CBMC: Bounded Model Checking for ANSI-C

Recommend Documents

Bounded model checking [1] (BMC) is a technique for finding bugs in finite state sys- ... grant 93346/01 (An Automata Theoretic Approach to Software Model ...

Bounded Model Checking - WRLA 2012

Mar 24, 2012 - Objects of class AC1 correspond to components of layer 1, implementing ...... 2 CNRS FEMTO-ST and University of Franche-ComtÃ©, 16 route de ...

Bounded Model Checking for Interpreted Systems ... - CiteSeerX

bounded model checking [PWZ02] to knowledge and time [PL03a]. Bounded .... do point out the fact that there are heuristics that can be applied in particular.

Incremental Bounded Model Checking for Embedded Software ...

Sep 20, 2014 - Tino Teige2, and Tom BienmÃ¼ller2. 1 University of Oxford ...... Hayhurst, K.J., Veerhusen, D.S., Chilenski, J.J., Rierson, L.K.: A practical tutorial.

Concurrent Bounded Model Checking - Quoc-Sang Phan

[15] Patrice Godefroid, Michael Y. Levin, and David A. Molnar. Automated whitebox fuzz testing. ... [33] Ulrich Stern and David L. Dill. Parallelizing the murphi.

Bounded Model Checking Using Satisfiability Solving - CiteSeerX

bounded model checking, do a very fast exploration of the state space, and for ..... for some model checking problems, primarily by substituting SAT procedures.

Estimating Functional Coverage in Bounded Model Checking

In this paper we propose a pragmatic approach for the es- timation of coverage in BMC. ..... It is left to the programmer of the CPU to avoid an address overflow.

Bounded Model Checking Using Satisfiability Solving

ran BMC in a mode in which, for each design block and each AG p specification, ... We did not model the interfaces between the subcircuits on which we ran our ...

Towards completeness in Bounded Model Checking through

This problem remains open: the BMC tools analyze an under- approximation of a program ... going to be refined and the algorithm goes to the next iteration. Our approach is ... analysis to guarantee a practical solution. Unlike in our ..... Classical

On the Completeness of Bounded Model Checking for Threshold ...

model checking, if the number of local states of the concurrent processes ... guards that compare the value of a shared integer variable to a linear combination.

Lazy-CSeq: A Context-Bounded Model Checking Tool for Multi ...

translates a multi-threaded C program into a bounded nondeter- ..... intuitive and require a less steep learning curve, and combined with Python's flexibility it is ...

A Metric Encoding for Bounded Model Checking (extended version)

Jul 27, 2009 - ground material on Metric Temporal Logic and bi-infinite time, ..... Zot is an agile and easily extendible bounded model checker, which can be ...

Forward Analysis and Model Checking for Bounded WSTS

Jul 15, 2010 - A well-structured transition system (WSTS) (Finkel, 1990; Abdulla et al.,. 2000; Finkel and .... Let us prove that âB = D: suppose s is an element of. D, thus that there ..... We will refine the arguments of Lemma 11 in Section 5.2.

Refining the SAT Decision Ordering for Bounded Model Checking

A Boolean formula is satisfiable if and only if there exists a set of assignments that make the formula true. Many modern SAT solvers [17, 20, 13, 8] are based on ...

BDD-versus SAT-based bounded model checking for ... - Springer Link

Aug 31, 2013 - e-mail: [email protected] ... e-mail: [email protected] ... Verification of multi-agent systems (MAS) is an actively developing field of ...

From bounded to unbounded model checking for ... - Semantic Scholar

IOS Press. From bounded to unbounded model checking for temporal epistemic logic. â .... possible global state so that a simple fixed point semantics for them can be given. Still, note that, if .... The operator U stands for Until; the formula Î±UÎ

Efficient Proof Engines for Bounded Model Checking of Hybrid Systems

2 Email: [email protected]. 3 This work ... the Transregional Collaborative Research Center âAutomatic Verification and Analysis of.

Improved Bounded Model Checking for a Fair ... - Semantic Scholar

Xiaowei Huang, Cheng Luo, and Ron van der Meyden. University of New South ... subformulas at all points of such runs, handling the search for a witness for an ...

Efficient Proof Engines for Bounded Model Checking of ... - DTU Orbit

an API to the solver core, providing methods for formula generation, sim- plification, common ..... On the complexity of derivations in propositional calculus. In.

Exploiting Safety Properties in Bounded Model Checking for ... - SSVLAB

sempenha um papel importante para garantir a qualidade geral do produto. O valor dos contra exemplos e propriedades de seguranÃ§a gerados pelos Bounded.

Efficient SAT-based Bounded Model Checking for Software Verification

of the generated software model using an unrolling based on blocks â the block modeling approach .... by customizing the back-end SAT-solver. We use certain ...

Bounded Model Checking for Weak Alternating Bu127 uchi ... - tkk

Keywords: Weak Alternating BÃ¼chi Automata, Bounded Model Checking, PSL, ... shortcomings are in one way or another related to the fact that LTL cannot ...

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Jul 13, 2009 - does not make use of high-level information to simplify the unrolled formula. ..... definition literal is true iff a given clause of the formula. P is true. Hence, in ..... conducted on an otherwise idle Intel Xeon 5160, 3GHz server wi

SMT-Based Context-Bounded Model Checking for ...

We present ESBMC-GPU tool, an extension to the Efficient SMT-Based Context-Bounded Model Checker. (ESBMC), which is aimed at verifying Graphics ...

CBMC: Bounded Model Checking for ANSI-C

Download PDF

6 downloads 227 Views 722KB Size Report

Comment

We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java. ▻ As the first step, we transform the program into a ...

CBMC: Bounded Model Checking for ANSI-C

Version 1.0, 2010

Outline

Preliminaries

BMC Basics

Completeness

Solving the Decision Problem

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

2

Preliminaries I

We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java

I

As the first step, we transform the program into a control flow graph (CFG)

C/C++ parse Source

parse tree

CFG

frontend

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

3

Example: SHS if ( (0 y CNF: About 11000 variables, unsolvable for current SAT solvers

I

Similar problems with division, modulo

I

Q: Why is this hard?

I

Q: How do we fix this?

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

38

Incremental Flattening ?

ϕf := ϕsk , F := ∅

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT? No! ?

UNSAT ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

Yes! -

compute I

No! ?

UNSAT ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

Yes! -

compute I

No!

I=∅

?

?

UNSAT

SAT

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

Pick F 0 ⊆ (I \ F ) F := F ∪ F 0 ϕf := ϕf ∧ C ONSTRAINT(F ) 6 I 6= ∅

?

Is ϕf SAT?

Yes! -

compute I

No!

I=∅

?

?

UNSAT

SAT

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening

I

Idea: add ’easy’ parts of the formula first

I

Only add hard parts when needed

I

ϕf only gets stronger – use an incremental SAT solver

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

40