a wrong guess assume blocks executions with a wrong guess syntactically: x is changed before y semantically: x is changed after y syntactically: x is changed before y semantically: x is changed after y

© 2012 Carnegie Mellon University Context-Bounded Analysis with CBMC

41 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University Context-Bounded Analysis (CBA) Explore all executions of TWO threads that have at most R context- switches (per thread) T1T1 T2T2 Context-Swtich (T 1 preempted by T 2 ) Context-Swtich (T 1 preempted by T 2 ) Context-Swtich (T 2 preempted by T 1 ) Context-Swtich (T 2 preempted by T 1 ) Context-Swtich (T 1 preempted by T 2 ) Context-Swtich (T 1 preempted by T 2 )

42 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University CBA via Sequentialization 1. Reduce concurrent program P to a sequential (non-deterministic) program P’ such that “P has error” iff “P’ has error” 2. Check P’ with CBMC Sequentialization CBMC Two-Thread Concurrent Program in C Sequential Program OK UNSAFE + CEX

43 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University R R Key Idea 1. Divide execution into rounds based on context switches 2. Execute executions of each context separately, starting from a symbolic state 3. Run all parts of Thread 1 first, then all parts of Thread 2 4. Connect executions from Step 2 using assume-statements T1T1 T2T2 Round 0 Round 1 Round 2

44 Introduction to CBMC Arie Gurfinkel © 2011 Carnegie Mellon University Sequentialization in Pictures Guess initial value of each global in each round Execute task bodies T  T  Check that initial value of round i+1 is the final value of round i g[0] g[1] g[2] TT TT TT TT TT TT TT TT TT TT

45 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University CBA Sequentialization in a Nutshel Sequential Program for execution of R rounds (i.e., context switches): 1.for each global variable g, let g[r] be the value of g in round r 2.execute thread bodies sequentially – first thread 1, then thread 2 – for global variables, use g[r] instead of g when running in round r – non-deterministically decide where to context switch – at a context switch jump to a new round (i.e., inc r) 3.check that initial value of round r+1 is the final value of round r 4.check user assertions

46 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University CBA Sequentialization1/2 void main () initShared (); initGlobals(); for t in [0,N) : // for each thread round = 0; T ’ t (); checkAssumptions (); checkAssertions (); void main () initShared (); initGlobals(); for t in [0,N) : // for each thread round = 0; T ’ t (); checkAssumptions (); checkAssertions (); initShared () for each global var g, g[0] = init_value (g); initShared () for each global var g, g[0] = init_value (g); initGlobals () for r in [1,R): //for each round for each global g: g[r] = i_g[r] = nondet(); initGlobals () for r in [1,R): //for each round for each global g: g[r] = i_g[r] = nondet(); checkAssumtpions () for r in [0,R-1): for each global g: assume (g[r] == i_g[r+1]); checkAssumtpions () for r in [0,R-1): for each global g: assume (g[r] == i_g[r+1]); var int round; // current round int g[R], i_g[R]; // global and initial global Bool saved_assert = 1; // local assertions var int round; // current round int g[R], i_g[R]; // global and initial global Bool saved_assert = 1; // local assertions checkAssertions () assert (saved_assert); checkAssertions () assert (saved_assert);

47 Time-Bounded Verification Gurfinkel, Chaki, Strichman © 2011 Carnegie Mellon University CBA Sequentialization: Task Body2/2 void T ’ t () Same as T t, but each statement ‘st’ is replaced with: contextSwitch (t); st[g  g[round]]; and ‘assert(e)’ is replaced with: saved_assert = e; void T ’ t () Same as T t, but each statement ‘st’ is replaced with: contextSwitch (t); st[g  g[round]]; and ‘assert(e)’ is replaced with: saved_assert = e; void contextSwitch () int oldRound; if (nondet ()) return; // non-det do not context switch oldRound = round; round = nondet_int (); assume (oldRound < round <= R-1); void contextSwitch () int oldRound; if (nondet ()) return; // non-det do not context switch oldRound = round; round = nondet_int (); assume (oldRound < round <= R-1); For more details, see Akash Lal and Tom Reps. “Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis”, in Proceedings of Computer Aided Verification, 2008.

48 Introduction to CBMC Arie Gurfinkel © 2012 Carnegie Mellon University

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.