CBMC: Bounded Model Checking for ANSI-C

Download PDF
6 downloads 227 Views 722KB Size Report
Comment
We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java. ▻ As the first step, we transform the program into a ...
CBMC: Bounded Model Checking for ANSI-C

Version 1.0, 2010

Outline

Preliminaries

BMC Basics

Completeness

Solving the Decision Problem

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

2

Preliminaries I

We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java

I

As the first step, we transform the program into a control flow graph (CFG)

C/C++ parse Source

parse tree

CFG

frontend

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

3

Example: SHS if ( (0 y CNF: About 11000 variables, unsolvable for current SAT solvers

I

Similar problems with division, modulo

I

Q: Why is this hard?

I

Q: How do we fix this?

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

38

Incremental Flattening ?

ϕf := ϕsk , F := ∅

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT? No! ?

UNSAT ϕsk : Boolean part of ϕ F : set of terms that are in the encoding

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

Yes! -

compute I

No! ?

UNSAT ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅

?

Is ϕf SAT?

Yes! -

compute I

No!

I=∅

?

?

UNSAT

SAT

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening ?

ϕf := ϕsk , F := ∅ 

Pick F 0 ⊆ (I \ F ) F := F ∪ F 0 ϕf := ϕf ∧ C ONSTRAINT(F ) 6 I 6= ∅

?

Is ϕf SAT?

Yes! -

compute I

No!

I=∅

?

?

UNSAT

SAT

ϕsk : Boolean part of ϕ F : set of terms that are in the encoding I: set of terms that are inconsistent with the current assignment CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

39

Incremental Flattening

I

Idea: add ’easy’ parts of the formula first

I

Only add hard parts when needed

I

ϕf only gets stronger – use an incremental SAT solver

CBMC: Bounded Model Checking for ANSI-C – http://www.cprover.org/

40