Counterexample Generation for Separation-Logic-Based ProofsArlen CoxSamin IshtiaqJosh BerdineChristoph Wintersteiger
2
SLAYER
Abstraction-based Static Analyzer• Uses Separation Logic• Proves Memory Safety of Heap Manipulating Programs
Shape Analysis
Abstraction-based Static Analyzer• Abstract Counterexamples• Failure to prove does not imply that a bug has been found• Even if the bug is real, the counterexample is still abstract
3
SLAYER Results
UNSAFE? SAFE
UNSAFE UNSAFE? SAFE
4
Concrete Counterexamples• If unsafe, return a set of inputs causing failure– Program inputs– Nondeterministic assignments
• Established Techniques– Symbolic Execution (Sage, KLEE)– Bounded Model Checking (CBMC)
5
Symbolic Execution
l := 0
l := *(l+next)return
t := alloc(2)*(t+next) := ll := t
6
Symbolic Execution
l := 0
l := *(l+next)return
t := alloc(2)*(t+next) := ll := t
7
Symbolic Execution
l := 0
l := *(l+next)return
t := alloc(2)*(t+next) := ll := t
8
Symbolic Execution
l := 0
l := *(l+next)return
t := alloc(2)*(t+next) := ll := t
9
Symbolic Execution• Heuristics guide the search• Whole paths are checked before checking
other paths• No guarantees any particular bug will be
found
10
Bounded Model Checking
l := 0
l := *(l+next)return
t := alloc(2)*(t+next) := ll := t
11
Bounded Model Checking
l := 0
12
Bounded Model Checking
l := 0
t := alloc(2)*(t+next) := ll := t
13
Bounded Model Checking
l := 0
l := *(l+next)
t := alloc(2)*(t+next) := ll := t
t := alloc(2)*(t+next) := ll := t
14
Bounded Model Checking
l := 0
l := *(l+next)
t := alloc(2)*(t+next) := ll := t
t := alloc(2)*(t+next) := ll := t
t := alloc(2)*(t+next) := ll := t
l := *(l+next)
l := *(l+next)
return
15
Bounded Model Checking• Complete search up to some depth• Searching all branches may be time consuming• Depth of search may be insufficient• Use failed separation logic proof to prune
branches
16
BMC on Abstract Counterexample• Perform BMC on abstract
counterexample, unrolling loops• Prune any states that are not on
a path to error• Use state constraints to restrict
search(would work for symbolic execution as well)
Abstract State S (constraints)
Abstract State S’ (constraints)
ProgramStatements
ProgramStatements
17
Abstract Counterexample𝑒𝑚𝑝
∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)
𝐸𝑅𝑅𝑂𝑅
t := alloc(2)*(t+next) := ll := t
l := *(l+next)
l := 0
18
Abstract Counterexample𝑒𝑚𝑝
∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)
𝐸𝑅𝑅𝑂𝑅
t := alloc(2)*(t+next) := ll := t
l := *(l+next)
l := 0
19
Practicalities• Use Z3 to perform BMC• Z3 doesn’t understand separation logic– Weaken formulas to first order
• A different way of encoding BMC– Make Z3 do all of the work– No iteration: give Z3 a single problem
20
Prune and Weakenemp
true
ERROR
t := alloc(2)*(t+next) := ll := t
l := *(l+next)
l := 0First-order
sub-formula
21
BMC Safety Violations• Satisfiable– Array/Structure out of bounds– Access unallocated memory/NULL– Double free– Free of incorrect memory
• Unsatisfiable– No violation within bounds
• Heap size• Unrolling limit
22
Precise Word-Level Memory Model
0
Heap
Alloc
Size 0 0 0 0 0 0 0 0 0
0 1 2 3 4 5 6 7 8 9
23
Precise Word-Level Memory Model
0
Heap
Alloc
Size 0
x
3
x
0
x
0 0 0 0 0 0
alloc(3)0 1 2 3 4 5 6 7 8 9
24
Precise Word-Level Memory Model
0
Heap
Alloc
Size 0
x
3
x
0
17
x
0 0 0 0 0 0
*4 = 170 1 2 3 4 5 6 7 8 9
25
Precise Word-Level Memory Model
0
Heap
Alloc
Size 0 0 0
17
0 0 0 0 0 0
free(2)0 1 2 3 4 5 6 7 8 9
26
Encoding – High Level
𝑖𝑛𝑖𝑡∧ ∀ 𝑡 .𝑡>0∧𝑡<𝑛→𝑡𝑟 (𝑡 ) Assert initial state Transition from state at time to state at time
Use UFBV logic: Quantified bit-vectorswith uninterpreted functions
27
Initial state
- Optional- Optional
28
Transition
29
Encode• Step whole basic block– Eliminates quantifiers based on structure of
program• Use state in encoder– Maximize structure sharing– Reduce quantifiers and uninterpreted functions
30
Encode – Threading State
InitializeState
EncodeStmt
To Error
EncodeStmt
To Error
EncodeStmt
To Error
Store StateTo Successor
…
31
Encode - alloc
32
Encode - store
33
Process Summary
C ProgramSeparation
Logic Analysis
BMC Encoder Z3
SAFEUNSAFE +
COUNTEREXAMPLE
UNSAFE?SMT-LIB
AbstractTransitionSystem
UNSAT
SAT
SLAYER
34
Performance• Equivalent to SLAYER on sample problems• Problems like example < 0.5s• Scalability unknown• Not competitive with Sage or KLEE– Z3 could match or beat Sage or KLEE, though.
35
Z3 Pain Relief• is way slower than (2x)• Eliminate : use last modified index to eliminate these (2x)• Use the new SAT solver (10x)• Use MBQI (sat/unsat vs unknown)• Don’t use Array Theory (sat/unsat vs unknown)• Init doesn’t matter much (±10%)• Eliminate : create explicit conjunction. (30x on small
problems)
36
QUESTIONS?
©2011 Microsoft Corporation. All rights reserved.
38
Array theory?• Array theory is not current– We use quantifiers with uninterpreted functions:
– We don’t want too many quantifiers• Since we’re quantifying over time, keep track of when
updates last occurred.
39
Encoding a basic block (statements updating )