Presentation is loading. Please wait.

Presentation is loading. Please wait.

SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)"— Presentation transcript:

1 SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)

2 SLAM in 60 seconds Question: does program meet safety policy? –If not, give a counter-example 1. Instrument C program with policy 2. Abstract C program to boolean program 3. Model-check boolean program 4. Is resulting error trace feasible? 5. If not, refine abstraction, goto 2

3 C program Boolean program c2bp bebop Fail, p Pass newton GOLF SLIC CFG + VFG predicates Error GUI Spec. predicates

4 The Cunning Plan Study SLAM termination Make SLAM scale to real programs Come up with interesting specifications Run SLAM on device drivers Find bugs Retire to a life of luxury, resting on laurels

5 SLAM Termination If abstract interpretation with widening terminates, will SLAM with widening terminate as well? Answer: Yes. Andreas Podelski finished this before I arrived …

6 5 Secrets to Scaling SLAM Don’t fork() 1 theorem prover per query Don’t cache theorem prover results Do cache theorem prover results (even between iterations) Do store the CFG, don’t re-parse Don’t use algorithms that require exponential stack space

7 Specify, specify, specify SLAM specifications (“slic”) –are like monitors –instrument function calls, returns –can mimic a sort of type state A week or two after I arrived, Manuel Fandrich wrote up a lovely IO spec

8 MPR3 CallDriver MPR completion synch not pending returned SKIP2 IPC CallDriver Skip return child status DC Complete request return not Pend PPC prop completion CallDriver N/A no prop completion CallDriver start NP return Pending NP MPR1 MPR completion SKIP2 IPC CallDriver DC Complete request PPC prop completion CallDriver N?A no prop completion CallDriver start P Mark Pending IRP accessible N/A synch SKIP1 CallDriver SKIP1 Skip MPR2 MPR1 NP MPR3 CallDriver not pending returned MPR2 synch

9 SLAMzilla vs. moNThra “Classic” SLAM does not scale –25 iterations on floppy.c (for a simpler spec) –each iter adds a few predicates, repeats work –see “Lazy Abstraction” / BLAST project “Classic” SLAM vs. NT: either SLAM –has an internal error –fails to terminate –exhausts virtual memory

10 Iterative Predicate Generation Normally SLAM starts with all predicates mentioned in the spec Must rediscover “unintersting” predicates Example: x = y; if (x == FAILURE) abort(); One iteration just to get “ y == FAILURE ”

11 Value Flow Idea Run some Value Flow algorithm on instrumented program See what values can flow into final important “ if ” statements Generate those predicates in advance Rejoice as SLAM actually terminates

12 The Magic Bullet Theory For a restricted subset of C Find enough predicates So that SLAM terminates correctly In just 1 iteration If real program not in restricted subset of C, iterate to find remaining predicates

13 How restricted? v 1 = v 2 v = i// (i  Z) if (*) stmt 1 else stmt 2 v 1 = fun(v 2, …) return v abortif(v 1  v 2 )// some relop sometimes v 1 = v 2  v 3 // some binops

14 “Simple” Example foo(int a, int b) abortif(a  b) pick(int s) int v; if (*) v = s; else v = 4; return v bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

15 Value Flow Graph 2 3 4 5 xz sv c y p d a qb Recall the goal: Decide if a  b

16 The Lofty Ideal If we knew the final values of a and b (e.g., “3” and “5”) we could decide a  b Walk back in the graph from a Take every edge “x  z”, “2  x” Add the predicates “x == z”, “2 == x” Do the same for b Voila!

17 Theory and Practice 2 3 4 5 xz sv c y p d a qb p==a c==p z==c x==z 2==x 3==x Let’s try it on the a branch …

18 The Root of the Problem 2 3 4 5 xz sv c y p d a qb p==a// Bad (no scope) c==p // OK z==c // Bad (no scope) x==z // OK 2==x // OK 3==x // OK Let’s try it on the a branch …

19 Scoping Things Out There is no scope in which “z == c” is a valid predicate. But this predicate is necessary! Solution: link all ground terms to c bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

20 Value Flow Revised 2 3 4 5 xz sv c y p d a qb Red  represents function calls and returns (crossing scopes)

21 Value Flow Fixup 2 3 4 5 xz sv c y p d a qb Concentrating just on z  c, conceptually add 3  c and 2  c, thus adding “3==c” and “2==c”

22 Fixup Bonanza 2 3 4 5 xz sv c y p d a qb

23 Why does it work? There is no scope in which “z == c” is a valid predicate. However… If we know “z==2” or “z==3” We can easily prove “c==2” or “c==3” at the call-site And “c==2 & z==2” implies “c==z” bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

24 This is Weak It relies on having a constant, finite set of “ground terms” (like “2” and “3”) It will generate many more predicates than necessary (it ignores control-flow) a  b only works if the result is a ground term that reaches a or b (e.g., no *p) But we have iteration to pick up the pieces

25 Extensions If we know more about the predicate a  b, we can do better: a  b, a < b, etc. –Run algorithm as before, generate “x  5” instead of “x == 5”, keep “v i == v j ” a = 5 –Run algorithm as before, ignore actual set of ground terms, always generate “v i == 5”

26 Variable Equality (a==b) 2 3 4 5 xz sv c y p d a qb Consider the intersection of the ground terms: “a==3” and “b==3”, etc., should suffice, right? Sadly, no.

27 Results?  Floppy driver (1 bug) (3 iterations instead of 25)  6500 lines, simple spec  21 global predicates  741 local predicates  72 max local in scope  Battery driver (2 bugs) (8 iterations instead of crashing)  2410 lines, that complex spec  18 global predicates  137 local predicates  24 max local in scope

28 SLAM-PCC Perhaps not of general interest Verify bprog=c2bp(preds,cprog) –requires O(|CFG|*2 |preds| ) proofs Verify final result: –Standard VCGen(cprog,property) –Get loop invariants, function pre-post from model checker

29 Questions?

Download ppt "SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)"

Similar presentations

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.

Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.
Situation Calculus for Action Descriptions We talked about STRIPS representations for actions. Another common representation is called the Situation Calculus.

Situation Calculus for Action Descriptions We talked about STRIPS representations for actions. Another common representation is called the Situation Calculus.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.

Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.

A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Similar presentations

Ads by Google