Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang


Contents: Integer Square Root; Model Checking; Summary; Compositional Reasoning

A Concrete Example of such a Software

Take a number n, output a number m. [Figure: state machine s0 (start) -> initialize -> s1 -> s2; transformation: in(), isr(n,k), isk(n,k).]

Correctness Claim: The output is the integer square root of the input, i.e. (m*m)<=n; (m*m)+2*m+1>n

Example: Function main()

```c
#include <stdio.h>
/********************************************/
int in();
int isr(int x,int k);
int isk(int n,int k);
/********************************************/
int main() {
  int n=0, m=0;
  int k=1;
  printf("INFO: system is now active\n");
  while (1) {
    n=in();          /* read the next input number (0..20) */
    m=isr(n,k);      /* compute the integer square root, given the history state k */
    k=isk(n,k);      /* update the history state from the current input */
    printf("RESULT: %i\n\n",m);
  }
}
```

Example: Function in()

```c
int in() {
  char c=0;
  int k=0;
  while (1) {
    k=0;
    putc('N',stdout); putc(':',stdout); putc(9,stdout);   /* prompt "N:" followed by a tab */
    c=getc(stdin);                                        /* note: EOF is not handled; the discard loops below never terminate on EOF */
    if (c=='\n') {
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    if (c<'0'||c>'9') {                                   /* not a digit: discard the rest of the line */
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    k=c-'0';
    c=getc(stdin);
    if (c=='\n') { return k; }                            /* one-digit input */
    if (c<'0'||c>'9') {
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    if (k<2) k=k*10+(c-'0');                              /* 00..19 */
    else if (k==2&&c=='0') k=20;                          /* 20 */
    else {                                                /* 21..99: out of range */
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input number must be in {0,...,20}\n\n");
      continue;
    }
    c=getc(stdin);
    if (c!='\n') {                                        /* more than two characters */
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    return k;
  }
}
```

Example: isr() and isk()

```c
int isr(int x,int k) {
  int y1=0;
  int y2=0;
  int y3=0;
  y1=0; y2=1; y3=1;                        /* invariant: y3 == (y1+1)*(y1+1), y2 == 2*y1+1 */
  if (x==2||(x>2&&k==20)) x=x-1;
  while (y3<=x) {
    y1=y1+1;
    y2=y2+2;
    y3=y3+y2;
  }
  return y1;
}

int isk(int n,int k) {
  if (k!=20) {
    if (k!=n) k=21;
    else if (k==19) k=0;
    else k=k+2;
  } else {
    k=21;
  }
  return k;
}
```

Execution and Interaction

```c
#include <stdio.h>
/**************************************************/
int in();
int isr(int x,int k);
int isk(int n,int k);
/**************************************************/
int main(int argc, char **argv) {
  int n=0,m=0;
  int k=1;
  printf("system is now active\n");
  while (1) {
    n=in();
    m=isr(n,k);
    k=isk(n,k);
    printf("RESULT: %i\n\n",m);
  }
}
/**************************************************/
int isr(int y,int k) {
  int y1=0;
  int y2=0;
  int y3=0;
  int z=0;
  int x=y;
  y1=0; y2=1; y3=1;
  if (x==2||(x>2&&k==20)) x=x-1;
  while (y3<=x) {
    y1=y1+1;
    y2=y2+2;
    y3=y3+y2;
  }
  z=y1;
  return z;
}
/**************************************************/
int isk(int n,int k) {
  if (k!=20) {
    if (k!=n) k=21;
    else {
      if (k==19) k=0;
      else k=k+2;
    }
  } else {
    k=21;
  }
  return k;
}
/**************************************************/
int in() {
  char c;                                  /* note: getc() returns int; EOF is not handled here */
  int k=0;
  while (1) {
    k=0;
    putc('N',stdout); putc(':',stdout); putc(9,stdout);
    c=getc(stdin);
    /* printf("%i\n",c); */
    if (c=='\n') {
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    if (c<'0'||c>'9') {
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    k=c-'0';
    c=getc(stdin);
    if (c=='\n') { return k; }
    if (c<'0'||c>'9') {
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    k=k*10+(c-'0');
    if (k>20) {
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input number must be in {0,...,20}\n\n");
      continue;
    }
    c=getc(stdin);
    if (c!='\n') {
      while (1) { c=getc(stdin); if (c=='\n') break; }
      printf("INFO: the input must be 1 or 2 digits\n\n");
      continue;
    }
    return k;
  }
}
/**************************************************/
```

Sample session:

```
2013cp]$ ./isr1a
INFO: system is now active
N:	1
RESULT: 1

N:	23
INFO: the input number must be in {0,...,20}

N:	19
RESULT: 4

N:	ad
INFO: the input must be 1 or 2 digits

N:	9
RESULT: 3

N:
```

Program Correctness

Judging from the sample executions, the correctness claim appears to hold. Question: does the claim hold for all input sequences? In fact, there is an error when the input sequence is:

The input history may affect the behavior of the software, and it may cause errors in certain cases.

Program Correctness

Question: Is the claim correct? Use model checking!


Modeling and Model Checking

Model Checking with VERDS
– Input to VERDS: VVM (VERDS verification model)
Modeling Language
– VML (VERDS modeling language)

Verification Process

[Figure: C Program -> Automatic Translator -> Model; Model + Properties -> VERDS Model Checker]

Correctness Claim (isr1a.sp)

(at line 17): ((m*m)<=n)&&((m*m)+2*m+1>n)

Model Checking

```
./verds -c isr.c -sp isr.sp
VERSION: verds DEC 2012
FILE: isr.vvm
PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))
bound = 0 time = time = 667
.
bound =105 time = time = 1068
The property is false, preparing files...
CONCLUSION: FALSE (time=3156)
```

```
2013cp]$ ../verds -c isr1a.c -sp isr1a.sp
VERSION: verds JAN 2013
FILE: isr1a.vvm
PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))
bound = 0 time = time = 326
bound = 1 time = time = 326
.
bound =105 time = time = 675
The property is false, preparing files...
CONCLUSION: FALSE (time=3985 sec)
```

Verification Process

[Figure: C Program -> Automatic Translator -> Model; Model + Properties -> VERDS Model Checker -> Negative Conclusion + Error Trace]

Error Trace (isr1a.cex)

```
--- STATE n =0  m =0 k =1  pc =0
--- TRANS
STATE     n =0  m =0 k =1  pc =1
--- TRANS
STATE     n =0  m =0 k =1  pc =2
--- TRANS
STATE     n =1  m =0 k =1  pc =3
…
--- STATE n =18 m =4 k =20 pc =2
--- TRANS
STATE     n =4  m =4 k =20 pc =3
--- TRANS
STATE     n =4  m =1 k =20 pc =4
--- TRANS
STATE     n =4  m =1 k =21 pc =5
```

Analysis of the Error Trace

An error occurred with the following sequence of inputs:

Confirmation of the error by testing. Correction to the program is made.

Correction: Function main()

```c
#include <stdio.h>
/********************************************/
int in();
int isr(int x,int k);
int isk(int n,int k);
/********************************************/
int main() {
  int n=0, m=0;
  int k=1;
  printf("INFO: system is now active\n");
  while (1) {
    n=in();
    k=isk(n,k);      /* corrected: update the history state before computing the result */
    m=isr(n,k);
    printf("RESULT: %i\n\n",m);
  }
}
```

Verification of the Corrected One

```
2013cp]$ ../verds -c isr2a.c -sp isr1a.sp
VERSION: verds JAN 2013
FILE: isr2a.vvm
PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))
bound = 0 time = time = 276
bound = 1 time = time = 276
.
bound =105 time = time = 607
CONCLUSION: TRUE (time=607 sec)
```

Verification of the Corrected One

[Figure: C Program -> Automatic Translator -> Model; Model + Properties -> VERDS Model Checker -> Positive Conclusion]


Verification Times

Number of called functions | Verification Time (sec)
3                          | 607

Use of Assumption-Guarantee

Each function is augmented with an assumption-guarantee pair as follows (isr2a.fsp):

```
FUNCTION z=isk(x,y)
ASSUMPTION 0<=x&&x<=20;
GUARANTEE (!(z==20)||x=18);

FUNCTION z=in()
ASSUMPTION TRUE;
GUARANTEE 0<=z&&z<=20;
```

Verification Process (A/G)

[Figure: C Program -> Automatic Translator -> Model; Model + Properties + A/G Specification -> VERDS Model Checker]

Verification Subgoals

```
../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp
../verds -ck in -Dint=i5 isr2a.vvm
../verds -ck isk -Dint=i5 isr2a.vvm
```

Verification subgoals: one for main() (checked against the property, with the called functions replaced by their A/G specifications), and one for each of the functions in() and isk() (checked against its own guarantee).
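The two ideas of this section, the history-dependent error found by model checking the main loop and the per-function contract used in the compositional run, can both be reproduced with a small explicit-state check. The block below is an added example written for this transcript, not code from the slides or from VERDS: it reuses isr() and isk() as given above, treats k as the only state carried between loop iterations, and does a breadth-first search over reachable k values and all inputs in 0..20 (this is a plain reachability search, not VERDS's bounded algorithm). It also checks isk() against its A/G pair exhaustively; the slide prints that guarantee as x=18, and reading it as the equality x==18 is an assumption made here.

```c
#include <stdio.h>
#include <stdbool.h>

/* isr() and isk() as given on the slides (behaviour unchanged). */
static int isr(int x, int k) {
    int y1 = 0, y2 = 1, y3 = 1;              /* invariant: y3 == (y1+1)^2 */
    if (x == 2 || (x > 2 && k == 20)) x = x - 1;
    while (y3 <= x) { y1 = y1 + 1; y2 = y2 + 2; y3 = y3 + y2; }
    return y1;
}

static int isk(int n, int k) {
    if (k != 20) {
        if (k != n) k = 21;
        else if (k == 19) k = 0;
        else k = k + 2;
    } else {
        k = 21;
    }
    return k;
}

/* The correctness claim checked at the RESULT line of main(). */
static bool claim_holds(int n, int m) {
    return m * m <= n && m * m + 2 * m + 1 > n;
}

/* One iteration of main()'s loop on input n, updating the loop-carried state k.
   order 0 = original program (isr before isk), order 1 = corrected program. */
static int step(int order, int n, int *k) {
    int m;
    if (order == 0) { m = isr(n, *k); *k = isk(n, *k); }
    else            { *k = isk(n, *k); m = isr(n, *k); }
    return m;
}

#define KMAX 22   /* k only ever takes values in 0..21 */

/* Explicit-state reachability: k is the only state surviving a loop iteration, so a
   breadth-first search over k (from the initial k=1) with every input n in 0..20 covers
   all behaviours of main(). Returns the length of a counterexample input sequence written
   to trace[] (capacity >= KMAX), or 0 if the claim holds on every input sequence. */
int model_check(int order, int trace[]) {
    bool seen[KMAX] = { false };
    int pred_k[KMAX], pred_n[KMAX], queue[KMAX];
    int head = 0, tail = 0;
    seen[1] = true; pred_k[1] = -1; queue[tail++] = 1;
    while (head < tail) {
        int k = queue[head++];
        for (int n = 0; n <= 20; n++) {
            int k2 = k;
            int m = step(order, n, &k2);
            if (!claim_holds(n, m)) {
                /* rebuild the inputs that led to state k, then append the failing n */
                int len = 0, buf[KMAX];
                for (int s = k; pred_k[s] != -1; s = pred_k[s]) buf[len++] = pred_n[s];
                for (int i = 0; i < len; i++) trace[i] = buf[len - 1 - i];
                trace[len] = n;
                return len + 1;
            }
            if (k2 >= 0 && k2 < KMAX && !seen[k2]) {
                seen[k2] = true; pred_k[k2] = k; pred_n[k2] = n; queue[tail++] = k2;
            }
        }
    }
    return 0;
}

/* Convenience wrappers: counterexample length, and its i-th input (-1 if none). */
int counterexample_length(int order) { int t[KMAX]; return model_check(order, t); }
int counterexample_input(int order, int i) {
    int t[KMAX]; int len = model_check(order, t); return i < len ? t[i] : -1;
}

/* Contract check for isk() from the A/G pair: under ASSUMPTION 0<=x<=20 (and any y the
   state k can hold, 0..21) the GUARANTEE !(z==20) || x==18 holds. Reading the slide's
   "x=18" as x==18 is an assumption of this example. */
bool isk_contract_holds(void) {
    for (int x = 0; x <= 20; x++)
        for (int y = 0; y < KMAX; y++) {
            int z = isk(x, y);
            if (!(!(z == 20) || x == 18)) return false;
        }
    return true;
}

int main(void) {
    int trace[KMAX];
    for (int order = 0; order < 2; order++) {
        int len = model_check(order, trace);
        printf("%s program: ", order ? "corrected" : "original");
        if (len == 0) { printf("claim holds for all input sequences\n"); continue; }
        printf("counterexample of %d inputs:", len);
        for (int i = 0; i < len; i++) printf(" %d", trace[i]);
        printf("\n");
    }
    printf("isk() contract: %s\n", isk_contract_holds() ? "holds" : "violated");
    return 0;
}
```

For the original ordering the search reports the 21-input sequence 1,3,...,19,0,2,...,18,4: twenty inputs drive k to 20, and the next input 4 makes isr() decrement x and return 1, for which 1*1+2*1+1 > 4 fails, matching the end of the error trace above (n=4, m=1, k=20). For the corrected ordering no input sequence violates the claim, and isk() satisfies its guarantee on the whole assumed domain, which is what the three VERDS subgoals establish separately.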

Verification of the Corrected One

```
2013cp]$ ../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp
VERSION: verds JAN 2013
FILE: isr2a.vvm
PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))
bound = 0 time = time = 75
bound = 1 time = time = 75
bound = 2 time = time = 75
.
bound = 11 time = time = 82
CONCLUSION: TRUE (time=82 sec)
```

Verification of the Corrected One

```
2013cp]$ ../verds -Dint=i5 -ck in isr2a.vvm
VERSION: verds JAN 2013
FILE: isr2a.vvm
bound = 0 time = time = 31
bound = 1 time = time = 31
INFO: A/G=1
CONCLUSION: TRUE (time=34 sec)
```

Verification of the Corrected One

```
2013cp]$ ../verds -Dint=i5 -ck isk isr2a.vvm
VERSION: verds JAN 2013
FILE: isr2a.vvm
bound = 0 time = time = 32
bound = 1 time = time = 32
INFO: A/G=1
CONCLUSION: TRUE (time=37 sec)
```

Verification Times

Verification Subgoal | Verification Time (sec)
main() with A/G      | 82
in()                 | 34
isk()                | 37
Sum                  | 153

Original task with model checking: time = 607 seconds. With A/G: 3 tasks with model checking, time < 100 seconds for each.


Questions?