Title: Temporal-Safety Proofs for Systems Code
1 Temporal-Safety Proofs for Systems Code
- Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar
- George Necula, Westley Weimer, Grégoire Sutre
- UC Berkeley
2 Reliability / Trust
- Reliability (verification)
- Check that the system is bug free
- Low-level systems code
- Locking disciplines, interface specs, ...
- Temporal, path-sensitive properties
- Model checking
- Trust (certification)
- Questionable code written by third parties
- device drivers, mobile code
- Model checkers are buggy (!)
- Simply, efficiently checkable
- avoid redoing verification
3 Our Work
- Verification: making model checking scale
- Lazy Abstraction (POPL 02)
- Certification
- Proof-carrying-code-based mechanism
- PCC requires annotations
- Lazy Abstraction
- Automatically generates annotations
- Provides a small decomposition of the proof
- BLAST
- Verifying/certifying device drivers
4 Verification
5 Verification: Abstraction-Refinement
(Figure: the abstraction-refinement loop. Abstract the program; Check whether the abstract model is unsafe; if the abstract counterexample is Infeasible, ask why and Refine the abstraction; repeat.)
Kurshan et al., Clarke et al., SLAM, ...
6 Model Checking: Abstraction
- Partition the state space
- Existentially lift transition relation
7 Model Checking: Abstraction
- Problem: Abstraction too coarse
- Solution: Refine abstraction
(Figure: state space partitioned into abstract regions, with Init and the ERROR STATES marked; the coarse partition connects them.)
9 Abstract Only Where Required
- Abstraction is very expensive
- Why abstract regions that are never visited?
- On-the-fly abstraction driven by the search
(Figure: only the regions the search visits from Init are abstracted; ERROR STATES marked.)
10 Refine Only Where Required
- Why be precise everywhere?
- Don't refine error-free regions
(Figure: Init, ERROR STATES, and an ERROR FREE region that is left coarse.)
11 Refine Only Where Required
- Why be precise everywhere?
- Don't refine error-free regions
- Different precision for different regions
- Local refinement driven by the search
(Figure: Init, ERROR STATES, and an ERROR FREE region; only the region on the path to the error states is refined.)
12 Benefits of Lazy Abstraction
- Abstract only where required
- Reachable state space may be very sparse
- Construct the abstraction on-the-fly
- Use greater precision only where required
- Different precisions/abstractions for different regions
- Refine locally
- Reuse work from earlier phases
- Batch-oriented ⇒ lose work from previous runs
- Integrate the three phases
13 Example
The numbers are the control locations referred to on the following slides; * is a nondeterministic choice.

Example () {
 1: do {
      lock();
      old = new;
 2:   if (*) {
 3:     unlock();
        new++;
      }
 4: } while (new != old);
 5: unlock();
    return;
}

Q: Is Error reachable?
14 Example: CFA
(Figure: the control-flow automaton of Example() with locations 1-5; edges lock(); old = new (1→2), the two if branches (2→3, 2→4), unlock(); new++ (3→4), [new != old] (4→1), [new == old] (4→5), and unlock(); return (5).)
15 Example: CFA
(Figure: the same CFA.)
Q: Is Error reachable?
16 Step 1: Search
(Figure: reachability tree rooted at location 1 with region LOCK=0, following lock(); old = new and unlock() down to Err.)
Set of predicates: LOCK=0, LOCK=1
17 Step 2: Analyze Counterexample
Q: When can ...?
(Figure: the abstract error path from location 1 to Err; R_n denotes the set of states at node n; Err is entered from a region with LOCK=0.)
18 Step 2: Analyze Counterexample
(Figure: the path 1 → 2 → 3 → 4 → 5 → Err, annotated backwards with the weakest precondition of reaching Err: LOCK=0 ∧ new = old before [new = old], LOCK=0 before the final unlock().)
19 Step 2: Analyze Counterexample
Weakest preconditions of reaching Err, computed backwards along the path:
at 1: LOCK=0 ∧ new+1 = new (unsatisfiable, so the path is infeasible)
at 2: LOCK=1 ∧ new+1 = old
at 3: LOCK=1 ∧ new+1 = old
at 4: LOCK=0 ∧ new = old
at 5: LOCK=0
Track the predicate new = old
20 Step 3: Resume Search
(Figure: the search resumes with the refined abstraction; edges lock(); old = new, [new = old], [new != old].)
Set of predicates: LOCK=0, LOCK=1, new = old
21 Step 3: Resume Search
Set of predicates: LOCK=0, LOCK=1, new = old
(Figure: the completed reachability tree, with the region LOCK=0 ∧ new = old shown; Err is not reached.)
22 Predicate Discovery
- Information lost in substitution
- Keep substitutions explicit
- Ask for a proof of unsatisfiability
- Pick predicates appearing in the proof
23 Local Refinement
The example extended with a second, independent loop (locations 0, 6-11) in front of the original one:

Example () {
 0: if (*) {
 6:   do {
        got_lock = 0;
 7:     if (*) {
 8:       lock();
          got_lock++;
        }
 9:     if (got_lock) {
10:       unlock();
        }
11:   } while (*);
    }
 1: do {
      lock();
      old = new;
 2:   if (*) {
 3:     unlock();
        new++;
      }
 4: } while (new != old);
 5: unlock();
    return;
}

(Figure: the CFA of the extended example; location 0 branches into the got_lock loop on the left and the original loop on the right.)
24 Local Refinement
Search on left subtree not repeated
Different abstractions for subtrees
Refine right subtree only
25 Leaves Covered (Reuse work)
- Leaves covered: avoid repeating search when paths merge
(Figure: a leaf whose region LOCK=0 ∧ ... is contained in the region of a node already searched is marked COVERED.)
26 Certification
27 What is a Certificate?
- Proof Carrying Code (PCC)
- Annotations
- Loop invariants, function preconditions/postconditions
- Validity of VC guarantees correctness
- Certificate = Annotations + Proof of VC
- Consumer reconstructs VC, checks proof
28 Annotations / VCs
- Annotations
- For each control location q, an invariant I(q)
- Verification condition
- Init ⊆ I(q0): start set includes initial states
- Error location is not reached
- For each edge q →op q': POST(I(q), op) ⊆ I(q'): states closed under post
29 Invariants grow on Trees
(Figure: the reachability tree; the invariant at a location is the disjunction of the regions of the tree nodes at that location.)
Invariants:
I(1) = LOCK=0 ∨ (LOCK=0 ∧ new ≠ old)
I(4) = (LOCK=0 ∧ new ≠ old) ∨ (LOCK=1 ∧ new = old)
I(5) = LOCK=1 ∧ new = old
30 Proving the VC
- Each condition dischargeable automatically (Vampyre, CVC)
- Tree yields a small decomposition
- Entire proof can be extracted from the model checker's data structures
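The following is an added worked example (not code from the deck or from BLAST) that runs the search / analyze / refine loop of slides 16-22 on Example() and then performs the consumer-side check of slide 28 on the invariants the reachability tree yields (slide 29). Everything below is assumed rather than taken from the page: a concrete state is the pair (LOCK, new - old), which is all the example's predicates and statements observe; the theorem prover is replaced by enumeration of a bounded universe of such states; predicate discovery takes the predicate tested by the first counterexample edge that no concrete state can pass, instead of reading predicates off a proof of unsatisfiability; and the new predicate is added globally rather than to one subtree. The depth-first search may pick a different abstract error path than the one drawn on slide 16, but the predicate it needs is the same, new = old.

```python
"""Lazy-abstraction-style CEGAR and certificate check on the deck's locking example.
Added example, not BLAST's code.  Assumptions: a concrete state is (LOCK, d) with
d = new - old, which is all the example's predicates and operations observe; a bounded
enumeration of such states replaces the theorem prover (exact here, since d is reset to
0 before every increment); discovery takes the predicate tested by the first
counterexample edge no concrete state can pass, in place of proof-based discovery."""

BOUND = 3
UNIVERSE = [(lk, d) for lk in (0, 1) for d in range(-BOUND, BOUND + 1)]
INIT = {s for s in UNIVERSE if s[0] == 0}      # LOCK=0, new and old arbitrary

PREDICATES = {                                  # pool the refinement may draw from
    "LOCK=0": lambda s: s[0] == 0,
    "LOCK=1": lambda s: s[0] == 1,
    "new=old": lambda s: s[1] == 0,
}

# CFA of Example(): (source, label, transformer, target, predicate tested).  The lock
# monitor is inlined: lock() with LOCK=1 and unlock() with LOCK=0 lead to Err.  A
# transformer returns None when its guard fails.
EDGES = [
    (1, "lock() with LOCK=1", lambda s: s if s[0] == 1 else None, "Err", "LOCK=1"),
    (1, "lock(); old = new", lambda s: (1, 0) if s[0] == 0 else None, 2, "LOCK=0"),
    (2, "unlock() with LOCK=0", lambda s: s if s[0] == 0 else None, "Err", "LOCK=0"),
    (2, "unlock(); new++", lambda s: (0, s[1] + 1) if s[0] == 1 else None, 4, "LOCK=1"),
    (2, "skip", lambda s: s, 4, None),
    (4, "[new != old]", lambda s: s if s[1] != 0 else None, 1, "new=old"),
    (4, "[new == old]", lambda s: s if s[1] == 0 else None, 5, "new=old"),
    (5, "unlock() with LOCK=0", lambda s: s if s[0] == 0 else None, "Err", "LOCK=0"),
    (5, "unlock(); return", lambda s: (0, s[1]) if s[0] == 1 else None, "Ret", "LOCK=1"),
]

def cube(s, preds):
    """Abstract state: truth values of the tracked predicates on concrete state s."""
    return tuple(PREDICATES[p](s) for p in preds)

def concretize(c, preds):
    return {s for s in UNIVERSE if cube(s, preds) == c}

def post(states, op):
    """Concrete post; successors outside the bounded universe are dropped."""
    return {t for t in map(op, states) if t is not None and -BOUND <= t[1] <= BOUND}

def abstract_search(preds):
    """Depth-first reachability tree over (location, cube), abstracting on the fly.
    Returns (error_path, None) if Err is abstractly reachable, else (None, invariants)."""
    stack = [(1, cube(s, preds), []) for s in INIT]
    seen = set()                   # covered leaves: merged paths are not searched again
    while stack:
        loc, c, path = stack.pop()
        if loc == "Err":
            return path, None
        if (loc, c) in seen:
            continue
        seen.add((loc, c))
        for edge in EDGES:
            src, _, op, dst, _ = edge
            if src == loc:         # existential lift: any state of the cube may step
                for c2 in {cube(t, preds) for t in post(concretize(c, preds), op)}:
                    stack.append((dst, c2, path + [edge]))
    inv = {}
    for loc, c in seen:
        inv.setdefault(loc, set()).add(c)
    return None, inv

def analyze(path):
    """Replay the abstract counterexample concretely.  Returns None if it is feasible
    (a real bug), else the predicate tested by the first edge no state can take."""
    states = set(INIT)
    for _, _, op, _, tested in path:
        states = post(states, op)
        if not states:
            return tested
    return None

def lazy_abstraction(preds):
    """Search, analyze, refine, resume until Err is proved unreachable or a real path is found."""
    preds = list(preds)
    while True:
        path, inv = abstract_search(preds)
        if path is None:
            return "safe", preds, inv
        needed = analyze(path)
        if needed is None:
            return "unsafe", preds, path
        preds.append(needed)       # refine with the predicate the spurious path needed

def check_certificate(preds, inv):
    """What a PCC consumer does with the annotations alone: Init lies in I(1), nothing
    is claimed at Err, and every edge's post stays inside the target's invariant."""
    region = {q: set().union(*(concretize(c, preds) for c in cs)) for q, cs in inv.items()}
    if "Err" in region or not INIT <= region.get(1, set()):
        return False
    return all(post(region[src], op) <= region.get(dst, set())
               for src, _, op, dst, _ in EDGES if src in region)

if __name__ == "__main__":
    verdict, preds, inv = lazy_abstraction(["LOCK=0", "LOCK=1"])
    print(verdict, preds, {q: sorted(cs) for q, cs in inv.items()}, check_certificate(preds, inv))
```

Run as a script it reports "safe" with the predicates LOCK=0, LOCK=1, new=old, and the cubes it prints for locations 4 and 5 read exactly as the invariants on slide 29: (LOCK=0 ∧ ¬new=old) ∨ (LOCK=1 ∧ new=old) at 4 and LOCK=1 ∧ new=old at 5. The point of check_certificate is the trust argument of slide 2: it never re-runs the search, only checks that the annotations are inductive, and it rejects a tampered set (for instance one where the invariant at location 2 has been emptied) because the post of I(1) no longer fits inside it.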
31 BLAST
- Berkeley Lazy Abstraction Software verification Tool
- 10K lines of OCaml
- Analyze Linux/Windows device drivers
(Figure: tool architecture with the LAZY ABSTRACTION engine at its core.)
32 BLAST
- All of C modeled except
- Function pointers
- Recursive functions
- Logical model of memory
- Pointer arithmetic imprecise
- Fragile on heap-dependent properties
- Safety checking
- Checks if a given label is reachable in the C program
- Monitor automata specified in C
33 Experiments
Program              Lines   Preds         Pred. Disc.   Total       Proof Size
                             Total/Active  Time (sec)    Time (sec)  (bytes)
Linux (lock spec, 3-state monitor)
ide.c                18131     5 /  5        0.01          4.5          253
qpmouse.c            23539     2 /  2        0.01          0.5          179
aha152x.c            17736     2 /  2        0.03         20.93           -
tlan.c               16506     5 /  4      403.33        428.63           -
Windows DDK (IRP spec, 22-state monitor)
cdaudio.c            17798    85 / 45      540          1398         156787
floppy.c             17386    62 / 37     1565          2086              -
floppy.c (fixed)         -    93 / 44       17           395          60129
kbflter.c            12131    54 / 40        5            64              -
kbflter.c (fixed)        -    48 / 35      165           256              -
mouclass.c           17372    57 / 46        3.34         54              -
mouclass.c (fixed)       -    37 / 34        0.38         10           7619
parport.c            61781   193 / 50      519          1980         102967
(-: not given on the slide; "fixed" rows are the same driver after the reported bug was fixed)
34 Conclusions
- Lazy Abstraction
- Reachability tree yields certificate
- Implemented BLAST
- Finds (only) real bugs in large device drivers
- and gives proofs for correct ones!
- Future work
- Smarter abstractions
- Program analysis for model reduction
- Recursive functions
35 BLAST
Berkeley Lazy Abstraction Software Tool
www.eecs.berkeley.edu/tah/blast/