The Software Model Checker BLAST
|
|
- Audrey Campbell
- 6 years ago
- Views:
Transcription
1 The Software Model Checker BLAST BLAST 2.0 Team: Dirk Beyer, Tom Henzinger, Ranjit Jhala, and Rupak Majumdar Guest Lecture in Viktor Kuncak s Verification Class,
2 Motivation Software stands for - Functionality -Flexibility - Affordability in today s products and infrastructures. Practice: - Vulnerability - Obstacle to redesign - Cost overruns - Buggy, brittle, insecure, and not interoperable.
3 French Guyana, June 4, 1996 $600 million software failure
4 Mars, December 3, 1999 Crashed due to uninitialized variable
5 Mars, July 4, 1997 Lost contact due to priority inversion bug
6 Something reliable Uptime: 68 years
7
8 Our Application Areas Verification of systems code Locking disciplines Interface specifications Temporal properties Require path-sensitive analysis Swamped by false positives Really hard to check
9 Specifying and Checking Properties of Programs Goals Defect detection Partial validation Properties Memory safety Temporal safety Security Many (mature) techniques - Automated deduction - Program analysis - Type checking - Model checking Many projects Bandera, Blast, ESC-Java, FeaVer, JPF, LClint, OSQ, PolyScope, PREfix, SLAM, TVLA, Verisoft, xgcc,
10 Property Checking Programmer gives partial specifications Code checked for consistency with spec Different from program correctness Specifications are not complete Are there actually complete specs? - Look for problems that occur often
11 Property 1: Double Locking lock unlock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate.
12 Property 2: Drop Root Privilege [Chen-Dean-Wagner 02] User applications must not run with root privilege When execv is called, must have suid 0
13 Property 3 : IRP Handler IRP accessible MPR2 start NP MPR3 synch not pending returned CallDriver MPR1 NP MPR completion Skip prop completion no prop completion SKIP1 CallDriver PPC N/A CallDriver CallDriver Complete request CallDriver SKIP2 IPC DC N/A synch return child status return not Pend MPR3 CallDriver start P synch MPR1 MPR2not pending returned NP MPR completion Mark Pending Skip prop completion no prop completion CallDriver SKIP1 PPC N/A CallDriver CallDriver Complete request SKIP2 IPC CallDriver DC return Pending [Fahndrich]
14 Does a given usage rule hold? Undecidable! Equivalent to the halting problem Restricted computable versions are prohibitively expensive (PSPACE) Why bother? Just because a problem is undecidable, it doesn t go away!
15 Running Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock
16 What a program really is State Transition pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: Example Example ( ) { 1: 1: do{ do{ lock(); lock(); old old = new; new; q = q->next; 2: 2: if if (q (q!=!= NULL){ NULL){ 3: 3: q->data q->data = new; new; unlock(); new new ++; ++; 4: 4: while(new!=!= old); old); 5: 5: unlock unlock (); (); return; pc lock old new q a 4 a a 5 a 6 a 0x133a
17 The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula
18 Representing States as Formulas [F] states satisfying F {s s ² F F FO fmla over prog. vars [F 1 ] Å [F 2 ] F 1 Æ F 2 [F 1 ] [F 2 ] F 1 Ç F 2 [F] F [F 1 ] [F 2 ] F 1 implies F 2 i.e. F 1 Æ F 2 unsatisfiable
19 Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite
20 Abstract States and Transitions State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a Theorem Prover lock old=new lock old=new
21 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a Theorem Prover Existential Lifting lock old=new lock old=new
22 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a lock old=new lock old=new
23 Analyze Abstraction Analyze finite graph Over Approximate: Safe System Safe No false negatives Problem Spurious counterexamples
24 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!
25 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge
26 Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe
27 Software Model Checking CProgram Abstract Yes Safe BLAST Property Refine No Trace
28 Lazy Abstraction CProgram spec.opt Instrumented C file With ERROR label BLAST Yes Safe Property No Trace
29 Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100 s, #States ~ 2 100, #Reach ~ 1000 s
30 Solution1: Only Abstract Reachable States Safe Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Build abstraction during search
31 Solution2: Don t Refine Error-Free Regions Error Free Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions
32 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds.
