Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Software Verification

Published byJodie Page Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Software Verification"— Presentation transcript:

1 Introduction to Software Verification
Orna Grumberg Lectures Material winter

2 Lecture 10 Bounded Model Checking (continued) CBMC
Efficient SAT solvers

3 Bounded (SAT-based) Model Checking

4 Bounded model checking (BMC) for checking AGp
Given A finite system M A safety property AGp A bound k Determine Does M contain a counterexample to p of k transitions (or fewer) ?

5 BMC for checking =EFp
Build a propositional formula fMk describing all prefixes of length k of paths of M from an initial state Build a propositional formula fk describing all prefixes of length k of paths satisfying  If (fMk  fk ) is satisfiable, return the satisfying assignment as a counterexample Otherwise, increase k and return to 2.

6 BMC for checking =EFp
fMk (V0,…,Vk) = INIT(V0)  i=0,…k-1 R(Vi,Vi+1) fk (V0,…,Vk) = Vi=0…k p(Vi)

7 BMC for checking AFp (=EGp)
Is there an infinite path in M From an initial state all of its states satisfying p Over k+1 states ? Must be a lasso

8 BMC for checking AFp (=EGp)
An infinite path in M, from an initial state, over k+1 states, all satisfying p: fMk (V0,…,Vk) = INIT(V0)  i=0,…k-1 R(Vi,Vi+1)  Vi=0,…k-1 (Vk=Vi) Vk=Vi means bitwise equality: j=0,…n (vkj  vij) fk (V0,…,Vk) = i=0,…k p (Vi)

9 Bounded model checking
Can handle all of LTL formulas Can be used for verification by choosing k which is large enough Need bound on length of the shortest counterexample. diameter bound. The diameter is the maximum length of the shortest path between any two states. Using such k is often not practical due to the size of the model Computing worst case diameter is exponential. Obtaining better bounds is sometimes possible, but generally intractable.

10 SAT-based verification
Induction Interpolation IC3

11 CBMC: C Bounded Model Checker Bounded Model Checking of C programs
Based on slides by Arie Gurfinkel

12 A (very) simple example (1)
Presentation Title 9/15/2018 A (very) simple example (1) Program Constraints int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 7 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 7, w != 9 UNSAT no counterexample assertion always holds! True if x!=0 © 2006 Carnegie Mellon University

13 A (very) simple example (2)
Presentation Title 9/15/2018 A (very) simple example (2) Program Constraints int x; int y=8,z=0,w=0; if (x) z = y – 1; else w = y + 1; assert (z == 5 || w == 9) y = 8, z = x ? y – 1 : 0, w = x ? 0 :y + 1, z != 5, w != 9 SAT counterexample found! y = 8, x = 1, w = 0, z = 7 © 2006 Carnegie Mellon University

14 How does CBMC work Transform a program into a set of equations
Presentation Title 9/15/2018 How does CBMC work Transform a program into a set of equations Simplify control flow Unwind all of the loops Convert into Single Static Assignment (SSA) Convert into equations Bit-blast Solve with a SAT Solver Convert SAT assignment into a counterexample © 2006 Carnegie Mellon University

15 CBMC: Bounded Model Checker for C A tool by D. Kroening/Oxford
goto-program C Program Static Analysis Parser equations SAFE UNSAT SAT solver CNF CNF-gen SAT UNSAFE + CEX CEX-gen CBMC

16 Example: Sufficient Loop Unwinding
Presentation Title 9/15/2018 Example: Sufficient Loop Unwinding void f(...) { j = 1 while (j <= 2) j = j + 1; Remainder; } void f(...) { j = 1 if(j <= 2) { j = j + 1; assert(!(j <= 2)); } Remainder; unwind = 3 assert(!(j <= 2)) unwinding assertion © 2006 Carnegie Mellon University

17 Example: Insufficient Loop Unwinding
Presentation Title 9/15/2018 Example: Insufficient Loop Unwinding void f(...) { j = 1 while (j <= 10) j = j + 1; Remainder; } void f(...) { j = 1 if(j <= 10) { j = j + 1; assert(!(j <= 10)); } Remainder; unwind = 3 © 2006 Carnegie Mellon University

18 Transforming Loop-Free Programs Into Equations (2)
Presentation Title 9/15/2018 Transforming Loop-Free Programs Into Equations (2) When a variable is assigned multiple times, use a new variable for the LHS of each assignment Program SSA Program x = x+y; x = x*2; a[i] = 100; x1 = x0+y0; x2 = x1*2; a1[i0] = 100; Single Static Assignment (SSA) © 2006 Carnegie Mellon University

19 What about conditionals?
Presentation Title 9/15/2018 What about conditionals? Program SSA Program if (v) x = y; else x = z; w = x; if (v0) x1 = y0; else x2 = z0 ; x3 = v0 ? x1 : x2; w1 = x3; For each join point, add new variables with selectors © 2006 Carnegie Mellon University

20 Example valid? ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3)
Presentation Title 9/15/2018 Example ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3)  (y4=7  y4=9) valid? © 2006 Carnegie Mellon University

21 Example Unsat? ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3)
Presentation Title 9/15/2018 Example ( y1 = 8 y2 = y1 – 1 y3 = y1 + 1 y4 = x0 ? y2 : y3) (y4=7  y4=9) Unsat? © 2006 Carnegie Mellon University

