Presentation is loading. Please wait.

Presentation is loading. Please wait.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Published byAlanna Williard Modified over 10 years ago

Similar presentations

Presentation on theme: "Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research."— Presentation transcript:

1 α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research

2 α ϒ ʎ …… Satistiability Modulo Theories SAT = Boolean sort, Boolean connectives Decidable in NP SMT = SAT + decidable theories Decidable in NP if all theories are in NP *

3 α ϒ ʎ …… Satistiability Modulo Theories Examples of theories: – Linear Arithmetic – Uninterpreted functions – Fixed-size bitvectors – Arrays – Etc.

4 α ϒ ʎ …… Reachability Modulo Theories // variables var x: int var M: int  int // assignments x := expr // procedures call foo(x); // conditions assume expr assert expr SMT Finite number of variables (possibly arrays) Finite number of procedures RMT: Is there an execution that violates an assertion?

5 α ϒ ʎ …… Example 1 assert false;

6 α ϒ ʎ …… Example 2

7 α ϒ ʎ …… RMT Searches for Bugs – Undecidable, but recursively enumerable – Search for proofs: not recursively enumerable Single-procedure RMT – In NP Bounded recursion RMT – Decidable – NEXPTIME-complete

8 α ϒ ʎ …… RMT Single-Procedure RMT: NP  f (w, x, y, z) holds iff f(w) can return (x,y,z)

9 α ϒ ʎ …… RMT Single-Procedure RMT: NP L1: assume c(L1) L2: assume c(L1) L3: assume c(L1) b(L1) == c(L1)  (b(L2)  b(L3)) b(L1) == c(L1)  (b(L2)  b(L3)) E(L1)

10 α ϒ ʎ …… Bounded RMT

11 α ϒ ʎ …… Static Inlining Given: Bounded RMT Find: An assertion violation foo bar baz foo barbaz foo barbazbar baz foo … ……… Expensive, even if assertion is simple Runs out of memory in VC construction Expensive, even if assertion is simple Runs out of memory in VC construction Recursion bound

12 α ϒ ʎ …… Stratified Inlining procedure main() { x := e1; y := e2; if(*) { call foo(x); } assume y == 5; … call y := bar(); assert y == 5; } procedure main() { x := e1; y := e2; if(*) { call foo(x); } assume y == 5; … call y := bar(); assert y == 5; } Q: Violate assert without going into calls? A: If yes, then “Unsafe” A: If no, then continue Q: Violate assert assuming calls can do anything? A: If no, then “Safe” A: If yes, inline all procedures on the trace Repeat … havoc globals havoc y, globals inline bar

13 α ϒ ʎ …… Stratified Inlining Inline on demand foo barbaz foo barbazbar baz foo bar assume false summaries foo Z3 false summ -ary

14 α ϒ ʎ …… Stratified vs. Static Inlining

15 α ϒ ʎ …… Corral Architecture

16 α ϒ ʎ …… Variable Abstraction Not all variables would be relevant for the given assertions – G: All (global) variables – T: Tracked variables – Drop writes to (G – T) – Make reads to (G – T) non-deterministic

17 α ϒ ʎ …… Variable Abstraction Untracked variables can take any value x := e x := e tracked(x) && tracked(e) x := * tracked(x) && tracked(e) skip tracked(x) assert e assert e tracked(e) assert false tracked(e) [Kurshan ‘94]

18 α ϒ ʎ …… Refinement Current set: T ⊆ G – Abstract(Program, T) has a buggy trace   is spurious – Abstract( , T) is feasible, Abstract( , G) is infeasible What is the smallest set T’ to track such that: – T ⊆ T’ – Abstract( , T’) is infeasible SAT UNSAT ??

19 α ϒ ʎ …… Refinement Naïve algorithm: linear scan of (G – T) Our algorithm: divide-and-conquer – Best case: log |G – T| – Worst case: 2 * |G – T| – Complexity: O(a log |G – T|) where a is the extension to T

20 α ϒ ʎ …… Refinement Parametric Abstraction – Introduce Boolean constant b v for each v ∊ (G – T) x := y + 1 if(b x && b y ) { x := y + 1; } else if(b x && b y ) { x := *; } else { skip; }

21 α ϒ ʎ …… Refinement MINIMAL-UNSAT-CORE F F F F F F F F F F F F F F F F F F T T T T T T T T T T T T T T T T T T SAT UNSAT

22 α ϒ ʎ …… Refinement Let Refine(T,D) be the minimum extension to T that doesn’t intersect with D – That is: T  Refine(T,D)  G - D Algorithm: 1.Let P1, P2 = Partition(G – T – D) 2.S1 = Refine(T  P2, D) 3.Return Refine(T  (S1  P1), D  (S1 - P1))

23 α ϒ ʎ …… Refinement F F T T F F F F F F F F F F F F F F F F F F F F F F F F F F F F SAT UNSAT F F F F F F F F T T T T T T T T F F T T F F F F T T T T T T T T Partition and freeze Recurse F F T T F F F F F F F F T T T T Switch partition

24 α ϒ ʎ …… Example: a = 1 F F F F F F F F F F F F F F F F F F F F F F F F T T T T T T T T F F F F F F F F F F F F F F F F F F F F F F F F T T T T T T T T 1 F F F F F F F F F F F F T T F F log(n/2) T T F F F F F F T T T T T T T T T T F F F F F F F F F F F F F F T T F F F F F F F F F F F F F F 1

