Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball, Sriram K. MSR Presented by Xin Li.

Slides:

Advertisements

Similar presentations

Advanced programming tools at Microsoft

Advertisements

The Static Driver Verifier Research Platform

The SLAM Project: Debugging System Software via Static Analysis

Demand-driven inference of loop invariants in a theorem prover

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Verification of parameterised systems

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Synergy: A New Algorithm for Property Checking

Secrets of Software Model Checking Thomas Ball Sriram K. Rajamani Software Productivity Tools Microsoft Research

SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.

CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.

Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.

Software Model Checking with SLAM Thomas Ball Testing, Verification and Measurement Sriram K. Rajamani Software Productivity Tools Microsoft Research

Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili.

Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,

Mining Windows Kernel API Rules Jinlin Yang 09/28/2005CS696.

Lecture #11 Software Model Checking: automating the search for abstractions Thomas Ball Testing, Verification and Measurement Microsoft Research.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.

Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.

Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.

SLAM :Software Model Checking From Theory To Practice Sriram K. Rajamani Software Productivity Tools Microsoft Research.

Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani.

Newton: A tool for generating abstract explanations of infeasibility1 The Problem P (C Program) BP (Boolean Program of P) CFG(P) CFG(BP)

Thomas Ball Sriram K. Rajamani

Use of Models in Analysis and Design Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.

Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.

11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University

SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.

The Yogi Project Software property checking via static analysis and testing Aditya V. Nori, Sriram K. Rajamani, Sai Deep Tetali, Aditya V. Thakur Microsoft.

1 Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM Parts of the slides are from

Counter Example Guided Refinement CEGAR Mooly Sagiv.

#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.

The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.

Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.

Having a BLAST with SLAM

runtime verification Brief Overview Grigore Rosu

Software Model Checking with SLAM

Symbolic Implementation of the Best Transformer

Abstraction, Verification & Refinement

Predicate Abstraction

Course: CS60030 Formal Systems

Presentation transcript:

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball, Sriram K. MSR Presented by Xin Li

Outline Overview Project Components History Challenges Boolean Programs and Rules Example Abstraction Model Checking Refinement Complexity Conclusion

Source Code Testing Development Precise API Usage Rules (SLIC) Software Model Checking Read for understanding New API rules Drive testing tools Defects 100% path coverage Rules Static Driver Verifier

SDV X Result Static Driver Verifier Rules SLAM OS model driver.h driver.c Driver sources other.h

What is SLAM? SLAM is a software model checking Microsoft Research MSR Goal: Check automatically C programs (system software) against safety properties using model checking. Present property violations as error traces in the source code. Application domain: device drivers Used internally inside Windows for driver verification. Planned to be released for third-party driver developer.

SLAM – Software Model Checking Given a safety property to check on a C program P, the SLAM process iteratively refines a boolean program abstraction of P using three tools: C2bp: predicate abstraction, abstracts P into boolean program BP(P,E) with respect of predicates E over P Bebop: tool for model checking boolean programs, determine if ERROR is reachable in BP(P,E) Newton: discovers additional predicates to refine boolean program by analyzing feasibility of paths in P

SLAM - History Initial discussions: Thomas Ball, Sriram K. Microsoft Research MSR First technical report January 2000 Spring 2000 Bebop model checker Summer 2000 Initial c2bp implementation Model checked a safety property of an NT driver Hand instrumented code/predicates discovered by hand Autumn 2000 Predicate discovery (Newton) Checked properties of drivers from DDK Hand instrumented code/automatic discovery of predicates Winter 2000 SLIC specification language Spring 2001 Found first real error in production code Total automation (manual model specifications) TACAS 2001: Boolean and Cartesian Abstractions for Model Checking C Programs, April 2001, Genoa, Italy.

Static Driver Verifier - History Research Prototype SLAMProduction Tool SDV March 2002 Bill Gates Review Mai 2002 Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier Autumn 2002 Joint Project between MSR and Windows Initial release of SDV 1.0 to Windows (friends and family) (SLAM engine, interface usage rules, kernel model, GUI and scripts) April 2003 wide release of SDV 1.2 to Windows (any internal driver developer) November 2003 SDV 1.3 released at Driver Developer Conference (better integration, more rules, better models) Since 2004 SDV fully transferred to Windows (6 full-time positions) Public release planned for end of 2004

A Brief History of Microsoft Richness Win16 Win32 COM MFC Components Services APIs Windows 3.0

Bebop Model Checker

Model Checking Challenges Thousands of lines of code Recursive procedures Infinite Control Infinite Data SLAM Solutions: Boolean transformation Predicate Abstraction

Boolean Programs C program, but only boolean variables Boolean variables represent finite sets of dataflow facts All C control-flow primitives (condition, loops, …) No pointers Procedures with call-by-value parameter passing Non-deterministic choice operator * do { b = true; if (*){ b = b ? false : *; } } while (!b); do { deviceNoOld = deviceNo; more = devices->Next; if (more){ deviceNo++; } } while (deviceNoOld != deviceNo);

