Embed Size (px)
Citation preview
26.8.2004
Model Checking C++
Daniel Kroening
26.8.2004 Daniel Kroening 2
Warning!
No new research in this talkTalk is about doing existing stufffor different language only
You might consider this trivial and nod off
!
26.8.2004 Daniel Kroening 3
Example from NASA JPLclass RCPNAM{public:RCPNAM(); //!< DND for STRICT protocol.~RCPNAM(); //!< Decr cntr, delete if zero.RCPNAM(RCPNOD* p); //!< New ptr at given object.RCPNOD* operator->();RCPNOD& operator*();RCPNAM(const RCPNAM& rhs); //!< Copy of existing RCPNAM.[…]RCPNAM& operator=(const RCPNAM& rhs); //!< Assign to existing RCPNAM.int nullp(){return ref_ == 0;}; //!< DND for STRICT.[…]public:RCPNOD* ref_;static RCPNOD* copyAndInc(const RCPNOD*const* p,int RCPNOD::*cntr);
};
26.8.2004 Daniel Kroening 4
Example from NASA JPL
Want to verify the code that goes into spaceContainer class with reference countingConcurrentMostly low-level, performance-orientedC and C++Uses assembly-language constructs foratomic accesses to pointers and counters
26.8.2004 Daniel Kroening 5
Example from NASA JPL
Verification:Extensive testingSPIN failed
Main challenge: pointers and referencesHow many threads are enough?
26.8.2004 Daniel Kroening 6
Outline
1. Frontend• What’s so hard about C++?• Parsing, Type Checking• STL
2. Backend• Verification Backends• Dynamic Objects
26.8.2004 Daniel Kroening 7
What’s so hard about C++?
Existing model checkers:compile, and work on binaryInfrastructure is difficult
Parsing is complicated (LRk)Complex name resolution rules(namespaces, templates, class hierarchy, overloading)
But: there are tools that flatten C++ to C
26.8.2004 Daniel Kroening 8
Why C++?
Main advantage of C++:
Encapsulation of complex data structuresin template libraries
Also main challenge whenmodel checking C++
26.8.2004 Daniel Kroening 9
What’s so hard about C++?
What kind of C++ are we going to see?Heavy use of references and pointersClass/Module hierarchyOverloadingTemplatesnew/delete
26.8.2004 Daniel Kroening 10
Model Extraction for C++
ParserParser
Type CheckerType Checker
CFG-GeneratorCFG-Generator
Backend
. . .
Frontend
26.8.2004 Daniel Kroening 11
Type Checker
Parse tree to symbol tableBoth represented as DAGsAlgorithm:1. Expand templates2. Resolve overloading3. Class hierarchy4. Annotate each sub-expression with type
26.8.2004 Daniel Kroening 12
Type Checker
cpp::f(9_reference(7_subtype=8_signedbv(5_width=2_32)))type: code
* arguments:0: argument
* type: reference* subtype: signedbv
* width: 32* return_type: empty
value: code* statement: block* type: code
* arguments:0: argument
* type: reference* subtype: signedbv
* width: 32* return_type: empty
void f(int &r){}
26.8.2004 Daniel Kroening 13
Control Flow Graph
Symbol table to Control Flow Graph (CFG)Essentially a guarded GOTO program,but with direct function callsvirtual methods and virtual classes andfunction pointers require alias analysis
26.8.2004 Daniel Kroening 14
Alias Analysis
ForReferencesPointersvirtual tables
Fixed-point iteration on the CFG→Interleaved with the computation of the CFG
Control flow sensitive (concurrency!)Field sensitive
26.8.2004 Daniel Kroening 15
Alias Analysis
int var;
void f() {var=1;
}
void g() {var=2;
}
int main() {bool c;void (*p)()=c?f:g;(*p)();
}
MAIN:INIT var = 0;main()
cpp::main():p = c ? f() : g();(*p)();
cpp::main()::1::p = { &f, &g }
26.8.2004 Daniel Kroening 16
Alias Analysis
int var;
void f() {var=1;
}
void g() {var=2;
}
int main() {bool c;void (*p)()=c?f:g;(*p)();
}
MAIN:INIT var = 0;main();
cpp::f():var = 1;
cpp::g():var = 2;
cpp::main():p = c ? f : g;IF p != &g THEN GOTO 1g();GOTO 2
1: f();2: SKIP
26.8.2004 Daniel Kroening 17
STL
Standard Template LibraryEncapsulates complex data structures and algorithms
typedef std::hash_map<std::string, symbolt, string_hash> symbolst;
. . .
typedef std::vector<nodet> nodest;
26.8.2004 Daniel Kroening 18
STL
“Interesting” programs using STLhave > 1000 data structuresFlatten to C?
STL implementation highly complex and optimizedDon’t want to verify STL together with program
Let’s assume STL is correct
26.8.2004 Daniel Kroening 19
Model Extraction for C++
ParserParser
Type CheckerType Checker
CFG-GeneratorCFG-Generator
Backend
. . .
Frontend
26.8.2004 Daniel Kroening 20
Model Extraction with the STL
ParserParser
Type CheckerType Checker
CFG-GeneratorCFG-Generator
Backend
. . .
Frontend
Inject modifications of class definitions
26.8.2004 Daniel Kroening 21
Abstract STL
Manually written abstractions of common STL data types
std::vectorstd::liststd::setstd::map
Catch errors when using STLCatch errors in program thatdepend on data in containers
26.8.2004 Daniel Kroening 22
STL
typedef std::vector<…> T;T v;
v.push_back(…);v.reserve(2);
T::const_iterator it=v.begin();
x=*it;
v.push_back(…);
x=*it;
26.8.2004 Daniel Kroening 23
Predicate Abstraction
Predicate Abstraction is a successful method to verify programs
C/C++Program
with threads
ConcurrentBooleanProgram
ModelChecker
VerificationInitialAbstraction
No erroror bug found
Simulator
Propertyholds
Simulationsuccessful
Bug foundRefinement
26.8.2004 Daniel Kroening 24
Dynamic Objects
C++ code tends to make excessive use of dynamic objectsAlgorithm:
Allow * and & in predicates,including pointer arithmeticNew: also have quantifiers ∀, ∃Maintain active bit α(o)and object size state variablesFlow control-sensitive points-to analysis
26.8.2004 Daniel Kroening 25
Dynamic Objectsstruct s {
s *n;int i;
} *p;...p=new s;p->n=new s;p->n->i=p->i+1;
α(*p)α(*p), α(*(p->n))p->n->i=p->i+1
Postconditions
−α(*p)α(*p),α(*(p->n))
Preconditions
26.8.2004 Daniel Kroening 26
Questions?
