Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM."— Presentation transcript:

1 1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM T.J. Watson Research Center

2 2 Lightweight Specification  "correct usage" rules a client must follow  "call open() before read()" Certification does the client program satisfy the lightweight specification? Verification of Safety Properties Component a library with cleanly encapsulated state Client a program that uses the library The Canvas Project (IBM Watson and Tel Aviv) (Component Annotation, Verification and Stuff)

3 3 Quick Overview: Fine Grained Heap Abstraction Heap H Precise...... but often too expensive

4 4 Quick Overview: Separation & Heterogeneous Abstraction Fine-grained abstraction Coarse abstraction

5 5 Separation: The Intuition InputStream ins1 = new InputStream(); InputStream ins2 = new InputStream();... if (?) { ins1.close();... } if (?) { ins2.close();... } … Problem: verify that InputStreams are used correctly: not read after they are closed. Possible states: (1) ins1: open; ins2: open (2) ins1: open; ins2: closed (3) ins1: closed; ins2: open (4) ins1: closed; ins2: closed

6 6 Separation: The Intuition InputStream ins1 = new InputStream(); InputStream ins2 = new InputStream();... if (?) { ins1.close();... } if (?) { ins2.close();... } … Sub-problems: (1)verify that ins1 is used correctly (2)verify that ins2 is used correctly Possible states (sub-problem 1) (1)ins1: open (2)ins1: closed Possible states (sub-problem 2) (1)ins2: open (2)ins2: closed

7 7 Separation: The Intuition Basic idea of separation is not new  independent attribute analysis vs. relational analysis  e.g. conventional (compiler) dataflow analyses  e.g. ESP (PLDI 2002) exploits separation

8 8 Our Contribution: Separation + Heap Analysis Separation for heap analysis integrated with verification Heterogeneous abstraction for heaps Separation for first-order safety properties Separation strategies More focused separation individual object vs. allocation-site

9 9 Heap (Pointer) Analysis Dynamic object creation (heap allocation) is the primary source of unbounded program state Creating a bounded representation of a potentially unbounded heap is a key aspect of program analysis  by merging multiple objects into a “summary” object  e.g., merge all objects allocated at same allocation site into one summary object

10 10 A Common Approach to Pointer Analysis in Software Verification Break verification problem into two phases  Preprocessing phase – separate points-to analysis typically no distinction between objects allocated at same site  Verification phase – verification using points-to results May lose precision  May lose ability to perform strong updates  May produce false alarms Program Property Pointer Analysis Verification Analysis

11 11 Loss of Precision in Two-Phase Approach f = new InputStream(); f.read(); f.close(); Verify f is not read after it is closed Straightforward...

12 12 Loss of Precision in Two-Phase Approach while (?) { f = new InputStream(); f.read(); f.close(); } f1 f closed False alarm! “read may be erroneous”

13 13 The TVLA Approach TVLA is a flexible (parametric) system for abstract interpretation and verification 1.parametric heap (i.e., pointer) analysis  user can specify criterion for merging heap-allocated objects  user can specify criterion for merging shape graphs 2.verification integrated with heap analysis  heap analysis (merging criterion) can adapt to verification Program Property Front end First-Order Transition Sys Abstract Interpretation

14 14 while (?) { f = new InputStream(); f.read(); f.close(); } The TVLA Approach: An Example f closed f f f … Concrete States f closed f f Abstract States

15 15 Fine Grained Heap Abstraction Heap H Precise...... but often too expensive

16 16 Separation & Heterogeneous Abstraction Fine-grained abstraction Coarse abstraction

17 17 Outline of Our Approach  Decompose verification problem into a set of subproblems  Adapt abstraction to each subproblem

18 18 Outline of Our Approach  Decompose verification problem into a set of subproblems Analysis-user specifies a separation strategy  Adapt abstraction to each subproblem  Heterogeneous abstraction

