model checking c-programs – an example: integer square root
DESCRIPTION
Model Checking C-Programs – An Example: Integer Square Root. Wenhui Zhang http://lcs.ios.ac.cn/~zwh. Contents. Integer Square Root. Model Checking. Compositional Reasoning. Summary. A Concrete Example of such a Software. start. initialize. s0. Take a number n. in(). s1. - PowerPoint PPT PresentationTRANSCRIPT
Model Checking C-Programs – An Example: Integer Square Root
Wenhui Zhanghttp://lcs.ios.ac.cn/~zwh
Contents
Integer Square Root
Model Checking
Summary
Compositional Reasoning
A Concrete Example of such a Software
Take a number nTake a number n
Output a number mOutput a number m
s2s2
s0s0
initializeinitialize
startstart
s1s1
TransformationTransformation
in()in()
isr(n,k), isk(n,k)isr(n,k), isk(n,k)
Correctness Claim:The ouput is the integer square root of the input
Correctness Claim:The ouput is the integer square root of the input
Correctness Claim:(m*m)<=n;(m*m)+2*m+1>n
Correctness Claim:(m*m)<=n;(m*m)+2*m+1>n
Example: Function main()#include <stdio.h>/********************************************/int in();int isr(int x,int k);int isk(int n,int k);/********************************************/int main(){
int n=0, m=0;int k=1;
printf("INFO: system is now active\n"); while (1) {
n=in();m=isr(n,k);k=isk(n,k);
printf("RESULT: %i\n\n",m);}
}
Example: Function in()int in(){ char c=0; int k=0; while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n");
continue; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin);
if (c=='\n') { return k; }
if (c<'0'||c>'9') {
while (1) { c=getc(stdin); if (c=='\n') break; }
printf("INFO: the input must be 1 or 2 digits\n\n");
continue;
}
if (k<2) k=k*10+(c-'0');
else if (k==2&&c=='0') k=20;
else {
while (1) { c=getc(stdin); if (c=='\n') break; }
printf("INFO: the input number must be in {0,...,20}\n\n");
continue;
}
c=getc(stdin);
if (c!='\n') {
while (1) { c=getc(stdin); if (c=='\n') break; }
printf("INFO: the input must be 1 or 2 digits\n\n");
continue;
}
return k;
}
}
Example: isr() and isk()int isr(int x,int k){ int y1=0; int y2=0; int y3=0; y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } return y1;}
int isk(int n,int k){ if (k!=20) { if (k!=n) k=21; else if (k==19) k=0; else k=k+2; } else { k=21; } return k;}
Execution and Interaction#include <stdio.h>/**************************************************/int in();int isr(int x,int k);int isk(int n,int k);/**************************************************/main(int argc, char **argv ){ int n=0,m=0; int k=1;
printf("system is now active\n"); while (1) { n=in(); m=isr(n,k); k=isk(n,k); printf("RESULT: %i\n\n",m); }}/**************************************************/int isr(int y,int k){ int y1=0; int y2=0; int y3=0; int z=0; int x=y;
y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } z=y1; return z;}/**************************************************/int isk(int n,int k){ if (k!=20) { if (k!=n) k=21; else { if (k==19) k=0; else k=k+2; } } else { k=21; } return k;}/**************************************************/int in(){ char c; int k=0;
while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); /* printf("%i\n",c); */ if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin); if (c=='\n') { return k; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=k*10+(c-'0'); if (k>20) { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input number must be in {0,...,20}\n\n"); continue; } c=getc(stdin); if (c!='\n') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } return k; }}/**************************************************/
[zwh@panda 2013cp]$ ./isr1aINFO: system is now activeN: 1RESULT: 1 N: 23INFO: the input number must be in {0,...,20} N: 19RESULT: 4 N: adINFO: the input must be 1 or 2 digits N: 9RESULT: 3 N:
Program Correctness
It looks that the correctness claim holds, according to the sample executions.
Question: Does the claim holds for all input sequences?
In fact, there is an error when the input sequence is:1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4In fact, there is an error when the input sequence is:1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4
The input history may affect the behavior of the software, and it may cause errors in certain cases
Program Correctness
Question: Is the claim correct?
Use model checking!Use model checking!
