cbmc-4.5/0000755000175000017500000000000012206365330012054 5ustar michaelmichaelcbmc-4.5/scripts/0000755000175000017500000000000012206365330013543 5ustar michaelmichaelcbmc-4.5/scripts/vcxproj.10000644000175000017500000000751512161645772015343 0ustar michaelmichael Debug Win32 Release Win32 {A183117E-485E-4E32-8A61-3CB7A2FC56F6} Win32Proj cprover Application true Unicode Application false true Unicode true false NotUsing Level3 Disabled WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions);STL_HASH_TR1;HAVE_MINISAT2 $(ProjectDir);$(ProjectDir)/../minisat-2.2.0 Console true Level3 NotUsing MaxSpeed true true WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions);STL_HASH_TR1;HAVE_MINISAT2 $(ProjectDir);$(ProjectDir)/../minisat-2.2.0 Console true true true cbmc-4.5/scripts/generate_vcxproj0000755000175000017500000000446112157414522017046 0ustar michaelmichaeldest=../src if ! [ -e $dest/Makefile ] ; then echo Makefile not found ; exit 1; fi echo Generating Visual Studio Project files in $dest function doit { echo Generating $dest/$1.vcxproj cat vcxproj.1 > $dest/$1.vcxproj # this collects all the files needed echo " " >> $dest/$1.vcxproj for dir in $dirs ; do sources="`(cd $dest/$dir; make sources)`" for s in $sources ; do echo " " >> $dest/$1.vcxproj done done echo " " >> $dest/$1.vcxproj echo " " >> $dest/$1.vcxproj echo " " >> $dest/$1.vcxproj cat vcxproj.2 >> $dest/$1.vcxproj echo Generating $dest/$1.vcxproj.filters # this produces nice "filters" (folders) echo "" > $dest/$1.vcxproj.filters echo "" >> $dest/$1.vcxproj.filters echo " " >> $dest/$1.vcxproj.filters for dir in $dirs ; do sources="`(cd $dest/$dir; make sources)`" for s in $sources ; do echo " ${dir}" >> $dest/$1.vcxproj.filters done done echo " minisat2" >> $dest/$1.vcxproj.filters echo " minisat2" >> $dest/$1.vcxproj.filters echo " " >> $dest/$1.vcxproj.filters for dir in $dirs minisat2 ; do echo " " >> $dest/$1.vcxproj.filters done echo "" >> $dest/$1.vcxproj.filters } dirs="big-int langapi util ansi-c assembler cpp java_bytecode xmllang solvers goto-symex analyses pointer-analysis goto-programs linking cbmc" doit cbmc dirs="big-int langapi util ansi-c assembler cpp java_bytecode xmllang solvers goto-symex analyses pointer-analysis goto-programs linking goto-cc" doit goto-cc dirs="big-int langapi util ansi-c assembler cpp java_bytecode xmllang solvers goto-symex analyses pointer-analysis goto-programs linking goto-instrument" doit goto-instrument cbmc-4.5/scripts/vcxproj.20000644000175000017500000000020312157326633015324 0ustar michaelmichael cbmc-4.5/scripts/make-rpm0000644000175000017500000000042711573425106015206 0ustar michaelmichael#!/bin/bash svn export http://svn.cprover.org/svn/cbmc mv cbmc cbmc-3.9 tar czf cbmc-3.9.tar.gz cbmc-3.9 wget http://www.minisat.se/downloads/minisat-2.2.0.tar.gz mkdir $HOME/rpmbuild/SOURCES mv cbmc-3.9.tar.gz minisat-2.2.0.tar.gz $HOME/rpmbuild/SOURCES rpmbuild -qa cbmc.spec cbmc-4.5/scripts/cbmc.spec0000644000175000017500000000224611573425106015333 0ustar michaelmichaelName: cbmc Version: 3.9 Release: 1%{?dist} Summary: bounded model checker for C and C++ programs Group: Applications License: BSD 4-clause URL: http://www.cprover.org Source0: http://www.minisat.se/downloads/minisat-2.2.0.tar.gz Source1: cbmc-3.9.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: gcc %description CBMC generates traces that demonstrate how an assertion can be violated, or proves that the assertion cannot be violated within a given number of loop iterations. %prep %setup -q -c cbmc+minisat %setup -q -c cbmc+minisat -T -D -a 1 %build mv minisat minisat-2.2.0 cd minisat-2.2.0 make MROOT=$PWD -C simp cd .. make -C cbmc-3.9/trunk/src/big-int make -C cbmc-3.9/trunk/src/util make -C cbmc-3.9/trunk/src %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT mkdir -p %{buildroot}/%{_bindir} for b in goto-cc goto-instrument cbmc ; do cp cbmc-3.9/trunk/src/$b/$b %{buildroot}/%{_bindir} ; done strip %{buildroot}/%{_bindir}/* %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) %doc %{_bindir}/goto-cc %{_bindir}/goto-instrument %{_bindir}/cbmc %changelog cbmc-4.5/scripts/minisat-2.2.0-patch0000644000175000017500000000302512155540312016662 0ustar michaelmichaeldiff -rupN minisat-2.2.0/mtl/IntTypes.h minisat-2.2.0.patched/mtl/IntTypes.h --- minisat-2.2.0/mtl/IntTypes.h 2010-07-10 17:07:36.000000000 +0100 +++ minisat-2.2.0.patched/mtl/IntTypes.h 2011-07-15 12:05:38.144000000 +0100 @@ -31,7 +31,9 @@ OF OR IN CONNECTION WITH THE SOFTWARE OR #else # include +#ifndef _MSC_VER # include +#endif #endif diff -rupN minisat-2.2.0/utils/ParseUtils.h minisat-2.2.0.patched/utils/ParseUtils.h --- minisat-2.2.0/utils/ParseUtils.h 2010-07-10 17:07:36.000000000 +0100 +++ minisat-2.2.0.patched/utils/ParseUtils.h 2011-07-15 12:06:14.362750000 +0100 @@ -24,7 +24,7 @@ OF OR IN CONNECTION WITH THE SOFTWARE OR #include #include -#include +//#include namespace Minisat { @@ -35,7 +35,7 @@ static const int buffer_size = 1048576; class StreamBuffer { - gzFile in; + //gzFile in; unsigned char buf[buffer_size]; int pos; int size; @@ -43,10 +43,10 @@ class StreamBuffer { void assureLookahead() { if (pos >= size) { pos = 0; - size = gzread(in, buf, sizeof(buf)); } } + /*size = gzread(in, buf, sizeof(buf));*/ } } public: - explicit StreamBuffer(gzFile i) : in(i), pos(0), size(0) { assureLookahead(); } + //explicit StreamBuffer(gzFile i) : in(i), pos(0), size(0) { assureLookahead(); } int operator * () const { return (pos >= size) ? EOF : buf[pos]; } void operator ++ () { pos++; assureLookahead(); } cbmc-4.5/COMPILING0000644000175000017500000000642212161645672013336 0ustar michaelmichaelWhat architecture? ------------------ CPROVER compiles in the following environments: - Linux - MacOS X - Cygwin (We recommend g++-3. Don't use the i686-pc-mingw32-g++ cross compiler.) - Microsoft's Visual Studio 2010 or 2012 (older versions won't work) The rest of this document is split up into three parts: compilation on Linux, MacOS, Windows. Please read the section appropriate for your machine. COMPILATION ON LINUX -------------------- We assume that you have a Debian/Ubuntu-like distribution. 0) You need a C/C++ compiler, Flex and Bison, and GNU make. The GNU Make needs to be version 3.81 or higher. Do apt-get install g++ gcc flex bison make subversion libz-dev libwww-perl patch WARNING: g++ 4.5.x has been observed to mis-optimize code in MiniSat with -O3. Use a different version (or -O1). 1) You need a SAT solver (in source). We recommend MiniSat2. Do cd src make minisat2-download 2) Type cd src; make - that should do it. COMPILATION ON MACOS X ---------------------- Follow these instructions: 0) You need a C/C++ compiler, Flex and Bison, and GNU make. To this end, install the XCode command-line utilities (installing XCode is not enough). These are available at https://developer.apple.com/downloads/ 1) You need a SAT solver (in source). We recommend MiniSat2. Do cd src make minisat2-download 2) Type cd src; make - that should do it. COMPILATION ON WINDOWS ---------------------- There are two options: compilation using g++ from Cygwin, or using Visual Studio's compiler. As Cygwin has significant overhead during process creation, we advise you use Visual Studio. Follow these instructions: 0) You need a C/C++ compiler, Flex and Bison, GNU tar, gzip2, GNU make, and patch. The GNU Make needs to be version 3.81 or higher. If you don't already have the above, we recommend you install Cygwin. WARNING: g++ 4.5.x has been observed to mis-optimize code in MiniSat with -O3. Use a different version (or -O1). 1) You need a SAT solver (in source). We recommend MiniSat2. Using a browser, download from http://minisat.se/downloads/minisat-2.2.0.tar.gz and then unpack with tar xfz minisat-2.2.0.tar.gz mv minisat minisat-2.2.0 cd minisat-2.2.0 patch -p1 < scripts/minisat-2.2.0-patch The patch removes the dependency on zlib and prevents a problem with a header file that is often unavailable on Windows. 2) Adjust src/config.inc for the paths to item 1). 3A) To compile with Cygwin, install the mingw compilers, and adjust the second line of config.inc to say BUILD_ENV = MinGW 3B) To compile with Visual Studio, make sure you have at least Visual Studio 10, and adjust the second line of config.inc to say BUILD_ENV = MSVC Open the Visual Studio Command prompt, and then run the make.exe from Cygwin from in there. 4) Type cd src; make - that should do it. Note that "nmake" is not expected to work. Use "make". (Optional) A Visual Studio project file can be generated with the script "generate_vcxproj" that is in the subdirectory "scripts". The project file is helpful for GUI-based tasks, e.g., the class viewer, debugging, etc., and can be used for building with MSBuild. Note that you still need to run flex/bison using "make generated_files" before opening the project. cbmc-4.5/CHANGELOG0000644000175000017500000000350412074524422013272 0ustar michaelmichael4.3 === Floating-point arithmetic now takes the rounding mode into account, which can be changed dynamically. goto-gcc generates hybrid executables on Linux, containing both machine code and the CFG. Limited support for Spec#-style quantifiers added. Pointer-checks no longer use a heavy-weight alias analysis. Limited support for some x86 and ARM inline assembly constructs. 4.2 === goto-cc now passes all command line options to the gcc preprocessor. The MacOS binaries are now signed. The C/C++ front-end has been tested and fixed for the Visual Studio 2012 header files. The man-page has been elaborated. Support for the C99 complex type and gcc's vector type has been added. Various built-ins for x86 MMX and SSE instructions have been added. Support for various C11 features has been added. Support for various built-in primitives has been added, in particular for the __sync_* commands. New feature: --all-claims now reports the status of all claims; the verification continues even if a counterexample is found. This feature uses incremental SAT. The counterexample beautification (--beautify) now uses incremental SAT. Numerous improvements to SMT1 and SMT2 interfaces. Support for further SAT solvers (PRECOSAT, PICOSAT, LINGELING) 4.1 === The support for low-level accesses to dynamically allocated data structures and "integer addressed memory" (usually memory-mapped I/O) has been further improved. Numerous improvements to the SMT back-ends. Specifically, support through the SMT1 path for Boolector and Z3 has been improved; support for MathSAT has been added. In combination with the very latest version of MathSAT, CBMC now also supports an SMT2 flow (use --mathsat --smt2 to activate this). 4.0 === Better support for low-level accesses to dynamically allocated data structures. Numerous front-end improvements. cbmc-4.5/LICENSE0000644000175000017500000000374411561505745013102 0ustar michaelmichael(C) 2001-2011, Daniel Kroening, Edmund Clarke, Computer Science Department, Oxford University Computer Systems Institute, ETH Zurich Computer Science Department, Carnegie Mellon University All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Daniel Kroening, Edmund Clarke, Computer Science Department, Oxford University Computer Systems Institute, ETH Zurich Computer Science Department, Carnegie Mellon University 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS `AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. cbmc-4.5/doc/0000755000175000017500000000000012206365330012621 5ustar michaelmichaelcbmc-4.5/doc/man/0000755000175000017500000000000012206365330013374 5ustar michaelmichaelcbmc-4.5/doc/man/cbmc.10000644000175000017500000001406612155275225014377 0ustar michaelmichael.\" Process this file with .\" groff -man -Tascii cbmc.1 .\" .TH CBMC 1 "MARCH 2012" "cbmc-4.1" "User Manual" .SH NAME cbmc \- Bounded Model Checker for C/C++ and Java programs .SH SYNOPSIS .B cbmc [--claim \fIclaim-nr\fB] \fIfile.c\fB ... .B cbmc [--show-claims] \fIfile.c\fB ... .B cbmc [--all-claims] \fIfile.c\fB ... .B goto-cc [-I \fIinclude-path\fB] [-c] \fIfile.c\fB [-o \fIoutfile.o\fB] .B goto-instrument \fIinfile\fB \fIoutfile\fR .PP Only the most useful options are listed here; see below for the remainder. .SH DESCRIPTION \fBcbmc\fR generates traces that demonstrate how an assertion can be violated, or proves that the assertion cannot be violated within a given number of loop iterations. CBMC can read source-code directly, or a goto-binary generated by goto-cc. Java programs are given as class files. Without any further options, cbmc checks all properties (automatically generated or user-specificed) found in the program. If any of the properties can be violated, a counterexample is printed and the analysis is aborted. The analysis can be restricted to a particular claim with the \-\-claim option. The verification result for all claims can be obtained by means of the \-\-all-claims option. \fBgoto-cc\fR reads source code, and generates a goto-binary. It's command-line interface is designed to mimic that of .BR gcc (1). Note in particular that \fBgoto-cc\fR distinguishes between compiling and linking phases, just as gcc does. \fBcbmc\fR expects a goto-binary for which linking has been completed. \fBgoto-instrument\fR reads a goto-binary, performs a given program transformation, and then writes the resulting program as goto-binary on disc. The usual flow is to (1) translate source into a goto-binary using goto-cc, then (2) perform instrumentation with goto-instrument, and finally (3) perform the analysis with cbmc. .SH OPTIONS .SS "FRONTEND OPTIONS (cbmc and goto-cc)" .IP "-I path" Set include path (C/C++) .IP "-D macro" Define preprocessor macro (C/C++) .IP --preprocess Stop after preprocessing .IP --show-symbol-table Show symbol table .IP --show-goto-functions Show goto program .SS "ARCHITECTURAL OPTIONS (cbmc and goto-cc)" \fBcbmc\fR by default uses architectural settings that match those of the machine \fBcbmc\fR is executed on, i.e., the settings below are only needed when verifying software that is meant to run on a different architecture or OS. \fBgoto-cc\fR generates a goto-binary for a particular architecture, i.e., the architecture cannot be changed after the goto-binary is generated. .IP "--16, --32, --64" Set width of int .IP "--LP64, --ILP64, --LLP64, --ILP32, --LP32" Set width of int, long and pointers .IP --little-endian Allow little-endian word-byte conversions .IP --big-endian Allow big-endian word-byte conversions .IP --unsigned-char Make "char" unsigned by default .IP --arch Set target architecture .IP --os Set target operating system .IP --no-arch Don't set up an architecture .IP --no-library Disable built-in abstract C library .IP "--round-to-nearest, --round-to-plus-inf, --round-to-minus-inf, --round-to-zero" IEEE floating point rounding mode (default is round to nearest) .SS "PROGRAM INSTRUMENTATION OPTIONS (cbmc and goto-instrument)" Both \fBcbmc\fR and \fBgoto-instrument\fR can generate assertions that catch specific common errors, as listed below. .IP --bounds-check Enable array bounds checks .IP --div-by-zero-check Enable division by zero checks .IP --pointer-check Enable pointer checks .IP --signed-overflow-check Enable arithmetic over- and underflow checks for signed integer arithmetic .IP --unsigned-overflow-check Enable arithmetic over- and underflow checks for unsigned integer arithmetic .IP --nan-check Check floating-point computations for NaN .IP --no-assertions Ignore user-provided assertions .IP --no-assumptions Ignore user-provided assumptions .IP "--error-label label" Check that the given label is unreachable .SS "PROGRAM INSTRUMENTATION OPTIONS (goto-instrument only)" \fBgoto-instrument\fR supports further, more complex, program transformations. .IP --nondet-volatile Makes reads from volatile variables non-deterministic .IP "--isr function" Instruments an interrupt service routine with the given name .IP --mmio Instruments memory-mapped I/O .IP --nondet-static Variables with static lifetime are initialized non-deretministically .IP --dump-c Output ANSI-C source code instead of a goto binary. .SS "BMC OPTIONS (cbmc)" .IP --all-claims Report status of all claims .IP --show-claims Only show claims .IP --show-loops Show the loops in the program .IP --cover-assertions Check which assertions are reachable .IP "--function name" Set main function name .IP "--claim nr" Only check specific claim .IP --program-only Only show program expression .IP "--depth nr " Limit search depth .IP "--unwind nr " Unwind loops nr times .IP "--unwindset L:B,..." Unwind loop L with a bound of B (use \-\-show\-loops to get the loop IDs) .IP --show-vcc Show the verification conditions .IP --slice-formula Remove assignments unrelated to property .IP --no-unwinding-assertions Do not generate unwinding assertions .IP --no-pretty-names Do not simplify identifiers .SS "BACKEND OPTIONS (cbmc)" .IP --dimacs Generate CNF in DIMACS format for use by external SAT solvers .IP --beautify-greedy Beautify the counterexample (greedy heuristic) .IP --smt1 Output subgoals in SMT1 syntax (experimental) .IP --smt2 Output subgoals in SMT2 syntax (experimental) .IP --boolector Use Boolector (experimental) .IP --mathsat Use MathSAT (experimental) .IP --cvc Use CVC3 (experimental) .IP --yices Use Yices (experimental) .IP --z3 Use Z3 (experimental) .IP --refine Use refinement procedure (experimental) .IP "--outfile filename" Output formula to given file .IP --arrays-uf-never Never turn arrays into uninterpreted functions .IP --arrays-uf-always Always turn arrays into uninterpreted functions .SH ENVIRONMENT CBMC does not regognize any environment variables. Note, however, that the preprocessor used by CBMC will use environment variables to locate header files. GOTO-CC aims to accept all environment variables that GCC does. .SH COPYRIGHT 2001-2012, Daniel Kroening, Edmund Clarke cbmc-4.5/doc/slides/0000755000175000017500000000000012206365330014104 5ustar michaelmichaelcbmc-4.5/doc/slides/cbmc-latex-beamer/0000755000175000017500000000000012206365330017354 5ustar michaelmichaelcbmc-4.5/doc/slides/cbmc-latex-beamer/unrolling-cfg.mp0000644000175000017500000000150712165264216022470 0ustar michaelmichaelinput boxes vardef connect(suffix s, t)= drawarrow s..t cutbefore fullcircle scaled 3pt shifted s cutafter fullcircle scaled 3pt shifted t; drawdot s withpen pencircle scaled 3pt; drawdot t withpen pencircle scaled 3pt; enddef; ystep = 0.9cm; beginfig (0) % Control flow graph defaultscale:=9pt/fontsize defaultfont; z[1] = (1.2cm,3*ystep); z[2] = (0.4cm,2*ystep); z[3] = (2.0cm,2*ystep); z[4] = (1.2cm,1*ystep); label.top ("L1", z[1]+(0,.1cm)); dotlabel.top ("", z[1]); dotlabel.lft ("L2", z[2]); dotlabel.rt ("L3", z[3]); dotlabel.bot ("L4", z[4]); connect(z[1], z[2]); connect(z[1], z[3]); connect(z[2], z[4]); connect(z[3], z[4]); drawarrow z[4]..