25 α ϒ ʎ …… Refinement Results

26 α ϒ ʎ …… C→Boogie Boogie C.NET.NET→Boogie Corral Reachable Unreachable Corral eco-system ?? ??→Boogie

27 α ϒ ʎ …… Device Driver Verification Windows OS Hardware Device Drivers DDI / Kernel API 1500+ DDIs

28 α ϒ ʎ …… Static analysis of Device Drivers Ships with Windows Verify correct DDI usage – Temporal rules: Never call IoCompleteRequest while holding a spin lock. Attempting to complete an IRP while holding a spin lock can cause deadlocks. http://msdn.microsoft.com/en-us/library/ff548343(VS.85).aspx http://msdn.microsoft.com/en-us/library/ff548343(VS.85).aspx – Pre-conditions: Call IoAttachDevice only at IRQL == PASSIVE http://msdn.microsoft.com/en-us/library/windows/hardware/ff547763(v=vs.85).aspx http://msdn.microsoft.com/en-us/library/windows/hardware/ff547763(v=vs.85).aspx Internally, uses verification tools – Pre Windows 8.1: SLAM – Post Windows 8.1: Corral/Yogi Static Driver Verifier

29 α ϒ ʎ …… SDV: Demo

30 α ϒ ʎ …… Corral Replaces SLAM SDV team has tested Corral on 33000 problems and decided to ship Corral in SDV in Windows 8.1 Corral vs. SLAM2 – Lost defects: < 1% – New defects: > 17% – Performance improvement dramatic on larger drivers: Reduction in NURs by 2.5X

31 α ϒ ʎ …… Speedup: SLAM vs. Corral

32 α ϒ ʎ …… Applications GetMeHere! – Debugging.NET applications – Answers one key question: “how can execution get to this point?” Enabling research in security of online services – Discovers security attacks in software models of online services – Innovative mitigation based on symbolic validation of online transactions

33 α ϒ ʎ …… Concurrency // variables var x: int var M: int  int // assignments x := expr // procedures call foo(x); // Threads async call foo(x) RMT: Is there an execution that violates an assertion? Solution: we reduce concurrent RMT to sequential RMT using “sequentialization”

34 α ϒ ʎ …… What is sequentialization? Qadeer-Wu 2004, L-Reps 2008 Given a concurrent program P, construct a sequential program Q such that Q  P A few choices – Drop each occurrence of async-call – Convert each occurrence of async-call to call A sequentialization must capture “interesting” interaction among concurrently-executing tasks

35 α ϒ ʎ …… Parameterized sequentialization Given a concurrent program P, construct a family of programs Q i such that – Q 0  Q 1  Q 2  …  P –  i Q i = P “Interesting” behaviors of P must manifest in Q i for low values of i

36 α ϒ ʎ …… Context-bounding Qadeer-Rehof 2005 Captures a notion of interesting executions in concurrent programs Under-approximation parameterized by K ≥ 0 – executions in which each thread gets at most K contexts to execute – as K  , we get all behaviors Small bounds reveal concurrency Heisenbugs (Musuvathi-Qadeer 2007)

37 α ϒ ʎ …… CBA vs. SMV Bugs: All occurred in 6 context switches or fewer Performance: CBA(K = 7) is 30 times faster than SMV

38 α ϒ ʎ …… Context-bounding is sequentializable L-Reps 2008 For any concurrent program P and K ≥ 0, there is a sequential program Q K that captures all executions of P up to context bound K Simple source-to-source transformation – linear in |P| and K – each global variable is copied K times

39 α ϒ ʎ …… Sequentialization Vectorize the global state (x, y) (x 1, y 1 ) (x k, y k ) (x K, y K ) … … k k (y+1, y) x := y + 1 (x 1, y 1 ) (y k +1, y k ) (x K, y K ) … … k k x k := y k + 1 For statement st, let st[i] be its renaming for the i th copy of shared variables

40 α ϒ ʎ …… Program rewriting if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if st var s: T; (T 1 || T 2 ); var s: T; (T 1 || T 2 ); var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume Consistency } var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume Consistency }

41 α ϒ ʎ …… Sequentialization f1 t1 = c2 assume f3 == t1 f2 t1 f3 t2 f3 t3 f2 t2 f1 f2 t1 = f3 t2 t3 k = 1 k ++ T1( ) k = 1 k ++ T2( ) Theorem: If the concurrent program can go from (s = s init ) to a state (s = s final ) in K context switches per thread then the sequential program can go from (s1 = s init ) to (sK = s final ) s1s2

42 α ϒ ʎ …… Program rewriting if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if st var s: T; (T 1 || T 2 ); assert φ(s) var s: T; (T 1 || T 2 ); assert φ(s) var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume (s1 == c2  …  s{K-1} == cK) assert φ(sK) } var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume (s1 == c2  …  s{K-1} == cK) assert φ(sK) } Speculated state is Input to the program Verify speculated state is valid

43 α ϒ ʎ …… Conclusions Corral is available in open-source form – http://corral.codeplex.com http://corral.codeplex.com – invitation to contribute to the Corral eco-system Research needed to improve scalability – mutable aliasing – indirect control transfer – concurrency What are the new applications?

Download ppt "Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research."

Similar presentations

CHESS : Systematic Testing of Concurrent Programs

CHESS : Systematic Testing of Concurrent Programs
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.

Functional Decompositions for Hardware Verification With a few speculations on formal methods for embedded systems Ken McMillan.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.

The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?

Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Similar presentations

Ads by Google