Presentation is loading. Please wait.

Presentation is loading. Please wait.

Thomas Ball Sriram K. Rajamani

Published byAdelia Small Modified over 8 years ago

Similar presentations

Presentation on theme: "Thomas Ball Sriram K. Rajamani"— Presentation transcript:

1 Thomas Ball Sriram K. Rajamani http://research.microsoft.com/slam/ http://msrweb/slam

2 Checking API Usage Application C lib | DLL | COM |… API Does an application follow the “proper usage” rules of an API?

3 One Application: W2k Device Drivers Device Driver NT Kernel IO Manager API Does a device driver acquire and release spin locks properly?

4 Device Drivers and SLAM Device Driver API Rules (SLIC) IO Manager Interface

5 State Machine For Locking UnlockedLockedError U L L U state { int locked = 0; } Lock.call { if (locked==1) abort; else locked = 1; } UnLock.call { if (locked==0) abort; else locked = 0; }

6 Demo

7 State Machine For Irp Handling init pending Error IoMarkIrpPending return:status != STATUS_PENDING complete IoCompleteRequest return: status == STATUS_PENDING

8 IRP Complete/Pending Rule state { enum {Init, Complete, Pending} s = Init; } IoCompleteRequest.call{ if ( s != Init) abort; else s = Complete; } IoMarkIrpPending.call{ if( s != Init) abort; else s = Pending; } Dispatch.exit{ if (s == Complete) { if ($return == STATUS_PENDING) abort; } else if (s == Pending) { if( $return != STATUS_PENDING) abort; }

9 Goal: Run the state machine through all paths in the program Problem: Too many paths! Solution: State based search Problem : False alarms! Solution : Better abstraction

10 False alarm do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

11 False alarm do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

12 False alarm do { KeAcquireSpinLock(); nPacketsOld = nPackets; b := true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b := b? false : *; } } while (nPackets != nPacketsOld); KeReleaseSpinLock();

13 False alarm do { KeAcquireSpinLock(); nPacketsOld = nPackets; b := true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b := b? false : *; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); b b b b b b !b

14 False alarm do { KeAcquireSpinLock(); nPacketsOld = nPackets; b := true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b := b? false : *; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); b b b b b b !b

15 C program Boolean program c2bp bebop Fail, p Pass newton GOLF SLIC CFG + VFG predicates Error GUI Spec. predicates

16 Key Ideas Inexpensive whole program analysis (GOLF) Local abstraction step to produce an abstraction for the property of interest (c2bp) State-based search on the abstraction (bebop) Automated refinement of abstractions (newton)

17 Bebop  Performs reachability analysis of boolean programs  Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis  Explicit representation of control flow  Implicit representation of reachable states via BDDs  Complexity of algorithm is O( E  2 n ) E = size of interprocedural control flow graph n = max. number of variables in the scope of any label

18 c2bp: Automatic Predicate Abstraction of C  What is the predicate language? Pure C boolean expressions  Input: a C program P and set of predicates E  Output: a boolean program c2bp(P,E) that is a sound abstraction of P a precise abstraction of P  Difficulties procedures pointers

19 C2bp Philosophy  Computing a precise Boolean abstraction is too expensive unnecessary for C deterministic concrete semantics  Exploit ideas from program analysis and symbolic model checking Off-line computation of abstract transfer function Attribute (predicate) independence Disjunctive completion Focus operation Static partitioning of states by control points Implicit representation of stack in boolean program

20 c2bp(P,E) Statement in P: s : nPackets = nPackets+1; Predicates in E: e : (nPacketsOld==nPackets) Weakest Precondition: pre(s,e): nPacketsOld==nPackets+1 Strengthened WP: F(pre(s,e)): false

21 c2bp(P,E) Statement in P: s : nPackets = nPackets+1; Predicates in E: e : (nPacketsOld==nPackets) Weakest Precondition: pre(s,!e): !(nPacketsOld==nPackets+1) Strengthened WP: F(pre(s,!e)): e

22 c2bp(P,E) bool choose(bool pos,bool neg) = true if pos=true false if neg=true * pos=neg=false choose not well defined for pos=neg=true In general, given statement s and predicates { e1,…, en }: {e1},…,{en} := choose(F(pre(s,e1),F(pre(s,!e1))), …, choose(F(pre(s,en),F(pre(s,!en))); O(2n*2 n )O(2n*n c )

23 WP and pointers Statement in P: s : *p = *p + 1 Predicates in E: e : (x==2) WP: WP(s,e): x==2 ???

24 Morris’ Axiom of Assignment Statement in P: s : *p = *p + 1 Predicates in E: e : (x==2) WP: WP(s,e): ((p!=&x) and x==2) or ((p==&x) and x==1)

25 WP and pointers Statement in P: s : *p = *p + 1 Predicates in E: e : (x==2) WP: WP(s,e): x==2 if we can show p can never point to x, using points-to-analysis

26 c2bp  Processes one statement at a time Assignments, conditionals, procedure call/return  Computes WP and strengthens it theorem prover (Simplify,Vampyre)  Alias queries one-level flow flow-insensitive PTA of Das [PLDI’00]

27 c2bp Soundness:  have to consider aliasing  have to consider side effects of procedure calls [Ball-Majumdar-Millstein-Rajamani PLDI 01] [Ball-Millstein-Rajamani, Tech-report] Precision:  formalized declaratively as an abstract interpretation [Ball-Podelski-Rajamani TACAS 01]

