finding and understanding bugs in software model checkers
play

Finding and Understanding Bugs in Software Model Checkers Chengyu - PowerPoint PPT Presentation

May 13, 2023 •254 likes •1.41k views

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

  1. Approach II: Enumerative Counting Reachability (ECR) int main(void){ int main(void){ int a[3] = {1}; int a[3] = {1}; int i = 0; int i = 0; int br = 0; int br = 0; while(i < 3){ while(i < 3){ if(a[i] == 1) { br++; if(a[i] == 1) { br++; …… …… } } i++; i++; } } GetValue(br) GetValue(br) return 0; return 0; } } Actual execution: br=1 Actual execution: br=3 � 37

  2. Approach II: Enumerative Counting Reachability (ECR) int main(void){ int main(void){ int a[3] = {1}; int a[3] = {1}; int i = 0; int i = 0; int br = 0; int br = 0; while(i < 3){ while(i < 3){ if(a[i] == 1) { br++; if(a[i] == 1) { br++; …… …… } } i++; i++; } } if(br != 1) if(br != 3) __VERIFIER_error(); __VERIFIER_error(); return 0; return 0; } } Actual execution: br=1 Actual execution: br=3 � 37

  3. Approach II: Enumerative Counting Reachability (ECR) int main(void){ int main(void){ int a[3] = {1}; int a[3] = {1}; int i = 0; int i = 0; int br = 0; int br = 0; while(i < 3){ while(i < 3){ if(a[i] == 1) { br++; if(a[i] == 1) { br++; …… …… } } i++; i++; } } if(br != 1) if(br != 3) __VERIFIER_error(); __VERIFIER_error(); return 0; return 0; } } Test oracle: safe Test oracle: safe � 38

  4. Approach II: Enumerative Counting Reachability (ECR) int main(void){ int main(void){ int a[3] = {1}; int a[3] = {1}; int i = 0; int i = 0; int br = 0; int br = 0; while(i < 3){ while(i < 3){ if(a[i] == 1) { br++; if(a[i] == 1) { br++; …… …… } } i++; i++; } } if(br != 1) if(br != 3) __VERIFIER_error(); __VERIFIER_error(); return 0; return 0; } } Test oracle: safe Test oracle: safe Model checker: unsafe Model checker: safe � 39

  5. Approach • Approach I: Enumerative Reachability (ER) • Approach II: Enumerative Counting Reachability (ECR) � 40

  6. Approach III: Fused Counting Reachability (FCR) int main(void){ int a[3] = {1}; int i = 0; while(i < 3){ if(a[i] == 1) { …… } i++; } return 0; } � 41

  7. Approach III: Fused Counting Reachability (FCR) int main(void){ int a[3] = {1}; int i = 0; int br = 0;int br2 = 0; while(i < 3){ br1++; if(a[i] == 1) { br2++; …… } i++; } GetValue(br1) GetValue(br2) return 0; } Actual execution: br1=1; br2=3 � 41

  8. Approach III: Fused Counting Reachability (FCR) int main(void){ int a[3] = {1}; int i = 0; int br = 0;int br2 = 0; while(i < 3){ br1++; if(a[i] == 1) { br2++; …… } i++; } if(br1 != 3 || br2 != 1) __VERIFIER_error(); return 0; } � 41

  9. Approach III: Fused Counting Reachability (FCR) int main(void){ int a[3] = {1}; int i = 0; int br = 0;int br2 = 0; while(i < 3){ br1++; if(a[i] == 1) { br2++; …… } i++; } if(br1 != 3 || br2 != 1) __VERIFIER_error(); return 0; Test oracle: safe } � 41

  10. Approach III: Fused Counting Reachability (FCR) int main(void){ int a[3] = {1}; int i = 0; int br = 0;int br2 = 0; while(i < 3){ br1++; if(a[i] == 1) { br2++; …… } i++; } if(br1 != 3 || br2 != 1) __VERIFIER_error(); return 0; Test oracle: safe } Model checker: unsafe � 41

  11. Approach • Approach I: Enumerative Reachability (ER) • Approach II: Enumerative Counting Reachability (ECR) • Approach III: Fused Counting Reachability (FCR) � 42

  12. Approach find more kinds of bugs • Approach I: Enumerative Reachability (ER) • Approach II: Enumerative Counting Reachability (ECR) • Approach III: Fused Counting Reachability (FCR) � 42

  13. Approach find more kinds of bugs • Approach I: Enumerative Reachability (ER) • Approach II: Enumerative Counting Reachability (ECR) • Approach III: Fused Counting Reachability (FCR) save more time � 42

