© 2012 Carnegie Mellon University UFO: Verification with Interpolants and Abstract Interpretation Arie Gurfinkel and Sagar Chaki Software Engineering Institute.

Presentation transcript:

Slide 1
© 2012 Carnegie Mellon University
UFO: Verification with Interpolants and Abstract Interpretation
Arie Gurfinkel and Sagar Chaki, Software Engineering Institute, Carnegie Mellon University
Aws Albarghouthi, Yi Li and Marsha Chechik, University of Toronto

Slide 2: UFO
- A framework and a tool for software verification
- Tightly integrates interpolation- and abstraction-based techniques
References:
- [SAS12] Craig Interpretation
- [CAV12] UFO: A Framework for Abstraction- and Interpolation-based Software Verification
- [TACAS12] From Under-approximations to Over-approximations and Back
- [VMCAI12] Whale: An Interpolation-based Algorithm for Interprocedural Verification
Check it out at:

Slide 3: Verification with INTERP and AI
Abstract Interpretation:
- uses Cutpoint Graph (CPG)
- maintains an unrolling of CPG
- computes disjunctive invariants
- uses novel powerset widening
- uses SMT to check for CEX
Refinement:
- DAG Interpolation for Refinement
- guided by AI-computed invariants
- fills in "gaps" in AI
Diagram: Program enters Abstract Interpretation; outcomes are SAFE (+Invariant) and UNSAFE (+CEX); edges between the two phases are labeled Unsafe, Interpolation and Invariant Strengthening.

Slide 4: Implementation in UFO Framework
Diagram components: C Program with assertions; C to LLVM; Optimizer; Cutpoint Graph; ARG Constructor (Abstract Post, Expansion Strategy, Refinement Strategy); SMT interface (Mathsat, Z3).

Slide 5: UFO in a Nutshell
- Iteration 1: imprecise post → UD; explore from root → OD
- Iteration 2: imprecise post → UD; explore from root → OD
Node legend: unlabeled; pred. abs. label; interpolant label.

Slide 6: Secret Sauce
- UFO Front-End
- Boxes Abstract Domain
- DAG Interpolation
- Parallel

Slide 7: UFO Front End
In principle simple, but in practice very messy.
- CIL passes to normalize the code (library functions, uninitialized vars, etc.)
- llvm-gcc (without optimization) to compile C to LLVM bitcode
- llvm opt with many standard, custom, and modified optimizations:
  - lower pointers, structures, unions, arrays, etc. to registers
  - constant propagation + many local optimizations
  - difficult to preserve the intended semantics of the benchmarks
  - based on the very old LLVM 2.6 (newer versions of LLVM are "too smart")
- Many benchmarks are discharged by the front end alone: 1,321 SAFE (out of 1,592) and 19 UNSAFE (out of 380)
Diagram: C Program with assertions → C to LLVM → Optimizer → Cutpoint Graph.

Slide 8: Boxes Abstract Domain: Semantic View
- Boxes are "finite unions of box values"
- (alternatively) Boxes are "Boolean formulas over interval constraints"
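The block below is an added example, not UFO's code (UFO backs its Boxes domain with Linear Decision Diagrams and uses its own widening). It implements the "finite union of box values" reading of the domain directly as a list of boxes, with join, meet, inclusion and a simple powerset widening of the kind slide 3 mentions (each new box is paired with the old box it agrees with on the most variables, and bounds it pushes outward are extrapolated to infinity). The program, the widening rule and the assertion are constructed for the illustration. It shows why the disjunction matters: the Boxes invariant (lock = 0 ∧ x ≥ 0) ∨ (lock = 1 ∧ x ≥ 1) rules out every violating state, while the single-box hull a plain interval domain would keep cannot.

```python
"""Toy Boxes abstract domain (finite unions of boxes) with a powerset widening.
Added example, not UFO's code: UFO stores Boxes as Linear Decision Diagrams and
uses its own widening; here boxes are dicts and the widening is a simple pairing rule."""
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Interval = Tuple[float, float]   # closed interval [lo, hi]
Box = Dict[str, Interval]        # one interval per variable; a missing variable is unbounded

def _iv(b: Box, v: str) -> Interval:
    return b.get(v, (-INF, INF))

def _meet(a: Box, b: Box) -> Optional[Box]:
    """Intersection of two boxes, or None when it is empty."""
    out = {v: (max(_iv(a, v)[0], _iv(b, v)[0]), min(_iv(a, v)[1], _iv(b, v)[1]))
           for v in a.keys() | b.keys()}
    return None if any(lo > hi for lo, hi in out.values()) else out

def _leq(a: Box, b: Box) -> bool:
    """True when box a is contained in box b."""
    return all(_iv(b, v)[0] <= _iv(a, v)[0] and _iv(a, v)[1] <= _iv(b, v)[1]
               for v in a.keys() | b.keys())

class Boxes:
    """Finite union of boxes (a DNF 'Boolean formula over interval constraints')."""
    def __init__(self, boxes: List[Optional[Box]]):
        self.boxes: List[Box] = []
        for b in boxes:                      # drop empty and subsumed boxes
            if b is None or any(_leq(b, o) for o in self.boxes):
                continue
            self.boxes = [o for o in self.boxes if not _leq(o, b)] + [b]

    def join(self, o: "Boxes") -> "Boxes":   # union
        return Boxes(self.boxes + o.boxes)

    def meet(self, o: "Boxes") -> "Boxes":   # intersection, box by box
        return Boxes([_meet(a, b) for a in self.boxes for b in o.boxes])

    def leq(self, o: "Boxes") -> bool:       # sufficient test: each box inside ONE box of o
        return all(any(_leq(a, b) for b in o.boxes) for a in self.boxes)

    def widen(self, o: "Boxes") -> "Boxes":
        """Powerset widening: a box of o not covered by an old box is paired with the
        old box agreeing with it on most variables; bounds it pushes outward go to +/-inf."""
        out: List[Box] = []
        for b in o.boxes:
            scored = [(sum(_iv(a, v) == _iv(b, v) for v in b), a) for a in self.boxes]
            if any(_leq(b, a) for a in self.boxes) or not scored or max(s for s, _ in scored) == 0:
                out.append(b)
                continue
            a = max(scored, key=lambda p: p[0])[1]   # first best match on ties
            w: Box = {}
            for v, (blo, bhi) in b.items():
                alo, ahi = _iv(a, v)
                w[v] = (alo if blo >= alo else -INF, ahi if bhi <= ahi else INF)
            out.append(w)
        return Boxes(out)

    def assign(self, var: str, c: float) -> "Boxes":             # var := c
        return Boxes([{**b, var: (c, c)} for b in self.boxes])

    def add(self, var: str, c: float) -> "Boxes":                # var := var + c
        return Boxes([{**b, var: (_iv(b, var)[0] + c, _iv(b, var)[1] + c)} for b in self.boxes])

    def guard(self, var: str, lo: float, hi: float) -> "Boxes":  # assume lo <= var <= hi
        return self.meet(Boxes([{var: (lo, hi)}]))

# Constructed program:  lock = 0; x = 0;
#   while (*) { if (lock == 0) { lock = 1; x = x + 1; } else { lock = 0; } }
#   assert(lock == 0 || x >= 1);
ENTRY = Boxes([{"lock": (0, 0), "x": (0, 0)}])

def loop_invariant(max_iters: int = 50) -> Boxes:
    """Loop-head invariant by Kleene iteration with widening."""
    inv = ENTRY
    for _ in range(max_iters):
        acquire = inv.guard("lock", 0, 0).assign("lock", 1).add("x", 1)
        release = inv.guard("lock", 1, 1).assign("lock", 0)
        nxt = inv.widen(inv.join(ENTRY).join(acquire.join(release)))
        if nxt.leq(inv):
            return inv
        inv = nxt
    raise RuntimeError("no fixpoint within max_iters")

def error_states(inv: Boxes) -> Boxes:
    """States of inv violating assert(lock == 0 || x >= 1); empty means proved."""
    return inv.guard("lock", 1, 1).guard("x", -INF, 0)

def hull(inv: Boxes) -> Boxes:
    """Collapse the union to one box, i.e. what a plain interval (Box) domain keeps."""
    h: Box = {}
    for b in inv.boxes:
        for v, (lo, hi) in b.items():
            plo, phi = h.get(v, (INF, -INF))
            h[v] = (min(plo, lo), max(phi, hi))
    return Boxes([h])
```

`loop_invariant()` returns the two boxes {lock ∈ [0,0], x ∈ [0,∞)} and {lock ∈ [1,1], x ∈ [1,∞)}; `error_states` on it is empty, whereas on `hull(...)` it still contains lock = 1, x = 0. The `leq` test is only sufficient (a box covered by several boxes of the other side is not recognised), which is sound for fixpoint detection but may cost extra iterations.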

Slide 9: Linear Decision Diagrams in a Nutshell *
Linear arithmetic formula: (x + 2y < 10) OR (x + 2y ≥ 10 AND z < 10)
Linear Decision Diagram: decision nodes "x + 2y < 10" and "z < 10"; true and false terminals; true and false edges.
Operations:
- Propositional (AND, OR, NOT)
- Existential quantification
Compact representation:
- Sharing sub-expressions
- Local numeric reductions
- Dynamic node reordering
* joint work w/ Ofer Strichman

Slide 10: DAG Interpolants: Solving the Refinement Problem
Given a DAG $G = (V, E)$ and a labeling of edges $\pi : E \to \mathrm{Expr}$.
A DAG interpolant (if it exists) is a labeling $I : V \to \mathrm{Expr}$ such that for any path $v_0, \dots, v_n$ and $0 < k < n$,
$$I(v_k) = \mathrm{ITP}\big(\pi(v_0) \wedge \dots \wedge \pi(v_{k-1}),\ \pi(v_k) \wedge \dots \wedge \pi(v_n)\big)$$
and
$$\forall (u, v) \in E.\ \big(I(u) \wedge \pi(u, v)\big) \Rightarrow I(v).$$
Example DAG with edge labels $\pi_1, \dots, \pi_8$ and node labels $I_1, \dots, I_7$:
$I_2 = \mathrm{ITP}(\pi_1, \pi_8)$, $I_2 = \mathrm{ITP}(\pi_1, \pi_2 \wedge \pi_3 \wedge \pi_6 \wedge \pi_7)$, …
$(I_1 \wedge \pi_1) \Rightarrow I_2$, $(I_2 \wedge \pi_8) \Rightarrow I_7$, $(I_2 \wedge \pi_2) \Rightarrow I_3$, …
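As an added example (not part of UFO or of these slides), the checker below validates a candidate labeling $I$ against the edge condition on this slide, $(I(u) \wedge \pi(u,v)) \Rightarrow I(v)$ for every edge, by brute-force enumeration over a small bounded domain. It additionally requires the root label to be true and the error label to be false, the usual endpoint conditions for a refinement that proves all error paths infeasible; that addition, the DAG, the edge relations and the labels are all constructed for the illustration. It computes no interpolants (UFO obtains those from the SMT solver's proof); it only shows what a refinement must check before accepting labels as an invariant, and how a too-weak label is caught on the edge it fails.

```python
"""Brute-force checker for the DAG-interpolant edge condition on a constructed DAG.
Added example, not UFO's code; computes no interpolants, only validates labels."""
from itertools import product
from typing import Callable, Dict, Optional, Tuple

State = Dict[str, int]
Pred = Callable[[State], bool]            # node label I(v): a set of states
Trans = Callable[[State, State], bool]    # edge label pi(u, v): relation over (pre, post)

VARS = ("x", "y")
DOMAIN = range(-3, 8)                     # constructed bounded domain for enumeration

def states():
    for vals in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, vals))

def check_dag_interpolant(edges: Dict[Tuple[str, str], Trans], labels: Dict[str, Pred],
                          root: str, error: str) -> Optional[str]:
    """None when labels satisfy root=true, error=false and every edge is inductive;
    otherwise a message naming the first violated condition."""
    if not all(labels[root](s) for s in states()):
        return f"I({root}) must be true"
    if any(labels[error](s) for s in states()):
        return f"I({error}) must be false"
    for (u, v), pi in edges.items():
        for s in states():
            if not labels[u](s):
                continue
            for t in states():                      # (I(u) and pi(u,v)) must imply I(v)
                if pi(s, t) and not labels[v](t):
                    return f"edge ({u},{v}) not inductive at {s} -> {t}"
    return None

# Constructed DAG: v1 -> v2 -> v3 -> v4 -> err, with a second path v2 -> v4.
#   v1->v2: x = 0; y = 0           v2->v3: assume x < 5; x = x + 1; y = y + x
#   v2->v4: assume x >= 5          v3->v4: skip          v4->err: assume y < 0
EDGES: Dict[Tuple[str, str], Trans] = {
    ("v1", "v2"): lambda s, t: t["x"] == 0 and t["y"] == 0,
    ("v2", "v3"): lambda s, t: s["x"] < 5 and t["x"] == s["x"] + 1 and t["y"] == s["y"] + s["x"],
    ("v2", "v4"): lambda s, t: s["x"] >= 5 and t == s,
    ("v3", "v4"): lambda s, t: t == s,
    ("v4", "err"): lambda s, t: s["y"] < 0 and t == s,
}

# A valid labeling: every path to err is infeasible because y never drops below 0.
GOOD: Dict[str, Pred] = {
    "v1": lambda s: True,
    "v2": lambda s: s["x"] >= 0 and s["y"] >= 0,
    "v3": lambda s: s["y"] >= 0,
    "v4": lambda s: s["y"] >= 0,
    "err": lambda s: False,
}
# Too weak at v2 (forgets x >= 0): y + x can go negative on edge v2->v3.
WEAK: Dict[str, Pred] = dict(GOOD, v2=lambda s: s["y"] >= 0)
```

`check_dag_interpolant(EDGES, GOOD, "v1", "err")` returns `None`; with `WEAK` it returns a message starting `edge (v2,v3) not inductive`, pointing at exactly the edge a refinement would have to strengthen.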

Slide 11: Parallel Verification Strategy
Run 7 verification strategies in parallel until a solution is found:
- cpredO3: all LLVM optimizations + Cartesian Predicate Abstraction
- bpredO3: all LLVM optimizations + Boolean PA + 20s TO
- bigwO3: all LLVM optimizations + BOXES + non-aggressive widening + 10s TO
- boxesO3: all LLVM optimizations + BOXES + aggressive widening
- boxO3: all LLVM optimizations + BOX + aggressive widening + 20s TO
- boxesO0: minimal LLVM optimizations + BOXES + aggressive widening
- boxbpredO3: all LLVM opts + BOX + Boolean PA + aggressive widening + 60s TO

Slide 12: UFO Family
Whale [VMCAI12]:
- Interpolation-based interprocedural analysis
- Interpolants as procedure summaries
- State/transition interpolation, a.k.a. Tree Interpolants
UFO [TACAS12]:
- Refinement with DAG interpolants
- Tight integration of interpolation-based verification with predicate abstraction
Vinta [SAS12]:
- Refinement of Abstract Interpretation (AI)
- AI-guided DAG Interpolation

Slide 13: Thank You!

Slide 14: Contact Information
Presenter: Arie Gurfinkel, RTSS
Telephone:
U.S. mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA, USA
Web:
Customer Relations Telephone:
SEI Phone:
SEI Fax:

Slide 15: NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.
This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at
This work was created in the performance of Federal Government Contract Number FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at

© 2012 Carnegie Mellon University THE END