33 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free
34 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates Rebuild subtree with new preds. Error Free SAFE S1: Only Abstract Reachable States S2: Don t refine error-free regions
35 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK 1 Predicates: LOCK Reachability Tree
36 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); lock() old = new q=q->next 1 2 LOCK LOCK 1 2 Predicates: LOCK Reachability Tree
37 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); [q!=null] LOCK LOCK LOCK Predicates: LOCK Reachability Tree
38 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); q->data = new unlock() new LOCK LOCK LOCK LOCK Predicates: LOCK Reachability Tree
39 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK 4 LOCK [new==old] 5 5 LOCK Predicates: LOCK Reachability Tree
40 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK 4 LOCK Predicates: LOCK unlock() 5 LOCK LOCK Reachability Tree
41 Analyze Counterexample Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5 LOCK unlock() Predicates: LOCK LOCK Reachability Tree
42 Analyze Counterexample Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); Predicates: LOCK LOCK LOCK LOCK LOCK LOCK LOCK old = new new++ [new==old] Inconsistent new == old Reachability Tree
43 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK 1 Predicates: LOCK, new==old Reachability Tree
44 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK, new==old 2 LOCK lock() old = new q=q->next 1 2 Predicates: LOCK, new==old Reachability Tree
45 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK LOCK, new==old 2 LOCK, new==old 3 q->data = new unlock() LOCK, new = old 4 new Predicates: LOCK, new==old Reachability Tree
46 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 LOCK, new = old 4 [new==old] 1 LOCK Predicates: LOCK, new==old Reachability Tree
47 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 LOCK, new = old 4 1 [new!=old] LOCK Predicates: LOCK, new==old LOCK, new == old Reachability Tree
48 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old LOCK SAFE LOCK, new = old 4 4 LOCK, new=old Predicates: LOCK, new==old 1 LOCK, new == old 5 LOCK, new==old Reachability Tree
49 Key Idea: Reachability Tree Initial 1 2 Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates Rebuild subtree with new preds. Error Free SAFE S1: Only Abstract Reachable States S2: Don t refine error-free regions
50 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Problem: Abstraction is Expensive Solution: 1. Abstract reachable states, 2. Avoid refining error-free regions Key Idea: Reachability Tree
51 Technical Details Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK Q. How to find predicates LOCK, new==old 2? LOCK, new==old LOCK, new = old LOCK, new=old SAFE Refinement Predicates: LOCK, new==old LOCK, new == old LOCK, new==old
52 #Predicates grows with program size T F T while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; Tracking lock not enough Problem: p 1,,p n needed for verification Exponential reachable abstract states
53 #Predicates grows with program size while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; LOCK LOCK, p 1 LOCK, p 1 LOCK, p 1 LOCK, p 1 LOCK p 1 p 2 p 1 p 2 p 1 p 2 p 1 p 2 2 n Abstract States Problem: p 1,,p n needed for verification Exponential reachable abstract states
54 Predicates useful locally p 1 p 2 p n while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; LOCK LOCK, p 1 LOCK, p 1 LOCK, LOCK p 1 LOCK LOCK, p 1 LOCK, p 2 LOCK, p 2 LOCK 2n Abstract States Solution: Use predicates only where needed Using Counterexamples: Q1. Find predicates Q2. Find where predicates are needed
55 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Problem: #Preds grows w/ Program Size Solution: Localize pred. use, find where preds. needed Ctrex. Trace Refine Pred. Map PC a Preds.
56 Counterexample Traces 1: x = ctr; 2: ctr = ctr + 1; 3: y = ctr; 4: if (x = i-1){ 5: if (y!= i){ ERROR: 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) y = x +1
57 Trace Formulas 1: x = ctr 2: ctr = ctr+1 3: y = ctr 4: assume(x=i-1) 5: assume(y i) Trace 1: x 1 = ctr 0 2: ctr 1 = ctr : y 1 = ctr 1 4: assume(x 1 =i 0-1) 5: assume(y 1 i 0 ) SSA Trace x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Trace Feasibility Formula Thm: Trace is feasible TF is satisfiable
58 The Present State Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) is all the information the executing program has here 5: assume(y i) State 1. after executing trace past (prefix) 2. knows present values of variables 3. makes trace future (suffix) infeasible At pc 4, which predicate on present state shows infeasibility of future?
