Scalable Program Verification by Lazy Abstraction

Size: px

Start display at page:

Download "Scalable Program Verification by Lazy Abstraction"

Teresa Mitchell
5 years ago
Views:

1 Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley ars, July, 997 Lost contact due to real-time priority inversion bug ars, December, 999 Crashed due to uninitialized variable

2 French Guyana, June, 996 $600 million software failure Something Uptime: 67 Reliable years

3 Why don t Bridges Crash? Abstraction Building Blocks. Relevant facts* 2. odel. Analysis * w.r.t. property of interest Bridges echanics ass, Tensile Strength Free Body Diagram Solve Equations Programs Logic??? Contributions CProgram Property Search [POPL 02] BLAST Refine [POPL 0] Yes No Safe Trace

4 Property : Double Locking lock unlock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate. Property 2: Drop Root Privilege [Chen-Dean-Wagner 02] User applications must not run with root privilege When execv is called, must have suid 0

5 Property : IRP Handler IRP accessible PR start NP synch not pending returned CallDriver PR2 PR NP PR completion Skip prop completion no prop completion SKIP CallDriver SKIP2 PPC N/A CallDriver CallDriver Complete request CallDriver IPC DC N/A synch return child status return not Pend PR CallDriver start P synch PR PR2not pending returned NP PR completion ark Pending Skip prop completion no prop completion CallDriver SKIP SKIP2 PPC N/A CallDriver CallDriver Complete request IPC CallDriver DC return Pending [Fahndrich] Property : Data Races x:= x+ x x:= x-5 A data race on x is a state where:. Two threads can access x 2. One of the accesses is a write There should be no races on shared variables

6 Contributions Program Property BLAST Yes No Safe Trace Sequential Programs Counterex.-Guided Abstraction-Refinement For large programs, complex properties New Algorithms: Abstraction [POPL 02],Refinement [POPL 0] Property : Double Locking (Linux/Windows Drivers) Property 2: Drop Root Privilege (Linux Daemons ~59kloc) Precise: No false Errors Property : IRP Handler (NT Drivers ~0Kloc) Large Programs Contributions Program Property BLAST Yes No Safe Trace ultithreaded Programs New models for thread interactions New algorithms to compute models and Verify multithreaded programs [CAV 0] [PLDI 0] Property : Data Races Linux/Windows Drivers Sensor Network Apps. (TinyOS/NesC) ~0kloc Arbitrarily many threads Any synchronization mechanisms Real counterexamples, Safety Proofs

7 Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs ultithreaded Programs. Future Work Example un : while(new!= old); return; unlock lock unlock lock

8 What a program really is State Transition pc lock old new q a a a 5 a 5 a 0xa : un new++; : un : while(new!= old); return; pc a lock a old a 5 new a 6 q a 0xa The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula

9 Idea : Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent erged into one abstract state #abstract states is finite [Graf-Saidi 97] Abstract States and Transitions State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa Theorem Prover lock old=new : lock : old=new

10 Abstraction State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa Theorem Prover Existential Lifting lock old=new : lock : old=new Abstraction State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa lock old=new : lock : old=new

11 Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction! [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]

12 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Imprecision Build refined due abstraction to merge [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0] Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample. Repeat search Till real counterexample or system proved safe

13 Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02] [POPL0] ultithreaded Programs. Future Work Scaling Sequential Verification CProgram Property Abstract [POPL 02] BLAST Refine [POPL 0] Yes No Safe Trace

14 Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 2 00, #Reach ~ 000 s Solution: Only Abstract Reachable States Safe Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Build abstraction during search

15 Solution2: Don t Refine Error-Free Regions Error Free Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off 5 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds.

16 Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free Key Idea: Reachability Tree Initial 2 Unroll. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. Error Free SAFE S: Only Abstract Reachable States S2: Don t refine error-free regions

17 Build-and-Search un :while(new!= old); Predicates Reachability Tree Build-and-Search un :while(new!= old); lock() old = new q=q->next 2 LOCK 2 Predicates Reachability Tree

18 Build-and-Search un :while(new!= old); [q!=null] 2 LOCK LOCK 2 Predicates Reachability Tree Build-and-Search un :while(new!= old); q->data = new unlock() new++ 2 LOCK LOCK 2 Predicates Reachability Tree

