Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan Duzyol

Introduction Software Validation: Traditionally done by testing, lately by property checking tools. Tools do not typically ensure that the software implements intended functionality correctly.

Background The fundamental difficulty in using any kind of static analysis to detect program errors is that the problem is undecidable and equivalent to Turing’s halting problem. Earliest static analysis tool that has been widely used is the Unix utility Lint.

Background Specification language: Early tools check for common errors that can be characterized at the level of the programming language. Modern tools allow users to state the kind of errors they are looking for.

Background Engineering tradeoffs: precision, scalability, soundness, completeness and usability. No tool can be both sound and complete. Attaching preconditions and postconditions to method boundaries has been widely advocated.

Checking Temporal Properties of Software with Boolean Programs Takes a program written in imperative language and targets for a boolean program. Checks whether a program obeys a Temporal Property, by checking invariants.

From C to Boolean

Is [L1,L3,L4,L5,ERR] feasible in B2? Decl {u=M} :=1; L1….. L2….. assert ( ! ( {u=M} & {*M=0})); assert ( ! ( 1 & {*M=0})); L3….. L4….. L5….. assert ( ! ( {u=M} & !{*M=0})); assert ( ! ( 1 & !0); ERR is not reachable

Goal: Validate temporal safety properties using model checking Microsoft Research

Motivation Large-scale software – many components, many programmers Integration testing –Impossible –Ineffective at best Fuzzy requirements -> inconsistent implementation Consistent requirements -> inconsistent implementation

SLAM Approach Modules interact properly… If program observes temporal safety properties of interfaces it uses –temporal safety = properties whose violation is witnessed by a finite execution trace, i.e. path to ERROR state State temporal safety properties formally Automatic verification Interface compliance checked statically (catch bugs early)

SLAM Process prog. P’ prog. P SLIC rule boolean program path predicates slic C2BP BEBOP NEWTON Language for specifying safety properties Generate abstract boolean program from C code Model checker Predicate discoverer

SLAM = A collection of tools SLIC –Language for specifying safety properties C2BP –Generate abstract boolean program from C code BEBOP –Model checking boolean programs NEWTON –Theorem prover –Refine boolean program

SLAM - formally 1.P’ a C program, E i ={e 1,e 2,…,e n } a set of predicates, apply C2BP to create a boolean program BP(P’,E i ) 2.Apply BEBOP to check whether exists a path p i in BP(P’,E i ) that reaches ERROR state –if p i not found, terminate with SUCCESS –if p i found go to 3 3.Use NEWTON to check p i feasible –If p i feasible, terminate with FAILURE –If p i not feasible find set F i of predicates that explains infeasibility 4.E i+1 = E i UF i+1, i=i+1, go to 1

Example – device driver do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Prove safety – “something bad does not happen” (lock acquired/released twice)

Step 0 – Property Specification typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } SLIC Specification = FSM Global state State transitions (events)

Instrumented Program P’ Step 1 - Instrumentation do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E:E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } SLIC Specification

Step 0 - Specification Step 1 - Instrumentation Step 2 - Abstraction Step 3 - Model Checking Step 4 - Theorem Proving Step 5 – Predicate discovery Outline manual automated

Abstraction Abstract Interpretation In –C program P –set of predicates E={e 1,e 2,…,e n } Out –abstract boolean program BP(P,E) with n boolean variables V={b 1,b 2,…,b n } Boolean program (C-like) –all vars have type bool –control nondeterminism (*) –only call by value

Step 2 – Abstraction (C2BP) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; }

Instrumented Program P’ Step 2 – Abstraction (C2BP) do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1);

Step 3 - Model Checking (BEBOP) Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?YES [C,A,E,C,ERROR ]

do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Step 4 – Theorem Proving (NEWTON) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } Is path [C,A,E,C] feasible ?NO // nPacketsOld==nPackets, nPacketsOld != nPackets

Step 5 – Predicate Discovery (NEWTON) b: {nPackets == nPacketsOld}; do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); Boolean Program BP(P’,E 0 )Boolean Program BP(P’,E 1 )

Step 3 - Model Checking (BEBOP) do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; decl b: {nPackets==nPacketsOld}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?NO

C2BP From a C program P and a set of predicates E={e 1,e 2,…,e n } create an abstract boolean program BP(P,E) which has n boolean variables V={b 1,b 2,…,b n } Determine for each statement s in P and predicate e i in E how the execution of s can affect the truth value of e i –if it doesn’t, s->skip

C2BP cont’d Static analysis –alias –logical model: p, p+i same object –interprocedural –side-effects (conservative)

BEBOP Essentially a model checker Interprocedural dataflow analysis -> reachable states Uses BDDs to represent state/transfer functions ERROR state reachability reduces to vertex reachability on the CFG of the boolean program BP which is decidable

NEWTON Predicate discoverer / Theorem prover –walk error path p found by BEBOP –compute conditions (predicate values) along p –if algorithm terminates inconsistence detected (  =!  ), add  to list of predicates, repeat whole process else report p as witness

Results NT device drivers –Max LOC –<10 user-supplied predicates, tens-hundreds inferred –< iterations –672 runs daily, 607 terminate within 20 minutes

SLAM SpecificationSLIC Sound Complete Scalability (LOC)10,000 Refinement Spurious errorsVery Few

Conclusions SLAM = process for checking temporal safety properties Formally state safety properties that interface clients must observe Fully automated validation (iterative refinement) Sound; if process terminates either SUCCESS or FAILURE (w/counterexample) reported Accurate (few false positives) - Poor scalability

References: Automatic Property Checking for Software: Past, Present and Future; Sriram K. Rajamani, Checking Temporal Properties of Software with Boolean Programs; Thomas Ball, Sriram Rajamani Automatically Validating Temporal Safety Properties of Interfaces; Thomas Ball, Sriram Rajamani

Thank You Questions ?