59 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr 0 +1 Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0
60 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix Predicate implied by TF prefix
61 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 x 1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables Predicate implied by TF prefix on common variables
62 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables 3. makes trace suffix infeasible Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable
63 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables 3. makes trace suffix infeasible Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable
64 Interpolant = Predicate! Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Craig Interpolant [Craig 57] Computable from Proof of Unsat [Krajicek 97] [Pudlak 97] Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 ψ - Interpolate ψ + Φ Æ y 1 i 0 y 1 = x Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable Predicate at 4: y= x+1
65 Interpolant = Predicate! Trace 1: x = ctr 2: ctr = ctr + 1 Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr ψ - 3: y = ctr Æ y 1 = ctr Q. How to compute interpolants 1 Interpolate? Φ 4: assume(x = i-1) Æ x 1 = i 0-1 5: assume(y i) ψ + Predicate at 4: y= x+1 Æ y 1 i 0 y 1 = x Craig Interpolant [Craig 57] Computable from Proof of Unsat [Krajicek 97] [Pudlak 97] Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable
66 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - Predicate Map 2: x= ctr Interpolate ψ + x 1 = ctr 0 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i
67 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - ψ + Predicate Map 2: x = ctr 3: x= ctr-1 Interpolate x 1 = ctr 1-1 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i
68 Building Predicate Maps Trace 1: x = ctr Trace Formula x 1 = ctr 0 Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - ψ + Interpolate y 1 = x 1 +1 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i
69 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 5: y = i 3: y = ctr Æ y 1 = ctr 1 4: assume(x = i-1) Æ x 1 = i 0-1 5: assume(y i) Æ y 1 i 0 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i ψ - ψ + Interpolate y 1 = i 0
70 Local Predicate Use Use predicates needed at location #Preds. grows with program size #Preds per location small Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 5: y = i Local Predicate use Ex: 2n states Global Predicate use Ex: 2 n states
71 Property3: Localizing IRP Handler Win NT DDK Program Lines* Previous Time Predicates Time(mins) (mins) Total Average kbfiltr 12k floppy 17k diskprf 14k cdaudio 18k parport 61k DNF parclss 138k DNF * Pre-processed
72 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Solution: Localize pred. use, find where preds. needed Refine Ctrex. Trace Problem: #Preds grows w/ Program Size Trace Feas Formula Thm Pvr Proof of Unsat Interpolate Pred. Map PC a Preds.
73 Lazy Abstraction: Summary Predicates: Abstract infinite program states Counterexample-guided Refinement: Find predicates tailored to prog, property 1. Abstraction : Expensive Reachability Tree 2. Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation
74 The BLAST Query Language 1. (Possibly Infinite-State) Monitor Automata for Reachability Queries over Program Locations 2. First-Order Imperative Scripting Language for Combining Relations over Program Locations
75 Two-State Locking Monitor GLOBAL int locked; EVENT { PATTERN { init() ACTION { locked = 0; U unlock () lock () unlock () E L lock () EVENT { PATTERN { lock() ASSERT { locked == 0 ACTION { locked = 1; EVENT { PATTERN { unlock() ASSERT { locked == 1 ACTION { locked = 0;
76 Two-State Locking Monitor GLOBAL int locked; EVENT { PATTERN { init() ACTION { locked = 0; EVENT { PATTERN { lock() ASSERT { locked == 0 ACTION { locked = 1; EVENT { PATTERN { unlock() ASSERT { locked == 1 ACTION { locked = 0; lock () U unlock () unlock () E L lock () else REJECT else REJECT
77 Single-Lock Safety Analysis source(l1) := LOC_LABEL(l1, START ); target(l2) := TRUE(l2); error-traces(l1,l2) := REJECT(source,target,monitor); error-locs(l2) := EXISTS(l1,error-traces(l1,l2)); PRINT The following locations are reachable and cause a locking error: ; PRINT error-locs(l2); REJECT(l1,l2,monitor) is the set of all location pairs (l1,l2) such that there is a feasible program trace from l1 to l2 which is rejected by the automaton monitor.
78 Type-State Locking Monitor SHADOW lock_t { int locked; EVENT { PATTERN { init($1) ACTION { $1->locked = 0; EVENT { PATTERN { lock($1) ASSERT { $1->locked == 0 ACTION { $1->locked = 1; EVENT { PATTERN { unlock($1) ASSERT { $1->locked == 1 ACTION { $1->locked = 0;
79 Dead-Code Analysis source(l1) := LOC_LABEL(l1, START ); target(l2) := TRUE(l2); feasible-traces(l1,l2) := ACCEPT(source,target,EMPTY); reached-locs(l2) := feasible-traces(_,l2)); PRINT The following locations are not reachable: ; PRINT!reached-locs(l2);
80 Impact Analysis GLOBAL int defined; INITIAL { defined = 0; EVENT { PATTERN { j = $1; ACTION { defined ++ ; FINAL { defined == 1 else REJECT affected(l1,l2) := ACCEPT(LOC_LHS(l1, j ),LOC_RHS(l2, j ),monitor); PRINT affected(l1,l2);
81 Benefits of Two-Level Specifications 1. Separates properties from programs, while keeping a familiar syntax for writing properties 2. Treats a program as a database of facts that can be queried, and supports macros for traditional temporal-logic specifications 3. Supports the formulation of decomposition strategies for verification tasks 4. Supports the incremental maintenance of properties during program development
82 The BLAST Two-Level Query Language 1. (Possibly Infinite-State) Monitor Automata for Reachability Queries over Program Locations: checked by the BLAST model checking engine 2. First-Order Imperative Scripting Language for Combining Relations over Program Locations: checked by the CrocoPat relational query engine [Beyer, Noack, Lewerentz]
Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies
Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies Tom Henzinger EPFL Three Verification Communities Model checking: -automatic, but inefficient
More informationSMT and Its Application in Software Verification
SMT and Its Application in Software Verification Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer, Sinha, Jhala, and Majumdar Assertion in C int main(){ int x;
More informationModel Checking: An Introduction
Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations
More informationPredicate abstrac,on and interpola,on. Many pictures and examples are borrowed from The So'ware Model Checker BLAST presenta,on.
