Presentation is loading. Please wait.

Presentation is loading. Please wait.

Having a BLAST with SLAM

Published byBenjamin Dickerson Modified over 6 years ago

Similar presentations

Presentation on theme: "Having a BLAST with SLAM"— Presentation transcript:

1 Having a BLAST with SLAM

2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement
There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim.

3 SLAM Overview INPUT: Program and Specification
Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) “I use locks correctly”, not “I am a webserver” OUTPUT: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec

4 Take-Home Message SLAM is a software model checker. It abstracts C programs to boolean programs and model-checks the boolean programs. No errors in the boolean program implies no errors in the original. An error in the boolean program may be a real bug. Or SLAM may refine the abstraction and start again.

5 Property 1: Double Locking
unlock unlock lock “An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.” Calls to lock and unlock must alternate.

6 Property 2: Drop Root Privilege
[Chen-Dean-Wagner ’02] “User applications must not run with root privilege” When execv is called, must have suid  0

7 Property 3 : IRP Handler [Fahndrich] MPR3 CallDriver MPR completion
synch not pending returned SKIP2 IPC Skip return child status DC Complete request not Pend PPC prop N/A no prop start NP Pending NP MPR1 start P Mark Pending IRP accessible SKIP1 MPR2 [Fahndrich]

8 Example SLAM Input Example ( ) { 1: do{ lock(); old = new;
q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; lock unlock unlock lock

9 SLAM in a Nutshell SLAM(Program p, Spec s) = // program
Program q = incorporate_spec(p,s); // slic mutable PredicateSet abs = { }; while true do BooleanProgram b = abstract(q,abs); // c2bp match model_check(b) with // bebop | No_Error ! printf(“no bug”); exit(0) | Counterexample(c) ! if is_valid_path(c, p) then // newton printf(“real bug”); exit(1) else abs à abs [ new_preds(c) // newton done

10 Incorporating Specs 1 Example ( ) { 1: do{ if L=1 goto ERR; else L=1;
lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; Example ( ) { 1: do{ if L=1 goto ERR; else L=1; old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; if L=0 goto ERR; else L=0; new ++; } 4: } while(new != old); 5: if L=0 goto ERR; return; ERR: abort(); lock 1 Original program violates spec iff new program reaches ERR unlock unlock ERR lock

11 Program As Labeled Transition System
State Transition pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a Example ( ) { 1: do { lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; }

12 The Safety Verification Problem
Error (e.g., states with PC = Err) Safe States (never reach Error) Initial Is there a path from an initial to an error state ? Problem: Infinite state graph (old=1, old=2, old=…) Solution : Set of states ' logical formula

13 Representing [Sets of States] as Formulas
states satisfying F {s | s ² F } F FO fmla over prog. vars [F1] Å [F2] F1 Æ F2 [F1] [ [F2] F1 Ç F2 [F] : F May be do this through an example [F1] µ [F2] F1 ) F2 i.e. F1Æ: F2 unsatisfiable 13

14 Idea 1: Predicate Abstraction
Predicates on program state: lock (i.e., lock=true) old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite Thus model-checking the abstraction will be feasible!

15 Abstract States and Transitions
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a Theorem Prover lock old=new : lock : old=new

16 Abstraction State Existential Lifting c1 c2 A1 A2 Theorem Prover lock
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a A1 A2 Theorem Prover lock old=new : lock : old=new Existential Lifting (i.e., A1!A2 iff 9c12A1. 9c22A2. c1!c2)

17 Abstraction State lock : lock old=new : old=new 3: unlock(); new++;
pc lock old new q  3  5  0x133a 3: unlock(); new++; 4:} … pc lock old new q  4  5  6  0x133a lock old=new : lock : old=new

18 Analyze Abstraction Problem Analyze finite graph No false negatives
Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples

19 Idea 2: Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine abstraction!

20 Idea 2: Counterex.-Guided Refinement
Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge

21 Iterative Abstraction-Refinement
Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Untill real counterexample or system proved safe [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]

22 Problem: Abstraction is Expensive
Reachable Problem #abstract states = 2#predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100’s, #States ~ 2100 , #Reach ~ 1000’s

23 Solution1: Only Abstract Reachable States
Safe Solution Build abstraction during search Problem #abstract states = 2#predicates Exponential Thm. Prover queries

24 Solution2: Don’t Refine Error-Free Regions
Problem #abstract states = 2#predicates Exponential Thm. Prover queries Solution Don’t refine error-free regions

25 Q: Books (704 / 842) In T.S. Eliot's 1939 Old Possum's Book Of Pratical Cats, this "mystery cat is called the hidden paw / for he's a master criminal who can defy the law."

26 Q: Computer Science This American Turing award winner is sometimes called the “father” of analysis of algorithms, and is known for popularizing asymptotic notation, creating TeX, and co- developing a popular a string search algorithm. His most famous work is The Art of Computer Programming.

