Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented for CMSC631 by Iulian Neamtiu
2 Goal: Validate temporal safety properties using model checking SLAM Project, Microsoft Research
3
4 Motivation Large-scale software – many components, many programmers Integration testing Impossible Ineffective at best Fuzzy requirements -> inconsistent implementation Consistent requirements -> inconsistent implementation (Jim Larus)
5 SLAM Approach Modules interact properly… If program observes temporal safety properties of interfaces it uses temporal safety = properties whose violation is witnessed by a finite execution trace, i.e. path to ERROR state State temporal safety properties formally Automatic verification Interface compliance checked statically (catch bugs early)
6 SLAM Process prog. P’ prog. P SLIC rule boolean program path predicates slic C2BP BEBOP NEWTON Language for specifying safety properties Generate abstract boolean program from C code Model checker Predicate discoverer
7 SLAM - formally 1. P’ a C program, E i ={e 1,e 2,…,e n } a set of predicates, apply C2BP to create a boolean program BP(P’,E i ) 2. Apply BEBOP to check whether exists a path p i in BP(P’,E i ) that reaches ERROR state if p i not found, terminate with SUCCESS if p i found go to 3 3. Use NEWTON to check p i feasible If p i feasible, terminate with FAILURE If p i not feasible find set F i of predicates that explains infeasibility 4. E i+1 = E i UF i+1, i=i+1, go to 1
8 Example – device driver do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Prove safety – “something bad does not happen” (lock acquired/released twice)
9 Step 0 – Property Specification typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } SLIC Specification = FSM Global state State transitions (events)
10 Instrumented Program P’ Step 1 - Instrumentation do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E:E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } Program PSLIC Specification
11 Step 0 - Specification Step 1 - Instrumentation Step 2 - Abstraction Step 3 - Model Checking Step 4 - Theorem Proving Step 5 – Predicate discovery Outline manual automated
12 Abstraction Abstract Interpretation In C program P set of predicates E={e 1,e 2,…,e n } Out abstract boolean program BP(P,E) with n boolean variables V={b 1,b 2,…,b n } Boolean program (C-like) all vars have type bool control nondeterminism (*) only call by value
13 Step 2 – Abstraction (C2BP) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; }
14 Instrumented Program P’ Step 2 – Abstraction (C2BP) do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1);
15 Step 3 - Model Checking (BEBOP) Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?YES [C,A,E,C,ERROR ]
16 do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Step 4 – Theorem Proving (NEWTON) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } Is path [C,A,E,C] feasible ?NO // nPacketsOld==nPackets, nPacketsOld != nPackets
17 Step 5 – Predicate Discovery (NEWTON) b: {nPackets == nPacketsOld}; do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); Boolean Program BP(P’,E 0 )Boolean Program BP(P’,E 1 )
18 Step 3 - Model Checking (BEBOP) do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; decl b: {nPackets==nPacketsOld}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?NO
19 C2BP From a C program P and a set of predicates E={e 1,e 2,…,e n } create an abstract boolean program BP(P,E) which has n boolean variables V={b 1,b 2,…,b n } Determine for each statement s in P and predicate e i in E how the execution of s can affect the truth value of e i if it doesn’t, s->skip
20 C2BP cont’d Static analysis alias logical model: p, p+i same object interprocedural side-effects (conservative)
21 BEBOP Essentially a model checker Interprocedural dataflow analysis -> reachable states Uses BDDs to represent state/transfer functions ERROR state reachability reduces to vertex reachability on the CFG of the boolean program BP which is decidable
22 NEWTON Predicate discoverer / Theorem prover walk error path p found by BEBOP compute conditions (predicate values) along p if algorithm terminates inconsistence detected ( =! ), add to list of predicates, repeat whole process else report p as witness
23 Results NT device drivers Max LOC <10 user-supplied predicates, tens-hundreds inferred < iterations 672 runs daily, 607 terminate within 20 minutes
24 SLAM vs Metacompilation (Engler et al.) SLAMMetacompilation SpecificationSLICmetal Sound Complete Scalability (LOC)10,0001,000,000 Refinement Spurious errorsVery FewMany
25 Conclusions SLAM = process for checking temporal safety properties Formally state safety properties that interface clients must observe Fully automated validation (iterative refinement) Sound; if process terminates either SUCCESS or FAILURE (w/counterexample) reported Accurate (few false positives) - Poor scalability
Thank You Questions ?
27 Complexity O(|P| x 2 |E| ) worst case In practice O(|E| 3 )
28 SLAM = A collection of tools SLIC Language for specifying safety properties C2BP Generate abstract boolean program from C code BEBOP Model checking boolean programs NEWTON Theorem prover Refine boolean program
29