(3cm,ypart 0.5[z[4],z[1]])..z[1] cutbefore fullcircle scaled 3pt shifted z[4] cutafter fullcircle scaled 3pt shifted z[1]; endfig; end. cbmc-4.5/doc/slides/cbmc-latex-beamer/arrow.pdf0000644000175000017500000000667312165263510021216 0ustar michaelmichael%PDF-1.3 % 2 0 obj << /Length 4 0 R /Filter /FlateDecode >> stream x+TT(c}\C|@1 endstream endobj 4 0 obj 23 endobj 1 0 obj << /Type /Page /Parent 7 0 R /Resources 3 0 R /Contents 2 0 R /MediaBox [0 0 59 48] >> endobj 3 0 obj << /ProcSet [ /PDF ] /XObject << /Fm1 5 0 R >> >> endobj 5 0 obj << /Length 8 0 R /Type /XObject /Subtype /Form /FormType 1 /BBox [0 0 59 48] /Resources 6 0 R /Filter /FlateDecode >> stream xڭn0 Ew} ޏ9|@v[$%e+9 zkڼ<"}-a:(`~Fə@@֢́$+I}> ɑ``j~O.$%.KErJwWy]7]۽6Ck+lng)՚F_ʠEe*\ѵHR05,{Lk_ޡ@UXީTJ> /ExtGState << /Gs2 12 0 R /Gs1 13 0 R /Gs3 14 0 R >> /XObject << /Im1 10 0 R >> >> endobj 10 0 obj << /Length 11 0 R /Type /XObject /Subtype /Image /Width 945 /Height 1 /ColorSpace 9 0 R /BitsPerComponent 8 /Filter /FlateDecode >> stream xڝORQ[-fnZ[skmfYjDFH( " WHϩv{y9۞i묳D#hiYUGISE5))D))T2x,):D/sT鄤W#dJceUb Y&|Xb"`"~@+v7;b;o Pp@:}`k6}',/ 6r`9[`YXQ3L`7̊|X-o]UL%`tX.5\S{⬃ǎ xhPc_g)b=lݵQkF]#ue ^۟ kh .EhbGPp=ALL}4&3/;#YFk3W/ _4eut> endobj 13 0 obj << /Type /ExtGState /SM 0.02 >> endobj 14 0 obj << /Type /ExtGState /SA true >> endobj 15 0 obj << /Length 16 0 R /N 3 /Alternate /DeviceRGB /Filter /FlateDecode >> stream x}OHQǿ%Be&RNW`oʶkξn%B.A1XI:b]"(73ڃ73{@](mzy(;>7PA+Xf$vlqd}䜛] UƬxiO:bM1Wg>q[ 2M'"()Y'ld4䗉2'&Sg^}8&w֚, \V:kݤ;iR;;\u?V\\C9u(JI]BSs_ QP5Fz׋G%t{3qWD0vz \}\$um+٬C;X9:Y^gB,\ACioci]g(L;z9AnI ꭰ4Iݠx#{zwAj}΅Q=8m (o{1cd5Ugҷtlaȱi"\.5汔^8tph0k!~D Thd6챖:>f&mxA4L&%kiĔ?Cqոm&/By#Ց%i'W:XlErr'=_ܗ)i7Ҭ,F|Nٮͯ6rm^ UHW5;?Ͱh endstream endobj 16 0 obj 706 endobj 9 0 obj [ /ICCBased 15 0 R ] endobj 7 0 obj << /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 1 0 R ] >> endobj 17 0 obj << /Type /Catalog /Pages 7 0 R >> endobj 18 0 obj << /CreationDate (D:20070108152819+01'00') /ModDate (D:20070108152819+01'00') /Producer (Mac OS X 10.4.8 Quartz PDFContext) >> endobj xref 0 19 0000000000 00000 n 0000000137 00000 n 0000000022 00000 n 0000000239 00000 n 0000000119 00000 n 0000000304 00000 n 0000000844 00000 n 0000002701 00000 n 0000000825 00000 n 0000002665 00000 n 0000001016 00000 n 0000001674 00000 n 0000001694 00000 n 0000001740 00000 n 0000001788 00000 n 0000001836 00000 n 0000002645 00000 n 0000002784 00000 n 0000002834 00000 n trailer << /Size 19 /Root 17 0 R /Info 18 0 R /ID [ <4895f2e10a0d51c999b1d58eaae056b4> <4895f2e10a0d51c999b1d58eaae056b4> ] >> startxref 2977 %%EOF cbmc-4.5/doc/slides/cbmc-latex-beamer/gradient_box_yellow.pdf0000644000175000017500000001077512165263510024122 0ustar michaelmichael%PDF-1.3 % 2 0 obj << /Length 4 0 R /Filter /FlateDecode >> stream x+TT(c}\C|@1 endstream endobj 4 0 obj 23 endobj 1 0 obj << /Type /Page /Parent 7 0 R /Resources 3 0 R /Contents 2 0 R /MediaBox [0 0 241 59] >> endobj 3 0 obj << /ProcSet [ /PDF ] /XObject << /Fm1 5 0 R >> >> endobj 5 0 obj << /Length 8 0 R /Type /XObject /Subtype /Form /FormType 1 /BBox [0 0 241 59] /Resources 6 0 R /Filter /FlateDecode >> stream x];n1 D=\!էN+`ar)#m1m8aAa!&XaiR +>wo~;Y} CH-bD3Еׁ > /ExtGState << /Gs2 12 0 R /Gs1 13 0 R >> /XObject << /Im1 10 0 R >> >> endobj 10 0 obj << /Length 11 0 R /Type /XObject /Subtype /Image /Width 256 /Height 256 /ColorSpace 9 0 R /BitsPerComponent 8 /Filter /FlateDecode >> stream xRTYờs9ZBCwO{ wCw]{dݡvm=COn멢̶-zmPbKE/RjkuQf[Eo׽Sn{u}PaGE}RigE}QeWE_}SmwuPcOu?RkoEQg_Eם(:YwEԝ): ?01?????0q???8??0 ??'?㟄`~O0 㟂`S ~O0"?/0K㟆`~O02㟁`3~0Y? ?g?,㟃`s~0+  ?0?#nhu6ux}~_ߧ]߀?uo00oO*&9;&?=_7?-}z0& - H᯻ mG)wQ H?ះB? 6~C}?? :<_p(  ~+79?PVj PPR;7VjGwo3"_o3"_o?7 / ?~C?0o_:?pKJ-ÿ> endobj 13 0 obj << /Type /ExtGState /SM 0.02 >> endobj 14 0 obj << /Length 15 0 R /N 3 /Alternate /DeviceRGB /Filter /FlateDecode >> stream x}OHQǿ%Be&RNW`oʶkξn%B.A1XI:b]"(73ڃ73{@](mzy(;>7PA+Xf$vlqd}䜛] UƬxiO:bM1Wg>q[ 2M'"()Y'ld4䗉2'&Sg^}8&w֚, \V:kݤ;iR;;\u?V\\C9u(JI]BSs_ QP5Fz׋G%t{3qWD0vz \}\$um+٬C;X9:Y^gB,\ACioci]g(L;z9AnI ꭰ4Iݠx#{zwAj}΅Q=8m (o{1cd5Ugҷtlaȱi"\.5汔^8tph0k!~D Thd6챖:>f&mxA4L&%kiĔ?Cqոm&/By#Ց%i'W:XlErr'=_ܗ)i7Ҭ,F|Nٮͯ6rm^ UHW5;?Ͱh endstream endobj 15 0 obj 706 endobj 9 0 obj [ /ICCBased 14 0 R ] endobj 7 0 obj << /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 1 0 R ] >> endobj 16 0 obj << /Type /Catalog /Pages 7 0 R >> endobj 17 0 obj << /CreationDate (D:20070114184543+01'00') /ModDate (D:20070114184543+01'00') /Producer (Mac OS X 10.4.8 Quartz PDFContext) >> endobj xref 0 18 0000000000 00000 n 0000000137 00000 n 0000000022 00000 n 0000000240 00000 n 0000000119 00000 n 0000000305 00000 n 0000000671 00000 n 0000003811 00000 n 0000000652 00000 n 0000003775 00000 n 0000000831 00000 n 0000002831 00000 n 0000002852 00000 n 0000002898 00000 n 0000002946 00000 n 0000003755 00000 n 0000003894 00000 n 0000003944 00000 n trailer << /Size 18 /Root 16 0 R /Info 17 0 R /ID [ ] >> startxref 4087 %%EOF cbmc-4.5/doc/slides/cbmc-latex-beamer/bmc-loop.mp0000644000175000017500000000476412145230215021430 0ustar michaelmichaelinput rboxes verbatimtex %&latex \documentclass{article} \usepackage{times} \begin{document} etex rbox_radius := 3bp; diamond_radius := 5bp; beginfig(1) rboxit.unroll (btex $\matrix{\mathrm{Unroll}\cr\mathrm{transition~function}\cr k~\mathrm{times}}$ etex); rboxit.check (btex $\matrix{\mathrm{Check~for}\cr\mathrm{counterexample}}$ etex); rboxit.checkct (btex $\matrix{\mathrm{Compare~}k\mathrm{~to}\cr\mathrm{completeness}\cr\mathrm{threshold}}$ etex); rboxit.increase (btex $\matrix{\mathrm{Increase}\cr k~\mathrm{by~one}}$ etex); unroll.c = (0,2cm); check.c = (4cm,2cm); checkct.c = (4cm,0); increase.c = (0,0); unroll.se - unroll.nw = check.se - check.nw = checkct.se - checkct.nw = increase.se - increase.nw; drawboxed (unroll, check, checkct, increase); pair diamok; diamok = ((xpart check.ne)+12pt,1cm); draw diamok+(0,diamond_radius)--diamok+(diamond_radius,0)--diamok+(0,-diamond_radius)--diamok+(-diamond_radius,0)--cycle; drawarrow (.5[unroll.nw,unroll.ne])..0.5[unroll.c,check.c] shifted (0,1cm)..(.5[check.nw,check.ne]) cutbefore bpath.unroll cutafter bpath.check; drawarrow .5[check.ne,check.se]..(.5[check.ne,check.se] shifted (4pt,-4pt))..diamok+(0,diamond_radius) cutbefore bpath.check; drawarrow diamok+(0,-diamond_radius)..(.5[checkct.ne,checkct.se] shifted (4pt,4pt))..(.5[checkct.ne,checkct.se]) cutafter bpath.checkct; drawarrow diamok+(diamond_radius,0)--diamok+(diamond_radius+2cm,0); label.top (btex [error found] etex, diamok+(diamond_radius+1cm,0)); label.rt (btex report etex, diamok+(diamond_radius+2cm,0)); pair diamnok; diamnok = (2cm,(ypart checkct.sw)-12pt); draw diamnok+(0,diamond_radius)--diamnok+(diamond_radius,0)--diamnok+(0,-diamond_radius)--diamnok+(-diamond_radius,0)--cycle; drawarrow (.5[checkct.se,checkct.sw])..(.5[checkct.se,checkct.sw] shifted (-4pt,-2pt))..diamnok+(diamond_radius,0) cutbefore bpath.checkct; drawarrow diamnok+(-diamond_radius,0)..(.5[increase.se,increase.sw] shifted (4pt,-2pt))..(.5[increase.se,increase.sw]) cutafter bpath.increase; drawarrow (.5[increase.nw,increase.sw])..(.5[unroll.sw,increase.nw]-(10pt,0)) ..(.5[unroll.nw,unroll.sw]); drawarrow diamnok+(0,-diamond_radius)--diamnok+(0,-diamond_radius-1cm); label.rt (btex [reached] etex, diamnok+(0,-diamond_radius-0.5cm)); label.bot (btex OK etex, diamnok+(0,-diamond_radius-1cm)); drawarrow unroll.nw+(-0.5cm,0.5cm)--unroll.nw cutafter bpath.unroll; label.top (btex C program etex, unroll.nw+(-0.5cm,0.5cm)); endfig; end. cbmc-4.5/doc/slides/cbmc-latex-beamer/cbmc-slides.tex0000644000175000017500000011310012165263533022265 0ustar michaelmichael\input{header} \title{CBMC: Bounded Model Checking for ANSI-C} \date{Version 1.0, 2010} % LTL \def\TEMPOP#1{\mathrm{\bf #1}} \def\X{\TEMPOP{X}} \def\F{\TEMPOP{F}} \def\E{\TEMPOP{E}} \def\A{\TEMPOP{A}} \def\G{\TEMPOP{G}} \def\U{\mathrel{\TEMPOP{U}}} \def\R{\mathrel{\TEMPOP{R}}} \begin{document} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \frame[plain]{\titlepage} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Outline} \setcounter{tocdepth}{1} \tableofcontents \setcounter{tocdepth}{2} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \section{Preliminaries} \begin{frame} \frametitle{Preliminaries} \begin{itemize} \item We aim at the analysis of programs given in a commodity programming language such as C, C++, or Java \vfill \item As the first step, we transform the program into a \emph{control flow graph} (CFG) \end{itemize} \vfill \begin{center} \scalebox{.75}{\input{frontend.xfigtex}} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \lstset{language=C,basicstyle=\rmfamily\tiny,escapechar=\$,columns=flexible} \begin{frame}[fragile] \frametitle{Example: SHS} \begin{columns} \begin{column}{.7\textwidth} \begin{lstlisting}[language=C, basicstyle=\rmfamily\tiny,escapechar=\$,columns=flexible] if ( (0 <= t) && (t <= 79) ) switch ( t / 20 ) { case 0: TEMP2 = ( (B AND C) OR (~B AND D) ); TEMP3 = ( K_1 ); break; case 1: TEMP2 = ( (B XOR C XOR D) ); TEMP3 = ( K_2 ); break; case 2: TEMP2 = ( (B AND C) OR (B AND D) OR (C AND D) ); TEMP3 = ( K_3 ); break; case 3: TEMP2 = ( B XOR C XOR D ); TEMP3 = ( K_4 ); break; default: ${\colorbox{tabutter}{\rmfamily assert(0);}}$ } \end{lstlisting} \end{column} \begin{column}{.3\textwidth} \pause \includegraphics{sha-example-0} \end{column} \end{columns} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Bounded Program Analysis} Goal: check properties of the form $\A\G p$,\\ say assertions. \vfill Idea: {\color{ta3skyblue}follow paths through the CFG} to an assertion,\\ and build a formula that corresponds to the path \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Example} \begin{columns} \begin{column}{.3\textwidth} \only<1| handout:0>{\includegraphics{sha-example-0}}% \only<2->{\includegraphics{sha-example-1}} \end{column} \begin{column}{.1\textwidth} \pause\pause \includegraphics[width=\textwidth]{arrow} \end{column} \begin{column}{.6\textwidth} $\begin{array}{ll} & 0 \le t \le 79 \\ \land & t/20\not=0 \\ \land & t/20=1 \\ \land & \mathit{TEMP2}=B \oplus C \oplus D \\ \land & \mathit{TEMP3}=K\_2 \end{array}$ \end{column} \end{columns} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Example} We pass \[ \begin{array}{ll} & 0 \le t \le 79 \\ \land & t/20\not=0 \\ \land & t/20=1 \\ \land & \mathit{TEMP2}=B \oplus C \oplus D \\ \land & \mathit{TEMP3}=K\_2 \end{array} \] to a decision procedure, and obtain a \alert{satisfying assignment},\\ say: \[ \begin{array}{c} t\mapsto 21,\, B\mapsto 0,\, C\mapsto 0,\, D\mapsto 0,\, K\_2\mapsto 10,\\ \mathit{TEMP2}\mapsto 0,\, \mathit{TEMP3}\mapsto 10 \end{array}\] \vfill \mycheck~It provides the values of any inputs on the path. \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Which Decision Procedures?} \begin{itemize} \item We need a decision procedure for an appropriate logic \begin{itemize} \item Bit-vector logic (incl.~non-linear arithmetic) \item Arrays \item Higher-level programming languages also feature\\ lists, sets, and maps \end{itemize} \vfill \item Examples \begin{itemize} \item \href{http://research.microsoft.com/en-us/um/redmond/projects/z3/} {Z3 (Microsoft)} \item \href{http://yices.csl.sri.com/}{Yices (SRI)} \item \href{http://fmv.jku.at/boolector/}{Boolector} \end{itemize} \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \subsection{Enabling Technology: SAT} \begin{frame} \frametitle{Enabling Technology: SAT} \begin{center} \includegraphics[width=\textwidth]{sa-sat-progress}\\ number of variables of a typical, practical SAT instance\\ that can be solved by the best solvers in that decade \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Enabling Technology: SAT} \begin{itemize} \item propositional SAT solvers have made enourmous progress in the last 10 years \vfill \item Further scalability improvements in recent years because of efficient {\color{ta3skyblue}word-level reasoning} and {\color{ta3skyblue}array decision procedures} \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Let's Look at Another Path} \begin{columns} \begin{column}{.3\textwidth} \only<1| handout:0>{\includegraphics{sha-example-0}}% \only<2->{\includegraphics{sha-example-2}} \end{column} \begin{column}{.1\textwidth} \pause\pause \includegraphics[width=\textwidth]{arrow} \end{column} \begin{column}{.6\textwidth} $\begin{array}{ll} & 0 \le t \le 79 \\ \land & t/20\not=0 \\ \land & t/20\not=1 \\ \land & t/20\not=2 \\ \land & t/20\not=3 \end{array}$\\[2ex] \pause That is UNSAT, so the assertion is unreachable. \end{column} \end{columns} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame}[fragile] \frametitle{What If a Variable is Assigned Twice?} \begin{columns} \begin{column}{.3\textwidth} \begin{lstlisting}[language=C,basicstyle=\rmfamily,escapechar=\$,columns=flexible] x=0; if(y>=0) x++; \end{lstlisting} \end{column} \begin{column}{.1\textwidth} \includegraphics[width=\textwidth]{arrow} \end{column} \begin{column}{.5\textwidth} Rename appropriately: \[\begin{array}{ll} & x\only<2>{\alert{_1}}=0 \\ \land & y\only<2>{\alert{_0}}\ge 0 \\ \land & x\only<2>{\alert{_1}}=x\only<2>{\alert{_0}}+1 \end{array}\] \end{column} \end{columns} \pause \vfill \begin{center} This is a special case of \emph{SSA} (static single assignment) \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame}[fragile] \frametitle{Pointers} How do we handle dereferencing in the program? \pause\vfill \begin{columns} \begin{column}{.4\textwidth} \begin{lstlisting}[language=C,basicstyle=\rmfamily,escapechar=\$,columns=flexible] int *p; p=malloc(sizeof(int)*5); ... p[1]=100; \end{lstlisting} \end{column} \begin{column}{.1\textwidth} \includegraphics[width=\textwidth]{arrow} \end{column} \begin{column}{.5\textwidth} $\begin{array}{ll} & p_1=\&\mathit{DO1} \\ \land & \mathit{DO1}_1 = (\lambda i. \\ &i=1?100: \mathit{DO1}_0[i]) \end{array}$ \end{column} \end{columns} \vfill Track a `may-point-to' abstract state while simulating! \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Scalability of Path Search} Let's consider the following CFG: \begin{center} \includegraphics{unrolling-cfg-0} \end{center} This is a loop with an {\tt if} inside. \vfill \pause {\color{ta3scarletred}Q: how many paths for $n$ iterations?} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \section{BMC Basics} \begin{frame} \frametitle{Bounded Model Checking} \begin{itemize} \item Bounded Model Checking (BMC) is the most successful formal validation technique in the \emph{hardware} industry \vfill \item Advantages: \begin{itemize} \item[\mycheck] \alert{Fully automatic} \item[\mycheck] \alert{Robust} \item[\mycheck] \alert{Lots of subtle bugs found} \end{itemize} \vfill \item Idea: only look for bugs \alert{up to specific depth} \vfill \item Good for many applications, e.g., embedded systems \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Transition Systems} Definition: A transition system is a triple $(S, S_0, T)$ with % \begin{itemize} \item set of states $S$, \item a set of initial states $S_0\subset S$, and \item a transition relation $T \subset (S\times S)$. \end{itemize} \vfill The set $S_0$ and the relation $T$ can be written as their characteristic functions. \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \subsection{Unwinding a Transition System} \begin{frame} \frametitle{Unwinding a Transition System} Q: How do we avoid the exponential path explosion? \vfill We just "{\color{ta3chameleon}concatenate}" the transition relation $T$: \begin{center} \begin{picture}(170,30) \put(5,10){\circle*{5}} \put(5,15){\makebox[0cm][c]{\small $S_0$}} \pause \put(10,10){\vector(1,0){30}} \put(15,15){\makebox[0cm][c]{\small $\wedge$}} \put(25,15){\makebox[0cm][c]{\small $T$}} \put(45,10){\circle*{5}} \pause \put(45,15){\makebox[0cm][c]{\small $\wedge$}} \put(65,15){\makebox[0cm][c]{\small $T$}} \put(50,10){\vector(1,0){30}} \put(85,10){\circle*{5}} \pause \put(105,10){\makebox[0cm][c]{\small $\ldots$}} \put(85,15){\makebox[0cm][c]{\small $\wedge$}} \put(125,10){\circle*{5}} \put(130,10){\vector(1,0){30}} \put(145,15){\makebox[0cm][c]{\small $T$}} \put(125,15){\makebox[0cm][c]{\small $\wedge$}} \put(165,10){\circle*{5}} \pause \put(5,0){\makebox[0cm][c]{\small $s_0$}} \put(45,0){\makebox[0cm][c]{\small $s_1$}} \put(85,0){\makebox[0cm][c]{\small $s_2$}} \put(125,0){\makebox[0cm][c]{\small $s_{k-1}$}} \put(165,0){\makebox[0cm][c]{\small $s_k$}} \end{picture} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding a Transition System} As formula: \[ S_0(s_0) \land \bigwedge_{i=0}^{k-1} T(s_i,s_{i+1}) \] \vfill Satisfying assignments for this formula are \alert{traces} through the transition system \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Example} \[ T \subseteq \mathds{N}_0 \times \mathds{N}_0 \] \[ T(s,s') \iff s'.x=s.x+1 \] \ldots and let $S_0(s)\iff s.x=0 \vee s.x=1$ \vfill \pause An unwinding for depth 4: % \[\begin{array}{ll} & (s_0.x=0 \vee s_0.x=1)\\ \land & s_1.x=s_0.x+1 \\ \land & s_2.x=s_1.x+1 \\ \land & s_3.x=s_2.x+1 \\ \land & s_4.x=s_3.x+1 \end{array}\] \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Checking Reachability Properties} Suppose we want to check a property of the form $\A\G p$. \vfill \pause We then want at \alert{least one state} $s_i$ to satisfy $\neg p$: \[ S_0(s_0) \land \bigwedge_{i=0}^{k-1} T(s_i,s_{i+1}) \quad\land\quad \bigvee_{i=0}^k \neg p(s_i) \] \vfill Satisfying assignments are \alert{counterexamples} for the $\A\G p$ property \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \subsection{Unwinding Software} \begin{frame} \frametitle{Unwinding Software} We can do exactly that for our transition relation for software. \vfill E.g., for a program with 5 locations, 6 unwindings: \begin{center} \includegraphics[scale=.8]{unrolling-3} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Software} Problem: obviously, most of the formula is never 'used',\\ as only few sequences of PCs correspond to a path. \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Software} Example: \begin{center} \begin{tabular}{ccc} \raisebox{.1cm}{\includegraphics{unrolling-0}} &\raisebox{2cm}{\onslide<2>{\includegraphics[scale=.5]{arrow}}} &\onslide<2>{\includegraphics[scale=.8]{unrolling-4}} \\ CFG & & \onslide<2>{unrolling} \end{tabular} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Software} Optimization:\\ {\color{ta3skyblue}don't generate the parts of the formula that are not 'reachable'} \begin{center} \begin{tabular}{ccc} \raisebox{.1cm}{\includegraphics{unrolling-0}} &\raisebox{2cm}{\onslide<2>{\includegraphics[scale=.5]{arrow}}} &\onslide<2>{\includegraphics[scale=.8]{unrolling-1}} \\ CFG & & \onslide<2>{unrolling} \end{tabular} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Software} Problem: \begin{center} \begin{tabular}{ccc} \includegraphics{unrolling-full-0} &\raisebox{2cm}{\includegraphics[scale=.5]{arrow}} &\includegraphics[scale=.8]{unrolling-full-1} \\ CFG & & unrolling \end{tabular} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Software} \begin{itemize} \item Unwinding $T$ with bound $k$ results in a formula of size \[ |T| \cdot k \] \vfill \item If we assume a $k$ that is only linear in $|T|$,\\ we get get a formula with size $O(|T|^2)$ \vfill \item Can we do better? \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unrolling Loops} Idea: do {\color{ta3chameleon}exactly one location} in each timeframe: \begin{center} \begin{tabular}{ccc} \raisebox{.1cm}{\includegraphics{unrolling-0}} &\raisebox{2cm}{\onslide<2>{\includegraphics[scale=.5]{arrow}}} &\onslide<2>{\includegraphics[scale=.8]{unrolling-2}} \\ CFG & & \onslide<2>{unrolling} \end{tabular} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unrolling Loops} \begin{itemize} \item[\mycheck] More effective use of the formula size \vfill \item[\mycheck] Graph has fewer merge nodes,\\ the formula is easier for the solvers \vfill \item[\myfail] Not all paths of length $k$ are encoded\\ $\rightarrow$ the bound needs to be larger \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \lstset{language=C,basicstyle=\rmfamily,escapechar=\$,columns=flexible} \begin{frame} \frametitle{Unrolling Loops} This essentially amounts to unwinding loops: \begin{center} \colorbox{tabutter!50!white}{ \begin{picture}(200,170) \put(0,0){\makebox(200,160)[tl]{\begin{minipage}[t]{\textwidth} \only<1| handout:0>{% \hspace*{0cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;! }% \only<2| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{0cm} \lstinline!