28 On-line Abstraction: State = Bit Vector each abstract step during model checking requires O(2 n ) theorem prover queries bb post bb n k

29 On-line Abstraction: Set of States = Single Tri-vector each abstract step during model checking  c  b requires O(2n) theorem prover queries cc cc bb post bb

30 SLAM - Off-line Abstraction: Set of States = Set of Tri-vectors each abstract step during model checking requires O(2n*k) operations, k=O(2 n ) c2bpbebop

31 c2bp Number of theorem prover calls: Worst case : O(|P|. 2 |E| ) Practice: O(|P|. |E| 3 )

32 Newton  Symbolically executes (interprocedural) path in C program  Checks for path infeasibility using decision procedures  If infeasibility detected Minimizes inconsistent conditions Obtains new predicates

33 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : Conditions :

34 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  Conditions :

35 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) Conditions :

36 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  Conditions :

37 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  (4)  ->WLHeadVa:  (3) Conditions :

38 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  (4)  ->WLHeadVa:  (3) (5) request:  (3,4) Conditions :

39 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  (4)  ->WLHeadVa:  (3) (5) request:  (3,4) Conditions : !  (5)

40 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  (4)  ->WLHeadVa:  (3) (5) request:  (3,4) Conditions : !  (5)  !=  (1,2)

41 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) (3)devExt:  (4)  ->WLHeadVa:  (3) (5) request:  (3,4) Conditions :  !=  (1,2)

42 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Store : (1)nPacketsOld:  (2)nPackets:  (1) Conditions :  !=  (1,2)

43 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Predicates: (nPacketsOld ==  ) (nPackets ==  ) (  !=  )

44 Example nPackets = nPacketsOld; request = devExt->WLHeadVa; assume(!request); assume(nPackets != nPacketsOld); Predicates: (nPacketsOld != nPackets)

45 Example (2) assume(x > y); y := y - 1; assume ( !(x > y)); Store : Conditions :

46 Example (2) assume(x > y); y := y - 1; assume ( !(x > y)); Store : (1)x :  (2) y :  Conditions :  >  (1,2)

47 Example (2) assume(x > y); y := y - 1; assume ( !(x > y)); Store : (1)x :  (3) y :  - 1 (2) Conditions :  >  (1,2) History : (2) y : 

48 Example (2) assume(x > y); y := y - 1; assume ( !(x > y)); Store : (1)x :  (3) y :  - 1 (2) Conditions :  >  (1,2) !(  >  -1 ) (1,3) History : (2) y : 

49 Example (2) assume(x > y); y := y - 1; assume ( !(x > y)); Predicates : y ==  y ==  - 1 x > 

50 Related Work  VCGen based tools ESC-Java [Leino-Nelson-et al.] Proof-Carrying Code [Lee-Necula] PREfix [Pincus-et al.]  Model Checking of Software Using an abstract model Bandera [Hatcliff-Dwyer-et al.] FeaVer [Holzmann] FLAVERS [Clarke-Osterweil-et al.] Metal [Engler] By gaining control over the scheduler Java Path Finder [Visser-et al.] Verisoft [Godefroid] Java model checker [Stoller]

51 Related Work  Model checkers Temporal logic model checking [Clarke-Emerson][Sifakis][Vardi-Wolper] Symbolic model checking BDDs [Bryant] SMV [McMillan, Clarke] Model checking of Hiearchical FSMs [Alur,Grosu], [Alur, Yannakakis, et al.], [Benedikt,Godefroid,Reps]  Abstract Interpretation [Cousot-Cousot]  Program Analysis shape analysis [Sagiv-Reps-Wilhelm]  Predicate Abstraction [Graf-Saidi][Das-Dill-Park]  Dataflow analysis=Model Checking + Abstract Interpretation [Steffen-Schmidt]  Counterexample driven refinement [Kurshan, Clarke-Grumberg-Jha-Lu-Veith ]  Temporal safety property checking as type checking [DeLine-Fahndrich]  ESP [Das]

52 Future Directions  New Models boolean programs lack expressivity  The Heap pointer logics recursive types  Concurrency predicate abstraction for an Owicki/Gries-style logic?  Scaling reinvestigate assume/guarantee for software

53 SLAM Papers  The SLAM Process Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball, Sriram K. Rajamani, SPIN 2001 The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV 2001 Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report 2000-14  Boolean Programs Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE 2001 Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN 2000.  Predicate Abstraction of C Programs Automatic Predicate Abstraction of C Programs, Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, PLDI 2001 Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR Technical Report 2001-10 Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001  Concurrency Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001

54 Thanks to…  Sagar Chaki (CMU)  Rupak Majumdar (UC Berkeley)  Todd Millstein (U Washington)  Andreas Podelski(MPI)  Members of Software Productivity Tools group and PPRC

55 Summary  Fully automated way to check temporal safety properties of software interfaces  Tools are based on novel ideas interprocedural dataflow with BDDs (bebop) predicate abstraction of C (c2bp) predicate discovery (newton)  Demonstration on Windows 2000 device drivers

56 Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/ http://msrweb/slam/

Download ppt "Thomas Ball Sriram K. Rajamani"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.

Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
Verification of parameterised systems

Verification of parameterised systems
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Similar presentations

Ads by Google