detecting erroneous assumptions when verifying software
play

Detecting Erroneous Assumptions when verifying software using SMT - PowerPoint PPT Presentation

Aug 13, 2023 •15 likes •455 views

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM 08 (Note: E-version distributed at CAV is the preliminary, not final version) Context

  1. Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM ’08 (Note: E-version distributed at CAV is the preliminary, not final version)

  2. Context • Industrial software verification • Extended static checking – software verification via » user supplied or implicit specifications » creating a verification condition from the code and specifications, and then » validating it (preferably automatically) using a theorem prover – e.g. ESC/Java(2), Key for Java, Spec# for C#, also Mobius project, COQ system, ... – e.g. provers: SIMPLIFY, Yices, CVC3, Z3, PVS, ... 2

  3. Erroneous assumptions are insidious • User written material is subject to error – Explicit assumptions – Method specifications • False assumptions are generally not what was intended • Insidious: hide other errors • If a verification system produces no errors – Everything OK? – Something not being checked? – False assumption hiding an invalid assertion? • Lots of work on this in model checkers; some in automated runtime test analysis 3

  4. Review: translation of programs to VCs • Break up a program into basic blocks – Each block has no branches – Blocks are followed by other blocks • Transform variables into (dynamic) single assignment form • Passify the program by converting all assignments to assumptions (Barnett & Leino, 2005) 4

  5. Basic blocks start: a=b; a = b; if (a == 0) { b = c; return b; block2: block1: } else { assume a != 0; assume a == 0; b = d; b = d; b = c; } $returnValue = b; a = d; return a; block3: a=d; $returnValue = a; return: 5

  6. Dynamic Single Assignment • int a = 0; • a$0 = 0; • int b = 1; • b$0 = 1; • b = a + b; • b$1 = a$0 + b$0; • a = b + a; • a$1 = b$1 + a$0; • Tricky points – arrays and object field assignments – blocks with multiple parents The a$0 etc. are logical variables (quantified over the appropriate domain of values) 6

  7. Passification a = 0; a$0 = 0; b = a; b$0 = a$0; b = a + b; b$1 = a$0 + b$0; assume a$0 == 0; assume b$0 == a$0; assume b$1 == a$0 + b$0; 7

  8. Convert basic block to block equations: Assumptions come from blockA: assume P; assignments assume Q; branch conditions assert R; loop conditions assume S; preconditions goto blockB, postconditions of called methods blockC; explicit user assumptions 8

  9. Convert basic block to block equations: Assertions come from blockA: assume P; implicit checks (e.g. array index) assume Q; loop specifications assert R; postconditions assume S; preconditions of called methods goto blockB, explicit user assertions blockC; 9

  10. Convert basic block to block equations: blockA ≡ blockA: P → assume P; ( Q → assume Q; ( R & ( S → assert R; assume S; (blockB & blockC) ) ) ) goto blockB, blockC; blockB ≡ ... blockC ≡ ... Each block has a (logical) block variable - if true, execution encounters no false assertions - may block at a false assumption 10

  11. ... and block equations to a Verification Condition • ( ( blockA ≡ ... ) • & ( blockB ≡ ... ) • & ... ) => blockA The variable of the starting block This says: for any assignment of values to variables, if the block equations are satisfied, then the program has a valid execution A valid execution allows false assumptions 11

  12. Parallel path form of the VC • (P & Q & R & ... ) => T 1 & (P & Q & S & ... ) => T 2 & (X & Q & ... ) => T 3 & (Z &... ) => T 4 & ... Each conjunct is an execution path: a sequence of assumptions ending in an assertion Lots of common subformulas 12

  13. Parallel path form of the VC • (P & Q & R & ... ) => T 1 & (P & Q & S & ... ) => T 2 & (X & Q & ... ) => T 3 & (Z &... ) => T 4 & ... The VC is true iff each path (trace) either - has a false assumption - has a true assertion 13

  14. Assumptions • assignments System generated: No problems • loop invariants Bad invariants create unprovable assertions • branch/loop conditions as well as bad assumptions • preconditions • called method postconditions • explicit assumptions 14

  15. Assumptions If a branch condition is • assignments always false: dead code • loop invariants Loop condition is always false: • branch/loop conditions not executed or never terminated loop • preconditions • called method postconditions • explicit assumptions 15

  16. Assumptions • assignments • loop invariants • branch/loop conditions • preconditions Contradictory preconditions: any assertion succeeds • called method postconditions • explicit assumptions 16

  17. Assumptions • assignments Contradictory postconditions: • loop invariants any subsequent assertion succeeds • branch/loop conditions Should be caught when the • preconditions called method is verified • called method postconditions • explicit assumptions 17

  18. Assumptions • assignments • loop invariants • branch/loop conditions • preconditions False user assumption: any subsequent • called method postconditions assertion succeeds • explicit assumptions (Might be false just on one path) 18

  19. Assumptions • Need to check for assumptions that are false (given previous assumptions): • false on all paths: preconditions, branch conditions (dead code) • false on some path: user assumptions, called method postconditions 19

  20. Specific path check In a path (P1 & P2 & P3 & P4 & ... ) => T assumption Pk is OK if Need to check each assumption on each path ??? (P1 & ... & Pk) is satisfiable Equivalently (P1 & ... & Pk) => false is invalid 20

  21. Better: check all assumptions in a given path In a path (P1 & P2 & P3 & P4 & ... & Pn) => T One check per path. Still, there may be many paths. all assumptions are OK if Also, some paths are infeasible because of contradictory branch conditions (P1 & ... & Pn) is satisfiable Equivalently (P1 & ... & Pn) => false is invalid 21