Predicate abstrac,on and interpola,on Many pictures and examples are borrowed from The So'ware Model Checker BLAST presenta,on. Outline. Predicate abstrac,on the idea in pictures 2. Counter- example guided
More informationDouble Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking
Double Header Model Checking #1 Two Lectures Model Checking SoftwareModel Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationSoftware Verification using Predicate Abstraction and Iterative Refinement: Part 1
using Predicate Abstraction and Iterative Refinement: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 28, 2011 Outline Overview of Model Checking Creating Models
More informationPredicate Abstraction: A Tutorial
Predicate Abstraction: A Tutorial Predicate Abstraction Daniel Kroening May 28 2012 Outline Introduction Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement
More informationAbstractions and Decision Procedures for Effective Software Model Checking
Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture
More informationInformation Flow Analysis via Path Condition Refinement
Information Flow Analysis via Path Condition Refinement Mana Taghdiri, Gregor Snelting, Carsten Sinz Karlsruhe Institute of Technology, Germany FAST September 16, 2010 KIT University of the State of Baden-Wuerttemberg
More informationNested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski POPL University of Freiburg, Germany
Nested Interpolants Matthias Heizmann Jochen Hoenicke Andreas Podelski University of Freiburg, Germany POPL 2010 Result Interpolant-based software model checking for recursive programs avoid construction
More informationAutomata-Theoretic Model Checking of Reactive Systems
Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,
More informationApplications of Craig Interpolants in Model Checking
Applications of Craig Interpolants in Model Checking K. L. McMillan Cadence Berkeley Labs Abstract. A Craig interpolant for a mutually inconsistent pair of formulas (A, B) is a formula that is (1) implied
More informationEFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES
EFFICIENT PREDICATE ABSTRACTION OF PROGRAM SUMMARIES Arie Gurfinkel, Sagar Chaki and Samir Sapra Carnegie Mellon Uni In NFM11 Presented by Nimrod Partush OUTLINE Introduction Predicate Abstraction CEGAR
More informationIC3 and Beyond: Incremental, Inductive Verification
IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder & Summit Middle School IC3 and Beyond: Incremental, Inductive Verification 1/62 Induction Foundation of verification
More informationRefinement of Trace Abstraction
Refinement of Trace Abstraction Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski University of Freiburg, Germany Abstract. We present a new counterexample-guided abstraction refinement scheme.
More information3-Valued Abstraction-Refinement
3-Valued Abstraction-Refinement Sharon Shoham Academic College of Tel-Aviv Yaffo 1 Model Checking An efficient procedure that receives: A finite-state model describing a system A temporal logic formula
More informationSoftware Verification with Abstraction-Based Methods
Software Verification with Abstraction-Based Methods Ákos Hajdu PhD student Department of Measurement and Information Systems, Budapest University of Technology and Economics MTA-BME Lendület Cyber-Physical
More informationAutomatic Verification of Parameterized Data Structures
Automatic Verification of Parameterized Data Structures Jyotirmoy V. Deshmukh, E. Allen Emerson and Prateek Gupta The University of Texas at Austin The University of Texas at Austin 1 Outline Motivation
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationSAT-Based Verification with IC3: Foundations and Demands
SAT-Based Verification with IC3: Foundations and Demands Aaron R. Bradley ECEE, CU Boulder & Summit Middle School SAT-Based Verification with IC3:Foundations and Demands 1/55 Induction Foundation of verification
More informationSoftware Verification
Software Verification Grégoire Sutre LaBRI, University of Bordeaux, CNRS, France Summer School on Verification Technology, Systems & Applications September 2008 Grégoire Sutre Software Verification VTSA
More informationFinite-State Model Checking
EECS 219C: Computer-Aided Verification Intro. to Model Checking: Models and Properties Sanjit A. Seshia EECS, UC Berkeley Finite-State Model Checking G(p X q) Temporal logic q p FSM Model Checker Yes,
More informationLecture Notes on Software Model Checking
15-414: Bug Catching: Automated Program Verification Lecture Notes on Software Model Checking Matt Fredrikson André Platzer Carnegie Mellon University Lecture 19 1 Introduction So far we ve focused on
More informationComputer-Aided Program Design
