Presentation is loading. Please wait.

Presentation is loading. Please wait.

SS 2017 Software Verification Bounded Model Checking, Outlook

Published byMyrtle Horton Modified over 6 years ago

Similar presentations

Presentation on theme: "SS 2017 Software Verification Bounded Model Checking, Outlook"— Presentation transcript:

1 SS 2017 Software Verification Bounded Model Checking, Outlook
Prof. Dr. Holger Schlingloff 1,2 Dr. Esteban Pavese 1 (1) Institut für Informatik der Humboldt Universität (2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

2 Recap What does SMT stand for? Is SMT hard to solve?
How can a SMT solver be used for SMC? What is the main problem? How to generate invariants? What is partial order reduction in SMC? What is an ample set? Conditions on ample sets?

3 Bounded Model Checking
Back to the beginning: treat model checking as a boolean satisfiability problem Inductive reasoning: find invariant P such that I[x]  P[x], and P[x] T[x,x´]  P[x´] Now: try to satisfy I[x] T[x,x´] T[x´,x´´] T[x´´,x´´´] T[x´´´,x´´´´]  ... FOL() Recall that FOL() translates temporal formulas into first-order: FOL()= , FOL(p)=p(x), FOL(())=(FOL()(x)FOL()(x)) (U+)=X(X(X(X( ...)..) FOLi(U+)= T[x,x´](FOLi()(x´)FOLi()(x´) (T[x´,x´´](FOLi()(x´´)FOLi()(x´´) ...)..)

4 Basic Idea Instead of exploring all states exhaustively, unroll the transition relation up to a certain fixed bound and search for violations of the property within that bound Transform this search to a Boolean satisfiability problem and solve it using a SMT solver We can define a bounded semantics for temporal logic properties so that if a path satisfies a property based on the bounded semantics, then it satisfies the property based on the unbounded semantics Using this observation, we can show that a counter-example found on a bounded path is guaranteed to be a real counter-example However, not finding a violation using bounded model checking does not guarantee correctness

5 Formally: this formula describes that (w0,w1,...wk) is a maximal path in M. this formula describes that (U+) holds along this path V

6 Resettable Counter Revisited
Consider the following program {c=1; while (T) {if (r  (c==n)) then {c=1} else {c++}} Transition relation [[M]]3:

7 Resettable Counter Revisited
Check the following properties (G*(c≤n)  F*(c=n)) (n>1  G*(c≤n)  F*(c=n)) G*(r  c<n) Satisfiability:

8 Correctness How to determine length k? start with “reasonably small” k
while no satisfying assignment (counterexample) is found, increase k stop if “diameter” of M is reached (again, this is in general undecidable for infinite-state programs) there is no efficient algorithm for identifying the diameter in general again, heuristics can be used

9 Properties of BMC Bounded model checking finds counterexamples fast. This is due to depth first nature of SAT search procedures Counterexamples of minimal length. This feature helps user understand counterexample more easily Often, less space than BDD based approaches; no need for variable ordering heuristics Can be combined with partial order methods

10 Implementations CBMC: bounded model checker for ANSI-C programs (sequential) ESBMC: Efficient SMT-Based Context-Bounded Model Checker (multi-threaded) new version (2016) for CUDA Programs (Nvidia) Benchmarking competitions

11 CBMC Example Original code Unwinding the loop 3 times Unwinding
Thanks to Tevfik Bultan, UCSB, /lectures/SMT-BMC.ppt Original code Unwinding the loop 3 times x=0; while (x < 2) { y=y+x; x++; } x=0; if (x < 2) { y=y+x; x++; } assert (! (x < 2)) Unwinding assertion:

12 From Code to SAT After eliminating loops and recursion, CBMC converts the input program to the static single assignment (SSA) form In SSA each variable appears at the left hand side of an assignment only once This is a standard program transformation that is performed by creating new variables In the resulting program each variable is assigned a value only once and all the branches are forward branches (there is no backward edge in the control flow graph) CBMC generates a Boolean logic formula from the program using bit vectors to represent variables

13 (Another) CBMC-Example
Original code Convert to static single assignment x=x+y; if (x!=1) x=2; else x++; assert(x<=3); x1=x0+y0; if (x1!=1) x2=2; else x3=x1+1; x4=(x1!=1)?x2:x3; assert(x4<=3); Generate constraints C  x1=x0+y0  x2=2  x3=x1+1 (x1!=1  x4=x2  x1=1  x4=x3) P  x4 <= 3 Check if C   P is satisfiable (if it is then the assertion is violated) C   P is converted to boolean logic using a bit vector representation for the integer variables y0,x0,x1,x2,x3,x4

14 Other Software-related Issues
Arrays, pointers Structured data types, lists, sets and bags Methods, parameters Classes, inheritance Type systems

15 Further Topics Abstraction Testing by model checking Hybrid systems
Counter-Example Guided Abstraction Refinement over- and underapproximations Testing by model checking construction of optimal counterexamples Hybrid systems real-valued variables evolving according to diff. equations Strategic Logics multi-player games, concurrent game structures application to collaborative systems Synthesis finding strategies = automatically constructing programs

Download ppt "SS 2017 Software Verification Bounded Model Checking, Outlook"

Similar presentations

Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.

Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Qualitätssicherung von Software (SWQS) Prof. Dr. Holger Schlingloff Humboldt-Universität zu Berlin und Fraunhofer FOKUS 28.5.2013: Modellprüfung II - BDDs.

Qualitätssicherung von Software (SWQS) Prof. Dr. Holger Schlingloff Humboldt-Universität zu Berlin und Fraunhofer FOKUS : Modellprüfung II - BDDs.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
6.5.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.

Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.
1 Completeness and Complexity of Bounded Model Checking.

1 Completeness and Complexity of Bounded Model Checking.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Similar presentations

Ads by Google