  22. Checking within the block equations • block: Insert an extra assertion: • assume P; If VC is still valid, then something is • assume Q; wrong prior to the assertion. • assert false; [ If the assertion provokes a warning assume R; then all is well.] • ... Might as well do the check at the end of the block. Checks that the assumptions are valid on SOME path (not necessarily all paths) 22

  23. Previous work: Janota et al., 2007 • Putting in ‘assert false;’ is a standard manual idiom for checking feasibility of assumptions • Janota et al. automated this in ESC/Java2, along with a search algorithm – optimized for short VCs and few prover invocations • Improvements: – Use incremental satisfiability checks – How to do path specific checks – Use unsatisfiable cores 23

  24. Incremental satisfiability checking • Minimal changes to the VC • Uses the SMT solver’s ability to – push/pop program state – or to retract assertions 24

  25. Incremental satisfiability checking • Put in all the ‘assert’ statements to check assumptions at once. But instead of write (e.g. for check # 17) • block: • block: • assume P; • assume P; • assume Q; • assume Q; • assert false; • assert $$count != 17; assume R; assume R; • ... • ... 25

  26. Incremental satisfiability checking • Then, for the usual SAT check of the VC, check VC & ($$count == 0) • • And then check each assumption N by testing VC & ($$count == N) • • (retract ‘$$count==0’ and assert ‘$$count == N’) 26

  27. Performance question Which is faster: • reformulating the VC and restarting the prover or saving/restoring program state, followed by an incremental SAT check The prover needs to do this internally to facilitate [or backtracking using retract/reassert]? In Yices, enabling this mode is overall less efficient. 27

  28. Path specific checks • Use a conditional assertion: instead of write • block: • block: • assume P; • assume P; • assume Q; • assume Q; • assert false; • assert !Z; assume R; assume R; • ... • ... where Z is true only for the path being checked (it is a conjunction of all the branch conditions for the path) 28

  29. Performance question Which is faster: • reformulating the VC and restarting the prover with just the small VC for a specific path or using incremental checking with the full VC? 29

  30. Even better: avoid path-specific checking @NonNull int[ ] a; ... Postcondition: forall int i: ( (0<i && i<a.length) => sort(a); a[i-1] <= a[i] ) ... (needs to know: j < k => a[j] <= a[k] ) [ Prover does not do induction ] 30

  31. Even better: avoid path-specific checking Could write: Postcondition: forall int i: ( (0<i && i<a.length) => @NonNull int[ ] a; a[i-1] <= a[i] ) ... sort(a); /*@ assume (\forall int j,k; 0<=j && j<=k && k<a.length; a[j] <= a[k]); */ ... (needs to know: j < k => a[j] <= a[k] ) 31

Recommend

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and

Assumptions EDUC 7610 Chapter 16 and 17 Diagnostics (Detecting Irregularities) and miscellaneous stuff Tyson S. Barrett, PhD This is one of the most important chapters The regression results validity depend on whether the assumptions

745 views • 33 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers,

1.06k views • 59 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov Ivannikov Institute For System Programming of RAS ilja.zakharov@ispras.ru Klever Verification Framework Intended for finding bugs in large software

546 views • 32 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262 Compliance in Simulink Lukas Murer, Torben Stolte Tanja Hebecker, Michael Lipaczewski Uwe Mhrstdt, Frank Ortmeier Motivation Functional safety

589 views • 21 slides
Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2

Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2

Change of Supplier Expert Group Meeting 3 1 July 2013 1 Nigel Nash ERRONEOUS TRANSFERS 2 Recap from previous meeting Our aim is to eradicate/substantially reduce the number of erroneous transfers Current ET rate at around 1% of

497 views • 45 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela

1/30 An Overview of Techniques for Detecting Software Variability Concepts in Source Code Angela Lozano Universit catholique de Louvain, Belgium Monday 5 December 2011 2/30 Variability Customized and Affordable Maximize reuse of

544 views • 32 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
Detecting Similar Software Applications Collin McMillan, Mark Grechanik, and Denys Poshyvanyk

Detecting Similar Software Applications Collin McMillan, Mark Grechanik, and Denys Poshyvanyk

Detecting Similar Software Applications Collin McMillan, Mark Grechanik, and Denys Poshyvanyk The College of William and Mary and The University of Illinois at Chicago Find Identical Penmen Finding Similar Web Pages Similar Web Pages For ACM

687 views • 41 slides
scanf erroneous input What if the user types a word, when an integer is required? As already

scanf erroneous input What if the user types a word, when an integer is required? As already

scanf erroneous input What if the user types a word, when an integer is required? As already noted in tutorials: Computer Programming: Skills &amp; Concepts (CP) Apart from the action performed by scanf (reading, or attempting to read, the

378 views • 6 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
A COMPARISON OF RNA HOMOLOGY-DETECTING SOFTWARE Justin Slotman Bioinformatics Masters Thesis

A COMPARISON OF RNA HOMOLOGY-DETECTING SOFTWARE Justin Slotman Bioinformatics Masters Thesis

A COMPARISON OF RNA HOMOLOGY-DETECTING SOFTWARE Justin Slotman Bioinformatics Masters Thesis December 2008 The problem of RNA secondary structure prediction Primary structure does not necessarily imply secondary structure Secondary

668 views • 47 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo 2 Julio Mari Ra 1 Universidad Polit 2 IMDEA Software Institute ecnica de Madrid Babel research group raul.alborodo@imdea.org

758 views • 45 slides

More recommend