Computer-Aided Program Design Spring 2015, Rice University Unit 3 Swarat Chaudhuri February 5, 2015 Temporal logic Propositional logic is a good language for describing properties of program states. However,
More informationChapter 4: Computation tree logic
INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification
More informationUnderstanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55
Understanding IC3 Aaron R. Bradley ECEE, CU Boulder & Summit Middle School Understanding IC3 1/55 Further Reading This presentation is based on Bradley, A. R. Understanding IC3. In SAT, June 2012. http://theory.stanford.edu/~arbrad
More informationModel Checking & Program Analysis
Model Checking & Program Analysis Markus Müller-Olm Dortmund University Overview Introduction Model Checking Flow Analysis Some Links between MC and FA Conclusion Apology for not giving proper credit to
More informationNested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski. Abstract. 1. Introduction. University of Freiburg, Germany
c ACM 2010. This is the author s version of the work. t is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Principles of Programming
More informationInterpolant-based Transition Relation Approximation
Interpolant-based Transition Relation Approximation Ranjit Jhala and K. L. McMillan 1 University of California, San Diego 2 Cadence Berkeley Labs Abstract. In predicate abstraction, exact image computation
More informationCompositional Reasoning
EECS 219C: Computer-Aided Verification Compositional Reasoning and Learning for Model Generation Sanjit A. Seshia EECS, UC Berkeley Acknowledgments: Avrim Blum Compositional Reasoning S. A. Seshia 2 1
More informationTheorem Proving beyond Deduction
Theorem Proving beyond Deduction Specification and Verification with Higher-Order Logic Arnd Poetzsch-Heffter (Slides by Jens Brandt) Software Technology Group Fachbereich Informatik Technische Universität
More informationRanking Verification Counterexamples: An Invariant guided approach
Ranking Verification Counterexamples: An Invariant guided approach Ansuman Banerjee Indian Statistical Institute Joint work with Pallab Dasgupta, Srobona Mitra and Harish Kumar Complex Systems Everywhere
More informationAutomata-based Verification - III
COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationLTL Model Checking. Wishnu Prasetya.
LTL Model Checking Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv Overview This pack : Abstract model of programs Temporal properties Verification (via model checking) algorithm Concurrency
More informationTemporal logics and explicit-state model checking. Pierre Wolper Université de Liège
Temporal logics and explicit-state model checking Pierre Wolper Université de Liège 1 Topics to be covered Introducing explicit-state model checking Finite automata on infinite words Temporal Logics and
More informationSymmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago
Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago Model-Checking Concurrent PGM Temporal SPEC Model Checker Yes/No Counter Example Approach Build the global state graph Algorithm
More informationBounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39
Bounded Model Checking with SAT/SMT Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39 Recap: Symbolic Model Checking with BDDs Method used by most industrial strength model checkers:
More informationFormal Verification Techniques. Riccardo Sisto, Politecnico di Torino
Formal Verification Techniques Riccardo Sisto, Politecnico di Torino State exploration State Exploration and Theorem Proving Exhaustive exploration => result is certain (correctness or noncorrectness proof)
More informationPart I. Principles and Techniques
Introduction to Formal Methods Part I. Principles and Techniques Lecturer: JUNBEOM YOO jbyoo@konkuk.ac.kr Introduction Text System and Software Verification : Model-Checking Techniques and Tools In this
More informationIntroduction to Model Checking. Debdeep Mukhopadhyay IIT Madras
Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling
More informationLecture 2: Symbolic Model Checking With SAT
Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.
More informationPLEASE DO NOT REMOVE THIS PAGE
Thank you for downloading this document from the RMIT ResearchR Repository Citation: Liu, H, Wang, D, Huimin, L and Chen, T 2009, 'On the integration of metamorphic testing and model checking', in Hans
More informationAlgorithmic verification
Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification
More informationAxiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs
Review Operational semantics relatively l simple many flavors (small vs. big) not compositional (rule for while) Good for describing language implementation reasoning about properties of the language eg.
