# Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

## Presentation on theme: "Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research."— Presentation transcript:

α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research

α ϒ ʎ …… Satistiability Modulo Theories SAT = Boolean sort, Boolean connectives Decidable in NP SMT = SAT + decidable theories Decidable in NP if all theories are in NP *

α ϒ ʎ …… Satistiability Modulo Theories Examples of theories: – Linear Arithmetic – Uninterpreted functions – Fixed-size bitvectors – Arrays – Etc.

α ϒ ʎ …… Reachability Modulo Theories // variables var x: int var M: int  int // assignments x := expr // procedures call foo(x); // conditions assume expr assert expr SMT Finite number of variables (possibly arrays) Finite number of procedures RMT: Is there an execution that violates an assertion?

α ϒ ʎ …… Example 1 assert false;

α ϒ ʎ …… Example 2

α ϒ ʎ …… RMT Searches for Bugs – Undecidable, but recursively enumerable – Search for proofs: not recursively enumerable Single-procedure RMT – In NP Bounded recursion RMT – Decidable – NEXPTIME-complete

α ϒ ʎ …… RMT Single-Procedure RMT: NP  f (w, x, y, z) holds iff f(w) can return (x,y,z)

α ϒ ʎ …… RMT Single-Procedure RMT: NP L1: assume c(L1) L2: assume c(L1) L3: assume c(L1) b(L1) == c(L1)  (b(L2)  b(L3)) b(L1) == c(L1)  (b(L2)  b(L3)) E(L1)

α ϒ ʎ …… Bounded RMT

α ϒ ʎ …… Static Inlining Given: Bounded RMT Find: An assertion violation foo bar baz foo barbaz foo barbazbar baz foo … ……… Expensive, even if assertion is simple Runs out of memory in VC construction Expensive, even if assertion is simple Runs out of memory in VC construction Recursion bound

α ϒ ʎ …… Stratified Inlining procedure main() { x := e1; y := e2; if(*) { call foo(x); } assume y == 5; … call y := bar(); assert y == 5; } procedure main() { x := e1; y := e2; if(*) { call foo(x); } assume y == 5; … call y := bar(); assert y == 5; } Q: Violate assert without going into calls? A: If yes, then “Unsafe” A: If no, then continue Q: Violate assert assuming calls can do anything? A: If no, then “Safe” A: If yes, inline all procedures on the trace Repeat … havoc globals havoc y, globals inline bar

α ϒ ʎ …… Stratified Inlining Inline on demand foo barbaz foo barbazbar baz foo bar assume false summaries foo Z3 false summ -ary

α ϒ ʎ …… Stratified vs. Static Inlining

α ϒ ʎ …… Corral Architecture

α ϒ ʎ …… Variable Abstraction Not all variables would be relevant for the given assertions – G: All (global) variables – T: Tracked variables – Drop writes to (G – T) – Make reads to (G – T) non-deterministic

α ϒ ʎ …… Variable Abstraction Untracked variables can take any value x := e x := e tracked(x) && tracked(e) x := * tracked(x) && tracked(e) skip tracked(x) assert e assert e tracked(e) assert false tracked(e) [Kurshan ‘94]

α ϒ ʎ …… Refinement Current set: T ⊆ G – Abstract(Program, T) has a buggy trace   is spurious – Abstract( , T) is feasible, Abstract( , G) is infeasible What is the smallest set T’ to track such that: – T ⊆ T’ – Abstract( , T’) is infeasible SAT UNSAT ??

α ϒ ʎ …… Refinement Naïve algorithm: linear scan of (G – T) Our algorithm: divide-and-conquer – Best case: log |G – T| – Worst case: 2 * |G – T| – Complexity: O(a log |G – T|) where a is the extension to T

α ϒ ʎ …… Refinement Parametric Abstraction – Introduce Boolean constant b v for each v ∊ (G – T) x := y + 1 if(b x && b y ) { x := y + 1; } else if(b x && b y ) { x := *; } else { skip; }

α ϒ ʎ …… Refinement MINIMAL-UNSAT-CORE F F F F F F F F F F F F F F F F F F T T T T T T T T T T T T T T T T T T SAT UNSAT

α ϒ ʎ …… Refinement Let Refine(T,D) be the minimum extension to T that doesn’t intersect with D – That is: T  Refine(T,D)  G - D Algorithm: 1.Let P1, P2 = Partition(G – T – D) 2.S1 = Refine(T  P2, D) 3.Return Refine(T  (S1  P1), D  (S1 - P1))

α ϒ ʎ …… Refinement F F T T F F F F F F F F F F F F F F F F F F F F F F F F F F F F SAT UNSAT F F F F F F F F T T T T T T T T F F T T F F F F T T T T T T T T Partition and freeze Recurse F F T T F F F F F F F F T T T T Switch partition

α ϒ ʎ …… Example: a = 1 F F F F F F F F F F F F F F F F F F F F F F F F T T T T T T T T F F F F F F F F F F F F F F F F F F F F F F F F T T T T T T T T 1 F F F F F F F F F F F F T T F F log(n/2) T T F F F F F F T T T T T T T T T T F F F F F F F F F F F F F F T T F F F F F F F F F F F F F F 1

α ϒ ʎ …… Refinement Results

α ϒ ʎ …… C→Boogie Boogie C.NET.NET→Boogie Corral Reachable Unreachable Corral eco-system ?? ??→Boogie

