handling unbounded loops with esbmc 1 20
play

Handling Unbounded Loops with ESBMC 1.20 Jeremy Morse, Lucas - PowerPoint PPT Presentation

Dec 22, 2023 •225 likes •475 views

Handling Unbounded Loops with ESBMC 1.20 Jeremy Morse, Lucas Cordeiro Denis Nicole, Bernd Fischer ESBMC: SMT-based BMC of single- and multi-threaded software exploits SMT solvers and their background theories: optimized encodings for

  1. Handling Unbounded Loops with ESBMC 1.20 Jeremy Morse, Lucas Cordeiro Denis Nicole, Bernd Fischer

  2. ESBMC: SMT-based BMC of single- and multi-threaded software • exploits SMT solvers and their background theories: – optimized encodings for pointers, bit operations, unions and arithmetic over- and underflow – efficient search methods (non-chronological backtracking, conflict clauses learning) conflict clauses learning) • supports verifying multi-threaded software that uses pthreads threading library – interleaves only at “visible” instructions – lazy exploration of the reachability tree – optional context-bound • derived from CBMC

  3. ESBMC Verification Support • built-in properties: – arithmetic under- and overflow – pointer safety – array bounds – division by zero – memory leaks – memory leaks – atomicity and order violations – deadlocks – data races • user-specified assertions (__ESBMC_assume, __ESBMC_assert) • built-in scheduling functions (__ESBMC_atomic_begin, __ESBMC_atomic_end, __ESBMC_yield)

  4. Differences to ESBMC 1.17 • ESBMC 1.20 is largely a bugfixing release: – memory handling – internal data structure (replaced CBMC’s string-based accessor functions) – Z3 encoding (replaced the name equivalence used in the pointer representation) pointer representation) • improved our pthread-handling and added missing sequence points (pthread join-function) • produces a smaller number of false results – score improvement of more than 25% – overall verification time reduced by about 25%

  5. Induction-Based Verification k -induction checks... • base case ( base k ): find a counter-example with up to k loop unwindings (plain BMC) • forward condition ( fwd k ): check that P holds in all states reachable within k unwindings • inductive step ( step k ): check that whenever P holds for k unwindings, it also holds after next unwinding – havoc state – run k iterations – assume invariant – run final iteration ⇒ iterative deepening if inconclusive

  6. The k -induction algorithm k =initial bound while true do if base k then return trace s[0..k] else if fwd k else if fwd k return true else if step k then return true end if k=k+1 end

  7. The k -induction algorithm inserts unwinding k =initial bound assumption after while true do each loop if base k then return trace s[0..k] else if fwd k else if fwd k return true else if step k then return true end if k=k+1 end

  8. The k -induction algorithm inserts unwinding k =initial bound assumption after while true do each loop if base k then inserts unwinding return trace s[0..k] assertion after each else if fwd k else if fwd k loop loop return true else if step k then return true end if k=k+1 end

  9. The k -induction algorithm inserts unwinding k =initial bound assumption after while true do each loop if base k then inserts unwinding return trace s[0..k] assertion after each else if fwd k else if fwd k loop loop return true else if step k then havoc variables that return true occur in the loop’s termination condition end if k=k+1 end

  10. The k -induction algorithm inserts unwinding k =initial bound assumption after while true do each loop if base k then inserts unwinding return trace s[0..k] assertion after each else if fwd k else if fwd k loop loop return true else if step k then havoc variables that return true occur in the loop’s termination condition end if k=k+1 unable to falsify or end prove the property

  11. Running example n = ∑ for n ≥ 1 = S a na Prove that n = 1 i unsigned int nondet_uint(); int main() { unsigned int i, n=nondet_uint(), sn=0; assume (n>=1); assume (n>=1); for (i=1; i<=n; i++) sn = sn + a; assert (sn==n*a); }

  12. Running example: base case Insert an unwinding assumption consisting of the termination condition after the loop – find a counter-example with k loop unwindings unsigned int nondet_uint(); int main() { int main() { unsigned int i, n=nondet_uint(), sn=0; assume (n>=1); for (i=1; i<=n; i++) sn = sn + a; assume (i>n); assert (sn==n*a); }

