Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000.

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

– Seminar in Software Engineering Cynthia Disenfeld

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

CS162 Week 2 Kyle Dewey. Overview Continuation of Scala Assignment 1 wrap-up Assignment 2a.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Course Summary. © Katz, 2007 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Overview of program analysis Mooly Sagiv html://

Computing OverApproximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.

Tractable object models Daniel Jackson Software Design Group MIT Laboratory for Computer Science WG 2.9 · Flims · February 7, 2000.

Fun with object modelling Daniel Jackson Software Design Group MIT Laboratory for Computer Science Kansas State University · November 8, 1999.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.

Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.

A relational logic, its analysis & application Daniel Jackson, MIT WG 2.3 · Newcastle April 4, 2000.

Analyzing relational logic Daniel Jackson, MIT WG 2.3 · Newcastle April 2000.

Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.

Recognizing safety and liveness Presented by Qian Huang.

1 Formal Methods in SE Abstract Model Specification Lecture # 19.

Daniel jackson static analysis symposium ·santa barbara · june 2k logic,model s& analysis.

ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.

What’s Ahead for Embedded Software? (Wed) Gilsoo Kim

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

Daniel jackson & sarfraz khurshid lcs retreat ·martha’s vineyard · june 2k unintentional naming.

Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.

Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.

Analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001.

Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.

Putting Static Analysis to Work for Verification A Case Study Tal Lev-Ami Thomas Reps Mooly Sagiv Reinhard Wilhelm.

ALLOY: A Formal Methods Tool Glenn Gordon Indiana University of Pennsylvania COSC 481- Formal Methods Dr. W. Oblitey 26 April 2005.

Debugging declarative models using core extraction Robert Seater with Ilya Shlyakhter, Daniel Jackson, Manu Sridharan, Mana Taghdiri December 20, 2005.

Security analysis of COM with Alloy

Further with Hoare Logic Sections 6.12, 6.10, 6.13

Graph-Based Operational Semantics

Closures and Streams cs784(Prasad) L11Clos

Symbolic Implementation of the Best Transformer

Logical architecture refinement

Aspect Validation: Connecting Aspects and Formal Methods

Over-Approximating Boolean Programs with Unbounded Thread Creation

Semantics In Text: Chapter 3.

Predicate Abstraction

Presentation transcript:

shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000

2 why software model checking? want to analyze specs but no commensurate analysis only theorem proving and type checking? formal specifications are write-only model checking offers automation of deep analysis focus on presence not absence of errors rich property language

3 how would model checking differ for software? sequential focus not on concurrency relational state itself is relational essence of Z, RDB, OO incremental & modular global operations declarative style abstract all software is infinite state

4 progress so far nitpick (1995) a model finder for relational calculus exploits inherent symmetry in type structure painful language, didn’t scale (but caught bugs) abstraction? too hard to find abstractions concrete search within finite ‘scope’ alloy/alcoa (1998) richer language (closer to Z, UML) SAT-based analysis scales much better examples architectures (COM, HLA), protocols (IPv6, phones) code (CTAS), metamodels (UML)

5 BART railway problem problem prevent train collisions on same track, or tracks too close mechanism gates before points trains stop at closed gates problem where are gates? is policy safe?

6 sample alloy model model Bart { domain {Segment, Gate, Train} state Segments { succ, overlaps : Segment -> Segment gate : Segment! -> Gate? partition Open, Closed : Gate on : Train -> Segment ! } cond Safety {all s | sole s.overlaps.~on} inv Policy {all s | sole (s.conflicts + s).gate & Open} op TrainsMove (ts : Train) { all t : ts | t.on' in t.on.succ no (ts.on.gate & Closed) all t : Train - ts | t.on = t.on’ } assert PolicyWorks {all t | TrainsMove (t) && Safety -> Safety'} relational state declarative description modular analysis

