Having a BLAST with SLAM

Similar documents
Having a BLAST with SLAM

Having a BLAST with SLAM

Having a BLAST with SLAM

Scalable Program Verification by Lazy Abstraction

Software Model Checking with Abstraction Refinement

CS 510/13. Predicate Abstraction

Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement. Having a BLAST with SLAM. Combining Strengths. SLAM Overview SLAM

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Software Model Checking. Xiangyu Zhang

Counterexample Guided Abstraction Refinement in Blast

Static Program Analysis

Predicate Abstraction Daniel Kroening 1

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

On Reasoning about Finite Sets in Software Checking

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Verifying Multithreaded Software with Impact

Software Model Checking. From Programs to Kripke Structures

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Predicate Refinement Heuristics in Program Verification with CEGAR

More on Verification and Model Checking

Program Static Analysis. Overview

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Proofs from Tests. Nels E. Beckman, Aditya V. Nori, Sriram K. Rajamani, Robert J. Simmons, SaiDeep Tetali, Aditya V. Thakur

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

F-Soft: Software Verification Platform

The software model checker BLAST

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Introduction to Axiomatic Semantics (1/2)

Model Checking with Abstract State Matching

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

TRACER: A Symbolic Execution Tool for Verification

Towards a Software Model Checker for ML. Naoki Kobayashi Tohoku University

Introduction to Axiomatic Semantics (1/2)

Formal Systems Tutorial Hybrid System Modeling, Program Analysis

Lecture 2: Symbolic Model Checking With SAT

Introduction to Axiomatic Semantics

Software Model Checking with SLAM

A Survey of Automated Techniques for Formal Software Verification

Proofs from Tests. Sriram K. Rajamani. Nels E. Beckman. Aditya V. Nori. Robert J. Simmons.

Configurable Software Model Checking

Predicate Abstraction of ANSI C Programs using SAT Λ

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

Finite State Verification. CSCE Lecture 14-02/25/2016

An Eclipse Plug-in for Model Checking

Symbolic and Concolic Execution of Programs

The Pointer Assertion Logic Engine

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

Formal Verification by Model Checking

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

Automatically Validating Temporal Safety Properties of Interfaces

Static program checking and verification

Verifying Concurrent Programs

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

Using Build-Integrated Static Checking to Preserve Correctness Invariants

Unbounded Symbolic Execution for Program Verification

Subsumer-First: Steering Symbolic Reachability Analysis

Program Analysis and Constraint Programming

Program Verification. Aarti Gupta

Finite State Verification. CSCE Lecture 21-03/28/2017

Model Checking with Automata An Overview

Binary Decision Diagrams and Symbolic Model Checking

Proc. ISoLA 2018, c Springer

Model Checking: Back and Forth Between Hardware and Software

Interpolation-based Software Verification with Wolverine

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

Program verification. Generalities about software Verification Model Checking. September 20, 2016

Formal Verification of Synchronization Issues in SpecC Description with Automatic Abstraction

Tree Interpolation in Vampire

Proof Carrying Code(PCC)

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Program Verification (6EC version only)

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Symbolic Evaluation/Execution

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Abstract Interpretation

Abstraction Refinement for Quantified Array Assertions

Abstraction Learning

Bounded Model Checking Of C Programs: CBMC Tool Overview

Formal Verification at Higher Levels of Abstraction

SYNERGY : A New Algorithm for Property Checking

Predicate Abstraction with Adjustable-Block Encoding

Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT

Compiler Construction 2016/2017 Loop Optimizations

Permissive Interfaces

Checking Memory Safety with Blast

Model Checking Embedded C Software using k-induction and Invariants

A Gentle Introduction to Program Analysis

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*

Applications of Program analysis in Model-Based Design

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Predicate Abstraction and Refinement Techniques for Verifying Verilog

Transcription:

Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver Verifier Airbus applies the Astrée Static Analyzer This Week: Building up to SDV Verify properties or find bugs in software Take an important program (e.g., a device driver) Merge it with a property (e.g., no deads) Transform the result into a boolean program Use a model checker to exhaustively explore the resulting state space Result : program provably satisfies property Result : program violates property right here on line 9,76! Take-Home Message Model Checking There are complete courses in model checking (see ECEN 9, Prof. Somenzi). Model Checking by Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Symbolic Model Checking by Ken McMillan. We will skim. Model checking is the exhaustive exploration of the state space of a system, typically to see if an error state is reachable. It produces concrete counterexamples. The state explosion problem refers to the large number of states in the model. 6