19 19 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); …

20 20 Separation Strategies choose some i : InputStream() site[1] ins1 site[1] ins2ins3ins4 site[1] ins2 site[1] ins1ins3ins4 site[1] ins3 site[1] ins1ins2ins4 site[1] ins4 site[1] ins1ins2ins3 Without separation site[1] ins1 site[1] ins2 site[1] ins3 site[1] ins4ins1 site[1] ins2ins3ins4 Abstraction 1 (expensive)Abstraction 2 (imprecise) Abstract state after creation of all four InputStream: (with separation)

21 21 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); … closed site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 … … site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 closed site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 … closed site[1] ins1 closed site[1] ins2 closed site[1] ins3 site[1] ins4ins … … …

22 22 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); … closed site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins closed = 1/2 site[1] ins2ins3ins4 closed site[1] ins1 closed=1/2 site[1] ins2ins3ins4ins

23 23 First-Order Safety Properties Involve multiple correlated objects  e.g., JDBC Problem can be decomposed into sub-problems in several different ways Different separation granularity Different efficiency, different precision... ResultSet rs2 = stmt2.executeQuery(...);... ResultSet minRs2 = stmt2.executeQuery(...)... rs2.next();

24 24 Example: JDBC Specification Class Connection { Set statements; … } class Statement { boolean closed; ResultSet myResultSet; Connection myConnection; Statement(Connection c) { closed = false; myConnection = c; myResultSet = null; } ResultSet executeQuery(String qry) { requires !closed; if (myResultSet != null) myResultSet.closed = true; myResultSet = new ResultSet(this); return myResultSet; } … } class ResultSet { boolean closed; Statement ownerStmt; ResultSet(Statement s) { closed = false ; ownerStmt = s; } void close() { closed = true; } boolean next() { requires !closed; }

25 25 Single Choice Separation choose some c : Connection() choose all s : Statement(x) / x == c choose all r : ResultSet(y) / y == s con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2

26 26 Multiple Choice Separation choose some c : Connection() choose some s : Statement(x) / x == c choose some r : ResultSet(y) / y == s con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 + 6 more

27 27 Strategy Implementation separation strategy + program + property  compiled into TVLA input  using instrumentation predicates  details in paper

28 28 Prototype Implementation Implemented over TVLA Applied to several example programs  Up to 5000 lines of Java Used to verify  Absence of concurrent modification exception (CME)  JDBC API conformance  IOStreams API conformance Improved performance In some cases improved precision

29 29

30 30

31 31 Other Issues Objects chosen for verification Objects relevant for verification (for chosen object)  Identified via reachability  User hints via separation strategy

32 32 Related Work Demand-driven analysis  hard for heap analysis Program slicing  an approach to demand-driven analysis  simple slicing can be an effective optimization  precise slicing (for heap) is hard Client-driven pointer analysis (Guyer & Lin, SAS 2003) Counter-example guided abstraction refinement

33 33 Verification: Recent Work ESC/Modula-3, ESC/Java (CC ’98,...) MC (OSDI 2000,...) Bandera (ICSE 2000,...) SLAM (SPIN 2001,...) Vault (PLDI 2001,...) BLAST (POPL 2002,...) ESP (PLDI 2002,...) Foster, Terauchi and Aiken (PLDI 2002,...)... several others...

34 34 Some tasks are best done by machine, while others are best done by human insight; and a properly designed system will find the right balance. D. Knuth The End It is of highest importance... to be able to recognize out of a number of facts which are incidental and which vital... Otherwise your energy and attention must be dissipated instead of being concentrated. Arthur Conan Doyle

Download ppt "1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.

Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.

Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
1 E. Yahav School of Computer Science Tel-Aviv University Typestate Verification: Abstraction Techniques and Complexity Results J. Field, D. Goyal, G.

1 E. Yahav School of Computer Science Tel-Aviv University Typestate Verification: Abstraction Techniques and Complexity Results J. Field, D. Goyal, G.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.

1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.

1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.

Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.

Similar presentations

Ads by Google