  14. Evaluation Setup � 43

  15. Evaluation Setup GCC test suite � 43

  16. Evaluation Setup GCC test suite 4,609 Files 219,636 Loc � 43

  17. Evaluation Setup IC3 based GCC test suite 4,609 Files 219,636 Loc � 43

  18. Evaluation Setup IC3 based GCC test suite CEGAR based 4,609 Files 219,636 Loc � 43

  19. Evaluation Setup IC3 based GCC test suite CEGAR based 4,609 Files 219,636 Loc BMC based � 43

  20. Evaluation Setup IC3 based GCC test suite CEGAR based 4,609 Files 219,636 Loc BMC based � 43

  21. RQ1: Can our approaches find bugs? � 44

  22. RQ1: Can our approaches find bugs? � 45

  23. RQ1: Can our approaches find bugs? � 46

  24. RQ1: Can our approaches find bugs? � 47

  25. RQ1: Can our approaches find bugs? � 48

  26. RQ1: Can our approaches find bugs? � 49

  27. RQ1: Can our approaches find bugs? � 50

  28. RQ1: Can our approaches find bugs? � 51

  29. RQ2: How many bugs can be found by each approach? � 52

  30. RQ2: How many bugs can be found by each approach? Approach I 52 � 53

  31. RQ2: How many bugs can be found by each approach? Approach II Approach I 61 52 � 54

  32. RQ2: How many bugs can be found by each approach? Approach II/III Approach I 61 52 � 55

  33. RQ2: How many bugs can be found by each approach? Approach II/III Approach I 61 52 � 56

  34. RQ2: How many bugs can be found by each approach? Approach II/III Approach I 61 52 � 56

  35. RQ2: How many bugs can be found by each approach? Approach II/III Approach I 10 51 1 � 57

  36. Bug#529 in CPAchecker (False negative in approach II/III) void main() { i:0 int i = 0; *(&i):1 while (1) { if (i > 0) { break; } if (i == 0){ *(&i) = *(&i) + 1; } } } � 58

  37. Bug#529 in CPAchecker (False negative in approach II/III) void main() { i:0 int i = 0; int br = 0; *(&i):1 while (1) { if (i > 0) { br++; break; } if (i == 0){ *(&i) = *(&i) + 1; } } Test oracle: safe if(br != 1) __VERIFIER_error(); } � 58

  38. Bug#529 in CPAchecker (False negative in approach II/III) void main() { i:0 int i = 0; int br = 0; *(&i):1 while (1) { if (i > 0) { br++; break; } if (i == 0){ *(&i) = *(&i) + 1; } } Test oracle: safe if(br != 1) Buggy model checker: safe __VERIFIER_error(); } � 58

  39. RQ3: How much time does each approach consume? � 59

  40. RQ3: How much time does each approach consume? � 60

  41. RQ3: How much time does each approach consume? � 61

  42. RQ3: How much time does each approach consume? Save 89% of time � 62

  43. RQ3: How much time does each approach consume? Approach II/III Approach I 10 51 1 � 63

  44. Assorted Bug Samples • C standard library • Front-end • Language feature • Memory model • Configuration • Pointer alias • Third-party component https://github.com/MCFuzzer/MCFuzz/issues � 64

  45. Example: Front-end related bug in CPAchecker void f(int a, int b){ if (a == b) __VERIFIER_error(); } int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; } � 65

  46. Example: Front-end related bug in CPAchecker void f(int a, int b){ if (a == b) d = c&&e = 1 __VERIFIER_error(); } Test oracle: unsafe int main(){ int d = 0; int c = 4; int e = 2; f (d=c&&e, 1); return 0; } � 66

  47. Example: Front-end related bug in CPAchecker void f(int a, int b){ if (a == b) __VERIFIER_error(); __CPAchecker_TMP_0 = c&&e } d = __CPAchecker_TMP_0 int main(){ int d = 0; Test oracle: unsafe int c = 4; int e = 2; f (d=c&&e, 1); return 0; } � 67

  48. Example: Front-end related bug in CPAchecker void f(int a, int b){ if (a == b) __VERIFIER_error(); d = __CPAchecker_TMP_0 } __CPAchecker_TMP_0 = c&&e int main(){ int d = 0; Test oracle: unsafe int c = 4; int e = 2; f (d=c&&e, 1); return 0; } � 67

  49. Example: Front-end related bug in CPAchecker void f(int a, int b){ if (a == b) __VERIFIER_error(); d = __CPAchecker_TMP_0 } __CPAchecker_TMP_0 = c&&e int main(){ int d = 0; Test oracle: unsafe int c = 4; int e = 2; : safe f (d=c&&e, 1); return 0; } � 67

  50. Example: Language feature related bug in CBMC x struct { int a:4; int :4; 2 u 3 4 int b:4; int c:4; } x = { 2,3,4 }; a _ b c int main (){ if (x.b != 3) “Unnamed members of objects of __VERIFIER_error(); structure type do not return 0; participate in initialization.” } —— C standard Test oracle: safe � 68

  51. Example: Language feature related bug in CBMC x struct { int a:4; int :4; 2 3 4 u int b:4; int c:4; } x = { 2,3,4 }; a _ b c int main (){ if (x.b != 3) “Unnamed members of objects of __VERIFIER_error(); structure type do not return 0; participate in initialization.” } —— C standard Test oracle: safe � 69