Keywords Model checking is an automated technique Model checking verifies transition systems Model checking verifies temporal properties Model checking falsifies by generating counterexamples Verification vs. Falsification What is verification? What is falsification? A model checker is a program that checks if a (transition) system satisfies a (temporal) property 7 8 Verification vs. Falsification An automated verification tool can report that the system is verified (with a proof); or that the system was not verified. When the system was not verified, it would be helpful to explain why. Model checkers can output an error counterexample: a concrete execution scenario that demonstrates the error. Can view a model checker as a falsification tool The main goal is to find bugs So what can we verify or falsify? Software Model Checking via Counterexample Guided Abstraction Refinement There are easily dozens of papers. We will skim. 9 Key Terms Counterexample guided abstraction refinement (CEGAR) A successful software model-checking approach. Sometimes called Iterative Abstraction Refinement. SLAM = The first CEGAR project/tool. Developed at MSR Lazy Abstraction = CEGAR optimization Used in the BLAST tool from Berkeley. What is Counterexample Guided Abstraction Refinement (CEGAR)? Verification by Model Checking? Theorem Proving? Dataflow Analysis or Program Analysis?

Verification Verification by Model Checking un : while(new!= old); : un Is this program correct? What does correct mean? How do we determine if a program is correct? un : while(new!= old); : un. (Finite State) Program. State Transition Graph. Reachability - Program Finite state model - State explosion + State exploration + Counterexamples Precise [SPIN,SMV,Bandera,JPF] Verification by Theorem Proving Verification by Theorem Proving un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity Invariant: Æ new = old Ç Æ new old un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity - Loop invariants - Multithreaded programs + Behaviors encoded in logic + Decision procedures Precise [ESC, PCC] 6 Verification by Program Analysis Combining Strengths un : while(new!= old); : un. Dataflow Facts. Constraint System. Solve Constraints - Imprecision: fixed facts + Abstraction + Type/Flow analyses Scalable [Cqual, ESP] 7 Theorem Proving - Need loop invariants (will find automatically) + Behaviors encoded in logic (used to refine abstraction) + Theorem provers (used to compute successors, refine abstraction) SLAM Model Checking Program Analysis - Imprecise (will be precise) + Abstraction (will shrink the state space we must explore) - Finite-state model, state explosion (will find small good model) + State space exploration (used to get a path sensitive analysis) + Counterexamples (used to find relevant facts, refine abstraction) 8

Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 9 Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 0 Property : Double Locking First Question? un un So what can we verify or falsify? An attempt to re-acquire an acquired or release a released will cause a dead. Calls to and un must alternate. Property : Drop Root Privilege Property : IRP Handler start NP MPR synch NP MPR CallDriver completion MPR MPR IRP accessible SKIP CallDriver SKIP Skip CallDriver IPC prop CallDriver PPC completion Complete request DC no prop synch completion CallDriver N/A N/A return child status return not Pend [Chen-Wagner-Dean 0] User applications must not run with root privilege When execv is called, must have suid 0 start P Mark Pending CallDriver SKIP SKIP Skip CallDriver IPC synch MPR NP prop CallDriver PPC MPR completion Complete CallDriver completion MPR MPR request DC no prop completion CallDriver N/A return Pending [Fahndrich]

Example SLAM Input SLAM in a Nutshell un : while(new!= old); : un un un SLAM(Program p, Spec s) = Program q = incorporate_spec(p,s); PredicateSet abs = { ; while true do BooleanProgram b = abstract(q,abs); match model_check(b) with No_Error print( no bug ); exit(0) Counterexample(c) if is_valid_path(c, p) then print( real bug ); exit() else abs abs new_preds(c) done // slic // cbp // bebop // newton // newton 6 Incorporating Specs Incorporating Specs un : while(new!= old); : un un 0 un ERR Ideas? #7 un : while(new!= old); : un un 0 un ERR if L= goto ERR; else L=; if L=0 goto ERR; else L=0; : while(new!= old); : if L=0 goto ERR; else L=0; Original program violates spec iff ERR: abort(); new program reaches ERR #8 Program As Labeled Transition System The Safety Verification Problem State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 9 Initial Error (e.g., states with PC = Err) Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 0

Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] FO formula over program vars Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] F Ç F FO formula over program vars [F] [F] F [F ] [F ] [F ] [F ] F F i.e. F Æ Æ F unsatisfiable i.e. F Æ Æ F unsatisfiable Having a BLAST with SLAM Meeting, CSCI 7, Fall 00 Announcements Please label blog entries with the relevant class date (e.g., 9- ) This will help me keep track of the minimum commenting requirement I read all posts but may not respond to all of them. Soundness and Completeness Review 6

Example SLAM Input Program As Labeled Transition System un : while(new!= old); : un un un 7 State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 8 The Safety Verification Problem Error (e.g., states with PC = Err) Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F FO formula over program vars Initial Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 9 [F ] [F ] F Æ F [F ] [F ] F Ç F [F] F [F ] [F ] F F 0 Idea : Predicate Abstraction On to Software Model Checking Predicates on program state: old = new (i.e., =true) States satisfying same predicates are equivalent Merged into one abstract state Why? Num of abstract states is finite Thus model-checking the abstraction will be feasible! 7

