CBMC: Bounded Model Checking for ANSI-C Version 1.0, 2010 Outline - PowerPoint PPT Presentation

CBMC: Bounded Model Checking for ANSI-C Version 1.0, 2010

Outline Preliminaries BMC Basics Completeness Solving the Decision Problem CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 2

Preliminaries ◮ We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java ◮ As the first step, we transform the program into a control flow graph (CFG) C/C++ parse parse CFG Source tree frontend CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 3

Example: SHS if ( (0 < = t) && (t < = 79) ) switch ( t / 20 ) { case 0: TEMP2 = ( (B AND C) OR (˜B AND D) ); TEMP3 = ( K 1 ); break ; case 1: TEMP2 = ( (B XOR C XOR D) ); TEMP3 = ( K 2 ); break ; case 2: TEMP2 = ( (B AND C) OR (B AND D) OR (C AND D) ); TEMP3 = ( K 3 ); break ; case 3: TEMP2 = ( B XOR C XOR D ); TEMP3 = ( K 4 ); break ; default : assert(0); } CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 4

Example: SHS if if ( (0 < = t) && (t < = 79) ) 0 ≤ t ≤ 79 switch ( t / 20 ) { switch case 0: TEMP2 = ( (B AND C) OR (˜B AND D) ); TEMP3 = ( K 1 ); break ; case�0 case 1: t/ 20 � = 0 TEMP2 = ( (B XOR C XOR D) ); TEMP3 = ( K 2 ); case�1 break ; t/ 20 � = 1 case 2: TEMP2 = ( (B AND C) OR (B AND D) OR (C AND D) ); case�2 TEMP3 = ( K 3 ); break ; t/ 20 � = 2 case 3: case�3 TEMP2 = ( B XOR C XOR D ); TEMP3 = ( K 4 ); t/ 20 � = 3 break ; default : default assert(0); } CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 4

Bounded Program Analysis Goal: check properties of the form AG p , say assertions. Idea: follow paths through the CFG to an assertion, and build a formula that corresponds to the path CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 5

Example if 0 ≤ t ≤ 79 switch case�0 t/ 20 � = 0 case�1 t/ 20 � = 1 case�2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 6

Example if 0 ≤ t ≤ 79 switch case�0 t/ 20 � = 0 case�1 t/ 20 � = 1 case�2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 6

Example if 0 ≤ t ≤ 79 switch case�0 t/ 20 � = 0 0 ≤ t ≤ 79 ∧ t/ 20 � = 0 case�1 ∧ t/ 20 = 1 t/ 20 � = 1 ∧ TEMP2 = B ⊕ C ⊕ D case�2 ∧ TEMP3 = K 2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 6

Example We pass 0 ≤ t ≤ 79 ∧ t/ 20 � = 0 ∧ t/ 20 = 1 ∧ TEMP2 = B ⊕ C ⊕ D ∧ TEMP3 = K 2 to a decision procedure, and obtain a satisfying assignment, say: t �→ 21 , B �→ 0 , C �→ 0 , D �→ 0 , K 2 �→ 10 , TEMP2 �→ 0 , TEMP3 �→ 10 ✔ It provides the values of any inputs on the path. CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 7

Which Decision Procedures? ◮ We need a decision procedure for an appropriate logic ◮ Bit-vector logic (incl. non-linear arithmetic) ◮ Arrays ◮ Higher-level programming languages also feature lists, sets, and maps ◮ Examples ◮ Z3 (Microsoft) ◮ Yices (SRI) ◮ Boolector CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 8

Enabling Technology: SAT 1,000,000 100,000 10,000 1,000 100 10 1960 1970 1980 1990 2000 2010 number of variables of a typical, practical SAT instance that can be solved by the best solvers in that decade CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 9

Enabling Technology: SAT ◮ propositional SAT solvers have made enourmous progress in the last 10 years ◮ Further scalability improvements in recent years because of efficient word-level reasoning and array decision procedures CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 10

Let’s Look at Another Path if 0 ≤ t ≤ 79 switch case�0 t/ 20 � = 0 case�1 t/ 20 � = 1 case�2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 11

Let’s Look at Another Path if 0 ≤ t ≤ 79 switch case�0 t/ 20 � = 0 case�1 t/ 20 � = 1 case�2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 11