  52. Example: Language feature related bug in CBMC x struct { int a:4; int :4; 2 3 4 u int b:4; int c:4; } x = { 2,3,4 }; a _ b c int main (){ if (x.b != 3) “Unnamed members of objects of __VERIFIER_error(); structure type do not return 0; participate in initialization.” } —— C standard Test oracle: safe : unsafe � 69

  53. Example: Configuration related bug in Seahorn 7/6 == 1 void test(int x,int y, -7/-6 == 1 int q){ if ((x / y) != q ) __VERIFIER_error(); Test oracle: safe } int main (){ test (7, 6, 1); test (-7, -6, 1); return 0; } � 70

  54. Example: Configuration related bug in Seahorn 7/6 == 1 void test(int x,int y, -7/-6 == 1 int q){ if ((x / y) != q ) __VERIFIER_error(); Test oracle: safe } int main (){ test (7, 6, 1); sea pf file.c test (-7, -6, 1); return 0; } � 71

  55. Example: Configuration related bug in Seahorn 7/6 == 1 void test(int x,int y, -7/-6 == 1 int q){ if ((x / y) != q ) __VERIFIER_error(); Test oracle: safe } int main (){ test (7, 6, 1); sea pf file.c test (-7, -6, 1); return 0; } : unsafe � 71

  56. Example: Configuration related bug in Seahorn 7/6 == 1 void test(int x,int y, -7/-6 == 1 int q){ if ((x / y) != q ) __VERIFIER_error(); Test oracle: safe } int main (){ sea pf test (7, 6, 1); test (-7, -6, 1); —inline file.c return 0; } � 72

  57. Example: Configuration related bug in Seahorn 7/6 == 1 void test(int x,int y, -7/-6 == 1 int q){ if ((x / y) != q ) __VERIFIER_error(); Test oracle: safe } int main (){ sea pf test (7, 6, 1); test (-7, -6, 1); —inline file.c return 0; } : safe � 72

  58. Evaluation on SV-COMP benchmarks � 73

Recommend

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University

Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University

Introduction to Model Learning Applications Theory &amp; Tools for Model Learning Conclusions and Future Work Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University Nijmegen RV 2018, Limassol, November 2018

1.15k views • 77 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd , 2016 Motivation Model checkers return error traces but no evidence when they say yes Complex tools Goal: improve trustworthiness

809 views • 47 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the Quality Checkers project happen? The quality checkers project has been jointly funded by: Northamptonshire Learning Disability Partnership

749 views • 21 slides
The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in January. There were interviews in February. The Great Quality Checkers Paul C Paul B Tom Victor Mike Karl John Sandra Paul G Debbie Alex

368 views • 14 slides
Finite State Automaton Transitions System makes one step from one state to another A finite

Finite State Automaton Transitions System makes one step from one state to another A finite

CISC853: Contents 1. A few words about concurrency CISC422/853: Formal Methods 2. Modeling: How to describe behaviour of a software system? in Software Engineering: finite automata 3. Intro to 2 software model checkers Computer-Aided

224 views • 11 slides
Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with Andrzej Wsowski and Claus Brabrand FOSD Meeting 2014 1 / 28 Agenda 40 variability bugs in Linux: A Qualitative Study (10m) Method Example

540 views • 36 slides
Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael Ferdman, Peter Milder FPGA Accelerates Model Checking Model checking ensures system correctness By exploring all states of a system Hours

814 views • 37 slides
Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of

Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of

Institute of Software Technology tugraz Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of Software Technology Graz University of Technology, Austria MT CPS Workshop Vienna, 11 Apr 2016 B.K.

1.49k views • 111 slides
1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make

1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make

1 Making BUGS Open 2 Adopt a module BUGS is a long running software project aiming to make modern MCMC Unique once in a life time opertunity. You can choose which techniques based on graphical models available to applied OpenBUGS module you

327 views • 11 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi

Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi

Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi Stanford University, CA, USA Presented By: Prateek Agarwal ETH, Zrich Agenda Goal Aim Scope Methodologies used Meta

418 views • 29 slides
Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di Informatica Universit degli Studi di Salerno Sequentialization Code-to-code translation from a multithreaded program to an equivalent

1.21k views • 58 slides
Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!)

Mini-Lecture 9 Testing Test Cases: Finding Errors Bug : Error in a program. (Always expect them!) Debugging : Process of finding bugs and removing them. Testing : Process of analyzing, running program, looking for bugs. Test

365 views • 13 slides
Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and

Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and

1 Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and Shan Lu 2 What are concurrency bugs Synchroniza-on mistakes in mul--threaded programs 3 What are concurrency bugs Synchroniza-on

826 views • 65 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

ICTAC 2018 15 th International Colloquium on Theoretical Aspects of Computing Stellenbosch, South Africa, Oct 19, 2018 Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable Approach Gennaro Parlato

818 views • 59 slides
From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior Researcher at TeamT5 Focus on Reverse Engineering / Vulnerability Research MSRC Most Valuable Security Researcher 2019 / 2020 Acknowledged by

1.31k views • 103 slides

More recommend