\}! }% \only<3| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \only<4| handout:1>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1.5cm}\lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{2cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!\}!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \only<5| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1.5cm}\lstinline!assume(!\alert{!cond}\lstinline!);!\\ \hspace*{2cm} \\ \hspace*{1cm} \lstinline!\}!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \end{minipage}}} \end{picture}} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \section{Completeness} \begin{frame} \frametitle{Completeness} BMC, as discussed so far, is incomplete.\\ It only refutes, and does not prove. \vfill How can we fix this? \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{comment} \begin{frame} \frametitle{Completeness: Overview} We will see two techniques for making BMC for software complete: \vfill \begin{enumerate} \item Unwinding assertions \vfill \item $k$-induction \end{enumerate} \end{frame} \end{comment} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \subsection{Unwinding Assertions} \begin{frame} \frametitle{Unwinding Assertions} Let's revisit the loop unwinding idea: \begin{center} \colorbox{tabutter!50!white}{ \begin{picture}(200,170) \put(0,0){\makebox(200,160)[tl]{\begin{minipage}[t]{\textwidth} \only<1| handout:0>{% \hspace*{0cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;! }% \only<2| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{0cm} \lstinline!\}! }% \only<3| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \only<4| handout:1>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1.5cm}\lstinline!while(!\alert{cond}\lstinline!)!\\ \hspace*{2cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!\}!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \only<5| handout:0>{% \hspace*{0cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{.5cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{.5cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1cm} {\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1cm} \lstinline!if(!\alert{cond}\lstinline!) \{!\\ \hspace*{1.5cm}{\color{ta3chameleon}Body}\lstinline!;!\\ \hspace*{1.5cm}\lstinline!assert(!\alert{!cond}\lstinline!);!\\ \hspace*{2cm} \\ \hspace*{1cm} \lstinline!\}!\\ \hspace*{.5cm} \lstinline!\}!\\ \hspace*{0cm} \lstinline!\}! }% \end{minipage}}} \end{picture}} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Unwinding Assertions} \begin{itemize} \item We replace the assumption we have used earlier to cut off paths by an assertion \vfill \item[\mycheck] This allows us to \alert{prove that we have done enough unwinding} \vfill \item This is a proof of a high-level worst-case execution time (WCET) \vfill \item Very appropriate for embedded software \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{comment} \subsection{k-induction} \begin{frame} \frametitle{$k$-induction} \end{frame} \end{comment} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{CBMC Toolflow: Summary} \begin{enumerate} \item Parse, build CFG \vfill \item Unwind CFG, form formula \vfill \item Formula is solved by SAT/SMT \end{enumerate} \vfill \begin{center} \scalebox{.5}{\input{cbmc-flow.xfigtex}} \end{center} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \section{Solving the Decision Problem} \begin{frame} \frametitle{Solving the Decision Problem} Suppose we have used some unwinding, and have built the formula. \vfill For bit-vector arithmetic, the standard way of deciding satisfiability of the formula is \emph{flattening},\\ followed by a call to a propositional SAT solver. \vfill In the SMT context: SMT-$\mathcal{BV}$ \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Bit-vector Flattening} \begin{itemize} \item This is easy for the bit-wise operators. \vfill \item Denote the Boolean variable for bit $i$ of term $t$ by \alert{$\mu(t)_i$}. \vfill \item Example for $a \,|_{[l]}\, b$: % \[ \bigwedge_{i=0}^{l-1} (\mu(t)_i=(a_i\vee b_i)) \] (read $x=y$ over bits as $x \iff y$) \pause \vfill \item We can transform this into CNF using Tseitin's method. \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Flattening Bit-Vector Arithmetic} How to flatten \alert{$a+b$}? \pause \vspace*{1ex} $\longrightarrow$ we can build a \emph{circuit} that adds them! \vfill \begin{columns} \begin{column}{1.5cm} \scalebox{0.75}{ \setlength{\unitlength}{0.00083333in} % {\renewcommand{\dashlinestretch}{30} \begin{picture}(624,1710)(0,-10) \path(162,525)(162,225) \put(140,700){\makebox(0,0)[lb]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(499,1500){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}i}}} \put(262,1500){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}b}}} \put(28,1500){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}a}}} \put(407,0){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}s}}} \put(86,0){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}o}}} \path(87,1425)(87,1125) \path(312,1425)(312,1125) \path(537,1425)(537,1125) \path(462,525)(462,225) \path(12,1125)(612,1125)(612,525)(12,525)(12,1125) \end{picture}}} \end{column} \begin{column}{9cm} \begin{block}{Full Adder} $\begin{array}{r@{\quad}c@{\quad}l@{\quad}c@{\quad}l} s &\equiv& (a + b + i \;) \mathrel{\mathrm{mod}} 2 &\equiv& a \oplus b \oplus i \\[1.5ex] \mathit{o} &\equiv& (a + b + i\;) \mathrel{\mathrm{div}} 2 &\equiv& a \cdot b + a \cdot i + b \cdot i \end{array}$ \end{block} \end{column} \end{columns} \vfill The full adder in CNF: % \[\begin{array}{l} ( a \lor b \lor \neg o) \land ( a \lor \neg b \lor i \lor \neg o) \land ( a \lor \neg b \lor \neg i \lor o) \land\\ (\neg a \lor b \lor i \lor \neg o) \land (\neg a \lor b \lor \neg i \lor o) \land (\neg a \lor \neg b \lor o) \end{array}\] \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Flattening Bit-Vector Arithmetic} Ok, this is good for one bit! How about more? \pause \vspace*{2ex} \begin{block}{8-Bit ripple carry adder (RCA)} \begin{center} \scalebox{0.65}{ \setlength{\unitlength}{0.00083333in} {\renewcommand{\dashlinestretch}{30} \begin{picture}(7640,1785)(0,-10) \path(3214,1425)(3214,1125) \path(6289,525)(6289,225) \path(5914,1425)(5914,1125) \path(6139,1425)(6139,1125) \path(5989,525)(5989,375)(5689,375) (5689,1275)(5464,1275)(5464,1125) \path(5389,525)(5389,225) \path(5014,1425)(5014,1125) \path(5239,1425)(5239,1125) \path(7189,525)(7189,225) \path(6814,1425)(6814,1125) \path(7039,1425)(7039,1125) \path(6889,525)(6889,375)(6589,375) (6589,1275)(6364,1275)(6364,1125) \path(7189,1125)(7189,1275)(7489,1275) \path(589,525)(589,375)(289,375) \path(889,525)(889,225) \path(739,1425)(739,1125) \path(1489,525)(1489,375)(1189,375) (1189,1275)(964,1275)(964,1125) \path(1789,525)(1789,225) \path(1639,1425)(1639,1125) \path(2389,525)(2389,375)(2089,375) (2089,1275)(1864,1275)(1864,1125) \path(2689,525)(2689,225) \path(2539,1425)(2539,1125) \path(3289,525)(3289,375)(2989,375) (2989,1275)(2764,1275)(2764,1125) \path(3589,525)(3589,225) \path(3439,1425)(3439,1125) \path(4189,525)(4189,375)(3889,375) (3889,1275)(3664,1275)(3664,1125) \path(4489,525)(4489,225) \path(4339,1425)(4339,1125) \path(5089,525)(5089,375)(4789,375) (4789,1275)(4564,1275)(4564,1125) \path(439,1125)(1039,1125)(1039,525) (439,525)(439,1125) \path(1339,1125)(1939,1125)(1939,525) (1339,525)(1339,1125) \path(1414,1425)(1414,1125) \path(514,1425)(514,1125) \path(2239,1125)(2839,1125)(2839,525) (2239,525)(2239,1125) \path(3139,1125)(3739,1125)(3739,525) (3139,525)(3139,1125) \path(4114,1425)(4114,1125) \path(4939,1125)(5539,1125)(5539,525) (4939,525)(4939,1125) \path(4039,1125)(4639,1125)(4639,525) (4039,525)(4039,1125) \path(5839,1125)(6439,1125)(6439,525) (5839,525)(5839,1125) \path(6739,1125)(7339,1125)(7339,525) (6739,525)(6739,1125) \put(7564,1200){\makebox(0,0)[lb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$i$}}} \put(739,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(1639,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(2539,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(3439,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(4339,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(5239,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(6139,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(7039,705){\makebox(0,0)[b]{{\SetFigFont{20}{24.0}{\sfdefault}{\mddefault}{\updefault}FA}}} \put(514,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_7$}}} \put(739,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_7$}}} \put(1414,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_6$}}} \put(1639,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_6$}}} \put(2314,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_5$}}} \put(2539,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_5$}}} \put(3214,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_4$}}} \put(3439,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_4$}}} \put(4114,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_3$}}} \put(4339,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_3$}}} \put(5014,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_2$}}} \put(5239,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_2$}}} \put(5914,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_1$}}} \put(6139,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_1$}}} \put(6814,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$a_0$}}} \put(7039,1500){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$b_0$}}} \put(139,331){\makebox(0,0)[rb]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$o$}}} \put(889,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_7$}}} \put(1789,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_6$}}} \put(2689,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_5$}}} \put(3589,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_4$}}} \put(4489,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_3$}}} \put(5389,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_2$}}} \put(6289,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_1$}}} \put(7189,0){\makebox(0,0)[b]{{\SetFigFont{17}{20.4}{\rmdefault}{\mddefault}{\itdefault}$s_0$}}} \path(2314,1425)(2314,1125) \end{picture}}} \end{center} \end{block} \begin{itemize} \item Also called \emph{carry chain adder} \item Adds $l$ variables \item Adds $6\cdot l$ clauses \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \subsection{Incremental Flattening} \begin{frame} \frametitle{Multipliers} \begin{itemize} \item \alert{Multipliers} result in very hard formulas \vfill \item Example: % \[ a\cdot b=c \,\land\, b\cdot a\not =c \,\land\, xy \] CNF: About 11000 variables,\\ \alert{unsolvable} for current SAT solvers \vfill \item Similar problems with division, modulo \vfill \item Q: Why is this hard? \pause \item Q: How do we fix this? \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Incremental Flattening} \begin{center} \begin{picture}(270,150) \put(60,150){\vector(0,-1){10}} \put(60,120){\makebox[0cm][c]{\includegraphics[height=20pt,width=90pt]{gradient_box_yellow}}} \put(60,127){\makebox[0cm][c]{$\varphi_f:=\varphi_\mathit{sk}$, $F:=\emptyset$}} \onslide<2->{ \put(60,120){\vector(0,-1){60}} \put(60,40){\makebox[0cm][c]{\includegraphics[height=20pt,width=90pt]{gradient_box_red}}} \put(60,47){\makebox[0cm][c]{Is $\varphi_f$ SAT?}} } \onslide<3->{ \put(60,40){\vector(0,-1){30}} \put(62,20){No!} \put(60,0){\makebox[0cm][c]{\color{tascarletred}UNSAT}} } \onslide<4->{ \put(105,50){\vector(1,0){45}} \put(115,52){Yes!} \put(150,40){\includegraphics[height=20pt,width=80pt]{gradient_box_green}} \put(190,47){\makebox[0cm][c]{compute $I$}} } \onslide<5->{ \put(190,40){\vector(0,-1){30}} \put(192,20){$I=\emptyset$} \put(190,0){\makebox[0cm][c]{\color{tascarletred}SAT}} } \onslide<6->{ \put(190,60){\vector(0,1){20}} \put(192,65){$I\not=\emptyset$} \put(120,80){\includegraphics[height=40pt,width=140pt]{gradient_box_yellow}} \put(190,108){\makebox[0cm][c]{Pick $F'\subseteq(I\setminus F)$}} \put(190,96){\makebox[0cm][c]{$F:=F\cup F'$}} \put(190,85){\makebox[0cm][c]{$\varphi_f:=\varphi_f \land \textsc{Constraint}(F)$}} \put(120,100){\vector(-1,0){60}} } \end{picture} \end{center} \onslide<1->{$\varphi_\mathit{sk}$: Boolean part of $\varphi$\\ $F$: set of terms that are in the encoding\\} \onslide<4->{$I$: set of terms that are inconsistent with the current assignment} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \begin{frame} \frametitle{Incremental Flattening} \begin{itemize} \item Idea: add 'easy' parts of the formula first \vfill \item Only add hard parts when needed \vfill \item $\varphi_f$ only gets stronger -- use an \alert{incremental SAT solver} \end{itemize} \end{frame} % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ % ------------------------------------------------------------------------ \end{document} cbmc-4.5/doc/slides/cbmc-latex-beamer/cbmc-logo-medium.png0000644000175000017500000000653712145230215023210 0ustar michaelmichaelPNG  IHDR*jPLTE1199)))))111199911119))))!!!!))))11193!!!!))!!)594BBBJJJJJJJBRRZZURRZXkcckgcckhss{wss{uJFBBBJRVSWBGDZVVZJhkcfgvxs{ywcckxxk޼ܾ綄ᵉﶄ컇۾羥řؗ։ȇÄɊڊ؆Ś˔Ϝ͖؜Ԕ՜ݘååǥʥȪ֧͵̽ǷƵ˵ϵ̽Ͻȼսӷíǭ̭ĥةԥխۭ߭ۥߵ۵ݺ׹AW pHYsttfx tEXtComment* IDATxY}l[WMc'Nn+$ViNB!!@]ƐX5QUCh@B+&X3"?e)BC&h/aRPVBӯ$ubpιw]){Ͽw?=ױLMߦb= 2}EDgכNBb0˵XqmhB@` pG 0'`g@0K' 3*XZFؙ!Tqf|ͣTH$#\T:sВפH^$$x;0@"%!y@ $% !@H d![uARmhtBg_zzz@6Ck $ؙνtK`Q|؈vf'0:gBAx2î:S֏}p󐃪 Ty֢:cNy~ ~:4Wv̱yp5#易5-ž@ zāܼ vH_Γ6AT/rGiӗ{XxKKzp\SӀzYq@h+'W&p@ o ڗ&-i)wp< 8[yٌi)+h!AW\+`߸짠ttS2ECMMgK0Cf_hpSpbL+^|;]=CCF_z; ^EKKwtyr=14!eNb8 7  PRt]rI T8qW<^Fޖd2I+ު0NUü$#2Xr,Zf*x)& TU䕕ҝ٬4 4uY}=3a2|F80LքjG 9q\*FX󂍜 E,up^I1w{mR緶rW}H&\oV`TF橸jǪm)?.sT/L?"mT|MCdhq .. [ť]<3An{o\@t*M+i7gnH eQLkVw}N}! >P S.O,TbJ^A+^S&\r8F[[n%~IՕp~=rg3ݼrvwuɃaGxWHbYU>{a8 .:Տ5Surr=[(mkH'rT@I~=T)"ܹ85nQr)*nQ\BnhrM2;(__Crc!C%l :/ƽ]LnUx{WMKěq>?M(iջGnw+M&gܨ]rŇ-.URoWr?!qdxLڭʝRøFލ mx;IA>-yyl7NWb[yk-D*AѠ\cvn-n@vr뢃>!ڋ̳sG-z D~m++wh9 yx5c^ض \aw?#d4kHy>MƳ^OI .גH8R{Z&ծ^.5Z kl F5n>1iׄUFi^$#22,kmˌ,4tPBSq~E\N՗+wLiux÷GE\&`䟢543=t/X >_j:xu?ɟxHuɈQ %1/Lp,a*|K-Ƥ5Mm+W+W EnBk ls.TIENDB`cbmc-4.5/doc/slides/cbmc-latex-beamer/do_figures0000755000175000017500000000056612165264216021444 0ustar michaelmichael#!/bin/bash FIG="cbmc-flow.fig frontend.fig" for a in ${FIG} ; do fig2dev -L pdftex $a > `echo $a | sed s/.fig/.pdf/` done for a in ${FIG} ; do fig2dev -L pdftex_t -p `echo $a | sed s/.fig/.pdf/` $a > `echo $a | sed s/.fig/.xfigtex/` done MP="bmc-loop.mp unrolling-cfg.mp unrolling.mp sha-example.mp unrolling-full.mp" for a in ${MP} ; do mptopdf --rawmp $a done cbmc-4.5/doc/slides/cbmc-latex-beamer/gradient_box_green.pdf0000644000175000017500000001240512165263510023677 0ustar michaelmichael%PDF-1.3 % 2 0 obj << /Length 4 0 R /Filter /FlateDecode >> stream x+TT(c}\C|@1 endstream endobj 4 0 obj 23 endobj 1 0 obj << /Type /Page /Parent 7 0 R /Resources 3 0 R /Contents 2 0 R /MediaBox [0 0 241 59] >> endobj 3 0 obj << /ProcSet [ /PDF ] /XObject << /Fm1 5 0 R >> >> endobj 5 0 obj << /Length 8 0 R /Type /XObject /Subtype /Form /FormType 1 /BBox [0 0 241 59] /Resources 6 0 R /Filter /FlateDecode >> stream xeP9n@ ){Nå*?@HR)&fgkWLX`̒Zf&QNYx??956G#dbP*մ#M$F{V~9s.8xC*AOŘsx%zݵWI9n#񒚌;9yxY^a(K^ endstream endobj 8 0 obj 191 endobj 6 0 obj << /ProcSet [ /PDF /ImageB /ImageC /ImageI ] /ColorSpace << /Cs1 9 0 R >> /ExtGState << /Gs2 12 0 R /Gs1 13 0 R >> /XObject << /Im1 10 0 R >> >> endobj 10 0 obj << /Length 11 0 R /Type /XObject /Subtype /Image /Width 256 /Height 256 /ColorSpace 9 0 R /BitsPerComponent 8 /Filter /FlateDecode >> stream xuo\gHRM=8!cljNb;-l2{=ޑ7 f3s_~:z ό3JflU%[oSڶdJY2sfjwHcjGSjS;Eunv#GRiҞ{F{wojʒ/,;PTvPVrh/?\Qq:tGUuSӝ64uzꌚ3ԙ5gjRg9[3unkϿ`jYIu.𢺋u'']RRuYeW+TWͻJ]=jukԵU-N]zuC ƦMM7%-L[o֤ZnSܮXtNuW]w{ߣ]ro}mjᎇ#KQ.}4iYcSw>|B=zjSOgV<]znsIIw?^yAz%rUWW5׼{Cz-ڷӽwU@J T`iPRP*.W-~~?m+J?mW?m+{-~~l?mů~[ ů~[s:ů~[?m+?m?-}.o?ޯ?m^~W-~~W-~[A#o?oF?=po_c>o?o ?&'}~O?FF?ogdSW3~µ-j?w7_ӂ?w?s|g<㟾[mĿEfOW} o0>o>gVaV+!~f*O~f/K + YϬ|EA_?#UX;3+O? /\;_|1M}_--y_} 8w$vo?)n*ί: 7_;,~gCuW̚~5ǹ?뛮.=*'~gogF9lWğM~?g ~5!98?sſW =_bcׁF>o_GW~~O ů~[vG?mw=-~{W-~{~O?_?^?=ao?o?Wg5o?o?o?o?~O ~O ?co?