Having a BLAST with SLAM

Size: px

Start display at page:

Download "Having a BLAST with SLAM"

Marshall Fitzgerald
6 years ago
Views:

1 Having a BLAST with SLAM #

2 #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim.

3 #3 SLAM Overview INPUT: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use locks correctly, not I am a webserver OUTPUT: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec

4 # Take-Home Message SLAM is a software model checker. It abstracts C programs to boolean programs and model-checks the boolean programs. No errors in the boolean program implies no errors in the original. An error in the boolean program may be a real bug. Or SLAM may refine the abstraction and start again.

5 #5 Property : Double Locking lock unlock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate.

6 Property 2: Drop Root Privilege [Chen-Dean-Wagner 02] User applications must not run with root privilege When execv is called, must have suid 0 #6

7 Property 3 : IRP Handler IRP accessible MPR2 start NP MPR3 synch not pending returned CallDriver MPR NP MPR completion Skip prop completion no prop completion SKIP CallDriver PPC N/A CallDriver CallDriver Complete request CallDriver SKIP2 IPC DC N/A synch return child status return not Pend MPR3 CallDriver start P synch MPR MPR2not pending returned NP MPR completion Mark Pending Skip prop completion CallDriver SKIP PPC CallDriver CallDriver Complete request SKIP2 IPC DC return Pending no prop completion N/A CallDriver [Fahndrich] #7

8 #8 Example SLAM Input Example ( ) { : do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; : while(new!= old); 5: unlock (); return; unlock lock unlock lock

9 #9 SLAM in a Nutshell SLAM(Program p, Spec s) = Program q = incorporate_spec(p,s); mutable PredicateSet abs = { ; while true do BooleanProgram b = abstract(q,abs); match model_check(b) with No_Error! printf( no bug ); exit(0) Counterexample(c)! if is_valid_path(c, p) then printf( real bug ); exit() else abs Ã abs [ new_preds(c) done // program // slic // c2bp // bebop // newton // newton

10 Incorporating Specs Example ( ) { : : do{ lock(); old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new ++; : : while(new!=!= old); 5: 5: unlock (); return; lock unlock 0 unlock ERR lock Example ( ) { : do{ if if L= goto ERR; else L=; old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; if if L=0 goto ERR; else L=0; new ++; : while(new!= old); 5: if if L=0 goto ERR; else L=0; Original program return; violates spec iff ERR: abort(); new program reaches ERR #0

11 Program As Labeled Transition System State Transition pc lock old new q x33a 3: 3: unlock(); new++; : pc lock old new q 5 6 0x33a Example ( ) { : : do do { lock(); old old = new; new; q = q->next; 2: 2: if if (q (q!=!= NULL){ NULL){ 3: 3: q->data = new; new; unlock(); new new ++; ++; : : while(new!=!= old); old); 5: 5: unlock unlock (); (); return; #

12 The Safety Verification Problem Error (e.g., states with PC = Err) Safe States (never reach Error) Initial Is there a path from an initial to an error state? Problem: Infinite state graph (old=, old=2, old= ) Solution : Set of states ' logical formula #2

13 Representing [Sets of States] as Formulas [F] states satisfying F {s s ² F F FO fmla over prog. vars [F ] Å [F 2 ] F Æ F 2 [F ] [ [F 2 ] F Ç F 2 [F] : F [F ] µ [F 2 ] F ) F 2 i.e. F Æ: F 2 unsatisfiable #3

14 # Idea : Predicate Abstraction Predicates on program state: lock (i.e., lock=true) old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite Thus model-checking the abstraction will be feasible!

15 #5 Abstract States and Transitions State pc lock old new q x33a 3: 3: unlock(); new++; : pc lock old new q 5 6 0x33a lock old=new Theorem Prover : lock : old=new

16 Abstraction State c c 2 pc lock old new q x33a 3: 3: unlock(); new++; : pc lock old new q 5 6 0x33a A A 2 Existential Lifting (i.e., A!A 2 iff 9c 2A. 9c 2 2A 2. c!c 2 ) lock old=new Theorem Prover : lock : old=new #6

17 #7 Abstraction State pc lock old new q x33a 3: 3: unlock(); new++; : pc lock old new q 5 6 0x33a lock old=new : lock : old=new

18 #8 Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples

19 #9 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!

20 #20 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge

21 #2 Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Untill real counterexample or system proved safe

22 #22 Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 2 00, #Reach ~ 000 s

23 #23 Solution: Only Abstract Reachable States Safe Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Build abstraction during search

24 #2 Solution2: Don t Refine Error-Free Regions Error Free Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions

25 Q: Books (70 / 82) In T.S. Eliot's 939 Old Possum's Book Of Pratical Cats, this "mystery cat is called the hidden paw / for he's a master criminal who can defy the law."

26 Q: Computer Science This American Turing award winner is sometimes called the father of analysis of algorithms, and is known for popularizing asymptotic notation, creating TeX, and codeveloping a popular a string search algorithm. His most famous work is The Art of Computer Programming.

27 #27 Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds.

