SMT-Based Bounded Model Checking for Embedded ANSI-C Software (PDF)

33 Pages·2009·0.84 MB·English

SMT-Based Bounded Model Checking for Embedded ANSI-C Software
Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva
[email protected]

Bounded Model Checking (BMC)

Basic idea: check the negation of a given property up to a given depth.

[Figure: transition system M unrolled into M0, M1, M2, ..., Mk-1, Mk up to the bound k; property ¬ϕ0 ∨ ¬ϕ1 ∨ ¬ϕ2 ∨ ... ∨ ¬ϕk-1 ∨ ¬ϕk; a satisfying assignment is a counterexample trace]

• transition system M unrolled k times
  – for programs: unroll loops, unfold arrays, ...
• translated into a verification condition ψ such that ψ is satisfiable iff ϕ has a counterexample of max. depth k
• has been applied successfully to verify (embedded) software

SAT-based CBMC [D. Kroening]

implements BMC for ANSI-C/C++ programs using SAT solvers:

[Figure: C/C++ source → scan and parse → parse tree → typecheck and convert to SSA → IRep tree → unroll program k times → BMC → verification conditions and properties → SAT solver; satisfiability is checked using a SAT solver]

⇒ Problems (due to bit-blasting): conversion to propositional form
• complex expressions lead to large propositional formulae
• high-level information is lost

Encoding of x == a + b
• represent x, a, b by n independent propositional variables each
• represent addition by a logical circuit
• represent equality by equivalences on propositional variables

Objective of this work

Exploit SMT to improve BMC of embedded software
• exploit background theories of SMT solvers
• provide suitable encodings for
  – pointers
  – bit operations
  – unions
  – arithmetic over- and underflow
• build an SMT-based BMC tool for full ANSI-C
  – build on top of the CBMC front-end
  – use several third-party SMT solvers as back-ends
• evaluate ESBMC over embedded software applications
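The "Encoding of x == a + b" slide describes what bit-blasting costs. The following added example (not code from the slides or from CBMC/ESBMC) carries the encoding out in Python: each of x, a, b becomes n propositional variables, addition becomes a ripple-carry adder circuit, equality becomes a conjunction of bitwise equivalences, and the result is decided by brute-force enumeration standing in for a SAT solver. The tuple-based formula representation, the gate-counting rule (shared sub-terms counted once) and the small bit-widths are assumptions of this example; a real SAT back-end would Tseitin-encode the same circuit into CNF.

```python
"""Bit-blasting x == a + b into a propositional circuit, as a SAT-based
BMC must do before handing the problem to a SAT solver.

Formulas are nested tuples: ('var', name), ('not', f), ('and', f, g),
('or', f, g), ('xor', f, g).  Each n-bit word is n independent variables.
(Added illustration; not the slides' or CBMC's own code.)"""
from functools import reduce
from itertools import product


def var(name):
    return ('var', name)


def bitvec(name, n):
    # n independent propositional variables, bit 0 = least significant
    return [var(f"{name}{k}") for k in range(n)]


def _not(f):
    return ('not', f)


def _and(f, g):
    return ('and', f, g)


def _or(f, g):
    return ('or', f, g)


def _xor(f, g):
    return ('xor', f, g)


def add(av, bv):
    """Ripple-carry adder over two equal-width bit-vectors.  The final carry
    is dropped, i.e. addition modulo 2^n, matching C unsigned wrap-around."""
    n = len(av)
    sum_bits = [_xor(av[0], bv[0])]          # half adder for bit 0
    carry = _and(av[0], bv[0])
    for k in range(1, n):                    # full adders for bits 1..n-1
        a_xor_b = _xor(av[k], bv[k])         # shared sub-term
        sum_bits.append(_xor(a_xor_b, carry))
        carry = _or(_and(av[k], bv[k]), _and(a_xor_b, carry))
    return sum_bits


def equal(xv, yv):
    # bitwise equivalence (xnor), conjoined over all n bit positions
    return reduce(_and, [_not(_xor(x, y)) for x, y in zip(xv, yv)])


def encode_x_eq_a_plus_b(n):
    """The propositional formula for x == a + b plus the three variable words."""
    x, a, b = bitvec("x", n), bitvec("a", n), bitvec("b", n)
    return equal(x, add(a, b)), x, a, b


def gate_count(f):
    """Number of distinct logic gates (non-variable nodes) reachable from f;
    a sub-term used twice is counted once, as a Tseitin encoding would."""
    seen = set()

    def walk(node):
        if node[0] == 'var' or id(node) in seen:
            return
        seen.add(id(node))
        for child in node[1:]:
            walk(child)

    walk(f)
    return len(seen)


def evaluate(f, env):
    """Truth value of f under an assignment env: variable name -> bool."""
    op = f[0]
    if op == 'var':
        return env[f[1]]
    if op == 'not':
        return not evaluate(f[1], env)
    left, right = evaluate(f[1], env), evaluate(f[2], env)
    return {'and': left and right, 'or': left or right, 'xor': left != right}[op]


def word_env(vec, value):
    # assignment fixing a bit-vector's variables to a concrete integer
    return {name: bool((value >> k) & 1) for k, (_, name) in enumerate(vec)}


def solve_for_b(n, x_val, a_val):
    """Brute-force SAT check: find b with x == a + b (mod 2^n) for fixed x
    and a.  Returns the integer b, or None if the formula is unsatisfiable."""
    formula, x, a, b = encode_x_eq_a_plus_b(n)
    fixed = {**word_env(x, x_val), **word_env(a, a_val)}
    for bits in product([False, True], repeat=n):
        env = {**fixed, **{name: bit for (_, name), bit in zip(b, bits)}}
        if evaluate(formula, env):
            return sum(bit << k for k, bit in enumerate(bits))
    return None


if __name__ == "__main__":
    for n in (4, 8, 16, 32):
        gates = gate_count(encode_x_eq_a_plus_b(n)[0])
        print(f"{n:2d}-bit x == a + b: {gates} gates over {3 * n} variables")
    print("4-bit, x = 0, a = 5  ->  b =", solve_for_b(4, 0, 5))
```

The gate count grows linearly in the bit-width (8n - 7 gates for n >= 2 with this adder), and the solver sees only those gates: the fact that the whole block means a single addition is gone, which is the "high-level information is lost" problem the slides contrast with an SMT bit-vector term a + b.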
Satisfiability Modulo Theories (1)

SMT decides the satisfiability of first-order logic formulae using the combination of different background theories (⇒ built-in operators).

Theory              Example
Equality            x1 = x2 ∧ ¬(x1 = x3) ⇒ ¬(x1 = x3)
Bit-vectors         (b >> i) & 1 = 1
Linear arithmetic   (4y1 + 3y2 ≥ 4) ∨ (y2 – 3y3 ≤ 3)
Arrays              (j = k ∧ a[k] = 2) ⇒ a[j] = 2
Combined theories   (j ≤ k ∧ a[j] = 2) ⇒ a[i] < 3

Satisfiability Modulo Theories (2)

• Given
  – a decidable Σ-theory T
  – a quantifier-free formula ϕ
  ϕ is T-satisfiable iff T ∪ {ϕ} is satisfiable, i.e., there exists a structure that satisfies both the formula and the sentences of T
• Given
  – a set Γ ∪ {ϕ} of first-order formulae over T
  ϕ is a T-consequence of Γ (Γ ⊧_T ϕ) iff every model of T ∪ Γ is also a model of ϕ
• Checking Γ ⊧_T ϕ can be reduced in the usual way to checking the T-satisfiability of Γ ∪ {¬ϕ}

Software BMC using ESBMC

• program modelled as a state transition system
  – state: program counter and program variables
  – derived from the control-flow graph
  – checked safety properties give extra nodes
• program unrolled up to given bounds
  – number of loop iterations
  – size of arrays
• unrolled program optimized to reduce blow-up (crucial)
  – constant folding
  – forward substitutions
• front-end converts the unrolled and optimized program into SSA
• extraction of constraints C and properties P
  – specific to the selected SMT solver, uses theories
• satisfiability check of C ∧ ¬P

Example program:

    int main() {
      int a[2], i, x;
      if (x==0)
        a[i]=0;
      else
        a[i+2]=1;
      assert(a[i+1]==1);
    }

SSA form:

    g1 = x1 == 0
    a1 = a0 WITH [i0 := 0]
    a2 = a0
    a3 = a2 WITH [2+i0 := 1]
    a4 = g1 ? a1 : a3
    t1 = a4[1+i0] == 1

Constraints:

    C := g1 := (x1 = 0)
       ∧ a1 := store(a0, i0, 0)
       ∧ a2 := a0
       ∧ a3 := store(a2, 2+i0, 1)
       ∧ a4 := ite(g1, a1, a3)

Properties:

    P := i0 ≥ 0 ∧ i0 < 2
       ∧ 2+i0 ≥ 0 ∧ 2+i0 < 2
       ∧ 1+i0 ≥ 0 ∧ 1+i0 < 2
       ∧ select(a4, i0+1) = 1
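To make the last step concrete, the following added example (not code from the slides or from ESBMC) transcribes the SSA constraints C and the properties P of the example program into Python and decides C ∧ ¬P. The theory-of-arrays operations store, select and ite are given their standard meaning on a Python dict, and, in place of an SMT solver, the free inputs x, i and the initial contents a0 are enumerated over small finite domains; those domains, the ordering of candidates and the names of the conjuncts are assumptions of this example. The slide writes the bounds checks for all three accesses unconditionally, and P is transcribed exactly that way, which is why the check on 2+i0 is reported even on the x == 0 path. A second property set, the read-over-write fact select(store(a0, i0, 0), i0) = 0, shows the unsatisfiable case, where the check returns no counterexample.

```python
"""Deciding C ∧ ¬P for the ESBMC example program by exhaustive enumeration
over a small finite domain, standing in for the SMT solver.

Program from the slide (i and x are uninitialised, i.e. free inputs):
    int main() {
      int a[2], i, x;
      if (x==0) a[i]=0; else a[i+2]=1;
      assert(a[i+1]==1);
    }
(Added illustration; not the slides' or ESBMC's own code.)"""
from itertools import product

# Assumed finite domains (not part of the slide): the indices the unrolled
# program can touch, and the values a0 may initially hold at each of them.
INDEX_DOMAIN = range(-4, 6)
VALUE_DOMAIN = (0, 1)
I_CANDIDATES = list(range(0, 4)) + list(range(-4, 0))   # in-bounds i first
X_CANDIDATES = (0, 1)                                   # only x == 0 matters


def store(arr, idx, val):
    # theory of arrays: store(a, i, v) is a with position i overwritten
    new = dict(arr)
    new[idx] = val
    return new


def select(arr, idx):
    # theory of arrays: select(a, i) reads position i
    return arr[idx]


def ite(cond, then, else_):
    return then if cond else else_


def constraints(x1, i0, a0):
    """The conjunction C from the slide, evaluated on concrete inputs.
    Returns every SSA variable so the properties can refer to them."""
    e = {"x1": x1, "i0": i0, "a0": a0}
    e["g1"] = e["x1"] == 0                      # g1 := (x1 = 0)
    e["a1"] = store(e["a0"], e["i0"], 0)        # a1 := store(a0, i0, 0)
    e["a2"] = e["a0"]                           # a2 := a0
    e["a3"] = store(e["a2"], 2 + e["i0"], 1)    # a3 := store(a2, 2+i0, 1)
    e["a4"] = ite(e["g1"], e["a1"], e["a3"])    # a4 := ite(g1, a1, a3)
    return e


# The conjuncts of P from the slide, named so a violated one can be reported.
P = [
    ("i0 >= 0",              lambda e: e["i0"] >= 0),
    ("i0 < 2",               lambda e: e["i0"] < 2),
    ("2+i0 >= 0",            lambda e: 2 + e["i0"] >= 0),
    ("2+i0 < 2",             lambda e: 2 + e["i0"] < 2),
    ("1+i0 >= 0",            lambda e: 1 + e["i0"] >= 0),
    ("1+i0 < 2",             lambda e: 1 + e["i0"] < 2),
    ("select(a4, i0+1) = 1", lambda e: select(e["a4"], e["i0"] + 1) == 1),
]

# A property that does hold on every input: read-over-write on
# a1 = store(a0, i0, 0).  Assumed here to show the unsatisfiable case.
P_READ_OVER_WRITE = [
    ("0 <= i0 < 2 => select(a1, i0) = 0",
     lambda e: not (0 <= e["i0"] < 2) or select(e["a1"], e["i0"]) == 0),
]


def bmc_check(properties):
    """Search for a model of C ∧ ¬P over the assumed domains.  Returns
    (inputs, violated conjuncts), i.e. the counterexample trace, or None
    when no input violates any conjunct."""
    for x1 in X_CANDIDATES:
        for i0 in I_CANDIDATES:
            for values in product(VALUE_DOMAIN, repeat=len(INDEX_DOMAIN)):
                a0 = dict(zip(INDEX_DOMAIN, values))
                e = constraints(x1, i0, a0)
                violated = [name for name, holds in properties if not holds(e)]
                if violated:
                    return {"x": x1, "i": i0, "a0": a0}, violated
    return None


if __name__ == "__main__":
    print("C ∧ ¬P:", bmc_check(P))
    print("read-over-write:", bmc_check(P_READ_OVER_WRITE))
```

The first counterexample is x = 0, i = 0 with a0 all zero: the access a[i+2] is out of bounds for every i ≥ 0, and a[i+1] reads the uninitialised a0[1] rather than the 1 the assertion expects. Enumeration is only viable because the domains were chosen tiny; the slides' point is that an SMT solver decides the same C ∧ ¬P over full machine integers using the array and bit-vector theories directly.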
