Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language Design and Imple- mentation, 2001
“Can software help programmers write better software?”
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C programs SLAM project
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C programs SLAM project
Model Checking A specific technique of formal verification Given a model of a system, test automatically whether this model meets a given specification
Formal Verification Formal Verification Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property To help mathematically prove the correctness of a software or hardware system
The Model checking problem Let M be a Kripke structure (i.e., state- transition graph) Let f be a formula of temporal logic (i.e., the specification) Find all states s of M such that M,s ├ f
A typical model checking system Figure 1. A typical model checking system
Kripke Structure A Kripke structure is a type of nondeterministic finite state machine proposed by Saul Kripke, used in model checking Let the set of atomic propositions AP = {p,q}. p and q can model arbitrary boolean properties of the system that the Kripke structure is modelling M may produce a path ρ = s 1,s 2,s 1,s 2,s 3, s 3,s 3,... (potentially infinite) Figure 2. Kripke Structure
How to model-check Basic Procedure: 1. Describe the system as a finite state model 2. Express properties in temporal logic 3. Formal Verification by automatic exhaustive search over the state space Use a model checker to check properties
Temporal logic Used to describe any system of rules for representing propositions in terms of time Statements in temporal logic: "I am always hungry“ "I will eventually be hungry“ "I will be hungry until I eat something“ Temporal logics describe the ordering of events in time without introducing time explicitly. The meaning of a temporal logic formula is determined with respect to a labeled state- transition graph or Kripke structure.
Abstraction of model What if the model is infinite-like ? Using abstraction Any effort to model check software must first construct an abstract model of the software Predicate Abstraction- A promising approach to construct abstractions automatically (which will be covered later)
What is a model checker A model checker is a software tool that given a description of a Kripke model M... ... and a property φ decides whether M ├ φ returns “yes” if the property is satisfied, otherwise returns “no”, and provides a counterexample
What is a model checker Figure 3. The model Checker
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C programs SLAM project
Why it is important software bugs are so common that their cost to the American economy alone is $60 billion a year or about 0.6% of gross domestic product (NIST)
Why it is important? Some errors in software systems are expensive: Space Mission Failed: A bug caused 370- million dollar failure in 1996, which is $514 to $686 million in 2010 (Flight 501) While some are pretty annoying: “Bill Gates: 5% of Windows Machines Crash More Than Twice A Day”
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C programs SLAM project
A wide Variety of model checkers Name a few: For C programs: BLAST (Berkeley) CMBC (Carnegie Mellon) CPA checker(U of Passau, Germany) SLAM(Microsoft Research) Others: SPIN (Bell Lab, System Software Award-2001)
SLAM “software (specifications), programming languages, abstraction, and model checking” SLAM is a program-analysis engine of the SDV tool used to check if clients of an API follow the API’s stateful usage rules SLAM toolkit, include C2BP, BEBOP, NEWTON is the analysis engine of the SDV tool
SLAM2 The improved version of SLAM With under 4% false alarms
SDV Static Driver Verifier (SDV): Compile-time verification tool Ships with Windows 7 Driver Kit (WDK) Less than 4% false alarms on real drivers Supports many driver APIs (WDM, KMDF, NDIS, …) Uses SLAM as the verification engine Based on CEGAR loop Boolean abstraction of input C programs API-specific components: environment model API rules in SLIC language
Driver’s Source Code in C Precise API Usage Rules (SLIC) Defects 100% path coverage Rules Static Driver Verifier Environment model Static Driver Verifier Figure 4. SDV
Usage SDV 2.0 is applied as an automatic and required quality gate for Windows 7 device drivers SLAM is distributed as part of the Windows Driver Development Kit
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C programs SLAM project
Challenges in applying model checking to C program Pointers (alias problem) Procedures( signature) unknown values (*) Lots of predicate states
Outline What is model checking Why it is important Current state of the art Challenges in applying model checking to C program SLAM project
SLAM Project SLIC C Program P Instrumented C program P’ C2BP Boolean Program BP(E,P’) Bebop Error Path Feasible No, refine the Predicate, gen- erate new BP Yes, An error found Program Bug Figure 5. The SLAM realization of CEGAR loop
CEGAR In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms
SLIC SLIC: Specification Language for Interface Checking SLIC is a subset of the C language augmented with elements that identify the events of interest. Next slide, an example of a SLIC language and the instructed C program based on that
Figure 6. To check that a spinlock cannot be acquired without it first being released, and that a spinlock cannot be released twice
Figure 7. The BP of the instructed C program. The first and second iterations of Bebop and Newton
Figure 8. Slic Specification for Proper Usage of Spin Locks, and (b) Its Compilation into C Code. Example 2
Figure 9. (a) A snippet of device driver code P, and (b) program P0 resulting from instrumentation of program P due to Slic specification in Figure 8
Figure 10. The C code of the Slic specification from Figure 1(b) compiled by C2bp into a boolean program.
Figure 11. The two boolean programs created while checking the code from Figure 9 (b)
How well it works Experience of SLAM works on device drivers that have hundred's or thousand’s lines of codes
How well it works There are true errors found in the device driver when running SLAM on them
Conclusion Slam toolkit outcomes the challenges in applying model checking to C programs Slam is appropriate to use on large scale C programs and on device drivers written in C The SDV tool has already been used in model checking device drivers for Windows 7 before they come to market
References Measure the buying power of US dollar at different times Bill Gates Talk hines_Crash_More_Than_Twice_A_Day Symbolic Model Checking Building a better bug-trap The SLAM project
Thank you!