Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Transcription

1 Verifying Temporal Properties via Dynamic Program Execution Zhenhua Duan Xidian University, China

2 Main Points Background & Motivation MSVL and Compiler PPTL Unified Program Verification Tool Demo Conclusion and Future Work

3 Background & Motivation We focus on Software model checking in code-level (1) Rechability analysis of bad things int* a; int i=0; if(a==0) goto Err; i= *a; //de-referencing a Err: However, verifiation of other temporal properties such as liveness etc. cannot be supported! Suitable for only safety property verification Two well known ways: CEGAR and bounded model checking Tools: SLAM, BLAST, CPAChecker and CBMC

4 Background & Motivation (2) Model checking temporal properties without executing code (static) Considering all possible behaviors makes small programs have large state-space Tools: Ultmate LTLAutomizer, T2,... Difficult to verify programs in large scale Poor in accuracy with lots of false positives

5 Background & Motivation (3) Model checking temporal properties at run-time Extracting events while executing systems A monitor is designed in advance to check whether the trace violates the desired property Tools: Java PathExplorer, RiTHM, Interaction between systems and monitors incurs extra overhead

6 Background & Motivation Our approach: Verifying full-regular (temporal) properties of programs via dynamic program execution Executing both the program and property

7 Background & Motivation Approach Overview MSVL Program M MSVL Compiler IR KLEE Verification cases MSVL Program M_and_M.exe Verification Results M MSVL Program MSVL Compiler PPTL formula Trans MSVL Program M and M P M

8 Modeling Simulation and Verification Language Modeling Simulation and Verification Language (MSVL) is an executing subset of Projection Temporal Logic (PTL) with framing techniue Data Types: (unsigned) int, float, (unsigned) char, string, array, pointer, struct, union Syntax : Arithmetic expression Boolean expression

9 Modeling Simulation and Verification Language Two kinds of functions in MSVL programs External functions C standard library functions (strcat, strcmp, strlen, strcpy ) MSVL functions MSVL standard library functions (int getline(int len,char s[ ]){ }) MSVL user-defined functions (void f(int x 1, x 2,,x n ){ }) Two kinds of function calls in MSVL programs Black-box call (extern f(e 1,e 2,,e n )) White-box call (only for MSVL functions: f(e 1,e 2,,e n ))

10 Elementary Statements in MSVL Projection Temporal Logic

11 MSVL Normal form of MSVL programs Present components Future components A program Conjunction of state statements An internal program where variables may refer to the previous states Execution of MSVL programs is based on transforming programs into normal forms

12 MSVL Compiler MSVL Program MSVL Frontend Symbol table managing Lexical analysis Syntax analysis Preprocessing Semantic analysis IR generation Developed based on Error handling LLVM IR optimizing Object code generation Object code LLVM Backend

13 MSVL Compiler Case Studies Dining philosophers problem LTL2BA A program for translating LTL formulas to Büchi automata Simple CPU An adder including dereference, decode and execution

14 Propositional Projection Temporal Logic Propositional Projection Temporal Loigc (PPTL) Syntax Semantics An interval σ is a non-empty seuence of states, which can be finite or infinite.

15 Propositional Projection Temporal Logic An interpretation is a triple I = (σ, i, j), where σ is an interval, i is an integer, and j an integer or ω. The satisfaction relation is inductively defined as follows: I = p iff si[p] = true, and p Prop is an atomic proposition p I = P iff i < j and (σ, i+1, j) = P P I = P iff I P I = P Q iff I = P or I = Q

16 Propositional Projection Temporal Logic I = (P 1, P 2,,P m ) prj P, if there exist integers r 0 r 1 r m j such that (σ, r l-1, r l ) = P l, 1 l m, and (σ, 0, σ ) = P for one of the following σ : (a) r m < j and σ = σ (r 0,, r m ) σ(r m+1,, j), or (b) r m = j and σ = σ (r 0,, r h ) for some 0 h m <s 0,s 1,s 2,s 3,s 4 > (0,0,2,2,2,3)=<s 0,s 2,s 3 > (P 1, P 2, P 3 ) prj P P Derived formulas P 1 P 2 P 3

17 Normal Form of PPTL formulas A PPTL formula P is in normal form if, P fj is a PPTL formula without disjuct being the main operator P ei and P cj are true or state formulas of the form: Theorem: Any PPTL formula can be euivalently transformed into its normal form.

18 Labeled Normal Form Graph labeled normal form graphs (LNFG) are constructed based on normal form of PPTL formulas LNFG of a PPTL formula is a 4-tuple CL : non-empty finite set of nodes EL: set of directed edges among CL V 0 : set of initial (root) nodes :, 1 i k, set of nodes with l i being the label. Inf(π): set of nodes which infinitely often occur in path π A path is acceptable if it is finite, or infinite and all the nodes in Inf(π) do not share a same label.

