Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Slides:



Advertisements
Similar presentations
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Advertisements

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Abstraction of Source Code (from Bandera lectures and talks)
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center.
Client and Server Verification for Web Services Using Interface Grammars Graham Huges, Tevfik Bultan, Muath Alkhalaf Department of Computer Science University.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu, October, 2001 Thesis Committee: Matthew Dwyer, Major Advisor David.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Using Model-Checking to Debug Device Firmware Sanjeev Kumar Microprocessor Research Labs, Intel Kai Li Princeton University.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
Verification of Java Programs using Symbolic Execution and Loop Invariant Generation Corina Pasareanu (Kestrel Technology LLC) Willem Visser (RIACS/USRA)
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
CS527 Topics in Software Engineering (Software Testing and Analysis) Darko Marinov September 9, 2010.
Bandera: Extracting Finite-state Models from Java Source Code James Corbett Matthew Dwyer John Hatcliff Shawn Laubach Corina Pasareanu Robby Hongjun Zheng.
Finding Feasible Counter-examples when Model Checking Abstracted Java Programs Corina S. Pasareanu, Matthew B. Dwyer (Kansas State University) and Willem.
1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.
CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.
Page 1 5/2/2007  Kestrel Technology LLC A Tutorial on Abstract Interpretation as the Theoretical Foundation of CodeHawk  Arnaud Venet Kestrel Technology.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
jFuzz – Java based Whitebox Fuzzing
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
Tool-supported Program Abstraction for Finite-state Verification Matthew Dwyer 1, John Hatcliff 1, Corina Pasareanu 1, Robby 1, Roby Joehanes 1, Shawn.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Concrete Model Checking with Abstract Matching and Refinement Corina Păsăreanu QSS, NASA Ames Research Center Radek Pelánek Masaryk University, Brno, Czech.
Tool-supported Program Abstraction for Finite-state Verification Matthew Dwyer 1, John Hatcliff 1, Corina Pasareanu 1, Robby 1, Roby Joehanes 1, Shawn.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
24 September 2002© Willem Visser Program Model Checking Enabling Technology Abstraction void add(Object o) { buffer[head] = o; head = (head+1)%size;
Abstraction and Abstract Interpretation. Abstraction (a simplified view) Abstraction is an effective tool in verification Given a transition system, we.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova.
Formal methods: Lecture
Types for Programs and Proofs
Model Checking Java Programs (Java PathFinder)
Abstraction of Source Code
Abstraction Data type based abstractions
runtime verification Brief Overview Grigore Rosu
Specifying Multithreaded Java semantics for Program Verification
Over-Approximating Boolean Programs with Unbounded Thread Creation
Automatic Test Generation SymCrete
A Refinement Calculus for Promela
Abstraction, Verification & Refinement
Predicate Abstraction
Presentation transcript:

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center

Outline Bandera Project (Kansas Sate University): –Tool Support for Program Abstraction and Abstract Counter-example Analysis (joint work with the Bandera team) NASA Ames Projects: –Combining Symbolic Execution with (Explicit State) Model Checking (joint work with Willem Visser) –Assumption Generation for Component Verification (joint work with Dimitra Giannakopoulou and Howard Barringer)

Outline Bandera Project (Kansas Sate University): –Tool Support for Program Abstraction and Abstract Counter-example Analysis NASA Ames Projects: –Combining Symbolic Execution with (Explicit State) Model Checking –Assumption Generation for Component Verification

Finite-state Verification OK Finite-state system Specification Verification tool  or Error trace Line 5: … Line 12: … Line 15:… Line 21:… Line 25:… Line 27:… … Line 41:… Line 47:…

Finite-State Verification Effective for analyzing properties of hardware systems Widespread success and adoption in industry Recent years have seen many efforts to apply those techniques to software Limited success due to the enormous state spaces associated with most software systems

Abstraction: the key to scaling up Original system symbolic state Abstract system represents a set of states abstraction Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system

Goals of our work … Develop multiple forms of tool support for abstraction that is… … applicable to program source code … largely automated … usable by non-experts Evaluate the effectiveness of this tool support through… … implementation in the Bandera toolset … application to real multi-threaded Java programs

