1 / 31

Model Checking C Programs: Integer Square Root Example

This document provides an example of model checking for a C program that calculates the integer square root. It describes the program structure, including functions for input, computation, and verification of the correctness claim. The claim states that the output is the integer square root of the input, verified by mathematical conditions. The implementation includes error handling for invalid inputs and demonstrates how model checking techniques can ensure the correctness of the program under various input sequences. The findings highlight potential issues in execution based on input history.

salali
Download Presentation

Model Checking C Programs: Integer Square Root Example

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking C-Programs – An Example: Integer Square Root Wenhui Zhang http://lcs.ios.ac.cn/~zwh

  2. Contents Integer Square Root Model Checking Compositional Reasoning Summary

  3. A Concrete Example of such a Software start initialize s0 Take a number n in() s1 Transformation isr(n,k), isk(n,k) s2 Correctness Claim: The ouput is the integer square root of the input Correctness Claim: (m*m)<=n; (m*m)+2*m+1>n Output a number m

  4. Example: Function main() #include <stdio.h> /********************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /********************************************/ int main() { int n=0, m=0; int k=1; printf("INFO: system is now active\n"); while (1) { n=in(); m=isr(n,k); k=isk(n,k); printf("RESULT: %i\n\n",m); } }

  5. Example: Function in() int in() { char c=0; int k=0; while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin); if (c=='\n') { return k; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (k<2) k=k*10+(c-'0'); else if (k==2&&c=='0') k=20; else { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input number must be in {0,...,20}\n\n"); continue; } c=getc(stdin); if (c!='\n') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } return k; } }

  6. Example: isr() and isk() int isr(int x,int k) { int y1=0; int y2=0; int y3=0; y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } return y1; } intisk(intn,int k) { if (k!=20) { if (k!=n) k=21; else if (k==19) k=0; else k=k+2; } else { k=21; } return k; }

  7. Execution and Interaction #include <stdio.h> /**************************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /**************************************************/ main(int argc, char **argv ) { int n=0,m=0; int k=1; printf("system is now active\n"); while (1) { n=in(); m=isr(n,k); k=isk(n,k); printf("RESULT: %i\n\n",m); } } /**************************************************/ int isr(int y,int k) { int y1=0; int y2=0; int y3=0; int z=0; int x=y; y1=0; y2=1; y3=1; if (x==2||(x>2&&k==20)) x=x-1; while (y3<=x) { y1=y1+1; y2=y2+2; y3=y3+y2; } z=y1; return z; } /**************************************************/ int isk(int n,int k) { if (k!=20) { if (k!=n) k=21; else { if (k==19) k=0; else k=k+2; } } else { k=21; } return k; } /**************************************************/ int in() { char c; int k=0; while (1) { k=0; putc('N',stdout); putc(':',stdout); putc(9,stdout); c=getc(stdin); /* printf("%i\n",c); */ if (c=='\n') { printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=c-'0'; c=getc(stdin); if (c=='\n') { return k; } if (c<'0'||c>'9') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } k=k*10+(c-'0'); if (k>20) { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input number must be in {0,...,20}\n\n"); continue; } c=getc(stdin); if (c!='\n') { while (1) { c=getc(stdin); if (c=='\n') break; } printf("INFO: the input must be 1 or 2 digits\n\n"); continue; } return k; } } /**************************************************/ [zwh@panda 2013cp]$ ./isr1a INFO: system is now active N: 1 RESULT: 1 N: 23 INFO: the input number must be in {0,...,20} N: 19 RESULT: 4 N: ad INFO: the input must be 1 or 2 digits N: 9 RESULT: 3 N:

  8. Program Correctness It looks that the correctness claim holds, according to the sample executions. Question: Does the claim holds for all input sequences? In fact, there is an error when the input sequence is: 1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4 The input history may affect the behavior of the software, and it may cause errors in certain cases

  9. Program Correctness Question: Is the claim correct? Use model checking!

  10. Contents Integer Square Root Model Checking Compositional Reasoning Summary

  11. Modeling and Model Checking • Model Checking with VERDS • http://lcs.ios.ac.cn/~zwh/verds • Input to VERDS • VVM (VERDS verification model) • Modeling Language • VML (VERDS modeling langauge)

  12. Verification Process Automatic Translator C Program Model Properties VERDS Model Checker

  13. Correctness Claim (isr1a.sp) (at line 17): ((m*m)<=n)&&((m*m)+2*m+1>n)

  14. Model Checking [zwh@panda 2013cp]$ ../verds -c isr1a.c -sp isr1a.sp VERSION: verds 1.43 - JAN 2013 FILE: isr1a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 326 ---------- time = 326 bound = 1 time = 326 ---------- time = 326 . . . . bound =105 time = 675 ---------- time = 675 The property is false, preparing files ... CONCLUSION: FALSE (time=3985 sec) ./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667 . . bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files ... CONCLUSION: FALSE (time=3156)