Let’s Look at Another Path if 0 ≤ t ≤ 79 switch 0 ≤ t ≤ 79 case�0 ∧ t/ 20 � = 0 t/ 20 � = 0 ∧ t/ 20 � = 1 case�1 ∧ t/ 20 � = 2 t/ 20 � = 1 ∧ t/ 20 � = 3 case�2 t/ 20 � = 2 case�3 t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 11

Let’s Look at Another Path if 0 ≤ t ≤ 79 switch 0 ≤ t ≤ 79 case�0 ∧ t/ 20 � = 0 t/ 20 � = 0 ∧ t/ 20 � = 1 case�1 ∧ t/ 20 � = 2 t/ 20 � = 1 ∧ t/ 20 � = 3 case�2 t/ 20 � = 2 That is UNSAT, so the assertion is case�3 unreachable. t/ 20 � = 3 default CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 11

What If a Variable is Assigned Twice? Rename appropriately: x=0; x = 0 if (y > =0) ∧ y ≥ 0 x++; ∧ x = x + 1 CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 12

What If a Variable is Assigned Twice? Rename appropriately: x=0; x 1 = 0 if (y > =0) ∧ y 0 ≥ 0 x++; ∧ x 1 = x 0 + 1 This is a special case of SSA (static single assignment) CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 12

Pointers How do we handle dereferencing in the program? CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 13

Pointers How do we handle dereferencing in the program? int ∗ p; p 1 = & DO1 p=malloc( sizeof ( int ) ∗ 5); ∧ DO1 1 = ( λi. ... i = 1?100 : DO1 0 [ i ]) p[1]=100; Track a ‘may-point-to’ abstract state while simulating! CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 13

Scalability of Path Search Let’s consider the following CFG: L1 L2 L3 L4 This is a loop with an if inside. CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 14

Scalability of Path Search Let’s consider the following CFG: L1 L2 L3 L4 This is a loop with an if inside. Q: how many paths for n iterations? CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 14

Bounded Model Checking ◮ Bounded Model Checking (BMC) is the most successful formal validation technique in the hardware industry ◮ Advantages: ✔ Fully automatic ✔ Robust ✔ Lots of subtle bugs found ◮ Idea: only look for bugs up to specific depth ◮ Good for many applications, e.g., embedded systems CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 15

Transition Systems Definition: A transition system is a triple ( S, S 0 , T ) with ◮ set of states S , ◮ a set of initial states S 0 ⊂ S , and ◮ a transition relation T ⊂ ( S × S ) . The set S 0 and the relation T can be written as their characteristic functions. CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 16

Unwinding a Transition System Q: How do we avoid the exponential path explosion? We just ”concatenate” the transition relation T : S 0 t CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 17

Unwinding a Transition System Q: How do we avoid the exponential path explosion? We just ”concatenate” the transition relation T : S 0 ∧ T ✲ t t CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 17

Unwinding a Transition System Q: How do we avoid the exponential path explosion? We just ”concatenate” the transition relation T : T ✲ t S 0 ∧ T ∧ ✲ t t CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 17

Unwinding a Transition System Q: How do we avoid the exponential path explosion? We just ”concatenate” the transition relation T : T ✲ t S 0 ∧ T ∧ ∧ ∧ T ✲ ✲ . . . t t t t CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 17

Unwinding a Transition System Q: How do we avoid the exponential path explosion? We just ”concatenate” the transition relation T : T ✲ t S 0 ∧ T ∧ ∧ ∧ T ✲ ✲ . . . t t t t s 0 s 1 s 2 s k − 1 s k CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 17

Unwinding a Transition System As formula: k − 1 � S 0 ( s 0 ) ∧ T ( s i , s i +1 ) i =0 Satisfying assignments for this formula are traces through the transition system CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 18

Example T ⊆ N 0 × N 0 T ( s, s ′ ) ⇐ ⇒ s ′ .x = s.x + 1 . . . and let S 0 ( s ) ⇐ ⇒ s.x = 0 ∨ s.x = 1 CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 19

Example T ⊆ N 0 × N 0 T ( s, s ′ ) ⇐ ⇒ s ′ .x = s.x + 1 . . . and let S 0 ( s ) ⇐ ⇒ s.x = 0 ∨ s.x = 1 An unwinding for depth 4: ( s 0 .x = 0 ∨ s 0 .x = 1) ∧ s 1 .x = s 0 .x + 1 ∧ s 2 .x = s 1 .x + 1 ∧ s 3 .x = s 2 .x + 1 ∧ s 4 .x = s 3 .x + 1 CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 19

Checking Reachability Properties Suppose we want to check a property of the form AG p . CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/ 20