Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani. In PLDI 01: Programming Language Design and Implementation, 2001. Presented by Yifan Li, November 22nd.

“Can software help programmers write better software?”

Outline  What is model checking  Why it is important  Current state of the art  Challenges in applying model checking to C programs  SLAM project


Model Checking
- A specific technique of formal verification
- Given a model of a system, automatically check whether the model satisfies a given specification

Formal Verification
- Formal verification is the act of proving or disproving the correctness of the intended algorithms underlying a system with respect to a formal specification or property
- Its purpose is to mathematically establish the correctness of a software or hardware system

The Model Checking Problem
- Let M be a Kripke structure (i.e., a state-transition graph)
- Let f be a formula of temporal logic (i.e., the specification)
- Find all states s of M such that M, s ⊨ f

A typical model checking system. Figure 1. A typical model checking system

Kripke Structure
- A Kripke structure is a type of nondeterministic finite state machine proposed by Saul Kripke and used in model checking
- Let the set of atomic propositions be AP = {p, q}; p and q model arbitrary Boolean properties of the system that the Kripke structure describes
- M may produce a path ρ = s1, s2, s1, s2, s3, s3, s3, ... (potentially infinite)
Figure 2. Kripke structure

How to Model-Check
Basic procedure:
1. Describe the system as a finite-state model
2. Express the properties in temporal logic
3. Verify by automatic exhaustive search of the state space, using a model checker to check the properties

Temporal Logic
- Any system of rules for representing propositions qualified in terms of time
- Statements in temporal logic: "I am always hungry", "I will eventually be hungry", "I will be hungry until I eat something"
- Temporal logics describe the ordering of events in time without introducing time explicitly
- The meaning of a temporal logic formula is determined with respect to a labeled state-transition graph, i.e. a Kripke structure

Abstraction of the Model
- What if the model is infinite, or too large to enumerate? Use abstraction
- Any effort to model check software must first construct an abstract model of the software
- Predicate abstraction is a promising approach to constructing such abstractions automatically (covered later)

What is a Model Checker
A model checker is a software tool that
- given a description of a Kripke model M and a property φ,
- decides whether M ⊨ φ,
- returns "yes" if the property is satisfied,
- otherwise returns "no" and provides a counterexample

What is a model checker Figure 3. The model Checker

Outline  What is model checking  Why it is important  Current state of the art  Challenges in applying model checking to C programs  SLAM project

Why it is Important
- Software bugs are so common that their cost to the American economy alone is $60 billion a year, about 0.6% of gross domestic product (NIST)

Why it is Important
Some errors in software systems are expensive:
- Space mission failed: a software bug caused a $370 million loss in 1996 (Ariane 5 Flight 501), which is $514 to $686 million in 2010 dollars
While some are merely annoying:
- "Bill Gates: 5% of Windows Machines Crash More Than Twice A Day"

Outline  What is model checking  Why it is important  Current state of the art  Challenges in applying model checking to C programs  SLAM project

A Wide Variety of Model Checkers
To name a few, for C programs:
- BLAST (Berkeley)
- CBMC (Carnegie Mellon)
- CPAchecker (University of Passau, Germany)
- SLAM (Microsoft Research)
Others:
- SPIN (Bell Labs; ACM Software System Award, 2001)

SLAM
- "software (specifications), programming languages, abstraction, and model checking"
- SLAM is a program-analysis engine that checks whether clients of an API follow the API's stateful usage rules
- The SLAM toolkit, consisting of C2BP, Bebop and Newton, is the analysis engine of the SDV tool

SLAM2
- The improved version of SLAM
- Under 4% false alarms

SDV
Static Driver Verifier (SDV): a compile-time verification tool
- Ships with the Windows 7 Driver Kit (WDK)
- Less than 4% false alarms on real drivers
- Supports many driver APIs (WDM, KMDF, NDIS, ...)
- Uses SLAM as the verification engine, based on a CEGAR loop over a Boolean abstraction of the input C program
- API-specific components: an environment model and API rules written in the SLIC language

Figure 4. SDV. Inputs: the driver's source code in C, precise API usage rules (SLIC) and an environment model; output: defects, with 100% path coverage

Usage
- SDV 2.0 is applied as an automatic and required quality gate for Windows 7 device drivers
- SLAM is distributed as part of the Windows Driver Development Kit

Outline  What is model checking  Why it is important  Current state of the art  Challenges in applying model checking to C programs  SLAM project

Challenges in Applying Model Checking to C Programs
- Pointers (the aliasing problem)
- Procedures (calls must be handled across procedure boundaries)
- Unknown values (nondeterministic choice, written *)
- State explosion: the number of predicate valuations grows exponentially with the number of predicates

Outline  What is model checking  Why it is important  Current state of the art  Challenges in applying model checking to C programs  SLAM project

SLAM Project
Figure 5. The SLAM realization of the CEGAR loop: a SLIC specification and a C program P are combined into an instrumented C program P'; C2BP abstracts P' into a Boolean program BP(E, P'); Bebop checks BP for an error path; if no path is feasible, the predicates are refined and a new BP is generated; if a path is feasible, an error has been found and a program bug is reported

CEGAR
- Counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine the over-approximation, so that provably false alarms are eliminated

SLIC
- SLIC: Specification Language for Interface Checking
- SLIC is a subset of the C language augmented with elements that identify the events of interest
- Next slide: an example of a SLIC specification and the C program instrumented according to it

Figure 6. Checking that a spin lock cannot be acquired again before it has been released, and that a spin lock cannot be released twice

Figure 7. The Boolean program of the instrumented C program, and the first and second iterations of Bebop and Newton

Figure 8. (a) SLIC specification for proper usage of spin locks, and (b) its compilation into C code. Example 2

Figure 9. (a) A snippet of device driver code P, and (b) the program P' resulting from instrumentation of P according to the SLIC specification in Figure 8

Figure 10. The C code of the SLIC specification from Figure 8(b), compiled by C2BP into a Boolean program

Figure 11. The two boolean programs created while checking the code from Figure 9 (b)
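The CEGAR loop of Figure 5, the spin-lock rule of Figures 6 and 8, and the "yes / no plus counterexample" behaviour of the model checker (Figures 1 and 3), worked through in code. This is an added example written for this page, not code from the SLAM paper or toolkit. Everything in it is constructed: the program (a loop shaped like the driver snippet of Figure 9), its initial state, and the bounded value domain. Two simplifications stand in for real SLAM components: the abstract transitions are computed by enumerating that finite domain (existential abstraction by brute force) where C2BP would query a theorem prover, and the refinement step adds the branch guard at which a concrete replay of the abstract counterexample gets stuck, where Newton would derive new predicates symbolically. All function and variable names are the example's own.

```python
"""Explicit-state model checking plus a CEGAR loop over predicate abstraction.
Added example for this page, not code from the SLAM paper or toolkit. The
program, its initial state and the bounded value domain are constructed here;
the comments on boolean_program() and replay() say what is simplified."""
from collections import deque
from itertools import product

ERR = "ERR"  # pseudo-location entered when the spin-lock rule is violated

# Control-flow graph: pc -> [(guard, update, next_pc)]. Guards and updates are Python
# expressions over lock, n (nPackets) and old (nPacketsOld); they are constants in this
# file, run by the tiny interpreter below (a real tool parses C instead).
PROGRAM = {
    "L0": [("lock == 0", "lock = 1", "L1"),          # KeAcquireSpinLock()
           ("lock == 1", "", ERR)],                  # acquiring a held lock
    "L1": [("True", "old = n", "L2")],               # nPacketsOld = nPackets
    "L2": [("True", "", "L3"), ("True", "", "L5")],  # if (req && req->status): unknown value
    "L3": [("lock == 1", "lock = 0", "L4"),          # KeReleaseSpinLock()
           ("lock == 0", "", ERR)],                  # releasing a free lock
    "L4": [("True", "n = (n + 1) % 4", "L5")],       # nPackets++ (wrapped to keep the domain finite)
    "L5": [("n != old", "", "L0"),                   # } while (nPackets != nPacketsOld)
           ("n == old", "", "L6")],
    "L6": [("lock == 1", "lock = 0", "L7"),          # KeReleaseSpinLock()
           ("lock == 0", "", ERR)],
    "L7": [], ERR: [],
}
# Constructed buggy variant: the release inside the if branch is forgotten.
BUGGY = dict(PROGRAM, L2=[("True", "", "L4"), ("True", "", "L5")])

INIT = {"lock": 0, "n": 0, "old": 0}
DOMAIN = [{"lock": l, "n": n, "old": o} for l, n, o in product((0, 1), range(4), range(4))]
INITIAL_PREDS = ["lock == 1"]  # the SLIC state variable is where C2BP starts

def holds(expr, state):
    return bool(eval(expr, {}, dict(state)))

def execute(update, state):
    new = dict(state)
    if update:
        exec(update, {}, new)
    return new

def abstract(state, preds):
    # Abstract state = vector of predicate values (the Boolean program's variables).
    return tuple(holds(p, state) for p in preds)

def boolean_program(program, preds):
    """Existential abstraction (C2BP's job): (pc, a) -> (pc', a') iff some concrete state
    in DOMAIN abstracting to a has a successor abstracting to a'. Brute-force enumeration
    here; C2BP asks a theorem prover instead."""
    edges = {}
    for pc, branches in program.items():
        for s in DOMAIN:
            for guard, update, nxt in branches:
                if holds(guard, s):
                    src, dst = (pc, abstract(s, preds)), (nxt, abstract(execute(update, s), preds))
                    edges.setdefault(src, set()).add(dst)
    return edges

def find_error_path(edges, init):
    """Explicit-state reachability (Bebop's job): shortest abstract path to ERR, or
    None when ERR is unreachable, i.e. the rule holds on the abstraction."""
    parent, queue = {init: None}, deque([init])
    while queue:
        cur = queue.popleft()
        if cur[0] == ERR:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None

def replay(program, path):
    """Feasibility check (Newton's job): follow the counterexample's pc sequence concretely
    from INIT. Returns (True, None) for a real bug, or (False, guard) naming the branch
    condition the spurious path violates; that guard becomes the refinement predicate."""
    state = dict(INIT)
    for (pc, _), (nxt, _) in zip(path, path[1:]):
        blocked = None
        for guard, update, target in program[pc]:
            if target == nxt and holds(guard, state):
                state = execute(update, state)
                break
            if target == nxt:
                blocked = guard
        else:
            return False, blocked
    return True, None

def cegar(program, preds=INITIAL_PREDS, max_iter=8):
    """Returns ('safe', predicates, iterations) or ('bug', pc_trace, iterations)."""
    preds = list(preds)
    for it in range(1, max_iter + 1):
        path = find_error_path(boolean_program(program, preds), ("L0", abstract(INIT, preds)))
        if path is None:
            return "safe", preds, it
        feasible, guard = replay(program, path)
        if feasible:
            return "bug", [pc for pc, _ in path], it
        preds.append(guard)  # refine: the next Boolean program tracks this guard too
    return "unknown", preds, max_iter

if __name__ == "__main__":
    print(cegar(PROGRAM))  # ('safe', ['lock == 1', 'n != old'], 2)
    print(cegar(BUGGY))    # ('bug', ['L0', 'L1', 'L2', 'L4', 'L5', 'L0', 'ERR'], 2)
```

On either program the first iteration produces the same spurious path: with only the lock state tracked, the Boolean program can loop back to L0 while the lock is held, so Bebop reports a double acquire. Replaying that path concretely gets stuck at the loop condition, and adding nPackets != nPacketsOld as a predicate is exactly what the second iteration needs: the correct loop is then proved safe, while the variant that forgets the inner release yields a feasible trace ending in ERR, i.e. a real rule violation.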

How Well it Works
- SLAM has been run on device drivers of hundreds to thousands of lines of code

How Well it Works
- Running SLAM on these device drivers found true errors in them

Conclusion
- The SLAM toolkit overcomes the challenges of applying model checking to C programs
- SLAM is suitable for large-scale C programs and for device drivers written in C
- The SDV tool has already been used to model check Windows 7 device drivers before they ship

References
1. Measuring the buying power of the US dollar at different times
2. Bill Gates talk: "5% of Windows Machines Crash More Than Twice A Day" (hines_Crash_More_Than_Twice_A_Day)
3. Symbolic Model Checking
4. Building a better bug-trap
5. The SLAM project

Thank you!