detecting erroneous assumptions when verifying software
play

Detecting Erroneous Assumptions when verifying software using SMT - PowerPoint PPT Presentation

Aug 13, 2023 •15 likes •455 views

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM 08 (Note: E-version distributed at CAV is the preliminary, not final version) Context

  1. Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM ’08 (Note: E-version distributed at CAV is the preliminary, not final version)

  2. Context • Industrial software verification • Extended static checking – software verification via » user supplied or implicit specifications » creating a verification condition from the code and specifications, and then » validating it (preferably automatically) using a theorem prover – e.g. ESC/Java(2), Key for Java, Spec# for C#, also Mobius project, COQ system, ... – e.g. provers: SIMPLIFY, Yices, CVC3, Z3, PVS, ... 2

  3. Erroneous assumptions are insidious • User written material is subject to error – Explicit assumptions – Method specifications • False assumptions are generally not what was intended • Insidious: hide other errors • If a verification system produces no errors – Everything OK? – Something not being checked? – False assumption hiding an invalid assertion? • Lots of work on this in model checkers; some in automated runtime test analysis 3

  4. Review: translation of programs to VCs • Break up a program into basic blocks – Each block has no branches – Blocks are followed by other blocks • Transform variables into (dynamic) single assignment form • Passify the program by converting all assignments to assumptions (Barnett & Leino, 2005) 4

  5. Basic blocks start: a=b; a = b; if (a == 0) { b = c; return b; block2: block1: } else { assume a != 0; assume a == 0; b = d; b = d; b = c; } $returnValue = b; a = d; return a; block3: a=d; $returnValue = a; return: 5

  6. Dynamic Single Assignment • int a = 0; • a$0 = 0; • int b = 1; • b$0 = 1; • b = a + b; • b$1 = a$0 + b$0; • a = b + a; • a$1 = b$1 + a$0; • Tricky points – arrays and object field assignments – blocks with multiple parents The a$0 etc. are logical variables (quantified over the appropriate domain of values) 6

  7. Passification a = 0; a$0 = 0; b = a; b$0 = a$0; b = a + b; b$1 = a$0 + b$0; assume a$0 == 0; assume b$0 == a$0; assume b$1 == a$0 + b$0; 7

  8. Convert basic block to block equations: Assumptions come from blockA: assume P; assignments assume Q; branch conditions assert R; loop conditions assume S; preconditions goto blockB, postconditions of called methods blockC; explicit user assumptions 8

  9. Convert basic block to block equations: Assertions come from blockA: assume P; implicit checks (e.g. array index) assume Q; loop specifications assert R; postconditions assume S; preconditions of called methods goto blockB, explicit user assertions blockC; 9

  10. Convert basic block to block equations: blockA ≡ blockA: P → assume P; ( Q → assume Q; ( R & ( S → assert R; assume S; (blockB & blockC) ) ) ) goto blockB, blockC; blockB ≡ ... blockC ≡ ... Each block has a (logical) block variable - if true, execution encounters no false assertions - may block at a false assumption 10

  11. ... and block equations to a Verification Condition • ( ( blockA ≡ ... ) • & ( blockB ≡ ... ) • & ... ) => blockA The variable of the starting block This says: for any assignment of values to variables, if the block equations are satisfied, then the program has a valid execution A valid execution allows false assumptions 11

  12. Parallel path form of the VC • (P & Q & R & ... ) => T 1 & (P & Q & S & ... ) => T 2 & (X & Q & ... ) => T 3 & (Z &... ) => T 4 & ... Each conjunct is an execution path: a sequence of assumptions ending in an assertion Lots of common subformulas 12

  13. Parallel path form of the VC • (P & Q & R & ... ) => T 1 & (P & Q & S & ... ) => T 2 & (X & Q & ... ) => T 3 & (Z &... ) => T 4 & ... The VC is true iff each path (trace) either - has a false assumption - has a true assertion 13

  14. Assumptions • assignments System generated: No problems • loop invariants Bad invariants create unprovable assertions • branch/loop conditions as well as bad assumptions • preconditions • called method postconditions • explicit assumptions 14