  13. Running example: forward condition Insert an unwinding assertion consisting of the termination condition after the loop – check that P holds in all states reachable with k unwindings unsigned int nondet_uint(); int main() { int main() { unsigned int i, n=nondet_uint(), sn=0; assume (n>=1); for (i=1; i<=n; i++) sn = sn + a; assert (i>n); assert (sn==n*a); }

  14. Running example: inductive step Havoc (only) the variables that occur in the loop’s termination and branch conditions unsigned int nondet_uint(); typedef struct state { unsigned int i, n, sn; } statet; } statet; int main() { unsigned int i, n=nondet_uint(), sn=0, k; assume (n>=1); statet cs, s[n]; cs.i=nondet_uint(); cs.sn=nondet_uint(); cs.n=n;

  15. Running example: inductive step Havoc (only) the variables that occur in the loop’s termination and branch conditions unsigned int nondet_uint(); define the type of the typedef struct state { program state unsigned int i, n, sn; } statet; } statet; int main() { unsigned int i, n=nondet_uint(), sn=0, k; assume (n>=1); statet cs, s[n]; cs.i=nondet_uint(); cs.sn=nondet_uint(); cs.n=n;

  16. Running example: inductive step Havoc (only) the variables that occur in the loop’s termination and branch conditions unsigned int nondet_uint(); define the type of the typedef struct state { program state unsigned int i, n, sn; } statet; } statet; int main() { state vector unsigned int i, n=nondet_uint(), sn=0, k; assume (n>=1); statet cs, s[n]; cs.i=nondet_uint(); cs.sn=nondet_uint(); cs.n=n;

  17. Running example: inductive step Havoc (only) the variables that occur in the loop’s termination and branch conditions unsigned int nondet_uint(); define the type of the typedef struct state { program state unsigned int i, n, sn; } statet; } statet; int main() { state vector unsigned int i, n=nondet_uint(), sn=0, k; assume (n>=1); statet cs, s[n]; cs.i=nondet_uint(); explore all possible cs.sn=nondet_uint(); values implicitly cs.n=n;

  18. Running example: inductive step ESBMC is called to verify the assertions where the first arbitrary state is emulated by nondeterminism. for (i=1; i<=n; i++) { s[i-1]=cs; sn = sn + a; cs.i=i; cs.i=i; cs.sn=sn; cs.n=n; assume (s[i-1]!=cs); } assume (i>n); assert (sn == n*a); }

  19. Running example: inductive step ESBMC is called to verify the assertions where the first arbitrary state is emulated by nondeterminism. capture the state cs for (i=1; i<=n; i++) { s[i-1]=cs; before the iteration sn = sn + a; cs.i=i; cs.i=i; cs.sn=sn; cs.n=n; assume (s[i-1]!=cs); } assume (i>n); assert (sn == n*a); }

  20. Running example: inductive step ESBMC is called to verify the assertions where the first arbitrary state is emulated by nondeterminism. capture the state cs for (i=1; i<=n; i++) { s[i-1]=cs; before the iteration sn = sn + a; cs.i=i; cs.i=i; capture the state cs cs.sn=sn; after the iteration cs.n=n; assume (s[i-1]!=cs); } assume (i>n); assert (sn == n*a); }

  21. Running example: inductive step ESBMC is called to verify the assertions where the first arbitrary state is emulated by nondeterminism. capture the state cs for (i=1; i<=n; i++) { s[i-1]=cs; before the iteration sn = sn + a; cs.i=i; cs.i=i; capture the state cs cs.sn=sn; after the iteration cs.n=n; assume (s[i-1]!=cs); constraints are } included by means assume (i>n); of assumptions assert (sn == n*a); }

  22. Running example: inductive step ESBMC is called to verify the assertions where the first arbitrary state is emulated by nondeterminism. capture the state cs for (i=1; i<=n; i++) { s[i-1]=cs; before the iteration sn = sn + a; cs.i=i; cs.i=i; capture the state cs cs.sn=sn; after the iteration cs.n=n; assume (s[i-1]!=cs); constraints are } included by means assume (i>n); of assumptions assert (sn == n*a); insert unwinding } assumption

  23. Strengths: • robust context-bounded model checker for multi- threaded C code • combines plain BMC with k-induction – k -induction by itself is by far not as strong as plain BMC ⇒ although it produced substantially fewer false results

