Automated Software Analysis
Andreas Podelski, University of Freiburg, Germany
Tuesday, 12 July 16
• new paradigm for automatic verification
• given a program P, learn a set of correct programs P1, ..., Pn; check whether every behavior of P is covered: P ⊆ P1 ∪ ... ∪ Pn
• program = automaton, check = inclusion between automata
• safety and liveness for sequential/concurrent/parametrized programs
The verification algorithm (flowchart on the slide):

  input: program P, represented as the automaton A_P; initially no automata A_1, ..., A_n have been constructed
  1. A_P ⊆ A_1 ∪ ... ∪ A_n ?
       yes: P is correct
       no:  take w such that w ∈ A_P \ (A_1 ∪ ... ∪ A_n)
  2. w infeasible? (w ∈ Σ* \ CORRECT ?)
       no:  P is incorrect
       yes: construct A_{n+1} such that
              1. w ∈ A_{n+1}
              2. A_{n+1} ⊆ Σ* \ CORRECT   (Σ* \ CORRECT = the infeasible traces)
            and go back to step 1 with n + 1 automata
[Screenshot of a DER SPIEGEL news article, Wirtschaft > Staat & Soziales > Abgasaffäre bei Volkswagen]
VW emissions scandal: Bosch denies sharing the blame
Bosch supplied the technology for the disputed diesel models in the VW emissions scandal. But the company says it was not involved in the manipulation: the responsibility lies solely with the car maker.
global int len;                 // length of array
global int array(len) : tasks;  // array of tasks
global int next;                // position of next available task block
global lock m;                  // lock protecting next

thread T:
  local int : c;      // position of current task
  local int : end;    // position of last task in acquired block

  // acquire block of tasks
  lock(m);
  if (next + 10 <= len)
    { c := next; next := next + 10; end := next; }
  else
    { c := next; next := next + 10; end := len; }
  unlock(m);

  // perform block of tasks
  while (c < end):
    tasks[c] := 0;           // mark task c as started
    ...                      // work on the task c
    tasks[c] := 1;           // mark task c as finished
    assert(tasks[c] == 1);   // no other thread has started task c
    c := c + 1;
[Figure: the tasks array after threads 1, 2, ..., 35 have each executed the acquire block lock(m); ... unlock(m). Their block starts c(1), c(2), c(3), ..., c(35) and block ends end(1), end(2), ..., end(34), end(35) are laid out along the array, with next and len marked; the threads have acquired their blocks of tasks but have not yet started working.]
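As an added example (not the lecturer's code), the following Python script explores every interleaving of the acquire phase of the program above for two or three threads, once with the lock modelled as a single atomic step and once without it, and checks that the acquired blocks [c, end) of different threads are pairwise disjoint; disjoint blocks are what the assertion tasks[c] == 1 in the work loop relies on. The thread counts and len = 25 are constructed values.

```python
# Added example: exhaustive exploration of the interleavings of the acquire phase
# of the slide's task-block program, with and without the lock m. Assumptions:
# holding the lock is modelled by running the whole critical section as one
# atomic step, and len = 25 is a constructed value.
BLOCK = 10  # the slide's block size: next := next + 10

def acquire_steps(locked):
    """One thread's acquire phase as a list of (label, step) pairs; step(g, l)
    mutates the shared state g = {"next", "len"} and the thread's locals l."""
    def test(g, l):               # if (next + 10 <= len)
        l["fits"] = g["next"] + BLOCK <= g["len"]
    def read(g, l):               # c := next
        l["c"] = g["next"]
    def bump(g, l):               # next := next + 10
        g["next"] += BLOCK
    def end(g, l):                # end := next (then-branch) or end := len (else-branch)
        l["end"] = g["next"] if l["fits"] else g["len"]
    steps = [("test", test), ("read", read), ("bump", bump), ("end", end)]
    if not locked:
        return steps              # the scheduler may switch threads between any two steps
    def critical(g, l):           # lock(m); ...; unlock(m): no switch inside
        for _, s in steps:
            s(g, l)
    return [("lock..unlock", critical)]

def schedules(remaining):
    """Every order in which the threads can take their remaining steps."""
    if not any(remaining):
        yield ()
        return
    for t, r in enumerate(remaining):
        if r:
            remaining[t] -= 1
            for rest in schedules(remaining):
                yield (t,) + rest
            remaining[t] += 1

def run(schedule, n_threads, locked, length):
    """Execute one schedule; return each thread's acquired block (c, end)."""
    g, locs, pc = {"next": 0, "len": length}, [{} for _ in range(n_threads)], [0] * n_threads
    steps = acquire_steps(locked)
    for t in schedule:
        steps[pc[t]][1](g, locs[t])
        pc[t] += 1
    return [(l["c"], l["end"]) for l in locs]

def overlapping(blocks):
    """True if two non-empty half-open blocks share a task index."""
    nonempty = [(c, e) for c, e in blocks if c < e]
    return any(c1 < e2 and c2 < e1
               for i, (c1, e1) in enumerate(nonempty) for (c2, e2) in nonempty[i + 1:])

def check_acquire(n_threads, locked, length=25):
    """Return (number of schedules explored, first schedule whose blocks overlap
    together with those blocks, or None if every interleaving keeps them disjoint)."""
    n_steps = len(acquire_steps(locked))
    total, witness = 0, None
    for s in schedules([n_steps] * n_threads):
        total += 1
        blocks = run(s, n_threads, locked, length)
        if witness is None and overlapping(blocks):
            witness = (s, blocks)
    return total, witness

if __name__ == "__main__":
    for locked in (True, False):
        total, witness = check_acquire(2, locked)
        print(f"locked={locked}: {total} schedules,",
              "all blocks disjoint" if witness is None else f"overlap in {witness}")
```

With the lock there are only 2 (two threads) or 6 (three threads) schedules and every one of them yields disjoint blocks. Without the lock, 70 schedules exist for two threads, and the first overlapping one lets thread 2 run next := next + 10 between thread 1's c := next and its end := next, so thread 1 ends up with the block [0, 20) while thread 2 has [10, 20). The number of schedules grows as a multinomial in the number of threads (34650 for three unlocked threads), which is why the slides reason about 35 threads, and the parametrized case, with automata rather than by enumeration.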
Next ...
• learn correct programs from unsatisfiability proofs
• learn correct programs from Hoare triples
correct?

ℓ0: assume p != 0;
ℓ1: while (n >= 0) {
      assert p != 0;
ℓ2:   if (n == 0) {
        p := 0;
ℓ3:   }
      n--;
ℓ4: }
ℓ5:
ℓ0: assume p != 0;
ℓ1: while (n >= 0) {
      assert p != 0;
ℓ2:   if (n == 0) {
        p := 0;
ℓ3:   }
      n--;
ℓ4: }
ℓ5:

control flow graph (locations ℓ0, ..., ℓ5 and the error location ℓerr; edges labeled with statements):
  ℓ0 --[p != 0]--> ℓ1
  ℓ1 --[n < 0]--> ℓ5
  ℓ1 --[n >= 0]--> ℓ2
  ℓ2 --[p == 0]--> ℓerr    (the assert fails)
  ℓ2 --[n == 0]--> ℓ3
  ℓ2 --[n != 0]--> ℓ4
  ℓ3 --[p := 0]--> ℓ4
  ℓ4 --[n--]--> ℓ1
The control flow graph is an automaton; its alphabet is {statements}, i.e. the statements p != 0, n < 0, n >= 0, p == 0, n == 0, n != 0, p := 0, n-- that label its edges.
no execution violates the assertion = no execution reaches the error location ℓerr
all inter-reducible:
• validity of assert statement
• non-reachability of error location
• validity of safety property
• validity of invariant
• infeasibility of control flow traces
• partial correctness
• partial correctness for pre/postcondition (true, false)
sample error trace of the control flow graph (the path ℓ0, ℓ1, ℓ2, ℓerr):  (p != 0) (n >= 0) (p == 0)
unsatisfiable formula  ⟷  infeasible trace
  trace  x == 1 ; x == -1 ;    formula  x = 1 ∧ x = −1
  trace  x := 1 ; x == -1 ;    formula  x0 = 1 ∧ x0 = −1
error trace (p != 0) (n >= 0) (p == 0); the statements that belong to its unsatisfiable core are (p != 0) and (p == 0)
unsatisfiable core:  (p != 0) (p == 0)
automaton constructed from the unsatisfiable core (p != 0) (p == 0):
  q0 --[p != 0]--> q1
  q1 --[p == 0]--> q2
  self-loops: q0 on Σ, q1 on Σ \ {p := 0}, q2 on Σ
correct program (error location is not reachable):
  q0 --[p != 0]--> q1
  q1 --[p == 0]--> q2
  self-loops: q0 on Σ, q1 on Σ \ {p := 0}, q2 on Σ
all error traces of this program have the same proof as the sample trace (the same unsatisfiable core of the unsatisfiability proof)
inclusion check:  A_P ⊆ A1 ?   (A_P: the control flow graph of the program with error location ℓerr; A1: the automaton q0, q1, q2 constructed from the unsatisfiable core)
does a proof exist for every error trace?
new trace (in A_P but not in A1), along the path ℓ0, ℓ1, ℓ2, ℓ3, ℓ4, ℓ1, ℓ2, ℓerr of the control flow graph:
  (p != 0) (n >= 0) (n == 0) (p := 0) (n--) (n >= 0) (p == 0)
the new trace with the statements of its unsatisfiable core marked by *:
  (p != 0) (n >= 0) (n == 0)* (p := 0) (n--)* (n >= 0)* (p == 0)
unsatisfiable core:  (n == 0) (n--) (n >= 0)
automaton constructed from the unsatisfiable core (n == 0) (n--) (n >= 0):
  p0 --[n == 0]--> p1
  p1 --[n--]--> p2
  p2 --[n >= 0]--> p3
  self-loops: p0 on Σ, p1 on Σ \ {n--}, p2 on Σ \ {n--}, p3 on Σ
program constructed from the unsatisfiability proof:
  p0 --[n == 0]--> p1
  p1 --[n--]--> p2
  p2 --[n >= 0]--> p3
  self-loops: p0 on Σ, p1 on Σ \ {n--}, p2 on Σ \ {n--}, p3 on Σ
it accepts all traces with the same unsatisfiability proof, e.g. the new trace (p != 0) (n >= 0) (n == 0) (p := 0) (n--) (n >= 0) (p == 0) is read as: p0 loops on (p != 0) (n >= 0), moves to p1 on (n == 0), loops on (p := 0), moves to p2 on (n--), to p3 on (n >= 0), and loops on (p == 0)
inclusion check:  A_P ⊆ A1 ∪ A2 ?   (A1: the automaton q0, q1, q2; A2: the automaton p0, p1, p2, p3)
does a proof exist for every trace?
previous example: automata constructed from the unsatisfiable core (of the proof of infeasibility of an error trace); add a self-loop for each irrelevant statement (a statement that does not modify the variables occurring in the unsatisfiable core)
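As an added example (not the lecturer's code nor that of any verification tool), the following Python script runs the loop of the flowchart slide on the p/n program: the inclusion checks A_P ⊆ A1 and A_P ⊆ A1 ∪ A2, and the construction described on this slide of an automaton from an unsatisfiable core with self-loops for the irrelevant statements. Assumed here: statements are plain strings, the control flow graph is typed in as an edge list, and a bounded brute-force check of a trace's SSA path formula over the values −3..3 stands in for the SMT solver and its unsatisfiable core; that is sufficient for this program but not a sound replacement in general.

```python
# Added example, not the lecturer's code: the refinement loop of the slides,
#   A_P ⊆ A_1 ∪ ... ∪ A_n ?  ->  trace w  ->  w infeasible?  ->  proof automaton A_{n+1},
# run on the p/n program. Assumptions: statements are the strings in USES below, and
# a bounded brute-force check of the SSA path formula stands in for the SMT solver
# and its unsatisfiable core (enough for this program, not sound in general).
import operator
from collections import deque
from itertools import combinations, product

# Alphabet Sigma: the program's statements, which variable each mentions and writes.
USES = {"p != 0": {"p"}, "p == 0": {"p"}, "p := 0": {"p"}, "n < 0": {"n"},
        "n >= 0": {"n"}, "n == 0": {"n"}, "n != 0": {"n"}, "n--": {"n"}}
MODIFIES = {"p := 0": {"p"}, "n--": {"n"}}      # assume statements write nothing
SIGMA = sorted(USES)
OPS = {"!=": operator.ne, "==": operator.eq, "<": operator.lt, ">=": operator.ge}
DOMAIN = range(-3, 4)    # bounded value domain of the stand-in solver (assumption)

class NFA:
    """Automaton over statements; delta maps (state, statement) -> successor states."""
    def __init__(self, init, finals, edges):
        self.init, self.finals, self.delta = init, set(finals), {}
        for s, a, t in edges:
            self.delta.setdefault((s, a), set()).add(t)
    def step(self, states, a):
        return frozenset(t for s in states for t in self.delta.get((s, a), ()))

# Control flow automaton A_P read off the slide; the error location lerr is final.
A_P = NFA("l0", {"lerr"}, [
    ("l0", "p != 0", "l1"), ("l1", "n < 0", "l5"), ("l1", "n >= 0", "l2"),
    ("l2", "p == 0", "lerr"), ("l2", "n == 0", "l3"), ("l2", "n != 0", "l4"),
    ("l3", "p := 0", "l4"), ("l4", "n--", "l1")])

def proof_automaton(core):
    """A_{n+1}: a chain over the core statements, Sigma self-loops at both ends, and
    in between self-loops on every statement that modifies no variable of the core."""
    core_vars = set().union(*(USES[s] for s in core))
    irrelevant = [a for a in SIGMA if not MODIFIES.get(a, set()) & core_vars]
    k = len(core)
    edges = [(f"q{i}", s, f"q{i + 1}") for i, s in enumerate(core)]
    edges += [(q, a, q) for q in ("q0", f"q{k}") for a in SIGMA]
    edges += [(f"q{i}", a, f"q{i}") for i in range(1, k) for a in irrelevant]
    return NFA("q0", {f"q{k}"}, edges)

def find_unproven_trace(program, proofs):
    """Shortest word accepted by A_P but by none of A_1 ... A_n, found by breadth-first
    search over the product of A_P with the determinised A_i; None if inclusion holds."""
    start = (frozenset([program.init]), tuple(frozenset([p.init]) for p in proofs))
    seen, queue = {start}, deque([(start, [])])
    while queue:
        (ps, qs), word = queue.popleft()
        if ps & program.finals and not any(q & p.finals for q, p in zip(qs, proofs)):
            return word
        for a in SIGMA:
            nps = program.step(ps, a)
            cfg = (nps, tuple(p.step(q, a) for q, p in zip(qs, proofs)))
            if nps and cfg not in seen:
                seen.add(cfg)
                queue.append((cfg, word + [a]))
    return None

def ssa_conjuncts(trace):
    """One conjunct of the SSA path formula per statement, as a predicate over an
    environment {(var, version): value}; also returns every (var, version) used."""
    ver, preds = {"p": 0, "n": 0}, []
    for stmt in trace:
        if stmt == "p := 0":                 # fresh version of p, equal to 0
            ver["p"] += 1
            preds.append(lambda e, k=ver["p"]: e[("p", k)] == 0)
        elif stmt == "n--":                  # fresh version of n, one less than before
            ver["n"] += 1
            preds.append(lambda e, k=ver["n"]: e[("n", k)] == e[("n", k - 1)] - 1)
        else:                                # assume statement on the current version
            var, op, c = stmt.split()
            preds.append(lambda e, v=var, k=ver[var], f=OPS[op], c=int(c): f(e[(v, k)], c))
    return preds, [(v, i) for v in ver for i in range(ver[v] + 1)]

def feasible(preds, keys):
    return any(all(pr(dict(zip(keys, vals))) for pr in preds)
               for vals in product(DOMAIN, repeat=len(keys)))

def unsat_core(trace):
    """Smallest set of statements whose conjuncts are already contradictory, or None
    when the whole trace is feasible (a real error trace)."""
    preds, keys = ssa_conjuncts(trace)
    if feasible(preds, keys):
        return None
    for size in range(1, len(trace) + 1):
        for idx in combinations(range(len(trace)), size):
            if not feasible([preds[i] for i in idx], keys):
                return [trace[i] for i in idx]

def verify(program=A_P, max_rounds=10):
    """The slide's loop; returns the verdict and the (trace, core) pairs learned."""
    proofs, rounds = [], []
    for _ in range(max_rounds):
        w = find_unproven_trace(program, proofs)
        if w is None:
            return "correct", rounds                    # A_P ⊆ A_1 ∪ ... ∪ A_n
        core = unsat_core(w)
        if core is None:
            return "incorrect", rounds + [(w, None)]    # w is a feasible error trace
        rounds.append((w, core))
        proofs.append(proof_automaton(core))
    return "unknown", rounds
```

Calling verify() reproduces the slides: the first inclusion check returns the three-statement error trace, whose core (p != 0) (p == 0) gives A1; the check A_P ⊆ A1 then returns the seven-statement trace through p := 0, whose core (n == 0) (n--) (n >= 0) gives A2; the check A_P ⊆ A1 ∪ A2 finds no further trace, so the verdict is "correct" after two rounds. It is the self-loops on the irrelevant statements that make each A_i accept every trace that is infeasible for the same reason rather than only the sampled one; without them the loop on n would need a new automaton per unrolling.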
automata constructed from unsatisfiable cores are not sufficient in general (the verification algorithm is not complete)