7 alcoa: alloy constraint analyzer how Alcoa is used start with minimal description consistent? (too many constraints?) consequences? (too few?) what analysis involves finding models of relational formula for op, sample transition for negation of assertion, counter scope limit #elements in basic types in scope of 3, 2^9 values / relation reduce map back MAPPING SAT PROBLEM SAT SOLUTION SAT solver DESIGN PROBLEM DESIGN ANALYSIS FSE 96 (BDDs) FSE 98 (WalkSAT) 1999 (SATO)

8 analyzing code idea treat procedure as operation to check with Alcoa compose from declarative specs of statements combine paths with disjunction features expressive property language no need to adapt analysis to properties counterexample is trace of states modular – use spec in place of code unsound – small scope, few unrollings

9 example a procedure class List {List next} void insert (List first, List rest) {first.next = rest} an assertion insert && Acyclic (rest) -> Acyclic’ (first) where Acyclic (l : List) {no x : l.*next | x in x.+next} how insert is translated (first.next’ = rest)  (all x | x != first -> x.next = x.next’)  (rest’ = rest) a counterexample first = rest = L1 next = { } next’ = {L1 -> L1}

10 programming language procedures & classes program ::= classdecl* procdecl* classdecl ::= class class { class field, } procdecl ::= class proc ( class var, ) { stmt } statements stmt ::= var = term | term. field = term | return term | while pred { stmt } | if pred stmt stmt | stmt ; stmt terms & predicates term ::= null | var | term. field pred ::= term == term | ! pred | pred && pred

11 formula language declarations sigdecl ::= sig sig { type { type, } state { compdecl } } compdecl ::= set : expr mult | relation : expr mult -> expr mult mult ::= ! | ? | + expressions expr ::= set | type | relation | expr + expr | expr & expr | expr - expr | expr. expr | ~ expr | * expr | + expr | { v | formula } formulas formula ::= expr = expr | expr in expr | all v | formula | some v | formula | ! formula | formula && formula | let v be expr | formula

12 modelling state for each procedure sig State { type { Object } state { … } } for each class C state { C : Object } for each arg or var v of class C state { v : C ? } for each field f in class C of class D state { f : C -> D ? } example class List {List next} void insert (List first, List rest) { first.next = rest } translation sig insertState { type {Object} state {first, rest : List ?, next : List -> List ? } op insert () { first.next’ = rest all x | x != first -> x.next = x.next’ rest’ = rest } }

13 sequential composition state shorthands represent pre-state, post-state by structures pre and post of sig State c and c’ are short for pre :: c and post :: c composition sugar F ; G is short for some s : State | (let post be s | F)  (let pre be s | G) example statements a = b.next ; c = a.next formulasa’ = b.next ; c’ = a.next desugar to ::(post :: a) = (pre :: b). (pre :: next) ; (post :: c) = (pre :: a). (pre :: next) desugar ;some s : State | (s :: a) = (pre :: b). (pre :: next)  (post :: c) = (s :: a). (s :: next) resugarsome s : State | (s :: a) = b.next  c’ = (s :: a). (s :: next)

14 translation scheme Java statement to logical formula S n : stmt  formula n is # loop iters Java term to set/relation expression E : term  expr Java predicate to formula P : pred  formula

15 translation rules statements S  a ; b  = S  a  ; S  b  S  if p a b  = (P  p   S  a  )  (! P  p   S  b  ) S i  while p { a }  = (P  p   S  a  ; S i-1  while p { a }  )  Close (! P  p  ) S 0  while p { a }  = Close (! P  p  ) S  v = t  = Close (v’ = E  t  ) S  t.f = u  = Close (E  t . f’ = E  u   all x | x != E  t  -> x.f = x. f’) expressions E  v  = v E  t.f  = E  t . f predicates P  t == u  = (E  t  = E  u  ) P  !p  = ! P  p  Close (F) = F && v’ = v && all x | x.f = x.f’ (all v, f not appearing primed in F)

