hösttermin2018 - idatddd04/lectures/slides/2017/mcse.pdf · modelchecking i...

Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018

Post on 06-Oct-2020


Page 1: Hösttermin2018 - IDATDDD04/lectures/slides/2017/mcse.pdf · Modelchecking I Modelcheckingisapushbuttonverificationapproach I Given: I amodelM ofthesystemtobeverified,and I acorrectnesspropertyΦ

Algorithmic verification

Ahmed Rezine

IDA, Linköpings Universitet

Hösttermin 2018

Page 2:

Outline

Overview

Model checking

Symbolic execution

Page 4:

Program verification and Approximations

We often want to answer whether the program is safe or not (i.e., whether it has some erroneous reachable configurations or not):

[Figure: safe program vs. unsafe program]

Page 5:

Program Verification and Approximations

- Finding all configurations or behaviours (and hence errors) of arbitrary computer programs can be easily reduced to the halting problem of a Turing machine.

- This problem is proven to be undecidable, i.e., there is no algorithm that is guaranteed to terminate and to give an exact answer to the problem.

- An algorithm is sound if, each time it reports the program to be safe wrt. some errors, the original program is indeed safe wrt. those errors.

- An algorithm is complete if, each time it is given a program that is safe wrt. some errors, it does report it to be safe wrt. those errors.

Page 6:

Program Verification and Approximations

- The idea is then to come up with efficient approximations and algorithms that give correct answers in as many cases as possible.

[Figure: over-approximation vs. under-approximation]

Page 7:

Program Verification and Approximations

- A sound analysis cannot give false negatives
- A complete analysis cannot give false positives

[Figure: false positive vs. false negative]

Page 8:

In this lecture

We will briefly introduce different types of verification approaches:
- Model checking: exhaustive, aims for soundness
- Symbolic execution: partial, aims for completeness

Page 9:

Administrative Aspects:

- The lab sessions might not be enough and you might have to work more.

- You will need to write down your answers to each question on a draft.

- You will need to demonstrate (individually) your answers in one of the lab sessions on a computer.

- Once you get the green light, you can write your report in a PDF and send it (in pairs) to the person you demonstrated for.

- You will get questions in the final exam about this lecture and the labs.

Page 10:

Outline

Overview

Model checking
  Correctness properties

Symbolic execution

Page 11:

Model checking

- Model checking is a push-button verification approach
- Given:
  - a model M of the system to be verified, and
  - a correctness property Φ to be checked: absence of deadlocks, livelocks, starvation, violations of constraints/assertions, etc.
- The model checking tool returns:
  - a counterexample in case M does not model Φ, or
  - a mathematical guarantee that M does model Φ

Page 12:

Model Checking: Verification vs debugging

- Model checking tools are used both:
  - To establish correctness of a model M with respect to a correctness property Φ
  - More importantly, to find bugs and errors in M early during the design

Page 13:

M as a Kripke structure

Assume a set of atomic propositions $AP$. A Kripke structure $M$ is a tuple $(S, S_0, R, L)$ where:
1. $S$ is a finite set of states
2. $S_0 \subseteq S$ is the set of initial states
3. $R \subseteq S \times S$ is the transition relation, s.t. for any $s \in S$, $R(s, s')$ holds for some $s' \in S$ (R is total)
4. $L : S \to 2^{AP}$ labels each state with the atomic propositions that hold on it.

Page 14:

Programs as Kripke structures

    #include <assert.h>
    #include <pthread.h>

    int x = 0;

    /* Both main and thread do a non-atomic read-modify-write of the shared x;
       the interleavings of their two statements are the states of M. */
    void *thread(void *arg) {
        (void)arg;
        int v = x;
        x = v + 1;
        return NULL;
    }

    int main(void) {
        pthread_t t;
        pthread_create(&t, NULL, thread, NULL);   /* fork(thread) */
        int u = x;
        x = u + 1;
        pthread_join(t, NULL);                    /* join(thread) */
        assert(x == 2);   /* violated when both reads observe x == 0 */
        return 0;
    }

Page 15:

Synchronous circuits as Kripke structures

$v_0' = \neg v_0$ (1)
$v_1' = v_0 \oplus v_1$ (2)
$v_2' = (v_0 \wedge v_1) \oplus v_2$ (3)

Asynchronous circuits are handled using a disjunctive R instead of a conjunctive one like for synchronous circuits.


Page 17:

Temporal Logics

- Temporal logics are formalisms to describe sequences of transitions

- Time is not mentioned explicitly (in today's lecture)
- Instead, temporal operators are used to express that certain states are:
  - never reached
  - eventually reached
  - more complex combinations of those

Page 18:

Computation Tree Logic (CTL)

Computation trees are obtained by unwinding the Kripke structure

Page 19:

Computation Tree Logic (CTL)

[Figures: computation trees illustrating $M, s_0 \models EF\,g$, $M, s_0 \models AF\,g$, $M, s_0 \models EG\,g$ and $M, s_0 \models AG\,g$]
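The four CTL operators evaluated on the Kripke structure of the 3-bit counter from equations (1)-(3), as an added Python example that is not part of the slides: M = (S, S0, R, L) is built from the next-state equations and EF, AF, EG and AG are computed by fixpoint iteration over R. The proposition names v0, v1, v2 for the three bits and the set-based encoding of R and L are assumptions of this example.

```python
from itertools import product

def counter_kripke():
    """Kripke structure M = (S, S0, R, L) of the 3-bit synchronous counter from
    equations (1)-(3). A state is the bit vector (v0, v1, v2); R is conjunctive,
    i.e. all three next-state equations fire together, so each state has exactly
    one successor (and R is total, as a Kripke structure requires)."""
    S = list(product((0, 1), repeat=3))
    def step(s):
        v0, v1, v2 = s
        return (1 - v0, v0 ^ v1, (v0 & v1) ^ v2)  # v0'=~v0, v1'=v0 xor v1, v2'=(v0 and v1) xor v2
    R = {s: {step(s)} for s in S}
    L = {s: {"v%d" % i for i, bit in enumerate(s) if bit} for s in S}  # AP = {v0, v1, v2}, assumed names
    return S, {(0, 0, 0)}, R, L

def ex(R, Z):
    """EX Z: states with at least one successor in Z."""
    return {s for s, succ in R.items() if succ & Z}

def ax(R, Z):
    """AX Z: states all of whose successors lie in Z (equals ~EX ~Z because R is total)."""
    return {s for s, succ in R.items() if succ <= Z}

def fixpoint(f, start):
    """Iterate f from `start` until the set stops changing; S is finite, so this ends."""
    cur = start
    while (nxt := f(cur)) != cur:
        cur = nxt
    return cur

def sat(M, op, g):
    """States satisfying op g, for op in {EF, AF, EG, AG}; g is a predicate on a
    state's label set. EF g = g or EX EF g and AF g = g or AX AF g are least
    fixpoints from the empty set; EG g = g and EX EG g and AG g = g and AX AG g
    are greatest fixpoints from S."""
    S, _, R, L = M
    G = {s for s in S if g(L[s])}
    pre = ex if op[0] == "E" else ax
    if op[1] == "F":
        return fixpoint(lambda Z: G | pre(R, Z), set())
    return fixpoint(lambda Z: G & pre(R, Z), set(S))

def holds(M, op, g):
    """M, s0 |= op g for every initial state s0 of M."""
    return M[1] <= sat(M, op, g)
```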

Page 20:

Outline

Overview

Model checking

Symbolic execution

Page 21:

Testing

- Most common form of software validation
- Explores only one possible execution at a time
- For each new value, run a new test.
- On a 32-bit machine, if (i == 2014) bug() would require $2^{32}$ different values to make sure there is no bug.
- The idea in symbolic testing is to associate symbolic values to the variables

Page 22:

Symbolic Testing

- Main idea by J.C. King in "Symbolic Execution and Program Testing" in the 70s

- Use symbolic values instead of concrete ones
- Along the path, maintain a Path Constraint (PC) and a symbolic state (Σ)
  - PC collects constraints on variables' values along a path,
  - Σ associates variables to symbolic expressions,
- We get concrete values if PC is satisfiable
- The program can be run on these values
- Negate a condition in the path constraint to get another path

Page 23:

Symbolic Execution: a simple example

- Can we get to the ERROR? Explore using SSA forms.
- Useful to check array out of bounds, assertion violations, etc.

     1 foo(int x, y, z) {
     2   x = y - z;
     3   if (x == z) {
     4     z = z - 3;
     5     if (4*z < x + y) {
     6       if (25 > x + y) {
     7         ...
     8       }
     9       else {
    10         ERROR;
    11       }
    12     }
    13   }
    14   ...

Path constraint $PC_i$ and symbolic state $\Sigma$ on reaching line $i$:

$PC_1 = \mathit{true}$
$PC_2 = PC_1$; $\Sigma: x \mapsto x_0,\ y \mapsto y_0,\ z \mapsto z_0$
$PC_3 = PC_2 \wedge x_1 = y_0 - z_0$; $\Sigma: x \mapsto y_0 - z_0,\ y \mapsto y_0,\ z \mapsto z_0$
$PC_4 = PC_3 \wedge x_1 = z_0$; $\Sigma: x \mapsto y_0 - z_0,\ y \mapsto y_0,\ z \mapsto z_0$
$PC_5 = PC_4 \wedge z_1 = z_0 - 3$; $\Sigma: x \mapsto y_0 - z_0,\ y \mapsto y_0,\ z \mapsto z_0 - 3$
$PC_6 = PC_5 \wedge 4 \cdot z_1 < x_1 + y_0$; $\Sigma: x \mapsto y_0 - z_0,\ y \mapsto y_0,\ z \mapsto z_0 - 3$

$PC_{10} = PC_6 \wedge 25 \le x_1 + y_0$; $\Sigma: x \mapsto y_0 - z_0,\ y \mapsto y_0,\ z \mapsto z_0 - 3$

$PC = (x_1 = y_0 - z_0 \wedge x_1 = z_0 \wedge z_1 = z_0 - 3 \wedge 4 \cdot z_1 < x_1 + y_0 \wedge 25 \le x_1 + y_0)$

Check satisfiability with an SMT solver (e.g., http://rise4fun.com/Z3)
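The symbolic run of foo along the ERROR path, as an added Python example that is not from the slides: it builds PC and Σ by substitution as in the table above, then, instead of calling Z3, decides satisfiability of PC by bounded enumeration over the inputs (an assumption of this example, not the technique the slide names), runs the concrete foo on the witness it finds, and negates the last condition to obtain the other path. The tuple encoding of foo in PROGRAM and the bound of 32 are assumptions.

```python
import re
from itertools import product

# foo from the slide, one tuple per statement; the comments give the slide's
# line numbers so that PC_i can be read off as the constraint at line i.
PROGRAM = [
    ("assign", "x", "y - z"),   # line 2
    ("branch", "x == z"),       # line 3
    ("assign", "z", "z - 3"),   # line 4
    ("branch", "4*z < x + y"),  # line 5
    ("branch", "25 > x + y"),   # line 6: the else branch is ERROR (line 10)
]

def substitute(expr, sigma):
    """Rewrite bare program variables in expr into their symbolic expressions."""
    return re.sub(r"\b[xyz]\b", lambda m: sigma[m.group(0)], expr)

def symbolic_path(program, taken):
    """Execute program symbolically, taking each branch as `taken` dictates
    (True = then, False = else). Returns (PC, sigma): the path constraint as a
    list of conjuncts over the SSA inputs x0, y0, z0, and the final symbolic state."""
    sigma = {v: v + "0" for v in "xyz"}  # initial symbolic state, as at PC_2
    pc, branches = [], iter(taken)
    for stmt in program:
        if stmt[0] == "assign":
            sigma[stmt[1]] = "(" + substitute(stmt[2], sigma) + ")"
        else:
            cond = substitute(stmt[1], sigma)
            pc.append(cond if next(branches) else "not (" + cond + ")")
    return pc, sigma

def solve(pc, bound=32):
    """Bounded enumeration standing in for the SMT solver (assumption: inputs
    in [0, bound)). Returns a model {x0, y0, z0} satisfying PC, or None."""
    checks = [compile(c, "<pc>", "eval") for c in pc]
    for x0, y0, z0 in product(range(bound), repeat=3):
        env = {"x0": x0, "y0": y0, "z0": z0}
        if all(eval(chk, {}, env) for chk in checks):
            return env
    return None

def foo(x, y, z):
    """Concrete foo from the slide; True iff the run would reach ERROR."""
    x = y - z
    if x == z:
        z = z - 3
        if 4 * z < x + y:
            return not (25 > x + y)
    return False
```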

Page 24:

Symbolic execution today

- Leverages the impressive advancements in SMT solvers
- Modern symbolic execution frameworks are not purely symbolic, and not necessarily static:
  - They can follow a concrete execution while collecting constraints along the way, or
  - They can treat some of the variables concretely, and some others symbolically
- This allows them to scale, to handle closed code or complex queries

Page 25:

Symbolic execution today

- C (actually LLVM): http://klee.github.io/
- Java (more than a symbolic executor): http://babelfish.arc.nasa.gov/trac/jpf
- C# (actually .NET): http://research.microsoft.com/en-us/projects/pex/
- ...