~?m?m+O-~{W-~{~O ~Ok^ ~'~~'~~'~~'u?m?m?m?m/-~7?_o_?_G+~{u~O ?_?_?!?=+?=+?=>~'~~~[O?_?a?=+?=+?=+?=+?=1 ~wß~'~~'?F~[į~[į~[į~[į~[cn~Cį~[į~[į~[?o??ğ?]?m?m?m/hY endstream endobj 11 0 obj 2612 endobj 12 0 obj << /Type /ExtGState /OPM 1 >> endobj 13 0 obj << /Type /ExtGState /SM 0.02 >> endobj 14 0 obj << /Length 15 0 R /N 3 /Alternate /DeviceRGB /Filter /FlateDecode >> stream x}OHQǿ%Be&RNW`oʶkξn%B.A1XI:b]"(73ڃ73{@](mzy(;>7PA+Xf$vlqd}䜛] UƬxiO:bM1Wg>q[ 2M'"()Y'ld4䗉2'&Sg^}8&w֚, \V:kݤ;iR;;\u?V\\C9u(JI]BSs_ QP5Fz׋G%t{3qWD0vz \}\$um+٬C;X9:Y^gB,\ACioci]g(L;z9AnI ꭰ4Iݠx#{zwAj}΅Q=8m (o{1cd5Ugҷtlaȱi"\.5汔^8tph0k!~D Thd6챖:>f&mxA4L&%kiĔ?Cqոm&/By#Ց%i'W:XlErr'=_ܗ)i7Ҭ,F|Nٮͯ6rm^ UHW5;?Ͱh endstream endobj 15 0 obj 706 endobj 9 0 obj [ /ICCBased 14 0 R ] endobj 7 0 obj << /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 1 0 R ] >> endobj 16 0 obj << /Type /Catalog /Pages 7 0 R >> endobj 17 0 obj << /CreationDate (D:20070114184550+01'00') /ModDate (D:20070114184550+01'00') /Producer (Mac OS X 10.4.8 Quartz PDFContext) >> endobj xref 0 18 0000000000 00000 n 0000000137 00000 n 0000000022 00000 n 0000000240 00000 n 0000000119 00000 n 0000000305 00000 n 0000000667 00000 n 0000004587 00000 n 0000000648 00000 n 0000004551 00000 n 0000000827 00000 n 0000003607 00000 n 0000003628 00000 n 0000003674 00000 n 0000003722 00000 n 0000004531 00000 n 0000004670 00000 n 0000004720 00000 n trailer << /Size 18 /Root 16 0 R /Info 17 0 R /ID [ ] >> startxref 4863 %%EOF cbmc-4.5/doc/slides/cbmc-latex-beamer/unrolling-full.mp0000644000175000017500000000561312165264216022675 0ustar michaelmichaelinput boxes vardef connect(suffix s, t)= drawarrow s..t cutbefore fullcircle scaled 3pt shifted s cutafter fullcircle scaled 3pt shifted t; drawdot s withpen pencircle scaled 3pt; drawdot t withpen pencircle scaled 3pt; enddef; ystep = 0.9cm; beginfig (0) % Control flow graph defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 4: z[s] = (1.2cm,s*ystep); endfor; dotlabel.ulft ("L1", z[4]); dotlabel.lft ("L2", z[3]); dotlabel.lft ("L3", z[2]); dotlabel.llft ("L4", z[1]); dotlabel.lft ("L5", z[0]); for s=0 step 1 until 3: connect (z[s+1],z[s]); endfor; drawarrow (z[4] shifted (0,0.3cm))..z[4] cutafter fullcircle scaled 3pt shifted z[4]; drawarrow z[3]..(2.2cm,ypart z[3])..z[3] cutbefore fullcircle scaled 3pt shifted z[3] cutafter fullcircle scaled 3pt shifted z[3]; endfig; beginfig (1) % FSOFT unrolling defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 6: for t=1 step 1 until 5: z[5*s+t]=(t*1cm,s*ystep); draw z[5*s+t] withcolor 0.5white withpen pencircle scaled 3pt; % if ((t=3) and ((s=4) or (s=2) or (s=0))): % label.urt ("L"&decimal t, z[5*s+t]) withcolor 0.5white; % elseif ((s=6) and (t=2)): % label.lft ("L"&decimal t, z[5*s+t]) withcolor 0.5white; % else: label.llft ("L"&decimal t, z[5*s+t]) withcolor 0.5white; % fi; endfor; label.lft ("#"&decimal (6-s), (0, s*ystep)); if (not (s=6)): draw (0,(ystep/2)+(s)*ystep)..(5.5cm,(ystep/2)+(s)*ystep) dashed evenly; fi; endfor % drawarrow (z[5*6+1] shifted (0,0.3cm))..z[5*6+1] cutafter fullcircle scaled 3pt shifted z[5*6+1]; connect (z[5*6+1], z[5*5+2]); label.llft ("L1", z[5*6+1]); label.llft ("L2", z[5*5+2]); connect (z[5*5+2], z[5*4+3]); label.llft ("L3", z[5*4+3]); connect (z[5*4+3], z[5*3+4]); label.llft ("L4", z[5*3+4]); connect (z[5*3+4], z[5*2+5]); label.llft ("L5", z[5*2+5]); connect (z[5*5+2], z[5*4+2]); label.llft ("L2", z[5*4+2]); connect (z[5*4+2], z[5*3+3]); label.llft ("L3", z[5*3+3]); connect (z[5*3+3], z[5*2+4]); label.llft ("L4", z[5*2+4]); connect (z[5*2+4], z[5*1+5]); label.llft ("L5", z[5*1+5]); connect (z[5*4+2], z[5*3+2]); label.llft ("L2", z[5*3+2]); connect (z[5*3+2], z[5*2+3]); label.llft ("L3", z[5*2+3]); connect (z[5*2+3], z[5*1+4]); label.llft ("L4", z[5*1+4]); connect (z[5*1+4], z[5*0+5]); label.llft ("L5", z[5*0+5]); connect (z[5*3+2], z[5*2+2]); label.llft ("L2", z[5*2+2]); connect (z[5*2+2], z[5*1+3]); label.llft ("L3", z[5*1+3]); connect (z[5*1+3], z[5*0+4]); label.llft ("L4", z[5*0+4]); connect (z[5*2+2], z[5*1+2]); label.llft ("L2", z[5*1+2]); connect (z[5*1+2], z[5*0+3]); label.llft ("L3", z[5*0+3]); connect (z[5*1+2], z[5*0+2]); label.llft ("L2", z[5*0+2]); % draw z[5*0+3]..(z[5*0+3] shifted (-0.5cm,-(ystep/3))) dashed withdots scaled 0.5; % draw z[5*0+3]..(z[5*0+3] shifted (0.5cm,-(ystep/3))) dashed withdots scaled 0.5; endfig; end. cbmc-4.5/doc/slides/cbmc-latex-beamer/unrolling.mp0000644000175000017500000001212012165264216021724 0ustar michaelmichaelinput boxes vardef connect(suffix s, t)= drawarrow s..t cutbefore fullcircle scaled 3pt shifted s cutafter fullcircle scaled 3pt shifted t; drawdot s withpen pencircle scaled 3pt; drawdot t withpen pencircle scaled 3pt; enddef; vardef connectred(suffix s, t)= drawarrow s..t cutbefore fullcircle scaled 3pt shifted s cutafter fullcircle scaled 3pt shifted t withcolor red; drawdot s withpen pencircle scaled 3pt withcolor red; drawdot t withpen pencircle scaled 3pt withcolor red; enddef; ystep = 0.9cm; beginfig (0) % Control flow graph defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 4: z[s] = (1.2cm,s*ystep); endfor; dotlabel.ulft ("L1", z[4]); dotlabel.lft ("L2", z[3]); dotlabel.lft ("L3", z[2]); dotlabel.llft ("L4", z[1]); dotlabel.lft ("L5", z[0]); for s=0 step 1 until 3: connect (z[s+1],z[s]); endfor; drawarrow (z[4] shifted (0,0.3cm))..z[4] cutafter fullcircle scaled 3pt shifted z[4]; drawarrow z[4]..(0.2cm,ypart 0.5[z[4],z[1]])..z[1] cutbefore fullcircle scaled 3pt shifted z[4] cutafter fullcircle scaled 3pt shifted z[1]; drawarrow z[2]{right}..(2cm,ypart 0.5[z[2],z[3]])..{left}z[3] cutbefore fullcircle scaled 3pt shifted z[2] cutafter fullcircle scaled 3pt shifted z[3]; endfig; beginfig (1) % FSOFT unrolling defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 6: for t=1 step 1 until 5: z[5*s+t]=(t*1cm,s*ystep); draw z[5*s+t] withcolor 0.5white withpen pencircle scaled 3pt; if ((t=3) and ((s=4) or (s=2) or (s=0))): label.urt ("L"&decimal t, z[5*s+t]) withcolor 0.5white; elseif ((s=6) and (t=2)): label.lft ("L"&decimal t, z[5*s+t]) withcolor 0.5white; else: label.llft ("L"&decimal t, z[5*s+t]) withcolor 0.5white; fi; endfor; label.lft ("#"&decimal (6-s), (0, s*ystep)); if (not (s=6)): draw (0,(ystep/2)+(s)*ystep)..(5.5cm,(ystep/2)+(s)*ystep) dashed evenly; fi; endfor drawarrow (z[5*6+1] shifted (0,0.3cm))..z[5*6+1] cutafter fullcircle scaled 3pt shifted z[5*6+1]; connect (z[5*6+1], z[5*5+2]); label.llft ("L1", z[5*6+1]); label.llft ("L2", z[5*5+2]); connect (z[5*6+1], z[5*5+4]); label.llft ("L4", z[5*5+4]); connect (z[5*5+2], z[5*4+3]); label.urt ("L3", z[5*4+3]); connect (z[5*5+4], z[5*4+5]); label.llft ("L5", z[5*4+5]); connect (z[5*4+3], z[5*3+2]); label.llft ("L2", z[5*3+2]); connect (z[5*4+3], z[5*3+4]); label.llft ("L4", z[5*3+4]); connect (z[5*3+2], z[5*2+3]); label.urt ("L3", z[5*2+3]); connect (z[5*3+4], z[5*2+5]); label.llft ("L5", z[5*2+5]); connect (z[5*2+3], z[5*1+2]); label.llft ("L2", z[5*1+2]); connect (z[5*2+3], z[5*1+4]); label.llft ("L4", z[5*1+4]); connect (z[5*1+2], z[5*0+3]); label.urt ("L3", z[5*0+3]); connect (z[5*1+4], z[5*0+5]); label.llft ("L5", z[5*0+5]); draw z[5*0+3]..(z[5*0+3] shifted (-0.5cm,-(ystep/3))) dashed withdots scaled 0.5; draw z[5*0+3]..(z[5*0+3] shifted (0.5cm,-(ystep/3))) dashed withdots scaled 0.5; endfig; beginfig (2) % CBMC unrolling defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 6: z[s]=(1.5cm,s*ystep); label.lft ("#"&decimal (6-s), (0, s*ystep)); if (not (s=6)): draw (0,(ystep/2)+(s)*ystep)..(2.5cm,(ystep/2)+(s)*ystep) dashed evenly; fi; endfor; drawarrow (z[6] shifted (0,0.3cm))..z[6] cutafter fullcircle scaled 3pt shifted z[6]; dotlabel.ulft ("L1", z[6]); dotlabel.lft ("L2", z[5]); dotlabel.lft ("L3", z[4]); dotlabel.lft ("L2", z[3]); dotlabel.lft ("L3", z[2]); dotlabel.llft ("L4", z[1]); dotlabel.lft ("L5", z[0]); drawarrow z[6]..(0.2cm,ypart 0.5[z[6],z[1]])..z[1] cutbefore fullcircle scaled 3pt shifted z[6] cutafter fullcircle scaled 3pt shifted z[1]; for s=0 step 1 until 5: connect (z[s+1], z[s]); endfor; drawarrow z[4]..(2.3cm,ypart 0.5[z[4],z[1]])..z[1] cutbefore fullcircle scaled 3pt shifted z[4] cutafter fullcircle scaled 3pt shifted z[1]; draw z[0]..(z[0] shifted (0,-(ystep/3))) dashed withdots scaled 0.5 withcolor white; endfig; beginfig (3) % Basic unrolling defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 6: for t=1 step 1 until 5: z[5*s+t]=(t*1cm,s*ystep); draw z[5*s+t] withcolor black withpen pencircle scaled 3pt; label.llft ("L"&decimal t, z[5*s+t]) withcolor black; endfor; label.lft ("#"&decimal (6-s), (0, s*ystep)); if (not (s=6)): draw (0,(ystep/2)+(s)*ystep)..(5.5cm,(ystep/2)+(s)*ystep) dashed evenly; fi; endfor endfig; beginfig (4) % Basic unrolling with a path defaultscale:=9pt/fontsize defaultfont; for s=0 step 1 until 6: for t=1 step 1 until 5: z[5*s+t]=(t*1cm,s*ystep); draw z[5*s+t] withcolor black withpen pencircle scaled 3pt; label.llft ("L"&decimal t, z[5*s+t]) withcolor black; endfor; label.lft ("#"&decimal (6-s), (0, s*ystep)); if (not (s=6)): draw (0,(ystep/2)+(s)*ystep)..(5.5cm,(ystep/2)+(s)*ystep) dashed evenly; fi; endfor for s=1 step 1 until 5: connectred (z[5*(s+1)+1], z[5*s+1]); endfor; for s=2 step 1 until 5: connectred (z[5*(s+1)+6-s], z[5*s+7-s]); endfor; endfig; end. cbmc-4.5/doc/slides/cbmc-latex-beamer/cbmc-flow.fig0000644000175000017500000000323612165262735021731 0ustar michaelmichael#FIG 3.2 Produced by xfig version 3.2.5 Landscape Center Inches Letter 100.00 Single -2 1200 2 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 3300 1800 4500 1800 4500 2700 3300 2700 3300 1800 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 5400 1800 6600 1800 6600 2700 5400 2700 5400 1800 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 4500 2250 5400 2250 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 6600 2250 7500 2250 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 7500 1800 8700 1800 8700 2700 7500 2700 7500 1800 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 9600 1800 10800 1800 10800 2700 9600 2700 9600 1800 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 8700 2250 9600 2250 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 11700 900 12900 900 12900 1800 11700 1800 11700 900 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 11700 2700 12900 2700 12900 3600 11700 3600 11700 2700 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 10800 1950 11700 1500 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 10794 2547 11694 2997 4 1 0 49 -1 -1 12 0.0000 4 180 600 3900 2250 C/C++\001 4 1 0 49 -1 -1 12 0.0000 4 150 615 3900 2475 Source\001 4 1 0 49 -1 -1 12 0.0000 4 150 480 4950 2175 parse\001 4 1 0 49 -1 -1 12 0.0000 4 150 480 6000 2250 parse\001 4 1 0 49 -1 -1 12 0.0000 4 120 345 6000 2475 tree\001 4 1 0 49 -1 -1 12 0.0000 4 150 435 8100 2325 CFG\001 4 1 0 49 -1 -1 12 0.0000 4 150 660 10200 2325 formula\001 4 1 0 49 -1 -1 12 0.0000 4 150 630 9150 2175 unwind\001 4 1 0 49 -1 -1 12 0.0000 4 150 435 12300 1425 CNF\001 4 1 0 49 -1 -1 12 0.0000 4 150 705 12300 3375 AUFBV\001 4 1 0 49 -1 -1 12 0.0000 4 150 450 12300 3150 SMT\001 cbmc-4.5/doc/slides/cbmc-latex-beamer/gradient_box_red.pdf0000644000175000017500000001234012165263510023347 0ustar michaelmichael%PDF-1.3 % 2 0 obj << /Length 4 0 R /Filter /FlateDecode >> stream x+TT(c}\C|@1 endstream endobj 4 0 obj 23 endobj 1 0 obj << /Type /Page /Parent 7 0 R /Resources 3 0 R /Contents 2 0 R /MediaBox [0 0 241 59] >> endobj 3 0 obj << /ProcSet [ /PDF ] /XObject << /Fm1 5 0 R >> >> endobj 5 0 obj << /Length 8 0 R /Type /XObject /Subtype /Form /FormType 1 /BBox [0 0 241 59] /Resources 6 0 R /Filter /FlateDecode >> stream xUP91 $DIV@hK8Sdde,8`33K(D*dfaڭˊi:$VXbm2БJ1&ѹjVßUX3GkQKpdY@(,լ;WѮ`lObuL?u`wGWL`{ '.)KH endstream endobj 8 0 obj 192 endobj 6 0 obj << /ProcSet [ /PDF /ImageB /ImageC /ImageI ] /ColorSpace << /Cs1 9 0 R >> /ExtGState << /Gs2 12 0 R /Gs1 13 0 R >> /XObject << /Im1 10 0 R >> >> endobj 10 0 obj << /Length 11 0 R /Type /XObject /Subtype /Image /Width 256 /Height 256 /ColorSpace 9 0 R /BitsPerComponent 8 /Filter /FlateDecode >> stream xUqBkp Hww'נ AcW1,wy΄e3;3;;S\¯N*RIje*X暕Rk]YgJ~ju+WY} 7lQeSYlmifuly[ܲc:ZmM޶۪~vP;v)5ywVvU}wj=y{5yソgy_p:@uASr:Puaw#1{:8uR?x:$uSԩNKx3ԙgRu6쳧sΔs;<5xpW\.P UÆ~"uKԥ.l嗫+PÇw˕WRW_&תS_n!ۍ7tfu-oUvvu?SuԟܣWw_zꡇR?p#GU=~?m??w?'~[~6bo_~Wӟ|/+O=~w?~[~3-~?]??~{-~[s-?σw?3?]? /?o/fsY/~[௖gv/¿5/+_~[=]5r$so&7g {焫{~?[wj/=5s? v#_{ g)~?{]/ׁ?/K?_pϸ?Bal AU_zz8?Ko|K?Y%4& obUs?|\[-~f&~gPgK}-~f~gPgo~f~gVa*,~3O}׉> _#]y_L2J/,~k{]:z_p?sÿlO_{ş*~?k >_3~/n<O{_![o96_V_~CM??Ԩo&?~o^:?ǻw?}{&/~||a>yO?oG?o_~WU~3 >~K~wſ O>?mg~O)~)o?o?~%G?o_~WĿ(?]1c~[ ~K~%E}~%~?]c~[Ŀ8?]g~O)?-??9o?w~K~_?_3'o?$+~?]/K?-??wş?=~[Ŀ䫯~[/+~[?-??|5o?~{O?oi~%~?]o?mg~O)?-?_~W~%~?]/w7ğ?=/7~K~%~?]3'eǃ?o_~W/+~[ğ?mW?~?/+~[_6ao?wş?=~[/+~[?-??~{O?o_~WĿlD?-??~{gD?-??w_7ß?3'o?w~K~4 _7ß??o_~W/+??/լ6 endstream endobj 11 0 obj 2574 endobj 12 0 obj << /Type /ExtGState /OPM 1 >> endobj 13 0 obj << /Type /ExtGState /SM 0.02 >> endobj 14 0 obj << /Length 15 0 R /N 3 /Alternate /DeviceRGB /Filter /FlateDecode >> stream x}OHQǿ%Be&RNW`oʶkξn%B.A1XI:b]"(73ڃ73{@](mzy(;>7PA+Xf$vlqd}䜛] UƬxiO:bM1Wg>q[ 2M'"()Y'ld4䗉2'&Sg^}8&w֚, \V:kݤ;iR;;\u?V\\C9u(JI]BSs_ QP5Fz׋G%t{3qWD0vz \}\$um+٬C;X9:Y^gB,\ACioci]g(L;z9AnI ꭰ4Iݠx#{zwAj}΅Q=8m (o{1cd5Ugҷtlaȱi"\.5汔^8tph0k!~D Thd6챖:>f&mxA4L&%kiĔ?Cqոm&/By#Ց%i'W:XlErr'=_ܗ)i7Ҭ,F|Nٮͯ6rm^ UHW5;?Ͱh endstream endobj 15 0 obj 706 endobj 9 0 obj [ /ICCBased 14 0 R ] endobj 7 0 obj << /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 1 0 R ] >> endobj 16 0 obj << /Type /Catalog /Pages 7 0 R >> endobj 17 0 obj << /CreationDate (D:20070114184546+01'00') /ModDate (D:20070114184546+01'00') /Producer (Mac OS X 10.4.8 Quartz PDFContext) >> endobj xref 0 18 0000000000 00000 n 0000000137 00000 n 0000000022 00000 n 0000000240 00000 n 0000000119 00000 n 0000000305 00000 n 0000000668 00000 n 0000004550 00000 n 0000000649 00000 n 0000004514 00000 n 0000000828 00000 n 0000003570 00000 n 0000003591 00000 n 0000003637 00000 n 0000003685 00000 n 0000004494 00000 n 0000004633 00000 n 0000004683 00000 n trailer << /Size 18 /Root 16 0 R /Info 17 0 R /ID [ <37e32cd6a7305413f84125d6ac7c7347> <37e32cd6a7305413f84125d6ac7c7347> ] >> startxref 4826 %%EOF cbmc-4.5/doc/slides/cbmc-latex-beamer/sha-example.mp0000644000175000017500000000547712165264216022140 0ustar michaelmichaelverbatimtex %&latex \documentclass[10pt]{article} \usepackage{color} \begin{document} etex input boxes vardef connect(suffix s, t)= drawarrow s..t cutbefore fullcircle scaled 3pt shifted s cutafter fullcircle scaled 3pt shifted t; drawdot s withpen pencircle scaled 3pt; drawdot t withpen pencircle scaled 3pt; enddef; vardef connectred(suffix s, t)= drawdot s withpen pencircle scaled 5pt withcolor red; drawdot t withpen pencircle scaled 5pt withcolor red; pickup pencircle scaled 1.1; drawarrow s..t cutbefore fullcircle scaled 5pt shifted s cutafter fullcircle scaled 5pt shifted t withcolor red; pickup pencircle scaled .5; enddef; vardef doall= defaultscale:=9pt/fontsize defaultfont; z[0] = (-.2cm,7*ystep); % if z[1] = ( 0cm,6*ystep); % switch z[2] = (.2cm,5*ystep); % case 0 z[3] = (.4cm,4*ystep); % case 1 z[4] = (.6cm,3*ystep); % case 2 z[5] = (.8cm,2*ystep); % case 3 z[6] = (1cm,1*ystep); % default z[7] = (0cm,0*ystep); % end z[12] = z[2]-(.5cm,.5cm); % case 0 z[13] = z[3]-(.5cm,.5cm); % case 1 z[14] = z[4]-(.5cm,.5cm); % case 2 z[15] = z[5]-(.5cm,.5cm); % case 3 dotlabel.rt ("if", z[0]); dotlabel.rt ("switch", z[1]); dotlabel.rt ("case 0", z[2]); dotlabel.rt ("case 1", z[3]); dotlabel.rt ("case 2", z[4]); dotlabel.rt ("case 3", z[5]); dotlabel.rt ("default", z[6]); dotlabel.rt ("", z[7]); dotlabel.rt ("", z[12]); dotlabel.rt ("", z[13]); dotlabel.rt ("", z[14]); dotlabel.rt ("", z[15]); connect(z[0], z[1]); connect(z[1], z[2]); connect(z[2], z[3]); connect(z[3], z[4]); connect(z[4], z[5]); connect(z[5], z[6]); connect(z[2], z[12]); connect(z[3], z[13]); connect(z[4], z[14]); connect(z[5], z[15]); connect(z[12], z[7]); connect(z[13], z[7]); connect(z[14], z[7]); connect(z[15], z[7]); connect(z[6], z[7]); label.rt (btex \color{blue}\small$0\le t \le 79$ etex, z[0]+(.2cm,-ystep/2)); label.rt (btex \color{blue}\small$t/20\not=0$ etex, z[2]+(.2cm,-ystep/2)); label.rt (btex \color{blue}\small$t/20\not=1$ etex, z[3]+(.2cm,-ystep/2)); label.rt (btex \color{blue}\small$t/20\not=2$ etex, z[4]+(.2cm,-ystep/2)); label.rt (btex \color{blue}\small$t/20\not=3$ etex, z[5]+(.2cm,-ystep/2)); % for the bounding box label ("", z[7]-(0cm,.1cm)); enddef; ystep = 1.0cm; beginfig (0) % Control flow graph of SHA example doall; endfig; beginfig (1) % Control flow graph of SHA example doall; connectred(z[0], z[1]); connectred(z[1], z[2]); connectred(z[2], z[3]); connectred(z[3], z[13]); connectred(z[13],z[7]); endfig; beginfig (2) % Control flow graph of SHA example doall; connectred(z[0], z[1]); connectred(z[1], z[2]); connectred(z[2], z[3]); connectred(z[3], z[4]); connectred(z[4], z[5]); connectred(z[5], z[6]); endfig; verbatimtex \end{document} etex end. cbmc-4.5/doc/slides/cbmc-latex-beamer/sa-sat-progress.pdf0000644000175000017500000000412512145230215023076 0ustar michaelmichael%PDF-1.3 %쏢 5 0 obj <> stream x}Vn7 W2.)m KzwAVIc԰I{6i[ߏO|kkhnhMw+{ߙp)GHݯ}{#}\*[:?Azc%]y~J tA \JrǓ'='rq~Dx܈`HIBO,χ%x [?F`:8ȁǒBXm)m,ZXKw=u_.Hk {z93⎅SRN)v*qVv '"B`)lK! ;'Zq6JG0,l!=Sm**RMz+Y &dʒ0=M#Ĭ^0U kA y}VMꙤZ`.*K;q] ŠГ?8 J~xs/<(T~{ 'ʢ,eI 2Y˨p#"3҆*E{UNڒJ,K_ioٛ] {URsSM=aRG.fV6f噮9Tmf\. ,VcȎVMؐjuEQPĕ1<04)98J kbUTsthyU,7VTGq,6eY]ǰ06ӮBC7g^ӰZaifc^+J YAX<\`D[nNşxMpWJ+/10O~Zۺ (fBʚK#m깁1 3.嚯zP]T_s|lTyD,}h|y >fL=py޿A=9B/6+D>if!.80$=f>7V?dNd.