More informationModel Checking. Boris Feigin March 9, University College London
b.feigin@cs.ucl.ac.uk University College London March 9, 2005 Outline 1 2 Techniques Symbolic 3 Software 4 Vs. Deductive Verification Summary Further Reading In a nutshell... Model checking is a collection
More informationAutomata, Logic and Games: Theory and Application
Automata, Logic and Games: Theory and Application 1. Büchi Automata and S1S Luke Ong University of Oxford TACL Summer School University of Salerno, 14-19 June 2015 Luke Ong Büchi Automata & S1S 14-19 June
More informationNon-Monotonic Refinement of Control Abstraction for Concurrent Programs
Non-Monotonic Refinement of Control Abstraction for Concurrent Programs Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko Technische Universität München Abstract. Verification based on abstraction
More informationAutomata-based Verification - III
CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationor simply: IC3 A Simplified Description
Incremental Construction of Inductive Clauses for Indubitable Correctness or simply: IC3 A Simplified Description Based on SAT-Based Model Checking without Unrolling Aaron Bradley, VMCAI 2011 Efficient
More informationSanjit A. Seshia EECS, UC Berkeley
EECS 219C: Computer-Aided Verification Explicit-State Model Checking: Additional Material Sanjit A. Seshia EECS, UC Berkeley Acknowledgments: G. Holzmann Checking if M satisfies : Steps 1. Compute Buchi
More informationOverview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?
Computer Engineering and Networks Overview Discrete Event Systems Verification of Finite Automata Lothar Thiele Introduction Binary Decision Diagrams Representation of Boolean Functions Comparing two circuits
More informationThe Impact of Craig s Interpolation Theorem. in Computer Science
The Impact of Craig s Interpolation Theorem in Computer Science Cesare Tinelli tinelli@cs.uiowa.edu The University of Iowa Berkeley, May 2007 p.1/28 The Role of Logic in Computer Science Mathematical logic
More informationStatic Program Analysis
Static Program Analysis Xiangyu Zhang The slides are compiled from Alex Aiken s Michael D. Ernst s Sorin Lerner s A Scary Outline Type-based analysis Data-flow analysis Abstract interpretation Theorem
More informationPredicate Abstraction and Refinement for Verifying Multi-Threaded Programs
Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs Ashutosh Gupta Corneliu Popeea Andrey Rybalchenko Institut für Informatik, Technische Universität München Germany {guptaa,popeea,rybal}@in.tum.de
More informationDeductive Verification
Deductive Verification Mooly Sagiv Slides from Zvonimir Rakamaric First-Order Logic A formal notation for mathematics, with expressions involving Propositional symbols Predicates Functions and constant
More informationCS 4700: Foundations of Artificial Intelligence
CS 4700: Foundations of Artificial Intelligence Bart Selman selman@cs.cornell.edu Module: Knowledge, Reasoning, and Planning Part 2 Logical Agents R&N: Chapter 7 1 Illustrative example: Wumpus World (Somewhat
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Lecture 6: Axiomatic Semantics Deriv. Rules for Hoare Logic `{A} c {B} Rules for each language construct ` {A} c 1 {B} ` {B} c 2 {C} ` {A} skip
More informationLecture Notes on Emptiness Checking, LTL Büchi Automata
15-414: Bug Catching: Automated Program Verification Lecture Notes on Emptiness Checking, LTL Büchi Automata Matt Fredrikson André Platzer Carnegie Mellon University Lecture 18 1 Introduction We ve seen
More informationLinear-time Temporal Logic
Linear-time Temporal Logic Pedro Cabalar Department of Computer Science University of Corunna, SPAIN cabalar@udc.es 2015/2016 P. Cabalar ( Department Linear oftemporal Computer Logic Science University
More informationCSE507. Course Introduction. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 courses.cs.washington.edu/courses/cse507/14au/ Course Introduction Emina Torlak emina@cs.washington.edu Today What is this course about? Course logistics Review
More informationSAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang
SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments Requirements for SAT solvers in the Real World Fast & Robust Given a problem instance, we want to solve it quickly Reliable
More informationConstraint Solving for Program Verification: Theory and Practice by Example
Constraint Solving for Program Verification: Theory and Practice by Example Andrey Rybalchenko Technische Universität München Abstract. Program verification relies on the construction of auxiliary assertions
More informationComputation Tree Logic (CTL) & Basic Model Checking Algorithms
