
Secrets of Software Model Checking. Thomas Ball, Sriram K. Rajamani, Software Productivity Tools, Microsoft Research


1 Secrets of Software Model Checking
Thomas Ball, Sriram K. Rajamani
Software Productivity Tools, Microsoft Research
http://research.microsoft.com/slam/

2 Outline
– Overview
– Status and Demo
– Secrets
  – Leaping loops
  – Fast predicate abstraction
  – Predicate generating genie
– Conclusions
  – more “secrets”

3 Static Driver Verifier (diagram)
Source code plus precise API usage rules (SLIC) feed software model checking, which reports defects with 100% path coverage. The results are read for understanding, yield new API rules and drive testing tools; development and testing feed back into the rules.

4 SLAM – Software Model Checking
– Counterexample-driven refinement for C
  – model = boolean programs
  – model creation (c2bp)
  – model checking (bebop)
  – model refinement (newton)
– SLAM toolkit
  – built on MSR program analysis infrastructure

5 The SLAM Process (diagram)
prog. P + SLIC rules → slic → prog. P' → c2bp → boolean program → bebop → path → newton → predicates → c2bp (refinement loop)

6 SLIC
– Finite state language for stating rules
  – monitors behavior of C code
  – temporal safety properties (security automata)
  – familiar C syntax
– Suitable for expressing control-dominated properties
  – e.g. proper sequence of events
  – can encode data values inside state

7 State Machine for Locking
States (figure): Unlocked, Locked, Error. Acq: Unlocked → Locked; Rel: Locked → Unlocked; Acq while Locked or Rel while Unlocked → Error.

Locking Rule in SLIC:

    state {
      enum {Locked,Unlocked} s = Unlocked;
    }
    KeAcquireSpinLock.entry {
      if (s==Locked) abort;
      else s = Locked;
    }
    KeReleaseSpinLock.entry {
      if (s==Unlocked) abort;
      else s = Unlocked;
    }

8 Example
Does this code obey the locking rule?

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

9 Example: model checking the boolean program (bebop)

    do {
      KeAcquireSpinLock();
      if(*){
        KeReleaseSpinLock();
      }
    } while (*);
    KeReleaseSpinLock();

Lock states annotated along the path bebop finds (figure): U L L L L U L U U U E

10 Example: is the error path feasible in the C program? (newton)

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Path annotations (figure): lock states U L L L U U U E; newton's symbolic values nPackets = C, nPacketsOld = C, nPackets = C+1, C+1 != C

11 Example: add new predicate to boolean program (c2bp)
b : (nPacketsOld == nPackets)

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;      b := true;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;                b := b ? false : *;
      }
    } while (nPackets != nPacketsOld);   // !b
    KeReleaseSpinLock();

Lock states along the path (figure): U L L L L U L U U U E

12 Example: model checking refined boolean program (bebop)
b : (nPacketsOld == nPackets)

    do {
      KeAcquireSpinLock();
      b := true;
      if(*){
        KeReleaseSpinLock();
        b := b ? false : *;
      }
    } while ( !b );
    KeReleaseSpinLock();

Annotations along the path (figure): lock states U L L L L U L U U U E; predicate values b b b b and b b !b

13 Example: model checking refined boolean program (bebop), continued
Same refined boolean program and predicate b : (nPacketsOld == nPackets) as slide 12. Annotations (figure): lock states U L L L L U L U U; predicate values b b b b and b b !b
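The abstraction-check-refine loop on slides 8 to 13 can be replayed on a toy scale. The following is an added example, not SLAM's code and not from the authors: it hand-encodes the boolean program that c2bp would produce for the driver loop as a small control-flow graph (an assumption of this example; c2bp's actual output format is not shown here), runs the SLIC locking automaton of slide 7 alongside it, and does explicit-state breadth-first reachability of the Error state in place of bebop's symbolic interprocedural algorithm. Without the predicate b the loop test is `while (*)` and the spurious "acquire while already Locked" path of slide 9 is found; once b : (nPacketsOld == nPackets) is tracked, no path reaches Error, as on slide 13.

```python
from collections import deque

# Lock-rule automaton states from the SLIC rule on slide 7.
UNLOCKED, LOCKED, ERROR = "U", "L", "E"

# The boolean program for the driver loop, hand-encoded as a control-flow
# graph (constructed for this example).  `if (request)` became `if (*)`
# because no predicate tracks `request`; the loop test is `while (!b)` once
# predicate b is tracked and `while (*)` before that.
PROGRAM = {
    0: ("acquire", None),       # KeAcquireSpinLock();
    1: ("assign_b", True),      # b := true;           (nPacketsOld = nPackets)
    2: ("branch", (3, 5)),      # if (*) goto 3 else goto 5
    3: ("release", None),       # KeReleaseSpinLock();
    4: ("assign_b", "flip"),    # b := b ? false : *;  (nPackets++)
    5: ("loop", (0, 6)),        # while (!b): back edge to 0, exit to 6
    6: ("release", None),       # KeReleaseSpinLock();
    7: ("exit", None),
}


def successors(state, track_b):
    """All abstract states reachable in one step; a `*` choice fans out."""
    pc, lock, b = state
    kind, arg = PROGRAM[pc]
    if kind == "acquire":       # SLIC: abort if already Locked
        return [(pc + 1, ERROR if lock == LOCKED else LOCKED, b)]
    if kind == "release":       # SLIC: abort if already Unlocked
        return [(pc + 1, ERROR if lock == UNLOCKED else UNLOCKED, b)]
    if kind == "assign_b":
        if not track_b:         # predicate not in the abstraction: b stays unknown
            return [(pc + 1, lock, None)]
        if arg == "flip":       # b ? false : *   (unknown b behaves like *)
            values = [False] if b is True else [True, False]
        else:
            values = [arg]
        return [(pc + 1, lock, v) for v in values]
    if kind == "branch":
        return [(target, lock, b) for target in arg]
    if kind == "loop":
        back, out = arg
        if b is None:           # while (*): continuing and exiting are both possible
            return [(back, lock, b), (out, lock, b)]
        return [(back, lock, b)] if b is False else [(out, lock, b)]
    return []                   # exit: no successors


def model_check(track_b):
    """Breadth-first search for a state whose lock automaton is in Error.
    Returns the shortest counterexample as a list of (pc, lock, b), or None."""
    start = (0, UNLOCKED, None)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state[1] == ERROR:
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]
        for nxt in successors(state, track_b):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def lock_sequence(trace):
    """Render a trace the way the slides annotate it, e.g. 'U L L L L E'."""
    return " ".join(lock for _, lock, _ in trace)


if __name__ == "__main__":
    print("without b:", lock_sequence(model_check(False)))  # spurious counterexample
    print("with b:   ", model_check(True))                   # None: Error unreachable
```

The counterexample found without b is exactly the kind of path newton rejects on slide 10: the `if` is skipped, so nPackets == nPacketsOld and the C loop cannot iterate again, but the boolean program knows nothing about that until b is added.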

14 SLAM 2002 Status
– March
  – Bill Gates review
– May
  – Windows committed to hire two people with model checking background to support Static Driver Verifier (SDV)
    – Byron Cook (Prover, OGI)
    – Vladimir Levin (Bell Labs, FormalCheck)
– July
  – running SLAM on 100+ drivers, 20+ properties
– September 3
  – released SDV-1.00 to Windows

15 Demo

16 SLAM Secrets
– Leaping loops
– Fast predicate abstraction
– Predicate generating genie

17 Leaping Loops
– Most loops fill/access arrays
  – are a pain for counterexample-driven refinement
  – loop predicates usually are irrelevant
– Example: is foo called twice in a row?

    if (y==0) foo();
    for(i = 0; i<100; i++)
      if (a[i]) y=y+1;
    if (y==1) foo();

– Many infeasible paths to eliminate due to loop predicate i<100

18 Goal: eliminate irrelevant loop predicates
Control dependence graph (figure): entry → y==0 → foo(); entry → i<100 → a[i] → y=y+1; entry → y==1 → foo(). The loop test i<100 controls only the array update, not either call to foo.

Original:

    if (y==0) foo();
    for(i = 0; i<100 ;i++)
      if (a[i]) y=y+1;
    if (y==1) foo();

With the loop condition abstracted away:

    if (y==0) foo();
    for(i = 0; * ;i++)
      if (a[i]) y=y+1;
    if (y==1) foo();

19 Results
– Without a priori loop abstraction
  – SLAM sometimes runs out of resources or time
  – many refinements of irrelevant loops to find a feasible counterexample
– With abstraction
  – SLAM always has terminated
  – few false negatives

20 SLAM Secrets
– Leaping loops
– Fast predicate abstraction
– Predicate generating genie

21 c2bp: Predicate Abstraction for C Programs
Given
– P : a C program
– E = {e1, ..., en}, each ei a pure boolean expression
Produce a boolean program B
– same control-flow structure as P
– only vars are 3-valued booleans {b1, ..., bn}
– properties true of B are true of P

22 Assignment Example
Statement in P:  y=y+1;
Predicates in E: {x==y}

Weakest precondition:

    wp( y=y+1, x==y) = x==y+1
    wp( y=y+1, x!=y) = x!=y+1

Strengthenings:

    S(x==y+1) = false
    S(x!=y+1) = x==y

Boolean abstraction of y=y+1:

    b = b ? false : *;

23 Strengthening
S(e) is the best predicate over {e1, ..., en} that implies e:
– a minterm m is a conjunction d1 ^ ... ^ dn
  – di = ei or di = !ei
– S(e) = the disjunction of all minterms m such that m implies e
– use decision procedures (theorem prover) to check implication
  – O(2^n) calls in worst case

24 Statement Abstraction

    b_i = S(wp(s, e_i)) ? true : S(wp(s, !e_i)) ? false : *;
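Slides 22 to 24 define the whole c2bp assignment rule; the following added example (not c2bp's code, nor from the authors) carries it out mechanically. It represents predicates as Python functions over a variable valuation, computes wp of an assignment by substitution, enumerates all 2^n minterms to compute S(e), and emits the boolean-program statement. One assumption is essential: the theorem prover is replaced by exhaustive checking of each implication over a small bounded integer domain, which is exact for the x, y example here but is not a sound decision procedure for unbounded integers.

```python
from itertools import product

# Bounded domain standing in for the theorem prover (assumption of this
# example): "m implies e" is checked on every valuation of VARS over DOMAIN.
VARS = ("x", "y")
DOMAIN = range(-3, 4)


def implies(m, e):
    """Does the cube m imply e on every valuation in the bounded domain?"""
    for values in product(DOMAIN, repeat=len(VARS)):
        env = dict(zip(VARS, values))
        if m(env) and not e(env):
            return False
    return True


def wp_assign(var, rhs, e):
    """wp(var = rhs, e): e with every occurrence of var replaced by rhs."""
    return lambda env: e({**env, var: rhs(env)})


def negate(e):
    return lambda env: not e(env)


def minterms(preds):
    """Every cube d1 ^ ... ^ dn with di = ei or !ei, as (signs, function)."""
    for signs in product((True, False), repeat=len(preds)):
        def cube(env, signs=signs):
            return all(p(env) == s for p, s in zip(preds, signs))
        yield signs, cube


def strengthen(e, preds):
    """S(e): the cubes over preds that imply e; their disjunction is the
    best predicate over preds implying e.  [] stands for false.
    Worst case: one implication check per cube, i.e. 2^n of them."""
    return [signs for signs, cube in minterms(preds) if implies(cube, e)]


def format_cube(signs, names):
    return " & ".join(("" if s else "!") + n for s, n in zip(signs, names))


def format_s(cubes, names):
    return " | ".join(format_cube(c, names) for c in cubes) if cubes else "false"


def abstract_assign(var, rhs, preds, names):
    """Slide 24's rule, one boolean-program line per predicate:
    b_i := S(wp(s, e_i)) ? true : S(wp(s, !e_i)) ? false : *;
    (the `? true` arm is dropped when S(wp(s, e_i)) is false)."""
    lines = []
    for e, name in zip(preds, names):
        pos = strengthen(wp_assign(var, rhs, e), preds)
        neg = strengthen(wp_assign(var, rhs, negate(e)), preds)
        first = f"{format_s(pos, names)} ? true : " if pos else ""
        lines.append(f"{name} := {first}{format_s(neg, names)} ? false : *;")
    return lines


# Slide 22: statement y = y + 1 with the single predicate {x == y}.
PREDS = [lambda env: env["x"] == env["y"]]
NAMES = ["b"]

if __name__ == "__main__":
    for line in abstract_assign("y", lambda env: env["y"] + 1, PREDS, NAMES):
        print(line)   # b := b ? false : *;
```

The run reproduces slide 22 step by step: S(x==y+1) over {x==y} is false, because neither minterm x==y nor x!=y forces x==y+1, while S(x!=y+1) is x==y, because under x==y the assignment can never make x equal the new y.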

25 Fast Predicate Abstraction
– Predicate abstraction requires many calls to the theorem prover to compute S(e)
  – for each minterm m over predicates in E: does m imply e?
– Idea:
  – compute the set of minterms m that imply e directly via theorem prover data structures

26 Consider Equalities
– Example
  – E = { a==b, b==c, c==d, a==c }
  – S(a==d)
– Many unhelpful minterms
  – (a==b) ^ (c==d), etc.
– Equality graph induced by E (figure): nodes a, b, c, d with one edge per equality in E; a path from a to d gives the helpful minterm (a==c) ^ (c==d)

27 Efficient Implementation of S(e)
– Graph representation of
  – equalities
  – uninterpreted function symbols
  – inequalities (x < c)
– Computation of good minterms via CFL-reachability query

28 Example Graph Closure Rules (figure)
– x == y implies *x == *y
– x == &y implies *x == y
(The graphs show nodes p, x, y and their dereferences *p, *x, *y, connected by == edges and * edges.)

29 Example
E = { p==q, &q==x, **x<5 }
S(*p<5)
Graph (figure): nodes p, q, *p, *q, x, *x, **x, &q and 5, with == , * and < edges. Chaining the closure rules of slide 28: p==q gives *p == *q; &q==x gives *x == q and hence **x == *q; together with **x < 5 this yields *p < 5.

30 The Rest of the Story
– For predicates not in the theory (e.g., x<y+c), call the theorem prover as before
  – limit the size of minterms for efficiency
– Use Das/Dill refinement to deal with the approximation introduced by the heuristics
  – implemented by Satyaki Das, summer 2001

31 Results
– Before fast predicate abstraction
  – c2bp was the bottleneck in the SLAM process
– After fast predicate abstraction
  – bebop is the bottleneck, as it should be

32 SLAM Secrets
– Leaping loops
– Fast predicate abstraction
– Predicate generating genie

33 The Predicate Generating Genie
– Fantasy:
  – if a genie gave SLAM just the right set of predicates, it could terminate in one iteration
– Reality:
  – for a restricted subset of C, find enough predicates so that SLAM terminates in just one iteration
  – if the program is not in the restricted subset, find predicates and then iterate to get the remaining predicates

34 Restricted C: Language of Equalities

    v1 = v2
    v = c                      // c in Z
    if (*) stmt1 else stmt2
    v1 = fun(v2, …)
    return v
    abortif(v1 <relop> v2)     // <relop> a relational operator

35 “Simple” Example

    bar(int c, int d) {
      int p,q;
      p = c; q = d;
      foo(p,q);
    }

    foo(int a, int b) {
      abortif(a <relop> b);
    }

    main() {
      int x,y,z;
      x = 2; x = 3;
      y = 5; y = pick(3);
      z = x;
      bar(z,y);
    }

    pick(int s) {
      int v;
      if (*) v = s; else v = 4;
      return v;
    }

36 Value Flow Graph
Figure: the value flow graph of the “Simple” example on slide 35, with nodes 2, 3, x, z, s, v, 4, 5, y, c, p, a, d, q, b and an edge from each value source to the variable it flows into (constants and assignments, actual to formal parameters, return values to call results). The same program text is shown beside it.

37 The Idea
– If we knew the final values of a and b (e.g., “3” and “5”) we could decide a <relop> b
– Walk back in the graph from a
  – for each edge “u → v” add predicate “u == v”
– Do the same for b

38 Theory and Practice
Let’s try it on the a branch … (value flow graph figure, as on slide 36)
Predicates collected walking back from a:

    p==a
    c==p
    z==c
    x==z
    2==x
    3==x

39 Theory and Practice
Let’s try it on the a branch … (value flow graph figure, as on slide 36)

    p==a   // bad scope
    c==p
    z==c   // bad scope
    x==z
    2==x
    3==x

40 Scoping Things Out
There is no scope in which “z == c” is a valid predicate. But this predicate is necessary!
Solution: link all ground terms to c
(bar and main from slide 35 are shown on the slide)

41 Constraint Propagation
(value flow graph figure, as on slide 36)
Concentrating just on z → c, conceptually add 3 → c and 2 → c, thus adding “3==c” and “2==c”

42 Why does it work?
– If we know “z==2” or “z==3”
– We can easily prove “c==2” or “c==3” at the call-site
– And “c==2 & z==2” implies “c==z”
(bar and main from slide 35 are shown on the slide)
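Slides 36 to 42 describe one procedure: build the value flow graph, walk back from the variable under test collecting u == v for every edge, reject predicates that have no scope in which both terms are visible, and replace each rejected one by equalities between the ground terms that reach its source and its sink. The following added example (not the authors' tool) runs that procedure on the “Simple” program; the graph edges and the scope table are constructed by hand from slide 35. It goes slightly beyond the slides in one respect: the constraint propagation of slide 41 is applied to every cross-scope predicate, so p == a is repaired in the same way as z == c.

```python
# Value flow graph of the "Simple" example (slides 35/36), constructed here
# as (source, sink) edges: the value of `source` flows into `sink`.
# Ground terms (integer constants) are the leaves.
EDGES = [
    (2, "x"), (3, "x"),                  # main: x = 2; x = 3;
    (5, "y"), (3, "s"), ("v", "y"),      # main: y = 5; y = pick(3): 3 -> s, return v -> y
    ("x", "z"),                          # main: z = x;
    ("z", "c"), ("y", "d"),              # call bar(z, y): actuals -> formals
    ("c", "p"), ("d", "q"),              # bar: p = c; q = d;
    ("p", "a"), ("q", "b"),              # call foo(p, q)
    ("s", "v"), (4, "v"),                # pick: if (*) v = s; else v = 4;
]

# Lexical scope of every variable, also constructed from slide 35.
SCOPE = {"x": "main", "y": "main", "z": "main",
         "c": "bar", "d": "bar", "p": "bar", "q": "bar",
         "a": "foo", "b": "foo", "s": "pick", "v": "pick"}


def is_ground(term):
    return isinstance(term, int)


def predecessors(edges, var):
    return [u for u, w in edges if w == var]


def walk_back(edges, target):
    """Slide 37: walk the graph backwards from `target`; every edge u -> v
    crossed on the way yields the candidate predicate u == v."""
    preds, seen, stack = [], {target}, [target]
    while stack:
        v = stack.pop()
        for u in predecessors(edges, v):
            preds.append((u, v))
            if not is_ground(u) and u not in seen:
                seen.add(u)
                stack.append(u)
    return preds


def ground_sources(edges, var):
    """All constants that can flow into `var`, transitively."""
    found, seen, stack = set(), {var}, [var]
    while stack:
        v = stack.pop()
        for u in predecessors(edges, v):
            if is_ground(u):
                found.add(u)
            elif u not in seen:
                seen.add(u)
                stack.append(u)
    return found


def scope_ok(u, v):
    """Slide 39/40: a predicate u == v needs a scope where both terms are visible."""
    return is_ground(u) or is_ground(v) or SCOPE[u] == SCOPE[v]


def generate_predicates(edges, target):
    """Returns (well-scoped predicates, badly scoped ones, their replacements).
    A badly scoped u == v is replaced by g == v for every constant g that
    reaches u (slide 41), so the equality is provable at the call site."""
    candidates = walk_back(edges, target)
    good = [p for p in candidates if scope_ok(*p)]
    bad = [p for p in candidates if not scope_ok(*p)]
    extra = [(g, v) for u, v in bad for g in sorted(ground_sources(edges, u))]
    return good, bad, extra


def fmt(preds):
    return [f"{u}=={v}" for u, v in preds]


if __name__ == "__main__":
    good, bad, extra = generate_predicates(EDGES, "a")
    print("in scope:  ", fmt(good))    # ['c==p', 'x==z', '2==x', '3==x']
    print("bad scope: ", fmt(bad))     # ['p==a', 'z==c']
    print("propagated:", fmt(extra))   # ['2==a', '3==a', '2==c', '3==c']
```

The walk from a reproduces the list on slide 38, the scope check flags exactly p==a and z==c as on slide 39, and the propagation step produces 2==c and 3==c from slide 41 (plus the analogous 2==a and 3==a for the bar-to-foo call). Running it for b instead shows the other branch: the constants reaching b are 3, 4 and 5, because y is either 5 or the result of pick(3).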

43 Forward Pointer
Speeding Up Dataflow Analysis Using Flow-Insensitive Pointer Analysis
Stephen Adams, Thomas Ball, Manuvir Das, Sorin Lerner, Sriram K. Rajamani, Mark Seigle, and Westley Weimer
SAS talk on Thursday morning

44 Result
– Floppy driver (3 iterations instead of 25)
– 6500 lines, simple spec
– 21 global predicates
– 741 local predicates
– 72 max local in scope

45 Other Technical “Secrets”
– Program slicing
  – implementation underway
  – valuable for getting rid of code that is totally irrelevant to the property under consideration
– Incremental abstraction/model checking
  – abstraction implemented
– Boolean program minimization
  – implementation underway

46 Conclusion: SLAM’s “Secret” to Success
– Specific problem
– Safety properties
– Shoulders & synergies
– Separation of concerns
– Summer interns & visitors
  – Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
  – Satyaki Das, Wes Weimer, Robby (2001)
  – Jakob Lichtenberg, Mayur Naik (2002)
  – Giorgio Delzanno, Andreas Podelski, Stefan Schwoon