  24. Strengths: • robust context-bounded model checker for multi- threaded C code • combines plain BMC with k-induction – k -induction by itself is by far not as strong as plain BMC ⇒ although it produced substantially fewer false results Weaknesses: Weaknesses: • scalability (like other BMCs...) – loop unrolling – interleavings • pointer handling and points-to analysis – exposed by excessive typecasts in the CIL-converted code – better memory model in progress

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXCEPTION HANDLING, DEBUGGING, AND INDEFINITE LOOPS CSSE 120 Rose Hulman Institute of

EXCEPTION HANDLING, DEBUGGING, AND INDEFINITE LOOPS CSSE 120 Rose Hulman Institute of

EXCEPTION HANDLING, DEBUGGING, AND INDEFINITE LOOPS CSSE 120 Rose Hulman Institute of Technology Conditional Program Execution Programs (scripts) Modules designed to run directly (not imported) Libraries Modules imported and

825 views • 18 slides
Handling Loops in Bounded Model Checking of C Programs via k- Induction Lucas Cordeiro Joint

Handling Loops in Bounded Model Checking of C Programs via k- Induction Lucas Cordeiro Joint

Handling Loops in Bounded Model Checking of C Programs via k- Induction Lucas Cordeiro Joint work with Jeremy Morse, Mikhail Ramalho, Herberto Rocha, Hussama Ismail, Raimundo Barreto, Denis Nicole, and Bernd Fischer Bounded Model Checking

553 views • 37 slides
Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp;

Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp;

Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp; while loops Using a loop to solve a problem is called iteration . while is similar to if statements but while repeatedly loops back and

457 views • 8 slides
Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while

Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while

Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while Loops for Loops break Statement continue Statement CS 160, Fall Semester 2012 2 An Example While Loop

446 views • 11 slides
LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over

LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over

Session 6 LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over and over?! With loops! The Game Loop For Loop vs. While Loop For Loops While Loops Start/End are Known Start/End not Always Clear

301 views • 26 slides
Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 (Slides adapted from Stuart Reges, Hlne Martin, and Marty Stepp) 1 2 Methods using charAt Write a method

795 views • 20 slides
Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 1 2 A deceptive problem... Write a method printLetters that prints each letter from a word separated by commas. For

545 views • 20 slides
Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 1 2 A deceptive problem... Write a method printLetters that prints each letter from a word separated by commas. For

516 views • 22 slides
ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

Systems Architecture ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop initialisation init i) body body ii) increment or inc iii) decrement dec exit condition

1k views • 61 slides
Topic 5 for loops and nested loops Always to see the general in the particular is the very

Topic 5 for loops and nested loops Always to see the general in the particular is the very

Topic 5 for loops and nested loops Always to see the general in the particular is the very foundation of genius. - Arthur Schopenhauer Based on slides by Marty Stepp and Stuart Reges from http://www.buildingjavaprograms.com/ 1 Repetition

879 views • 39 slides
Loops! Loops! Loops! Lecture 5 COP 3014 Fall 2020 September 17, 2020 Repetition Statements

Loops! Loops! Loops! Lecture 5 COP 3014 Fall 2020 September 17, 2020 Repetition Statements

Loops! Loops! Loops! Lecture 5 COP 3014 Fall 2020 September 17, 2020 Repetition Statements Repetition statements are called loops, and are used to repeat the same code mulitple times in succession. The number of repetitions is based on

284 views • 15 slides
Loops! Loops! Loops! Lecture 10 COP 3014 Spring 2017 January 31, 2017 Repetition Statements

Loops! Loops! Loops! Lecture 10 COP 3014 Spring 2017 January 31, 2017 Repetition Statements

Loops! Loops! Loops! Lecture 10 COP 3014 Spring 2017 January 31, 2017 Repetition Statements Repetition statements are called loops, and are used to repeat the same code mulitple times in succession. The number of repetitions is based on

167 views • 15 slides
Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops

Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops

Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops Induction variables Loop normalization Impact of optimized code to program Code transformation 1 second 10 seconds How much did we optimize the

1.13k views • 87 slides
Building Java Programs Chapter 5 Lecture 10: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 10: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 10: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 1 String methods Method name Description indexOf( str ) index where the start of the given string appears in this string (-1 if

755 views • 41 slides
Loops Most execution time in most programs is spent in loops: 90/10 is typical CS 4120

