Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verification of parameterised systems

Published byMargaret Armstrong Modified over 9 years ago

Similar presentations

Presentation on theme: "Verification of parameterised systems"— Presentation transcript:

1 Verification of parameterised systems
Automatic Predicate Abstraction of C Programs Shilpa Seshadri Universität Paderborn Prof. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert

2 Agenda Motivation Introduction C2BP Algorithm SLAM Toolkit Future Work
Conclusion Discussion Automatic Predicate Abstraction of C Programs April 15, 2017

3 Motivation Model checking
Verification technique for a finite state system Widely used for validation and debugging Sometimes, State-space explosion limits the use of tools Hence, model checkers operate on abstractions of systems Software systems are typically infinite state systems Abstraction is critical Predicate abstraction of programs is implemented – One approach Model checking finite state  check an abstraction of a software system Automatic Predicate Abstraction of C Programs April 15, 2017

4 Model Checking Algorithmic exploration of state space of the system
Several advances in the past decade: symbolic model checking symmetry reductions partial order reductions compositional model checking bounded model checking using SAT solvers Most hardware companies use a model checker in the validation cycle Automatic Predicate Abstraction of C Programs April 15, 2017

5 Abstraction Model Checker Input Program Infinite state Finite state
void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { tail=(tail+1)%size; return buffer[tail]; Program Infinite state Finite state Automatic Predicate Abstraction of C Programs April 15, 2017

6 Abstraction (A simplified view)
Abstraction is an effective tool in verification Given a transition system, we want to generate an abstract transition system which is easier to analyze However, we want to make sure that If a property holds in the abstract transition system, it also holds in the original (concrete) transition system Automatic Predicate Abstraction of C Programs April 15, 2017

7 Abstraction (A simplified view)
If the property does not hold in the abstract transition system, what can we do? We can refine the abstract transition system (split some states that we merged) The refined transition system should still be an abstraction of the concrete transition system Then, we can recheck the property again on the refined transition system If the property does not hold again, we can refine again Automatic Predicate Abstraction of C Programs April 15, 2017

8 Abstraction Refinement Loop
No error or bug found Initial Abstraction Verification Actual Program Model Checker Boolean Program Spurious counterexample Abstraction refinement Automatic Predicate Abstraction of C Programs April 15, 2017

9 Predicate Abstraction
An automated abstraction technique which can be used to reduce the state space of a program The basic idea here is to remove some variables from the program by just keeping information about a set of predicates about them Predicate abstraction is a technique for doing such abstractions automatically Automatic Predicate Abstraction of C Programs April 15, 2017

10 A Very Simple Example Assume that we have two integer variables x,y
We want to abstract the program using a single predicate “x=y” We will divide the states of the program to two: The states where “x=y” is true The states where “x=y” is false, i.e., “xy” We will then merge all the states in the same set This is an abstraction Basically, we forget everything except the value of the predicate “x=y” Automatic Predicate Abstraction of C Programs April 15, 2017

11 A Very Simple Example We will represent the predicate “x=y” as the boolean variable B in the abstract program “B=true” will mean “x=y” and “B=false” will mean “xy” Assume that we want to abstract the following program which contains only one statement: y := y+1 Automatic Predicate Abstraction of C Programs April 15, 2017

12 Predicate Abstraction, Step 1
Calculate preconditions based on the predicate {x = y + 1} y := y + 1 {x = y} Using our temporal logic notation we can say something like: {x=y+1}  AX{x=y} precondition for B being true after executing the statement y:=y+1 {x  y + 1} y := y + 1 {x  y} Again, using our temporal logic notation: {x≠y+1}  AX{x≠y} precondition for B being false after executing the statement y:=y+1 Automatic Predicate Abstraction of C Programs April 15, 2017

13 Predicate Abstraction, Step 2
Use decision procedures to determine if the predicates used for abstraction imply any of the preconditions x = y  x = y + 1 ? No x  y  x = y + 1 ? No x = y  x  y + 1 ? Yes x  y  x  y + 1 ? No Automatic Predicate Abstraction of C Programs April 15, 2017

14 Predicate Abstraction, Step 3
Generate abstract code Predicate abstraction wrt the predicate “x=y” IF B THEN B := false ELSE B := true | false y := y + 1 1) Compute preconditions 3) Generate abstract code x = y  x = y + 1 ? No {x = y + 1} y := y + 1 {x = y} x  y  x = y + 1 ? No {x  y + 1} y := y + 1 {x  y} x = y  x  y + 1 ? Yes 2) Check implications x  y  x  y + 1 ? No Automatic Predicate Abstraction of C Programs April 15, 2017

15 Automatic Predicate Abstraction
1st proposed by Graf & Saidi & reflected in T Ball’s work Concrete states are mapped to abstract states under a finite set of predicates Designed and implemented for Finite state systems Infinite state systems specified as Guarded Commands Not implemented for a programming language such as C Automatic Predicate Abstraction of C Programs April 15, 2017

