Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver Verifier Airbus applies the Astrée Static Analyzer This Week: Building up to SDV Verify properties or find bugs in software Take an important program (e.g., a device driver) Merge it with a property (e.g., no deads) Transform the result into a boolean program Use a model checker to exhaustively explore the resulting state space Result : program provably satisfies property Result : program violates property right here on line 9,76! Take-Home Message Model Checking There are complete courses in model checking (see ECEN 9, Prof. Somenzi). Model Checking by Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Symbolic Model Checking by Ken McMillan. We will skim. Model checking is the exhaustive exploration of the state space of a system, typically to see if an error state is reachable. It produces concrete counterexamples. The state explosion problem refers to the large number of states in the model. 6
Keywords Model checking is an automated technique Model checking verifies transition systems Model checking verifies temporal properties Model checking falsifies by generating counterexamples Verification vs. Falsification What is verification? What is falsification? A model checker is a program that checks if a (transition) system satisfies a (temporal) property 7 8 Verification vs. Falsification An automated verification tool can report that the system is verified (with a proof); or that the system was not verified. When the system was not verified, it would be helpful to explain why. Model checkers can output an error counterexample: a concrete execution scenario that demonstrates the error. Can view a model checker as a falsification tool The main goal is to find bugs So what can we verify or falsify? Software Model Checking via Counterexample Guided Abstraction Refinement There are easily dozens of papers. We will skim. 9 Key Terms Counterexample guided abstraction refinement (CEGAR) A successful software model-checking approach. Sometimes called Iterative Abstraction Refinement. SLAM = The first CEGAR project/tool. Developed at MSR Lazy Abstraction = CEGAR optimization Used in the BLAST tool from Berkeley. What is Counterexample Guided Abstraction Refinement (CEGAR)? Verification by Model Checking? Theorem Proving? Dataflow Analysis or Program Analysis?
Verification Verification by Model Checking un : while(new!= old); : un Is this program correct? What does correct mean? How do we determine if a program is correct? un : while(new!= old); : un. (Finite State) Program. State Transition Graph. Reachability - Program Finite state model - State explosion + State exploration + Counterexamples Precise [SPIN,SMV,Bandera,JPF] Verification by Theorem Proving Verification by Theorem Proving un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity Invariant: Æ new = old Ç Æ new old un : while(new!= old); : un. Loop Invariants. Logical Formulas. Check Validity - Loop invariants - Multithreaded programs + Behaviors encoded in logic + Decision procedures Precise [ESC, PCC] 6 Verification by Program Analysis Combining Strengths un : while(new!= old); : un. Dataflow Facts. Constraint System. Solve Constraints - Imprecision: fixed facts + Abstraction + Type/Flow analyses Scalable [Cqual, ESP] 7 Theorem Proving - Need loop invariants (will find automatically) + Behaviors encoded in logic (used to refine abstraction) + Theorem provers (used to compute successors, refine abstraction) SLAM Model Checking Program Analysis - Imprecise (will be precise) + Abstraction (will shrink the state space we must explore) - Finite-state model, state explosion (will find small good model) + State space exploration (used to get a path sensitive analysis) + Counterexamples (used to find relevant facts, refine abstraction) 8
Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 9 Revisiting SLAM Input: Program and Specification Standard C Program (pointers, procedures) Specification = Partial Correctness Given as a finite state machine (typestate) I use s correctly, not I am a webserver Output: Verified or Counterexample Verified = program does not violate spec Can come with proof! Counterexample = concrete bug instance A path through the program that violates the spec 0 Property : Double Locking First Question? un un So what can we verify or falsify? An attempt to re-acquire an acquired or release a released will cause a dead. Calls to and un must alternate. Property : Drop Root Privilege Property : IRP Handler start NP MPR synch NP MPR CallDriver completion MPR MPR IRP accessible SKIP CallDriver SKIP Skip CallDriver IPC prop CallDriver PPC completion Complete request DC no prop synch completion CallDriver N/A N/A return child status return not Pend [Chen-Wagner-Dean 0] User applications must not run with root privilege When execv is called, must have suid 0 start P Mark Pending CallDriver SKIP SKIP Skip CallDriver IPC synch MPR NP prop CallDriver PPC MPR completion Complete CallDriver completion MPR MPR request DC no prop completion CallDriver N/A return Pending [Fahndrich]
Example SLAM Input SLAM in a Nutshell un : while(new!= old); : un un un SLAM(Program p, Spec s) = Program q = incorporate_spec(p,s); PredicateSet abs = { ; while true do BooleanProgram b = abstract(q,abs); match model_check(b) with No_Error print( no bug ); exit(0) Counterexample(c) if is_valid_path(c, p) then print( real bug ); exit() else abs abs new_preds(c) done // slic // cbp // bebop // newton // newton 6 Incorporating Specs Incorporating Specs un : while(new!= old); : un un 0 un ERR Ideas? #7 un : while(new!= old); : un un 0 un ERR if L= goto ERR; else L=; if L=0 goto ERR; else L=0; : while(new!= old); : if L=0 goto ERR; else L=0; Original program violates spec iff ERR: abort(); new program reaches ERR #8 Program As Labeled Transition System The Safety Verification Problem State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 9 Initial Error (e.g., states with PC = Err) Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 0
Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] FO formula over program vars Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F [F ] [F ] F Æ F [F ] [F ] F Ç F FO formula over program vars [F] [F] F [F ] [F ] [F ] [F ] F F i.e. F Æ Æ F unsatisfiable i.e. F Æ Æ F unsatisfiable Having a BLAST with SLAM Meeting, CSCI 7, Fall 00 Announcements Please label blog entries with the relevant class date (e.g., 9- ) This will help me keep track of the minimum commenting requirement I read all posts but may not respond to all of them. Soundness and Completeness Review 6
Example SLAM Input Program As Labeled Transition System un : while(new!= old); : un un un 7 State Transition pc a a old a new a : un new++; : q a 0xa un : while(new!= old); : un pc a a old a new a 6 q a 0xa 8 The Safety Verification Problem Error (e.g., states with PC = Err) Representing [Sets of States] as Formulas [F] states satisfyingf {s s F F FO formula over program vars Initial Is there a path from an initial to an error state? Problem? Infinite state graph (old=, old=, old= ) Solution? Set of states logical formula Safe States (never reach Error) 9 [F ] [F ] F Æ F [F ] [F ] F Ç F [F] F [F ] [F ] F F 0 Idea : Predicate Abstraction On to Software Model Checking Predicates on program state: old = new (i.e., =true) States satisfying same predicates are equivalent Merged into one abstract state Why? Num of abstract states is finite Thus model-checking the abstraction will be feasible! 7
Abstract States and Transitions Abstraction State Transition State c Transition c pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa old=new Theorem Prover old=new old=new Existential Lifting (i.e., A A iff c A. c A. c c ) A A Theorem Prover old=new Abstraction Analyze Abstraction State Transition pc a a old a new a q a 0xa : un new++; : pc a a old a new a 6 q a 0xa Analyze finite graph Over Approximate Safe System Safe No false negatives old=new Theorem Prover old=new Problem Spurious counterexamples false positives 6 Idea : Counterexample-Guided Refinement Idea : Counterexample-Guided Refinement Solution Use spurious counterexamples to refine abstraction! Solution Use spurious counterexamples to refine abstraction!. Add predicates to distinguish states across cut. Build refined abstraction Imprecision due to merge 7 8 8
Iterative Abstraction-Refinement Problem: Abstraction is Expensive Why? Solution Use spurious counterexamples to refine abstraction! [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut. Build refined abstraction eliminates counterexample. Repeat search until real counterexample or system proved safe 9 Problem #abstract states = #predicates Exponential Thm. Prover queries Reachable Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 00, #Reach ~ 000 s 0 Solution: Only Abstract Reachable States Solution: Don t Refine Error-Free Regions Safe Error Free Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Build abstraction during search Problem #abstract states = #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions Key Idea for Solutions? 9
