Post on 14-Jan-2016
description
transcript
Rule Checking
•SLAM•Checking Temporal Properties of Software with Boolean
ProgramsThomas Ball, Sriram K. Rajamani
Microsoft ResearchPresented by Okan Duzyol
Introduction
• Software Validation: Traditionally done by testing, lately by property checking tools.
• Tools do not typically ensure that the software implements intended functionality correctly.
Background
• The fundamental difficulty in using any kind of static analysis to detect program errors is that the problem is undecidable and equivalent to Turing’s halting problem.
• Earliest static analysis tool that has been widely used is the Unix utility Lint.
Background
• Specification language: Early tools check for common errors that can be characterized at the level of the programming language. Modern tools allow users to state the kind of errors they are looking for.
Background
• Engineering tradeoffs: precision, scalability, soundness, completeness and usability.
• No tool can be both sound and complete.
• Attaching preconditions and postconditions to method boundaries has been widely advocated.
Checking Temporal Properties of Software with Boolean Programs
• Takes a program written in imperative language and targets for a boolean program.
• Checks whether a program obeys a Temporal Property, by checking invariants.
From C to Boolean
• Is [L1,L3,L4,L5,ERR] feasible in B2?Decl {u=M} :=1;L1…..L2…..assert ( ! ( {u=M} & {*M=0}));assert ( ! ( 1 & {*M=0}));
L3…..L4…..L5…..assert ( ! ( {u=M} & !{*M=0}));assert ( ! ( 1 & !0);
ERR is not reachable
Goal: Validate temporal safety properties using model checking
Microsoft Research
Motivation
• Large-scale software – many components, many programmers
• Integration testing– Impossible– Ineffective at best
• Fuzzy requirements -> inconsistent implementation
• Consistent requirements -> inconsistent implementation
SLAM Approach
• Modules interact properly…• If program observes temporal safety properties of
interfaces it uses– temporal safety = properties whose violation is witnessed
by a finite execution trace, i.e. path to ERROR state
• State temporal safety properties formally• Automatic verification• Interface compliance checked statically (catch bugs
early)
SLAM Process
prog. P’prog. P
SLIC rule
boolean program
pathpredicates
slic
C2BP
BEBOP
NEWTON
Language for specifying safety properties
Generate abstract boolean program from C code
Model checker
Predicate discover
er
SLAM = A collection of tools
SLIC – Language for specifying safety properties
C2BP – Generate abstract boolean program from C code
BEBOP – Model checking boolean programs
NEWTON – Theorem prover – Refine boolean program
SLAM - formally
1. P’ a C program, Ei={e1,e2,…,en} a set of predicates, apply C2BP to create a boolean program BP(P’,Ei)
2. Apply BEBOP to check whether exists a path pi in BP(P’,Ei) that reaches ERROR state
– if pi not found, terminate with SUCCESS– if pi found go to 3
3. Use NEWTON to check pi feasible– If pi feasible, terminate with FAILURE – If pi not feasible find set Fi of predicates that explains
infeasibility
4. Ei+1= Ei UFi+1 , i=i+1, go to 1
Example – device driverdo {
KeAcquireSpinLock();nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();nPackets++;
}} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
Prove safety – “something bad does not happen”(lock acquired/released twice)
Step 0 – Property Specificationtypedef {Locked, Unlocked} STATETYPE;typedef {Acq, Rel} MTYPE;
STATETYPE state = Unlocked;
FSM(m : MTYPE){if ((state==Unlocked) && (m==Acq))A: state = Locked;else if ((state==Locked) && (m==Rel))B: state = Unlocked;elseERROR: ;}
SLIC Specification = FSM•Global state•State transitions (events)
Instrumented Program P’
Step 1 - Instrumentationdo {
KeAcquireSpinLock();C: FSM(Acq);
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();
D: FSM(Rel);nPackets++;
}E:} while (nPackets != nPacketsOld);
KeReleaseSpinLock();F: FSM(Rel);
typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;
STATETYPE state = Unlocked;
FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}
SLIC Specification
• Step 0 - Specification
• Step 1 - Instrumentation
• Step 2 - Abstraction
• Step 3 - Model Checking
• Step 4 - Theorem Proving
• Step 5 – Predicate discovery
Outline
manual
automated
Abstraction• Abstract Interpretation• In