19 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p n 1 n 2 NF(n 0 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )

20 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 p p n 1 n 2 NF(n 1 ) = ( ( ) ((p;) ) ) p ( ( ) (true;) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (true;) ((p;) )

21 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p p n 1 n 2 l 1 n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )

22 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) n 0 Rewrite n 2 with fin label p NF(n 2 ) = p ( ( ) ((p;) ) ) n 1 n 2 l 1 ( ( ) (fin(l 1 );) ((p;) ) ) n 0 : ( ) ((p;) ) n 1 : ( ) ((p;) ) n 2 : ( ) (fin(l 1 );) ((p;) )

23 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1

24 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 0 p p n 1 n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable

25 Labeled Normal Form Graph Example LNFG of ( ) ((p;) ) CL = {n 0, n 1, n 2 } EL = { <n 0,, n 1 >, <n 0, p, n 2 >, <n 1,, n 1 >, <n 1, p, n 2 >, <n 2,, n 1 >, <n 2,, n 2 > } V 0 = {n 0 } n 1 n 0 p p n 2 l 1 Path π =< n 0,, n 1, p, (n 2, ) ω > Nodes that occur infinitely often have the same label l 1 Unacceptable Path π =< n 0, p, (n 2,, n 1, p ) ω > Nodes that occur infinitely often do not have a same label Acceptable

26 From PPTL to MSVL Use a uniue integer to represent each of nodes in the LNFG 1 p p 2 3

27 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 Global Variable CuNode:presenting the node explored at the current state. The first node to be explored is a root node (CuNode <==1)

28 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

29 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

30 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

31 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each node i, the following program pattern is created: if(cunode=i)then{ M } M is another program pattern w.r.t all the edges starting from i

32 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

33 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

34 From PPTL to MSVL Program pattern 1 p p 2 3 l 1 For each edge from i to j with the label being p, program if(p) then{cunode:=j}else{false} is produced

35 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

36 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

37 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

38 Verification as Dynamic Program Execution Example: Traffic Light EW= SN= EW= SN= N EW= SN= EW= SN= EW= SN=y 5 W E frame(ew,sn,f) and ( char EW and char SN and int f<==0 while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) S

39 Verification as Dynamic Program Execution Whether M violates P? Program M frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) Desired Property P 1 e1: true e2: (EW= SN=) (EW= SN=) e1 e3 e4 e3: true e2 e4: (EW= SN=) (EW= SN=) e5: true 2 4 e5 e10 e6: EW= SN= e11 e7: EW= SN= e6 e12 e8: true 3 e9: true e7 e8 e9 e10: true e11: EW= SN= e12: EW= SN= MSVL Program frame(ew,sn,f) and ( char EW and char SN and int f<==0 and while(!f) { EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and skip; EW<== and SN<== and (f<==0 and skip or f<==1 and empty) } ) and CuNode<==1 and while(more) { if(cunode=1)then{ CuNode:=2 or if((ew= and SN=) or (EW= and SN=)) then{cunode:=3}else{false} or CuNode:=4 } else { if(cunode=2)then{ L={l 1 } and ( CuNode:=2 or if(ew= and SN=) then{node:=3}else {false})} else{ if(cunode=3)then{cunode:=3} else{ if(cunode=4) then{ L={l 2 } and ( CuNode:=4 or if(ew= and SN=) then {CuNode:=3}else{false}) }else{false}}}} }; if(cunode=1) then{ } else { if(cunode=2)then{ } else{ if(cunode=3)then{ } else{ if(cunode=4)then{ }else{false}}} } M P

40 Verification as Dynamic Program Execution EW SN An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > A finite execution in M A finite path in LNFG of P All executions in M and P 1,1 2,2 2,4 3,2 3,4 4,2 4,4 1,4 1,2 2,3 5 3,3 Finite: A finite execution in M and P 1,1 2,2 3,2 4,2 5,5 5,5 4,3 1,3 EW SN

41 EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P An infinite execution in M An infinite path in LNFG of P ,2 4,2 2,2 1,2 3,3 1,1 2,3 2,4 1,4 3,4 4,4 Infinite: EW SN An infinite execution in M and P 1,1 2,2 3,3 4,3 1,3 2,3 5 5,5 4,3 1,3

42 EW SN Verification as Dynamic Program Execution An execution of an MSVL program is seuences of states σ =< s 0, s 1,... > All executions in M and P Infinite: An infinite execution in M EW SN An infinite execution in M and P An infinite path in LNFG of P 1,1 2,2 3,2 4,2 1, ,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4

43 Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. EW SN Finite: Verification as Dynamic Program Execution EW SN ,1 2,2 3,2 4,2 5,5 EW= SN= EW= EW= SN= SN= false Feasibility checking(finite) 5 true true 2 EW= SN= 1 3 check true true true false 4 5 3,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 Infeasible 1,3 2,4 1,4 3,4 4,4