SLIC Low-level specification language Specifies temporal safety properties/rules Defines state machine, that monitors behavior of a C program Atomic propositions of a SLIC specification are boolean functions Suitable for expressing control-dominated properties e.g. proper sequence of events can encode data values inside state

abort; } else { locked=1; } ReleaseLock.call { if (locked==0) { abort; } else { locked=0; } UnlockedLockedError U L L Usage Rule for Locking State Machine U SLIC int locked = 0; AcquireLock.call { if (locked==1) {

prog. P’ prog. P SLIC rule The SLAM Process boolean program path predicates slic c2bp bebop newton

B P Is ERROR reachable? No, explanation Yes Return “Yes”, p Is ERROR reachable? Bebop Yes, path p No Return “No” Is p feasible in P? Newton C2bp Predicates from instrumentation

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example

do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

prog. P’ prog. P SLIC rule The SLAM Process boolean program path predicates slic c2bp bebop newton

c2bp: Predicate Abstraction for C Programs Given P : a C program E = {e 1,...,e n }  each e i a pure boolean expression  each e i represents set of states for which e i is true Produce a boolean program B(P,E) same control-flow structure as P boolean vars {b 1,...,b n } to match {e 1,...,e n } properties true of B(P,F) are true of P

C2bp Algorithm Performs modular abstraction  abstracts each procedure in isolation Within each procedure, abstracts each statement in isolation  no control-flow analysis  no need for loop invariants

prog. P’ prog. P SLIC rule The SLAM Process boolean program path predicates slic c2bp bebop newton

Bebop Model checker for boolean programs Based on CFL (context-free language) reachability  [Sharir-Pnueli 81] [Reps-Sagiv-Horwitz 95] Iterative addition of edges to graph  “path edges”:   “summary edges”: 

Bebop: summary  Explicit representation of CFG (control flow graph)  Implicit representation of path edges and summary edges  Generation of hierarchical error traces

prog. P’ prog. P SLIC rule The SLAM Process boolean program path predicates slic c2bp bebop newton

Newton Given an error path p in boolean program B  is p a feasible path of the corresponding C program? Yes: found an error No: find predicates that explain the infeasibility  uses the same interfaces to the theorem provers as c2bp.

Newton Execute path symbolically Check conditions for inconsistency using theorem prover (satisfiability) After detecting inconsistency:  minimize inconsistent conditions  traverse dependencies  obtain predicates

Complexity Worst-case run-time complexity of C2bp and Bebop is linear in the size of the program's control flow graph, and exponential in the number of predicates used in the abstraction. Newton scales linearly with path length. O(|p|), |p|: length of path Complexity: O(E * 2 O(N) ) E is the size of the CFG (control flow graph) N is the max. number of variables in scope

Conclusion Fully automated methodology Novel limitation

References Automatically Validating Temporal Safety Properties of Interfaces, Thomas Ball, Sriram K. Rajamani, SPIN 2001, Workshop on Model Checking of Software, LNCS 2057, May 2001, pp Automatically Validating Temporal Safety Properties of Interfaces (Presentation SPIN 2001) Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE Bebop: A Path-sensitive Interprocedural Dataflow Engine (Presentation PASTE 2001) Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN 2000 Workshop on Model Checking of Software LNCS 1885, August/September 2000, pp Bebop: A Symbolic Model Checker for Boolean Programs (Presentation SPIN 2000) Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001, LNCS 2031, April 2001, pp Boolean and Cartesian Abstraction for Model Checking C Programs (Presentation TACAS 2001) Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report Checking Temporal Properties of Software with Boolean Programs, Thomas Ball, Sriram K. Rajamani, Workshop on Advances in Verification (with CAV 2000). From Symptom to Cause: Localizing Errors in Counterexample Traces, Thomas Ball, Mayur Naik, Sriram Rajamani (POPL 2003). From Symptom to Cause: Localizing Errors in Counterexample Traces (Presentation POPL 2003) Generating Abstract Explanations of Spurious Counterexamples in C Programs, Thomas Ball, Sriram K. Rajamani, MSR-TR Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001, LNCS 2031, April 2001, pp Parameterized Verification of Thread-safe Libraries (Presentation TACAS 2001) Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR-TR Refining Approximations in Software Predicate Abstraction, Thomas Ball, Byron Cook, Satyaki Das, Sriram K. Rajamani. TACAS Relative Completeness of Abstraction Refinement for Software Model Checking, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2002, LNCS 2280, April 2002, pp Secrets of Software Model Checking (Presentation SAS 2002) SLIC: A Specification Language for Interface Checking (of C), Thomas Ball, Sriram K. Rajamani, MSR-TR Specifying and Checking Properties of Software (Presentation CSTB's July 2001 Symposium on Fundamentals of Computer Science, July 2001) Speeding Up Dataflow Analysis Using Flow-Insensitive Pointer Analysis, Stephen Adams, Thomas Ball, Manuvir Das, Sorin Lerner, Sriram K. Rajamani, Mark Seigle, Westley Weimer. SAS 2002, LNCS The SLAM Project: Debugging System Software via Static Analysis, Thomas Ball, Sriram K. Rajamani, POPL 2002, January 2002, pages 1-3. The SLAM Project: Debugging System Software via Static Analysis (Presentation POPL 2002) The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV Thank you!