Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from

Published byDiane Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from"— Presentation transcript:

1 1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from http://research.microsoft.com/slam/presentations/spin2001.ppt

2 2 Checking API Usage Application C lib | DLL | COM |… API Does an application follow the “proper usage” rules of an API?

3 3 Temporal safety properties Something “bad” does not happen –Eg. A lock is never released without first being acquired Unlocked Locked Error U LL U

4 4 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

5 5 SLIC spec for Spinlock enum { Unlocked=0, Locked=1 } state = Unlocked; KeAcquireSpinLock.call { if (state==Locked) abort; else state = Locked; } KeReleaseSpinLock.call { if (state==Unlocked) abort; else state = Unlocked; } Unlocked Locked Error U LL U

6 6 Target program to validate do { KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; request = devExt->WriteListHeadVa; if(request && request->status){ devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else{ irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(&devExt->writeListLock); Question: Is locking protocol respected?

7 7 Safety to Reachability Program P SLIC spec S SLIC Program P satisfies specification S  Label ERROR is not reachable in P’ Instrumented Program P’

8 8 do { KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; request = devExt->WriteListHeadVa; if(request && request->status){ devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else { irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); enum { Unlocked=0, Locked } state = Unlocked; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if(state==Locked) slic_abort(); else state = Locked; } void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? Instrumented Program

9 9 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

10 10 Predicate abstraction by C2BP Instrumented program P’ Boolean program BP(P’,E0) C2BP Initial predicates E0 state==Locked, state==Unlocked

11 11 do { KeAcquireSpinLock_call(); skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; } } while (*); KeReleaseSpinLock_call(); skip; decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? Initial boolean Program

12 12 Model-check by BEBOP do { KeAcquireSpinLock_call(); skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; } } while (*); KeReleaseSpinLock_call(); skip; decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } {state==Unlocked}Æ :{state==Locked} :{state==Unlocked}Æ{state==Locked} reached ERROR label

13 13 The execution path to blame! do { KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock); nPacketsOld = nPackets; // s1 request = devExt->WriteListHeadVa; // s2 if(request && request->status){ // s3 devExt->WriteListHeadVa = request->Next; KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else { irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); // s4 KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock); enum { Unlocked=0, Locked } state = Unlocked; void slic_abort() { ERROR: // s6 } void KeAcquireSpinLock_call () { if(state==Locked) slic_abort(); // s5 else state = Locked; // s0 } void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked; } s0: state = Locked; s1: nPacketsOld = nPackets; s2: request = devExt->WriteListHeadVa; s3: assume(!request); s4: assume(nPackets != nPacketsOld); s5: assume(state==Locked); s6: ERROR:

14 14 Time for NEWTON s0:state = Locked; s1:nPacketsOld = nPackets; s2:request = devExt->WriteListHeadVa; s3:assume(!request); s4:assume(nPackets != nPacketsOld); s5:assume(state==Locked); s6:ERROR: LocationValueDependencies 0. stateLocked() 1. nPackets  () 2. nPacketsOld  1 3. devExt  () 4.  ->WriteListHeadVa  3 5. request  3, 4 ConditionsDependencies !(  )5 (  !=  )1, 2 New predicate! nPackets==nPacketsOld

15 15 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

16 16 do { KeAcquireSpinLock_call(); skip; b := T; // nPackets = nPacketsOld; skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; b := b ? F : *; // nPackets++; } } while(!b); // while (nPackets!=nPacketsOld); KeReleaseSpinLock_call(); skip; Variable b represents (nPackets==nPacketsOld) decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } Question: Is locking protocol respected? Equivalently: Is label ERROR reachable? The second boolean Program

17 17 Model-check again by BEBOP do { KeAcquireSpinLock_call(); skip; b := T; skip; if(*){ skip; KeReleaseSpinLock_call(); skip; if(*){ skip; } else { skip; } skip; b := b ? F : *; } } while(!b); KeReleaseSpinLock_call(); skip; * decl {state==Locked},{state==Unlocked} := F,T; void slic_abort() { ERROR: } void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F; } void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T; } {state==Unlocked}Æ :{state==Locked} :{state==Unlocked}Æ{state==Locked} reached ERROR label * T T T F

18 18 C program Boolean program c2bp bebop Fail, p Pass newton SLIC Instrumented C program predicates Error Spec. predicates Big picture of SLAM process

19 19 C2BP Automatic predicate abstraction of C What is the predicate language? –Pure C boolean expressions Input: a C program P and set of predicates E Output: a boolean program C2BP(P,E) that is –a sound abstraction of P –a precise abstraction of P Difficulties –procedures –pointers

20 20 BEBOP  Reachability analysis of boolean programs  Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis  Explicit representation of control flow  Implicit representation of reachable states via BDDs

21 21 NEWTON Symbolically executes (interprocedural) path in C program Checks for path infeasibility using decision procedures (theorem provers: Simplify, Vampyre) If infeasibility detected –Find weak(est) condition implying the infeasibility –Obtains new predicates

22 22 Contributions Use of boolean programs for program abstractions C2BP : the first automatic predicate abstraction tool for a full-scale language BEBOP : the first model checker to handle procedure calls using inter-procedural DFA Global analysis only on the boolean program abstractions : scalable…?

23 23 Defects Defects of SLAM –Uses a logical memory model Assumes for all i,j : p[i] = p[j] –No guarantee on the termination of iterative refinement Defects of the paper –No experimental results (describes their experiences only)

Download ppt "1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from"

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
Verification of parameterised systems

Verification of parameterised systems
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Similar presentations

Ads by Google