28 #28 Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free

29 #29 Key Idea: Reachability Tree Initial 2 Unroll. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. Error Free SAFE S: Only Abstract Reachable States S2: Don t refine error-free regions

30 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); : LOCK Predicates: LOCK Reachability Tree #30

31 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); lock() old = new q=q->next 2 : LOCK LOCK 2 Predicates: LOCK Reachability Tree #3

32 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); [q!=null] 3 2 LOCK : LOCK LOCK 2 3 Predicates: LOCK Reachability Tree #32

33 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); q->data = new unlock() new LOCK : LOCK : LOCK LOCK 2 3 Predicates: LOCK Reachability Tree #33

34 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); 3 2 LOCK : LOCK : LOCK LOCK [new==old] 5 5 : LOCK 2 3 Predicates: LOCK Reachability Tree #3

35 Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); 3 2 LOCK : LOCK : LOCK LOCK Predicates: LOCK 5 : LOCK unlock() : LOCK Reachability Tree #35

36 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); 3 2 LOCK : LOCK : LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5 : LOCK unlock() 2 3 Predicates: LOCK : LOCK Reachability Tree #36

37 Analyze Counterexample Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); Predicates: LOCK LOCK : LOCK : LOCK : LOCK : LOCK LOCK old = new new++ [new==old] Inconsistent new == old Reachability Tree #37

38 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); : LOCK Predicates: LOCK, new==old Reachability Tree #38

39 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 : LOCK lock() old = new q=q->next 2 Predicates: LOCK, new==old Reachability Tree #39

40 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 : LOCK, : new = old : LOCK q->data = new unlock() new Predicates: LOCK, new==old Reachability Tree #0

41 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 : LOCK, : new = old [new==old] : LOCK 2 3 Predicates: LOCK, new==old Reachability Tree #

42 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); : LOCK LOCK, new==old 2 LOCK, new==old 3 : LOCK, : new = old [new!=old] 2 3 Predicates: LOCK, new==old : LOCK, : new == old Reachability Tree #2

43 Repeat Build-and-Search Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old 3 : LOCK, : new = old 2 : LOCK LOCK, new=old SAFE Predicates: LOCK, new==old : LOCK, : new == old 5 : LOCK, new==old Reachability Tree #3

44 # Key Idea: Reachability Tree Initial 2 Unroll. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. Error Free SAFE S: Only Abstract Reachable States S2: Don t refine error-free regions

45 Two handwaves Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old 3 : LOCK, : new = old 2 : LOCK LOCK, new=old SAFE Predicates: LOCK, new==old : LOCK, : new == old 5 : LOCK, new==old Reachability Tree #5

46 Two handwaves Example ( ) { : : do{ do{ lock(); old old = new; : LOCK q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: Q. 3: q->data How = new; to compute successors? unlock(); LOCK, new==old 2 new new ++; ++; :while(new!=!= old); LOCK, new==old 3 5: 5: unlock (); q->data (); = new unlock() : LOCK, : new = old new++ LOCK, new=old SAFE Predicates: LOCK, new==old : LOCK, : new == old 5 : LOCK, new==old Reachability Tree #6

47 Two handwaves Example ( ) { : : do{ do{ lock(); old old = new; : LOCK q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: Q. 3: q->data How = new; to compute successors? unlock(); LOCK, new==old 2 new new ++; ++; :while(new!=!= old); LOCK, new==old 3 5: 5: unlock (); (); : LOCK, : new = old LOCK, new=old SAFE Q. How to find predicates? 5 Refinement : LOCK, new==old 2 3 Predicates: LOCK, new==old : LOCK, : new == old 5 #7

48 Two handwaves Example ( ) { : : do{ do{ lock(); old old = new; : LOCK q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: Q. 3: q->data How = new; to compute successors? unlock(); LOCK, new==old 2 new new ++; ++; :while(new!=!= old); LOCK, new==old 3 5: 5: unlock (); (); : LOCK, : new = old LOCK, new=old SAFE 5 Refinement 2 3 Predicates: LOCK, new==old : LOCK, : new == old 5 : LOCK, new==old #8

49 #9 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P]

50 #50 Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] Assign x = e P[e/x] P new+ = old new = old new = new+

51 How to compute successor? Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old : LOCK, : new = old 3 F OP? For each p Check if p is true (or false) after OP Q: When is p true after OP? - If WP(p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F ) WP(p, OP) Predicates: LOCK, new==old #5

52 How to compute successor? Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); 7 7 LOCK, new==old 3 F OP? For each p Check if p is true (or false) after OP Q: When is p false after OP? - If WP(: p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F ) WP(: p, OP) Predicates: LOCK, new==old #52

53 How to compute successor? Example ( ) { : : do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; :while(new!=!= old); 5: 5: unlock (); (); Predicate: new==old LOCK, new==old : LOCK, : new = old 3 F OP? For each p Check if p is true (or false) after OP Q: When is p false after OP? - If WP(: p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F ) WP(: p, OP) True? (LOCK, new==old) ) (new + = old) NO False? (LOCK, new==old) ) (new + old) YES #53

54 #5 Advanced SLAM/BLAST Too Many Predicates - Use Predicates Locally Counter-Examples - Craig Interpolants Procedures - Summaries Concurrency - Thread-Context Reasoning

55 #55 SLAM Summary ) Instrument Program With Safety Policy 2) Predicates = { 3) Abstract Program With Predicates Use Weakest Preconditions and Theorem Prover Calls ) Model-Check Resulting Boolean Program Use Symbolic Model Checking 5) Error State Not Reachable? Original Program Has No Errors: Done! 6) Check Counterexample Feasibility Use Symbolic Execution 7) Counterexample Is Feasible? Real Bug: Done! 8) Counterexample Is Not Feasible? ) Find New Predicates (Refine Abstraction) 2) Goto Line 3

56 Optional: SLAM Weakness : F() { 2: int x=0; 3: lock(); : do x++; 5: while (x 88); 6: if (x < 77) 7: lock(); 8: Preds = {, Path = [x=0, :x+ 88, x+<77] Preds = {x=0, Path = [x=0, :x+ 88, x+<77] Preds = {x=0, x+=88 Path = [x=0, :x+2 88, x+2<77] Preds = {x=0,x+=88,x+2=88 Path = Result: the predicates count the loop iterations #56

57 #57 Homework Read Winskel Chapter 2 Read Hoare paper Read Spolsky article

Having a BLAST with SLAM

Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program