α ϒ ʎ …… Device Driver Verification Windows OS Hardware Device Drivers DDI / Kernel API 1500+ DDIs

α ϒ ʎ …… Static analysis of Device Drivers Ships with Windows Verify correct DDI usage – Temporal rules: Never call IoCompleteRequest while holding a spin lock. Attempting to complete an IRP while holding a spin lock can cause deadlocks. http://msdn.microsoft.com/en-us/library/ff548343(VS.85).aspx http://msdn.microsoft.com/en-us/library/ff548343(VS.85).aspx – Pre-conditions: Call IoAttachDevice only at IRQL == PASSIVE http://msdn.microsoft.com/en-us/library/windows/hardware/ff547763(v=vs.85).aspx http://msdn.microsoft.com/en-us/library/windows/hardware/ff547763(v=vs.85).aspx Internally, uses verification tools – Pre Windows 8.1: SLAM – Post Windows 8.1: Corral/Yogi Static Driver Verifier

α ϒ ʎ …… SDV: Demo

α ϒ ʎ …… Corral Replaces SLAM SDV team has tested Corral on 33000 problems and decided to ship Corral in SDV in Windows 8.1 Corral vs. SLAM2 – Lost defects: < 1% – New defects: > 17% – Performance improvement dramatic on larger drivers: Reduction in NURs by 2.5X

α ϒ ʎ …… Speedup: SLAM vs. Corral

α ϒ ʎ …… Applications GetMeHere! – Debugging.NET applications – Answers one key question: “how can execution get to this point?” Enabling research in security of online services – Discovers security attacks in software models of online services – Innovative mitigation based on symbolic validation of online transactions

α ϒ ʎ …… Concurrency // variables var x: int var M: int  int // assignments x := expr // procedures call foo(x); // Threads async call foo(x) RMT: Is there an execution that violates an assertion? Solution: we reduce concurrent RMT to sequential RMT using “sequentialization”

α ϒ ʎ …… What is sequentialization? Qadeer-Wu 2004, L-Reps 2008 Given a concurrent program P, construct a sequential program Q such that Q  P A few choices – Drop each occurrence of async-call – Convert each occurrence of async-call to call A sequentialization must capture “interesting” interaction among concurrently-executing tasks

α ϒ ʎ …… Parameterized sequentialization Given a concurrent program P, construct a family of programs Q i such that – Q 0  Q 1  Q 2  …  P –  i Q i = P “Interesting” behaviors of P must manifest in Q i for low values of i

α ϒ ʎ …… Context-bounding Qadeer-Rehof 2005 Captures a notion of interesting executions in concurrent programs Under-approximation parameterized by K ≥ 0 – executions in which each thread gets at most K contexts to execute – as K  , we get all behaviors Small bounds reveal concurrency Heisenbugs (Musuvathi-Qadeer 2007)

α ϒ ʎ …… CBA vs. SMV Bugs: All occurred in 6 context switches or fewer Performance: CBA(K = 7) is 30 times faster than SMV

α ϒ ʎ …… Context-bounding is sequentializable L-Reps 2008 For any concurrent program P and K ≥ 0, there is a sequential program Q K that captures all executions of P up to context bound K Simple source-to-source transformation – linear in |P| and K – each global variable is copied K times

α ϒ ʎ …… Sequentialization Vectorize the global state (x, y) (x 1, y 1 ) (x k, y k ) (x K, y K ) … … k k (y+1, y) x := y + 1 (x 1, y 1 ) (y k +1, y k ) (x K, y K ) … … k k x k := y k + 1 For statement st, let st[i] be its renaming for the i th copy of shared variables

α ϒ ʎ …… Program rewriting if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if st var s: T; (T 1 || T 2 ); var s: T; (T 1 || T 2 ); var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume Consistency } var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume Consistency }

α ϒ ʎ …… Sequentialization f1 t1 = c2 assume f3 == t1 f2 t1 f3 t2 f3 t3 f2 t2 f1 f2 t1 = f3 t2 t3 k = 1 k ++ T1( ) k = 1 k ++ T2( ) Theorem: If the concurrent program can go from (s = s init ) to a state (s = s final ) in K context switches per thread then the sequential program can go from (s1 = s init ) to (sK = s final ) s1s2

α ϒ ʎ …… Program rewriting if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if if(k == 1) then st[1] else if(k == 2) then st[2] … end if if(k ≤ K and *) then k ++ end if st var s: T; (T 1 || T 2 ); assert φ(s) var s: T; (T 1 || T 2 ); assert φ(s) var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume (s1 == c2  …  s{K-1} == cK) assert φ(sK) } var k: int var s1, …, sK: T; proc main(c2, …, cK) { s2 := c2; …; sK := cK; k := 1 T1( ) k := 1 T2( ) assume (s1 == c2  …  s{K-1} == cK) assert φ(sK) } Speculated state is Input to the program Verify speculated state is valid

α ϒ ʎ …… Conclusions Corral is available in open-source form – http://corral.codeplex.com http://corral.codeplex.com – invitation to contribute to the Corral eco-system Research needed to improve scalability – mutable aliasing – indirect control transfer – concurrency What are the new applications?

Download ppt "Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research."

Similar presentations