1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
ISBN Chapter 3 Describing Syntax and Semantics.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 1 Software Model Checking via Iterative Abstraction Refinement.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
A Type System for Expressive Security Policies David Walker Cornell University.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Describing Syntax and Semantics
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
CS 363 Comparative Programming Languages Semantics.
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.
Reasoning about programs March CSE 403, Winter 2011, Brun.
ISBN Chapter 3 Describing Semantics.
Ch. 13 Ch. 131 jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes?) Dr. Carter Tiernan.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
1 Contractual Consistency Between BON Static and Dynamic Diagrams Ali Taleghani July 30, 2004.
1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from
1 Proving program termination Lecture 5 · February 4 th, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Array Size Arrays use static allocation of space. That is, when the array is created, we must specify the size of the array, e.g., int[] grades = new int[100];
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Reasoning about code CSE 331 University of Washington.
Programming Languages 2nd edition Tucker and Noonan
Hoare-style program verification
Java Modeling Language (JML)
The Zoo of Software Security Techniques
Gradual Verification Seamlessly and flexibly combine static and dynamic verification by drawing on the general principles from abstract interpretation.
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs

2 Software Reliability Testing –dominant methodology –costly –test coverage problem Static checking –combats test coverage by considering all paths –Type systems –very effective for certain type errors –Extended Static Checking –targets errors missed by type systems

3 Extended Static Checking Targets errors not caught by type system –array bounds errors –division by zero –null dereference –assertions –API usage rules don’t write to a closed file don’t acquire a lock you already hold –method preconditions, postconditions –object invariants

4 ESC/Java Example class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } } invariant den != 0; requires d != 0; Warning: possible division by zero Warning: invariant possibly not established Warning: precondition possibly not established

5 ESC/Java Experience Tested on 40+ KLOC (Java front end, web crawler,...) Finds software defects! Useful educational tool Annotation cost significant –100 annotations per KLOC –3 programmer-hours per KLOC Annotation overhead significantly limits widespread use of extended static checking Why do we need these annotations?

6 ESC/Java Architecture The translator “understands” the semantics of Java. An error condition is a logical formula that, ideally, is satisfiable if and only if the program contains an error. The satisfiability checker is invisible to users. Satisfying assignments are turned into precise warning messages. ESC/Java Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages Index out of bounds on line 218 Method does not preserve object invariant on line 223

7 Generating Error Conditions Error condition ( x =0) )  (  (x =0) ) Code if (x < 0) { x := -x; } assert x >= 0; Source code translated into error condition Error condition should be satisfiable if code may fail an assertion p = q  f’ = store(f, p, 3)  select(f’, q) = 0 p := q; p.f := 3; assert q.f != 0;

8 Error Condition Logic terms t ::= x | f(t) constraints c ::= p(t) formulae e ::= c |  c | e  e | e  e |  y. e theories of equality, linear arithmetic, select+store some heuristics for universal quantification logic cannot express iteration or recursion

9 ESC/Java Architecture The translator uses specifications to “translate away” procedure calls The error condition is expressed in first-order logic with theories; it cannot express recursion Indicates: Bad program Bad specification Insufficient spec ESC/Java Program + procedure specifications Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages Method does not establish postcondition Index out of bounds on line 218

10 Verifun Checker “Annotation-free” Extended Static Checker Statically check assertions, API usage rules,... No need for annotations –no loop invariants –no procedure specifications Uses extended logic that can encode recursion

11 Query: Given d, is e satisfiable? Constraint Logic Programming –[Jaffar and Lassez, POPL’87] –Efficient implementations! Error Condition Logic terms t ::= x | f(t) constraints c ::= p(t) formulae e ::= c |  c | e  e | e  e |  y. e theories for equality, linear arithmetic, select+store | r(t) user-defined relation symbols r definitions d ::= r(x) :- e

12 Error Conditions in CLP int fact(int i) { if (i == 0) return 1; int t = fact(i-1); assert t > 0; return i*t; } Emain() :- Efact(j) void main() { int j = readInt(); fact(j); } Tfact(i, r) :- ( i = 0  r = 1)  ( i != 0  Tfact(i-1,t)  t>0  r=i*t ) Efact(i) :- i != 0  ( Efact(i-1)  (Tfact(i-1, t)  t <= 0 )) Transfer relation Tfact(pre-state,post-state) relates pre and post states of executions of fact Error relation Efact(pre-state) describes pre-states from which fact may go wrong CLP has least fixpoint semantics CLP Query: Is Emain() satisfiable?

13 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Efficient implementations –Sicstus Prolog (depth-first)

14 Rational Example class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } }

15 Error Condition for Rational in CLP t_rat(AllocPtr, Num, Den, N, D, This, AllocPtrp, Nump, Denp) :- AllocPtrp is AllocPtr+1, This = AllocPtrp, aset(This,Den,D,Denp), aset(This,Num,N,Nump). t_readInt(R). e_trunc(This, Num, Den) :- aref(This,Den,D), {D = 0}. e_loop(I, This, Num, Den) :- e_trunc(This, Num, Den). e_loop(I, This, Num, Den) :- {I<10000, Ip=I+1}, e_loop(Ip,This, Num, Den). e_main :- AllocPtr = 0, ;; no objs allocated new_array(Num), ;; initialise arrays encoding fields Num new_array(Den), ;; and Den t_readInt(D), t_readInt(N), {D =\= 0}, t_rat(AllocPtr, Num, Den, D, N, This, AllocPtrp, Nump, Denp), e_loop(0, This, Nump, Denp).

16 Checking Rational with CLP Get error condition, a constraint-logic program Feed into CLP implementation (SICStus Prolog) –explicitly explores all paths through EC –symbolically considers all data values, eg, for n,d using theory of linear arithmetic –quickly finds that the EC is satisfiable –gives satisfying derivation for EC –can convert to program execution trace that crashes with division-by-zero error

17 Checking Factorial with CLP Feed EC into CLP implementation (SICStus Prolog) –explicitly explores all paths through EC –infinitely many paths –all paths are ok –CLP implementation diverges! Can modify error condition to bound recursion depth Automatic bounded model checking for software –efficient symbolic analysis for linear arithmetic,...

18 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Predicate abstraction & counter-example driven predicate refinement –SLAM, BLAST Efficient implementations –Sicstus Prolog (depth-first) –Tableau methods –Subsumption CLP implementation technique –Avoids considering all paths –Verifun CLP satisfiability checker under development

19 Verifun Architecture Uses predicate abstraction and counter-example driven predicate refinement to check satisfiability of EC, without exploring all paths Error message includes an execution trace that violates desired correctness property. Verifun Program (without annotations) Translator Error condition (CLP) Satisfiability Checker for CLP Satisfying CLP derivation Post-processor Error trace

20 Unit of Development Programmers work on “unit of development” Interfaces between such units must be specified –reasonable to make specifications formal Use Verifun to check unit of development with respect to its specification

21 Related Work Program checking –Stanford Pascal Verifier –ESC/M3, ESC/Java –SLAM, BLAST –(many, many non-EC approaches) Automatic theorem proving –Simplify, SVC, CVC Constraint Logic Programming –[Jaffar and Lassez, POPL’87], SICStus Prolog, …

22 Summary Deep connection between –correctness of imperative programs with pointers, heap allocation, aliasing,... –satisfiability of CLP queries Verifun Checker –annotation-free extended static checker –statically check assertions, API usage rules,... –interprocedural ECs are constraint logic programs.

23 The End

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.