Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented."— Presentation transcript:

1 Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented for CMSC631 by Iulian Neamtiu

2 2 Goal: Validate temporal safety properties using model checking SLAM Project, Microsoft Research http://research.microsoft.com/slam/

3 3

4 4 Motivation Large-scale software – many components, many programmers Integration testing Impossible Ineffective at best Fuzzy requirements -> inconsistent implementation Consistent requirements -> inconsistent implementation (Jim Larus)

5 5 SLAM Approach Modules interact properly… If program observes temporal safety properties of interfaces it uses temporal safety = properties whose violation is witnessed by a finite execution trace, i.e. path to ERROR state State temporal safety properties formally Automatic verification Interface compliance checked statically (catch bugs early)

6 6 SLAM Process prog. P’ prog. P SLIC rule boolean program path predicates slic C2BP BEBOP NEWTON Language for specifying safety properties Generate abstract boolean program from C code Model checker Predicate discoverer

7 7 SLAM - formally 1. P’ a C program, E i ={e 1,e 2,…,e n } a set of predicates, apply C2BP to create a boolean program BP(P’,E i ) 2. Apply BEBOP to check whether exists a path p i in BP(P’,E i ) that reaches ERROR state if p i not found, terminate with SUCCESS if p i found go to 3 3. Use NEWTON to check p i feasible If p i feasible, terminate with FAILURE If p i not feasible find set F i of predicates that explains infeasibility 4. E i+1 = E i UF i+1, i=i+1, go to 1

8 8 Example – device driver do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Prove safety – “something bad does not happen” (lock acquired/released twice)

9 9 Step 0 – Property Specification typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } SLIC Specification = FSM Global state State transitions (events)

10 10 Instrumented Program P’ Step 1 - Instrumentation do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E:E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } Program PSLIC Specification

11 11 Step 0 - Specification Step 1 - Instrumentation Step 2 - Abstraction Step 3 - Model Checking Step 4 - Theorem Proving Step 5 – Predicate discovery Outline manual automated

12 12 Abstraction Abstract Interpretation In C program P set of predicates E={e 1,e 2,…,e n } Out abstract boolean program BP(P,E) with n boolean variables V={b 1,b 2,…,b n } Boolean program (C-like) all vars have type bool control nondeterminism (*) only call by value

13 13 Step 2 – Abstraction (C2BP) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; }

14 14 Instrumented Program P’ Step 2 – Abstraction (C2BP) do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1);

15 15 Step 3 - Model Checking (BEBOP) Boolean Program BP(P’,E 0 ) do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?YES [C,A,E,C,ERROR ] 1 2 3 4

16 16 do { KeAcquireSpinLock(); C: FSM(Acq); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); D: FSM(Rel); nPackets++; } E: } while (nPackets != nPacketsOld); KeReleaseSpinLock(); F: FSM(Rel); Step 4 – Theorem Proving (NEWTON) typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE; STATETYPE state = Unlocked; FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq)) A: state = Locked; else if ((state==Locked) && (m==Rel)) B: state = Unlocked; else ERROR: ; } Is path [C,A,E,C] feasible ?NO // nPacketsOld==nPackets, nPacketsOld != nPackets

17 17 Step 5 – Predicate Discovery (NEWTON) b: {nPackets == nPacketsOld}; do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); do { skip; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; } E: } while (*); skip; F: FSM(0,1); Boolean Program BP(P’,E 0 )Boolean Program BP(P’,E 1 )

18 18 Step 3 - Model Checking (BEBOP) do { skip; b:=1; C: FSM(1,0); skip; if(*){ skip; D: FSM(0,1); skip; b:=0; } E: } while (!b); skip; F: FSM(0,1); decl {state==Locked, state==Unlocked}; decl b: {nPackets==nPacketsOld}; void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq}) A: {state==Locked, state==Unlocked }:=1,0 ; else if ({state==Locked} & {m==Rel}) B: {state==Locked, state==Unlocked }:=0,1; else ERROR: ; } Is there a path that leads to ERROR ?NO

19 19 C2BP From a C program P and a set of predicates E={e 1,e 2,…,e n } create an abstract boolean program BP(P,E) which has n boolean variables V={b 1,b 2,…,b n } Determine for each statement s in P and predicate e i in E how the execution of s can affect the truth value of e i if it doesn’t, s->skip

20 20 C2BP cont’d Static analysis alias logical model: p, p+i same object interprocedural side-effects (conservative)

21 21 BEBOP Essentially a model checker Interprocedural dataflow analysis -> reachable states Uses BDDs to represent state/transfer functions ERROR state reachability reduces to vertex reachability on the CFG of the boolean program BP which is decidable

22 22 NEWTON Predicate discoverer / Theorem prover walk error path p found by BEBOP compute conditions (predicate values) along p if algorithm terminates inconsistence detected (  =!  ), add  to list of predicates, repeat whole process else report p as witness

23 23 Results NT device drivers Max 60000 LOC <10 user-supplied predicates, tens-hundreds inferred < 20-30 iterations 672 runs daily, 607 terminate within 20 minutes

24 24 SLAM vs Metacompilation (Engler et al.) SLAMMetacompilation SpecificationSLICmetal Sound Complete Scalability (LOC)10,0001,000,000 Refinement Spurious errorsVery FewMany

25 25 Conclusions SLAM = process for checking temporal safety properties Formally state safety properties that interface clients must observe Fully automated validation (iterative refinement) Sound; if process terminates either SUCCESS or FAILURE (w/counterexample) reported Accurate (few false positives) - Poor scalability

26 Thank You Questions ?

27 27 Complexity O(|P| x 2 |E| ) worst case In practice O(|E| 3 )

28 28 SLAM = A collection of tools SLIC Language for specifying safety properties C2BP Generate abstract boolean program from C code BEBOP Model checking boolean programs NEWTON Theorem prover Refine boolean program

29 29

Download ppt "Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.

Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
Verification of parameterised systems

Verification of parameterised systems
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.

Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.

Similar presentations

Ads by Google