22 How does CBMC work Transform a program into a set of equations
Presentation Title 9/15/2018 How does CBMC work Transform a program into a set of equations Simplify control flow Unwind all of the loops Convert into Single Static Assignment (SSA) Convert into equations Bit-blast Solve with a SAT Solver Convert SAT assignment into a counterexample © 2006 Carnegie Mellon University

23 Efficient SAT solvers

24 The SAT Problem Given a propositional formula (v̅), is there a satisfying assignment A for v̅ An assignment is a function from v̅ to {true, false} A is a satisfying assignment if (A(v̅))=true A is called a solution for (v̅ ) A partial assignment assigns a subset of v̅

25 CNF representation of (v̅)
(v̅) is a conjunction of clauses: (v̅) = cl1  cl2  …  cln A clause is a disjunction of literals: cli=(lit1  …  litl) A literal is an atomic proposition or its negation Example: (a  c)  (b  c)  ( a  b  d ) A satisfies (v̅) iff A satisfies all its clauses

26 Example: (a  c)  (b  c)  ( a  b  d )
Satisfying assignments: A1 = (a=true, b=true, d=true, c=false) A2 = (c=true, a=false, b=true, d=false) CNF formulas Clause does not contain a, a No repetition of literals in clause CNF formulas can be represented as a set of sets of literals

27 Searching for a satisfying assignment
Inefficient way: check each one of the 2n assignments where | v̅ | = n The basis for efficient SAT solving: Davis, Putnam,Logeman, loveland (DPLL) 1960, 1962

28 First idea: Unit Clause
Given a propositional formula (v̅), and a partial assignment A A Unit Clause is a clause with exactly one unassigned literal, while all other literals are false Asserts the value of the unassigned variable a=1 is implied by b=1 and d=0 a = ? b = 1 d = 0 cl = (a  b  d) a = 1

29 Boolean Constraint Propagation (BCP)
BCP: For (v̅) and a partial assignment A, computes all possible implications Based on unit clauses Conflict: a variable gets both 0 and 1 under A

30 DPLL algorithm Start with an empty partial assignment A
If A is complete (no new decision to make), return (SAT, A) Otherwise, extend A with a decision: D=(variable, value) BCP: extend A with all implications of D If (no conflict) go to 2 If (conflict), apply backtracking: Let D=(v,b) be the last decision s.t. (v, !b) has not been checked yet Flip decision D: Remove (v,b), extend A with (v, !b) Undo all implications from D=(v,b) and from flips made after D Return to 4 If no decision to flip, return UNSAT

31 DPLL algorithm No unassigned variable – SAT
Termination No unassigned variable – SAT No decision variable to flip – UNSAT

32 (bc)  (ad)  (abc)  (ad)  (ace)
Decision 1: b=1 BCP: c=1 [ ]  (ad)  [ ]  (ad)  (ace) Decision 2: a=1 BCP: d=0 d=1 Conflict! -Backtrack

33 (bc)  (ad)  (abc)  (ad)  (ace)
Decision 1: b=1 BCP: c=1 [ ]  (ad)  [ ]  (ad)  (ace) Decision 2: a=0

34 (bc)  (ad)  (abc)  (ad)  (ace)
Decision 1: b=1 BCP: c=1 [ ]  [ ]  [ ]  [ ]  (ace) Decision 2: a=0 BCP: e=0 Partial satisfying assignment: b=1,c=1,a=0,e=0

35 Other solutions to the state-explosion problem
Small models replace the full, concrete model: Abstraction Compositional verification Partial order reduction Symmetry

Download ppt "Introduction to Software Verification"

Similar presentations

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.

Automated abstraction refinement II Heuristic aspects Ken McMillan Cadence Berkeley Labs.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Automated Theorem Proving

Automated Theorem Proving
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View SAT.

Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View SAT.
1/30 SAT Solver Changki PSWLAB SAT Solver Daniel Kroening, Ofer Strichman.

1/30 SAT Solver Changki PSWLAB SAT Solver Daniel Kroening, Ofer Strichman.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
ECE 667 Synthesis & Verification - SAT 1 ECE 667 ECE 667 Synthesis and Verification of Digital Systems Boolean SAT CNF Representation Slides adopted (with.

ECE 667 Synthesis & Verification - SAT 1 ECE 667 ECE 667 Synthesis and Verification of Digital Systems Boolean SAT CNF Representation Slides adopted (with.
SAT-based Bounded Model Checking

SAT-based Bounded Model Checking
Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.

Proof-based Abstraction Presented by Roman Gershman Ken McMillan, Nina Amla.
1 Boolean Satisfiability in Electronic Design Automation (EDA ) By Kunal P. Ganeshpure.

1 Boolean Satisfiability in Electronic Design Automation (EDA ) By Kunal P. Ganeshpure.
Heuristics for Efficient SAT Solving As implemented in GRASP, Chaff and GSAT.

Heuristics for Efficient SAT Solving As implemented in GRASP, Chaff and GSAT.
Presented by Ed Clarke Slides borrowed from P. Chauhan and C. Bartzis

Presented by Ed Clarke Slides borrowed from P. Chauhan and C. Bartzis
1 Quantified Formulas Acknowledgement: QBF slides borrowed from S. Malik.

1 Quantified Formulas Acknowledgement: QBF slides borrowed from S. Malik.

Similar presentations

Ads by Google