– C program P – set of predicates E={e1,e2,…,en}
• Out – abstract boolean program BP(P,E) with n
boolean variables V={b1,b2,…,bn}
• Boolean program (C-like) – all vars have type bool– control nondeterminism (*)– only call by value
Step 2 – Abstraction (C2BP)
typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;
STATETYPE state = Unlocked;
FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}
decl {state==Locked, state==Unlocked};
void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;elseERROR: ;}
Instrumented Program P’
Step 2 – Abstraction (C2BP)do {
KeAcquireSpinLock();C: FSM(Acq);
nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();
D: FSM(Rel);nPackets++;
}E:} while (nPackets != nPacketsOld);
KeReleaseSpinLock();F: FSM(Rel);
Boolean Program BP(P’,E0)
do { skip;
C: FSM(1,0); skip;
if(*){ skip; skip;
D: FSM(0,1); skip;
}E:} while (*);
skip;F: FSM(0,1);
Step 3 - Model Checking (BEBOP)
Boolean Program BP(P’,E0)
do { skip;
C: FSM(1,0); skip;
if(*){ skip; skip;
D: FSM(0,1); skip;
}E:} while (*);
skip;F: FSM(0,1);
decl {state==Locked, state==Unlocked};
void FSM({m==Acq,m==Rel}){
if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;
else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;
elseERROR: ;}
Is there a path that leads to ERROR ? YES [C,A,E,C,ERROR ]
1
2
3
4
do {KeAcquireSpinLock();
C: FSM(Acq);nPacketsOld = nPackets;
if(request){request = request->Next;KeReleaseSpinLock();
D: FSM(Rel);nPackets++;
}E:} while (nPackets != nPacketsOld);
KeReleaseSpinLock();F: FSM(Rel);
Step 4 – Theorem Proving (NEWTON)
typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;
STATETYPE state = Unlocked;
FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}
Is path [C,A,E,C] feasible ? NO
// nPacketsOld==nPackets, nPacketsOld != nPackets
Step 5 – Predicate Discovery (NEWTON)b: {nPackets == nPacketsOld};do {
skip; b:=1;C: FSM(1,0);
skip;
if(*){ skip; skip;
D: FSM(0,1); skip; b:=0;
}E:} while (!b);
skip;F: FSM(0,1);
do { skip;
C: FSM(1,0); skip;
if(*){ skip; skip;
D: FSM(0,1); skip;
}E:} while (*);
skip;F: FSM(0,1);
Boolean Program BP(P’,E0) Boolean Program BP(P’,E1)
Step 3 - Model Checking (BEBOP)do {
skip; b:=1;
C: FSM(1,0); skip;
if(*){ skip; skip;
D: FSM(0,1); skip; b:=0;
}E:} while (!b);
skip;F: FSM(0,1);
decl {state==Locked, state==Unlocked};decl b: {nPackets==nPacketsOld};
void FSM({m==Acq,m==Rel}){
if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;
else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;
elseERROR: ;}
Is there a path that leads to ERROR ? NO
C2BP
• From a C program P and a set of predicates E={e1,e2,…,en} create an abstract boolean program BP(P,E) which has n boolean variables V={b1,b2,…,bn}
• Determine for each statement s in P and predicate ei in E how the execution of s can affect the truth value of ei
– if it doesn’t, s->skip
C2BP cont’d
• Static analysis– alias – logical model: p, p+i same object – interprocedural – side-effects (conservative)
BEBOP
• Essentially a model checker
• Interprocedural dataflow analysis -> reachable states
• Uses BDDs to represent state/transfer functions
• ERROR state reachability reduces to vertex reachability on the CFG of the boolean program BP which is decidable
NEWTON
Predicate discoverer / Theorem prover– walk error path p found by BEBOP– compute conditions (predicate values) along p– if algorithm terminates
• inconsistence detected ( =!), add to list of predicates, repeat whole process
• else report p as witness
Results
NT device drivers – Max 60000 LOC– <10 user-supplied predicates, tens-hundreds
inferred– < 20-30 iterations– 672 runs daily, 607 terminate within 20
minutes
SLAM
SLAM
Specification SLIC
Sound
Complete
Scalability (LOC) 10,000
Refinement
Spurious errors Very Few
Conclusions
• SLAM = process for checking temporal safety properties
• Formally state safety properties that interface clients must observe
• Fully automated validation (iterative refinement)• Sound; if process terminates either SUCCESS
or FAILURE (w/counterexample) reported• Accurate (few false positives)
- Poor scalability
References:
• Automatic Property Checking for Software: Past, Present and Future; Sriram K. Rajamani,
• Checking Temporal Properties of Software with Boolean Programs; Thomas Ball, Sriram Rajamani
• Automatically Validating Temporal Safety Properties of Interfaces; Thomas Ball, Sriram Rajamani
Thank You
Questions ?