Automated Software Analysis Andreas Podelski University of Freiburg - - PowerPoint PPT Presentation

Automated Software Analysis

Andreas Podelski University of Freiburg Germany

1 Dienstag, 12. Juli 16

• new paradigm for automatic verification
• given a program P,

learn a set of correct programs P1 , ... , Pn check whether every behavior of P is covered: P ⊆ P1 ⋃ ... ⋃ Pn

• program = automaton,

check = inclusion between automata

• safety and liveness for

sequential/concurrent/parametrized programs

2 Dienstag, 12. Juli 16

program P P is correct P is incorrect AP ⊆ A1 ∪ · · · ∪ An ? w ∈ Σ∗\CORRECT ? no take w such that w ∈ AP\A1 ∪ · · · ∪ An yes construct An+1 such that

• 1. w ∈ An+1
• 2. An+1 ⊆ Σ∗\CORRECT

yes no

w infeasible?

{ infeasible traces }

3 Dienstag, 12. Juli 16

Home Video Themen Forum English DER SPIEGEL SPIEGEL TV Abo Shop

Schlagzeilen Wetter TV-Programm mehr ▼

WIRTSCHAFT

Suche Kurse Login | Registrierung

Politik Wirtschaft Panorama Sport Kultur Netzwelt Wissenschaft Gesundheit einestages Karriere Uni Reise Auto Stil

Nachrichten > Wirtschaft > Staat & Soziales > Abgasaffäre bei Volkswagen > Bosch weist Mitschuld an VW-Abgasaffäre von sich

VW-Abgas-Affäre: Bosch weist Mitschuld von sich

Die Technik für die umstrittenen Dieselmodelle in der VW-Abgas-Affäre lieferte Bosch. Doch an der Manipulation will das Unternehmen nicht beteiligt gewesen sein: Die Verantwortung liege allein beim Autobauer.

4 Dienstag, 12. Juli 16

global int len; // length of array global int array(len) : tasks; // array of tasks global int next; // position of next available task block global lock m; // lock protecting next thread T: local int : c; // position of current task local int : end; // position of last task in acquired block // acquire block of tasks 1 lock(m); 2 if(next + 10 <= len) 3 { c := next; next := next + 10; end := next; } 4 else 5 { c := next; next := next + 10; end := len; } 6 unlock(m); // perform block of tasks 7 while (c < end): 8 tasks[c] := 0; // mark task c as started . . . // work on the task c 9 tasks[c] := 1; // mark task c as finished 10 assert(tasks[c] == 1); // no other thread has started task c 11 c := c + 1;

5 Dienstag, 12. Juli 16

thread T: local int : c; // position of current task local int : end; // position of last task in acquired block // acquire block of tasks 1 lock(m); 2 if(next + 10 <= len) 3 { c := next; next := next + 10; end := next; } 4 else 5 { c := next; next := next + 10; end := len; } 6 unlock(m);

c(1) end(1) c(2) end(2) c(35) end(35) len next

. . . . . .

c(3) end(34) threads have acquired block of tasks have not yet started working 1, 2, . . . , 35

6 Dienstag, 12. Juli 16

global int len; // length of array global int array(len) : tasks; // array of tasks global int next; // position of next available task block global lock m; // lock protecting next thread T: local int : c; // position of current task local int : end; // position of last task in acquired block // acquire block of tasks 1 lock(m); 2 if(next + 10 <= len) 3 { c := next; next := next + 10; end := next; } 4 else 5 { c := next; next := next + 10; end := len; } 6 unlock(m); // perform block of tasks 7 while (c < end): 8 tasks[c] := 0; // mark task c as started . . . // work on the task c 9 tasks[c] := 1; // mark task c as finished 10 assert(tasks[c] == 1); // no other thread has started task c 11 c := c + 1;

7 Dienstag, 12. Juli 16

Next ...

• learn correct programs from unsatisfiability proofs
• learn correct programs from Hoare triples

8 Dienstag, 12. Juli 16

• learn correct programs from unsatisfiability proofs
• learn correct programs from Hoare triples

9 Dienstag, 12. Juli 16

`0: assume p != 0; `1: while(n >= 0) { `2:

assert p != 0; if(n == 0)

{ `3:

p := 0;

} `4:

n--;

}

correct?

