
Model Checking C Programs Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America.


1 Model Checking C Programs Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America

2 Economic Impact of Software Verification
- Cost of software bugs to U.S. economy in 2002: $60 billion
- 80% of software development cost is in debugging
- Simulation and Testing
  - Effective in discovering bugs in early stages
  - Expensive and not exhaustive! (figure labels: unpredictable, not exhaustive, simulation does not scale)

3 Testing vs. Formal Verification

    1: int foo(int x) {
    2:   int y = 2*x;
    3:   if ( y < 100 )
    4:     y += 50;
    5:   if ( y == 50 )
    6:     y += user(-1,6);
    7:   return y;
    8: }
    9: ...
   10: int bar(int x) {
   11:   int y;
   12:   assume( x >= 0 );
   13:   y = foo(x);
   14:   assert( y >= 50 );
   15:   return y;
   16: }

Figure: simulation/testing trace table (columns line, x, y) that enumerates x = 0, 1, 2, ..., 100 one value at a time; for x = 0 the run reaches line 6, and the user() value -1 gives y = 49 at line 13, so the assertion at line 14 fails.

4 Formal Verification
- Formal verification is the process of systematically checking that system behavior satisfies a given property, both described using formal models.
- Automated and effective debugging
- Systematic and exhaustive analysis
- Scalability is still a problem
- Effective use requires some expertise
Figure: design flow from Specification to Implementation, with a formal relationship (correctness) between the two.

5 F-Soft: Automated Bug Finder and Correctness Prover

    1: void pivot_sort(int A[], int n) {
    2:   int pivot = A[0], low = 0, high = n;
    3:   while ( low < high ) {
    4:     do {
    5:       low++;
    6:     } while ( A[low] <= pivot );
    7:     do {
    8:       high--;
    9:     } while ( A[high] >= pivot );
   10:     swap(&A[low], &A[high]);
   11:   }
   12: }

Array bound violations? F-Soft outputs a trace:
- Line 1: n=2, A[0]=10, A[1]=10
- Line 2: pivot=10, low=0, high=2
- Line 5: low = 1
- Line 6: A[low] <= pivot ? YES!
- Line 3: low < high ? YES!
- Line 5: low = 2
- Line 6: A[low] <= pivot ? Buffer Overflow!!!
Figure: a software verification tool takes a program and a property and reports either "correct" or "bug".
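As an added illustration (not part of the slides and not F-Soft's code), the following Python models the pivot_sort routine above with a bounds check on every A[...] read, so the same trace the verifier reports can be reproduced; a small exhaustive enumeration over short arrays stands in for the tool's search over all inputs. The function and exception names are ours.

```python
# Python model of the slide's pivot_sort with explicit bounds checking.
# Added example; names (pivot_sort_model, BoundsViolation, find_violation) are ours.
from itertools import product


class BoundsViolation(Exception):
    """Raised when the model reads A[index] with index outside 0..n-1."""


def pivot_sort_model(A):
    """Mirror the C loop line by line, logging (line, event) like the slide's trace.
    Returns (trace, offending_index); offending_index is None if no read went out of bounds."""
    n = len(A)
    trace = []

    def read(idx, line):
        # In C this read would silently run past the buffer; the model flags it.
        if not 0 <= idx < n:
            trace.append((line, f"A[{idx}] read with n={n}: buffer overflow"))
            raise BoundsViolation(idx)
        return A[idx]

    try:
        pivot, low, high = read(0, 2), 0, n
        trace.append((2, f"pivot={pivot}, low={low}, high={high}"))
        while low < high:
            trace.append((3, "low < high ? YES"))
            while True:                       # do { low++; } while (A[low] <= pivot);
                low += 1
                trace.append((5, f"low = {low}"))
                if not read(low, 6) <= pivot:
                    break
                trace.append((6, "A[low] <= pivot ? YES"))
            while True:                       # do { high--; } while (A[high] >= pivot);
                high -= 1
                trace.append((8, f"high = {high}"))
                if not read(high, 9) >= pivot:
                    break
                trace.append((9, "A[high] >= pivot ? YES"))
            A[low], A[high] = A[high], A[low]
            trace.append((10, f"swap A[{low}], A[{high}]"))
    except BoundsViolation as e:
        return trace, e.args[0]
    return trace, None


def find_violation(max_n, values):
    """Enumerate every array of length 1..max_n over `values` (an explicit-state
    stand-in for the verifier's exhaustive search) and return the first input
    whose run reads outside the array, as (array, bad_index, trace); None if none."""
    for n in range(1, max_n + 1):
        for combo in product(values, repeat=n):
            trace, bad = pivot_sort_model(list(combo))
            if bad is not None:
                return list(combo), bad, trace
    return None


if __name__ == "__main__":
    # Constructed input from the slide: n=2, A[0]=10, A[1]=10
    for line, event in pivot_sort_model([10, 10])[0]:
        print(f"Line {line}: {event}")
```

Running it prints the slide's trace, ending with the out-of-bounds read of A[2] at line 6. The enumeration shows the defect is not tied to that one input: the first array found, of length 1, already runs low past the end because the inner loop has no `low < n` guard.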

6 Automated F-Soft Software Verification Flow
Figure (legend: user input vs. automatic): source code and user-specified properties feed a static analysis stage (program slicing, range analysis, automated properties, testbench generator); the result goes through predicate abstraction and a Boolean model builder into Boolean analysis; an analysis & refinement loop ends in either a proof or a bug.

7 Properties Considered
- Basic F-Soft mode: automatically generated standard properties (verification or warning mode)
  - Buffer overflow, array bound violations
  - Use of un-initialized variables
  - NULL pointer dereferencing
  - Alternating locks and unlocks of shared resources
  - File IO handling
  - Division by zero
- Full mode: user-specified properties
  - Software adheres to specification
  - User-specified program assertions
  - High-level system properties

8 Program Slicing
- A program slice is a subset of the original code that contains only the statements relevant to the computation of interest.
- Based on static analysis of data and control flow

Original program:

    void arithmetic(int *A, int n) {
        int sum=0, product=1, mean=0;
        int i = 0;
        while ( i < n ) {
            sum += A[i];
            product *= A[i];
            mean += A[i]/n;
            i++;
        }
    }

Slice with respect to sum (the slide highlights the statements that affect sum; the others are not part of the slice):

    void arithmetic(int *A, int n) {
        int sum=0;
        int i = 0;
        while ( i < n ) {
            sum += A[i];
            i++;
        }
    }
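The slice above can be computed mechanically from data and control dependences. The following is an added example, our own toy slicer rather than F-Soft's algorithm: the routine is written as a list of statements with their defined and used variables, the loop condition is recorded as controlling the body, and a worklist collects every statement the criterion variable depends on. The representation (`Stmt`, `PROGRAM`) and function names are ours.

```python
# Toy backward slicer over a def/use representation of the slide's arithmetic().
# Added example; flow-insensitive (every definition of a used variable counts as
# a possible reaching definition), so it may keep too much but never drops a
# needed statement.
from dataclasses import dataclass, field


@dataclass
class Stmt:
    text: str
    defs: set                                   # variables written
    uses: set                                   # variables read
    controls: set = field(default_factory=set)  # indices of statements guarded by this one


# Constructed encoding of the slide's routine; A and n are parameters (never defined here).
PROGRAM = [
    Stmt("int sum=0, product=1, mean=0;", {"sum", "product", "mean"}, set()),
    Stmt("int i = 0;", {"i"}, set()),
    Stmt("while ( i < n )", set(), {"i", "n"}, controls={3, 4, 5, 6}),
    Stmt("sum += A[i];", {"sum"}, {"sum", "A", "i"}),
    Stmt("product *= A[i];", {"product"}, {"product", "A", "i"}),
    Stmt("mean += A[i]/n;", {"mean"}, {"mean", "A", "i", "n"}),
    Stmt("i++;", {"i"}, {"i"}),
]


def backward_slice(program, criterion_vars):
    """Indices of the statements that the values of `criterion_vars` at exit depend on."""
    needed_vars = set(criterion_vars)   # variables whose definitions we still need
    in_slice = set()
    controllers = {s: i for i, st in enumerate(program) for s in st.controls}
    changed = True
    while changed:
        changed = False
        # data dependence: any statement defining a needed variable joins the slice
        for i, st in enumerate(program):
            if i not in in_slice and st.defs & needed_vars:
                in_slice.add(i)
                needed_vars |= st.uses
                changed = True
        # control dependence: the condition guarding a slice member joins the slice
        for i in list(in_slice):
            c = controllers.get(i)
            if c is not None and c not in in_slice:
                in_slice.add(c)
                needed_vars |= program[c].uses
                changed = True
    return sorted(in_slice)


def slice_text(program, criterion_vars):
    """The slice as source lines, in program order."""
    return [program[i].text for i in backward_slice(program, criterion_vars)]


if __name__ == "__main__":
    print("\n".join(slice_text(PROGRAM, {"sum"})))
```

For the criterion `sum` the slicer keeps the declaration, `i = 0`, the loop condition, `sum += A[i]` and `i++`, and drops the product and mean updates, matching the slide; the same code slices with respect to `product` or `mean` by changing the criterion.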

9 Range Analysis
- Goal: for a C program, automatically find the range and the minimal number of bits needed to represent a variable
- We are the first to apply range analysis to the verification of software

    int a;                            a: 32 bits
    a = (b != 15);                    a: 1 bit
    for (a = 0; a < 6; a++) { ... }   a: 3 bits
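To make the three widths on the slide concrete, here is an added example (ours, not F-Soft's analysis) of an interval analysis in Python: a relational expression is known to yield 0 or 1, the for loop's transfer function is iterated in the interval domain until the interval at the loop head stops changing, and a helper converts the final range into a bit width. Function names are ours.

```python
# Interval (range) analysis for the slide's fragments, with bit-width computation.
# Added example; intervals are (lo, hi) tuples, None is bottom (unreachable).


def bits_needed(lo, hi):
    """Smallest number of bits that can hold every integer in [lo, hi]."""
    if lo >= 0:
        return max(1, hi.bit_length())
    # signed two's complement: sign bit plus the magnitude of the larger side
    mag = max(-lo - 1, hi)
    return mag.bit_length() + 1


def join(a, b):
    """Least upper bound of two intervals."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def meet_lt(a, k):
    """Restrict interval a to values satisfying 'a < k' (None if infeasible)."""
    if a is None or a[0] >= k:
        return None
    return (a[0], min(a[1], k - 1))


def add_const(a, k):
    return None if a is None else (a[0] + k, a[1] + k)


def range_of_declared_int():
    """int a; with no assignment: the full 32-bit two's complement range."""
    return (-2**31, 2**31 - 1)


def range_of_comparison():
    """a = (b != 15): a C relational expression yields 0 or 1 whatever b is."""
    return (0, 1)


def range_of_for_loop(start, limit, step=1, max_iter=1000):
    """for (a = start; a < limit; a += step) { ... }
    Iterate the loop's transfer function on the interval at the loop head
    until it is stable.  The result covers the exit value a == limit too.
    (A production analysis would widen instead of iterating for large bounds.)"""
    head = (start, start)
    for _ in range(max_iter):
        body_in = meet_lt(head, limit)                     # values entering the body
        new_head = join((start, start), add_const(body_in, step))  # back edge joined with init
        if new_head == head:
            break
        head = new_head
    return head


if __name__ == "__main__":
    for label, rng in [("int a;", range_of_declared_int()),
                       ("a = (b != 15);", range_of_comparison()),
                       ("for (a = 0; a < 6; a++)", range_of_for_loop(0, 6))]:
        print(f"{label:28} range {rng}  -> {bits_needed(*rng)} bits")
```

The loop fixpoint is (0, 6): the body only sees 0..5, but the exit test observes a == 6, and 6 still fits in three bits. A verifier uses that width for the Boolean encoding of `a` instead of 32 bits, which is the reduction the slide is after.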

10 Predicate Abstraction
- Predicate abstraction is a powerful technique to reduce system complexity from potentially infinite-state systems to a finite domain
- Predicates are relational expressions over program variables
- Abstraction using k predicates results in at most 2^k abstract states

Concrete program:

    int x, y;
    if ( x > 0 ) { ... y = x+1; ... }
    else         { ... y = x+2; ... }

Predicate abstraction with b_x := (x > 0), b_y := (y > 0):

    bool b_x, b_y;
    if ( b_x ) { ... b_y = T; ... }
    else       { ... b_y ∈ {T,F}; ... }

Figure: the (x, y) plane partitioned into the four abstract states TT, TF, FT, FF. Abstract data variables using Booleans.
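The abstract program on the slide, including the `b_y ∈ {T,F}` non-determinism in the else branch, can be derived rather than written by hand. The following added example (ours, not F-Soft's abstraction engine) computes the abstract transition relation for the fragment under b_x and b_y by mapping concrete states through the program and through the predicates; a real tool asks a decision procedure whether each abstract edge is feasible, and here a bounded window of concrete values stands in for those queries. Names are ours.

```python
# Abstract transitions of the slide's if/else under b_x := (x > 0), b_y := (y > 0).
# Added example; the concrete window replaces the theorem-prover calls a real
# predicate abstraction tool would make to decide feasibility of each edge.
from itertools import product

PREDICATES = {"b_x": lambda x, y: x > 0, "b_y": lambda x, y: y > 0}


def concrete_step(x, y):
    """The slide's program: the then branch sets y = x+1, the else branch y = x+2."""
    return (x, x + 1) if x > 0 else (x, x + 2)


def alpha(x, y):
    """Abstraction map: concrete state -> tuple of predicate truth values (b_x, b_y)."""
    return tuple(p(x, y) for p in PREDICATES.values())


def abstract_transitions(window=range(-8, 9)):
    """Return {abstract_state: set of abstract successors}.
    An abstract state with two successors differing in b_y is exactly the
    slide's 'b_y ∈ {T, F}' assignment: the predicates cannot determine b_y."""
    succ = {}
    for x, y in product(window, repeat=2):
        succ.setdefault(alpha(x, y), set()).add(alpha(*concrete_step(x, y)))
    return succ


def abstract_state_count(k=len(PREDICATES)):
    """Upper bound on abstract states for k predicates."""
    return 2 ** k


def nondeterministic_predicates(succ):
    """Which predicates are left unresolved by the abstraction, per source state."""
    names = list(PREDICATES)
    out = {}
    for state, targets in succ.items():
        unresolved = [names[i] for i in range(len(names)) if len({t[i] for t in targets}) > 1]
        if unresolved:
            out[state] = unresolved
    return out


if __name__ == "__main__":
    succ = abstract_transitions()
    for state in sorted(succ):
        print(state, "->", sorted(succ[state]))
    print("unresolved:", nondeterministic_predicates(succ))
```

With x > 0, y = x+1 is at least 2, so b_y becomes T deterministically; with x <= 0, y = x+2 is positive for x in {0, -1} and non-positive otherwise, so both successors exist and the abstraction must allow either value, which is the source of spurious paths that refinement (next slides) removes.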

11 Abstraction Refinement Flow
Figure: the concrete system is abstracted into an abstract system and handed to the analysis engine (forward analysis); the result is either "safe" or an unsafe abstract path; the path is checked against the concrete system, yielding either a concrete (real) counterexample or a spurious path, and a spurious path is used to refine the model before the loop repeats.

12 Control Flow Graph Computation

    1: void bar() {
    2:   int x = 3, y = x-3;
    3:   while ( x <= 4 ) {
    4:     y++;
    5:     x = foo(x);
    6:   }
    7:   y = foo(y);
    8: }
    9:
   10: int foo( int l ) {
   11:   int t = l+2;
   12:   if ( t>6 )
   13:     t -= 3;
   14:   else
   15:     t--;
   16:   return t;
   17: }

Basic blocks of the resulting control flow graph: Line 2; Line 3; Line 4; Line 7 (call); Line 5 (call); Lines 11-12,14; Line 13; Line 15; Line 16; Line 5 (return); Line 7 (return).

13 Control Logic Example
Figure: the control logic graph for the bar/foo example, basic blocks numbered 0 to 10, with edges labelled x<=4, x>4, t>6, t<=6, and rtr / !rtr (return-target flag selecting which call site foo returns to).

14 Control Logic
- Let N be the number of basic blocks; the PC variable needs ⌈log N⌉ bits
- Next-state logic of PC bit i:

    c_i' = \bigvee_{j : v'_{ij}=1} \Big( k_j \wedge \bigwedge_{p : v_{pj}=1} c_p \wedge \bigwedge_{p : v_{pj}=0} \neg c_p \Big)

15 Data Logic
- Simplify assignments in basic blocks
  - Sequential --> parallel
  - Pointers
- Assume a variable v_j
  - Assigned in blocks {b_1 … b_k} with expressions {L_j1 … L_jk}
  - Not assigned in blocks {b_k+1 … b_N}
- Next-state logic of v_j:

    v_j' = \bigvee_{i=1}^{k} \big( (c_1 \ldots c_n = b_i) \wedge L_{ji} \big) \;\vee\; \bigvee_{i=k+1}^{N} \big( (c_1 \ldots c_n = b_i) \wedge v_j \big)

16 Bounded Model Checking (BMC)
- Search for a bounded-length counterexample
- By unrolling steps of the program; no complete (fixpoint) traversal
- The formula is satisfiable if and only if a counterexample exists
- Checked by a SAT solver
Figure: the program unrolled into Step 1, Step 2, ..., Step n-1, Step n, fed by the input; the next state of each step is the present state of the following one (NS_1 = PS_2).
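The following added example (ours; not F-Soft's BMC engine) applies the bounded search idea of this slide to the bar()/foo() pair of slide 3. Each search step executes one program line of the transition system, the inputs (x, constrained by assume(x >= 0), and the value user() returns) are left open and explored exhaustively up to the bound rather than sampled, and the first path reaching a failed assert is returned as the counterexample. A real BMC encodes the unrolled steps as a propositional formula and hands it to a SAT solver; here a breadth-first enumeration plays the solver's role, so the depth bound and the "shortest counterexample" property carry over directly. Names, the x bound and the `"FAIL"` marker are ours.

```python
# Explicit-state bounded model check of slide 3's bar()/foo() pair.
# Added example; the search enumerates what a SAT-based BMC would encode symbolically.
from collections import deque

USER_RANGE = range(-1, 7)   # user(-1,6) may return any value in [-1, 6]


def step(state):
    """Yield every successor of (line, x, y); line 6 is the non-deterministic point."""
    line, x, y = state
    if line == 12:                       # assume(x >= 0): already enforced by the initial states
        yield (13, x, y)
    elif line == 13:                     # y = foo(x): enter foo at line 2
        yield (2, x, y)
    elif line == 2:
        yield (3, x, 2 * x)
    elif line == 3:
        yield (4, x, y) if y < 100 else (5, x, y)
    elif line == 4:
        yield (5, x, y + 50)
    elif line == 5:
        yield (6, x, y) if y == 50 else (7, x, y)
    elif line == 6:
        for u in USER_RANGE:             # y += user(-1,6)
            yield (7, x, y + u)
    elif line == 7:                      # return y to bar, line 14
        yield (14, x, y)
    elif line == 14:                     # assert(y >= 50)
        yield (15 if y >= 50 else "FAIL", x, y)


def bmc(x_bound, depth):
    """Shortest trace to a failed assertion within `depth` steps, for any
    0 <= x <= x_bound; None means no counterexample exists up to that bound
    (a proof for the bound only, not for longer runs or larger x)."""
    frontier = deque(((12, x, None), [(12, x, None)]) for x in range(x_bound + 1))
    for _ in range(depth):
        next_frontier = deque()
        while frontier:
            state, path = frontier.popleft()
            for nxt in step(state):
                if nxt[0] == "FAIL":
                    return path + [nxt]
                next_frontier.append((nxt, path + [nxt]))
        frontier = next_frontier
    return None


if __name__ == "__main__":
    trace = bmc(x_bound=100, depth=10)
    for line, x, y in trace:
        print(f"line {line}: x={x} y={y}")
```

The counterexample is the one the trace table on slide 3 reaches only after stepping through x = 0: y becomes 50 at line 4, line 6 adds -1, and the assertion at line 14 sees y = 49. With depth 8 the search reports nothing, because the failing step is the ninth transition, which is what "bounded" means here: a result of None is only evidence up to the bound.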

17 F-Soft Case Study: Network Protocol PPP
- Point-to-Point Protocol (PPP)
- Analyzed the LCP (link control protocol) part of PPP that establishes, configures, and tests a data-link connection
- Specification is given as RFC 1661
- Linux implementation contains about 2000 lines of C code
- Property: implementation adheres to specification

RFC 1661 state table (excerpt shown on the slide; events down the side, states across the top; cells the slide does not show are marked "–"):

    Event    | Req-Sent               | Opened
    Close    | Term-Req, goto Closing | Term-Req, goto Closing
    Conf-Ack | goto Ack-Rcvd          | goto Req-Sent
    Term-Ack | –                      | Conf-Req, goto Req-Sent
    Term-Req | –                      | Term-Ack, goto Stopping

Public implementation:

    static void fsm_rtermack(fsm *f) {
        switch (f->state) {
        /* other cases here */
        case OPENED:
            if ( f->callbacks->down )
                (*f->callbacks->down)(f);   /* informing upper layers */
            fsm_sconfreq(f, 0);
            break;
        }
    }

Missing: f->state = REQSENT;
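The "adheres to specification" property on this slide can be checked by running the implementation's handler against the RFC table cell for the same state and event. The following added example (ours; the real pppd code and F-Soft's harness are not reproduced) encodes the table cells visible on the slide, models the Term-Ack handler twice, once as shown and once with the missing assignment, and reports where each diverges from the spec. The state and event strings, the `Fsm` record and the function names are ours; which column the Term-Ack and Term-Req cells belong to follows our reading of the slide.

```python
# Conformance check of an LCP event handler against RFC 1661 table cells.
# Added example; names and encodings are ours.
from dataclasses import dataclass, field

# (state, event) -> (packets the spec says to send, next state), as shown on the slide.
SPEC = {
    ("Req-Sent", "Close"):    (["Term-Req"], "Closing"),
    ("Opened",   "Close"):    (["Term-Req"], "Closing"),
    ("Req-Sent", "Conf-Ack"): ([],           "Ack-Rcvd"),
    ("Opened",   "Conf-Ack"): ([],           "Req-Sent"),
    ("Opened",   "Term-Ack"): (["Conf-Req"], "Req-Sent"),
    ("Opened",   "Term-Req"): (["Term-Ack"], "Stopping"),
}


@dataclass
class Fsm:
    """Stand-in for the C `fsm` struct: current state plus what the callbacks did."""
    state: str
    sent: list = field(default_factory=list)   # packets handed to the send routines
    down_called: bool = False                   # (*f->callbacks->down)(f) was invoked


def rtermack_as_on_slide(f):
    """Receive-Terminate-Ack, Opened case, with the behaviour the slide shows."""
    if f.state == "Opened":
        f.down_called = True          # inform upper layers
        f.sent.append("Conf-Req")     # fsm_sconfreq(f, 0)
        # no state update here: the assignment the slide marks as missing


def rtermack_fixed(f):
    """Same handler with f->state = REQSENT added."""
    if f.state == "Opened":
        f.down_called = True
        f.sent.append("Conf-Req")
        f.state = "Req-Sent"


def check_against_spec(handler, state="Opened", event="Term-Ack"):
    """Run `handler` from `state` on `event` and compare with the RFC cell.
    Returns a list of mismatch descriptions; an empty list means conformant."""
    expected_sent, expected_state = SPEC[(state, event)]
    f = Fsm(state)
    handler(f)
    problems = []
    if f.sent != expected_sent:
        problems.append(f"sent {f.sent}, spec says send {expected_sent}")
    if f.state != expected_state:
        problems.append(f"state stays {f.state}, spec says goto {expected_state}")
    return problems


if __name__ == "__main__":
    for name, h in [("as on slide", rtermack_as_on_slide), ("fixed", rtermack_fixed)]:
        print(f"{name}: {check_against_spec(h) or 'conforms to RFC 1661'}")
```

The check reproduces the finding on the slide: the handler sends the Configure-Request the RFC asks for but leaves the automaton in Opened, so subsequent events are dispatched from the wrong row of the table. Extending `SPEC` with more cells and adding the other handlers turns the same loop into a conformance test over the whole excerpt.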

18 F-Soft Case Study: Floppy Disk Driver
- Important property: does the code obey the locking rules?
  - Rule 1: Only an unlocked resource can be locked.
  - Rule 2: Only a locked resource can be unlocked.

Disk driver implementation:

    VOID FloppyProcessQueuedRequests(IN OUT PDISKETTE_EXTENSION DisketteExtension)
    {
        PLIST_ENTRY headOfList;
        KeAcquireSpinLock(&DisketteExtension, &oldIrql);
        while ((headOfList = ExInterlockedRemoveHeadList(…)) != NULL) {
            currentIrp = CONTAINING_RECORD(headOfList, …);
            if (IoSetCancelRoutine(currentIrp, NULL))
                irpSp = IoGetCurrentIrpStackLocation(currentIrp);
            else { … }
            KeReleaseSpinLock(&DisketteExtension, oldIrql);
            if (currentIrp) { … }
            else switch (irpSp->MajorFunction) {
                case IRP_MJ_READ:
                case IRP_MJ_WRITE:
                    (VOID)FloppyReadWrite(DisketteExtension, currentIrp);
                    break;
                case IRP_MJ_DEVICE_CONTROL:
                    (VOID)FloppyDeviceControl(DisketteExtension, currentIrp);
                    break;
                default: …
            }
            if (currentIrp) FloppyPageEntireDriver();
            KeAcquireSpinLock(&DisketteExtension, &oldIrql);
        }
        KeReleaseSpinLock(&DisketteExtension, oldIrql);
    }

Property specified using automatically generated code (the property monitor replaces the lock API with stubs that track a single lock bit and abort on a rule violation):

    bool locked = FALSE;
    void KeAcquireSpinLock(…) { if (locked) abort(); locked = TRUE; }
    void KeReleaseSpinLock(…) { if (!locked) abort(); locked = FALSE; }
    void abort() { assert(0); }

19 F-Soft Case Study: Serial Device Driver
- Source code from WINDDK 3790 for Windows NT
- "Plug and Play" compliant serial 16550-based RS-232 driver
- Lines-of-code measures
  - 31,930 lines of C source code for this device driver
  - Additionally, > 600,000 lines of C code in included header files
- Property analyzed for this device driver
  - Alternating use of acquiring and releasing locks
- Among the 93 API functions
  - Basic F-Soft v0.3 proves 72 API functions correct within a few minutes
  - Improvements expected in follow-up releases
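Slides 18 and 19 check the same alternating lock/unlock property. The following added example (ours; not the generated monitor or the driver code) shows how that property monitor works when driven over every path of a model: the lock stubs become a `LockMonitor` that records a rule violation instead of aborting, the floppy routine is reduced to its lock calls and branch structure (how many queue entries the while loop dequeues), and every path up to a bound is run through the monitor. A constructed variant with a dropped release shows what a violation report looks like. Model and helper names are ours.

```python
# Lock-discipline monitor from slide 18, run over all paths of a control skeleton
# of FloppyProcessQueuedRequests.  Added example; models and names are ours.


class LockMonitor:
    """Rule 1: only an unlocked resource can be locked.
       Rule 2: only a locked resource can be unlocked.
    Same logic as the slide's KeAcquireSpinLock/KeReleaseSpinLock stubs, but the
    abort() is recorded as a message so every path can be examined."""

    def __init__(self):
        self.locked = False
        self.violation = None

    def acquire(self, where):
        if self.locked:
            self.violation = f"{where}: lock acquired while already held (rule 1)"
        self.locked = True

    def release(self, where):
        if not self.locked:
            self.violation = f"{where}: lock released while not held (rule 2)"
        self.locked = False


def floppy_model(mon, queue_nonempty_seq):
    """Control skeleton of the driver routine on slide 18.  Only the lock calls
    and the loop structure are kept; `queue_nonempty_seq` fixes the outcome of
    each ExInterlockedRemoveHeadList test, the final False ending the loop."""
    mon.acquire("entry")
    for nonempty in queue_nonempty_seq:
        if not nonempty:
            break
        mon.release("loop body")          # before dispatching on MajorFunction
        # ... FloppyReadWrite / FloppyDeviceControl / FloppyPageEntireDriver ...
        mon.acquire("loop end")           # re-acquire before testing the queue again
    mon.release("exit")
    return mon


def dropped_release_model(mon, queue_nonempty_seq):
    """Constructed defect for illustration: the release inside the loop is missing."""
    mon.acquire("entry")
    for nonempty in queue_nonempty_seq:
        if not nonempty:
            break
        mon.acquire("loop end")           # rule 1 violation once the loop runs
    mon.release("exit")
    return mon


def check_all_paths(model, max_iters):
    """Run `model` for every loop-iteration count 0..max_iters.
    Returns [(path, violation), ...]; an empty list means the property holds on
    all paths up to that bound."""
    bad = []
    for k in range(max_iters + 1):
        seq = [True] * k + [False]
        mon = model(LockMonitor(), seq)
        if mon.violation:
            bad.append((seq, mon.violation))
    return bad


if __name__ == "__main__":
    print("driver skeleton:", check_all_paths(floppy_model, 4) or "no violation")
    print("dropped release:", check_all_paths(dropped_release_model, 4))
```

The original routine's acquire/release pattern is balanced on every path, so the monitor stays silent; in the variant, the first path that executes the loop body hits rule 1 at the re-acquire. The verifier's job is the same check over the real control flow graph instead of this hand-built skeleton, with the path count bounded by its analysis rather than by `max_iters`.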

20 Conclusions
- Software verification can
  - Find tricky bugs that cannot otherwise be found by traditional methods
  - Improve software development productivity
- F-Soft provides an R&D framework for efficient SW verification
  - Controlling complexity by block-wise program analysis
  - Various techniques to reduce the program size
  - Boolean representation of C programs
  - Specialized heuristics for analysis of the program model

21 Thank you! Zijiang (James) Yang

