Thomas Ball Sriram K. Rajamani


Checking API Usage
  Application  -->  API (C lib | DLL | COM | …)
  Does an application follow the “proper usage” rules of an API?

One Application: W2k Device Drivers
  Device Driver  -->  NT Kernel IO Manager API
  Does a device driver acquire and release spin locks properly?

Device Drivers and SLAM
  Device Driver  -->  IO Manager Interface, checked against API Rules (SLIC)

State Machine For Locking
  States: Unlocked, Locked, Error
  Unlocked -L-> Locked, Locked -U-> Unlocked; Locked -L-> Error, Unlocked -U-> Error (L = Lock.call, U = UnLock.call)
  SLIC rule:
    state { int locked = 0; }
    Lock.call   { if (locked==1) abort; else locked = 1; }
    UnLock.call { if (locked==0) abort; else locked = 0; }

Demo

State Machine For Irp Handling
  States: init, pending, complete, Error
  init -IoMarkIrpPending-> pending;   pending  -return: status != STATUS_PENDING-> Error
  init -IoCompleteRequest-> complete; complete -return: status == STATUS_PENDING-> Error

IRP Complete/Pending Rule
  state { enum {Init, Complete, Pending} s = Init; }
  IoCompleteRequest.call {
    if (s != Init) abort; else s = Complete;
  }
  IoMarkIrpPending.call {
    if (s != Init) abort; else s = Pending;
  }
  Dispatch.exit {
    if (s == Complete) {
      if ($return == STATUS_PENDING) abort;
    } else if (s == Pending) {
      if ($return != STATUS_PENDING) abort;
    }
  }

Goal: Run the state machine through all paths in the program
  Problem: Too many paths!   Solution: State-based search
  Problem: False alarms!     Solution: Better abstraction

False alarm
  do {
    KeAcquireSpinLock();
    nPacketsOld = nPackets;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock();

False alarm, refined: the boolean variable b tracks the predicate nPacketsOld == nPackets
  do {
    KeAcquireSpinLock();
    nPacketsOld = nPackets;
    b := true;
    if (request) {
      request = request->Next;
      KeReleaseSpinLock();
      nPackets++;
      b := b ? false : *;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock();
  The slide annotates b at every point after b := true, and !b after nPackets++: the branch that released the lock always loops back to acquire it again, and the branch that kept the lock always exits to the final release, so neither double-acquire nor double-release path survives the refinement.

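The state-based search on the refined loop, as an added illustration that is not the slides' or SLAM's code: a hand-translated boolean program for the loop above (the locking rule's state plus b), explored by explicit breadth-first search rather than bebop's BDDs. The program-point numbering and the encoding of an untracked b as None are assumptions of this example; it returns the path bebop would hand to newton when the rule can abort.

```python
from collections import deque

# Hand-translated boolean program for the loop above (program points are this example's
# own numbering). State = (pc, locked, b): locked is the SLIC locking rule's state,
# b abstracts the predicate nPacketsOld == nPackets (None when the predicate is untracked).
#   0: KeAcquireSpinLock   1: nPacketsOld = nPackets; b := true   2: if (request)
#   3: KeReleaseSpinLock   4: nPackets++; b := b ? false : *      5: while (nPackets != nPacketsOld)
#   6: KeReleaseSpinLock   7: done
ERROR = "ERROR"

def step(state, with_b):
    """Abstract successors of one state; ERROR when the locking rule would abort."""
    pc, locked, b = state
    if pc == 0:
        return {ERROR} if locked else {(1, 1, b)}
    if pc == 1:
        return {(2, locked, True if with_b else None)}
    if pc == 2:                       # request is not a predicate: both branches are possible
        return {(3, locked, b), (5, locked, b)}
    if pc == 3:
        return {ERROR} if not locked else {(4, 0, b)}
    if pc == 4:                       # b := b ? false : *
        if not with_b:
            return {(5, locked, None)}
        return {(5, locked, False)} if b else {(5, locked, True), (5, locked, False)}
    if pc == 5:                       # the loop continues exactly when !(nPacketsOld == nPackets)
        if b is True:
            return {(6, locked, b)}
        if b is False:
            return {(0, locked, b)}
        return {(6, locked, b), (0, locked, b)}
    if pc == 6:
        return {ERROR} if not locked else {(7, 0, b)}
    return set()

def error_path(with_b):
    """Explicit-state reachability: the program-point path to ERROR, or None if unreachable."""
    start = (0, 0, None)
    parent, work = {start: None}, deque([start])
    while work:
        cur = work.popleft()
        for nxt in step(cur, with_b):
            if nxt == ERROR:
                path, s = [], cur
                while s is not None:
                    path.append(s[0])
                    s = parent[s]
                return path[::-1]
            if nxt not in parent:
                parent[nxt] = cur
                work.append(nxt)
    return None
```

Without b the search reports the infeasible skip-the-branch-then-loop path (a second KeAcquireSpinLock); with b no abort is reachable.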

SLAM tool flow
  C program + Spec. (SLIC) --> c2bp --> Boolean program --> bebop --> Pass, or Fail with path p
  Fail, p --> newton --> new predicates --> c2bp (refine and repeat)
  Supporting components: GOLF (CFG + VFG), Error GUI

Key Ideas
- Inexpensive whole program analysis (GOLF)
- Local abstraction step to produce an abstraction for the property of interest (c2bp)
- State-based search on the abstraction (bebop)
- Automated refinement of abstractions (newton)

Bebop
- Performs reachability analysis of boolean programs
- Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis
- Explicit representation of control flow
- Implicit representation of reachable states via BDDs
- Complexity of algorithm is O(|E| * 2^n)
    E = size of interprocedural control flow graph
    n = max. number of variables in the scope of any label

c2bp: Automatic Predicate Abstraction of C
- What is the predicate language? Pure C boolean expressions
- Input: a C program P and set of predicates E
- Output: a boolean program c2bp(P,E) that is
    a sound abstraction of P
    a precise abstraction of P
- Difficulties: procedures, pointers

C2bp Philosophy
- Computing a precise Boolean abstraction is
    too expensive
    unnecessary for C (deterministic concrete semantics)
- Exploit ideas from program analysis and symbolic model checking
    Off-line computation of abstract transfer function
    Attribute (predicate) independence
    Disjunctive completion
    Focus operation
    Static partitioning of states by control points
    Implicit representation of stack in boolean program

c2bp(P,E)
  Statement in P:        s : nPackets = nPackets+1;
  Predicates in E:       e : (nPacketsOld==nPackets)
  Weakest Precondition:  pre(s,e): nPacketsOld==nPackets+1
  Strengthened WP:       F(pre(s,e)): false

c2bp(P,E)
  Statement in P:        s : nPackets = nPackets+1;
  Predicates in E:       e : (nPacketsOld==nPackets)
  Weakest Precondition:  pre(s,!e): !(nPacketsOld==nPackets+1)
  Strengthened WP:       F(pre(s,!e)): e

c2bp(P,E)
  bool choose(bool pos, bool neg) =
    true   if pos=true
    false  if neg=true
    *      if pos=neg=false
  choose not well defined for pos=neg=true
  In general, given statement s and predicates { e1,…, en }:
    {e1},…,{en} := choose(F(pre(s,e1)), F(pre(s,!e1))),
                   …,
                   choose(F(pre(s,en)), F(pre(s,!en)));
  Cost: O(2n * 2^n) theorem prover queries in the worst case, O(2n * n^c) in practice
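The strengthening F and choose() worked for the slides' statement s and predicate e, as an added Python illustration (not c2bp's code), generalized to any number of predicates: exhaustive evaluation over small integer values stands in for the theorem prover (a constructed assumption), and F(phi) is computed as the set of predicate cubes that imply phi.

```python
from itertools import product

# Constructed stand-in for the theorem prover: predicates and statements are evaluated
# exhaustively over small integer values instead of being sent to Simplify or Vampyre.
DOMAIN = range(-4, 5)
VARS = ("nPackets", "nPacketsOld")

def all_envs():
    for vals in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, vals))

def implies(phi, psi):
    return all(psi(env) for env in all_envs() if phi(env))

def wp(stmt, phi):
    """pre(s, phi) for a deterministic statement: phi holds in the state after s."""
    return lambda env: phi(stmt(env))

def cubes(preds):
    """Every conjunction of literals over the predicate set, keyed by its bit vector."""
    for bits in product((True, False), repeat=len(preds)):
        yield bits, (lambda env, bits=bits: all(p(env) == b for p, b in zip(preds, bits)))

def strengthen(preds, phi):
    """F(phi): the cubes that imply phi; their disjunction is the strongest boolean
    combination of the predicates that still implies phi (empty set = false)."""
    return {bits for bits, cube in cubes(preds) if implies(cube, phi)}

def choose(pos, neg):
    """The slide's choose(): true if pos, false if neg, otherwise unknown (*)."""
    return True if pos else False if neg else "*"

def abstract_assignment(stmt, preds):
    """c2bp transfer for an assignment: for each abstract state (one bit per predicate)
    the new value of every predicate, i.e. {e_i} := choose(F(pre(s,e_i)), F(pre(s,!e_i)))."""
    f_pos = [strengthen(preds, wp(stmt, p)) for p in preds]
    f_neg = [strengthen(preds, wp(stmt, lambda env, p=p: not p(env))) for p in preds]
    return {bits: tuple(choose(bits in f_pos[i], bits in f_neg[i]) for i in range(len(preds)))
            for bits, _ in cubes(preds)}

# s : nPackets = nPackets + 1   and   e : (nPacketsOld == nPackets), as on the slides
def s_inc(env):
    return {**env, "nPackets": env["nPackets"] + 1}

def e(env):
    return env["nPacketsOld"] == env["nPackets"]

def slide_results():
    """F(pre(s,e)), F(pre(s,!e)) and the resulting boolean-program assignment to {e}."""
    not_e = lambda env: not e(env)
    return (strengthen([e], wp(s_inc, e)),
            strengthen([e], wp(s_inc, not_e)),
            abstract_assignment(s_inc, [e]))
```

The table returned for {e} says: if e holds before s it is false afterwards, otherwise it is unknown, which is exactly choose(false, e).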

WP and pointers
  Statement in P:   s : *p = *p + 1
  Predicates in E:  e : (x==2)
  WP:               WP(s,e): x==2 ???

Morris’ Axiom of Assignment
  Statement in P:   s : *p = *p + 1
  Predicates in E:  e : (x==2)
  WP:               WP(s,e): ((p!=&x) and x==2) or ((p==&x) and x==1)

WP and pointers
  Statement in P:   s : *p = *p + 1
  Predicates in E:  e : (x==2)
  WP:               WP(s,e): x==2, if we can show p can never point to x using points-to analysis
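Morris' axiom checked against the actual semantics of *p = *p + 1, as an added illustration that is not from the slides: pointers are modelled as the name of the variable they target, the value domain is a constructed small range, and the points-to restriction ({'y'} meaning p never points to x) is an assumption of the example.

```python
from itertools import product

# Constructed model (not c2bp's): x and y hold small ints; the pointer p holds the name of
# the variable it points to, so *p reads env[env["p"]]. Predicates are Python callables.
DOMAIN = range(0, 4)

def all_envs():
    for x, y, p in product(DOMAIN, DOMAIN, ("x", "y")):
        yield {"x": x, "y": y, "p": p}

def s_deref_inc(env):
    """s : *p = *p + 1"""
    out = dict(env)
    out[env["p"]] = env[env["p"]] + 1
    return out

def semantic_wp(stmt, phi):
    """Ground truth for WP(s, phi): phi holds in the state after running s."""
    return lambda env: phi(stmt(env))

def e(env):                      # e : (x == 2)
    return env["x"] == 2

def naive_wp(env):               # substitution ignoring aliasing: x is not assigned, so x == 2
    return env["x"] == 2

def morris_wp(env):              # Morris' axiom: case split on whether p aliases x
    return (env["p"] != "x" and env["x"] == 2) or (env["p"] == "x" and env["x"] == 1)

def disagreements(phi, psi, envs=None):
    """States where two preconditions differ; empty iff they agree on every state in envs."""
    return [env for env in (all_envs() if envs is None else envs) if phi(env) != psi(env)]

def envs_allowed_by_points_to(targets):
    """Restrict to the states a points-to result permits, e.g. {'y'} if p never points to x."""
    return [env for env in all_envs() if env["p"] in targets]
```

Every state on which the naive WP is wrong has p aliasing x, which is why the naive form becomes sound once points-to analysis rules that case out.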

c2bp
- Processes one statement at a time: assignments, conditionals, procedure call/return
- Computes WP and strengthens it using a theorem prover (Simplify, Vampyre)
- Alias queries: one-level flow, flow-insensitive PTA of Das [PLDI’00]

c2bp
  Soundness:
  - have to consider aliasing
  - have to consider side effects of procedure calls
    [Ball-Majumdar-Millstein-Rajamani PLDI 01] [Ball-Millstein-Rajamani, Tech-report]
  Precision:
  - formalized declaratively as an abstract interpretation [Ball-Podelski-Rajamani TACAS 01]

On-line Abstraction: State = Bit Vector
  Each abstract step during model checking (post applied to a bit vector b over n predicates) requires O(2^n) theorem prover queries.

On-line Abstraction: Set of States = Single Tri-vector
  Each abstract step during model checking (post applied to a tri-vector) requires O(2n) theorem prover queries.

SLAM - Off-line Abstraction: Set of States = Set of Tri-vectors
  Each abstract step during model checking requires O(2n*k) operations, k = O(2^n), rather than theorem prover queries: the abstraction is computed off-line by c2bp and then searched by bebop.

c2bp
  Number of theorem prover calls:
    Worst case:  O(|P| * 2^|E|)
    Practice:    O(|P| * |E|^3)

Newton
- Symbolically executes (interprocedural) path in C program
- Checks for path infeasibility using decision procedures
- If infeasibility detected
    Minimizes inconsistent conditions
    Obtains new predicates

Example
  Path:
    nPackets = nPacketsOld;
    request = devExt->WLHeadVa;
    assume(!request);
    assume(nPackets != nPacketsOld);
  Symbolic execution builds a Store (numbered entries: variable, symbolic value, entries it depends on) and a list of Conditions:
    Store:
      (1) nPacketsOld   : fresh symbolic value
      (2) nPackets      : the value of (1)            depends on (1)
      (3) devExt        : fresh symbolic value
      (4) (3)->WLHeadVa : fresh symbolic value        depends on (3)
      (5) request       : the value of (4)            depends on (3,4)
    Conditions:
      !(value of (5))                                 depends on (5)
      value of (1) != value of (2)                    depends on (1,2)
  The second condition is inconsistent on its own (both sides are the same symbolic value), so the first condition and the store entries only it depends on, (3), (4) and (5), are dropped.
  Predicates: (nPacketsOld == value of (1)), (nPackets == value of (1)), (value of (1) != value of (1))
  After eliminating the symbolic value: (nPacketsOld != nPackets)

Example (2)
  Path:
    assume(x > y);
    y := y - 1;
    assume(!(x > y));
  Store:
    (1) x : fresh symbolic value
    (3) y : (value of (2)) - 1                        depends on (2)
  History (overwritten entry):
    (2) y : fresh symbolic value
  Conditions:
    value of (1) > value of (2)                       depends on (1,2)
    !(value of (1) > (value of (2)) - 1)              depends on (1,3)
  Predicates: y == value of (2), y == (value of (2)) - 1, x > value of (2)
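A Newton-style path simulator that reproduces the store, conditions and history bookkeeping of both examples above, as an added Python illustration (not the Newton tool): symbolic values are named a1, a2, …, path steps are written as Python expressions over program names, and a bounded search over small symbol values stands in for the decision procedure. The field access devExt->WLHeadVa is written devExt.WLHeadVa and treated as a plain name; these are assumptions of this example.

```python
import re
from itertools import product

class PathSimulator:
    # entries: id -> (name, symbolic value, ids read); current: name -> live entry id
    # (superseded ids are the history); conds: (symbolic condition, ids read)
    IDENT = re.compile(r"[A-Za-z_][\w.]*")
    def __init__(self):
        self.entries, self.current, self.conds, self.symbols = {}, {}, [], []
    def new_entry(self, name, value, deps):
        self.current[name] = len(self.entries) + 1
        self.entries[self.current[name]] = (name, value, deps)
    def lookup(self, name):
        if name not in self.current:                  # first read gets a fresh symbol
            self.symbols.append("a%d" % (len(self.symbols) + 1))
            self.new_entry(name, self.symbols[-1], set())
        return self.current[name]
    def symbolic(self, expr):                         # program names -> store values
        reads = set()
        def sub(m):
            tok = m.group(0)
            if tok in ("not", "and", "or") or tok in self.symbols: return tok
            reads.add(self.lookup(tok))
            value = self.entries[self.current[tok]][1]
            return value if value in self.symbols else "(%s)" % value
        return self.IDENT.sub(sub, expr), reads
    def assign(self, name, expr):
        self.new_entry(name, *self.symbolic(expr))
    def assume(self, expr):
        self.conds.append(self.symbolic(expr))
    def consistent(self, conds, domain=range(-2, 3)):
        """Stand-in decision procedure: exhaustive search over small symbol values
        (eval only ever sees strings this class built from its own symbols)."""
        for vals in product(domain, repeat=len(self.symbols)):
            env = dict(zip(self.symbols, vals))
            if all(eval(c, {"__builtins__": {}}, env) for c, _ in conds):
                return True
        return False
    def predicates(self):
        """Minimal inconsistent condition set plus 'name == value' for every entry it reads
        (transitively, so overwritten history entries are included); empty if feasible."""
        if self.consistent(self.conds):
            return set()
        core = list(self.conds)
        for c in list(core):                          # drop conditions not needed for inconsistency
            if not self.consistent([d for d in core if d is not c]):
                core.remove(c)
        preds, todo = {c for c, _ in core}, set().union(*[r for _, r in core])
        while todo:                                   # entries only ever read older entries
            name, value, deps = self.entries[todo.pop()]
            preds.add("%s == %s" % (name, value))
            todo |= deps
        return preds

def newton(path):
    """path: ('assign', name, expr) / ('assume', expr) steps -> the predicates Newton would add."""
    sim = PathSimulator()
    for step in path:
        getattr(sim, step[0])(*step[1:])
    return sim.predicates()

EXAMPLE_1 = [("assign", "nPackets", "nPacketsOld"), ("assign", "request", "devExt.WLHeadVa"),
             ("assume", "not request"), ("assume", "nPackets != nPacketsOld")]
EXAMPLE_2 = [("assume", "x > y"), ("assign", "y", "y - 1"), ("assume", "not (x > y)")]
```

For EXAMPLE_1 the minimized core is the single condition a1 != a1 with entries (1) and (2), and for EXAMPLE_2 the history entry y == a2 survives next to y == a2 - 1, as on the slides; the final symbol-elimination step (nPacketsOld != nPackets) is left to the reader.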

Related Work
- VCGen based tools: ESC-Java [Leino-Nelson-et al.], Proof-Carrying Code [Lee-Necula], PREfix [Pincus-et al.]
- Model Checking of Software
    Using an abstract model: Bandera [Hatcliff-Dwyer-et al.], FeaVer [Holzmann], FLAVERS [Clarke-Osterweil-et al.], Metal [Engler]
    By gaining control over the scheduler: Java Path Finder [Visser-et al.], Verisoft [Godefroid], Java model checker [Stoller]

Related Work
- Model checkers
    Temporal logic model checking [Clarke-Emerson] [Sifakis] [Vardi-Wolper]
    Symbolic model checking: BDDs [Bryant], SMV [McMillan, Clarke]
    Model checking of Hierarchical FSMs [Alur, Grosu], [Alur, Yannakakis, et al.], [Benedikt, Godefroid, Reps]
- Abstract Interpretation [Cousot-Cousot]
- Program Analysis: shape analysis [Sagiv-Reps-Wilhelm]
- Predicate Abstraction [Graf-Saidi] [Das-Dill-Park]
- Dataflow analysis = Model Checking + Abstract Interpretation [Steffen-Schmidt]
- Counterexample driven refinement [Kurshan, Clarke-Grumberg-Jha-Lu-Veith]
- Temporal safety property checking as type checking [DeLine-Fahndrich]
- ESP [Das]

Future Directions
- New Models: boolean programs lack expressivity
- The Heap: pointer logics, recursive types
- Concurrency: predicate abstraction for an Owicki/Gries-style logic?
- Scaling: reinvestigate assume/guarantee for software

SLAM Papers
- The SLAM Process
    Automatically Validating Temporal Safety Properties of Interfaces, Thomas Ball, Sriram K. Rajamani, SPIN 2001
    The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV 2001
    Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report
- Boolean Programs
    Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE 2001
    Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN
- Predicate Abstraction of C Programs
    Automatic Predicate Abstraction of C Programs, Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, PLDI 2001
    Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR Technical Report
    Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001
- Concurrency
    Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001

Thanks to…
- Sagar Chaki (CMU)
- Rupak Majumdar (UC Berkeley)
- Todd Millstein (U Washington)
- Andreas Podelski (MPI)
- Members of Software Productivity Tools group and PPRC

Summary
- Fully automated way to check temporal safety properties of software interfaces
- Tools are based on novel ideas: interprocedural dataflow with BDDs (bebop), predicate abstraction of C (c2bp), predicate discovery (newton)
- Demonstration on Windows 2000 device drivers

Software Productivity Tools Microsoft Research