  15. Assumptions If a branch condition is • assignments always false: dead code • loop invariants Loop condition is always false: • branch/loop conditions not executed or never terminated loop • preconditions • called method postconditions • explicit assumptions 15

  16. Assumptions • assignments • loop invariants • branch/loop conditions • preconditions Contradictory preconditions: any assertion succeeds • called method postconditions • explicit assumptions 16

  17. Assumptions • assignments Contradictory postconditions: • loop invariants any subsequent assertion succeeds • branch/loop conditions Should be caught when the • preconditions called method is verified • called method postconditions • explicit assumptions 17

  18. Assumptions • assignments • loop invariants • branch/loop conditions • preconditions False user assumption: any subsequent • called method postconditions assertion succeeds • explicit assumptions (Might be false just on one path) 18

  19. Assumptions • Need to check for assumptions that are false (given previous assumptions): • false on all paths: preconditions, branch conditions (dead code) • false on some path: user assumptions, called method postconditions 19

  20. Specific path check In a path (P1 & P2 & P3 & P4 & ... ) => T assumption Pk is OK if Need to check each assumption on each path ??? (P1 & ... & Pk) is satisfiable Equivalently (P1 & ... & Pk) => false is invalid 20

  21. Better: check all assumptions in a given path In a path (P1 & P2 & P3 & P4 & ... & Pn) => T One check per path. Still, there may be many paths. all assumptions are OK if Also, some paths are infeasible because of contradictory branch conditions (P1 & ... & Pn) is satisfiable Equivalently (P1 & ... & Pn) => false is invalid 21

  22. Checking within the block equations • block: Insert an extra assertion: • assume P; If VC is still valid, then something is • assume Q; wrong prior to the assertion. • assert false; [ If the assertion provokes a warning assume R; then all is well.] • ... Might as well do the check at the end of the block. Checks that the assumptions are valid on SOME path (not necessarily all paths) 22

  23. Previous work: Janota et al., 2007 • Putting in ‘assert false;’ is a standard manual idiom for checking feasibility of assumptions • Janota et al. automated this in ESC/Java2, along with a search algorithm – optimized for short VCs and few prover invocations • Improvements: – Use incremental satisfiability checks – How to do path specific checks – Use unsatisfiable cores 23

  24. Incremental satisfiability checking • Minimal changes to the VC • Uses the SMT solver’s ability to – push/pop program state – or to retract assertions 24

  25. Incremental satisfiability checking • Put in all the ‘assert’ statements to check assumptions at once. But instead of write (e.g. for check # 17) • block: • block: • assume P; • assume P; • assume Q; • assume Q; • assert false; • assert $$count != 17; assume R; assume R; • ... • ... 25

  26. Incremental satisfiability checking • Then, for the usual SAT check of the VC, check VC & ($$count == 0) • • And then check each assumption N by testing VC & ($$count == N) • • (retract ‘$$count==0’ and assert ‘$$count == N’) 26

  27. Performance question Which is faster: • reformulating the VC and restarting the prover or saving/restoring program state, followed by an incremental SAT check The prover needs to do this internally to facilitate [or backtracking using retract/reassert]? In Yices, enabling this mode is overall less efficient. 27

  28. Path specific checks • Use a conditional assertion: instead of write • block: • block: • assume P; • assume P; • assume Q; • assume Q; • assert false; • assert !Z; assume R; assume R; • ... • ... where Z is true only for the path being checked (it is a conjunction of all the branch conditions for the path) 28

  29. Performance question Which is faster: • reformulating the VC and restarting the prover with just the small VC for a specific path or using incremental checking with the full VC? 29

  30. Even better: avoid path-specific checking @NonNull int[ ] a; ... Postcondition: forall int i: ( (0<i && i<a.length) => sort(a); a[i-1] <= a[i] ) ... (needs to know: j < k => a[j] <= a[k] ) [ Prover does not do induction ] 30