27 Key Idea: Reachability Tree
Initial Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 4 5 3

28 Key Idea: Reachability Tree
Initial Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 4 7 5 3 3 Error Free

29 Key Idea: Reachability Tree
Initial Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. 4 5 7 8 3 3 1 8 1 Error Free S1: Only Abstract Reachable States S2: Don’t refine error-free regions SAFE

30 Build-and-Search Reachability Tree Predicates: LOCK 1 1 Example ( ) {
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 1 Reachability Tree Predicates: LOCK

31 Build-and-Search Reachability Tree Predicates: LOCK 1 2 1 2
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); lock() old = new q=q->next 1 : LOCK 2 LOCK 1 2 Reachability Tree Predicates: LOCK

32 Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 1 2 3
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK [q!=NULL] 3 LOCK 1 2 3 Reachability Tree Predicates: LOCK

33 Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 4 1 2 3
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 q->data = new unlock() new++ LOCK 4 : LOCK 4 1 2 3 Reachability Tree Predicates: LOCK

34 Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 5 5 4 1 2
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK [new==old] 5 : LOCK 5 4 1 2 3 Reachability Tree Predicates: LOCK

35 Build-and-Search Reachability Tree Predicates: LOCK 1 2 3 4 5 5 4 1 2
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK 5 : LOCK 5 unlock() 4 : LOCK 1 2 3 Reachability Tree Predicates: LOCK

36 Analyze Counterexample
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK lock() old = new q=q->next 2 LOCK [q!=NULL] 3 LOCK q->data = new unlock() new++ 4 : LOCK [new==old] 5 : LOCK 5 unlock() 4 : LOCK 1 2 3 Reachability Tree Predicates: LOCK

37 Analyze Counterexample
1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK old = new 2 LOCK 3 LOCK new++ 4 : LOCK [new==old] 5 : LOCK 5 Inconsistent 4 : LOCK new == old 1 2 3 Reachability Tree Predicates: LOCK

38 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 1 Reachability Tree Predicates: LOCK, new==old

39 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK lock() old = new q=q->next 2 LOCK , new==old 1 2 Reachability Tree Predicates: LOCK, new==old

40 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old q->data = new unlock() new++ 4 : LOCK , : new = old 4 1 2 3 Reachability Tree Predicates: LOCK, new==old

41 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old 4 : LOCK , : new = old [new==old] 4 1 2 3 Reachability Tree Predicates: LOCK, new==old

42 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old 4 : LOCK , : new = old [new!=old] 1 : LOCK, : new == old 4 4 1 2 3 Reachability Tree Predicates: LOCK, new==old

43 Repeat Build-and-Search
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 : LOCK , : new = old LOCK , new=old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates: LOCK, new==old

44 Key Idea: Reachability Tree
Initial Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. 4 5 7 8 3 3 1 8 1 Error Free S1: Only Abstract Reachable States S2: Don’t refine error-free regions SAFE

45 Two handwaves SAFE Reachability Tree Predicates: LOCK, new==old 1 2 3
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 : LOCK , : new = old LOCK , new=old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates: LOCK, new==old

46 Two handwaves SAFE Q. How to compute “successors” ? Reachability Tree
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE 3 3 LOCK , new==old LOCK , new==old q->data = new unlock() new++ 4 4 4 : LOCK , : new = old : LOCK , : new = old LOCK , new=old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates: LOCK, new==old

47 Two handwaves SAFE Q. How to compute “successors” ?
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 : LOCK , : new = old LOCK , new=old Q. How to find predicates ? 1 5 5 Refinement : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Predicates: LOCK, new==old

48 Two handwaves SAFE Q. How to compute “successors” ? Refinement
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 : LOCK , : new = old LOCK , new=old 1 5 5 Refinement : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Predicates: LOCK, new==old

49 Weakest Preconditions
WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP [WP(P, OP)] OP [P]

50 Weakest Preconditions
WP(P,OP) Weakest formula P’ s.t. if P’ is true before OP then P is true after OP [WP(P, OP)] OP [P] P[e/x] new+1 = old Assign new = new+1 x = e P new = old

51 How to compute successor ?
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 3 LOCK , new==old F OP 4 ? : LOCK , : new = old For each p Check if p is true (or false) after OP Q: When is p true after OP ? - If WP(p, OP) is true before OP ! - We know F is true before OP - Thm. Pvr. Query: F ) WP(p, OP) Predicates: LOCK, new==old

52 How to compute successor ?
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); }7 3 LOCK , new==old F OP 4 ? For each p Check if p is true (or false) after OP Q: When is p false after OP ? - If WP(: p, OP) is true before OP ! - We know F is true before OP - Thm. Pvr. Query: F ) WP(: p, OP) Predicates: LOCK, new==old

53 How to compute successor ?
Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); 3 LOCK , new==old F OP 4 ? : new = old : LOCK , : new = old For each p Check if p is true (or false) after OP Q: When is p false after OP ? - If WP(: p, OP) is true before OP ! - We know F is true before OP - Thm. Pvr. Query: F ) WP(: p, OP) Predicate: new==old True ? (LOCK , new==old) ) (new + 1 = old) NO False ? (LOCK , new==old) ) (new + 1  old) YES

54 Advanced SLAM/BLAST Too Many Predicates - Use Predicates Locally
Counter-Examples - Craig Interpolants Procedures - Summaries Concurrency - Thread-Context Reasoning

55 SLAM Summary Instrument Program With Safety Policy Predicates = { }
Abstract Program With Predicates Use Weakest Preconditions and Theorem Prover Calls Model-Check Resulting Boolean Program Use Symbolic Model Checking Error State Not Reachable? Original Program Has No Errors: Done! Check Counterexample Feasibility Use Symbolic Execution Counterexample Is Feasible? Real Bug: Done! Counterexample Is Not Feasible? Find New Predicates (Refine Abstraction) Goto Line 3

56 Optional: SLAM Weakness
Preds = {}, Path = [x=0, :x+188, x+1<77] Preds = {x=0}, Path = Preds = {x=0, x+1=88} Path = [x=0, :x+288, x+2<77] Preds = {x=0,x+1=88,x+2=88} Path = Result: the predicates “count” the loop iterations 1: F() { 2: int x=0; 3: lock(); 4: do x++; 5: while (x  88); 6: if (x < 77) 7: lock(); 8: }

57 Homework Read Winskel Chapter 2 Read Hoare paper Read Spolsky article

Download ppt "Having a BLAST with SLAM"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.

Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

Similar presentations

Ads by Google