10 Dienstag, 12. Juli 16

`0: assume p != 0; `1: while(n >= 0) { `2:

assert p != 0; if(n == 0)

{ `3:

p := 0;

} `4:

n--;

} `0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

`5:

11 Dienstag, 12. Juli 16

`0: assume p != 0; `1: while(n >= 0) { `2:

assert p != 0; if(n == 0)

{ `3:

p := 0;

} `4:

n--;

} `0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

`5:

12 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

automaton

alphabet: {statements}

13 Dienstag, 12. Juli 16

`0: assume p != 0; `1: while(n >= 0) { `2:

assert p != 0; if(n == 0)

{ `3:

p := 0;

} `4:

n--;

} `0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

no execution violates assertion = no execution reaches error location

`5:

14 Dienstag, 12. Juli 16

validity of assert statement non-reachability of error location validity of safety property validity of invariant infeasibility of control flow traces partial correctness partial correctness for pre/postcondition (true, false) all inter-reducible:

15 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

(p != 0) (n >= 0) (p == 0)

16 Dienstag, 12. Juli 16

infeasible trace

x := 1 ; x == -1 ; x == 1 ; x == -1 ;

unsatisfiable formula

x0 = 1 ∧ x0 = −1 x = 1 ∧ x = −1

17 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

(p != 0) (n >= 0) (p == 0) (p != 0) (p==0)

18 Dienstag, 12. Juli 16

(p != 0) (p==0)

19 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

(p != 0) (p==0)

20 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

(p != 0) (p==0)

21 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

(p != 0) (p==0)

22 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

(p != 0) (p==0)

23 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

all error traces of program have the same proof as sample trace (same unsatisfiable core of unsatisfiability proof)

correct program (error location is not reachable) (p != 0) (n >= 0) (p == 0)

24 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0 q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 }

?

⊆

does a proof exist for every error trace ?

25 Dienstag, 12. Juli 16

program P P is correct P is incorrect AP ⊆ A1 ∪ · · · ∪ An ? w ∈ Σ∗\CORRECT ? no take w such that w ∈ AP\A1 ∪ · · · ∪ An yes construct An+1 such that

• 1. w ∈ An+1
• 2. An+1 ⊆ Σ∗\CORRECT

yes no

w infeasible?

{ infeasible traces }

26 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

new trace:

27 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

(p != 0) (n >= 0) (n == 0) (p := 0) (n--) (n >= 0) (p == 0)

new trace:

27 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

(n == 0) (n--) (n >= 0)

28 Dienstag, 12. Juli 16

`0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

(p != 0) (n >= 0) (n == 0) (p := 0) (n--) (n >= 0) (p == 0) (n == 0) (n--) (n >= 0)

28 Dienstag, 12. Juli 16

(n == 0) (n--) (n >= 0)

29 Dienstag, 12. Juli 16

p0 p1 p2 p3 n == 0 n-- n >= 0 Σ Σ\{ n-- } Σ\{ n-- } Σ

(n == 0) (n--) (n >= 0)

30 Dienstag, 12. Juli 16

p0 p1 p2 p3 n == 0 n-- n >= 0 Σ Σ\{ n-- } Σ\{ n-- } Σ

(n == 0) (n--) (n >= 0)

31 Dienstag, 12. Juli 16

p0 p1 p2 p3 n == 0 n-- n >= 0 Σ Σ\{ n-- } Σ\{ n-- } Σ

program constructed from unsatisfiability proof all traces with the same unsatisfiability proof

32 Dienstag, 12. Juli 16

p0 p1 p2 p3 n == 0 n-- n >= 0 Σ Σ\{ n-- } Σ\{ n-- } Σ

program constructed from unsatisfiability proof all traces with the same unsatisfiability proof (p != 0) (n >= 0) (n == 0) (p := 0) (n--) (n >= 0) (p == 0)

32 Dienstag, 12. Juli 16

q0 q1 q2 Σ Σ p != 0 p == 0 Σ\{ p := 0 } p0 p1 p2 p3 n == 0 n-- n >= 0 Σ Σ\{ n-- } Σ\{ n-- } Σ `0 `1 `2 `3 `4 `5 `err p != 0 n >= 0 n == 0 p := 0 n != 0 p == 0 n-- n < 0

⋃

?

⊆

does a proof exist for every trace ?

33 Dienstag, 12. Juli 16

program P P is correct P is incorrect AP ⊆ A1 ∪ · · · ∪ An ? w ∈ Σ∗\CORRECT ? no take w such that w ∈ AP\A1 ∪ · · · ∪ An yes construct An+1 such that

• 1. w ∈ An+1
• 2. An+1 ⊆ Σ∗\CORRECT

yes no

w infeasible?