16 Predicate Abstraction of C (c2bp)
Performs automatic predicate abstraction of C programs Input: a C program P and set of predicates E predicate = pure C boolean expression Output: a boolean program BP(P,E) that is a sound abstraction of P a precise (boolean) abstraction of P Results separate compilation (predicate abstraction) in presence of procedures and pointers ET 15 Automatic Predicate Abstraction of C Programs April 15, 2017

17 Predicate abstraction by C2BP
program P C2BP Boolean program BP(P,E) predicates E Automatic Predicate Abstraction of C Programs April 15, 2017

18 Boolean program BP(P, E):
a C program with bool as type - plus some additional constructs same control structure as P Given P : a C program E = {e1,...,en} : set of C boolean expressions over the variables in P No side effects, no procedure calls Produces a boolean program B Same control-flow structure as P Properties true of B are true of P Automatic Predicate Abstraction of C Programs April 15, 2017

19 Formal Properties of C2BP
soundness B has a superset of the feasible paths in P If {ei} is true (false) at some point on a path in B, then ei is true (false) at that point along a corresponding path in P complexity linear in size of program exponential in number of predicates Automatic Predicate Abstraction of C Programs April 15, 2017

20 BEBOP model checker A Symbolic Model Checker for Boolean Programs
Performs inter procedural dataflow analysis using binary decision diagrams (BDDs) Used to analyze the boolean program Based on Context-free Language (CFL) reachability (see Glossary) Automatic Predicate Abstraction of C Programs April 15, 2017

21 What is SLAM? Counterexample-driven refinement
SLAM is a software model checking project at Microsoft Research Goal: Automatically check C programs (system software) against safety properties using model checking Safety property – “something good happens” . An example: a lock is never released without first being acquired Application domain: device drivers Counterexample-driven refinement terminates in practice Keep this short!!! Automatic Predicate Abstraction of C Programs April 15, 2017

22 SLAM Input Analysis Output API usage rules
client C source code “as is” Analysis create, explore and refine boolean program abstractions Output Error traces (minimize noise) Verification (soundness) ET 8 Automatic Predicate Abstraction of C Programs April 15, 2017

23 Source Code Rules Static Driver Verifier Development Testing Precise
API Usage Rules (SLIC) Software Model Checking Read for understanding New API rules Drive testing tools Rules Static Driver Verifier Defects 100% path coverage Development Testing elapsed time: 2 Source Code April 15, 2017 Automatic Predicate Abstraction of C Programs

24 SLAM Toolkit SLAM toolkit was developed to find errors in windows device drivers Windows device drivers are required to interact with the windows kernel according to certain interface rules SLAM toolkit has an interface specification language called SLIC (Specification Language for Interface Checking) which is used for writing these interface rules The SLAM toolkit instruments the driver code with assertions based on these interface rules Automatic Predicate Abstraction of C Programs April 15, 2017

25 Windows Device Drivers & SLIC
Kernel presents a very complex interface to driver stack of drivers NT kernel multi-threaded Correct API usage described by finite state protocols SLIC Finite state language for stating rules monitors behavior of C code temporal safety properties familiar C syntax elapsed time: 4 Automatic Predicate Abstraction of C Programs April 15, 2017

26 Newton Given an error path p in boolean program B, it checks
is p a feasible path of the corresponding C program? Yes: found an error No: find predicates that explain the infeasibility Uses the same interfaces to the theorem provers as c2bp. Automatic Predicate Abstraction of C Programs April 15, 2017

27 How SLAM does it Model checking a C program is not feasible! Still model checking is very effective on model level ... Idea: automatically extract an (abstract) model from C source. But even this is hard: which aspects should be retained and hidden?? how to extract?? Idea: Start with a very abstract model, whose extraction is quite trivial. Incrementally refine the abstraction as needed. Automatic Predicate Abstraction of C Programs April 15, 2017

28 Traditional approach FSM Finite state machines Source code
model checker FSM Finite state machines Source code Sequential C program Automatic Predicate Abstraction of C Programs April 15, 2017

29 SLAM Data flow analysis implemented using BDDs Push down model
checker Data flow analysis implemented using BDDs Push down model Finite state machines Boolean program FSM abstraction C data structures, pointers, procedure calls, parameter passing, scoping,control flow Source code Sequential C program Automatic Predicate Abstraction of C Programs April 15, 2017

30 SLAM Soundness Idea: SLAM constructs sound abstractions!
Therefore, theorem: Every possible execution path of P is a possible execution path of A. Therefore, theorem : If A is a constructed abstraction of P, A preserves P’s control structure. paths(P)  paths(A) So, if A satisfies the SLIC spec; so does P ! Automatic Predicate Abstraction of C Programs April 15, 2017

31 SLAM completeness Unfortunately, the reverse of the previous theorem is generally not true  an execution path (including an error path) in A may not be an execution path in P so, an error found in A may be a false error If A produces false errors, we can try to refine it (to make it more precise) to a new model A’ ; so an A’ such that: (suggesting an iterative procedure....) paths(P)  paths(A’)  paths(A) Automatic Predicate Abstraction of C Programs April 15, 2017

