A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

Software model-checking
- Code → abstraction (flow sensitive) → model M: pushdown for interprocedural analysis, finite-state for intraprocedural analysis.
- Specification → logical formula f: mu-calculus, LTL, CTL, ...
- Model checker: does M satisfy f? Answer: Yes/No.

Logics for software model-checking
- The mu-calculus is the canonical temporal logic: fixpoints over sets of states; suitable for symbolic implementation; equivalent to alternating tree automata; decidable model-checking on pushdown systems; LTL and CTL are contained in it.
- Is the mu-calculus the best specification logic for procedural programs?

Problem #1
The mu-calculus cannot capture all properties of interest in pushdown models. (Figure: a program tree with edges labelled call, ret, local and a node labelled write(v).)
- Reachability: is write(v) reachable? Expressible in the mu-calculus as a least fixpoint over the successor modality.
- Local reachability: is write(v) reachable in the current context, i.e. within the current procedure's activation? This is the property the mu-calculus cannot express.

Problem #2
- Reachability in the mu-calculus: the formula itself describes a terminating symbolic computation on finite-state systems (intraprocedural analysis).
- Application: the mu-calculus is the "assembly language" of temporal-logic model-checkers such as NuSMV.
- What about pushdown models (interprocedural analysis)? Model-checking the mu-calculus on pushdown systems is decidable. But…
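
The terminating symbolic computation the slide refers to, as an added example (not code from the slides or the authors): reachability written as the standard least fixpoint mu X. (p \/ <>X) and evaluated by iterating the existential pre-image over sets of states of a finite-state, intraprocedural model. The model SUCC and its node names are constructed for illustration.

```python
from typing import Callable, Dict, Set

# Constructed finite-state model: control locations of one procedure and
# their successors.  No calls, so a plain successor relation is enough.
SUCC: Dict[str, Set[str]] = {
    "n0": {"n1", "n2"},
    "n1": {"n3"},
    "n2": {"n2"},      # self-loop: from n2 the target n3 is never reached
    "n3": set(),
}


def pre(model: Dict[str, Set[str]], states: Set[str]) -> Set[str]:
    """<>X: the states with at least one successor in X (existential pre-image)."""
    return {s for s, succ in model.items() if succ & states}


def lfp(f: Callable[[Set[str]], Set[str]]) -> Set[str]:
    """Least fixpoint mu X. f(X) by Kleene iteration from the empty set.
    Terminates because the state space is finite and f is monotone."""
    x: Set[str] = set()
    while True:
        nxt = f(x)
        if nxt == x:
            return x
        x = nxt


def reach(model: Dict[str, Set[str]], p: Set[str]) -> Set[str]:
    """States satisfying mu X. (p \\/ <>X): those from which some state in p
    is reachable.  Each iteration adds the states one step further away,
    so the formula *is* the algorithm on a finite-state model."""
    return lfp(lambda x: p | pre(model, x))
```

On SUCC, reach(SUCC, {"n3"}) needs three iterations ({n3}, then {n1, n3}, then {n0, n1, n3}) and excludes n2, whose only path loops forever. The following slides are about why this direct reading of the formula as an algorithm does not carry over unchanged to pushdown models.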

Our contributions
- A new fixpoint calculus, VP-mu, which extends LTL, CTL and the mu-calculus.
- Model-checking complexity on pushdown models: VP-mu EXPTIME; mu-calculus and CTL EXPTIME; reachability games EXPTIME.
- Properties captured: local, context-sensitive reachability; interprocedural dataflow involving local and global variables; pre/post-conditions; stack inspection; pushdown games; access control.
- Formulas encode symbolic, interprocedural summary computations.

Local reachability
(Figure: edges labelled call, ret, local; a node labelled write(v).) Is write(v) reachable in the current context?
- To jump across contexts, the specification needs to have a stack.
- Unfortunately, model-checking pushdown specifications on pushdown models is undecidable.

Visibility; structured trees
(Figure: a tree with edges labelled call, ret, local; nodes labelled p and q; procedures foo and bar.)
- Tree model = unfolding of the graph of configurations of a procedural program.
- Node of the tree = control state + stack + history.
- Procedure structure is visible via the edge labeling (call, ret, local).

Summary trees
(Figure: a subtree rooted at s with leaves u and v; edges labelled call, ret, local.)
- Visibility lets us chop a tree into subtrees that summarize contexts.
- We could jump across contexts if we could reason about concatenation.
- Summary of s: the subtree rooted at s, cut off at its matching returns; here the matching returns of s are {u, v}.

Logics on subtrees
(Figure: a subtree rooted at s with leaf u; local edges.)
- Mu-calculus formulas can be interpreted at subtrees rather than nodes: formulas denote sets of subtrees, and modalities argue about the full subtrees rooted at children.
- Why not a fixpoint calculus where formulas denote sets of summary trees and modalities argue about concatenation? Enter VP-mu.

Reasoning using summaries
(Figure: a summary rooted at s with leaf u; edges labelled call, ret, local.)
- Formulas denote sets of summaries.
- Trees are possibly infinite (unmatched paths).

One-step local reachability
(Figure only: a summary from s to its matching return u; edges labelled local, call, ret.)

Colored summary trees
(Figure: a summary tree with call edges.)
- The number of "leaves" (matching returns) is unbounded.
- Solution: assign the leaves k colors.
- Colors are defined by formulas on demand.

Using colors
(Figure only: a call edge; a leaf colored 1 at which q holds.)

Local reachability
(Figure: a summary with call edges; leaves colored 1.)
- Use a variable X to store sets of summaries.
- Compute a fixpoint of summaries: summaries are plugged into the computation (a symbolic computation).
- Does this remind you of interprocedural dataflow analysis?
- The local-reachability formula: reach a leaf colored 1.

The mu-calculus vs VP-mu
- The mu-calculus: fixpoints over full subtrees.
- VP-mu: fixpoints over summary trees.

Global and local program flow
- Very busy expression e (with operand x): along all paths, use(e) appears before x is written.
- If x is local, use a local-reachability-like specification.
- If e involves local as well as global variables, track them using a combination of reachability and local reachability.

Other properties
- Many other context- and flow-sensitive dataflow properties.
- Pre/post-conditions: if P is satisfied at a call and R holds within its scope, then Q holds on return.
- Stack inspection: if control reaches an unsafe procedure, then a guaranteeing procedure must be on the stack.
- If control has ever been in an unsafe procedure, then P must hold so long as control is in a critical procedure.
- Games where some procedures are owned by Attacker and others by Protector.
- Access control, stack boundedness, ...
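
The fixpoint over summaries sketched on the local-reachability slide, and the stack-inspection property listed just above, as one added example (not code from the slides or from the authors' tool). It runs on a constructed interprocedural control-flow graph whose procedures main, audit, unsafe and spin are hypothetical: a least fixpoint computes which procedures can return, summaries are then used to answer local reachability (taken here to mean "within the current activation", callee bodies skipped) and global reachability of write(v), and a final check asks whether every reachable activation of an unsafe procedure has a frame of a guaranteeing procedure on the stack. The summaries carry a single bit (does the callee return) instead of VP-mu's colored leaves, which is all reachability needs.

```python
from typing import Dict, Set, Tuple

# Constructed interprocedural CFG.  Each edge is (src, step, dst) with step
# either ("local",) or ("call", callee).  For a call edge, dst is the matching
# return point and is reached only if the callee returns.
PROGRAM = {
    "main": {"entry": "m0", "exit": "m_ex", "edges": [
        ("m0", ("call", "audit"), "m1"),
        ("m1", ("local",), "m2"),
        ("m2", ("call", "spin"), "m3"),    # spin never returns, so m3 is dead
        ("m3", ("local",), "m_ex"),
    ]},
    "audit": {"entry": "a0", "exit": "a_ex", "edges": [
        ("a0", ("call", "unsafe"), "a1"),  # the only call site of unsafe
        ("a1", ("local",), "a_ex"),
    ]},
    "unsafe": {"entry": "u0", "exit": "u_ex", "edges": [
        ("u0", ("local",), "u_ex"),
    ]},
    "spin": {"entry": "s0", "exit": "s_ex", "edges": [
        ("s0", ("call", "spin"), "s1"),    # unbounded recursion, no base case
        ("s1", ("local",), "s_ex"),
    ]},
}
# Atomic propositions: write(v) occurs inside unsafe and, unreachably, in main.
LABELS: Dict[str, Set[str]] = {"u0": {"write(v)"}, "m3": {"write(v)"}}


def intra_reachable(program, proc: str, start: str, returns: Dict[str, bool]) -> Set[str]:
    """Nodes of `proc` reachable from `start` within the same activation.
    Local edges are followed; call edges are jumped over using the callee's
    return summary, so callee bodies are never entered."""
    seen, work = {start}, [start]
    while work:
        n = work.pop()
        for src, step, dst in program[proc]["edges"]:
            if src == n and dst not in seen and (step[0] == "local" or returns[step[1]]):
                seen.add(dst)
                work.append(dst)
    return seen


def returns_summary(program) -> Dict[str, bool]:
    """Least fixpoint over summaries: can each procedure's entry reach its exit?
    Start from 'nobody returns' and promote a procedure once a path to its exit
    exists using only callees already known to return."""
    returns = {p: False for p in program}
    changed = True
    while changed:
        changed = False
        for p, body in program.items():
            if not returns[p] and body["exit"] in intra_reachable(program, p, body["entry"], returns):
                returns[p] = changed = True
    return returns


def local_reach(program, labels, proc: str, node: str, prop: str) -> bool:
    """Local reachability: some node of the current activation of `proc`,
    reachable from `node`, satisfies `prop`."""
    returns = returns_summary(program)
    return any(prop in labels.get(n, set()) for n in intra_reachable(program, proc, node, returns))


def reachable_activations(program, guard: str, main: str = "main") -> Set[Tuple[str, bool]]:
    """Pairs (proc, guard_on_stack) for every activation reachable from the
    initial configuration (entry of main, empty stack).  The flag is the only
    fact about the stack the property needs, so no stack is ever stored."""
    returns = returns_summary(program)
    start = (main, main == guard)
    seen, work = {start}, [start]
    while work:
        proc, guarded = work.pop()
        body = intra_reachable(program, proc, program[proc]["entry"], returns)
        for src, step, _ in program[proc]["edges"]:
            if src in body and step[0] == "call":
                nxt = (step[1], guarded or step[1] == guard)   # callee's own frame counts
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return seen


def global_reach(program, labels, prop: str, main: str = "main") -> bool:
    """Global reachability: `prop` holds at some node of some reachable
    activation, in whatever context that activation runs."""
    returns = returns_summary(program)
    for proc, _ in reachable_activations(program, guard="", main=main):
        if any(prop in labels.get(n, set())
               for n in intra_reachable(program, proc, program[proc]["entry"], returns)):
            return True
    return False


def stack_inspection_holds(program, unsafe: str, guard: str, main: str = "main") -> bool:
    """Stack inspection: whenever control is in `unsafe`, a frame of `guard`
    is on the stack."""
    return (unsafe, False) not in reachable_activations(program, guard, main)
```

On this program write(v) is globally reachable (inside unsafe, called from audit), yet not locally reachable from main's entry, because main's own write(v) sits behind a call to spin, which never returns; the return summary is what lets the analysis discover that without unfolding spin's infinite recursion. Stack inspection holds with audit as the guaranteeing procedure and fails with spin as the guard, since unsafe is reached while no spin frame is on the stack.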

Model-checking
(Figure: a configuration of an interprocedural control-flow graph with procedures foo and bar; a tree node in bar with matching returns u and v.)
- A configuration is a control node plus a stack; a tree node additionally carries the history.
- Stackless summaries: a summary records the control node at its root and the control nodes at its matching returns, with the stack dropped.
- It is enough to consider stackless summaries: history doesn't matter (there is no past operator), and the stack stays the same between a call and its matching return.
- But stackless summaries are finite in number! So the same symbolic algorithm as for the mu-calculus applies, with stackless summaries replacing states.

Expressiveness
- The mu-calculus is contained in VP-mu.
- CARET (Alur, Etessami, Madhusudan 2004) is contained in VP-mu.
- Satisfiability of VP-mu is undecidable, whereas even monadic second-order logic on trees has decidable satisfiability.
- Subsequent result: VP-mu = visibly pushdown alternating parity tree automata [Visibly pushdown tree languages, Alur, Chaudhuri, Madhusudan; submitted, draft available on homepage]. This is the analog of the equivalence between the mu-calculus and alternating parity tree automata.

Conclusions
- VP-mu extends LTL, CTL and the mu-calculus. Model-checking complexity on pushdown models: VP-mu EXPTIME; mu-calculus and CTL EXPTIME; reachability games EXPTIME.
- Applications: local, context-sensitive reachability; interprocedural dataflow involving local and global variables; pre/post-conditions; stack inspection; pushdown games; access control.
- The mu-calculus: intraprocedural fixpoints. VP-mu: interprocedural fixpoints.

Current work
1. Modular specifications for static analysis and security; a model-checker for C code applying the ideas presented here.
2. A unified theory of visibly pushdown automata, fixpoint calculi over summaries, and quantifier logics.