{ infeasible traces }

34 Dienstag, 12. Juli 16

previous example: automata from unsatisfiable core (for proof of infeasibility of error trace) add self-loop for each irrelevant statement

(does not modify variables in unsatisfiable core)

35 Dienstag, 12. Juli 16

automata constructed from unsatisfiable core are not sufficient in general (verification algorithm not complete)

36 Dienstag, 12. Juli 16

• learn correct programs from unsatisfiability proofs
• learn correct programs from Hoare triples

37 Dienstag, 12. Juli 16

• learn correct programs from unsatisfiability proofs
• learn correct programs from Hoare triples

38 Dienstag, 12. Juli 16

`0: x := 0; `1: y := 0; `2: while(nondet) {x++;} assert(x != -1); assert(y != -1); `0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

39 Dienstag, 12. Juli 16

q0 q1 q2 x:=0 y:=0 x++ y==-1 q0 q1 q2 x:=0 y:=0 x++ x==-1

all behaviors of program P covered by two programs below:

`0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

program P :

40 Dienstag, 12. Juli 16

{ true } x:=0 {x ≥ {x ≥ 0} y:=0 {x ≥ {x ≥ 0} x++ {x ≥ {x ≥ 0} x==-1 { false

`0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

41 Dienstag, 12. Juli 16

{ true } x:=0 {x ≥ {x ≥ 0} y:=0 {x ≥ {x ≥ 0} x++ {x ≥ {x ≥ 0} x==-1 { false

`0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

unsatisfiable core of unsatisfiability proof uses variable X => program constructed from unsatisfiability proof has no self-loop with statement X++ in

42 Dienstag, 12. Juli 16

{ true } x:=0 {x ≥ 0} {x ≥ 0} y:=0 {x ≥ 0} {x ≥ 0} x++ {x ≥ 0} {x ≥ 0} x==-1 { false }

Hoare triples proving infeasibility :

infeasibility ⇔ pre/postcondition pair (true, false)

43 Dienstag, 12. Juli 16

{ true } x:=0 {x ≥ 0} {x ≥ 0} y:=0 {x ≥ 0} {x ≥ 0} x++ {x ≥ 0} {x ≥ 0} x==-1 { false }

q0 q1 q2 x:=0 y:=0 x++ x==-1

Hoare triples ⟼ correct program

⟼

44 Dienstag, 12. Juli 16

correct program construction of correct program from Floyd-Hoare proof

• f infeasibility of trace

(remember: infeasibility ⇔ postcondition false)

control flow graph has one node for each assertion,

• ne edge for each Hoare triple

(“transition back” = loop, in general not self-loop)

45 Dienstag, 12. Juli 16

{ true } x:=0 {x ≥ 0} {x ≥ 0} y:=0 {x ≥ 0} {x ≥ 0} x++ {x ≥ 0} {x ≥ 0} x==-1 { false }

q0 q1 q2 x:=0 y:=0 x++ x==-1

Hoare triples ⟼ automaton

sequencing of Hoare triples run of automaton ⟼ ⟼

46 Dienstag, 12. Juli 16

q0 q1 q2 x:=0 y:=0 x++ y==-1 q0 q1 q2 x:=0 y:=0 x++ x==-1

all behaviors of program P covered by two programs below:

`0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

program P :

47 Dienstag, 12. Juli 16

q0 q1 q2 x:=0 y:=0 x++ y==-1 q0 q1 q2 x:=0 y:=0 x++ x==-1 `0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

., Pex2 ⊆ A1 ∪ A2.

covering check = automata inclusion check

48 Dienstag, 12. Juli 16

{ true } x:=0 { true { true } y:=0 {y {y = 0} x++ {y {y = 0} y==-1 { fa

second trace

`0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

49 Dienstag, 12. Juli 16

automaton from unsatisfiability core

• f infeasibility proof for second trace

} } } }

q0 q1 q2 x:=0 y:=0 x++ y==-1

50 Dienstag, 12. Juli 16

{ true } x:=0 { true } { true } y:=0 {y = 0} {y = 0} x++ {y = 0} {y = 0} y==-1 { false }

Hoare proof for infeasibility of second trace

51 Dienstag, 12. Juli 16

{ true } x:=0 { true } { true } y:=0 {y = 0} {y = 0} x++ {y = 0} {y = 0} y==-1 { false }

q0 q1 q2 x:=0 y:=0 x++ y==-1

automaton from Hoare proof for infeasibility of second trace

52 Dienstag, 12. Juli 16

automaton from unsatisfiable core is a special case of automaton from Hoare triples proof for infeasibility of trace ⇒ Hoare triples/assertions exist “loop invariant: any assertion will do”

• f proof for infeasibility of trace

53 Dienstag, 12. Juli 16

q0 q1 q2 x:=0 y:=0 x++ y==-1 q0 q1 q2 x:=0 y:=0 x++ x==-1 `0 `1 `2 `err x:=0 y:=0 x++ x==-1 y==-1

., Pex2 ⊆ A1 ∪ A2.

correct programs, constructed by Hoare proof or by unsatisfiability proof, sufficient if inclusion check succeeds

54 Dienstag, 12. Juli 16

program P P is correct P is incorrect AP ⊆ A1 ∪ · · · ∪ An ? w ∈ Σ∗\CORRECT ? no take w such that w ∈ AP\A1 ∪ · · · ∪ An yes construct An+1 such that

• 1. w ∈ An+1
• 2. An+1 ⊆ Σ∗\CORRECT

yes no

55 Dienstag, 12. Juli 16