Finding and Understanding Bugs in Software Model Checkers (PowerPoint presentation)
Chengyu Zhang, Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su


Slides 37–39. Approach II: Enumerative Counting Reachability (ECR)

Two instrumented copies of the same test program, one per branch. GetValue(br) reads the counter after an actual run of the program; the observed count then becomes the asserted value.

Counter on the if-branch (actual execution: br=1):

    int main(void){
      int a[3] = {1};
      int i = 0;
      int br = 0;
      while(i < 3){
        if(a[i] == 1) {
          br++;
          ……
        }
        i++;
      }
      if(br != 1)
        __VERIFIER_error();
      return 0;
    }

Test oracle: safe. Model checker: unsafe.

Counter on the loop body (actual execution: br=3):

    int main(void){
      int a[3] = {1};
      int i = 0;
      int br = 0;
      while(i < 3){
        br++;
        if(a[i] == 1) {
          ……
        }
        i++;
      }
      if(br != 3)
        __VERIFIER_error();
      return 0;
    }

Test oracle: safe. Model checker: safe.

Slide 40. Approach
• Approach I: Enumerative Reachability (ER)
• Approach II: Enumerative Counting Reachability (ECR)

Slide 41. Approach III: Fused Counting Reachability (FCR)

Original test program:

    int main(void){
      int a[3] = {1};
      int i = 0;
      while(i < 3){
        if(a[i] == 1) {
          ……
        }
        i++;
      }
      return 0;
    }

All branches are counted in a single instrumented program: br1 counts entries into the loop body, br2 counts the taken if-branch. GetValue(br1) and GetValue(br2) read the counters after an actual run (actual execution: br1=3, br2=1), and both counts are asserted together:

    int main(void){
      int a[3] = {1};
      int i = 0;
      int br1 = 0;
      int br2 = 0;
      while(i < 3){
        br1++;
        if(a[i] == 1) {
          br2++;
          ……
        }
        i++;
      }
      if(br1 != 3 || br2 != 1)
        __VERIFIER_error();
      return 0;
    }

Test oracle: safe. Model checker: unsafe.

Slide 42. Approach
• Approach I: Enumerative Reachability (ER)
• Approach II: Enumerative Counting Reachability (ECR) (find more kinds of bugs)
• Approach III: Fused Counting Reachability (FCR) (save more time)
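The oracle construction behind Approaches II and III, as an added Python example (not the authors' tool code): a concrete run of the slide's loop supplies the branch counts, ECR emits one assertion per counter, FCR one assertion over all counters, and a checker verdict that disagrees with the oracle flags a bug in the checker. The counter names, the Variant record and the verdict strings are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    name: str        # identifies the generated program
    assertion: str   # C statement inserted before the final `return 0;`
    oracle: str      # verdict a correct model checker must produce


def run_slide_program():
    """Concrete run of the slide's loop (a[3] = {1} is {1, 0, 0}):
    br1 counts loop-body entries, br2 counts taken a[i] == 1 branches."""
    a = [1, 0, 0]
    i = br1 = br2 = 0
    while i < 3:
        br1 += 1
        if a[i] == 1:
            br2 += 1
        i += 1
    return {"br1": br1, "br2": br2}   # {'br1': 3, 'br2': 1}


def ecr_variants(counts):
    """ECR: one program per counter, each asserting that counter's observed
    value. The value came from a real run, so __VERIFIER_error() is
    unreachable and the oracle is 'safe' by construction."""
    return [Variant(f"ecr_{name}", f"if({name} != {n}) __VERIFIER_error();", "safe")
            for name, n in counts.items()]


def fcr_variant(counts):
    """FCR: every counter asserted in a single program, so the checker runs
    once instead of once per counter."""
    cond = " || ".join(f"{name} != {n}" for name, n in counts.items())
    return Variant("fcr", f"if({cond}) __VERIFIER_error();", "safe")


def diagnose(variant, verdict):
    """Classify the checker's verdict against the oracle. Verdict strings
    ('safe', 'unsafe', anything else = no result) are an assumption here."""
    if verdict not in ("safe", "unsafe"):
        return "inconclusive"   # timeout, crash or 'unknown': nothing to compare
    if verdict == variant.oracle:
        return "consistent"
    if verdict == "unsafe":
        return "spurious unsafe: checker claims an unreachable error is reachable"
    return "missed error: checker claims safe although the error is reachable"
```

For n counted branches ECR produces n checker runs and FCR one, which is the time saving the slides refer to.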

Slide 43. Evaluation Setup
• Subject programs: GCC test suite, 4,609 files, 219,636 LoC
• Model checkers under test: IC3 based, CEGAR based, BMC based

Slides 44–51. RQ1: Can our approaches find bugs?

Slides 52–57. RQ2: How many bugs can be found by each approach?
• Approach I: 52 bugs
• Approach II/III: 61 bugs
• Overlap: 51 bugs found by both, 10 found only by Approach II/III, 1 found only by Approach I

Slide 58. Bug#529 in CPAchecker (False negative in approach II/III)

    void main() {
      int i = 0;
      int br = 0;
      while (1) {
        if (i > 0) {
          br++;
          break;
        }
        if (i == 0){
          *(&i) = *(&i) + 1;
        }
      }
      if(br != 1)
        __VERIFIER_error();
    }

Checker's tracked values (from the slide): i:0, *(&i):1. Test oracle: safe. Buggy model checker: safe.

Slides 59–63. RQ3: How much time does each approach consume?
• Save 89% of time
• Bugs found (as in RQ2): 10 only by Approach II/III, 51 by both, 1 only by Approach I

Slide 64. Assorted Bug Samples
• C standard library
• Front-end
• Language feature
• Memory model
• Configuration
• Pointer alias
• Third-party component
https://github.com/MCFuzzer/MCFuzz/issues

Slides 65–67. Example: Front-end related bug in CPAchecker

    void f(int a, int b){
      if (a == b)
        __VERIFIER_error();
    }
    int main(){
      int d = 0;
      int c = 4;
      int e = 2;
      f (d=c&&e, 1);
      return 0;
    }

d = c&&e evaluates to 1, so a == b holds inside f. Test oracle: unsafe.

CPAchecker's front end lowers the argument expression into a temporary:

    __CPAchecker_TMP_0 = c&&e
    d = __CPAchecker_TMP_0

In the buggy translation the two statements come out in the opposite order (d = __CPAchecker_TMP_0 before __CPAchecker_TMP_0 = c&&e). CPAchecker: safe.

Slides 68–69. Example: Language feature related bug in CBMC

    struct {
      int a:4;
      int :4;
      int b:4;
      int c:4;
    } x = { 2,3,4 };
    int main (){
      if (x.b != 3)
        __VERIFIER_error();
      return 0;
    }

“Unnamed members of objects of structure type do not participate in initialization.” (C standard)

Layout of x per the standard: a=2, (unnamed), b=3, c=4. Test oracle: safe.
Layout used by CBMC: a=2, (unnamed)=3, b=4, c=u. CBMC: unsafe.

Slides 70–72. Example: Configuration related bug in Seahorn

    void test(int x,int y, int q){
      if ((x / y) != q )
        __VERIFIER_error();
    }
    int main (){
      test (7, 6, 1);
      test (-7, -6, 1);
      return 0;
    }

7/6 == 1 and -7/-6 == 1, so the error is unreachable. Test oracle: safe.
sea pf file.c: unsafe
sea pf --inline file.c: safe

Slide 73. Evaluation on SV-COMP benchmarks
