Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft"— Presentation transcript:

1 Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft http://research.microsoft.com/slam/

2 do { //get the write lock AcquireLock(&dev->lock); nPacketsOld = nPackets; request = dev->WriteListHeadVa; if( request && request->status ){ dev->WriteListHeadVa = request->Next; ReleaseLock(&dev->lock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else{ irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while ( nPackets != nPacketsOld ); ReleaseLock(&dev->lock); Question: Is locking protocol respected? Verifying Temporal Properties of Software

3 do { //get the write lock AcquireLock(&dev->lock); nPacketsOld = nPackets; request = dev->WriteListHeadVa; if( request && request->status ){ dev->WriteListHeadVa = request->Next; ReleaseLock(&dev->lock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else{ irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); ReleaseLock(&dev->lock);

4 do { AcquireLock(); b = true; if (*) { ReleaseLock(); b = b ? false : *; } } while ( !b ); ReleaseLock(); do { //get the write lock AcquireLock(&dev->lock); nPacketsOld = nPackets; request = dev->WriteListHeadVa; if( request && request->status ){ dev->WriteListHeadVa = request->Next; ReleaseLock(&dev->lock); irp = request->irp; if(request->status > 0){ irp->IoStatus.Status = STATUS_SUCCESS; irp->IoStatus.Information = request->Status; } else{ irp->IoStatus.Status = STATUS_UNSUCCESSFUL; irp->IoStatus.Information = request->Status; } SmartDevFreeBlock(request); IoCompleteRequest(irp, IO_NO_INCREMENT); nPackets++; } } while (nPackets != nPacketsOld); ReleaseLock(&dev->lock); Predicate Abstraction

5 C program Boolean program Predicate Abstraction (C2bp) Model Checking (Bebop) [PASTE 2001, Spin 2000] Predicate Discovery (Newton) E = {e 1,...,e n } no yes

6 C2bp: Predicate Abstraction for C Programs Given P : a C program E = {e 1,...,e n } : set of C boolean expressions over the variables in P no side effects, no procedure calls Produce a boolean program B same control-flow structure as P only vars are 3-valued booleans {b 1,...,b n } properties true of B are true of P

7 Contributions C2bp handles the constructs of C pointers, recursion, structs, casts modular abstraction of procedures provably sound successfully applied to verify properties of device drivers

8 C2bp Algorithm operates on intermediate representation contains only assignments, conditionals, procedure calls, gotos abstracts each statement in isolation no control-flow analysis no need for loop invariants

9 Abstracting Assignments replace assn statement s with a parallel assignment to boolean vars in scope: predicate e i is true after s iff wp(s, e i ) is true before s b i = wp(s, e i ) ; example: wp( y=y+1, x==y) = (x==y)[y+1/y] = (x==y+1) but wp(s, e i ) may not be expressible in terms of {e 1,...,e n }...

10 Strengthening S(e) is the best predicate over {e 1,...,e n } that implies e: a minterm is a conjunction d 1 ^... ^ d n, where d i = e i or d i = !e i S(e) = disjunction of all minterms that imply e use decision procedure to check implication

11 Abstracting Assignments S(wp(s, e i )) is true before s implies predicate e i is true after s S(!wp(s, e i )) is true before s implies predicate e i is false after s b i = S(wp(s, e i )) ? true : S(!wp(s, e i )) ? false : *;

12 Assignment Example Statement in P: Predicates in E: y = y+1; {x==y} Weakest Precondition: wp( y=y+1, x==y) = x==y+1 Strengthenings: S(x==y+1) = falseS(x!=y+1)) = x==y Abstraction of s in B: b = b ? false : *;

13 Handling Pointers Weakest Precondition: wp( *p=3, x==5) = x==5 What if *p and x alias? We use Das’s pointer analysis [PLDI 2000] to prune disjuncts representing infeasible alias scenarios. Correct Weakest Precondition: (p==&x && 3==5) || (p!=&x && x==5) Statement in P:Predicates in E: *p = 3; {x==5}

14 Abstracting Conditionals in P: if ( expr ) {...} else {...} in B: if (*) {assume( W(expr) );...} else {assume( W(!expr) );...} weakening : W(expr) = !S(!expr)

15 Handling Procedures each predicate in E is annotated as being either global or local to a particular procedure procedures abstracted in two passes: a signature is produced for each procedure in isolation procedure calls are abstracted given the callees’ signatures

16 Formal Properties soundness [Ball, Millstein & Rajamani, MSR-TR] B has a superset of the feasible paths in P b i is true (false) at some point on a path in B implies e i is true (false) at that point along a corresponding path in P complexity linear in size of program flow analysis deferred to the model checker exponential in number of predicates

17 Experience checked several device drivers for proper usage of locks proper handling of interrupt request packets (IRPs) verified four drivers from the Windows 2000 Driver Development Kit found a bug in IRP handling in a Microsoft- internal floppy device driver ran C2bp on 6500 LOC with 23 predicates in 98 seconds model checking takes under 10 seconds

18 Conclusions C2bp, the first automatic predicate abstractor for C code pointers, procedures, recursion provably sound a necessary step for making software model checking a reality useful for other tasks that require predicate sensitivity http://research.microsoft.com/slam/

19 Predicate-sensitive Alias Analysis prev = NULL; newl = NULL; while (curr) { next = curr->next; if (curr->val > v) { if (prev) prev->next = next; curr->next = newl; L: newl = curr; } else prev = curr; curr = nextCurr; } prev == NULL curr == NULL prev->val > v curr->val > v (curr!=NULL) && ( prev==NULL || (prev->val val >v) ) implies (prev != curr) at label L

Download ppt "Automatic Predicate Abstraction of C Programs Thomas BallMicrosoft Rupak MajumdarUC Berkeley Todd MillsteinU Washington Sriram K. RajamaniMicrosoft"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The SLAM Project: Debugging System Software via Static Analysis

The SLAM Project: Debugging System Software via Static Analysis
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
1 Automatic Predicate Abstraction of C Programs Parts of the slides are from

1 Automatic Predicate Abstraction of C Programs Parts of the slides are from
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Predicate Transformers

Predicate Transformers
Verification of parameterised systems

Verification of parameterised systems

Similar presentations

Ads by Google