Loops Most execution time in most programs is spent in loops: 90/10 is typical CS 4120

Loops Most execution time in most programs is spent in loops: 90/10 is typical CS 4120 Most important targets of optimization: loops Introduction to Compilers Loop optimizations: loop-invariant code motion Andrew Myers

459 views • 3 slides
CPSC 231 - Lab LOOPS Based on Ryan Henry's Slides Loooooooooooo...oooop Sometimes we need to do

CPSC 231 - Lab LOOPS Based on Ryan Henry's Slides Loooooooooooo...oooop Sometimes we need to do

CPSC 231 - Lab LOOPS Based on Ryan Henry's Slides Loooooooooooo...oooop Sometimes we need to do a job repeatedly as long as a specific condition is true. We use loops for this kind of jobs. Types of loops? Simple loops : Keep going if the

457 views • 10 slides
time Markov Models Mohmmadsadegh Mohagheghi And Behrang Chaboki Vali-e-Asr University of

time Markov Models Mohmmadsadegh Mohagheghi And Behrang Chaboki Vali-e-Asr University of

Dirac-based Reduction Techniques for Quantitative Analysis of Discrete- time Markov Models Mohmmadsadegh Mohagheghi And Behrang Chaboki Vali-e-Asr University of Rafsanjan Probabilistic Model Checking Probabilistic Model Checking A Markov

369 views • 17 slides
Correlating Performance, Code Location and Memory Access Harald Servat, Jesus Labarta, Judit

Correlating Performance, Code Location and Memory Access Harald Servat, Jesus Labarta, Judit

Correlating Performance, Code Location and Memory Access Harald Servat, Jesus Labarta, Judit Gimenez Scalable Tools Workshop - Lake Tahoe, Aug 2 nd 2016 1 Folding: instantaneous metric with minimum overhead Combine instrumentation and sampling

477 views • 15 slides
CS 61A Discussion 5 Iterators/Generators and Midterm Review Albert Xu Kaavya Shah Slides:

CS 61A Discussion 5 Iterators/Generators and Midterm Review Albert Xu Kaavya Shah Slides:

CS 61A Discussion 5 Iterators/Generators and Midterm Review Albert Xu Kaavya Shah Slides: albertxu.xyz/teaching/cs61a/ Announcements Iterators, Iterables oh my iterable iterator Iterators, Iterables oh my iterable iterator Iterators,

685 views • 43 slides
Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The

Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The

Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The Big Picture What are our goals? Find independent operations to evaluate in parallel Find operations that reuse the same data What we will

528 views • 15 slides
Python: Recursive Functions Recursive Functions Recall factorial function: Iterative Algorithm

Python: Recursive Functions Recursive Functions Recall factorial function: Iterative Algorithm

Python: Recursive Functions Recursive Functions Recall factorial function: Iterative Algorithm Loop construct (while) can capture computation in a set of state variables that update on each iteration through loop Recursive Functions

376 views • 22 slides
Lecture 14: Iterative Methods and Sparse Linear Algebra David Bindel 10 Mar 2010 Reminder:

Lecture 14: Iterative Methods and Sparse Linear Algebra David Bindel 10 Mar 2010 Reminder:

Lecture 14: Iterative Methods and Sparse Linear Algebra David Bindel 10 Mar 2010 Reminder: World of Linear Algebra Dense methods Direct representation of matrices with simple data structures (no need for indexing data structure)

445 views • 27 slides
Common Patterns and Pitfalls for Implementing Algorithms in Spark Hossein Falaki @mhfalaki

Common Patterns and Pitfalls for Implementing Algorithms in Spark Hossein Falaki @mhfalaki

Common Patterns and Pitfalls for Implementing Algorithms in Spark Hossein Falaki @mhfalaki hossein@databricks.com Challenges of numerical computation over big data When applying any algorithm to big data watch for 1. Correctness 2.

403 views • 29 slides
Dynamic Programming Dynamic Programming Steps. 9 View the problem solution as the result of a

Dynamic Programming Dynamic Programming Steps. 9 View the problem solution as the result of a

Dynamic Programming Dynamic Programming Steps. 9 View the problem solution as the result of a sequence When solving the dynamic programming of decisions. recurrence recursively, be sure to avoid the 9 Obtain a formulation for the

194 views • 7 slides

More recommend