32 SLAM main iteration Program P Instrument Program Property φ
Instrumented program P' Initial predicates Abstraction No. Then refine the abstraction Abstraction A of P' is  feasible in P ? Model checking: A |= φ ? violation by an error path  yes! But verification is generally undecidable; hence this iteration may not terminate. no violation Property φ is invalid Property φ is valid Automatic Predicate Abstraction of C Programs April 15, 2017

33 Pointers and SLAM Abstracting from a language with pointers (C) to one without pointers (boolean programs) is a challenge With pointers, C supports call by reference Strictly speaking, C supports only call by value With pointers and the address-of operator, one can simulate call-by- reference Boolean programs support only call-by-value-result SLAM mimics call-by-reference with call-by-value-result Extra complications: address operator (&) in C multiple levels of pointer dereference in C Automatic Predicate Abstraction of C Programs April 15, 2017

34 Challenges of predicate abstraction
Pointers: two related sub-problems treated in a uniform way assignments through de-referenced pointers in original C- program pointers & pointer-dereferences in the predicates for the abstraction Procedures: allow procedural abstraction in Boolean programs. They also have: global variables procedures with local variables call-by-value parameter passing procedural abstraction – signatures constructed in isolation Automatic Predicate Abstraction of C Programs April 15, 2017

35 Cont’d … Procedure calls: abstraction process is challenging in the presence of pointers after a call the caller must conservatively update local state modified by procedure sound and precise approach that takes side-effects into account Unknown values: it is not always possible to determine the effect of a statement in the C-program in terms of the input predicate set E such non-determinism handled in BP via non-deterministic control expression ‘*’ which allows to implicitly express 3- valued domain for boolean variables Automatic Predicate Abstraction of C Programs April 15, 2017

36 Assumption over a C-program:
All inter-procedural control flow is by if and goto All expressions are free of side-effects & short-circuit evaluation All expressions do not contain multiple pointer dereferences (e.g. **p) Function calls occur at topmost level of expressions Automatic Predicate Abstraction of C Programs April 15, 2017

37 Weakest Precondition For a statement ‘s’ and a predicate ‘φ’ , let WP(s, φ) denote the weakest liberal precondition of φ with respect to ‘s’ For assignment statement, By definition WP(x = e, φ) is φ with all occurrences of x replaced with e, denoted φ[e/x] For example WP(x=x+1, x<5) = (x+1) < 5 = (x<4) Given S and Q, what is the weakest P’ satisfying {P’} S {Q} ? P' is called the weakest precondition of S with respect to Q, written WP(S, Q) to check {P} S {Q}, check P  P’ C2BP uses decision procedures (i.e., a theorem prover) to strengthen the weakest precondition Automatic Predicate Abstraction of C Programs April 15, 2017

38 SLAM Future Work More impact More features More languages
Static Driver Verifier (internal, external) More features Heap abstractions Concurrency More languages C# and CIL Automatic Predicate Abstraction of C Programs April 15, 2017

39 Predicate abstraction overview
PA Problem: given (P, E) where P is a C-program E = {φ1, …, φn} is a set of pure boolean C-expressions over variables and constants of the C-language Compute BP(P, E) which is a boolean program that has some control structure as P contains only boolean variables V = {b1, …, bn} where bi = {φi} represents predicate φi guaranteed to be an abstraction of P (superset of traces modulo …) Automatic Predicate Abstraction of C Programs April 15, 2017

40 SLAM – Software Model Checking
SLAM innovations boolean programs: a new model for software model creation (c2bp) model checking (bebop) model refinement (newton) SLAM toolkit built on MSR program analysis infrastructure SLAM is Microsoft’s fully automated tool to verify the correctness of C programs More info: Keep this short!!! Automatic Predicate Abstraction of C Programs April 15, 2017

41 Glossary Model checking
Checking properties by systematic exploration of the state-space of a model. Properties are usually specified as state machines, or using temporal logics Safety properties Properties whose violation can be witnessed by a finite run of the system. The most common safety properties are invariants Reachability Specialization of model checking to invariant checking. Properties are specified as invariants. Most common use of model checking. Safety properties can be reduced to reachability. Boolean programs “C”-like programs with only boolean variables. Invariant checking and reachability is decidable for boolean programs. Predicate A Boolean expression over the state-space of the program eg. (x < 5) Predicate abstraction A technique to construct a boolean model from a system using a given set of predicates. Each predicate is represented by a boolean variable in the model. Weakest precondition The weakest precondition of a set of states S with respect to a statement T is the largest set of states from which executing T, when terminating, always results in a state in S. Automatic Predicate Abstraction of C Programs April 15, 2017

42 Thank You for your Attention!
Questions are welcome Automatic Predicate Abstraction of C Programs April 15, 2017

Download ppt "Verification of parameterised systems"

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Timed Automata.

Timed Automata.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google