44 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. Infinite: EW SN EW= SN= EW= SN= EW= SN= 5 1,1 2,2 3,3 4,3 1,3 2,3 check true false false true 2 1 EW= SN= Feasibility checking (infinite) ,2 4,2 2,2 1,2 5,5 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4 Infeasible

45 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true ,2 4,2 1,2 5,5 Feasible 3,3 4,3 1,1 2,3 1,3 2,4 1,4 3,4 4,4

46 EW SN Verification as Dynamic Program Execution Feasible Execution: An execution σ =< s 0, s 1,... > is feasible if for all i, check i true, where check i is a boolean variable representing whether a program state satisfies the desired state formula at state i. 2,2 Infinite: Feasibility checking (infinite) true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true 5 true 2 true ,2 4,2 1,2 Feasible 1,1 2,4 1,4 3,4 4,4 All feasible executions in M and P

47 EW SN Verification as Dynamic Program Execution A feasible execution σ =<s 0, s 1,...> is acceptable if (1) σ is finite; or (2) σ is infinite and no lables are shared by all the states in Inf (σ) true 2 1 true l 2, ,2 4,2 1,2 1,1 2,4 1,4 3,4 4,4 Infinite: Whether a feasible path is acceptable? true 1,1 2,2 3,2 4,2 1,2 EW SN check true true true true = {l 1 } label φ {l 1 } {l 1 } {l 1 } {l 1 } l 1 is shared by all the states in Inf (σ) Unacceptable

48 Verification as Dynamic Program Execution Suppose the model is modified as follows: All feasible executions in M and P 1,1 EW SN Infinite: ,1 2,2 3,3 4,3 1,3 EW SN check true true true true 5 true true A counterexample is found! true = φ label φ l 1 φ φ φ φ l 1 EW= SN= true 5 2,3 3,2 4,2 2,2 1,2 5,5 3,3 4,3 2,3 1,3 2,4 1,4 3,4 4,4 no label is shared by all the states in Inf (σ) Acceptable

49 Implementation MSVL program M PPTL formula UMC4MSVL Construct LNFG M_IR MSVL Compiler M and M M LNFG LNFG2MSVL KLEE M_and_M.exe feasible? yes Verification cases no no acceptable? All cases are verified yes No error found Error

50 Verifying Programs Case Studies Dining philosophers problem liveness property: every philosopher can eat. LTL2BA A software for translating LTL formula to Büchi automata a Büchi automaton is generated with at most n 2 n (n is the number of fairness conditions) states Simple CPU An adder including dereference, decode and execution If the address signal is true, the address is program counter address

51 Translating from C to MSVL C program Preprocessing Twolf (C Program) Lexical analysis ( C:15,912LOC MSVL:32,843LOC) YES Direct translation Syntax analysis Existing corresponding statement in MSVL? NO Semantics guided translation Twolf is selected from the SPEC CPU 2000 Benchmark. It is used in the process of creating the lithography artwork needed for the production of microchips. Post processing MSVL program C library function

52 Translating from Verilog/VHDL to MSVL Verilog/VHDL program Preprocessing Lexical analysis Syntax analysis Semantic analysis IR generation Semantics guided translation SHA (Verilog Program) (Verilog:20,397LOC MSVL:44,583LOC) SHA (Secure Hash Algorithm) is a cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). MSVL program

53 Generating Verification Cases Dynamic Symbolic Execution is used to generate verification cases MSVL program (IR) KLEE execute record path constraint negate a branch condition generate new inputs solve path constraints (SMT solver Z3) yes successful? no Verification cases end

54 Generating Verification Cases Case Studies RERS P15 (RERS Benchmark) A reactive system, where an engine calculates an output depending on the input and current state, and finally writes the output to the standard output Totally, verification cases are generated with KLEE Line Coverage: 41.81% Branch Coverage: 50.70% Property: 24 will never be output later than 22

55 Verifying Programs Verification of (small) programs of Benchmark1 Our method All the four tools can successfully output the verification results. However, UMC4MSVL is more efficient than other three tools.

56 Verifying Programs Verification of larger programs in Benchmark2 Our method Success rate 44% 19% 100% 100% Avg Time(s)

57 Verifying Programs Verification of real-world programs All the programs and properties are successfully verified by UMC4MSVL in seconds. Other three tools fail on these programs.

58 Conclusion and Future Research We proposed a run-time unified model checking approach by executing both programs and properties at the same time. We use dynamic symbolic execution techniue to generate verification cases for achieving higher path coverage. However, the proposed approach is incomplete. In the future: Investigate more strategies for generating better verification cases Planning with MSVL Complier Bug-fixing guided by counterexamples

59 Thanks! & Questions?