Data Type Abstraction int x = 0; if (x == 0) x = x + 1; Data domains (n<0) : NEG (n==0): ZERO (n>0) : POS Signs NEGPOSZERO int Code Signs x = ZERO; if (Signs.eq(x,ZERO)) x = Signs.add(x,POS); Collapses data domains via abstract interpretation:

Abstraction in Bandera Abstraction Library Variable Concrete Type Abstract Type Inferred Type Object x y done count o b int bool Buffer int …. Signs int bool …. Point Buffer Program Abstract Code Generator Abstracted Program BASL Compiler Bandera Abstraction Specification Language Abstraction Definition PVS

Definition of Abstractions in BASL abstraction Signs abstracts int begin TOKENS = { NEG, ZERO, POS }; abstract(n) begin n {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end operator + add begin (NEG, NEG) -> {NEG} ; (NEG, ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS, ZERO) -> {POS} ; (POS, POS) -> {POS} ; (_,_) -> {NEG,ZERO,POS}; /* case (POS,NEG),(NEG,POS) */ end Automatic Generation Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2) Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2) Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2) Proof obligations submitted to PVS... Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}

Compiling BASL Definitions abstraction Signs abstracts int begin TOKENS = { NEG, ZERO, POS }; abstract(n) begin n {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end operator + add begin (NEG, NEG) -> {NEG} ; (NEG, ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS, ZERO) -> {POS} ; (POS, POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abs(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; } public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ } Compiled

Abstract Counter-example Analysis Example: x = -2; if(x + 2 == 0) then... x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then... {NEG,ZERO,POS} For an abstracted program, a counter-example may be infeasible because: –Over-approximation introduced by abstraction

Our Solutions Choice-bounded State Space Search –“on-the-fly”, during model checking Abstract Counter-example Guided Concrete Simulation –Exploit implementations of abstractions for Java programs –Effective in practice –Implemented in Java PathFinder tool

“Choose”-free state space search Theorem [Saidi:SAS’00] Every path in the abstracted program where all assignments are deterministic is a path in the concrete program. Bias the model checker –to look only at paths that do not include instructions that introduce non-determinism JPF model checker modified –to detect non-deterministic choice (i.e. calls to Bandera.choose()); backtrack from those points

Choice-bounded Search choose() X X Detectable Violation Undetectable Violation State space searched

Counter-example guided simulation (?) Use abstract counter-example to guide simulation of concrete program Why it works: –Correspondence between concrete and abstracted program –Unique initial concrete state (Java defines default initial values for all data)

Case Study: DEOS Kernel (NASA Ames) Honeywell Dynamic Enforcement Operating System (DEOS) –A real time operating system for integrated modular avionics –Non-trivial concurrent program (1433 lines of code, 20 classes, 6 threads) –Written in C++, translated into Java and Promela –With a known bug Verification of the system exhausted 4 Gigabytes of memory without completion; abstraction needed Abstracted using data type abstraction Checked using JPF and SPIN Defect detected using choice-bounded search

Conclusion and Future Research Directions Tool support for abstraction enables verification of real properties of real programs Extend abstraction support for objects –Heap abstractions to handle an unbounded number of dynamically allocated objects –Handle recursive procedures, unbounded number of processes Extend automation –For selection and refinement based on counter- example analysis

Outline Bandera Project (Kansas Sate University): –Tool Support for Program Abstraction and Abstract Counter-example Analysis NASA Ames Projects: –Combining Symbolic Execution with (Explicit State) Model Checking –Assumption Generation for Component Verification

Java Path Finder (NASA Ames) Model checker for Java programs Built on top of a custom made Java Virtual Machine Checks for deadlock and violation of assertions; LTL properties Support for abstraction: –Predicate abstraction –Bandera’s data abstraction Heuristic search

Symbolic Execution void test(int n){ [1] if (n > 0) { [2] n = n + 1; [3] if (n < 3) [4]... } [5]... } Code Uses “symbolic names” to represent program inputs 1 n:S PC:true 3 n:S+1 PC:S>0 2 n:S PC:S>0 5 n:S PC:S<= n:S+1 PC:S>0 & S+1>=3 4 n:S+1 PC:S>0 & S+1<3... Symbolic execution tree (PC=“path condition”)

Symbolic Execution and JPF: Applications Extends JPF with a new form of abstraction Test case generation Abstract counter-example analysis and refinement Symbolic execution of multithreaded programs Parameter synthesis …

Implementation in JPF Easy: –Uses Bandera’s type abstraction –Uses Omega library (Java version) Manipulates sets of linear constraints over integer variables Can be used as a “symbolic execution tool with backtracking” Good for finding counter-examples No state matching!