}[SPlo_~'Gۿ^9؝WNvTendstream endobj 6 0 obj 991 endobj 4 0 obj <> /Contents 5 0 R >> endobj 3 0 obj << /Type /Pages /Kids [ 4 0 R ] /Count 1 >> endobj 1 0 obj <> endobj 7 0 obj <>endobj 9 0 obj <> endobj 10 0 obj <> endobj 8 0 obj <> endobj 2 0 obj <>endobj xref 0 11 0000000000 65535 f 0000001313 00000 n 0000001527 00000 n 0000001254 00000 n 0000001095 00000 n 0000000015 00000 n 0000001076 00000 n 0000001361 00000 n 0000001461 00000 n 0000001402 00000 n 0000001431 00000 n trailer << /Size 11 /Root 1 0 R /Info 2 0 R /ID [<0C40C1A3673B7C48EE5D817EDE1D88B6><0C40C1A3673B7C48EE5D817EDE1D88B6>] >> startxref 1760 %%EOF cbmc-4.5/doc/slides/cbmc-latex-beamer/header.tex0000644000175000017500000000756412145230215021335 0ustar michaelmichael\documentclass{beamer} %\documentclass[handout]{beamer} \pdfcompresslevel9 \usepackage{graphicx} \usepackage{epic} \usepackage{epsfig} \usepackage{eepicemu} \usepackage{color} \usepackage{alltt} \usepackage{cancel} \usepackage{hhline} \usepackage{amssymb} \usepackage{verbatim} \usepackage{boxedminipage} \usepackage{listings} \usepackage{helvet} \usepackage{pgf} \usepackage{tikz} \usepackage{xspace} \usepackage{dsfont} \usepackage[noend]{algorithmic} \usepackage{mathrsfs} \usepackage{pifont} \hypersetup{% pdftitle={\inserttitle},% pdfauthor={\insertauthor},% pdfsubject={},% pdfkeywords={}% } \DeclareGraphicsExtensions{.pdftex,.png,.pdf,.jpg} \DeclareGraphicsRule{.pdftex}{pdf}{*}{} \begin{lrbox}{2233} \begin{picture}(0,0) \put(300,-20){\includegraphics[width=2cm]{cbmc-logo-medium}} \end{picture} \end{lrbox} \institute[]{\includegraphics{cbmc-logo-medium}} \usetheme{boxes} \usefonttheme[stillsansseriftext,stillsansserifsmall]{serif} \setbeamerfont{frametitle}{size=\large,series=\bfseries,shape=\sf} \addfootbox{structure}{\,\sf{\bf \insertshorttitle} -- \href{http://www.cprover.org/}{http://www.cprover.org/}\hfill\insertframenumber\,} \addheadbox{structure}{\usebox{2233}} \renewcommand{\implies}{\Rightarrow} \begingroup\makeatletter\ifx\SetFigFont\undefined% \gdef\SetFigFont#1#2#3#4#5{% \reset@font\fontsize{#1}{#2pt}% \fontfamily{#3}\fontseries{#4}\fontshape{#5}% \selectfont}% \fi\endgroup% % COLORS % butter (yellowish) \definecolor{tabutter}{rgb}{0.98824, 0.91373, 0.30980} % #fce94f \definecolor{ta2butter}{rgb}{0.92941, 0.83137, 0} % #edd400 \definecolor{ta3butter}{rgb}{0.76863, 0.62745, 0} % #c4a000 % orange \definecolor{taorange}{rgb}{0.98824, 0.68627, 0.24314} % #fcaf3e \definecolor{ta2orange}{rgb}{0.96078, 0.47451, 0} % #f57900 \definecolor{ta3orange}{rgb}{0.80784, 0.36078, 0} % #ce5c00 % chocolate (brownish) \definecolor{tachocolate}{rgb}{0.91373, 0.72549, 0.43137} % #e9b96e \definecolor{ta2chocolate}{rgb}{0.75686, 0.49020, 0.066667} % #c17d11 \definecolor{ta3chocolate}{rgb}{0.56078, 0.34902, 0.0078431} % #8f5902 % chameleon (greenish) \definecolor{tachameleon}{rgb}{0.54118, 0.88627, 0.20392} % #8ae234 \definecolor{ta2chameleon}{rgb}{0.45098, 0.82353, 0.086275} % #73d216 \definecolor{ta3chameleon}{rgb}{0.30588, 0.60392, 0.023529} % #4e9a06 % sky blue \definecolor{taskyblue}{rgb}{0.44706, 0.56078, 0.81176} % #728fcf \definecolor{ta2skyblue}{rgb}{0.20392, 0.39608, 0.64314} % #3465a4 \definecolor{ta3skyblue}{rgb}{0.12549, 0.29020, 0.52941} % #204a87 % plum (violettish) \definecolor{taplum}{rgb}{0.67843, 0.49804, 0.65882} % #ad7fa8 \definecolor{ta2plum}{rgb}{0.45882, 0.31373, 0.48235} % #75507b \definecolor{ta3plum}{rgb}{0.36078, 0.20784, 0.4} % #5c3566 % scarlet red \definecolor{tascarletred}{rgb}{0.93725, 0.16078, 0.16078} % #ef2929 \definecolor{ta2scarletred}{rgb}{0.8, 0, 0} % #cc0000 \definecolor{ta3scarletred}{rgb}{0.64314, 0, 0} % #a40000 % aluminium \definecolor{taaluminium}{rgb}{0.93333, 0.93333, 0.92549} % #eeeeec \definecolor{ta2aluminium}{rgb}{0.82745, 0.84314, 0.81176} % #d3d7cf \definecolor{ta3aluminium}{rgb}{0.72941, 0.74118, 0.71373} % #babdb6 % gray \definecolor{tagray}{rgb}{0.53333, 0.54118, 0.52157} % #888a85 \definecolor{ta2gray}{rgb}{0.33333, 0.34118, 0.32549} % #555753 \definecolor{ta3gray}{rgb}{0.18039, 0.20392, 0.21176} % #2e3436 % gray \definecolor{tagray}{rgb}{0.53333, 0.54118, 0.52157} % #888a85 \usecolortheme[named=ta3skyblue]{structure} \setbeamercolor{block body}{fg=black,bg=ta3skyblue!10} \setbeamercolor{block title}{fg=black,bg=ta3skyblue!30} \mode{\setbeamercolor{block body}{fg=black,bg=white!90!black}} \mode{\setbeamercolor{block title}{fg=black,bg=white!70!black}} \newcommand{\RETURN}{\STATE \textbf{return}~} %\renewcommand{\ENDIF}{} \newcommand{\power}[1]{\mathscr P({#1})} \newcommand{\mycheck}{{\color{ta3chameleon}\ding{52}}} \newcommand{\myfail}{{\color{ta3scarletred}\ding{56}}} cbmc-4.5/doc/slides/cbmc-latex-beamer/frontend.fig0000644000175000017500000000241712145230215021661 0ustar michaelmichael#FIG 3.2 Produced by xfig version 3.2.5 Landscape Center Inches Letter 100.00 Single -2 1200 2 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 3300 1800 4500 1800 4500 2700 3300 2700 3300 1800 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 5400 1800 6600 1800 6600 2700 5400 2700 5400 1800 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 4500 2250 5400 2250 2 2 0 0 0 0 51 -1 2 0.000 0 0 -1 0 0 5 3375 1875 4575 1875 4575 2775 3375 2775 3375 1875 2 2 0 0 0 0 51 -1 2 0.000 0 0 -1 0 0 5 5475 1875 6675 1875 6675 2775 5475 2775 5475 1875 2 2 0 1 0 7 50 -1 20 0.000 0 0 -1 0 0 5 7200 1800 8400 1800 8400 2700 7200 2700 7200 1800 2 2 0 0 0 0 51 -1 2 0.000 0 0 -1 0 0 5 7275 1875 8475 1875 8475 2775 7275 2775 7275 1875 2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 1 0 2 0 0 1.00 60.00 120.00 6600 2250 7200 2250 2 4 2 2 0 11 52 -1 -1 3.000 0 0 7 0 0 5 8700 3000 3000 3000 3000 1500 8700 1500 8700 3000 4 1 0 49 -1 -1 18 0.0000 6 165 435 6000 2475 tree\001 4 1 0 49 -1 -1 18 0.0000 6 195 795 3900 2475 Source\001 4 1 0 49 -1 -1 18 0.0000 6 195 600 4950 2175 parse\001 4 1 0 49 -1 -1 18 0.0000 6 255 765 3900 2175 C/C++\001 4 1 0 49 -1 -1 18 0.0000 6 195 600 6000 2175 parse\001 4 2 0 49 -1 -1 18 0.0000 6 195 975 8850 3300 frontend\001 4 1 0 49 -1 -1 18 0.0000 6 195 570 7800 2325 CFG\001 cbmc-4.5/doc/html-manual/0000755000175000017500000000000012206365330015040 5ustar michaelmichaelcbmc-4.5/doc/html-manual/cegar-1.png0000644000175000017500000007330512045177247017006 0ustar michaelmichaelPNG  IHDR/iCCPICC Profilexc``2ptqre``+) rwRR` ``\\yy | 2 U +'300%@q9@HR6. r!+ v.z H}:b'A2 vIj^ʢ#ǔTbϼĒZ@! A!ahii "q(v!( cd2f` G1G)I/15C}}sïPo pHYsaa?i IDATx]!AZ [ -R\/Bp .] ŋ+A8 ɽ;>swVfgvvv_~%oBe_} L$&ns }Y@y0^c- y0d[/,᧟ _w}ݻwx߰^{*1ˆߤN ^zRɟ|pM7k/L9a W]uqo>zk/-qYdO?o1=>lXx+|@>SO=utM^-_ǀc00|ͰKX&x 38A J<@۷o9rdX|Zh+ '0 >&^{C=ha7l 6Dy|É꥽-qpHEN@} b~z#*+bAC)?ǀc{10>b4_'&nDbs5Wx7OD>⿉& &kiQPS5'p¨HH2)Lp?iy:N}]vTv•ޣ"Y~|+m:8@c`|J1ICXA nJJ8 0&zKBYbi G5sy94UsAATwbϡuE$Lb~É'?o5}gy|C(XaKp 8] gh0ٳcJ8ZyySxmfgBC5qH[wRewްZk8 A}!8>JF( v@km9Q O!փh{Nh%l=ܣO#)+yc1p t&dB[oMkԪ b\ [6?`v(ΫGF y"Nzc1PJ(ɏ $?x3y$Ew"mY(l2ic6r &lnUk/}G/pUO,pfv JO2i1n'JC\w '8a2 GE bu_6fm:\@r/SMOʖMZ^\"!7D8(/fe$M'MH@!N Ӂh6X˽H1'C'a?{0[#`S|_ZG( T( le jphF (| 8& SۻeIc'0($㥗^&NDqJ(I9oL>ؗbKp Xܪ'PKK^r@1P(DSYbs(7}{7 Dl#rJ!!4ֳ#߫ ({Qp>L}+:>=Ŋ7  G@+b{L't*=V!jˍ78dc^wN1 *G&BP: XTPp@qmE箻2.2nLnNZs($Q)a:蠃c*߄ԋ x17=SiHq}EbS\v|p\Âz~;k3Fix[ #lT (pMpL䢼1xQd_x믇UW].3d=&6~b@hz[tE2JJr9v- M@|}K]˭d34[Vؚ(N|;t?*">nV@qVO>o3/AbD꧄ O)anI7_769+zZh!3գB~ #T_OKHA .A}' QpLr1Al^ q&W {rLJr)?DtD(8PݛY=9 ~?lmYpl)((?_@%a:J{L'f_򃲠xX||p=DUgJ+dd|@ }gK-U I'kT\z]??yw߆7^G)Xug?KI9(WpkM7{(wQʘ;uMu^<Wɋh?XA 4T*A wfmHW?i "Bզ(V9(h^#K%uM&u\V[zh|ME\l;;찀{5VL.zTXoT϶;10殃,E Ul&PI#},]a~0poճ\uPVy ܓ_7Sѓw/WӸ{tM6K˾HeJ|4k^ Gn:kK:& 5.rOձϓ0p|iX0 ǻ&)N>"|eC G1@/~Gj-oǷH~Q}RqT&m wQ@ea/ |"ph> ԭJxbqPχcBt8TNݚM{&cTjҔ;Jlr}%[b\QOMnP*[Ce'z#?7JQBR/3Gi :˝.r3?䓛]ϨLq4k Oo5jYp MB-ůOzW / +2pqWZɟ0z "D;aqg"Y}z?p!!C( x-}-CGw_Ơ>1oaȐ!&JaYp:pM&nu&N$g0Ay.,V(,*h1sv'?;(lkNSj V@5nL@I_“h'OT f/Wgr\ _[Y^(/dqûKy1@{lFfܦj*Olz駭>\{aM6 @z2za) Tп0-FpE'5 JG_ӷ1P ( ->L@><SN9| Wah} \΁^Nkߋ _lq Guԯ/+ SJ^;/VQH bD$\ec{ Çy& E8t6K;w%р,PRHq (?_eq,ӿP},.+`СB1=+$ r4LK9`wy<47 `k F#iÍps1Q vv~!h1g^z%Sm'>L@=7 쳭q"Dkp'x-ԐH88ڂgӶPq3`5)31l)?[m&SD X&dl:7 {v}w) /la|K'x7+XVBY"ɉf8AN;͈ "~)J Ǟ&] Ǎ@VD,b'cppp_KW^|!λ.D-s @S% ?MEw ^p mpV4ӁH|k p]xRO+(ĀJ8LX%Mqsy. (MN9)nph\se\>0y&> (@D|'PMjh NI8 zd?64-C,'1SA pgi&p!px&&eJ!w*#/Vr-F Ið: "Nfd؛ZfeLxjٴѣٴfB<-{G8s=zچ~ `QaCgٯDIw.Li_W8 N Hq=.+QQ2FcSeRt T@CdE fpp "VwppRfA`TJO@0 Y2@!"8&єcS2|#a`L.l>w5״ j+YN#N?pI& !Q'!Jb\CTㆬB;ԟ~G}jun+b\p^ eQYD_GHooV8/%7<7꫌qMG_K|X*7eDE W^ ^ (O:=_:8 ngEد_q`l{ ƟɁI `3!jpmN%;&RHqqc(1h ɃYBH#4nt5Aȏ|j RK5⑶ܔO~J/uKæk0o J[Omy7&5]qWrOgxI;_o3_ JXөx {C\Ƚ\U S/^雕,lpskkxg`X}O%&w{S<͇־` !B3ȯ&%lq sגq Ԃ|KF^ iwhHu&J\~x-8~v*ߔWi)?Uʣ[Ƅ S-0u~5J 'X/ƚ5!w1r4A*A#LqsEؿL0B Us^Lc !(yxv dzE\a8ID eZmLɐQXaܻDxLV)mƀڗFp}׿7va( kV7!?qxN.nKp`"fC:(ԏ%qNJ=ya-瞳8`|#"oSaCP?~yADŽ&6Zp݋1*I`@آLK`Nsgy Ve3v= SLi=UBXϢC$bB`BY 2 !ݻw@L,b .9.D!nKWH"E:XhjI/֐H@]qJY6ZMA@㽥VGq *ؿ J&WVG}&N:8"3!Կ%r+?,yCdВIB%-a"?TSwy•8iۡ1 INC8q1;:}' HQ?@b?Lbq!$?@ϱ(@`1VL n>{)msl?Տ+9 _yb8}5V\O=V "i#姽>b,T @P@ ?W?!-ɇ$IiF֚qSH5{db&!*Su'- 0"Bl P, ŦG9RFmh[D{ - ܏rIı,АW7@b23Fi{W,t+ġOCC>;}qe!5sI} ~ x2_ߤ!&? oسTn1P1B w߱..+R+?#R`baQ9 4ץwDr'ZJ[+SK$wvN h/K13;l%}ƁSbO6"4./$HBHn>~iӾp{]J:.S @]4]IÈN`S? 'v N8ʏoV bɇoV)n +Bx]ͻnҨZƀp^#}D}BO' +E(WχU: N8@=c, %lby@ቒ:CS8ӗsO]Ez]Jzs[y0xWZ򓿾y OGqx4S| W—pS_(Ӿ#Q\p 4x/7}/ G+%%ko/oݭ(~  |해7FO{ oYWw[ Wο[>ZTF~pʓ-¢P(J8Ls=hT6/86o!P / e>}XǘiR8z 7Dh dW-a%|sJvqĨ}NyviLgr_8"H b@?h+k<h{vivr=m U4xJA־SDWLȭ9RB2aZ>v*%N8ԬC1q6BHm)%: ip^n-uaDIX*Z@r/ԏU<"Uʡ&{H;F~1~ mY>G<W. Z#3և bZ_kz{1P=%u4,ZjNqj_Àڡ}4vlx=Ʈuծ}N1ϞVQ~pO (IVԘ[B7ۡЀoJScײkjז>'I` ‰R״UgRH Pr55a;fa\p9F b٤!xسĜZ\e5_}5 _)Oc {(aD-/+{GZBP{:@c`@sRB0y3Tα+(oO-W<[)q˅/疖 13v>e/~w|(2Ѧ'1p T€&^7yIh:&4țoA~)LG/ ϡaL& OzD& 6ucAZ@L - *^fw(qf""w 82,k=hGM-?q::`-;հy C_ZNô,"dqډ-՜ R\9U9z ];1XKbsg۵!{;<*繸|!!";AvgfQ%Ƿc1~) ,^UW]k79X! 9,Z^K'Z@&Ž,NYųQY$_|YN$IxXPH_z1;,ee L7gqK#$fQ#{onheqO-vm- /^k3OQ)ҢP f@ 4-Y4o{ q 8wewe Wk>O "L#Fd;찃qg;S Q;#t6x?CXI?^Eq\ ڻ+z̟p oXa^@BH/rV"gBiE 2PiЈ-up 8% 070op}N=0s%ɤk5:j!P!"q;>"=s称s(` q whI䈘,]7yql5Dz q( p@8w#JBͭՑ?À n=l8Ly9h?& 'D<$(RAVrOPՆٳDXwj(L@NԡP8Eu>̈D/c1``tM0(pмbGZXId"ai{)mIqY|M<#]84/WD>hfs! S_}1p Ԃ&pц@J-*,sZs5ͨ~YgLcQp{\vgtIq/8`WV!F裏s=iq qamy8%U@p 7 H&&pԝ 70f. ַopQGQ*= ./Zϥ^ڬE  awxbCn8jQ/D0?qvZ+W:_}2[%m5vPV)h&0ZB;]$n[A`}  wt9:V# '%o@ꮰ/T)|KI?o~#*N9Ģ#-(ǀc1P pIls0xՅ?GW:͝Bwl,5WroFb2U $XǣMọ>SoO(Qp: rV+p 45-j6#2+G-kF;Za1 [}oC|gH3Mxw)^~ :*0 r7r.]V`D(c1c9b< fD^U?+Ԕ8Wp E !l H(k eEBdFO?[hݞ0 5d/&P fQ3۷ SP/c1P 9DYT5΢IRǝD[neИ'%x7wjy/^XiF]׾7% ýR@!wPKNBꭑTp 8r`{c3HXCªb4yU~.)a\ 雧R8׃x)qHsJ= B@6ؚxbꫯCɑXSс}$?(Y?ǀc  op ʸ RV*GAE#YҗW h($QR 2-'?:">/bXp 5c@K,aKRu t5D(@ViqBpn>;18:p=@R5u$T`ȏ8DǓ_K( :jKa\ Zq=nu~oO(8pݶ^"($Q2O]Ɉk3.%\?NAxjve1,dC%¯:3y6^-qzg] }ڣGjyi()~[4Z-­mZ 7ܰ{`D6묳f- aE qPdMfJ2 \rǘtIkZ zЄÇaoFjw|s'5\cw nk_2.UkX1(dՈ:00j=4c|^yaСa/vqԸ!kz+bV jE}s-jYO~/Z<+& }'-)qRHGMA^vm7#HyFClMZ~JKiW [͏ -P5TR,,}'̘P7jS(GPF~*3O+|[J҃kE(Pf+BcD i_a]*u~TCud P_:#cCTH ;0 0j)i嗦J;?7Bcvd1xmH)HC2UߩNO>qG w;V>ITζx9pOcWwq1жԅJ{ޱu:d(ȵ |\}HL2$6SȗELto~gW^yň;b3̥\{FIK~8ZౣT6I[S^_~ڀ W_}5*^LJ[3K0HO=4kJ 2²_h+ԧ!P;{1nЯ_? $bD b+"1T`|ϷXEB, dYL ? !6Fθ0zф(lrVUx?CXnIܸ Ǐ=*%\2΁_ĉC E"Fs9Tx K?*\VX,`S>p矿T“F QJD+- ,Gmil!HˠwllF2rP|WLBoYP`"<(9; nn2Ex& (3h?^?6}QlYgd?dOS. lymƈ%N!RcQ‚J +;*N$]; ȰE߇#?FDǛma!b|P]s5?03dž9 , bh^"t{ղG}1ݽ QMptʶA61S Ed"q+NE#RC,va#n\d  i3 @¤oMl \ɏ!7;XQ cc'J jc?T'i͓1!I`1 :О?@f/[n]%=#M{;0Ըc8a"QԠғ|w}11)@ PϠCD0-2raZf%U 8%C u(&hߓN:Wp,(BhW"S@F/446ph>.Eп'g bo!~pbv %=!Q! a؇b+ъKHw=l<][oEQFŤ{ !H콠'D:Y!x"_~zkBvaF)#!c `fwΞŞʭ2$}N@gOi\֚# S'x+wT=^G,U{총V/}wg"#2M˕Ɖ+,[ޢ~$pYDZS.E@Y n;.20|o h'rT/E˧o\\ Y8S)R8 ʢv ?,b9qqPe0'Hir(>h/8 WF 1gKs<_wSN18c/—s'j+;V$qu:K uW8^Mm˻9qoDF6]45tTzc1LmHN_LԜ 8p`o[ZT* ~¦K˔k)-k;DQf4T<ؚ=l1PhG(Iᔰh G`cCx>˚lޞl:"|f> Tk+Al JPk|:Uro7cZ\=l"GAwvZv~ 5Q(:p~᫯lV byfVPJ3fepÀGd/rGǯ-9O\x)NkXqT rH7Xr4& ʈN+1"[fu} \)p]wY7J8`:&%d,& Ew#vmÖUla6U} $Vϵ`B`f6gr_(ACkH{p?r?Ŋ=i v*}"=Eza+M9|%%̏ؠAB~l " !BL`1C_<`үXbr@KNxDw n@fq{WMR+F:w#.F.!b2Ц5dc ီ&`fA4ܸ(6f2WZi%\i33QPH}8" &oõ(]m23h2 Cb#?MYiU192fR` :G}dmXwƍ?[Fȭ.p)` E :}d~PwHNHVURw 9@b[ric(4> Z]$5XpjS`@BNC<҉= BK3!h}DNo"θCw}CD nXwaxDd ť)ˏr9N#@ )!l,1\!",]Zt "~!Bi[}%*&Z5i ƻk-d dlC|8-'`p\rIu.OؗbetqǙ(KT["?]h!;8oeE܂& L@B>vƉpp{?(^lejX`pdA! !l@Bcc L'A- o:?qj0<{FY|zq^ZiвKeP6`'+v!b !aQc"AdHdJHB׍ed*CZh5^s@b*3)eIuO뙾+ i">>1 }Z­RQByARo-[8l&~9F_ÝqOQB1\5ߴ-?ĺ%15G㉘)?- Z'I쑩<;u,ZqZK/v>]޲S8pVne#ұ\ZZJ6^4M#}W:>[MʊXZUi>F,tw-mɇKUh 0ޕ.3N_``Pq0q+"ÍO;ӄ@G_t..A坦-w.|+ZTZx0^iQ>q=mW&}Ox']¤qNqFxpGp{q$@5b"-@F<&J5"y r#ZޕV=FO4iSܦ~i*[])ntpi= hbsy[;T:ȒhAU*h ~g gXd&fPA{ } >-0\8F?;!fn]£>ZR#odӖr9&?i:HڬIڃ.ð,(5De B@{oh !nľs. ;EP0k3oX"wj7]Px T :7Fwõ]뎲|j=O[m*˯;WļO>8>Σ謊OV;+}Y&T} iE,$<pp-\Q,f)үq㡒Sn,AKq< ICc C/Yl}g^us\]*"9"{CEe=QؐDơcO(?qAguāq^ @]Q N]N}#)`Y \MƵZdppQEsEm-WEcsjI#0kΘ0?Yށtsz7Jrs?;<f0eRkx=Nmevt$l 7|ӮFćM;WFsޣGtxY h=v }ӶEDGӧ$^Jnt (MVLm[B=>`04y+Q@a$G/{o9t0!D=!4 ^ XX/GE4)DKMH:ǀ:o%ELPAGyI+虔heb":7O8/ əV vک: w%<#GaÆ>N8!y;?4 88G~?.uǍ4La^ e8[R@: ⟎p]a, h׳Oجׅ\BE|&`q3IZ@MԚyr{0EQk'|T9ISN [ɛ}2#D}3UHNK턑8 ANc1PFP)j h2Փ:3>nDF"6i tMm1lfΞՈ]zÍw߱#?[Y|I:qAׯ::m@څw&jMmI:ܚzAv ,Y,ŏ?xjȋ=\1{S-饐=}Oc1бpԱ` %Teq"ne9+B'Os \""piIp~uPJp t (u =6`@ ƒZx"СCJ *".jC9cĊBc/d/w=󕔻a-4~8ûkQy~vU:zʖ#<f+_|a h 8Qjnzkna|j j&h"I%0Kd /|xW_}l ?;]\~ 3 ;oM/ ofWc[ 'иUVY'dITSMeiM-jYf1BJ@H1$p$ dBW^ye8Lv袋4L6h0S~:Kk.#n7xZqB$f3n 7l0#*s9gXi /`aωg}g 6SL1Ex衇JDQDc 0D Y(Wa]v wqGm‹/^/n뮻n8}ga_~_|I}v0 '0.wआ>裰kaXN:%r?ꨣ+b;41o,Mt TĀqzSOfa03ھc =z*?Q7lC {キAKn3G#:[{èQ;q>"$׿5;6;h E AX 7r-Vhf L̕7.D0 $p1^x3!C17MHL6dO=%\: A`F]tѰ+_ߞҘ#CD(@ +|C΋!p)SZt 4 (5KK7Y=t Hp9p- q@&nDvoyXhLSOq@XAD!{-J~pD"vF~& gVʈPJӟfĀ՛Έ J:Pp@dQ:ÌKA=_|q㢞}Y q}S>},?P)DK3k(6@B\D@8∀rۇs 4Sjo!PFEo}ӟd׈͖]vYgAX}jгgpM7Y\8*Дݻ*҇R{W_5h= W\q8 (ѫUs2hv 8Qj B Lfu*(7#FԾ^6l3;"{Yd#.">:>E F|w[<\T}L zO>1T\}Y]<+{a!$6lV駟b?5.p<7b!r!f)a族'? Kx4 +{,wq8;8N҈PX@8T{o/~(}' P)j~bsSXzpp 4(5[7h}{D 7~)D!u/;e[+POH`R[q &tAN"L^ߟ`R[q z%DyD6J=o@ób9@cR3H HLgGi9ݏ'J^0 U1Lk@q !l6Z3T3 Y?wp 8)5N[6tM#7h 3ϳ^{W1ЄpԄ^OUK[(qS _24?@C`RC4csTk\]5Z:N붦Rr8hXs5͜_;% 8Q*_]C}N 10pi&w98'JצMQ#7Ee&€SբhQ \u 8`\[ ereI߫~.1 8Qj )q *基^ɿ? -Mm/_v@F˅_(^nC擏RPSN3τN:)W4w 4(A+ KOݩV/?U7-Wzz~au E&R4MYΏCiWO=TyKӰ?MWi/ rMarS{WR||(d/,PFÀ(?`5jT/J9?|7$ĬG~LLG:wqG/ kҦlaō4G>ߗs`|%Mބ׾e_xJ4GXpIS6x (w~堬L9 ǸO?ԂNھC ,DMo>%mySGpp 4@q( dez=3馛ez1¾^zi{Fao?묳W^9eYUVY%{J|dz^ze}w^ vmAva +EM34Sv=X88IfG={fHjoZ8q/N٣>j~e뭷^/7zlv8gm]F?fs=wZkeq |?o,!ʦvs E?뮻<~K.iOl-,O>1x~x)ix≆wRK-92;2_tEK/E;~g-o~3_7+8p`<.k/z+:b@s=gEqU$WF(jO?}69 . '\sa!Zo&ɷ~;BIx4Xॗ^#{g-vSV&cɘoIyxfJ-pwf oIaVO>9Ovee# Z{{xf[l&9 BNq&܎|y,r;Y/8IEY]H ±@\G;8FN)g}웅Dmذa^M7a@_p/\Fz:_o=9N p"JLLDZS\&^&>&&oT3V٤+d /p9pLeYDp" ?BEKÍDY=^{nH_,Éi"LԂs9;c=8W_}R .z뭳s9GƪE h!CX]#SR'o=6(37CYi*"gܨ?u t+i/ڎ98P` ž, .\g3{;0 Zq)^$M.c%L0=6Ҙgyl"-/&{ cc"$&b@qo+L16R6@RFTz0㟂&qx7I'6lamP"7dO L( l]xr)- J rGM׿B&駟"Ue]J8 _@y9x[}S@vOa]w57?88}WVd"ʯ2!2q߈M2.& 'jKƊ.(iwC@/@&l2:&dtJ@D@Fq+]wdJ\&VcT0 2O=ԥo^L"nL/`W#r&SO=)pW!F ?vdM ܣ2H!*dXv< m;ܚ9ʄ??҃åLԳGD`FtK ĎP@ W+'](Mqz-EVК6c=6/P]:(DaO6Q08clJ~GQ4=ВsZd@ڼp'sSF+ީ ;6|3dlG^ICr)Ǟ^aُ((Ck>0]"Oa8 e!\Z^8ܒ|_ڃJ)؛BaG>"(i[ɶ9b LpIP'N9Pp r^eCHrNvmZ-ؖ%,H - ˰L-0U>yVeYO EŽ)= / ;Aq<M2^eg%v2JI^COJ<:">JW=vgpP+M-% ¦#X,,zy@N)Ԏ%wzV Ad{JcDPNS)^ ^z*Yϰnk^{ˎ3=<^fI=쨤D_JtǨCߗ˥{£[V&&{)xYJܰy<k{ۍx0cl:m\Ġ4PJ~xL]EzSGޛRl6wgEeX`~*v<[`litzA/ Б(N/x[[a^{O>x<.S&!8u~Oc|AGie da>1); if(a[middle]x) low=middle+1; else // a[middle]=x ! return middle; } return -1; } cbmc-4.5/doc/html-manual/refinement.png0000644000175000017500000003467612045177247017733 0ustar michaelmichaelPNG  IHDR?F/iCCPICC Profilexc``2ptqre``+) rwRR` ``\\yy | 2 U +'300%@q9@HR6. r!+ v.z H}:b'A2 vIj^ʢ#ǔTbϼĒZ@! A!ahii "q(v!( cd2f` G1G)I/15C}}sïPo pHYsttfx IDATxEǑ JP ADA2 $,^3((9QsT#|?n>q>]ٚ /=}4|A@")8 OT 1'C  'BJ Og@O|A@(π / )  }bG~,,Dg, 7.xY>Y X sK#G@xo,P<@@x`ISA@<-e =K h[, XT,DbY xD `y'ZA'z4# sƍc= xϚ5KMWxC!q<RNIK6mrsܹ۷Æ 6mZڝ_GZxwzIxa6m ҳ 9ҭ[cǎK;ğѽ{wmĎ{ر_^j t. mZbEwK'!?@$Y&%eÇ=yt}vI… њ[*gnȉq҃@xxxƍ_~e=s<#?Pt%}*eL9|ժ͛HAE`Ϟ=s~w)ZR},XXB t_}U!޿ƍ'Z7pMBS84`( s#Gctҥׯ|[ZdZ W\Y`[ mR`SǎQSr.;KΔ)Ӑ#""37{Xشiʕ+)?~#~zgʘq/n&WA@e4fŜ~qC<\t€/˟3~ 9CI81v+dOq :pj{{(O/^|*ViĥZ„2Ё[ou۶ ㏋/N2e  sXiL${3})_< 1CƌѰTSq RL3fL)#Q [hsG>FxeÒ%@kXNd d.]",THǐUqsu[\G}(w}֫W|yD3f߰Atn>ˉ ݤIߜ8q3Y7f{챟O}_Ԡ/F/] }AE9M4rx'w{.X@Uk\UxYoߺ墥\RճgO5kxѢmLj+8rvxŹQKGR?[Λ7lԡ{bŊKX+YLs ۵s'j3`}AuzKY,+[ٳX ̛;wǎ1>~/s>&5©cM6B6gΜ#\Jƍ#6riK<:>:y͛j_ ,Y~ڵ˙#p̥ 0eԪYT4;y|ԓKV1OdVz="n@dࣾIoFD_pԩyfΜ(7[Tqܸa>YdFaVʓ'޽{q5c eJuM.Ӄ-VV oLf/6ש[n`ŭ[QG؝఍3y|R)\d8;.,cs<.\XNxbHGPtw8 ~f_ h-[FI߬( :LUiCf Di>b>n'2"?ѣbJDmtdz7:Py(7;͛6ugDFbVQ \N_6ɆбXktHlB]squ,\M6Y ҦM+UΝk_/5Dx[\tIEsqS_ګo&qCo?N79zor1 Q[^(u.bi -q f(&>: ` VpEb)qĽ('xOSDcV=)o(4kڔb4xC?D_GƏG~IDf'nHeԖ8cޒ8Qt"W&Ox9C;J7gfX۷oAmJ$={[СC1Y޵\iQwƂc9s.>&obdSUUlTftFZ|VCAZGPR"౜hԦ]'6 lmF nuz AQT@ ,ւ|%mHrhU2q6ȧm6}V 0|Eش1ODj#8o67nޮ]3{QrޒA1O:b qvb\5W!bĺnݺct_`IPń,P6EW(}3vD!"hka5GIL٭v^=扌Ԧc(̬ٳ7|ذ/[W53Jw60&7'#̞3>UT b9k`hSsŝ{|u4nL-ZaWAB6U{_֩O6s6fOLy?9Bj ?a->cJ]KB(@ (U]:ujz]nsJ":4o܆>V0D*1oP˳ic .|/sfc#MHBV: XqyI(Ik#ڐN);vhѼ9[dɐ99$BFi((FrH<+/SVӧ#qs2CaNX>;دKkNeE?ˎ RZl:v蠔a7t/ $ұ}vĔ!)Cy ev_~ɓ'hSI,iӦTW& gnP%|@ry 6@l5 I8͛X:u.mZܼ}XΚ%iF) Ym+! aGJ{5X葻v҈(G._#^V-Ǵ~vD: 7v8r06{Yr% Y_J>;F8ܒ%KeϮc܀X蘶k1TVj.*FtĜr5 +fxžFM!}y!x!$#=O}6 6E}3m >Vv^'MTċ0:FM٣:ώ8ZH,gҥDEfck6JFi0@u2JG9(]@[L2%w8 Jhk |\ vl^A uCN9^빈/tX-[&Eٝ1Ek-ei#zŷ;{FȐx&Ӈ۶mx3}hL&={x&E~Q]mիkн:i_Mb9FicZ(~h3\4K/'v҅zz)fLNڴnMJoqK.4o8tݑ5.mEt#n*7F¸6/,ŋENHmVvUxeSW?62}83yt| Qq޽ 76@ssСk`_Fľ^j@ԩy~믾2 ʘz~X6r!:mr"j+Spi}ٺu1U|*Zρ~q 9ٓ D!@3gμe zl+T0ץK5s)b;[ ւy]S(w2mK )溽\U@>8 1Ѝ7.5O>+Qԫ}ĉu$Ib[N`k#v3fqxb֬Y5}l3fΘQX11&uX<ND&:u@ςv"w$Xx!97^<#rTO;#Qn+Rg~֩[^9Qs"ڰQ#ÖgQBDƑHeEGL2i J}ܹʩ5R'8DS12 A]֏1K(-/D9 .R]x+_x(K6sb&Ą=ԋErg̔@f.=i{kUQ9z3J{4Հhx&MOaC[tQŦ'^%$J'iEIW՗QJkvK^Q+WHOO0c'sfϞݼsc쐚N-UUefcRiQ+ &A"8?@4ɿb'O_ND%/(c >F\Y/D{ɗ?tF`|}^-9R'Lߊ?oJJA,mCիSCǏSpFd|y)0x"9n&%)R%XVMXiEQLb|4zyj`mSƌl}t\ a쥀Ds $\VNnjDGIn,(@  ,,L^;\}4Tg.R9N%:GC361:77 YԩSJoPH Lf^k ޺yQtF͚۸lWCO\gr#f1| -GtFd|vH$cƐ!BЭ[̛79>HeFiޘ71,8D3Vv^J~mLؙ 4ۚ^={*z$ƍXxĉBCf$J",ӓL!#Ş={ΝO2jI鸘/@$zYڳ h;9|F-s8թcG8{С!d۵x5 ӻnWG;?hPH c[CGG v4JАDx<̈`"Ɂ/_Ojxy֯(; K3)IDATϟwFz%6y(w εfhlaEv[q`τ.< 8-_|֭DYOdCE' {vڅVI(MrС.=ƨf=( 7db vH0+_OP f[;T-&Ľ۷/G $l- XhQnaa>OdZI>1g\Z0)C Yx1OCſ;r\# hR[cjX&@UbEz5ea1;v4lN=} g c@ CDztヒ&SՑQ:IҤW^5uVKܵnf׮aƔ8hҸ1@ȉa;wJфI-όXN1}{(c;|`. ԭ[Wlٲ$_veJF4oVM_l@#c`lO0a۶m1U~dV uWj޼9ݼepⰍT8Z9Y~߾C=amc2Jc 35v&F؎Xf9~|:Q )4EE'xB\4Ό[P Vf,hznڼYԈ6)':xifJS(L(cRbRs'4{g]E /ZRR6LG13/_~)f[hѵkĊ 7dY˖ e^svW!!6X[$DuDmR`^>^J}8*#@Q3}txnǎG<.2E vލTOG%fQj5Xϛ;aqƝtQK5:y"#F֭/.yaQlwfmtJ*͚=݂ ׶m[3 y ~QڦM l 8f<8U#:1LV(רei"SNT}})R/6rB?hO?}۽"*/CDM }_~1cF=^D{rxQ:QD;wѼ(:u뢼ĴUF\SEk 7h1aC t"ֈwJS̶,Y⟙TNo. OT2JXla DێLn$<(EJj:T۩5ڵoHxe3i DgM&4g17ibNVTfA!`(B('bRs) Џ`z'w:kk@DQ)" hb. a>H0T~7(aOkqc0T-"`&Kljr}4_d#xr,+EՓ3G%p8p":È=͌)U m5Qq^x=PѼu(IICP)nѢE;l ~<N}2BdB%r㿞=zaC$K*]ҔJ-z1Bx-{YCnݜ h>) hFa$igz1 9FM@踏gg,6 H6mbcǎ!koZnҤIկR0o:t4qd䉸'K,l|%m68K.4]v=2E3ի Q^@i2 <ժW΍a$ayK.ÉÔ,;SoM(:yb98$I2v 2دQ33nO|Hc@)Ո}<y%Q禓'jtCVڵjVZT :w&SdɻIyB^ak eX@2'-VLb?9X&{1dɓ{+@} /Fy-ˠ }JꜨ& dCuJvN>ݦ^rҒ)cFl7IPq3қ7s n!'UX]w@7$Gr4*5j$fOFi< '⴩S'M13&j/!90cHb$DtDJO?%/f 4 kѢq̘4 UltȢ鬁{vl 6P0<$| Rի)N,%zW̘49s3FyyiѤ:y"!hժXѢ%~XԶѯI4*/ gXqj"*tDƎgW7nܘ7GUu S8M>.9$Qй@|uގdf\)Tب X")]p<:9x>Q1 qLihҤN}#""m4W^}aRU"V-ʕ+,PTRޗb|E]f #G*VU11v]:u:suHVv/*zt$qF 3:gΜԱ[߱cGyCʕtcL 7O-sfD{2XŋyO,nʕp6mZouE. %sk׮T_a _t+-̸^R++T$qb K?zHd(S3A4iRBgbO=vR. .1NɑQ-c^)R$#唑QceFa߃'h0l# %xـ+L:MžఽTz=jٳՖ $p|ƍ۷b^BK) 2:+VC@iζmvIXIrebQ_͛;wǎ1>~hye4n^Q¢ kW”qG)n%2CA@!ODW3B/]"xR/@@ O6oN*g>tHH Dֵ[7jCBBoA@D<"+̈z B sA@E@}_ X VA@"(AJOݔOA/VB@xEE@x+ $.:Z۷-]wvUD@v(c Otȏ1bwa˖-.XlD=z:J BDǀ`UVU.o֭5W'o!44tSkV@)S^2LD$qղe˴pIlsԩҥKqz۶maw`FxHr8IzK֠aC"5J6<^Wd*U \0u딯ڵk׹s甯+U9cR n"`pDԽsG]@Yc?;{N{ ݗ_y%Kq!xkԩm8ɒ5X&[} ŋ6L]N˖-SI|/5.mڳOQP{&O̦Ҫ_v;\ӯ_ʕ+9sE+bNɭG+3X^7s,Ђ MvۦҝTt剳g0` qO?!i>tR soݺ5ƛd(46Wf˖-ЖAwؿS֯CѣSL9~Dܹ;}c{AnSL<֭['vl|5kVDDݻw]<s4,n݊H֬Y*BǏ% 'O'OdbjtRB8j[7o0aCBtͯ&Hi{}Oݘ⇲L NJ]Lw\2\4%y8q"ήJ;aDcƌ)5:̎zdF*gΜ١C 5lݻw mFܱ_ )`|% | RfM)"!)]Uܟ5}[n0+?z,3ɛ'ӧigiSF}گo_ J#A\I 4xeϖ u@LR2Y WUꡬ'R٦M'g=ҌbέN( 9*Ȓ/[֠~}Dڠ1Omcm"XBvKϝ?I$Q&ujz?_&OFNwaXʾ[ƦsdCVgȘdbŎ͸Ԕ-WnÆ E#[;H9c@.XtvQN$ʧI&5kRVlL>V-gΜShMphiou:S%8J 1%ڷ_͞35zIF}hBGL>ELq"Ǡ˳V"q CI şZD̃uRs!R꯿7x:.=wz# e 9nI&U>ol0fժU0=N> u3V,rl8BPi1k_K0{H7o@t26:]+Z4l|6pI8sH}m"qqL ϝ={= ՃTX)461 7EԩSϙ=^y?85ΐ!C޼yG;v@>}`bn=ƍ,Y̛;wUx8:Jw\|DK"@ZHUH @"^m 2}j}6\+^L=W*mRoߋ\EO])`qEAUtHJ^(AR>RS#^"