  15. Verification Process Automatic Translator C Program Model Properties VERDS Model Checker Negative Conclusion Error Trace

  16. Error Trace (isr1a.cex) --- STATE 0 --- n =0 m =0 k =1 pc =0 --- TRANS 1 --- --- STATE 1 --- n =0 m =0 k =1 pc =1 --- TRANS 2 --- --- STATE 2 --- n =0 m =0 k =1 pc =2 --- TRANS 3 --- --- STATE 3 --- n =1 m =0 k =1 pc =3 … … … --- STATE 102 --- n =18 m =4 k =20 pc =2 --- TRANS 3 --- --- STATE 103 --- n =4 m =4 k =20 pc =3 --- TRANS 4 --- --- STATE 104 --- n =4 m =1 k =20 pc =4 --- TRANS 5 --- --- STATE 105 --- n =4 m =1 k =21 pc =5

  17. Analysis of the Error Trace • An error occurred with the following sequence of inputs: 1 3 5 7 9 11 13 15 17 19 0 2 4 6 8 10 12 14 16 18 4 • Confirmation of the error by testing • Correction to the program is made

  18. Correction: Function main() #include <stdio.h> /********************************************/ int in(); int isr(int x,int k); int isk(int n,int k); /********************************************/ int main() { int n=0, m=0; int k=1; printf("INFO: system is now active\n"); while (1) { n=in(); k=isk(n,k); m=isr(n,k); printf("RESULT: %i\n\n",m); } }

  19. Verification of the Corrected One [zwh@panda 2013cp]$ ../verds -c isr2a.c -sp isr1a.sp VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 276 ---------- time = 276 bound = 1 time = 276 ---------- time = 276 . . . . bound =105 time = 607 ---------- time = 607 CONCLUSION: TRUE (time=607 sec) ./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667 . . bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files ... CONCLUSION: FALSE (time=3156)

  20. Verification of the Corrected One Automatic Translator C Program Model Properties VERDS Model Checker Positive Conclusion

  21. Contents Integer Square Root Model Checking Compositional Reasoning Summary

  22. Verification Times

  23. Use of Assumption-Guarantee • Each function is augmented with a pair of assumption-guarantee as follows (isr2a.fsp): FUNCTION z=in() ASSUMPTION TRUE; GUARANTEE 0<=z&&z<=20; FUNCTION z=isk(x,y) ASSUMPTION 0<=x&&x<=20; GUARANTEE (!(z==20)||x=18);

  24. Verification Process (A/G) Automatic Translator C Program Model Properties VERDS Model Checker A/G Specification

  25. Verification Subgoals 102 verification subgoals, one for main(), and one for each of the functions. ../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp ../verds -ck in -Dint=i5 isr2a.vvm ../verds -ck isk -Dint=i5 isr2a.vvm

  26. Verification of the Corrected One [zwh@panda 2013cp]$ ../verds -c isr2a.c -sp isr1a.sp -fsp isr2a.fsp VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 75 ---------- time = 75 bound = 1 time = 75 ---------- time = 75 bound = 2 time = 75 ---------- time = 75 . . . . bound = 11 time = 82 ---------- time = 82 CONCLUSION: TRUE (time=82 sec) ./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667 . . bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files ... CONCLUSION: FALSE (time=3156)

  27. Verification of the Corrected One [zwh@panda 2013cp]$ ../verds -Dint=i5 -ck in isr2a.vvm VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm bound = 0 time = 31 ---------- time = 31 bound = 1 time = 31 ---------- time = 31 INFO: A/G=1 CONCLUSION: TRUE (time=34 sec) ./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667 . . bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files ... CONCLUSION: FALSE (time=3156)

  28. Verification of the Corrected One [zwh@panda 2013cp]$ ../verds -Dint=i5 -ck isk isr2a.vvm VERSION: verds 1.43 - JAN 2013 FILE: isr2a.vvm bound = 0 time = 32 ---------- time = 32 bound = 1 time = 32 ---------- time = 32 INFO: A/G=1 CONCLUSION: TRUE (time=37 sec) ./verds –c isr.c –sp isr.sp VERSION: verds 1.42 - DEC 2012 FILE: isr.vvm PROPERTY: A G (! (pc = 5 )| (((m * m ){ n )& (((m * m )+ ((2 * m )+ 1 ))> n ))) bound = 0 time = 667 ---------- time = 667 . . bound =105 time = 1068 ---------- time = 1068 The property is false, preparing files ... CONCLUSION: FALSE (time=3156)

  29. Verification Times • Original task with model checking time = 607 seconds • 3 tasks with model checking time < 100 for each

  30. Contents Integer Square Root Model Checking Compositional Reasoning Summary

  31. Questions?

More Related