Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs."— Presentation transcript:

1 1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs

2 2 Software Reliability Testing –dominant methodology –costly –test coverage problem Static checking –combats test coverage by considering all paths –Type systems –very effective for certain type errors –Extended Static Checking –targets errors missed by type systems

3 3 Extended Static Checking Targets errors not caught by type system –array bounds errors –division by zero –null dereference –assertions –API usage rules don’t write to a closed file don’t acquire a lock you already hold –method preconditions, postconditions –object invariants

4 4 ESC/Java Example class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } } //@ invariant den != 0; //@ requires d != 0; Warning: possible division by zero Warning: invariant possibly not established Warning: precondition possibly not established

5 5 ESC/Java Experience Tested on 40+ KLOC (Java front end, web crawler,...) Finds software defects! Useful educational tool Annotation cost significant –100 annotations per KLOC –3 programmer-hours per KLOC Annotation overhead significantly limits widespread use of extended static checking Why do we need these annotations?

6 6 ESC/Java Architecture The translator “understands” the semantics of Java. An error condition is a logical formula that, ideally, is satisfiable if and only if the program contains an error. The satisfiability checker is invisible to users. Satisfying assignments are turned into precise warning messages. ESC/Java Java program + Annotations Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages Index out of bounds on line 218 Method does not preserve object invariant on line 223

7 7 Generating Error Conditions Error condition ( x =0) )  (  (x =0) ) Code if (x < 0) { x := -x; } //@ assert x >= 0; Source code translated into error condition Error condition should be satisfiable if code may fail an assertion p = q  f’ = store(f, p, 3)  select(f’, q) = 0 p := q; p.f := 3; //@ assert q.f != 0;

8 8 Error Condition Logic terms t ::= x | f(t) constraints c ::= p(t) formulae e ::= c |  c | e  e | e  e |  y. e theories of equality, linear arithmetic, select+store some heuristics for universal quantification logic cannot express iteration or recursion

9 9 ESC/Java Architecture The translator uses specifications to “translate away” procedure calls The error condition is expressed in first-order logic with theories; it cannot express recursion Indicates: Bad program Bad specification Insufficient spec ESC/Java Program + procedure specifications Translator Error conditions Satisfiability checker Satisfying assignment Post-processor Warning messages Method does not establish postcondition Index out of bounds on line 218

10 10 Verifun Checker “Annotation-free” Extended Static Checker Statically check assertions, API usage rules,... No need for annotations –no loop invariants –no procedure specifications Uses extended logic that can encode recursion

11 11 Query: Given d, is e satisfiable? Constraint Logic Programming –[Jaffar and Lassez, POPL’87] –Efficient implementations! Error Condition Logic terms t ::= x | f(t) constraints c ::= p(t) formulae e ::= c |  c | e  e | e  e |  y. e theories for equality, linear arithmetic, select+store | r(t) user-defined relation symbols r definitions d ::= r(x) :- e

12 12 Error Conditions in CLP int fact(int i) { if (i == 0) return 1; int t = fact(i-1); assert t > 0; return i*t; } Emain() :- Efact(j) void main() { int j = readInt(); fact(j); } Tfact(i, r) :- ( i = 0  r = 1)  ( i != 0  Tfact(i-1,t)  t>0  r=i*t ) Efact(i) :- i != 0  ( Efact(i-1)  (Tfact(i-1, t)  t <= 0 )) Transfer relation Tfact(pre-state,post-state) relates pre and post states of executions of fact Error relation Efact(pre-state) describes pre-states from which fact may go wrong CLP has least fixpoint semantics CLP Query: Is Emain() satisfiable?

13 13 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Efficient implementations –Sicstus Prolog (depth-first)

14 14 Rational Example class Rational { int num, den; Rational(int n, int d) { num = n; den = d; } int trunc() { return num/den; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() ); } } }

15 15 Error Condition for Rational in CLP t_rat(AllocPtr, Num, Den, N, D, This, AllocPtrp, Nump, Denp) :- AllocPtrp is AllocPtr+1, This = AllocPtrp, aset(This,Den,D,Denp), aset(This,Num,N,Nump). t_readInt(R). e_trunc(This, Num, Den) :- aref(This,Den,D), {D = 0}. e_loop(I, This, Num, Den) :- e_trunc(This, Num, Den). e_loop(I, This, Num, Den) :- {I<10000, Ip=I+1}, e_loop(Ip,This, Num, Den). e_main :- AllocPtr = 0, ;; no objs allocated new_array(Num), ;; initialise arrays encoding fields Num new_array(Den), ;; and Den t_readInt(D), t_readInt(N), {D =\= 0}, t_rat(AllocPtr, Num, Den, D, N, This, AllocPtrp, Nump, Denp), e_loop(0, This, Nump, Denp).

16 16 Checking Rational with CLP Get error condition, a constraint-logic program Feed into CLP implementation (SICStus Prolog) –explicitly explores all paths through EC –symbolically considers all data values, eg, for n,d using theory of linear arithmetic –quickly finds that the EC is satisfiable –gives satisfying derivation for EC –can convert to program execution trace that crashes with division-by-zero error

17 17 Checking Factorial with CLP Feed EC into CLP implementation (SICStus Prolog) –explicitly explores all paths through EC –infinitely many paths –all paths are ok –CLP implementation diverges! Can modify error condition to bound recursion depth Automatic bounded model checking for software –efficient symbolic analysis for linear arithmetic,...

18 18 Program correctnessCLP satisfiability Imperative Software Constraint Logic Programming Bounded software model checking Predicate abstraction & counter-example driven predicate refinement –SLAM, BLAST Efficient implementations –Sicstus Prolog (depth-first) –Tableau methods –Subsumption CLP implementation technique –Avoids considering all paths –Verifun CLP satisfiability checker under development

19 19 Verifun Architecture Uses predicate abstraction and counter-example driven predicate refinement to check satisfiability of EC, without exploring all paths Error message includes an execution trace that violates desired correctness property. Verifun Program (without annotations) Translator Error condition (CLP) Satisfiability Checker for CLP Satisfying CLP derivation Post-processor Error trace

20 20 Unit of Development Programmers work on “unit of development” Interfaces between such units must be specified –reasonable to make specifications formal Use Verifun to check unit of development with respect to its specification

21 21 Related Work Program checking –Stanford Pascal Verifier –ESC/M3, ESC/Java –SLAM, BLAST –(many, many non-EC approaches) Automatic theorem proving –Simplify, SVC, CVC Constraint Logic Programming –[Jaffar and Lassez, POPL’87], SICStus Prolog, …

22 22 Summary Deep connection between –correctness of imperative programs with pointers, heap allocation, aliasing,... –satisfiability of CLP queries Verifun Checker –annotation-free extended static checker –statically check assertions, API usage rules,... –interprocedural ECs are constraint logic programs.

23 23 The End

Download ppt "1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages

Similar presentations

Ads by Google