Algorithmic Verification COMP 3153 - wiki.cse.unsw.edu.au/cs3153/lectures/lecture-14.pdf
2018 © Franck Cassez
The Skink Static Analysis Tool
Franck Cassez, Anthony Sloane, Matthew Roberts, Pongsak Suvanpong
http://science.mq.edu.au/~fcassez/home.html
2018 © Franck Cassez April 2018
Page 2: Program Analysis
    var i:int;
    assume i >= 0;
    while (i >= 0) do
      i = i - 1;
      assert (i + 1 >= 0);
    done;
Ground truth (columns) against analysis result (rows):

                         Ground Truth: Incorrect    Ground Truth: Correct
    Incorrect (warning)    True Positive              False Positive
    Correct (no warning)   False Negative             True Negative
Page 3: Commercial Static Analysers
[Pie charts: false positives versus true positives reported by commercial static analysers on Asterisk (53% / 47%) and Wireshark (67% / 33%); legend: False Positive, True Positive; which share is which is not recoverable from the text]
Source: NIST SATE V Workshop, 2014, 30 selected bug reports
Page 4: Results Juliet Test Suite (NIST)
[Pie charts: results per defect class; legend: FalseNeg, FalsePos, TruePos]
Categories: Divide-by-zero (CWE 369); NULL-pointer deref (CWE 476); Array-out-of-bounds (CWE 124, 126)
Percentages visible in the text: 22%, 21%, 58%; 45%, 55%; 24%, 3%, 72% (their assignment to categories is not recoverable)
Juliet test suite: known program status (ground truth is known for every test program)
Page 5: Static Analysis: Challenges
Page 6: Skink
[Diagram: the static analyser Skink takes an LLVM-IR program and a Spec; it answers either "bug", accompanied by a witness test, or "no bug", accompanied by a formal proof. Core technique: refinement of trace abstraction.]
Page 7: Intra-procedural Analysis
    var i:int;
    assume i >= 0;
    while (i >= 0) do
      i = i - 1;
      assert (i + 1 >= 0);
    done;
Page 8: Refinement of Trace Abstraction
[Figure: trace abstraction refinement on the program above, a control-flow automaton annotated with assertions running from True down to False; the automaton labels are not recoverable from the text]
Page 9: Refinement of Trace Abstraction
Heizmann, M., Hoenicke, J., Podelski, A., Refinement of trace abstraction, Static Analysis Symposium, 2009.

    A := CFG(P)
    loop:
      Is L(A) = ∅?
        Yes: No error in P (stop)
        No:  let t ∈ L(A); is t feasible?
               Yes: Error in P (stop)
               No:  L(A) := L(A) \ L(ITA(t)); repeat
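A toy implementation of this loop, added here as an illustration and not code from the slides, from Skink or from the cited paper, run on the slide's one-variable program. Because that program has a single integer variable and only bound checks and constant updates, an integer interval is an exact symbolic state, so strongest postconditions stand in for the interpolants an SMT solver would provide, and ITA(t) is built from them as the automaton whose transitions are valid Hoare triples between those annotations. The function names (post, find_error_trace, strongest_posts, verify), the ("ge", c) / ("le", c) / ("add", d) statement encoding and the location names are this example's own; the mutant program with assert(i >= 0) is constructed to exercise the feasible-trace branch.

```python
"""Toy trace-abstraction refinement loop on the slide's example program.
Added example; not Skink's code and not the paper's implementation."""
from collections import deque

# Symbolic state of the single variable i: an integer interval (lo, hi).
# TOP is every integer (assertion "True"); BOT is unsatisfiable ("False").
INF = float("inf")
TOP = (-INF, INF)
BOT = None


def post(state, stmt):
    """Strongest postcondition of an interval under one statement.
    Encoding (this example's own): ("ge", c) = assume i >= c,
    ("le", c) = assume i <= c, ("add", d) = i := i + d."""
    if state is BOT:
        return BOT
    lo, hi = state
    kind, arg = stmt
    if kind == "ge":
        lo = max(lo, arg)
    elif kind == "le":
        hi = min(hi, arg)
    elif kind == "add":
        lo, hi = lo + arg, hi + arg
    else:
        raise ValueError(f"unknown statement {stmt}")
    return BOT if lo > hi else (lo, hi)


def subset(a, b):
    """Does assertion a imply assertion b (interval inclusion)?"""
    if a is BOT:
        return True
    if b is BOT:
        return False
    return b[0] <= a[0] and a[1] <= b[1]


def example_program(assert_bound):
    """CFG edges (src, stmt, dst) of the slide's program:
        assume i >= 0; while (i >= 0) do i = i - 1; assert (i + 1 >= 0); done
    assert_bound=-1 encodes assert(i + 1 >= 0), i.e. the slide's program;
    assert_bound=0 is a constructed mutant, assert(i >= 0), which is buggy."""
    return [
        ("l0", ("ge", 0), "l1"),                  # assume i >= 0
        ("l1", ("ge", 0), "l2"),                  # loop guard holds
        ("l1", ("le", -1), "exit"),               # loop guard fails
        ("l2", ("add", -1), "l3"),                # i = i - 1
        ("l3", ("ge", assert_bound), "l1"),       # assert holds, back to head
        ("l3", ("le", assert_bound - 1), "err"),  # assert violated
    ]


def find_error_trace(cfg, annotations, init="l0", err="err"):
    """Explore L(A) \\ L(ITA): BFS over pairs (CFG location, set of annotations
    valid after the trace so far).  ITA accepts once BOT is derivable, so a
    trace that reaches `err` without BOT is not yet proved infeasible."""
    start = (init, frozenset([TOP]))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        loc, preds = node
        if BOT in preds:
            continue  # accepted by the ITA: every extension is infeasible
        if loc == err:
            trace = []
            while parent[node] is not None:
                node, stmt = parent[node]
                trace.append(stmt)
            return trace[::-1]
        for src, stmt, dst in cfg:
            if src != loc:
                continue
            # Hoare triple {p} stmt {q} is valid iff post(p, stmt) implies q
            succ = frozenset(q for q in annotations
                             if any(subset(post(p, stmt), q) for p in preds))
            nxt = (dst, succ)
            if nxt not in parent:
                parent[nxt] = (node, stmt)
                queue.append(nxt)
    return None


def strongest_posts(trace):
    """Annotate a trace: TOP, then the strongest postcondition after each statement."""
    states = [TOP]
    for stmt in trace:
        states.append(post(states[-1], stmt))
    return states


def verify(cfg, max_iter=20):
    """The loop from the slide: pick t in L(A); if t is feasible report the bug,
    otherwise refine L(A) := L(A) \\ L(ITA(t)) and repeat.
    Returns ("safe", None), ("bug", trace) or ("unknown", None)."""
    annotations = {TOP, BOT}
    for _ in range(max_iter):
        trace = find_error_trace(cfg, annotations)
        if trace is None:
            return ("safe", None)       # L(A) is empty: no error in P
        states = strongest_posts(trace)
        if states[-1] is not BOT:
            return ("bug", trace)       # feasible error trace: error in P
        annotations.update(states)      # refine with the annotations of t
    return ("unknown", None)


if __name__ == "__main__":
    print("slide program:", verify(example_program(-1)))
    print("mutant       :", verify(example_program(0)))
```

The slide's program is proved safe after a single refinement: the annotations {i >= 0} and {i >= -1} taken from the first error trace make the interpolant automaton accept every trace into the loop, so L(A) becomes empty even though the loop is unbounded, which is what a bounded unrolling could never establish. The mutant returns the error trace itself, which is the raw material for the witness test the Skink diagram mentions.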
Page 10: Inter-procedural
    proc main() : (n) {
      assume(m >= 1);
      n = inc(1, m);
      assert(n >= 0);
    }

    proc inc(p,q) : (r) {
      assert(p >= 0);
      if (p >= 1)
        r = q + 1;
      else
        r = q;
      endif;
    }
Analysis of program code. Cassez, F.; and Müller, C. September 12, 2017. US Patent 9,760,469
Summary-Based Inter-Procedural Analysis via Modular Trace Refinement. Cassez, F.; Müller, C.; and Burnett, K. In 34th International Conference on Foundation of Software Technology and Theoretical Computer Science, FSTTCS 2014, December 15-17, 2014, New Delhi, India, pages 545--556, 2014.
Build summaries of each procedure; no inlining
Page 11: Multiple threads
Verification of Concurrent Programs Using Trace Abstraction Refinement. Cassez, F.; and Ziegler, F. In Logic for Programming, Artificial Intelligence, and Reasoning - 20th International Conference, LPAR-20 2015, Suva, Fiji, November 24-28, 2015, Proceedings, volume 9450, of Lecture Notes in Computer Science, pages 233--248, 2015. Springer LPAR Best paper award
Trace refinement + partial order reduction
Page 12: Static Analysis: Challenges
[Diagram: techniques covered so far: Refinement, Modular Analysis, Partial Order Reduction]
Page 13: Skink: Tool Architecture
[Diagram: components with their size in lines of code: Trace Refinement 2416 loc; ScalaLLVM 1000 loc; ScalaSMT 2044 loc; Automat 1035 loc; Expect 78 loc; Kiama 4300 loc; Sbt-rats 5700 loc. ScalaSMT talks to the SMT solvers Z3, CVC4, Yices, MathSAT and SMTInterpol (solver names reconstructed from garbled text).]
Page 14: Static Analysis: Challenges
[Diagram: further challenges: SMT-solvers, Witness Generation, Over Approximation]
Page 15: Skink@SV-COMP 16, 17, 18
Skink: Static Analysis of Programs in LLVM Intermediate Representation (Competition contribution). Cassez, F.; Sloane, A.; Roberts, M.; Pigram, M.; Suvanpong, P.; and de Aledo Marugán, P. G. In Tools and Algorithms for the Construction and Analysis of Systems - 23rd International Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017. Proceedings, of LNCS, pages 380--384, 2017. Springer
[Bar charts: attempted categories (axis 0 to 7) and score (axis 0 to 400) for 2016, 2017 and 2018; bar values are not recoverable from the text]
Page 16: Current/Ongoing Work
Parallel Analysis
Invariants Synthesis
Machine Learning
Multi-thread Analysis
Security Analysis
Termination Analysis
Proof certificates
Test harness
Code coverage
Page 17: Contact Us
http://science.mq.edu.au/~fcassez/home.html
Page 18: References
Skink: Static Analysis of Programs in LLVM Intermediate Representation (Competition contribution). Cassez, F.; Sloane, A.; Roberts, M.; Pigram, M.; Suvanpong, P.; and de Aledo Marugán, P. G. In Tools and Algorithms for the Construction and Analysis of Systems - 23rd International Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017. Proceedings, of LNCS, pages 380--384, 2017. Springer
ScalaSMT: Satisfiability Modulo Theory in Scala. Cassez, F.; and Sloane, A. In SCALA'17, October 23--27, 2017, Vancouver, BC, Canada. Proceedings., 2017.
The Sbt-rats Parser Generator Plugin for Scala. Sloane, A.; Cassez, F.; and Buckley, S. In Proceedings of the 2016 7th ACM SIGPLAN Symposium on Scala, of SCALA 2016, pages 110--113, New York, NY, USA, 2016. ACM
Summary-Based Inter-Procedural Analysis via Modular Trace Refinement. Cassez, F.; Müller, C.; and Burnett, K. In 34th International Conference on Foundation of Software Technology and Theoretical Computer Science, FSTTCS 2014, December 15-17, 2014, New Delhi, India, pages 545--556, 2014.
Verification of Concurrent Programs Using Trace Abstraction Refinement. Cassez, F.; and Ziegler, F. In Davis, M.; Fehnker, A.; McIver, A.; and Voronkov, A., editor(s), Logic for Programming, Artificial Intelligence, and Reasoning - 20th International Conference, LPAR-20 2015, Suva, Fiji, November 24-28, 2015, Proceedings, volume 9450, of Lecture Notes in Computer Science, pages 233--248, 2015. Springer LPAR Best paper award
Analysis of program code. Cassez, F.; and Müller, C. September 12, 2017. US Patent 9,760,469
Lightweight language processing in Kiama. Sloane, A. M. In Generative and Transformational Techniques in Software Engineering III, volume 6491 of Lecture Notes in Computer Science, Springer, 2011.