Computation Tree Logic (CTL) & Basic Model Checking Algorithms Martin Fränzle Carl von Ossietzky Universität Dpt. of Computing Science Res. Grp. Hybride Systeme Oldenburg, Germany 02917: CTL & Model Checking
More informationConstraint Solving for Program Verification: Theory and Practice by Example
Constraint Solving for Program Verification: Theory and Practice by Example Andrey Rybalchenko Technische Universität München Abstract. Program verification relies on the construction of auxiliary assertions
More informationAxiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements
Axiomatic Semantics: Verification Conditions Meeting 12, CSCI 5535, Spring 2009 Announcements Homework 4 is due tonight Wed forum: papers on automated testing using symbolic execution 2 Questions? Review
More informationCTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking
CTL Model checking Assumptions:. finite number of processes, each having a finite number of finite-valued variables.. finite length of CTL formula Problem:Determine whether formula f 0 is true in a finite
More informationFAIRNESS FOR INFINITE STATE SYSTEMS
FAIRNESS FOR INFINITE STATE SYSTEMS Heidy Khlaaf University College London 1 FORMAL VERIFICATION Formal verification is the process of establishing whether a system satisfies some requirements (properties),
More informationProbabilistic Model Checking and Strategy Synthesis for Robot Navigation
Probabilistic Model Checking and Strategy Synthesis for Robot Navigation Dave Parker University of Birmingham (joint work with Bruno Lacerda, Nick Hawes) AIMS CDT, Oxford, May 2015 Overview Probabilistic
More informationModel for reactive systems/software
Temporal Logics CS 5219 Abhik Roychoudhury National University of Singapore The big picture Software/ Sys. to be built (Dream) Properties to Satisfy (caution) Today s lecture System Model (Rough Idea)
More informationPlanning Under Uncertainty II
Planning Under Uncertainty II Intelligent Robotics 2014/15 Bruno Lacerda Announcement No class next Monday - 17/11/2014 2 Previous Lecture Approach to cope with uncertainty on outcome of actions Markov
More informationStatic Program Analysis
Static Program Analysis Lecture 16: Abstract Interpretation VI (Counterexample-Guided Abstraction Refinement) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de
More informationIvy: Safety Verification by Interactive Generalization
Ivy: Safety Verification by Interactive Generalization Oded Padon Verification Day 1-June-2016 [PLDI 16] Oded Padon, Kenneth McMillan, Aurojit Panda, Mooly Sagiv, Sharon Shoham. Ivy: Safety Verification
More informationVinter: A Vampire-Based Tool for Interpolation
Vinter: A Vampire-Based Tool for Interpolation Kryštof Hoder 1, Andreas Holzer 2, Laura Kovács 2, and Andrei Voronkov 1 1 University of Manchester 2 TU Vienna Abstract. This paper describes the Vinter
More informationComplexity and algorithms for monomial and clausal predicate abstraction
Complexity and algorithms for monomial and clausal predicate abstraction Shuvendu K. Lahiri and Shaz Qadeer Microsoft Research Abstract. In this paper, we investigate the asymptotic complexity of various
More informationCIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Specification Patterns Copyright 2001-2002, Matt Dwyer, John Hatcliff, Robby. The syllabus and all lectures for this
More informationModel Checking with CTL. Presented by Jason Simas
Model Checking with CTL Presented by Jason Simas Model Checking with CTL Based Upon: Logic in Computer Science. Huth and Ryan. 2000. (148-215) Model Checking. Clarke, Grumberg and Peled. 1999. (1-26) Content
More informationPropositional Calculus - Deductive Systems
Propositional Calculus - Deductive Systems Moonzoo Kim CS Division of EECS Dept. KAIST moonzoo@cs.kaist.ac.kr http://pswlab.kaist.ac.kr/courses/cs402-07 1 Deductive proofs (1/3) Suppose we want to know
More informationCTL satisfability via tableau A C++ implementation
CTL satisfability via tableau A C++ implementation Nicola Prezza April 30, 2015 Outline 1 Introduction 2 Parsing 3 Data structures 4 Initial sets of labels and edges 5 Cull 6 Examples and benchmarks The
More informationQuantum Computing Approach to V&V of Complex Systems Overview
Quantum Computing Approach to V&V of Complex Systems Overview Summary of Quantum Enabled V&V Technology June, 04 Todd Belote Chris Elliott Flight Controls / VMS Integration Discussion Layout I. Quantum
More informationRelative Completeness of Abstraction Refinement for Software Model Checking
Relative Completeness of Abstraction Refinement for Software Model Checking Thomas Ball 1, Andreas Podelski 2, and Sriram K. Rajamani 1 1 Microsoft Research 2 Max-Planck-Institut für Informatik Abstract.