19 Build-and-Search un :while(new!= old); 2 LOCK LOCK 5 [new==old] 5 2 Predicates Reachability Tree Build-and-Search un :while(new!= old); 2 LOCK LOCK 5 2 Predicates 5 unlock() Reachability Tree

20 Analyze Counterexample un :while(new!= old); 2 LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5 unlock() 2 Predicates Reachability Tree Analyze Counterexample un :while(new!= old); 2 5 Predicates 5 2 LOCK LOCK old = new new++ [new==old] Inconsistent new == old Reachability Tree

21 Repeat Build-and-Search un :while(new!= old); Predicates, new==old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 lock() old = new q=q->next 2 Predicates, new==old Reachability Tree

22 Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old q->data = new unlock() new++ 2 Predicates, new==old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old [new==old] 2 Predicates, new==old Reachability Tree

23 Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old [new!=old] 2 Predicates, new==old, : new == old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old LOCK, new==old 2 SAFE, : new = old LOCK, new=old 5 2 Predicates, new==old, : new == old 5, new==old Reachability Tree

24 Scaling Sequential Verification CProgram Abstract [POPL 02] Yes Safe Property Refine No Trace Problem: Abstraction is Expensive Solution:. Abstract reachable states, 2. Avoid refining error-free regions Key Idea: Reachability Tree Property: Results IRP Handler Win NT DDK Program Lines* Previous Time(mins) Time (mins) Predicates Total Average kbfiltr 2k floppy 7k diskprf k cdaudio 8k parport 6k DNF parclss 8k DNF * Pre-processed

25 Analyzing Programs Abstraction Building Blocks. Relevant facts* 2. odel. Analysis Programs Logic Predicates Reach Tree Search * w.r.t. property of interest Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02, POPL 0] ultithreaded Programs. Future Work

26 ultithreaded Programs Thread x Thread Shared emory Curse of Interleaving Non-deterministic scheduling Exponentially many behaviors Errors are hard to detect, reproduce, eliminate Testing exercises a tiny fraction of possible behaviours Data Races x:= x+ x x:= x-5 A data race on x is a state where: Two threads can access x One of the accesses is a write Unpredictable, undesirable program

Brute Force Approach odel Checking: Explore (abstract) State Space The curse of Interleavings #Control Combinations = m.n 250,000 if 500 lines/thread, ignoring predicates,,5,,k threads?

27 Brute Force Approach odel Checking: Explore (abstract) State Space The curse of Interleavings #Control Combinations = m.n 250,000 if 500 lines/thread, ignoring predicates,,5,,k threads? Unbounded threads? A Thread-odular Approach Key Idea: Summarize each thread Interactions with others w.r.t. property while(){ atomic{ old := s; if(s==0){ s :=; if(old==0){ x++; s :=0; s,x s=0 s 0 s= [PLDI 0] s Automaton on predicates on global variables

28 A Thread-odular Approach Analysis Time» Thread Summary Problem: Find Summary which:. [Scalability] is small 2. [Verification] has all behaviors of thread Verify (Thread Other s Summary) safe safe Control Combinations: Thread Summary Small (if summary is small)

29 Check that Summaries are Valid µ µ safe safe Thread-odular Verification µ µ safe safe Assume-Guarantee [Owicki-Gries 7] [Jones 8] [Stark 85] [Abadi-Lamport 9] [Alur-Henzinger 96] [cillan 97] [Flanagan-Qadeer 0] safe Q: Finding Summaries?

30 Data Races in NesC Programs [PLDI 0] PL for Networked Embedded Systems [Gay et al. 0] TinyOS Sensor Networks Applications Interrupts fire events, which fire other events or post tasks which run asynchronously Race-freedom important Non-trivial synchronization idioms Flow-based analysis Compiled to C Case Study: sense.nc [PLDI 0] atomic{ old:= state; if(state==0){ state:=; if(old==0){ x++; Interrupt fires old := state if (state ==0){ state := If (old == 0){ about to write x Interrupt 2 fires state := 0 Interrupt handler disables interrupt 2 BLAST finds information - proves no races Interrupt fires old := state if (state ==0){ state := If (old == 0){ about to write x

31 Analyzing Programs Abstraction Building Blocks. Relevant facts* 2. odel. Analysis Programs Logic Predicates Reach Tree Search ultithreaded Predicates Summary Thread-odular * w.r.t. property of interest

Having a BLAST with SLAM

Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement