Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang

Published byMyron Hamilton Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang"— Presentation transcript:

1 Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang http://lcs.ios.ac.cn/~zwh

2 Contents Integer Square Root Model Checking Summary Compositional Reasoning

3 A Concrete Example of such a Software Take a number n Output a number m s2 s0 initialize start s1 Transformation in() isr(n,k), isk(n,k) Correctness Claim: The ouput is the integer square root of the input Correctness Claim: The ouput is the integer square root of the input Correctness Claim: (m*m)<=n; (m*m)+2*m+1>n Correctness Claim: (m*m)<=n; (m*m)+2*m+1>n

4 Example: Function main() #include /********************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /********************************************/ int main() { int n=0, m=0; int k=1; printf("INFO: system is now active\n"); while (1) { n=in(); m=isr(n,k); k=isk(n,k); printf("RESULT: %i\n\n",m); }

5 Example: Function in() int in() { char c=0; int k=0; while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (c '9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin); if (c=='\n') { return k; } if (c '9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (k<2) k=k*10+(c-'0'); else if (k==2&&c=='0') k=20; else { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input number must be in {0,...,20}\n\n"); continue; } c=getc(stdin); if (c!='\n') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } return k; }

6 Example: isr() and isk() int isr(int x,int k) { int y1=0; int y2=0; int y3=0; y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } return y1; } int isk(int n,int k) { if (k!=20) { if (k!=n) k=21; else if (k==19) k=0; else k=k+2; } else { k=21; } return k; }

7 Execution and Interaction #include /**************************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /**************************************************/ main(int argc, char **argv ) { int n=0,m=0; int k=1; printf("system is now active\n"); while (1) { n=in(); m=isr(n,k); k=isk(n,k); printf("RESULT: %i\n\n",m); } /**************************************************/ int isr(int y,int k) { int y1=0; int y2=0; int y3=0; int z=0; int x=y; y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } z=y1; return z; } /**************************************************/ int isk(int n,int k) { if (k!=20) { if (k!=n) k=21; else { if (k==19) k=0; else k=k+2; } } else { k=21; } return k; } /**************************************************/ int in() { char c; int k=0; while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); /* printf("%i\n",c); */ if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (c '9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin); if (c=='\n') { return k; } if (c '9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=k*10+(c-'0'); if (k>20) { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input number must be in {0,...,20}\n\n"); continue; } c=getc(stdin); if (c!='\n') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } return k; } /**************************************************/ [zwh@panda 2013cp]$./isr1a INFO: system is now active N: 1 RESULT: 1 N: 23 INFO: the input number must be in {0,...,20} N: 19 RESULT: 4 N: ad INFO: the input must be 1 or 2 digits N: 9 RESULT: 3 N:

8 Program Correctness It looks that the correctness claim holds, according to the sample executions. Question: Does the claim holds for all input sequences? In fact, there is an error when the input sequence is: 1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4 In fact, there is an error when the input sequence is: 1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4 The input history may affect the behavior of the software, and it may cause errors in certain cases

9 Program Correctness Question: Is the claim correct? Use model checking!

10 Contents Integer Square Root Model Checking Summary Compositional Reasoning

11 Modeling and Model Checking Model Checking with VERDS – http://lcs.ios.ac.cn/~zwh/verds http://lcs.ios.ac.cn/~zwh/verds Input to VERDS – VVM (VERDS verification model) Modeling Language – VML (VERDS modeling langauge)

12 Verification Process C Program Model Automatic Translator Automatic Translator VERDS Model Checker VERDS Model Checker Properties

13 (at line 17): ((m*m) n) Correctness Claim (isr1a.sp)

14 Model Checking./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667. bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files... CONCLUSION: FALSE (time=3156) [zwh@panda 2013cp]$../verds -c isr1a.c -sp isr1a.sp VERSION: verds 1.43 - JAN 2013 FILE: isr1a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 326 ---------- time = 326 bound = 1 time = 326 ---------- time = 326. bound =105 time = 675 ---------- time = 675 The property is false, preparing files... CONCLUSION: FALSE (time=3985 sec)

15 Verification Process C Program Model Automatic Translator Automatic Translator VERDS Model Checker VERDS Model Checker Properties Negative Conclusion Negative Conclusion Error Trace

16 Error Trace (isr1a.cex) --- STATE 0 --- n =0 m =0 k =1 pc =0 --- TRANS 1 --- --- STATE 1 --- n =0 m =0 k =1 pc =1 --- TRANS 2 --- --- STATE 2 --- n =0 m =0 k =1 pc =2 --- TRANS 3 --- --- STATE 3 --- n =1 m =0 k =1 pc =3 … --- STATE 102 --- n =18 m =4 k =20 pc =2 --- TRANS 3 --- --- STATE 103 --- n =4 m =4 k =20 pc =3 --- TRANS 4 --- --- STATE 104 --- n =4 m =1 k =20 pc =4 --- TRANS 5 --- --- STATE 105 --- n =4 m =1 k =21 pc =5

17 Analysis of the Error Trace An error occurred with the following sequence of inputs: 1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4 Confirmation of the error by testing Correction to the program is made