CPROVER Manual TOC

Hardware and Software Equivalence and Co-Verification

A Small Tutorial

Verilog vs. ANSI-C

We assume that CBMC is installed on your system. If not so, follow these instructions.

The following Verilog module implements a 4-bit counter (counter.v):


module top(input clk);

  reg [3:0] counter;

  initial counter=0;

  always @(posedge clk)
    counter=counter+1;

endmodule

HW-CBMC can take Verilog modules as the one above as additional input. Similar as in co-simulation, the data in the Verilog modules is available to the C program by means of global variables. For the example above, the following C fragment shows the definition of the variable that holds the value of the counter register:

struct module_top {
  unsigned int counter;
};

extern struct module_top top;

Using this definition, the value of the counter register in the Verilog fragment above can be accessed as top.counter. Please note that the name of the variable must match the name of the top module. The C program only has a view of one state of the Verilog model. The Verilog model makes a transition once the function next_timeframe() is called.

As CBMC performs Bounded Model Checking, the number of timeframes available for analysis must be bounded (SATABS has no such restriction). As it is desirable to change the bound to adjust it to the available computing capacity, the bound is given on the command line and not as part of the C program. This makes it easy to use only one C program for arbitrary bounds. The actual bound is available in the C program using the following declaration:

extern const unsigned int bound;

Also note that the fragment above declares a constant variable of struct type. Thus, the C program can only read the trace values and is not able to modify them. We will later on describe how to drive inputs of the Verilog module from within the C program.

As described in previous chapters, assertions can be used to verify properties of the Verilog trace. As an example, the following program checks two values of the trace of the counter module (counter.c):


void next_timeframe();

struct module_top {
  unsigned int counter;
};

extern struct module_top top;

int main() {
  next_timeframe();
  next_timeframe();
  assert(top.counter==2);
  next_timeframe();
  assert(top.counter==3);
}

The following CBMC command line checks these assertions with a bound of 20:

hw-cbmc counter.c counter.v --module top --bound 20

Note that a specific version of CBMC is used, called hw-cbmc. The module name given must match the name of the module in the Verilog file. Multiple Verilog files can be given on the command line.

The --bound parameter is not to be confused with the --unwind parameter. While the --unwind parameter specifies the maximum unwinding depth for loops within the C program, the --bound parameter specifies the number of times the transition relation of the Verilog module is to be unwound.

Counterexamples

For the given example, the verification is successful. If the first assertion is changed to

  assert(top.counter==10);

and the bound on the command line is changed to 6, CBMC will produce a counterexample. CBMC produces two traces: One for the C program, which matches the traces described earlier, and a separate trace for the Verilog module. The values of the registers in the Verilog module are also shown in the C trace as part of the initial state.

Initial State
----------------------------------------------------
  bound=6 (00000000000000000000000000000110)
  counter={ 0, 1, 2, 3, 4, 5, 6 }

Failed assertion: assertion line 6 function main

Transition system state 0
----------------------------------------------------
  counter=0 (0000)

Transition system state 1
----------------------------------------------------
  counter=1 (0001)

Transition system state 2
----------------------------------------------------
  counter=2 (0010)

Transition system state 3
----------------------------------------------------
  counter=3 (0011)

Transition system state 4
----------------------------------------------------
  counter=4 (0100)

Transition system state 5
----------------------------------------------------
  counter=5 (0101)

Transition system state 6
----------------------------------------------------
  counter=6 (0110)

Using the Bound

The following program is using the bound variable to check the counter value in all cycles:


void next_timeframe();
extern const unsigned int bound;

struct module_top {
  unsigned int counter;
};

extern struct module_top top;

int main() {
  unsigned cycle;

  for(cycle=0; cycle<bound; cycle++) {
    assert(top.counter==(cycle & 15));
    next_timeframe();
  }
}

CBMC performs bounds checking, and restricts the number of times that next_timeframe() can be called. SATABS does not re­quire a bound, and thus, next_timeframe() can be called arbitrarily many times.

cbmc-4.5/doc/html-manual/satabs-background.shtml0000644000175000017500000001431012045177247021513 0ustar michaelmichael

CPROVER Manual TOC

SATABS – Predicate Abstraction with SAT

Background

Sound Abstractions

This section provides background information on how SATABS operates. Even for very trivial C programs it is impossible to exhaustively examine their state space (which is potentially unbounded). However, not all details in a C program necessarily contribute to a bug, so it may be sufficient to only examine those parts of the program that are somehow related to a bug.

In practice, many static verification tools (such as lint) try to achieve this goal by applying heuristics. This approach comes at a cost: bugs might be overlooked because the heuristics do not cover all relevant aspects of the program. Therefore, the conclusion that a program is correct whenever such a static verification tool is unable to find an error is invalid.

CEGAR Loop

A more sophisticated approach that has been very successful recently is to generate a sound abstraction of the original program. In this context, soundness refers to the fact that the abstract program contains (at least) all relevant behaviors (i.e., bugs) that are present in the original program. In the Figure above, the first component strips details from the original program. The number of possible behaviors increases as the number of details in the abstract program decreases. Intuitively, the reason is that whenever the model checking tool lacks the information that is necessary to make an accurate decision on whether a branch of an control flow statement can be taken or not, both branches have to be considered.

In the resulting abstract program, a set of concrete states is subsumed by means of a single abstract state. Consider the following figure:

The concrete states x1 and x2 are mapped to an abstract state X, and similarly Y subsumes y1 and y2. However, all transitions that are possible in the concrete program are also possible in the abstract model. The abstract transition XY summarizes the concrete transitions x1y1 and x1x1, and YX corresponds to x1x2. The behavior XYX is feasible in the original program, because it maps to x1x1x2. However, YXY is feasible only in the abstract model.

Spurious Counterexamples

The consequence is that the model checker (component number two in the figure above) possibly reports a spurious counterexample. We call a counterexample spurious whenever it is feasible in the current abstract model but not in the original program. However, whenever the model checker is unable to find an execution trace that violates the given property, we can conclude that there is no such trace in the original program, either.

The feasibility of counterexamples is checked by symbolic simulation (performed by component three in the figure above). If the counterexample is indeed feasible, SATABS found a bug in the original program and reports it to the user.

Automatic Refinement

On the other hand, infeasible counterexamples (that originate from abstract behaviors that result from the omission of details and are not present in the original program) are never reported to the user. Instead, the information is used in order to refine the abstraction such that the spurious counterexample is not part of the refined model anymore. For instance, the reason for the infeasibility of YXY is that neither y1 nor x1 can be reached from x2. Therefore, the abstraction can be refined by partitioning X.

The refinement steps can be illustrated as follows:

Iterative refinement

The first step (1) is to generate a very coarse abstraction with a very small state space. This abstraction is then successively refined (2, 3, ...) until either a feasible counterexample is found or the abstract program is detailed enough to show that there is no path that leads to a violation of the given property. The problem is that this point is not necessarily reached for every input program, i.e., it is possible that the the abstraction refinement loop never terminates. Therefore, SATABS allows to specify an upper bound for the number of iterations.

When this upper bound is reached and no counterexample was found, this does not necessarily mean that there is none. In this case, you cannot make any conclusions at all with respect to the correctness of the input program.

cbmc-4.5/doc/html-manual/api.shtml0000644000175000017500000001522212205470670016667 0ustar michaelmichael

CPROVER Manual TOC

The CPROVER API Reference

The following sections summarize the functions available to programs that are passed to the CPROVER tools.

Functions

__CPROVER_assume, __CPROVER_assert, assert


void __CPROVER_assume(_Bool assumption);
void __CPROVER_assert(_Bool assertion, const char *description);
void assert(_Bool assertion);

The function __CPROVER_assume adds an expression as a constraint to the program. If the expression evaluates to false, the execution aborts without failure. More detail on the use of assumptions is in the section on Assumptions and Assertions.

__CPROVER_same_object, __CPROVER_POINTER_OBJECT, __CPROVER_POINTER_OFFSET, __CPROVER_DYNAMIC_OBJECT


_Bool __CPROVER_same_object(const void *, const void *);
unsigned __CPROVER_POINTER_OBJECT(const void *p);
signed __CPROVER_POINTER_OFFSET(const void *p);
_Bool __CPROVER_DYNAMIC_OBJECT(const void *p);

The function __CPROVER_same_object returns true if the two pointers given as arguments point to the same object. The function __CPROVER_POINTER_OFFSET returns the offset of the given pointer relative to the base address of the object. The function __CPROVER_DYNAMIC_OBJECT returns true if the pointer passed as arguments points to a dynamically allocated object.

__CPROVER_is_zero_string, __CPROVER_zero_string_length, __CPROVER_buffer_size


_Bool __CPROVER_is_zero_string(const void *);
__CPROVER_size_t __CPROVER_zero_string_length(const void *);
__CPROVER_size_t __CPROVER_buffer_size(const void *);

__CPROVER_initialize


void __CPROVER_initialize(void);

The function __CPROVER_initialize computes the initial state of the program. It is called prior to calling the main procedure of the program.

__CPROVER_input, __CPROVER_output


void __CPROVER_input(const char *id, ...);
void __CPROVER_output(const char *id, ...);

The functions __CPROVER_input and __CPROVER_output are used to report an input or output value. Note that they do not generate input or output values. The first argument is a string constant to distinguish multiple inputs and outputs (inputs are typically generated using nondeterminism, as described here). The string constant is followed by an arbitrary number of values of arbitrary types.

__CPROVER_cover


void __CPROVER_cover(_Bool condition);

__CPROVER_isnan, __CPROVER_isfinite, __CPROVER_isfinite, __CPROVER_isfinite, __CPROVER_sign


_Bool __CPROVER_isnan(double f);
_Bool __CPROVER_isfinite(double f);
_Bool __CPROVER_isinf(double f);
_Bool __CPROVER_isnormal(double f);
_Bool __CPROVER_sign(double f);

The function __CPROVER_isnan returns true if the double-precision floating-point number passed as argument is a NaN.

The function __CPROVER_isfinite returns true if the double-precision floating-point number passed as argument is a finite number.

This function __CPROVER_isinf returns true if the double-precision floating-point number passed as argument is plus or minus infinity.

The function __CPROVER_isnormal returns true if the double-precision floating-point number passed as argument is a normal number.

This function __CPROVER_sign returns true if the double-precision floating-point number passed as argument is negative.

__CPROVER_abs, __CPROVER_labs, __CPROVER_fabs, __CPROVER_fabsl, __CPROVER_fabsf


int __CPROVER_abs(int x);
long int __CPROVER_labs(long int x);
double __CPROVER_fabs(double x);
long double __CPROVER_fabsl(long double x);
float __CPROVER_fabsf(float x);

These functions return the absolute value of the given argument.

__CPROVER_array_equal, __CPROVER_array_copy, __CPROVER_array_copy


_Bool __CPROVER_array_equal(const void array1[], const void array2[]);
void __CPROVER_array_copy(const void dest[], const void src[]);
void __CPROVER_array_set(const void dest[], value);

The function __CPROVER_array_equal returns true if the values stored in the given arrays are equal. The function __CPROVER_array_copy copies the contents of the array src to the array dest. The function __CPROVER_array_set initializes the array dest with the given value.

Predefined Types and Symbols

__CPROVER_bitvector


__CPROVER_bitvector [ expression ]

This type is only available in the C frontend. It is used to specify a bit vector with arbitrary but fixed size. The usual integer type modifiers signed and unsigned can be applied. The usual arithmetic promotions will be applied to operands of this type.

__CPROVER_floatbv


__CPROVER_floatbv [ expression ] [ expression ]

This type is only available in the C frontend. It is used to specify an IEEE-754 floating point number with arbitrary but fixed size. The first parameter is the total size (in bits) of the number, and the second is the size (in bits) of the mantissa, or significand.

__CPROVER_size_t

The type of sizeof expressions.

__CPROVER_rounding_mode


extern int __CPROVER_rounding_mode;

This variable contains the IEEE floating-point arithmetic rounding mode.

__CPROVER_constant_infinity_uint

This is a constant that models a large unsigned integer.

__CPROVER_integer, __CPROVER_rational

__CPROVER_integer is an unbounded, signed integer type. __CPROVER_rational is an unbounded, signed rational number type.

__CPROVER_memory


extern unsigned char __CPROVER_memory[];

This array models the contents of integer-addressed memory.

cbmc-4.5/doc/html-manual/hwsw-mapping.shtml0000644000175000017500000000712012045177247020543 0ustar michaelmichael

CPROVER Manual TOC

Hardware and Software Equivalence and Co-Verification

Mapping Variables

Mapping Variables within the Module Hierarchy

Verilog modules are hierarchical. The extern declarations shown above only allow reading the values of signals and registers that are in the top module. In order to read values from sub-modules, CBMC uses structures.

As an example, consider the following Verilog file (hierarchy.v):


module counter(input clk, input [7:0] increment);

  reg [7:0] counter;

  initial counter=0;

  always @(posedge clk)
    counter=counter+increment;

endmodule

module top(input clk);

  counter c1(clk, 1);
  counter c2(clk, 2);

endmodule

The file has two modules: a top module and a counter module. The counter module is instantiated twice within the top module. A reference to the register counter within the C program would be ambiguous, as the two module instances have separate instances of the register. CBMC and SATABS use the following data structures for this example:


void next_timeframe();
extern const unsigned int bound;

struct counter {
  unsigned char increment;
  unsigned char counter;
};

struct module_top {
  struct module_counter c1, c2;
};

extern struct module_top top;

int main() {
  next_timeframe();
  next_timeframe();
  next_timeframe();
  assert(top.c1.counter==3);
  assert(top.c2.counter==6);
}

The main function reads both counter values for cycle 3. A deeper hierarchy (modules in modules) is realized by using additional structure members. Writing these data structures for large Verilog designs is error prone, and thus, HW-CBMC can generate them automatically. The declarations above are generated using the command line

hw-cbmc --gen-interface --module top hierarchy.v

Mapping Verilog Vectors to Arrays or Scalars

In Verilog, a definition such as

  wire [31:0] x;

can be used for arithmetic (as in x+10) and as array of Booleans (as in x[2]). ANSI-C does not allow both, so when mapping variables from Verilog to C, the user has to choose one option for each such variable. As an example, the C declaration

  unsigned int x;

will allow using x in arithmetic expressions, while the C declaration

  __CPROVER_bool x[32];

will allow accessing the individual bits of x using the syntax x[bit]. The --gen-interface option of HW-CBMC will generate the first variant if the vector has the same size as one of the standard integer types, and will use the __CPROVER_bitvector[] type if not so. This choice can be changed by adjusting the declaration accordingly. Note that both SpecC and SystemC offer bit-extraction operators, which means that it unnecessary to use the declaration as array in order to access individual bits of a vector.

cbmc-4.5/doc/html-manual/installation-satabs.shtml0000644000175000017500000001120212045177247022072 0ustar michaelmichael

CPROVER Manual TOC

Installing SATABS

Requirements

SATABS is available for Windows, i86 Linux, and MacOS X. SATABS requires a code pre-processing environment comprising of a suitable preprocessor and an a set of header files.

  1. Linux: the preprocessor and the header files typically come with a package called gcc, which must be installed prior to the installation of SATABS.
  2. Windows: The Windows version of SATABS requires the preprocessor cl.exe, which is part of Visual Studio (including the free Visual Studio Express).
  3. MacOS: Install XCode prior to installing SATABS.

Important note for Windows users: Visual Studio's cl.exe relies on a complex set of environment variables to identify the target architecture and the directories that contain the header files. You must run SATABS from within the Visual Studio Command Prompt.

Note that the distribution files for the Eclipse plugin include the command-line tools. Therefore, if you intend to run SATABS exclusively within Eclipse, you can skip the installation of the command-line tools. However, you still have to install the compiler environment as described above.

Choosing and Installing a Model Checker

You need to install a Model Checker in order to be able to run SATABS. You can choose between following alternatives:
  • Cadence SMV. Available from http://www.kenmcmil.com/smv.html. Cadence SMV is a commercial model checker. The free version that is available on the homepage above must not be used for commercial purposes (read the license agreement thoroughly before you download the tool). The documentation for SMV can be found in the directory where you unzip/untar SMV under ./smv/doc/smv/. Read the installation instructions carefully. The Linux/MacOS versions require setting environment variables. You must add add the directory containing the smv binary (located in ./smv/bin/, relative to the path where you unpacked it) to your PATH environment variable. SATABS uses Cadence SMV by default.

  • NuSMV. Available from http://nusmv.irst.itc.it/. NuSMV is the open source alternative to Cadence SMV. Installation instructions and documentation can be found on the NuSMV homepage. The directory containing the NuSMV binary should be added to your PATH environment variable. Use the option

    --modelchecker nusmv

    to instruct SATABS to use NuSMV.

  • BOPPO. Available from http://www.cprover.org/boppo/. BOPPO is a model checker that uses SAT-solving algorithms. BOPPO relies on a built-in SAT solver and Quantor, a solver for quantified boolean formulas that is currently bundled with BOPPO, but also available separately from http://fmv.jku.at/quantor/. We recommend to add the directories containing both tools to your PATH environment variable. Use the option

    --modelchecker boppo

    when you call SATABS and want it to use BOPPO instead of SMV.

  • BOOM. Available from http://www.cprover.org/boom/. Boom has a number of unique features, including the verification of programs with unbounded thread creation.

Installing SATABS

  1. Download SATABS for your operating system. The binaries are available from http://www.cprover.org/satabs/.
  2. Unzip/untar the archive into a directory of your choice. We recommend to add this directory to your PATH environment variable.

Now you can execute SATABS. Try running SATABS on the small examples presented in the tutorial section. If you use the Cadence SMV model checker, the only command line arguments you have to specify are the names of the files that contain your program.

cbmc-4.5/doc/html-manual/satabs.shtml0000644000175000017500000001464512045177247017411 0ustar michaelmichael

CPROVER Manual TOC

SATABS – Predicate Abstraction with SAT

Overview

This section describes SATABS from the point of view of the user. To learn about the technology implemented in SATABS, read this section.

We assume you have already installed SATABS and the necessary support files on your system. If not so, please follow these instructions.

While users of SATABS almost never have to be concerned about the underlying refinement abstraction algorithms, understanding the classes of properties that can be verified is crucial. Predicate abstraction is most effective when applied to control-flow dominated properties. As an example, reconsider the following program (lock-example-fixed.c):


_Bool nondet_bool();
_Bool LOCK = 0;

_Bool lock() {
  if(nondet_bool()) {
    assert(!LOCK);
    LOCK=1;
    return 1; }

  return 0;
}

void unlock() {
  assert(LOCK);
  LOCK=0;
}

int main() {
  unsigned got_lock = 0;
  int times;

  while(times > 0) {
    if(lock()) {
      got_lock++;
      /* critical section */
    }

    if(got_lock!=0) {
      unlock();
      got_lock--;
    }

    times--;
} }

The two assertions in the program model that the functions lock() and unlock() are called in the right order. Note that the value of times is chosen non-deterministically and is not bounded. The program has no run-time bound, and thus, unwinding the code with CBMC will never terminate.

Working with Claims

The two assertions will give rise to two claims. Each claim is associated to a specific line of code, i.e., a claim is violated when the some condition can become false at the corresponding program location. SATABS will generate a list of all claims for the programs as follows:

satabs lock-example-fixed.c --show-claims

SATABS will list two claims; each claim corresponds to one of the two assertions. We can use SATABS to verify both claims as follows:

satabs lock-example-fixed.c

SATABS will conclude the verification successfully, that is, both assertions hold for execution traces of any length.

By default, SATABS attempts to verify all claims at once. A single claim can be verified (or refuted) by using the --claim id option of SATABS, where id denotes the identifier of the claim in the list obtained by calling SATABS with the --show-claims flag. Whenever a claim is violated, SATABS reports a feasible path that leads to a state in which the condition that corresponds to the violated claim evaluates to false.

Programs that use Libraries

SATABS cannot check programs that use functions that are only available in binary (compiled) form (this restriction is not imposed by the verification algorithms that are used by SATABS – they also work on assembly code). The reason is simply that so far no assembly language frontend is available for SATABS. At the moment, (library) functions for which no C source code is available have to be replaced by stubs. The usage of stubs and harnesses (as known from unit testing) also allows to check more complicated properties (like, for example, whether function fopen is always called before fclose). This technique is explained in detail in the SATABS tutorials.

Unit Testing with SATABS

The example presented here is obviously a toy example and can hardly be used to convince your project manager to use static verification in your next project. Even though we recommend to use formal verification and specification already in the early phases of your project, the sad truth is that in most projects verification (of any kind) is still pushed to the very end of the development cycle. Therefore, this section is dedicated to the verification of legacy code. However, the techniques presented here can also be used for unit testing.

Unit testing is used in most software development projects, and static verification with SATABS can be very well combined with this technique. Unit testing relies on a number test cases that yield the desired code coverage. Such test cases are implemented by a software testing engineer in terms of a test harness (aka test driver) and a set of function stubs. Typically, a slight modification to the test harness allows it to be used with SATABS. Replacing the explicit input values with non-deterministic inputs (as explained in here and here) guarantees that SATABS will try to achieve full path and state coverage (due to the fact that predicate abstraction implicitly detects equivalence classes). However, it is not guaranteed that SATABS terminates in all cases. Keep in mind that you must not make any assumptions about the validity of the claims if SATABS did not run to completion!

Further Reading

cbmc-4.5/doc/html-manual/libraries.shtml0000644000175000017500000000356012045177247020102 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

The Problem

Similar to unit testing, the model checking approach requires the user to clearly define what parts of the program should be tested and what the behavior of these parts is. This requirement has following reasons:

  • Despite recent advances, the size of the programs that model checkers can cope with is still restricted.

  • Typically, you want to verify your program and not the libraries or the operating that it uses (the correctness of these libraries and the OS us usually addressed separately).

  • CBMC and SATABS cannot verify binary libraries.

  • CBMC and SATABS does not provide a model for the hardware (e.g., hard disk, input/output devices) the tested program runs on. Since CBMC and SATABS are supposed to examine the behavior of the tested program for all possible inputs and outputs, it is reasonable to model input and output by means of non-deterministic choice.

Further Reading

Existing software projects usually do not come in a single source file that may simply be passed to a model checker, but is a collection of files held together by a build system. The ex­trac­tion of models from such a build system using goto-cc is described here. The ap­pli­ca­tion of goto-cc to the entire Linux kernel is described here. The problem of architectural pa­ram­e­ters (word with, endianness) is explained here.

cbmc-4.5/doc/html-manual/hwsw-inputs.shtml0000644000175000017500000000574512045177247020445 0ustar michaelmichael

CPROVER Manual TOC

Hardware and Software Equivalence and Co-Verification

Synchronizing Inputs

Driving Primary Inputs

The examples in the tutorial are trivial in the sense that the model has only one possible trace. The initial state is deterministic, and there is only one possible transition, so the verification problem can be solved by testing a single run. In contrast, consider the following Verilog module:


module top(input clk, input i);

  reg [3:0] counter;

  initial counter=0;

  always @(posedge clk)
    if(i)
      counter=counter+1;

endmodule

The module above has an input named i. The top-level inputs of the Verilog design have to be generated by the C program. This is done by assigning the desired values to the corresponding struct member, and then calling the set_inputs() function before calling next_timeframe(). Consider the following example:


void next_timeframe();
void set_inputs();
extern const unsigned int bound;

struct module_top {
  unsigned int counter;
  _Bool i;
};

extern struct module_top top;

int main() {
  assert(top.counter==0);

  top.i=1;
  set_inputs(); next_timeframe();
  assert(top.counter==1);

  top.i=1;
  set_inputs(); next_timeframe();
  assert(top.counter==2);

  top.i=0;
  set_inputs(); next_timeframe();
  assert(top.counter==2);
}

As an example, consider a Verilog module that has a signal reset as an input, which is active-low. The following C fragment drives this input to be active in the first cycle, and not active in any subsequent cycle:


  top.resetn=0;
  set_inputs(); next_timeframe();

  for(i=1; i<bound; i++) {
    top.resetn=1;
    set_inputs(); next_timeframe();
  }

Note that the value of the input must be set before calling next_timeframe(). The effect of the input values on values derived in a combinatorial way is immediately visible. The effect on clocked values becomes visible in the next time frame.

Using Nondeterminism

The examples above use particular, constant values to drive the primary inputs. In order to check the behavior of the Verilog model for more than one specific input, use nondeterminism.

cbmc-4.5/doc/html-manual/modeling-floating-point.shtml0000644000175000017500000001254612201373351022644 0ustar michaelmichael

CPROVER Manual TOC

Floating Point

The CPROVER tools support bit-accurate reasoning about IEEE-754 floating-point and fixed-point arithmetic. The C standard contains a number of areas of implementation-defined behaviour with regard to floating-point arithmetic:

  • CPROVER supports C99 Appendix F, and thus, the __STD_IEC_559__ macro is defined. This means that the C float data type maps to IEEE 754 binary32 and double maps to binary64 and operations on them are as specified in IEEE 754.

  • long double can be configured to be binary64, binary128 (quad precision) or a 96 bit type with 15 exponent bits and 80 significant bits. The last is an approximation of Intel's x87 extended precision double data type. As the C standard allows a implementations a fairly wide set of options for long double, it is best avoided for both portable code and bit-precise analysis. The default is to match the build architecture as closely as possible.

  • In CPROVER, floating-point expressions are evaluated at the 'natural precision' (the greatest of the arguments) and not at a higher precision. This corresponds to FLT_EVAL_METHOD set to 0. Note that this is a different policy to some platforms (see below).

  • Expression contraction (for example, converting x * y + c to fma(x,y,c)) is not performed. In effect, the FP_CONTRACT pragma is always off.

  • Constant expressions are evaluated at `run' time wherever possible and so will respect changes in the rounding mode. In effect, the FENV_ACCESS pragma is always off. Note that floating point constants are treated as doubles (unless they are followed by f when they are float) as specified in the C standard. goto-cc supports -fsingle-precision-constant, which allows the (non-standard) treatment of constants as floats.

x86 and Other Platform-specific Issues

Not all platforms have the same implementation-defined behaviour as CPROVER. This can cause mismatches between the verification environment and the execution environment. If this occurs, check the compiler manual for the choices listed above. There are two common cases that can cause these problems: 32-bit x86 code and the use of unsafe optimisations.

Many compilers that target 32-bit x86 platforms employ a different evaluation method. The extended precision format of the x87 unit is used for all computations regardless of their native precision. Most of the time, this results in more accurate results and avoids edge cases. However, it can result in some obscure and difficult to debug behaviour. Checking if the FLT_EVAL_METHOD macro is non-zero (for these platforms it will typically be 2), should warn of these problems. Changing the compiler flags to use the SSE registers will resolve many of them, give a more standards-compliant platform and will likely perform better. Thus it is highly recommended. Use -msse2 -mfpmath=sse to enable this option for GCC. Visual C++ does not have an option to force the exclusive use of SSE instructions, but /arch:SSE2 will pick SSE instructions "when it [the compiler] determines that it is faster to use the SSE/SSE2 instructions" and is thus better than /arch:IA32, which exclusively uses the x87 unit.

The other common cause of discrepancy between CPROVER results and the actual platform are the use of unsafe optimisations. Some higher optimisation levels enable transformations that are unsound with respect to the IEEE-754 standard. Consult the compiler manual and disable any optimisations that are described as unsafe (for example, the GCC options -ffast-math). The options -ffp-contract=off (which replaces -mno-fused-madd), -frounding-math and -fsignaling-nans are needed for GCC to be strictly compliant with IEEE-754.

Math Library

CPROVER implements some of math.h, including fabs, fpclassify and signbit. It has very limited support for elementary functions. Care must be taken when verifying properties that are dependent on these functions as the accuracy of implementations can vary considerably. The C compilers can (and many do) say that the accuracy of these functions is unknown.

Fixed-point Arithmetic

CPROVER also has support for fixed-point types. The --fixedbv flag switches float, double and long double to fixed-point types. The length of these types is platform specific. The upper half of each type is the integer component and the lower half is the fractional part.

cbmc-4.5/doc/html-manual/goto-cc-linux.shtml0000644000175000017500000000560412200722260020577 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

Example: Extracting Models from the Linux Kernel

The Linux kernel code consists of more than 11 million lines of low-level C and is frequently used to evaluate static analysis techniques. In the following, we show how to extract models from Linux 2.6.39.

  1. First of all, you will need to make sure you have around 100 GB of free disc space available.

  2. Download the Kernel sources at http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.39.tar.bz2 .

  3. Now do

      bunzip2 linux-2.6.39.tar.bz2
      tar xvf linux-2.6.39.tar
      cd linux-2.6.39

  4. Now ensure that you can actually compile a kernel by doing

      make defconfig
      make

    These steps need to succeed before you can try to extract models from the kernel.

  5. Now compile gcc-wrap.c and put the resulting binary into a directory that is in your PATH variable:

      lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c
      gcc gcc-wrap.c -o gcc-wrap
      cp gcc-wrap ~/bin/

    This assumes that the directory ~/bin exists and is in your PATH variable.

  6. Now change the variable CC in the kernel Makefile as follows:

      CC = ~/bin/gcc-wrap

  7. Now do

      make clean
      make

    This will re-compile the kernel, but this time retaining the preprocessed source files.

  8. You can now compile the preprocessed source files with goto-cc as follows:

      find ./ -name .tmp_*.i > source-file-list
      for a in `cat source-file-list` ; do
        goto-cc -c $a -o $a.gb
      done

    Note that it is important that the word-size of the kernel configuration matches that of goto-cc. Otherwise, compile-time assertions will fail, generating the error message "bit field size is negative". For a kernel configured for a 64-bit word-width, pass the option --64 to goto-cc.

The resulting .gb files can be passed to any of the CPROVER tools.

cbmc-4.5/doc/html-manual/counter.c0000644000175000017500000000035412045177247016676 0ustar michaelmichaelvoid next_timeframe(); struct module_top { unsigned int counter; }; extern const struct module_top top; int main() { next_timeframe(); next_timeframe(); assert(top.counter==2); next_timeframe(); assert(top.counter==3); } cbmc-4.5/doc/html-manual/lock-example-fixed.c0000644000175000017500000000062712045177247020700 0ustar michaelmichael_Bool nondet_bool(); _Bool LOCK = 0; _Bool lock() { if(nondet_bool()) { assert(!LOCK); LOCK=1; return 1; } return 0; } void unlock() { assert(LOCK); LOCK=0; } int main() { unsigned got_lock = 0; int times; while(times > 0) { if(lock()) { got_lock++; /* critical section */ } if(got_lock!=0) { unlock(); got_lock--; } times--; } } cbmc-4.5/doc/html-manual/satabs-tutorials.shtml0000644000175000017500000000100012045177247021412 0ustar michaelmichael

CPROVER Manual TOC

SATABS – Predicate Abstraction with SAT

Tutorials

We provide an introduction to model checking "real" C programs with SATABS using two small examples:

  • An example based on Linux device drivers.
  • An example based on a Mail Transfer Agent.
  • cbmc-4.5/doc/html-manual/satabs-driver.shtml0000644000175000017500000002353212045177247020675 0ustar michaelmichael

    CPROVER Manual TOC

    SATABS – Predicate Abstraction with SAT

    Tutorials

    Example: Reference Counting in Linux Device Drivers

    Microsoft's SLAM toolkit has been successfully used to find bugs in Windows device drivers. SLAM automatically verifies device driver whether a device driver adheres to a set of specifications. SLAM provides a test harness for device drivers that calls the device driver dispatch routines in a non-deterministic order. Therefore, the Model Checker examines all combinations of calls. Motivated by the success this approach, we provide a toy example based on Linux device drivers. For a more complete approach to the verification of Linux device drivers, consider DDVerify.

    Dynamically loadable modules enable the Linux Kernel to load device drivers on demand and to release them when they are not needed anymore. When a device driver is registered, the kernel provides a major number that is used to uniquely identify the device driver. The corresponding device can be accessed through special files in the filesystem; by convention, they are located in the /dev directory. If a process accesses a device file the kernel calls the corresponding open, read and write functions of the device driver. Since a driver must not be released by the kernel as long as it is used by at least one process, the device driver must maintain a usage counter (in more recent Linux kernels, this is done automatically, however, drivers that must maintain backward compatibility have to adjust this counter).

    We provide a skeleton of such a driver. Download the files spec.c, driver.c, driver.h, kdev_t.h, and modules.h.

    The driver contains following functions:

    1. register_chrdev: (in spec.c) Registers a character device. In our implementation, the function sets the variable usecount to zero and returns a major number for this device (a constant, if the user provides 0 as argument for the major number, and the value specified by the user otherwise).


      int usecount;

      int register_chrdev (unsigned int major, const char* name)
      {
        usecount = 0;
        if (major == 0)
          return MAJOR_NUMBER;
        return major;
      }

    2. unregister_chrdev: (in spec.c) Unregisters a character device. This function asserts that the device is not used by any process anymore (we use the macro MOD_IN_USE to check this).


      int unregister_chrdev (unsigned int major, const char* name)
      {
        if (MOD_IN_USE)
          {
          ERROR: assert (0);
          }
        else
          return 0;
      }

    3. dummy_open: (in driver.c) This function increases the usecount. If the device is locked by some other process dummy_open returns -1. Otherwise it locks the device for the caller.

    4. dummy_read: (in driver.c) This function "simulates" a read access to the device. In fact it does nothing, since we are currently not interested in the potential buffer overflow that may result from a call to this function. Note the usage of the function nondet_int: This is an internal SATABS-function that non­determi­nistically returns an arbitrary integer value. The function __CPROVER_assume tells SATABS to ignore all traces that do not adhere to the given assumption. Therefore, whenever the lock is held, dummy_read will return a value between 0 and max. If the lock is not held, then dummy_read returns -1.

    5. dummy_release: (in driver.c) If the lock is held, then dummy_release decreases the usecount, releases the lock, and returns 0. Otherwise, the function returns -1.

    We now want to check if any valid sequence of calls of the dispatch functions (in driver.c) can lead to the violation of the assertion (in spec.c). Obviously, a call to dummy_open that is immediately followed by a call to unregister_chrdev violates the assertion.

    The function main in spec.c gives an example of how these functions are called. First, a character device "dummy" is registered. The major number is stored in the inode structure of the device. The values for the file structure are assigned non-deterministically. We rule out invalid sequences of calls by ensuring that no device is unregistered while it is still locked. We use the following model checking harness for calling the dispatching functions:


          random = nondet_uchar ();
          __CPROVER_assume (0 <= random && random <= 3);

          switch (random)
          {
          case 1:
            rval = dummy_open (&inode, &my_file);
            if (rval == 0)
              lock_held = TRUE;
            break;
          case 2:
            __CPROVER_assume (lock_held);
            count = dummy_read (&my_file, buffer, BUF_SIZE);
            break;
          case 3:
            dummy_release (&inode, &my_file);
            lock_held = FALSE;
            break;
          default:
            break;
          }

    The variable random is assigned non-deterministically. Subsequently, the value of random is restricted to be 0 &le random ≤ 3 by a call to __CPROVER_assume. Whenever the value of random is not in this interval, the corresponding execution trace is simply discarded by SATABS. Depending on the value of random, the harness calls either dummy_open, dummy_read or dummy_close. Therefore, if there is a sequence of calls to these three functions that leads to a violation of the assertion in unregister_chrdev, then SATABS will eventually consider it.

    If we ask SATABS to show us the verification claims with

    satabs driver.c spec.c --show-claims

    for our example, we obtain

    1. Claim unregister_chrdev.1:
          file spec.c line 18 function unregister_chrdev
          MOD_IN_USE in unregister_chrdev
          FALSE

    2. Claim dummy_open.1:
          file driver.c line 15 function dummy_open
          i_rdev mismatch
          (unsigned int)inode->i_rdev >> 8 == (unsigned int)dummy_major

    It seems obvious that the claim dummy_open.1 can never be violated. SATABS confirms this assumption: We call

    satabs driver.c spec.c --claim dummy_open.1

    and SATABS reports VERIFICATION SUCCESSFUL after a few iterations.

    If we try to verify claim unregister_chrdev.1, SATABS reports that the property in line 18 in file spec.c is violated (i.e., the assertion does not hold, therefore the VERIFICATION FAILED). Furthermore, SATABS provides a detailed description of the problem in the form of a counterexample (i.e., an execution trace that violates the property). On this trace, dummy_open is called twice, leading to a usecount of 2. The second call of course fails with rval=-1, but the counter is increased nevertheless:


    int dummy_open (struct inode *inode, struct file *filp)
    {
      __CPROVER_assert(MAJOR (inode->i_rdev) == dummy_major,       "i_rdev mismatch");
      MOD_INC_USE_COUNT;

      if (locked)
        return -1;
      locked = TRUE;

      return 0; /* success */
    }

    Then, dummy_release is called to release the lock on the device. Finally, the loop is left and the call to unregister_chrdev results in a violation of the assertion (since usecount is still 1, even though locked=0).

    cbmc-4.5/doc/html-manual/expr.c0000644000175000017500000000012112045177247016165 0ustar michaelmichaelint *ptr; int main(void) { if (ptr) *ptr = 0; if (!ptr) *ptr = 1; } cbmc-4.5/doc/html-manual/modeling-assertions.shtml0000644000175000017500000001151212045177247022110 0ustar michaelmichael

    CPROVER Manual TOC

    Modeling with Assertions and Assumptions

    Assertions

    Assertions are statements within the program that attempt to capture the programmer's intent. The ANSI-C standard defines a header file assert.h, which offers a macro assert(cond). When executing a statement such as

      assert(p!=NULL);

    the execution is aborted with an error message if the condition evaluates to false, i.e., if p is NULL in the example above. The CPROVER tools can check the validity of the programmer-annotated assertions statically. Specifically, the CPROVER tools will check that the assertions hold for any nondeterministic choice that the program can make. The static assertion checks can be disabled using the --no-assertions command line option.

    In addition, there is a CPROVER-specific way to specify assertions, using the built-in function __CPROVER_assert:

      __CPROVER_assert(p!=NULL, "p is not NULL");

    The (mandatory) string that is passed as the second argument provides an informal description of the assertion. It is shown in the list of claims together with the condition.

    The assertion language of the CPROVER tools is identical to the language used for expressions. Note that nondeterminism can be exploited in order to check a range of choices. As an example, the following code fragment asserts that all elements of the array are zero:

      int a[100], i;

      ...

      i=nondet_uint();
      if(i>=0 && i<100)
        assert(a[i]==0);

    The nondeterministic choice will guess the element of the array that is nonzero. The code fragment above is therefore equivalent to

      int a[100], i;

      ...

      for(i=0; i<100; i++)
        assert(a[i]==0);

    Future CPROVER releases will support explicit quantifiers with a syntax that resembles Spec#:

    __CPROVER_forall { type identifier ; expression }
    __CPROVER_exists { type identifier ; expression }

    Assumptions

    Assumptions are used to restrict nondeterministic choices made by the program. As an example, suppose we wish to model a nondeterministic choice that returns a number from 1 to 100. There is no integer type with this range. We therefore use __CPROVER_assume to restrict the range of a nondeterministically chosen integer:

    unsigned int nondet_uint();

    unsigned int one_to_hundred()
    {
      unsigned int result=nondet_uint();
      __CPROVER_assume(result>=1 && result<=100);
      return result;
    }

    The function above returns the desired integer from 1 to 100. You must ensure that the condition given as an assumption is actually satisfiable by some nondeterministic choice, or otherwise the model checking step will pass vacuously.

    Also note that assumptions are never retroactive: They only affect assertions (or other properties) that follow them in program order. This is best illustrated with an example. In the following fragment, the assumption has no effect on the assertion, which means that the assertion will fail:

      x=nondet_uint();
      assert(x==100);
      __CPROVER_assume(x==100);

    Assumptions do restrict the search space, but only for assertions that follow. As an example, the following program will pass:

    int main() {
      int x;

      __CPROVER_assume(x>=1 && x<=100000);

      x*=-1;

      __CPROVER_assert(x<0, "x is negative");
    }

    Beware that nondeterminism cannot be used to obtain the effect of universal quantification in assumptions. As an example,

    int main() {
      int a[10], x, y;

      x=nondet_int();
      y=nondet_int();
      __CPROVER_assume(x>=0 && x<10 && y>=0 && y<10);

      __CPROVER_assume(a[x]>=0);

      assert(a[y]>=0);
    }

    fails, as there is a choice of x and y which results in a counterexample (any choice in which x and y are different).

    cbmc-4.5/doc/html-manual/footer.inc0000644000175000017500000000007312045177247017042 0ustar michaelmichael
cbmc-4.5/doc/html-manual/goto-cc-variants.shtml0000644000175000017500000000316612062631064021277 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

Variants of goto-cc

The goto-cc utility comes in several variants, summarised in the following table.

ExecutableEnvironmentPreprocessor
goto-cc gcc (control-flow graph only) gcc -E
goto-gcc gcc ("hybrid" executable) gcc -E
goto-armcc ARM RVDS armcc -E
goto-cl Visual Studio cl /E
goto-cw Freescale CodeWarrior mwcceppc

The primary difference between the variants is the preprocessor called. Furthermore, the language recognized varies slightly. The variants can be obtained by simply renaming the goto-cc executable. On Linux/MacOS, the variants can be obtained by creating a symbolic link.

The "hybrid" executables contain both the control-flow graph for verification purposes and the usual, executable machine code.

cbmc-4.5/doc/html-manual/goto-cc-apache.shtml0000644000175000017500000000473312045177247020703 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

Example: Extracting Models from the Apache HTTPD

The Apache HTTPD is still the most frequently used web server. Together with the relevant libraries, it consists of around 0.4 million lines of C code. In the following, we show how to extract models from Apache HTTPD 2.4.2.

  1. First of all, we download the sources of Apache HTTPD and two supporting libraries and uncompress them:

      lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-1.4.6.tar.bz2
      lwp-download http://www.mirrorservice.org/sites/ftp.apache.org/apr/apr-util-1.4.1.tar.bz2
      lwp-download http://mirror.catn.com/pub/apache/httpd/httpd-2.4.2.tar.bz2

      bunzip2 < apr-1.4.6.tar.bz2 | tar x
      bunzip2 < apr-util-1.4.1.tar.bz2 | tar x
      bunzip2 < httpd-2.4.2.tar.bz2 | tar x

  2. Now compile gcc-wrap.c and put the resulting binary into a directory that is in your PATH variable:

      lwp-download http://www.cprover.org/cprover-manual/gcc-wrap.c
      gcc gcc-wrap.c -o gcc-wrap
      cp gcc-wrap ~/bin/

    This assumes that the directory ~/bin exists and is in your PATH variable.

  3. We now build the sources with gcc:

      (cd apr-1.4.6; ./configure; make CC=gcc-wrap)
      (cd apr-util-1.4.1; ./configure --with-apr=../apr-1.4.6 ; make CC=gcc-wrap)
      (cd httpd-2.4.2; ./configure --with-apr=../apr-1.4.6 --with-apr-util=../apr-util-1.4.1 ; make CC=gcc-wrap)

  4. You can now compile the preprocessed source files with goto-cc as follows:

      find ./ -name *.i > source-file-list
      for a in `cat source-file-list` ; do
        goto-cc -c $a -o $a.gb
      done

The resulting .gb files can be passed to any of the CPROVER tools.

cbmc-4.5/doc/html-manual/installation-plugin.shtml0000644000175000017500000000311112045177247022113 0ustar michaelmichael

CPROVER Manual TOC

Installing the Eclipse Plugin

Requirements

We provide a graphical user interface to CBMC and SATABS, which is realized as a plugin to the Eclipse framework. Eclipse is available at http://www.eclipse.org. We do not provide installation instructions for Eclipse (basically, you only have to download the current version and extract the files to your hard-disk) and assume that you have already installed the current version.

CBMC and SATABS have their own requirements. As an example, both CBMC and SATABS require a suitable preprocessor and a set of header files. As first step, you should therefore follow the installation instructions for CBMC and SATABS.

Important note for Windows users: Visual Studio's cl.exe relies on a complex set of environment variables to identify the target architecture and the directories that contain the header files. You must run Eclipse from within the Visual Studio Command Prompt.

Installing the Eclipse Plugin

The installation instructions for the Eclipse Plugin, including the link to the download site, are available here. This includes a small tutorial on how to use the Eclipse plugin.

cbmc-4.5/doc/html-manual/boop-example/0000755000175000017500000000000012206365330017430 5ustar michaelmichaelcbmc-4.5/doc/html-manual/boop-example/spec.c0000644000175000017500000000254212045177247020542 0ustar michaelmichael#include "driver.h" int usecount; int dummy_major; int register_chrdev (unsigned int major, const char* name) { usecount = 0; if (major == 0) return MAJOR_NUMBER; return major; } int unregister_chrdev (unsigned int major, const char* name) { if (MOD_IN_USE) { ERROR: __CPROVER_assert(0, "MOD_IN_USE in unregister_chrdev"); } else return 0; } int main () { int rval; int size; struct file my_file; char *buffer; /* we do not model this buffer */ struct inode inode; unsigned int count; unsigned char random; int lock_held = 0; dummy_major = register_chrdev (0, "dummy"); inode.i_rdev = dummy_major << MINORBITS; init_module (); /* assign arbitrary values */ my_file.f_mode = nondet_uint (); my_file.f_pos = nondet_uint (); do { random = nondet_uchar (); __CPROVER_assume (0 <= random && random <= 3); switch (random) { case 1: rval = dummy_open (&inode, &my_file); if (rval == 0) lock_held = TRUE; break; case 2: __CPROVER_assume (lock_held); count = dummy_read (&my_file, buffer, BUF_SIZE); break; case 3: dummy_release (&inode, &my_file); lock_held = FALSE; break; default: break; } } while (random || lock_held); cleanup_module (); unregister_chrdev (dummy_major, "dummy"); return 0; } cbmc-4.5/doc/html-manual/boop-example/driver.c0000644000175000017500000000144412045177247021103 0ustar michaelmichael#include "driver.h" extern int dummy_major; int locked; int init_module (void) { locked = FALSE; } void cleanup_module (void) { } int dummy_open (struct inode *inode, struct file *filp) { __CPROVER_assert(MAJOR (inode->i_rdev) == dummy_major, "i_rdev mismatch"); MOD_INC_USE_COUNT; if (locked) return -1; locked = TRUE; return 0; /* success */ } unsigned int dummy_read (struct file *filp, char *buf, int max) { int n; if (locked) { n = nondet_int (); __CPROVER_assume ((n >= 0) && (n <= max)); /* writing to the buffer is not modeled here */ return n; } return -1; } int dummy_release (struct inode *inode, struct file *filp) { if (locked) { MOD_DEC_USE_COUNT; locked = FALSE; return 0; } return -1; } cbmc-4.5/doc/html-manual/boop-example/driver.h0000644000175000017500000000074612045177247021114 0ustar michaelmichael#ifndef __DRIVER_H__ #define __DRIVER_H__ #define MODULE #include "modules.h" #define TRUE 1 #define FALSE 0 #define BUF_SIZE 255 extern int init_module (void); extern void cleanup_module (void); extern int dummy_open (struct inode*, struct file*); extern unsigned int dummy_read (struct file*, char*, int); extern int dummy_release (struct inode*, struct file*); /* Functions for SATABS */ int nondet_int (); unsigned int nondet_uint (); unsigned char nondet_uchar (); #endif cbmc-4.5/doc/html-manual/boop-example/modules.h0000644000175000017500000000065512045177247021270 0ustar michaelmichael#ifndef __MODULES_H__ #define __MODULES_H__ #include "kdev_t.h" extern int usecount; #define MOD_INC_USE_COUNT (usecount = usecount + 1) #define MOD_DEC_USE_COUNT (usecount = usecount - 1) #define MOD_IN_USE (usecount != 0) #define ENODEV 0xf #define MAJOR_NUMBER 42 extern int register_chrdev (unsigned int, const char *); extern int unregister_chrdev (unsigned int, const char *); #endif cbmc-4.5/doc/html-manual/boop-example/kdev_t.h0000644000175000017500000000063612045177247021073 0ustar michaelmichael#ifndef __KDEV_T_H__ #define __KDEV_T_H__ #define MINORBITS 8 typedef unsigned short kdev_t; #define MAJOR(dev) ((dev) >> MINORBITS) #define MINOR(dev) ((dev) % 256) #define NODEV 0 typedef unsigned int mode_t; typedef unsigned int loff_t; struct inode { kdev_t i_rdev; }; struct file { mode_t f_mode; loff_t f_pos; }; struct data { int size; char *content; }; #endif cbmc-4.5/doc/html-manual/states.png0000644000175000017500000002767512045177247017103 0ustar michaelmichaelPNG  IHDR$3/iCCPICC Profilexc``2ptqre``+) rwRR` ``\\yy | 2 U +'300%@q9@HR6. r!+ v.z H}:b'A2 vIj^ʢ#ǔTbϼĒZ@! A!ahii "q(v!( cd2f` G1G)I/15C}}sïPo pHYsgR IDATxw4E`J$ 3H9 dQɈI3G$g8HHs"zK3gwgvvvvߙ?tWWz?UW%JݗEC%J/ lU;$P*$*Jت6PI T`+HU6*Um@AVl* |"?_|W_G}4Xc5_"C0cO0ַc .ՓK_zWn>ȳ.'xR隁F<) ؀ꭷzw{=r}s1IpGW2>Co]L2*@Uwp UO>DPeo͏?X بqf-}Hܨw<3D:zNu~w&$!kL'OFo+i)#O*R7SOIʑ Td%j^x7x`C̀nqqDž߶~ rל>>պvq~dz>sAtMruUk}jfA40Oc~z~ t~꽇m`(>4F=O:tӔ%@s9L3U7a>h<$]}),jK253>*8L6\s2,˺Q44|s1묳"6TO:iz5qUo>y`0vZo{լZ {ZQy# /L}Uw( =SV#IaV[{Ǟyx[1m`c#z'HwbT+{wir2Rhlsi-yvީdIw馋`S[nOIXT/\ .7da:ロMBO1ň0|uu<^~;tX~q'2Zp dJ5KC7|ś%X,Oy lfK-TT`Yz'lz* %S-V\q"g%)~'lPB:IW߲RmK*e`7_TgZfJ+~;<׍`ӟC[o0p/袴")tM~]vxb5\c$|הc$-.BfW^9C_:|]wBᕎe.ar^O?ٵ%`<@}6`]r%#Z.Gb-u:%"gtSy98_z饐hx-Bon8{kQ{ҕ6gRJ8\q|b;,OuYa!)N묳ȑ#u72?袋Ydf5qrQF[Lj4(WZKgk4G~]?~lfAgynS9#T_ b0;H\L8Fff]wEԖ[S;vӖ2`x, _ P-hWW_}5S%7=&ϻzMl 7O>9U^?ߚL1]].S' `cj0ٖgF2,/9 /Dql# e^dr rtP4RT_ 61c?U1{hO뭷`>7}tzM`g)qKz'|2U HlҟY~.U >`bs`JU24 {Oj]vYXZ- }[k2i\Lߖ0cy'͍7h4l-Mg-]4Gud6*~퇙gra&8qcO Jo%Lm+ȰFlTv "1z5%{*-X L+AN&˙ y{8RWy}nST}3FaE;lvܡ=lc]r%1cbJ [M)AB`޲C!mYR,PlAl3k/3a’Z V ~eϴ-05SN%15lPҾČx6E ѷv[Lq K4YF6Z>d ?C:}Ĉ 8(pk1 @u+Wqx衇2cYtoj'Ga'2s٥!mIi?kzq Дqx2Mm2^9BW $5s@=ܩâJIkcIBrIa_kzxšs~Sfbx+#91CAH:`OΖA5<"C- 'BV>#?Glv+mG|.C3eІdl3l T*x/R1iZpCt^=mXSn#N2 n dSjҁM%ް~iR =U.e 6;:Sf uӁM۪$~M6O}=,LqsLO2c?شZ{ZOo7mX꽶AII퓘` ς7ACIt'n D#辦aL"r uP)&i*AM.K3I{ o5q/Rl.*ćz뮻[>bgm'g{8s~Փ &[Z׻n0l\c̎l Y=;ɝ=VY $*`ӅӚRX1(Yr-g`VꪫV]u$e.^MfvF!o.Ky,9$$ȡUxB9:.m dB2[RXPa j_?lNasǒTB/bؚgl s1ok/d4~^]OaX"Nvi1 KC&$*PvS]#= o c UӇvlJ| !dI0FK0zÛ~(O܆o[Fp% zC)H9>I:}4iVa[uCڿ*0,[l!0w@,P?lƓ"G^TMMqDIim]L^ Yv*!}ʝ'hR-BOXc#s`­FU2V*&T<;/!sBĘ]{?״sѹߘ?KLZ Tz=lw#mr'6[x|/EO2Z,بsEtEJ? ig:HfLVnQz=IX8eLpU>77NR#O!o.[sIHC&whC!Tm1!0yKCwnZ$E bmk4F@zꩼX,0ԉ{%֒~/NnL')l?яLUii-N8A+m60j[Q;9򡱤-67|s&;7N9[ʖi-BdKp*[˺V[$1&b%C9 RL<w0ǓN:ɔMx*lHA霽4e9#QϝK>;S(hdS05òZ[wv!Xb0 "B3Dܰv0(N|d "oŬKSg,{[p~%/GP6ɠ[U)> lUQ]l*W9ފu)sVhTx+T%ˬ[Rh& l= o=z ֛J4 l=GW`ɶ[/_x gX1`?o!"6 r7|5裏:&y檥)=aP[;<LBTB*Ւ{|?@Q8!M#qlϝCI9dپ:!>馛f#FєoQY l駟z6gemYD]/aMN4PI|-pbԜEfu u%[᭶Zh!j*ؽ&zy筷iF`ynwe2b@6=!eC~DZ(`5kx34`Puo"3^~=hw}w"pcRGdM'PVx/St!F=yP*C\:vMuڛ~-~) U`@[oc%i[Hgi:9>K.n'}g=˜ nkXAT-ACMc+7Ar،]??Q T.^X28*%2apLIK|g`#Xa^qM7]~˜;eqf*щ&I]fY`CgPl!kUR+, oDMm fF~ =-PUD.;hnr H7 LG ݽ0;=a oNѨ,1ǰ@Z? lL4\pJ儡Cn tG8'16lN2iv~ MI98_~+暋Myx27FUż+o5"k$ww_po'vZN^ƢE,䒵`# ?Xk0[xrTz?o B,57JVc5' ol}=ie7o>G?&uwX-mi -)>3"gy& n0[dakf0ۓO> |xBfRy>)Nkr el^ nuR;YM5X^]{rN: oJ7KE83ƅHU|y繱clgMghu]0;xc|/9HZR5rD\@Y>Y$E+'9U`*}W|u_U`/q oe le,Ux"BVͤ[ͭ[[ [ +%*#R,˗RRIRUGTx_YSUr]UTDw٨]ƥ^-NNOUuXUPފu*5>úC& o{cJ.oo5Dϴ[uPx% oD^*Y؊vVXT`+Lͨ[1uS9= oPYTxv=U`분) o] l]o%^{uV+mr Y8?@xO tڸ;swN)l|4}Y'8:/8M1prp:Ovm~Z਽O?wދ/p 'B;Is:.2^ ?pB%:ɑ% >.қn)8gpM7uMW޶n#cxec/I7v )l mR$}d* .,p_~ q~73G}TbϕW^Y WARLsYuUs=Tuhۇ~Ëe#xߒe~ R#S\wr<}ETxRJ+s9rK-qpJ}R"[f{J"J03c%N;eY\-F'w vi?sc6uQ|<^=L9hqV9{߁Q_X&M7tEiSeǐ xy:5uM[F;Zn1oM(;pΚ -&lv?vN T&8sn0mgJ|Q;BR0QTԻ|v!(IDAT 5\Ob )j_ve"dC4|Hs3`j9L[`'&{e]9.zЬZgˮ-=%\ب0}d)va3qw٘FCf剸8{キ"Y0oWK["v 9`'hZ5:ow4YP-^JyvK_ $׆</ijjB-9S)$YM#L^zҡ~՘fٞb U0c*7f8dM6 mv`Q%6mWoL4!vΆu5EҪ]*6 p%[uI1+k ]H[sS xҫk^dA0<4 Ђ! ctjިw2IEMO?=ǥyt nfVR^M_~dSԻWv܃^`(X]`Ozd6t`c]ǘAf x&:v K`E$t'Ұ n2pC@$5wv 6"G7)`qTg7'6ЉCXCt`K7͹+S=IBIIb9Qʜ $6P reHY6pT$ &8! (&fucHVɉ Qr>eݕ=|oZiJɦi,P6CM\S6w[fͫ2Sg a'u$j"t@pF= }d1[u 6I3Hvouw 7N-*AT-/GX~2[EjyܚySZkȷ9MNOl7Ú hK?YF5jJ.GX6oCm91d۶/{IWMZwy DlnFp"@1mY k[5o:) mʓN:) BkRS96ŰOF-m7}R?WLvIE\i-*+2~1& o{8:JW]x-E)tMWyM{Rm`\9MR!b"wRf>&>YƴHX$84vLSF%f:VՄnjdFGx) ѯ⊭ErԨQonB 93-A4L*8+L 89MLBqb 6#` i 4%#Fe7iZkչ ;#Cy` *Lt058< <=!fuKv!Pl*;E: ē0-PJ$T+~9u @KP)n.uFpam *h,퀺#\M+`#}B$w` )RIV\:| ҫ)*gq W3ՅlVp^SR~gBZLӱ-!O[ jb<)R4к707yλx[FJ`^Ia*+]k$NOH;Sp x |2C,g(6P PgG)Y g!ECf,_EB 㛪׋k+B _qyG-gM)&"J¾x=N;`ba _T>X<4칤nNz>ʁxO5PŁ-0r z)X>]V6CV  ,w[-Vg l)v["z%hItoEȦbQ.Fe]eǼnGOG`ɒYJ&Ի^WZLo4;MܿA:҇ϕ zh(~WF͹ zIy+(G![xvPu: ͦLX z8QC]Czר;FPeul~/y` X QR+z)|E,͌s ͱ/`ðO4WTڀF&IyT:qTf]Sɓ9~0a:5d {('唀cVx3n$ L_4%.R$2ب$JR*J%@TDKqU’H[I*bc%Pm*aI$IIENDB`cbmc-4.5/doc/html-manual/counter.v0000644000175000017500000000017612045177247016723 0ustar michaelmichaelmodule top(input clk); reg [3:0] counter; initial counter=0; always @(posedge clk) counter=counter+1; endmodule cbmc-4.5/doc/html-manual/file1.c0000644000175000017500000000015312045177247016214 0ustar michaelmichaelint puts(const char *s) { } int main(int argc, char **argv) { int i; if(argc>=1) puts(argv[2]); } cbmc-4.5/doc/html-manual/modeling-nondet.shtml0000644000175000017500000000546012131474304021200 0ustar michaelmichael

CPROVER Manual TOC

Nondeterminism

Rationale

Programs typically read inputs from an environment. These inputs can take the form of data read from a file, keyboard or network socket, or arguments passed on the command line. It is usually desirable to analyze the program for any choice of these inputs. In Model Checking, inputs are therefore modeled by means of nondeterminism, which means that the value of the input is not specified. The program may follow any computation that results from any choice of inputs.

Sources of Nondeterminism

The CPROVER tools support the following sources of nondeterminism:

  • functions that read inputs from the environments;
  • the thread schedule in concurrent programs;
  • initial values of local-scoped variables and memory allocated with malloc;
  • initial values of variables that are extern in all compilation units;
  • explicit functions for generating nondeterminism.

The CPROVER tools are shipped with a number of stubs for the most commonly used library functions. When executing a statement such as getchar(), a nondeterministic value is chosen instead of reading a character from the keyboard.

When desired, nondeterminism can be introduced explicitly into the program by means of functions that begin with the prefix nondet_. As an example, the following function returns a nondeterministically chosen unsigned short int:

unsigned short int nondet_ushortint();

Note that the body of the function is not defined. The name of the function itself is irrelevant (save for the prefix), but must be unique. Also note that a nondeterministic choice is not to be confused with a probabilistic (or random) choice.

Uninterpreted Functions

It may be necessary to check parts of a program independently. Nondeterminism can be used to over-approximate the behaviour of part of the system which is not being checked. Rather than calling a complex or unrelated function, a nondeterministic stub is used. However, separate calls to the function can return different results, even for the same inputs. If the function output only depends on its inputs then this can introduce spurious errors. To avoid this problem, functions whose names begin with the prefix __CPROVER_uninterpreted_ are treated as uninterpreted functions. Their value is non-deterministic but different invocations will return the same value if their inputs are the same. Note that uninterpreted functions are not supported by all back-end solvers.

cbmc-4.5/doc/html-manual/cbmc-loops.shtml0000644000175000017500000001734612155275225020170 0ustar michaelmichael

CPROVER Manual TOC

CBMC: Bounded Model Checking for C/C++ and Java

Understanding Loop Unwinding

Iteration-based Unwinding

The basic idea of CBMC is to model the computation of the programs up to a particular depth. Technically, this is achieved by a process that essentially amounts to unwinding loops. This concept is best illustrated with a generic example:


int main(int argc, char **argv) {
  while(cond) {
    BODY CODE
  }
}

A BMC instance that will find bugs with up to 5 iterations of the loop would contain 5 copies of the loop body, and essentially corresponds to checking the following loop-free program:


int main(int argc, char **argv) {
  if(cond) {
    BODY CODE COPY 1
    if(cond) {
      BODY CODE COPY 2
      if(cond) {
        BODY CODE COPY 3
        if(cond) {
          BODY CODE COPY 4
          if(cond) {
            BODY CODE COPY 5
          }
        }
      }
    }
  }
}

Note the use of the if statement to prevent the execution of the loop body in the case that the loop ends before 5 iterations are executed. The construction above is meant to produce a program that is trace equivalent with the original programs for those traces that contain up to 5 iterations of the loop.

In many cases, CBMC is able to automatically determine an upper bound on the number of loop iterations. This may even work when the number of loop unwindings is not constant. Consider the following example:


_Bool f();

int main() {
  for(int i=0; i<100; i++) {
    if(f()) break;
  }

  assert(0);
}

One hundred iterations are obviously sufficient for the program above, but note that the loop may abort prematurely depending on the value that is returned by f(). CBMC is nevertheless able to automatically unwind the loop to completion.

This automatic detection of the unwinding bound may fail if the number of loop iterations is highly data-dependent. Furthermore, the number of iterations that are executed by any given loop may be too large or may simply be unbounded. For this case, CBMC offers the command-line option --unwind B, where B denotes a number that corresponds to the maximal number of loop unwindings CBMC performs on any loop.

Setting Separate Unwinding Limits

The setting given with --unwind is used globally, that is, for all loops in the program. In order to set individual limits for the loops, first use

  --show-loops

to obtain a list of all loops in the program. Then identify the loops you need to set a separate bound for, and note their loop ID. Then use

  --unwindset L:B,L:B,...

As an example, consider a program with two loops in the function main:

  --unwindset c::main.0:10,c::main.1:20

This sets a bound of 10 for the first loop, and a bound of 20 for the second loop.

What if the number of unwindings specified is too small? In this case, bugs that require paths that are deeper may be missed. In order to address this problem, CBMC by default inserts checks that the given unwinding bound is actually sufficiently large. These checks are called unwinding assertions. Continuing the generic example above, this unwinding assertion for a bound of 5 corresponds to checking the following loop-free program:


int main(int argc, char **argv) {
  if(cond) {
    BODY CODE COPY 1
    if(cond) {
      BODY CODE COPY 2
      if(cond) {
        BODY CODE COPY 3
        if(cond) {
          BODY CODE COPY 4
          if(cond) {
            BODY CODE COPY 5
            assert(!cond);
          }
        }
      }
    }
  }
}

The unwinding assertions can be verified just like any other generated assertion. If all of them are proven to hold, the given loop bounds are sufficient for the program. This establishes a high-level worst-case execution time (WCET). In order to disable the generation of unwinding assertions, run CBMC with the parameter

  --no-unwinding-assertions

In some cases, it is desirable to cut off very deep loops in favor of code that follows the loop. As an example, consider the following program:


int main() {
  for(int i=0; i<10000; i++) {
    BODY CODE
  }

  assert(0);
}

In the example above, small values of --unwind will prevent that the assertion is reached. If the code in the loop is considered irrelevant to the later assertion, use the option

  --partial-loops

This option will allow paths that execute loops only partially, enabling a counterexample for the assertion above even for small unwinding bounds. The disadvantage of using this option is that the resulting path may be spurious, i.e., may not exist in the original program.

Depth-based Unwinding

The loop-based unwinding bound is not always appropriate. In particular, it is often difficult to control the size of the generated formula when using the --unwind option. The option

  --depth nr

specifies an unwinding bound in terms of the number of instructions that are executed on a given path, irrespectively of the number of loop iterations. Note that CBMC uses the number of instructions in the control-flow graph as the criterion, not the number of instructions in the source code.

cbmc-4.5/doc/html-manual/gcc-wrap.c0000644000175000017500000000441612045177247016725 0ustar michaelmichaelconst char gcc[]="gcc"; #include #include #include #include #include #include #include void run(const char *what, char *const argv[]) { pid_t childpid; /* variable to store the child's pid */ int retval; /* child process: user-provided return code */ /* now create new process */ childpid = fork(); if(childpid>=0) /* fork succeeded */ { if(childpid==0) /* fork() returns 0 to the child process */ { execvp(what, argv); /* usually no return */ fprintf(stderr, "execp %s failed\n", what); exit(1); } else /* fork() returns new pid to the parent process */ { int status; /* parent process: child's exit status */ wait(&status); /* wait for child to exit, and store its status */ int code=WEXITSTATUS(status); if(code!=0) exit(code); } } else /* fork returns -1 on failure */ { perror("fork failed"); /* display error message */ exit(1); } } int main(int argc, char * argv[]) { // First do original call. // on some systems, gcc gets confused if it is not argument 0 // (which normally contains the path to the executable being called). argv[0]=strdup(gcc); run(gcc, argv); // now do preprocessing call char **new_argv=malloc(sizeof(char *)*(argc+1)); _Bool compile=0; _Bool assemble=0; _Bool next_is_o=0; unsigned i; for(i=0; i

CPROVER Manual TOC

Installing CBMC

Requirements

CBMC is available for Windows, i86 Linux, and MacOS X. CBMC requires a code pre-processing environment comprising of a suitable preprocessor and an a set of header files.

  1. Linux: the preprocessor and the header files typically come with a package called gcc, which must be installed prior to the installation of CBMC.

  2. Windows: The Windows version of CBMC requires the preprocessor cl.exe, which is part of Microsoft Visual Studio (including the free Visual Studio 2010 Express).

  3. MacOS: Install the XCode Command Line Utilities prior to installing CBMC. Just installing XCode alone is not enough.

Important note for Windows users: Visual Studio's cl.exe relies on a complex set of environment variables to identify the target architecture and the directories that contain the header files. You must run CBMC from within the Visual Studio Command Prompt.

Note that the distribution files for the Eclipse plugin include the CBMC executable. Therefore, if you intend to run CBMC exclusively within Eclipse, you can skip the installation of the CBMC executable. However, you still have to install the compiler environment as described above.

Installing the CBMC Binaries

  1. Download CBMC for your operating system. The binaries are available from http://www.cprover.org/cbmc/.
  2. Unzip/untar the archive into a directory of your choice. We recommend to add this directory to your PATH environment variable.

You are now ready to use CBMC!

Building CBMC from Source

Alternatively, the CBMC source code is available via SVN. To compile the source code, follow these instructions.

cbmc-4.5/doc/html-manual/goto-cc-visual-studio.shtml0000644000175000017500000000314512045177247022266 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

Integration into Visual Studio 2008 to 2012

Visual Studio version 2008 onwards comes with a new XML-based build system called MSBuild. The MSBuild system is also activated when triggering a build from the Visual Studio GUI. The project files created by the Visual Studio GUI are used as input by the MSBuild tool.

The MSBuild system can be used to generate goto-binaries from your Visual Studio project as follows:

  1. Install the goto-cl.exe and goto-link.exe binaries in some directory that is contained in the PATH environment variable.

  2. Add a configuration for the goto-cc build for your project in the configuration manager, named "goto-cc".

  3. Open the Visual Studio Command Prompt (in the Tools menu).

  4. Locate the directory that contains the project. Change into this directory using "CD".

  5. Type

    msbuild /p:CLToolExe=goto-cl.exe /p:LinkToolExe=goto-link.exe
       /p:Flavor=goto-cc /p:Platform=x86

    The platform can be adjusted as required; the "Flavor" given should match the configuration that was created earlier.

Note that the recent versions of goto-cc also support file names with non-ASCII (Unicode) characters on Windows platforms.

cbmc-4.5/doc/html-manual/goto-cc.shtml0000644000175000017500000001200612045177247017454 0ustar michaelmichael

CPROVER Manual TOC

Build Systems and Libraries

Integration into Build Systems with goto-cc

Existing software projects usually do not come in a single source file that may simply be passed to a model checker. They rather come in a multitude of source files in different directories and refer to external libraries and system-wide options. A build system then collects the configuration options from the system and compiles the software according to build rules.

The most prevalent build tool on Unix (-based) systems surely is the make utility. This tool uses build rules given in a Makefile that comes with the software sources. Running software verification tools on projects like these is greatly simplified by a compiler that first collects all the necessary models into a single model file. goto-cc is such a model file extractor, which can seamlessly replace gcc and cl.exe in Makefiles. The normal build system for the project may be used to build the software, but the outcome will be a model file with suitable detail for verification, as opposed to a flat executable program. Note that goto-cc comes in different variants depending on the compilation environment. These variants are described here.

Example: Building wu-ftpd

This example assumes a Unix-like machine.

  1. Download the sources of wu-ftpd from here.

  2. Unpack the sources by running tar xfz wu-ftpd-current.tar.gz

  3. Change to the source directory, by entering, e.g., cd wu-ftpd-2.6.2

  4. Configure the project for verification by running

    ./configure YACC=byacc CC=goto-cc --host=none-none-none
  5. Build the project by running make. This creates multiple model files in the src directory. Among them is a model for the main executable ftpd.

  6. Run a model-checker, e.g., CBMC, on the model file:

    cbmc src/ftpd

    CBMC automatically recognizes that the file is a goto binary.

Important Notes

More elaborate build or configuration scripts often make use of features of the compiler or the system library to detect configuration options automatically, e.g., in a configure script. Replacing gcc by goto-cc at this stage may confuse the script, or detect wrong options. For example, missing library functions do not cause goto-cc to throw an error (only to issue a warning). Because of this, configuration scripts sometimes falsely assume the availability of a system function or library.

In the case of this or similar problems, it is more advisable to configure the project using the normal routine, and replacing the compiler setting manually in the generated Makefiles, e.g., by replacing lines like CC=gcc by CC=goto-cc.

A helpful command that accomplishes this task successfully for many projects is the following:

for i in `find . -name Makefile`; do
  sed -e 's/^\(\s*CC[ \t]*=\)\(.*$\)/\1goto-cc/g' -i $i
done

Here are additional examples on how to use goto-cc:

A description of how to integrate goto-cc into Microsoft's Visual Studio is here.

Linking Libraries

Some software projects come with their own libraries; also, the goal may be to analyze a library by itself. For this purpose it is possible to use goto-cc to link multiple model files into a library of model files. An object file can then be linked against this model library. For this purpose, goto-cc also features a linker mode.

To enable this linker mode, create a link to the goto-cc binary by the name of goto-ld (Linux and Mac) or copy the goto-cc binary to goto-link.exe (Windows). The goto-ld tool can now be used as a seamless replacement for the ld tool present on most Unix (-based) systems and for the link tool on Windows.

The default linker may need to be replaced by goto-ld or goto-link.exe in the build script, which can be achieved in much the same way as replacing the compiler.

cbmc-4.5/doc/html-manual/cbmc.shtml0000644000175000017500000002764312155275225017037 0ustar michaelmichael

CPROVER Manual TOC

CBMC: Bounded Model Checking for C/C++ and Java

A Short Tutorial

First Steps

We assume you have already installed CBMC and the necessary support files on your system. If not so, please follow these instructions.

Like a compiler, CBMC takes the names of .c files as command line arguments. CBMC then translates the program and merges the function definitions from the various .c files, just like a linker. But instead of producing a binary for execution, CBMC performs symbolic simulation on the program.

As an example, consider the following simple program, named file1.c:


int puts(const char *s) { }

int main(int argc, char **argv) {
  int i;
  if(argc>=1)
    puts(argv[2]);
}

Of course, this program is faulty, as the argv array might have only one element, and then the array access argv[2] is out of bounds. Now, run CBMC as follows:

  cbmc file1.c --show-claims --bounds-check --pointer-check

The two options --bounds-check and --pointer-check instruct CBMC to look for errors related to pointers and array bounds. CBMC will print the list of properties it checks. Note that it prints a claim labeled with "array argv upper bound" together with the location of the faulty array access. As you can see, CBMC largely determines the property it needs to check itself. This is realized by means of a preliminary static analysis, which relies on computing a fixed point on various abstract domains. More detail on automatically generated properties is provided here.

Note that automatically generated claims need not necessarily correspond to bugs – these are just potential flaws. Whether one of these claims corresponds to a bug needs to be determined by further analysis.

One option for this analysis is symbolic simulation, which corresponds to a translation of the program into a formula. The formula is then combined with the property. Let's run the symbolic simulation:

  cbmc file1.c --show-vcc --bounds-check --pointer-check

With this option, CBMC performs the symbolic simulation and prints the verification conditions on the screen. A verification condition needs to be proven to be valid by a decision procedure in order to assert that the corresponding property holds. Let's run the decision procedure:

  cbmc file1.c --bounds-check --pointer-check

CBMC transforms the equation you have seen before into CNF and passes it to a SAT solver (more background on this step is in the book on Decision Procedures). CBMC can now detect that the equation is actually not valid, and thus, there is a bug in the program. It prints a counterexample trace, i.e., a program trace that ends in a state which violates the property. In our example, the program trace ends in the faulty array access. It also shows the values the input variables must have for the bug to occur. In this example, argc must be one to trigger the out-of-bounds array access. If you change the branch condition in the example to argc>=2, the bug is fixed and CBMC will report a successful verification run.

Verifying Modules

In the example above, we used a program that starts with a main function. However, CBMC is aimed at embedded software, and these kinds of programs usually have different entry points. Furthermore, CBMC is also useful for verifying program modules. Consider the following example, called file2.c:


int array[10];

int sum() {
  unsigned i, sum;

  sum=0;
  for(i=0; i<10; i++)
    sum+=array[i];
}

In order to set the entry point to the sum function, run

  cbmc file2.c --function sum

Loop Unwinding

You will note that CBMC unwinds the for loop in the program. As CBMC performs Bounded Model Checking, all loops have to have a finite upper run-time bound in order to guarantee that all bugs are found. CBMC actually checks that enough unwinding is performed. As an example, consider the program binsearch.c:


int binsearch(int x) {
  int a[16];
  signed low=0, high=16;

  while(low<high) {
    signed middle=low+((high-low)>>1);

    if(a[middle]<x)
      high=middle;
    else if(a[middle]>x)
      low=middle+1;
    else // a[middle]=x !
      return middle;
  }

  return -1;
}

If you run CBMC on this function, you will notice that the unwinding does not stop on its own. The built-in simplifier is not able to determine a run time bound for this loop. The unwinding bound has to be given as a command line argument:

  cbmc binsearch.c --function binsearch --unwind 6 --bounds-check

CBMC not only verifies the array bounds (note that this actually depends on the result of the right shift), but also checks that enough unwinding is done, i.e., it proves a run-time bound. For any lower unwinding bound, there are traces that require more loop iterations. Thus, CBMC will produce an appropriate counterexample.

Unbounded Loops

CBMC can also be used for programs with unbounded loops. In this case, CBMC is used for bug hunting only; CBMC does not attempt to find all bugs. The following program (lock-example.c) is an example of a program with a user-specified property:


_Bool nondet_bool();
_Bool LOCK = 0;

_Bool lock() {
  if(nondet_bool()) {
    assert(!LOCK);
    LOCK=1;
    return 1; }

  return 0;
}

void unlock() {
  assert(LOCK);
  LOCK=0;
}

int main() {
  unsigned got_lock = 0;
  int times;

  while(times > 0) {
    if(lock()) {
      got_lock++;
      /* critical section */
    }

    if(got_lock!=0)
      unlock();

    got_lock--;
    times--;
} }

The while loop in the main function has no (useful) run-time bound. Thus, a bound has to be set on the amount of unwinding that CBMC performs. There are two ways to do so:

  1. The --unwind command-line parameter can to be used to limit the number of times loops are unwound.
  2. The --depth command-line parameter can be used to limit the number of program steps to be processed.

CBMC can assert whether the arugment to --unwind is large enough to cover all program paths. If the argument is too small, CBMC will detect that not enough unwinding is done and aborts with an unwinding assertion violation. In order to disable this test, run CBMC with the parameter

  --no-unwinding-assertions

Reconsider the example. For a loop unwinding bound of one, no bug is found. But already for a bound of two, CBMC detects a trace that violates an assertion. Without unwinding assertions, or when using the --depth command line switch, CBMC does not prove the program correct, but it can be helpful to find program bugs. The various command line options that CBMC offers for loop unwinding are described in the section on understanding loop unwinding.

A Note About Compilers and the ANSI-C Library

Most C programs make use of functions provided by a library; instances are functions from the standard ANSI-C library such as malloc or printf. The verification of programs that use such functions has two requirements:

  1. Appropriate header files have to be provided. These header files contain declarations of the functions that are to be used.
  2. Appropriate definitions have to be provided.

Most C compilers come with header files for the ANSI-C library functions. We briefly discuss how to obtain/install these library files.

Linux

Linux systems that are able to compile software are usually equipped with the appropriate header files. Consult the documentation of your distribution on how to install the compiler and the header files. First try to compile some significant program before attempting to verify it.

Windows

On Microsoft Windows, CBMC is pre-configured to use the compiler shipped with Microsoft's Visual Studio. Visual Studio Express is sufficient, and is available for download for free from the Microsoft webpage. Visual Studio installs the usual set of header files together with the compiler. However, Visual Studio requires a large set of environment variables for the compiler to function correctly. It is therefore required to run CBMC from the Visual Studio Command Prompt, which can be found in the menu Visual Studio Tools.

Note that in both cases, only header files are available. CBMC only comes with a small set of definitions, which includes functions such as malloc. Detailed information about the built-in definitions is here.

Command Line Interface

This section describes the command line interface of CBMC. Like a C compiler, CBMC takes the names of the .c source files as arguments. Additional options allow to customize the behavior of CBMC. Use cbmc --help to get a full list of the available options.

Structured output can be obtained from CBMC using the option --xml-ui. Any output from CBMC (e.g., counterexamples) will then use an XML representation.

cbmc-4.5/doc/html-manual/header.inc0000644000175000017500000000106012045177247016771 0ustar michaelmichael CPROVER Manual