Key Idea: Key Idea: Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Initial 6 Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 7 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free 6 Key Idea: Build-and-Search Initial Unroll Abstraction. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off 6 7 8 - Learn new predicates 8 - Rebuild subtree with new preds. Find min infeasible suffix un :while(new!= old); :un Error Free SAFE S: Only Abstract Reachable States S: Don t refine error-free regions 7 Predicates: 8 Build-and-Search Build-and-Search un :while(new!= old); :un () old = new q=q->next un :while(new!= old); :un [q!=null] Predicates: 9 Predicates: 60 0
Build-and-Search Build-and-Search un :while(new!= old); :un q->data = new un() new++ un :while(new!= old); :un [new==old] Predicates: 6 Predicates: 6 Build-and-Search Analyze Counterexample un :while(new!= old); :un un :while(new!= old); :un () old = new q=q->next [q!=null] q->data = new un() new++ [new==old] un() un() Predicates: 6 Predicates: 6 Analyze Counterexample Repeat Build-and-Search un :while(new!= old); :un old = new new++ un :while(new!= old); :un Predicates: [new==old] Inconsistent new == old 6 66
Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old () old = new q=q->next un :while(new!= old); :un, new==old, new==old, new = old q->data = new un() new++ 67 68 Repeat Build-and-Search Repeat Build-and-Search un :while(new!= old); :un, new==old, new==old un :while(new!= old); :un, new==old, new==old, new = old, new = old [new==old] [new!=old], new == old 69 70 Repeat Build-and-Search Key Idea: un :while(new!= old); :un, new==old, new==old, new = old, new == old, new==old, new=old SAFE 7. Pick tree-node (=abs. state). Add children (=abs. successors). On re-visiting abs. state, cut-off 6 7 8 - Learn new predicates 8 - Rebuild subtree with new preds. Error Free SAFE Initial Unroll Abstraction Find min infeasible suffix S: Only Abstract Reachable States S: Don t refine error-free regions 7
Two Handwaves Two Handwaves un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old Q. How to find predicates?, new == old Refinement Predicates:, new==old old, new==old 7 un to compute, new==old successors? Q. How :while(new!= old); :un, new==old SAFE q->data = new un(), new = old new++, new=old, new == old, new==old 7 Weakest Preconditions Weakest Preconditions WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] WP(P,OP) Weakest formula P s.t. if P is true before OP then P is true after OP OP [WP(P, OP)] [P] Assign x=e P[e/x] P new+ = old new = old new=new+ 7 76 How to compute successor? How to compute successor? un :while(new!= old); :un, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p true after OP? - If WP(p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP(p, OP) un :while(new!= old); :un, new==old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) 77 78
How to compute successor? Advanced SLAM/BLAST un :while(new!= old); :un Predicate: new == old True? False?, new==old, new == old For each p F OP? Check if p is true (or false) after OP Q: When is p false after OP? - If WP( p, OP) is true before OP! - We know F is true before OP - Thm. Pvr. Query: F WP( p, OP) (, new==old) (new + = old) NO (, new==old) (new + old) YES 79 Too Many Predicates - Use Predicates Locally Counter-Examples - Craig Interpolants Procedures - Summaries Concurrency - Thread-Context Reasoning 80 SLAM Summary Bonus: SLAM/BLAST Weakness ) Instrument Program With Safety Policy ) Predicates = { ) Abstract Program With Predicates Use Weakest Preconditions and Theorem Prover Calls ) Model-Check Resulting Boolean Program Use Symbolic Model Checking ) Error State Not Reachable? Original Program Has No Errors: Done! 6) Check Counterexample Feasibility Use Symbolic Execution 7) Counterexample Is Feasible? Real Bug: Done! 8) Counterexample Is Not Feasible? ) Find New Predicates (Refine Abstraction) ) Goto Line 8 : F() { : int x=0; : : x++; : while (x 88); 6: if (x < 77) 7: 8: Preds = {, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0, x+=88 Path = 67 [x=0, x+ 88, x+<77] Preds = {x=0,x+=88,x+=88 Path = 67 Result: the predicates count the loop iterations 8