Abstract States and Transitions Abstraction State Transition State c Transition c pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa old=new Theorem Prover old=new old=new Existential Lifting (i.e., A A iff c A. c A. c c ) A A Theorem Prover old=new Abstraction Analyze Abstraction State Transition pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa Analyze finite graph Over Approximate Safe System Safe No false negatives old=new Theorem Prover old=new Problem Spurious counterexamples false positives 6 Idea : Counterexample-Guided Refinement Idea : Counterexample-Guided Refinement Solution Use spurious counterexamples to refine abstraction! Solution Use spurious counterexamples to refine abstraction!. Add predicates to distinguish states across cut. Build refined abstraction Imprecision due to merge 7 8 8

Iterative Abstraction-Refinement Problem: Abstraction is Expensive Why? Solution Use spurious counterexamples to refine abstraction! [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut. Build refined abstraction eliminates counterexample. Repeat search until real counterexample or system proved safe 9 Problem #abstract states = #predicates Exponential Thm. Prover queries Reachable Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 00, #Reach ~ 000 s 0 Solution: Only Abstract Reachable States Solution: Don t Refine Error-Free Regions Safe Error Free Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Build abstraction during search Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions Key Idea for Solutions? 9

Key Idea: Key Idea: Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Initial 6 Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 7 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free 6 Key Idea: Build-and-Search Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off 6 7 8 - Learn new predicates 8 - Rebuild subtree with new preds. Find min infeasible suffix un :while(new!= old); :un Error Free SAFE S: Only Abstract Reachable States S: Don t refine error-free regions 7 Predicates: 8 Build-and-Search Build-and-Search un :while(new!= old); :un () old = new q=q->next un :while(new!= old); :un [q!=null] Predicates: 9 Predicates: 60 0

Build-and-Search Build-and-Search un :while(new!= old); :un q->data = new un() new++ un :while(new!= old); :un [new==old] Predicates: 6 Predicates: 6 Build-and-Search Analyze Counterexample un :while(new!= old); :un un :while(new!= old); :un () old = new q=q->next [q!=null] q->data = new un() new++ [new==old] un() un() Predicates: 6 Predicates: 6 Analyze Counterexample Repeat Build-and-Search un :while(new!= old); :un old = new new++ un :while(new!= old); :un Predicates: [new==old] Inconsistent new == old 6 66

Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old () old = new q=q->next un :while(new!= old); :un, new==old, new==old, new = old q->data = new un() new++ 67 68 Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old, new==old un :while(new!= old); :un, new==old, new==old, new = old, new = old [new==old] [new!=old], new == old 69 70 Repeat Build-and-Search Key Idea: un :while(new!= old); :un, new==old, new==old, new = old, new == old, new==old, new=old SAFE 7. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off 6 7 8 - Learn new predicates 8 - Rebuild subtree with new preds. Error Free SAFE Initial Unroll Abstraction Find min infeasible suffix S: Only Abstract Reachable States S: Don t refine error-free regions 7

Two Handwaves Two Handwaves un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old Q. How to find predicates?, new == old Refinement Predicates:, new==old old, new==old 7 un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old, new == old, new==old 7 Weakest Preconditions Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] Assign x=e P[e/x] P new+ = old new = old new=new+ 7 76 How to compute successor? How to compute successor? un :while(new!= old); :un, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p true after OP? - If WP(p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP(p, OP) un :while(new!= old); :un, new==old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) 77 78

How to compute successor? Advanced SLAM/BLAST un :while(new!= old); :un Predicate: new == old True? False?, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) (, new==old) (new + = old) NO (, new==old) (new + old) YES 79 Too Many Predicates - Use Predicates Locally Counter-Examples - Craig Interpolants Procedures - Summaries Concurrency - Thread-Context Reasoning 80 SLAM Summary Bonus: SLAM/BLAST Weakness ) Instrument Program With Safety Policy ) Predicates = { ) Abstract Program With Predicates Use Weakest Preconditions and Theorem Prover Calls ) Model-Check Resulting Boolean Program Use Symbolic Model Checking ) Error State Not Reachable? Original Program Has No Errors: Done! 6) Check Counterexample Feasibility Use Symbolic Execution 7) Counterexample Is Feasible? Real Bug: Done! 8) Counterexample Is Not Feasible? ) Find New Predicates (Refine Abstraction) ) Goto Line 8 : F() { : int x=0; : : x++; : while (x 88); 6: if (x < 77) 7: 8: Preds = {, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, x+=88 Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0,x+=88,x+=88 Path = 67 Result: the predicates count the loop iterations 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback