1 / 23 Making Bounded Model Checking Interprocedural in (Static Analysis) Style Daniil Stepanov, Marat Akhin, and Mikhail Belyaev Saint Petersburg Polytechnic University, Russia Jetbrains Research, Russia Novemver 9, 2019

2 / 23 Static analysis Static program analysis is the analysis of computer software which is performed without actually executing programs

3 / 23 Interprocedural analysis One of the hardest problems in BMC is interprocedural analysis Standard approach is function inlining An alternative to function inlining is context-sensitive analyses

4 / 23 Related work Craig interpolant for an inconsistent pair of formulas (B, Q) is a formula I such that: • B → I • (I, Q) is also an inconsistent pair of formulae • I contains only uninterpreted symbols common to B and Q External specications • specialized annotation comments • embedded domain-specic language (DSL) • external DSL Another tools: • Saturn - function summaries

5 / 23 Bounded model checking algorithm

6 / 23 Verication example Program: int x; int y=8,z=0,w=0; if (x) z = y - 1; else w = y + 1; assert (z == 7 || w == 9) Constraints: y = 8, z = x ? y -1 : 0, w = x ? 0 : y + 1, z != 7, w != 9 UNSAT. Assert always true

7 / 23 Verication example Program: int x; int y=8,z=0,w=0; if (x) z = y - 1; else w = y + 1; assert (z == 5 || w == 9) Constraints: y = 8, z = x ? y -1 : 0, w = x ? 0 : y + 1, z != 5, w != 9 SAT. Program contains a bug Counterexample: y = 8, x = 1, w = 0, z = 7

8 / 23 Borealis

9 / 23 Program representation

10 / 23 Problem void print_element(int* arr , int num){ printf("arr=%i\n", arr[num]); // Check } void print_next_element(int* arr , int num){ print_element(arr , num + 1); } int main(int argc , char* argv []) { int a[] = {1, 2, 3}; print_element(a, 0); print_next_element(a, 0); return 0; }

11 / 23 Solution Call graph traversal Extraction of information which aects variables from security properties Combining of extracted information

12 / 23 Call graph for program example void print_element(int* arr , int num){ printf("arr=%i\n", arr[num]); } void print_next_element(int* arr , int num){ print_element(arr , num + 1); } int main(int argc , char* argv []) { int a[] = {1, 2, 3}; print_element(a, 0); print_next_element(a, 0); return 0; }

13 / 23 Collect phase Given a function F and its safety property Q, we collecting argument-specic information, which is relevant to Q, from all call sites of F Slicing function w.r.t current query Dealing with recursion Handling of nested calls

14 / 23 Nested call inuence example int get_next_index(int a) { return a + 1; } void print_element(int* arr , int num) { printf("arr=%i\n", arr[num]); } void print_next_element(int* arr , int num) { int idx = get_next_index(num); print_element(arr , idx); } int main(int argc , char* argv []) { int a[] = {1, 2, 3}; print_element(a, 0); print_next_element(a, 0); return 0; }

15 / 23 Merging information void print_element(int* arr , int num){ printf("arr=%i\n", arr[num]); // Check } int main(int argc , char* argv []) { int a[] = {1, 2, 3}; print_element(a, 0); return 0; } Equality predicates at junctions arr = a; num = 0

16 / 23 Resulting PS for example int get_next_index(int a) { return a + 1; } void print_element(int* arr , int num) { printf("arr=%i\n", arr[num]); } void print_next_element(int* arr , int num) { int idx = get_next_index(num); print_element(arr , idx); } int main(int argc , char* argv []) { int a[] = {1, 2, 3}; print_element(a, 0); print_next_element(a, 0); return 0; } main_ %0= alloca (3,(3 * 1)), @I arraydecay1=gep[inbounds ](main_ %0 ,0+0+0), print_next_element_num =0 print_next_element_arr=arraydecay1 )->( @I next_index =( print_next_element_num + 1), print_next_element_call=next_index )->( num=print_next_element_call arr=print_next_element_arr )->( @I idxprom=cast(+ Integer (64), num), @I arrayidx=gep(arr ,0+ idxprom))

17 / 23 Combining phase PS corresponds to a formula of the form P0 ∨ P1 ∨ . . . ∨ Pn Pi - distinct calling context For PS we have to create synthetic variable free_var

18 / 23 Resulting PS example (BEGIN ( @P free_var =0 )->( main_ %0= alloca (3,(3 * 1)), @I main_arraydecay=gep[inbounds ]( main_ %0 ,0+0+0), num=0 arr=main_arraydecay )->( @I idxprom=cast(+ Integer (64), num), @I arrayidx=gep(arr ,0+ idxprom) ), ( @P free_var =1 )->( main_ %0= alloca (3,(3 * 1)), @I main_arraydecay1=gep[inbounds ]( main_ %0 ,0+0+0), print_next_element_num =0 print_next_element_arr=main_arraydecay1 )->( @I get_next_index_add =( print_next_element_num + 1), print_next_element_call=get_next_index_add )->( num=print_next_element_call arr=print_next_element_arr )->( @I idxprom=cast(+ Integer (64), num), @I arrayidx=gep(arr ,0+ idxprom) ) END)

19 / 23 Processing to solver There are 2 equivalent ways of processing it via an SMT solver As one large formula Each small disjunct separately

20 / 23 Testing We tested the prototype in the following congurations: Basic intraprocedural BMC (intra) BMC with full inlining (inline) Our interprocedural BMC approach (inter)

21 / 23 Testing

22 / 23 Conclusion Our main takeaways are as follows: Interprocedural analysis is a bottleneck for BMC The speed of the algorithm depends not so much on the size of the project as the complexity of its internal connections

23 / 23 Contact information {stepanov, akhin, belyaev}@kspt.icc.spbstu.ru Borealis repository: https://bitbucket.org/vorpal-research/borealis