More informationVerification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna
IIT Patna 1 Verification Arijit Mondal Dept. of Computer Science & Engineering Indian Institute of Technology Patna arijit@iitp.ac.in Introduction The goal of verification To ensure 100% correct in functionality
More informationOverview of Topics. Finite Model Theory. Finite Model Theory. Connections to Database Theory. Qing Wang
Overview of Topics Finite Model Theory Part 1: Introduction 1 What is finite model theory? 2 Connections to some areas in CS Qing Wang qing.wang@anu.edu.au Database theory Complexity theory 3 Basic definitions
More informationIntroduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014
Introduction Pedro Cabalar Department of Computer Science University of Corunna, SPAIN cabalar@udc.es 2013/2014 P. Cabalar ( Department Introduction of Computer Science University of Corunna, SPAIN2013/2014
More informationTutorial 1: Modern SMT Solvers and Verification
University of Illinois at Urbana-Champaign Tutorial 1: Modern SMT Solvers and Verification Sayan Mitra Electrical & Computer Engineering Coordinated Science Laboratory University of Illinois at Urbana
More informationA brief introduction to Logic. (slides from
A brief introduction to Logic (slides from http://www.decision-procedures.org/) 1 A Brief Introduction to Logic - Outline Propositional Logic :Syntax Propositional Logic :Semantics Satisfiability and validity
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationIntroduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either
Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action
More informationAutomated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving
Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving Matt Fredrikson mfredrik@cs.cmu.edu October 17, 2016 Matt Fredrikson SAT Solving 1 / 36 Review: Propositional
More informationInterpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg
Interpolation Seminar Slides Albert-Ludwigs-Universität Freiburg Betim Musa 27 th June 2015 Motivation program add(int a, int b) { var x,i : int; l 0 assume(b 0); l 1 x := a; l 2 i := 0; while(i < b) {
More informationAutomata-Theoretic LTL Model-Checking
Automata-Theoretic LTL Model-Checking Arie Gurfinkel arie@cmu.edu SEI/CMU Automata-Theoretic LTL Model-Checking p.1 LTL - Linear Time Logic (Pn 77) Determines Patterns on Infinite Traces Atomic Propositions
More informationProperty Directed Equivalence via Abstract Simulation. Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina
Property Directed Equivalence via Abstract Simulation Grigory Fedyukovich, Arie Gurfinkel, and Natasha Sharygina CAV, Jul 23, 2016 Motivation / Goals Little Leaks Add Up to Big Bills software safety must
More informationScenario Graphs and Attack Graphs
Scenario Graphs and Attack Graphs Oleg Mikhail Sheyner CMU-CS-04-122 April 14, 2004 School of Computer Science Computer Science Department Carnegie Mellon University Pittsburgh, PA Thesis Committee: Jeannette
More informationAn Interpolating Theorem Prover
An Interpolating Theorem Prover K.L. McMillan Cadence Berkeley Labs Abstract. We present a method of deriving Craig interpolants from proofs in the quantifier-free theory of linear inequality and uninterpreted
More informationNonlinear Control as Program Synthesis (A Starter)
Nonlinear Control as Program Synthesis (A Starter) Sicun Gao MIT December 15, 2014 Preliminaries Definition (L RF ) L RF is the first-order language over the reals that allows arbitrary numerically computable
More informationHoare Logic: Reasoning About Imperative Programs
Hoare Logic: Reasoning About Imperative Programs COMP1600 / COMP6260 Dirk Pattinson Australian National University Semester 2, 2018 Programming Paradigms Functional. (Haskell, SML, OCaml,... ) main paradigm:
More informationSpatial Interpolants
Spatial Interpolants Aws Albargouthi 1, Josh Berdine 2, Byron Cook 3, and Zachary Kincaid 4 University of Wisconsin-Madison 1, Microsoft Research 2, University College London 3, University of Toronto 4
More informationProgram Verification Using Separation Logic
Program Verification Using Separation Logic Cristiano Calcagno Adapted from material by Dino Distefano Lecture 1 Goal of the course Study Separation Logic having automatic verification in mind Learn how
More informationIC3, PDR, and Friends
IC3, PDR, and Friends Arie Gurfinkel Department of Electrical and Computer Engineering University of Waterloo arie.gurfinkel@uwaterloo.ca Abstract. We describe the IC3/PDR algorithms and their various
More informationProving Safety with Trace Automata and Bounded Model Checking
Proving Safety with Trace Automata and Bounded Model Checking Daniel Kroening 1, Matt Lewis 1, and Georg Weissenbacher 2 1 University of Oxford 2 Vienna University of Technology Abstract. Loop under-approximation
More informationPushing to the Top FMCAD 15. Arie Gurfinkel Alexander Ivrii
Pushing to the Top FMCAD 15 Arie Gurfinkel Alexander Ivrii Safety Verification Consider a verification problem (Init, Tr, Bad) The problem is UNSAFE if and only if there exists a path from an Init-state
More information