16 from formula to counterexample assertion all s, s’ | pre (s)  proc (s,s’) -> post (s, s’) negate some s, s’ | pre (s)  proc (s,s’)  ! post (s, s’) proc (s, s’) is F (s,s’) ; G (s, s’) ; H (s, s’) desugar ; some s1| ((some s0 | F(s, s0)  G (s0, s1))  H (s1, s’) skolemize pre (s)  F (s, s0)  G (s0, s1)  H (s1, s’)  ! post (s, s’) now find model in finite scope obtain counterexample

17 null derefs (1) introduce a null object Null : Object! Null.f = Null (initially for all field relations f) E  null  = Null make field relations total state { f : C -> D ! } define derefs performed in a term Derefs  t.f  = Derefs  t  Derefs  v.f  = v instrument program to collect derefs derefs : Object S  t.f = u  = …  derefs’ = derefs + Derefs  t.f  + Derefs  u 

18 null derefs (2) assert no null derefs pre  S  proc  -> ! Null in derefs’ interpreting results find first state s such that s :: derefs contains Null means null deref in that statement

19 example in full swap procedure List swap (List c) { List p; if (c != null) { p = c ; c = c.next ; p.next = c.next ; c.next = p ; } return c; } translation no derefs  ((c != null  ( p’ = c  c’ = c  all x | x.next’ = x.next ; c’ = c.next  p’ = p  all x | x.next’ = x.next  derefs’ = derefs + c ; p.next’ = c.next  p’ = p  c’ = c  all x | x != p -> x.next’ = x.next  derefs’ = derefs + c + p ; c.next’ = p  p’ = p  c’ = c  all x | x != c -> x.next’ = x.next  derefs’ = derefs + c )  (c = null  p’ = p  c’ = c  all x | x.next’ = x.next  derefs’ = derefs )) ; result = c

20 jumps add continuations S : stmt  formula  formula translation becomes S  a ; b   = S  a  (S  b   ) S  if p a b   = (P  p   S  a   )  (!P  p   S  b   ) S i  while p { a }   = (P  p   S  a  ; S i-1  while p { a }   )  ! P  p    S 0  while p { a }   = ! P  p    S  v = t   = Close (v’ = E  t  ) ;  S  return t   = Close (result = E  t  ) cleaner treatment of null derefs instead of null, make fields partial S  t.f = u   = (some E  t   E  t . f’ = E  u  ;  )  no E  t 

21 a small experiment subject 8 sample list procedures from [Dor, Rodeh, Sagiv 99] merge, delete, search, reverse, etc translated by hand into Alloy properties checked no null derefs, result not null no cycles created set inclusions (eg, for delete, merge) results found bugs identified by [DRS99] and one more for scope of 3, 2 unrollings: a few secs, except for merge

22 sample specs sample properties assert NoNullDerefs {Merge -> Null !in Derefs’} assert NoLoss {Merge -> result.*next = p.*next + q.*next} assert NoCycles {Merge && Acyclic (p) && Acyclic (q) -> Acyclic (result)} counterexample to NoCycles p = O1 q = O1 next = {O1 -> O0} … result = O1 next’ = {O1 -> O1}

23 what next? basic optimizations propagating equality: reduce by factor of #rel? new version of Alcoa (5/00) symmetry & other optimizations new Alloy: signatures, sequence, closure extend to APIs use abstract relations instead eg, Swing objects non termination see whether (state = state’) in some loop iteration global properties check object model invariants eg, every active aircraft is tracked

24 related work shape analysis k-limiting loss of completeness, not soundness Sagiv, Reps, Wilhelm relational state ‘execute’ with transfer functions instrumentation for precision pre-post relationships? model checking Kautz, McAllester & Selman: reachability with SAT Biere, Cimatti, Clarke, Fujita & Zhu: bounded LTL theorem proving ESC : sound but less expressive properties

25 conclusion key ideas a form of testing, but exhaustive within scope rich property language relational formula good match for Java can accommodate partial specs acknowledgments analysis ideas: Rinard tool: Schechter, Shlyakhter SAT solvers: Nelson, Selman, Kautz, Zhang Moore: , 3 hrs -> 1 sec Alcoa! Free while supplies last!