18 Correction: Function main() #include /********************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /********************************************/ int main() { int n=0, m=0; int k=1; printf("INFO: system is now active\n"); while (1) { n=in(); k=isk(n,k); m=isr(n,k); printf("RESULT: %i\n\n",m); }

19 Verification of the Corrected One./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667. bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files... CONCLUSION: FALSE (time=3156) [zwh@panda 2013cp]$../verds -c isr2a.c -sp isr1a.sp VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 276 ---------- time = 276 bound = 1 time = 276 ---------- time = 276. bound =105 time = 607 ---------- time = 607 CONCLUSION: TRUE (time=607 sec)

20 Verification of the Corrected One C Program Model Automatic Translator Automatic Translator VERDS Model Checker VERDS Model Checker Positive Conclusion Positive Conclusion Properties

21 Contents Integer Square Root Model Checking Summary Compositional Reasoning

22 Verification Times Number of called functionsVerification Time (sec) 3 607

23 Use of Assumption-Guarantee Each function is augmented with a pair of assumption- guarantee as follows (isr2a.fsp): FUNCTION z=isk(x,y) ASSUMPTION 0<=x&&x<=20; GUARANTEE (!(z==20)||x=18); FUNCTION z=in() ASSUMPTION TRUE; GUARANTEE 0<=z&&z<=20;

24 Verification Process (A/G) C Program Model Automatic Translator Automatic Translator VERDS Model Checker VERDS Model Checker Properties A/G Specification A/G Specification

25 Verification Subgoals../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp../verds -ck in -Dint=i5 isr2a.vvm../verds -ck isk -Dint=i5 isr2a.vvm 102 verification subgoals, one for main(), and one for each of the functions.

26 Verification of the Corrected One./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667. bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files... CONCLUSION: FALSE (time=3156) [zwh@panda 2013cp]$../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 75 ---------- time = 75 bound = 1 time = 75 ---------- time = 75 bound = 2 time = 75 ---------- time = 75. bound = 11 time = 82 ---------- time = 82 CONCLUSION: TRUE (time=82 sec)

27 Verification of the Corrected One./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667. bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files... CONCLUSION: FALSE (time=3156) [zwh@panda 2013cp]$../verds -Dint=i5 -ck in isr2a.vvm VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm bound = 0 time = 31 ---------- time = 31 bound = 1 time = 31 ---------- time = 31 INFO: A/G=1 CONCLUSION: TRUE (time=34 sec)

28 Verification of the Corrected One./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667. bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files... CONCLUSION: FALSE (time=3156) [zwh@panda 2013cp]$../verds -Dint=i5 -ck isk isr2a.vvm VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm bound = 0 time = 32 ---------- time = 32 bound = 1 time = 32 ---------- time = 32 INFO: A/G=1 CONCLUSION: TRUE (time=37 sec)

29 Verification Times Verification SubgoalVerification Time (sec) main() with A/G82 in()34 isk()37 Sum153 Original task with model checking time = 607 seconds 3 tasks with model checking time < 100 for each Original task with model checking time = 607 seconds 3 tasks with model checking time < 100 for each

30 Contents Integer Square Root Model Checking Summary Compositional Reasoning

31 Questions?

Download ppt "Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang"

Similar presentations

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
并发模型的验证 ( 例子 ). 2 互斥协议模型:示意图 x==0||t==0 t0 x=1,t=0 t1 t2 y==0||t==1 t3 x=0 s0 y=1,t=1 s1 s2 s3 y=0 初始状态 s0 t0 x=0 y=0 t=0.

并发模型的验证 ( 例子 ). 2 互斥协议模型:示意图 x==0||t==0 t0 x=1,t=0 t1 t2 y==0||t==1 t3 x=0 s0 y=1,t=1 s1 s2 s3 y=0 初始状态 s0 t0 x=0 y=0 t=0.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Expressions and Statements. 2 Contents Side effects: expressions and statements Expression notations Expression evaluation orders Conditional statements.

Expressions and Statements. 2 Contents Side effects: expressions and statements Expression notations Expression evaluation orders Conditional statements.
1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.

1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.

Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.
FIT1002 2006 1 FIT1002 Computer Programming Unit 19 Testing and Debugging.

FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
Expanding Predefined Types Karl Schnaitter November 30, 2004.

Expanding Predefined Types Karl Schnaitter November 30, 2004.
CS1 Lesson 3 Expressions and Interactivity CS1 -- John Cole1.

CS1 Lesson 3 Expressions and Interactivity CS1 -- John Cole1.
Luca de Alfaro Thomas A. Henzinger Ranjit Jhala UC Berkeley Compositional Methods for Probabilistic Systems.

Luca de Alfaro Thomas A. Henzinger Ranjit Jhala UC Berkeley Compositional Methods for Probabilistic Systems.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
1 Module 12 Computation and Configurations –Formal Definition –Important Terms –Examples.

1 Module 12 Computation and Configurations –Formal Definition –Important Terms –Examples.
Modeling Software Systems Lecture 2 Book: Chapter 4.

Modeling Software Systems Lecture 2 Book: Chapter 4.
Module 12 Computation and Configurations Formal Definition Examples.

Module 12 Computation and Configurations Formal Definition Examples.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.

Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.

MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.

Similar presentations

Ads by Google