Contents
Integer Square Root
Model Checking
Summary
Compositional Reasoning
Modeling and Model Checking
• Model Checking with VERDS– http://lcs.ios.ac.cn/~zwh/verds
• Input to VERDS – VVM (VERDS verification model)
• Modeling Language– VML (VERDS modeling langauge)
Verification Process
C ProgramC Program ModelModelAutomaticTranslatorAutomaticTranslator
VERDSModel Checker
VERDSModel Checker
PropertiesProperties
(at line 17): ((m*m)<=n)&&((m*m)+2*m+1>n)
Correctness Claim (isr1a.sp)
Model Checking
./verds –c isr.c –sp isr.spVERSION: verds 1.42 - DEC 2012FILE: isr.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 667---------- time = 667..bound =105 time = 1068---------- time = 1068The property is false, preparing files ...CONCLUSION: FALSE (time=3156)
[zwh@panda 2013cp]$ ../verds -c isr1a.c -sp isr1a.spVERSION: verds 1.43 - JAN 2013FILE: isr1a.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 326---------- time = 326bound = 1 time = 326---------- time = 326....bound =105 time = 675---------- time = 675The property is false, preparing files ...CONCLUSION: FALSE (time=3985 sec)
Verification Process
C ProgramC Program ModelModelAutomaticTranslatorAutomaticTranslator
VERDSModel Checker
VERDSModel Checker
PropertiesProperties
Negative ConclusionNegative
Conclusion
Error TraceError Trace
Error Trace (isr1a.cex)--- STATE 0 ---n =0m =0k =1pc =0--- TRANS 1 ------ STATE 1 ---n =0m =0k =1pc =1--- TRANS 2 ------ STATE 2 ---n =0m =0k =1pc =2--- TRANS 3 ------ STATE 3 ---n =1m =0k =1pc =3………
--- STATE 102 ---n =18m =4k =20pc =2--- TRANS 3 ------ STATE 103 ---n =4m =4k =20pc =3--- TRANS 4 ------ STATE 104 ---n =4m =1k =20pc =4--- TRANS 5 ------ STATE 105 ---n =4m =1k =21pc =5
Analysis of the Error Trace• An error occurred with the following sequence of
inputs:1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4
• Confirmation of the error by testing
• Correction to the program is made
Correction: Function main()#include <stdio.h>/********************************************/int in();int isr(int x,int k);int isk(int n,int k);/********************************************/int main(){
int n=0, m=0;int k=1;
printf("INFO: system is now active\n"); while (1) {
n=in();k=isk(n,k);m=isr(n,k);
printf("RESULT: %i\n\n",m);}
}
Verification of the Corrected One
./verds –c isr.c –sp isr.spVERSION: verds 1.42 - DEC 2012FILE: isr.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 667---------- time = 667..bound =105 time = 1068---------- time = 1068The property is false, preparing files ...CONCLUSION: FALSE (time=3156)
[zwh@panda 2013cp]$ ../verds -c isr2a.c -sp isr1a.spVERSION: verds 1.43 - JAN 2013FILE: isr2a.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 276---------- time = 276bound = 1 time = 276---------- time = 276....bound =105 time = 607---------- time = 607CONCLUSION: TRUE (time=607 sec)
Verification of the Corrected One
C ProgramC Program ModelModelAutomaticTranslatorAutomaticTranslator
VERDSModel Checker
VERDSModel Checker
Positive Conclusion
Positive Conclusion
PropertiesProperties
Contents
Integer Square Root
Model Checking
Summary
Compositional Reasoning
Verification Times
Number of called functions
Verification Time (sec)
3 607
Use of Assumption-Guarantee• Each function is augmented with a pair of assumption-
guarantee as follows (isr2a.fsp):
FUNCTION
z=isk(x,y)
ASSUMPTION
0<=x&&x<=20;
GUARANTEE
(!(z==20)||x=18);
FUNCTION
z=in()
ASSUMPTIONTRUE;
GUARANTEE
0<=z&&z<=20;
Verification Process (A/G)
C ProgramC Program ModelModelAutomaticTranslatorAutomaticTranslator
VERDSModel Checker
VERDSModel Checker
PropertiesProperties A/GSpecification
A/GSpecification
Verification Subgoals
../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp
../verds -ck in -Dint=i5 isr2a.vvm
../verds -ck isk -Dint=i5 isr2a.vvm
102 verification subgoals, one for main(), and one for each of the functions.
Verification of the Corrected One
./verds –c isr.c –sp isr.spVERSION: verds 1.42 - DEC 2012FILE: isr.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 667---------- time = 667..bound =105 time = 1068---------- time = 1068The property is false, preparing files ...CONCLUSION: FALSE (time=3156)
[zwh@panda 2013cp]$ ../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fspVERSION: verds 1.43 - JAN 2013FILE: isr2a.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 75---------- time = 75bound = 1 time = 75---------- time = 75bound = 2 time = 75---------- time = 75....bound = 11 time = 82---------- time = 82CONCLUSION: TRUE (time=82 sec)
Verification of the Corrected One
./verds –c isr.c –sp isr.spVERSION: verds 1.42 - DEC 2012FILE: isr.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 667---------- time = 667..bound =105 time = 1068---------- time = 1068The property is false, preparing files ...CONCLUSION: FALSE (time=3156)
[zwh@panda 2013cp]$ ../verds -Dint=i5 -ck in isr2a.vvmVERSION: verds 1.43 - JAN 2013FILE: isr2a.vvmbound = 0 time = 31---------- time = 31bound = 1 time = 31---------- time = 31INFO: A/G=1CONCLUSION: TRUE (time=34 sec)
Verification of the Corrected One
./verds –c isr.c –sp isr.spVERSION: verds 1.42 - DEC 2012FILE: isr.vvmPROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n )))bound = 0 time = 667---------- time = 667..bound =105 time = 1068---------- time = 1068The property is false, preparing files ...CONCLUSION: FALSE (time=3156)
[zwh@panda 2013cp]$ ../verds -Dint=i5 -ck isk isr2a.vvmVERSION: verds 1.43 - JAN 2013FILE: isr2a.vvmbound = 0 time = 32---------- time = 32bound = 1 time = 32---------- time = 32INFO: A/G=1CONCLUSION: TRUE (time=37 sec)
Verification Times
Verification Subgoal Verification Time (sec)
main() with A/G 82
in() 34
isk() 37
Sum 153
• Original task with model checking time = 607 seconds• 3 tasks with model checking time < 100 for each• Original task with model checking time = 607 seconds• 3 tasks with model checking time < 100 for each
Contents
Integer Square Root
Model Checking
Summary
Compositional Reasoning
Questions?