1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
Verification of parameterised systems
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Software Engineering Testing Lecture 4 ASPI8-4 Anders P. Ravn, Feb 2004.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Synergy: A New Algorithm for Property Checking
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research
SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.
ESP [Das et al PLDI 2002] Interface usage rules in documentation –Order of operations, data access –Resource management –Incomplete, wordy, not checked.
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.
Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Automated Tools for Software Reliability Suhabe Bugrara Stanford University.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.
Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
SLAM :Software Model Checking From Theory To Practice Sriram K. Rajamani Software Productivity Tools Microsoft Research.
Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani.
Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)
Thomas Ball Sriram K. Rajamani
Use of Models in Analysis and Design Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball, Sriram K. MSR Presented by Xin Li.
Recognizing safety and liveness Presented by Qian Huang.
Formal Verification of Synchronization Issues of SpecC Description with Automatic Abstraction Thanyapat Sakunkonchak Masahiro Fujita Department of Electronics.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.
Verification & Validation By: Amir Masoud Gharehbaghi
The Yogi Project Software property checking via static analysis and testing Aditya V. Nori, Sriram K. Rajamani, Sai Deep Tetali, Aditya V. Thakur Microsoft.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.
Verifying Regular Behavior of C modules Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Formal methods: Lecture
Having a BLAST with SLAM
Over-Approximating Boolean Programs with Unbounded Thread Creation
Abstractions from Proofs
Predicate Abstraction
Course: CS60030 Formal Systems
Presentation transcript:

1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from

2 Checking API Usage Application C lib | DLL | COM |… API Does an application follow the “proper usage” rules of an API?

3 Temporal safety properties Something “bad” does not happen –Eg. A lock is never released without first being acquired Unlocked Locked Error U LL U

4 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

5 SLIC spec for Spinlock enum { Unlocked=0, Locked=1 } state = Unlocked; KeAcquireSpinLock.call { if (state==Locked) abort; else state = Locked; } KeReleaseSpinLock.call { if (state==Unlocked) abort; else state = Unlocked; } Unlocked Locked Error U LL U

6 Target program to validate do { KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; request = devExt->WriteListHeadVa; if(request && request->status){ devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else{ irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(&devExt->writeListLock); Question: Is locking protocol respected?

7 Safety to Reachability Program P SLIC spec S SLIC Program P satisfies specification S  Label ERROR is not reachable in P’ Instrumented Program P’

8 do { KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; request = devExt->WriteListHeadVa; if(request && request->status){ devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else { irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); enum { Unlocked=0, Locked } state = Unlocked; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if(state==Locked) slic_abort(); else state = Locked; } void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? Instrumented Program

9 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

10 Predicate abstraction by C2BP Instrumented program P’ Boolean program BP(P’,E0) C2BP Initial predicates E0 state==Locked, state==Unlocked

11 do { KeAcquireSpinLock_call(); skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; } } while (*); KeReleaseSpinLock_call(); skip; decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? Initial boolean Program

12 Model-check by BEBOP do { KeAcquireSpinLock_call(); skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; } } while (*); KeReleaseSpinLock_call(); skip; decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } {state==Unlocked}Æ :{state==Locked} :{state==Unlocked}Æ{state==Locked} reached ERROR label

13 The execution path to blame! do { KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; // s1 request = devExt->WriteListHeadVa; // s2 if(request && request->status){ // s3 devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else { irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); // s4 KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); enum { Unlocked=0, Locked } state = Unlocked; void slic_abort() { ERROR: // s6 } void KeAcquireSpinLock_call () { if(state==Locked) slic_abort(); // s5 else state = Locked; // s0 } void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked; } s0: state = Locked; s1: nPacketsOld = nPackets; s2: request = devExt->WriteListHeadVa; s3: assume(!request); s4: assume(nPackets != nPacketsOld); s5: assume(state==Locked); s6: ERROR:

14 Time for NEWTON s0:state = Locked; s1:nPacketsOld = nPackets; s2:request = devExt->WriteListHeadVa; s3:assume(!request); s4:assume(nPackets != nPacketsOld); s5:assume(state==Locked); s6:ERROR: LocationValueDependencies 0. stateLocked() 1. nPackets  () 2. nPacketsOld  1 3. devExt  () 4.  ->WriteListHeadVa  3 5. request  3, 4 ConditionsDependencies !(  )5 (  !=  )1, 2 New predicate! nPackets==nPacketsOld

15 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

16 do { KeAcquireSpinLock_call(); skip; b := T; // nPackets = nPacketsOld; skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; b := b ? F : *; // nPackets++; } } while(!b); // while (nPackets!=nPacketsOld); KeReleaseSpinLock_call(); skip; Variable b represents (nPackets==nPacketsOld) decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? The second boolean Program

17 Model-check again by BEBOP do { KeAcquireSpinLock_call(); skip; b := T; skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; b := b ? F : *; } } while(!b); KeReleaseSpinLock_call(); skip; * decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } {state==Unlocked}Æ :{state==Locked} :{state==Unlocked}Æ{state==Locked} reached ERROR label * T T T F

18 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

19 C2BP Automatic predicate abstraction of C What is the predicate language? –Pure C boolean expressions Input: a C program P and set of predicates E Output: a boolean program C2BP(P,E) that is –a sound abstraction of P –a precise abstraction of P Difficulties –procedures –pointers

20 BEBOP  Reachability analysis of boolean programs  Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis  Explicit representation of control flow  Implicit representation of reachable states via BDDs

21 NEWTON Symbolically executes (interprocedural) path in C program Checks for path infeasibility using decision procedures (theorem provers: Simplify, Vampyre) If infeasibility detected –Find weak(est) condition implying the infeasibility –Obtains new predicates

22 Contributions Use of boolean programs for program abstractions C2BP : the first automatic predicate abstraction tool for a full-scale language BEBOP : the first model checker to handle procedure calls using inter-procedural DFA Global analysis only on the boolean program abstractions : scalable…?

23 Defects Defects of SLAM –Uses a logical memory model Assumes for all i,j : p[i] = p[j] –No guarantee on the termination of iterative refinement Defects of the paper –No experimental results (describes their experiences only)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.