CBMC: Bounded Model Checking for ANSI-C


Slide 1: Outline
CBMC: Bounded Model Checking for ANSI-C, Version 1.0, 2010 (http://www.cprover.org/)
◮ Preliminaries
◮ BMC Basics
◮ Completeness
◮ Solving the Decision Problem

Slide 2: Preliminaries
◮ We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java
◮ As the first step, we transform the program into a control flow graph (CFG)
[Figure: C/C++ source → parse → parse tree → CFG; this is the frontend]

Slide 3: Example: SHS
    if ( (0 <= t) && (t <= 79) )
      switch ( t / 20 ) {
        case 0: TEMP2 = ( (B AND C) OR (~B AND D) ); TEMP3 = ( K_1 ); break;
        case 1: TEMP2 = ( (B XOR C XOR D) ); TEMP3 = ( K_2 ); break;
        case 2: TEMP2 = ( (B AND C) OR (B AND D) OR (C AND D) ); TEMP3 = ( K_3 ); break;
        case 3: TEMP2 = ( B XOR C XOR D ); TEMP3 = ( K_4 ); break;
        default: assert(0);
      }

Slide 4: The CFG of the example
[Figure: CFG with the nodes if (0 ≤ t ≤ 79), switch, case 0, case 1, case 2, case 3 and default; the switch edges are labelled t/20 = 0, 1, 2, 3, the fall-through edges t/20 ≠ 0, t/20 ≠ 1, t/20 ≠ 2, t/20 ≠ 3]

Slide 5: Bounded Program Analysis
Goal: check properties of the form AG p, say assertions.
Idea: follow paths through the CFG to an assertion, and build a formula that corresponds to the path.

Slide 6: Example
[Figure: the CFG of slide 4 with the path through case 1 highlighted]
The formula for that path:
    0 ≤ t ≤ 79 ∧ t/20 ≠ 0 ∧ t/20 = 1 ∧ TEMP2 = B ⊕ C ⊕ D ∧ TEMP3 = K_2

Slide 7: Example
We pass
    0 ≤ t ≤ 79 ∧ t/20 ≠ 0 ∧ t/20 = 1 ∧ TEMP2 = B ⊕ C ⊕ D ∧ TEMP3 = K_2
to a decision procedure, and obtain a satisfying assignment, say:
    t ↦ 21, B ↦ 0, C ↦ 0, D ↦ 0, K_2 ↦ 10, TEMP2 ↦ 0, TEMP3 ↦ 10
✔ It provides the values of any inputs on the path.

Slide 8: Which Decision Procedures?
◮ We need a decision procedure for an appropriate logic
  ◮ Bit-vector logic (incl. non-linear arithmetic)
  ◮ Arrays
◮ Higher-level programming languages also feature lists, sets, and maps
◮ Examples
  ◮ Z3 (Microsoft)
  ◮ Yices (SRI)
  ◮ Boolector

Slide 9: Enabling Technology: SAT
◮ Propositional SAT solvers have made enormous progress in the last 10 years
◮ Further scalability improvements in recent years because of efficient word-level reasoning and array decision procedures

Slide 10: Enabling Technology: SAT
[Figure: number of variables of a typical, practical SAT instance that can be solved by the best solvers in that decade; y-axis ticks 10, 100, 1,000, 10,000, 100,000, 1,000,000 variables, x-axis 1960 to 2010]

Slide 11: Let’s Look at Another Path
[Figure: the CFG of slide 4 with the path to the default branch highlighted]
The formula for that path:
    0 ≤ t ≤ 79 ∧ t/20 ≠ 0 ∧ t/20 ≠ 1 ∧ t/20 ≠ 2 ∧ t/20 ≠ 3
That is UNSAT, so the assertion is unreachable.

Slide 12: What If a Variable is Assigned Twice?
Rename appropriately:
    x=0;          x_1 = 0
    if (y>=0)     ∧ y_0 ≥ 0
      x++;        ∧ x_1 = x_0 + 1
This is a special case of SSA (static single assignment).
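The two path formulas above (case 1, which is SAT, and the default branch, which is UNSAT) and the SSA renaming of slide 12 can be reproduced with a small path-to-formula translator. This is an added example, not code from the deck or from CBMC: paths are written by hand as assume/assign steps (the representation is an assumption of this example), conditions use Python syntax (C’s integer division `t/20` is written `//`, XOR is `^`), and a brute-force enumeration over a small finite domain stands in for the SAT/SMT solver that CBMC would call. Version numbers start at 0 for unassigned inputs and go up by one per assignment, so the second assignment to `x` becomes `x_2`.

```python
import itertools
import re

# Python keywords that may appear in a condition and must not be renamed
_RESERVED = {"and", "or", "not", "True", "False"}
_IDENT = re.compile(r"[A-Za-z_]\w*")


def to_ssa(path):
    """Translate one CFG path into a list of SSA conjuncts (strings).

    path is a list of ("assume", cond) or ("assign", var, expr) tuples: the
    branch conditions taken and the assignments executed along the path.
    Every identifier is renamed to name_version; a read uses the current
    version (0 for inputs never assigned), an assignment creates a fresh one.
    """
    version = {}

    def rename(expr):
        return _IDENT.sub(
            lambda m: m.group(0) if m.group(0) in _RESERVED
            else f"{m.group(0)}_{version.get(m.group(0), 0)}", expr)

    conjuncts = []
    for stmt in path:
        if stmt[0] == "assume":
            conjuncts.append(rename(stmt[1]))
        else:
            _, var, expr = stmt
            rhs = rename(expr)                 # right-hand side sees the old versions
            version[var] = version.get(var, 0) + 1
            conjuncts.append(f"{var}_{version[var]} == {rhs}")
    return conjuncts


_DEFINITION = re.compile(r"^([A-Za-z_]\w*) == (.*)$")


def solve(conjuncts, inputs, domain):
    """Brute-force stand-in for the decision procedure (CBMC hands the formula to
    a SAT/SMT solver instead).  Enumerates the version-0 input variables over a
    finite domain; a conjunct 'v == e' whose v is still unbound defines v, every
    other conjunct is checked.  Returns the first satisfying assignment, or None
    when the formula is UNSAT over that domain."""
    for values in itertools.product(*(domain[v] for v in inputs)):
        env = {f"{v}_0": val for v, val in zip(inputs, values)}
        for c in conjuncts:
            m = _DEFINITION.match(c)
            if m and m.group(1) not in env:
                env[m.group(1)] = eval(m.group(2), {"__builtins__": {}}, env)
            elif not eval(c, {"__builtins__": {}}, env):
                break
        else:
            return env
    return None


# Constructed from the deck's SHS example.  The path assumes t >= 0 first, so the
# sign difference between C's and Python's division for negative t never matters.
CASE_1_PATH = [
    ("assume", "0 <= t and t <= 79"),
    ("assume", "t // 20 != 0"),
    ("assume", "t // 20 == 1"),
    ("assign", "TEMP2", "B ^ C ^ D"),
    ("assign", "TEMP3", "K2"),
]
DEFAULT_PATH = [
    ("assume", "0 <= t and t <= 79"),
    ("assume", "t // 20 != 0"),
    ("assume", "t // 20 != 1"),
    ("assume", "t // 20 != 2"),
    ("assume", "t // 20 != 3"),
]
INPUTS = ["t", "B", "C", "D", "K2"]
# Constructed domain, deliberately wider than 0..79 so the first assume does real work.
DOMAIN = {"t": range(-10, 100), "B": (0, 1), "C": (0, 1), "D": (0, 1), "K2": range(16)}


def case_1_model():
    """A satisfying assignment for the case-1 path: the inputs that drive execution there."""
    return solve(to_ssa(CASE_1_PATH), INPUTS, DOMAIN)


def default_model():
    """None: no input reaches the default branch, so assert(0) is unreachable."""
    return solve(to_ssa(DEFAULT_PATH), INPUTS, DOMAIN)


if __name__ == "__main__":
    print(to_ssa([("assign", "x", "0"), ("assume", "y >= 0"), ("assign", "x", "x + 1")]))
    print(to_ssa(CASE_1_PATH))
    print(case_1_model())
    print(default_model())
```

The enumeration is only viable because the domain is tiny; the point of the deck is that a real solver finds such an assignment for bit-vector formulas without enumerating anything. The definitional treatment of `v == e` works because every SSA assignment introduces a fresh left-hand side, which is exactly what the renaming guarantees.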

Slide 13: Pointers
How do we handle dereferencing in the program?
    L1  int *p;
    L2  p = malloc(sizeof(int) * 5);
    L3  p[1] = 100;
    L4
yields
    p_1 = &DO1
    ∧ DO1_1 = (λi. … i = 1 ? 100 : DO1_0[i])
Track a ‘may-point-to’ abstract state while simulating!

Slide 14: Scalability of Path Search
Let’s consider the following CFG:
[Figure: a loop whose body contains an if]
This is a loop with an if inside.
Q: how many paths for n iterations?

Slide 15: Bounded Model Checking
◮ Bounded Model Checking (BMC) is the most successful formal validation technique in the hardware industry
◮ Advantages:
  ✔ Fully automatic
  ✔ Robust
  ✔ Lots of subtle bugs found
◮ Idea: only look for bugs up to specific depth
◮ Good for many applications, e.g., embedded systems

Slide 16: Transition Systems
Definition: A transition system is a triple (S, S_0, T) with
◮ a set of states S,
◮ a set of initial states S_0 ⊂ S, and
◮ a transition relation T ⊂ (S × S).
The set S_0 and the relation T can be written as their characteristic functions.

Slide 17: Unwinding a Transition System
Q: How do we avoid the exponential path explosion?
We just “concatenate” the transition relation T:
    s_0 –T→ s_1 –T→ s_2 –T→ … –T→ s_{k−1} –T→ s_k
i.e. S_0 ∧ T ∧ T ∧ … ∧ T

Slide 18: Unwinding a Transition System
As formula:
    S_0(s_0) ∧ ⋀_{i=0}^{k−1} T(s_i, s_{i+1})
Satisfying assignments for this formula are traces through the transition system.

Slide 19: Example
    T ⊆ ℕ_0 × ℕ_0
    T(s, s′) ⟺ s′.x = s.x + 1
and let
    S_0(s) ⟺ s.x = 0 ∨ s.x = 1
An unwinding for depth 4:
    (s_0.x = 0 ∨ s_0.x = 1)
    ∧ s_1.x = s_0.x + 1
    ∧ s_2.x = s_1.x + 1
    ∧ s_3.x = s_2.x + 1
    ∧ s_4.x = s_3.x + 1

Slide 20: Checking Reachability Properties
Suppose we want to check a property of the form AG p.
We then want at least one state s_i to satisfy ¬p:
    S_0(s_0) ∧ ⋀_{i=0}^{k−1} T(s_i, s_{i+1}) ∧ ⋁_{i=0}^{k} ¬p(s_i)
Satisfying assignments are counterexamples for the AG p property.

Slide 21: Unwinding Software
We can do exactly that for our transition relation for software.
E.g., for a program with 5 locations, 6 unwindings:
[Figure: a grid with timeframes #0 to #6 as rows and locations L1 to L5 as columns]

Slide 22: Unwinding Software
Problem: obviously, most of the formula is never ‘used’, as only few sequences of PCs correspond to a path.

Slide 23: Unwinding Software
Optimization: don’t generate the parts of the formula that are not ‘reachable’
[Figure: the #0–#6 × L1–L5 grid with only the reachable (timeframe, location) pairs kept]

Slide 24: Unwinding Software
Example:
[Figure: a CFG over L1–L5 next to its unrolling over timeframes #0–#6 with only the reachable locations per timeframe kept]
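Slides 19 and 20 can be made concrete with the counter system from the deck. The following is an added example, not the deck’s or CBMC’s code: `unwind_formula` and `reachability_formula` render the two formulas as on the slides, and `bmc` checks AG p up to depth k by enumerating the traces that satisfy the unwinding, which is the naive baseline the formula-based approach replaces. The property `x < 5` and the dictionary representation of states are assumptions of this example; the deck’s slides state S_0 and T but no particular p.

```python
def unwind_formula(k):
    """Depth-k unwinding of the deck's counter system, rendered as on slide 19:
    S_0(s_0) ∧ T(s_0, s_1) ∧ … ∧ T(s_{k-1}, s_k) with
    S_0(s) ⟺ s.x = 0 ∨ s.x = 1 and T(s, s') ⟺ s'.x = s.x + 1."""
    parts = ["(s_0.x = 0 ∨ s_0.x = 1)"]
    parts += [f"s_{i + 1}.x = s_{i}.x + 1" for i in range(k)]
    return " ∧ ".join(parts)


def reachability_formula(k, neg_p):
    """Slide 20's check: the unwinding conjoined with ¬p(s_0) ∨ … ∨ ¬p(s_k).
    neg_p is a format string with one %d for the state index, e.g. 's_%d.x ≥ 5'."""
    return unwind_formula(k) + " ∧ (" + " ∨ ".join(neg_p % i for i in range(k + 1)) + ")"


def bmc(initial_states, successors, p, k):
    """Bounded check of AG p by enumerating every trace of the unwinding up to depth k.

    initial_states: the states satisfying S_0; successors(s): the states s' with
    T(s, s'); p(s): the property.  Returns a counterexample trace [s_0, …, s_i]
    with ¬p(s_i), or None.  None means no trace of length ≤ k violates p, NOT that
    AG p holds: a longer trace might, which is the incompleteness the deck points
    out.  This enumeration is exponential in k for a branching T; the formula
    above is what lets a solver avoid that explosion.
    """
    frontier = [[s] for s in initial_states]
    for depth in range(k + 1):
        extended = []
        for trace in frontier:
            if not p(trace[-1]):
                return trace
            if depth < k:
                extended.extend(trace + [s2] for s2 in successors(trace[-1]))
        frontier = extended
    return None


# The deck's example system: a state is a dict holding the single counter x.
COUNTER_INIT = [{"x": 0}, {"x": 1}]           # S_0(s) ⟺ s.x = 0 ∨ s.x = 1


def counter_step(s):                           # T(s, s') ⟺ s'.x = s.x + 1
    return [{"x": s["x"] + 1}]


def x_below_5(s):                              # p(s): constructed for this example
    return s["x"] < 5


def counter_counterexample(k):
    """Shortest trace reaching x = 5 within k steps, or None if k is too small."""
    return bmc(COUNTER_INIT, counter_step, x_below_5, k)


if __name__ == "__main__":
    print(unwind_formula(4))
    print(reachability_formula(4, "s_%d.x ≥ 5"))
    print(counter_counterexample(4))   # x = 1, 2, 3, 4, 5 violates p at s_4
    print(counter_counterexample(3))   # None: bound too small, nothing proved
```

With k = 4 the trace starting at x = 1 reaches x = 5 and is returned as the counterexample; with k = 3 the search comes back empty, and the only sound conclusion is that no violation exists within three steps, which is exactly the gap slide 30 raises.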

Slide 25: Unwinding Software
Problem:
◮ Unwinding T with bound k results in a formula of size |T| · k
◮ If we assume a k that is only linear in |T|, we get a formula with size O(|T|²)
◮ Can we do better?

Slide 26: Unwinding Software
[Figure: a CFG over L1–L5 next to its unrolling over timeframes #0–#6]

Slide 27: Unrolling Loops
Idea: do exactly one location in each timeframe:
    #0 L1
    #1 L2
    #2 L3
    #3 L2
    #4 L3
    #5 L4
    #6 L5
[Figure: the CFG over L1–L5, with a loop between L2 and L3, next to this unrolling]

Slide 28: Unrolling Loops
✔ More effective use of the formula size
✔ Graph has fewer merge nodes, the formula is easier for the solvers
✘ Not all paths of length k are encoded → the bound needs to be larger

Slide 29: Unrolling Loops
This essentially amounts to unwinding loops:
    while ( cond )
      Body;
becomes
    if ( cond ) {
      Body;
      if ( cond ) {
        Body;
        if ( cond ) {
          Body;
        }
      }
    }

Slide 30: Completeness
BMC, as discussed so far, is incomplete.
It only refutes, and does not prove.
How can we fix this?
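The loop unwinding of slide 29 and the caveat of slide 28 (paths longer than the bound are not encoded) are shown by the following added example, which is not code from the deck or from CBMC. `unroll_source` produces the nested-if text for a bound k; `run_unrolled` executes a k-times-unrolled loop on a concrete state and reports whether the loop condition still held when the copies ran out, i.e. whether the bound was too small for that input. The example loop (a counter summing 0..n−1) and the dictionary state are constructed here; the remark about CBMC’s `--unwinding-assertions` option describes that tool’s own mechanism for turning the exhausted case into a reported failure.

```python
def unroll_source(cond, body, k, depth=0):
    """Textual unwinding of 'while (cond) body;' into k nested ifs (the slide's shape)."""
    if k == 0:
        return ""
    pad = "  " * depth
    inner = unroll_source(cond, body, k - 1, depth + 1)
    return f"{pad}if ({cond}) {{\n{pad}  {body};\n{inner}{pad}}}\n"


def run_unrolled(cond, body, state, k):
    """Execute the k-times-unrolled loop on a concrete state.

    cond(state) -> bool and body(state) inspect/mutate a dict.  Returns
    (state, exhausted): exhausted is True when cond still holds after the k-th
    body, i.e. the original loop would iterate again but the unrolled program has
    no copy of the body left.  Those are the paths the slide says are not
    encoded; CBMC's --unwinding-assertions option adds assert(!cond) at exactly
    this point so that reaching it is reported instead of being silently dropped.
    """
    state = dict(state)
    for _ in range(k):
        if not cond(state):
            return state, False
        body(state)
    return state, cond(state)


def smallest_sufficient_bound(cond, body, state, k_max):
    """Smallest k whose unrolling is not exhausted on this input (None if > k_max):
    the bound has to reach the loop's real iteration count before the encoding
    covers every path of the original program."""
    for k in range(k_max + 1):
        if not run_unrolled(cond, body, state, k)[1]:
            return k
    return None


# Constructed example loop:  i = 0; sum = 0; while (i < n) { sum += i; i++; }
def loop_cond(s):
    return s["i"] < s["n"]


def loop_body(s):
    s["sum"] += s["i"]
    s["i"] += 1


def sum_unrolled(n, k):
    """Run the constructed loop for input n with unwinding bound k."""
    return run_unrolled(loop_cond, loop_body, {"i": 0, "n": n, "sum": 0}, k)


if __name__ == "__main__":
    print(unroll_source("cond", "Body", 3))
    print(sum_unrolled(3, 5))    # loop fully covered: exhausted is False
    print(sum_unrolled(10, 5))   # bound too small: exhausted is True
    print(smallest_sufficient_bound(loop_cond, loop_body, {"i": 0, "n": 10, "sum": 0}, 20))
```

For n = 3 a bound of 5 covers every iteration, for n = 10 the same bound stops with the condition still true, and `smallest_sufficient_bound` finds that k = 10 is the first bound for which nothing is cut off. This is the concrete form of the trade-off on slide 28: one location per timeframe keeps the formula small, but the bound must grow with the loop’s iteration count.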