  31. Even better: avoid path-specific checking Could write: Postcondition: forall int i: ( (0<i && i<a.length) => @NonNull int[ ] a; a[i-1] <= a[i] ) ... sort(a); /*@ assume (\forall int j,k; 0<=j && j<=k && k<a.length; a[j] <= a[k]); */ ... (needs to know: j < k => a[j] <= a[k] ) 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and miscellaneous stuff Tyson S. Barrett, PhD This is one of the most important chapters The regression results validity depend on whether the assumptions

745 views • 33 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers,

1.06k views • 59 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov Ivannikov Institute For System Programming of RAS ilja.zakharov@ispras.ru Klever Verification Framework Intended for finding bugs in large software

546 views • 32 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262 Compliance in Simulink Lukas Murer, Torben Stolte Tanja Hebecker, Michael Lipaczewski Uwe Mhrstdt, Frank Ortmeier Motivation Functional safety

589 views • 21 slides
Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2

Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2

Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2 Recap from previous meeting Our aim is to eradicate/substantially reduce the number of erroneous transfers Current ET rate at around 1% of

497 views • 45 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

1/30 An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela Lozano Universit catholique de Louvain, Belgium Monday 5 December 2011 2/30 Variability Customized and Affordable Maximize reuse of

544 views • 32 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
Compliance Q&amp;A A conversation with OMIG The Arc New York May 7, 2019 Saratoga Hilton,

Compliance Q&amp;A A conversation with OMIG The Arc New York May 7, 2019 Saratoga Hilton,

Compliance Q&amp;A A conversation with OMIG The Arc New York May 7, 2019 Saratoga Hilton, Saratoga Springs, NY The Arc New York 2 The Fine Print OMIG acknowledges that this presentation contains ideas and some materials from many

513 views • 32 slides
Data Quality: Where are we on the journey from theory to practice? Angela Bonifati University of

Data Quality: Where are we on the journey from theory to practice? Angela Bonifati University of

Data Quality: Where are we on the journey from theory to practice? Angela Bonifati University of Lyon 1 Liris CNRS, France June 23, 2017 Angela Bonifati Atelier Qualimados@Madics2017 June 23, 2017 1 / 27 Table of contents Big Data

551 views • 37 slides
Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
AI FOR SCIENCE NUMERICAL WEATHER PREDICTION - OVERVIEW David Hall Senior Solutions

AI FOR SCIENCE NUMERICAL WEATHER PREDICTION - OVERVIEW David Hall Senior Solutions

AI FOR SCIENCE NUMERICAL WEATHER PREDICTION - OVERVIEW David Hall Senior Solutions Architect, NVIDIA GTC March 2019 dhall@nvidia.com OVERVIEW NVIDIA GPUs are powering modern supercomputers Using them effectively is increasingly

906 views • 67 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE

Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE

Assurance Based Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE MAKSIMOV 1 Overview 1. Introduction to Assurance Cases 2. Overview of the Problem 3. Assurance Based Development (ABD)

599 views • 37 slides
Asserts and Error Handling Announcements for Today Reading Assignments Reread Chapter 3

Asserts and Error Handling Announcements for Today Reading Assignments Reread Chapter 3

Lecture 11 Asserts and Error Handling Announcements for Today Reading Assignments Reread Chapter 3 Finishing Assignment 1 10.0-10.2, 10.4-10.6 for Tue We are going to score it Get one more chance Sun. Prelim, Oct 17 th

664 views • 40 slides
JavaScript Errors in the Wild: An Empirical Study Frolin S. Ocariza, Jr. 1 Karthik Pattabiraman 1

JavaScript Errors in the Wild: An Empirical Study Frolin S. Ocariza, Jr. 1 Karthik Pattabiraman 1

JavaScript Errors in the Wild: An Empirical Study Frolin S. Ocariza, Jr. 1 Karthik Pattabiraman 1 Benjamin Zorn 2 1 University of British Columbia (UBC), 2 Microsoft Research (MSR) Web 2.0 Application: Amazon.com Third Menu Amazons party

959 views • 32 slides

More recommend