(Possible) Implementation void test(int n) { if (n > 0) { n = n + 1;... } public class SymVal { public SymVal() {... } public SymVal(int n) {... } public SymVal(SymVal s1, SymVal s2, String ops) {... }... } public class SymOps { public SymVal add(SymVal s1, SymVal s2){ return new SymVal(s1,s2,’+’); } public bool gt(SymVal s1, SymVal s2) { bool result = Verify.chooseBool(); if(result) { // “true” PC.addCondition(s1,s2,’>’); } else { // “false” PC.addCondition(s1,s2,’<=‘); } PC.simplify(); return result; }... } Code PathCondition PC; // =“true” void test(SymVal n) { n = new SymVal(); if(SymOps.gt(n,new SymVal(0)){ n=SymOps.add(n,new SymVal(1));... }

Problem: Convergence Symbolic execution tree void test(int n) { [1] int x = 0; [2] while(x < n) [3] x = x + 1; [4] } Code 1 n:S PC:true 2 n:S,x:0 PC:true 2 n:S,x:1 PC:0<S 4 n:S,x:1 PC:0 =S 3 n:S,x:1 PC:0<S & 1<S 3 n:S,x:0 PC:0<S 4 n:S,x:0 PC:0>=S....

Problem: Convergence Limit the search depth of MC Unwind loops a fixed number of times (similar to Bounded MC?) Discover “simple and practical” widening techniques Acceleration techniques Heuristics? Combine with “predicate abstraction” … Solutions?

Relation to Bounded MC Extend BMC with symbolic variables? Widening for C programs? …

Outline Bandera Project (Kansas Sate University): –Tool Support for Program Abstraction and Abstract Counter-example Analysis NASA Ames Projects: –Combining Symbolic Execution with (Explicit State) Model Checking –Assumption Generation for Component Verification

Assumption Generation for Component Verification Problem: Component Environment Property ? Environment Assumption ? The “weakest” assumption A for component C: for all environments E, E |= A  E || C |= P

Applications Support for modular verification –Compositional verification –Property decomposition Run-time monitoring of the environment Component retrieval Sub-module construction …

Implementation In Labeled Transition Systems Analyzer (LTSA) tool - Imperial college –Supports compositional reachability analysis based on software architecture –Incremental system design and verification: Component abstraction (hiding of internal actions) Minimization wrt. observational equivalence –Both components and properties expressed as labeled transition systems

Interface actions E.acquire E.release W.acquire Mutex: Example: A System and A Property W.acquire W.release W.enterCS W.exitCS Writer: E.enterCS E.exitCS W.enterCS W.exitCS Mutual Exclusion Property: || W.enterCS E.enterCS E.exitCS W.exitCS E.exitCS W.enterCS W.exitCS E.enterCS ||

Assumption Generation Step 1: composition, hiding of internal actions and minimization Step 2: backward reachability with error state Step 3: property extraction (sub-set construction and completion) Property true! (all environments) Property false! (all environments) Assumption

Composite System E.enterCS E.exitCS E.acquire E.release E.exitCS E.release E.enterCS E.exitCS E.enterCS  E.release

Backward Error Propagation (with  ) E.enterCS E.exitCS E.acquire E.release E.exitCS E.release E.enterCS E.exitCS E.enterCS  E.release

Backward Error Propagation (with  ) E.enterCS E.release E.exitCS E.release E.enterCS E.exitCS E.enterCS E.release

Property Extraction E.acquire E.release E.enterCS E.exitCS E.enterCS E.release E.exitCS E.enterCS E.exitCS E.acquire E.release E.acquire E.acquire, E.release E.enterCS, E.exitCS

Generated Assumption E.acquire E.release E.enterCS E.exitCS E.acquire E.release E.acquire E.acquire, E.release E.enterCS, E.exitCS

Directions for Future Work Liveness /fairness Extend to other frameworks –LTL checking (since we are interested only in error behaviors) Is the sub-set construction needed? Study other forms of composition …

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.