Model Checking Software with Boolean Programs - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Model Checking Software with Boolean Programs
Thomas Ball, Sriram K. Rajamani,
Rupak Majumdar, Todd Millstein
http://research.microsoft.com/slam/
2
Hardware Verification
Temporal Safety Properties
Toolset (Model checker)
System Components
3
SLAM: Linking Designs to Implementations
Temporal Safety Properties
Toolset
System Components
4
Outline
  • What is the model schema?
    • Boolean programs
  • How do we model-check the model?
    • Bebop
  • How do we discover the model?
    • Iterative refinement
  • Future Directions

5
Boolean Programs
  • Model for representing abstractions of imperative
    programs in C, C#, Java, etc.
  • Features
    • Boolean variables
    • Control-flow sequencing, conditionals, looping,
      GOTOs
    • Procedures
    • Call-by-value parameter passing
    • Recursion
    • Control non-determinism

6
Model schema: Boolean programs
  bool x,y;
  1: while (true) {
  2:   if (x == y)
  3:     y = !x;
       else {
  4:     x = !x;
  5:     y = !y;
       }
  6:   if (?) break;
     }
  7: if (x == y)
  8:   assert(false);
  • Intent: Each boolean variable represents a
    predicate, e.g.
    • (i < j)
    • (p == &i)
    • ((int) p == j)
    • (p ? T), where T is a shape type that
      describes acyclic linked lists
  • Cousot-Cousot, Graf-Saidi

7
Reachability
  bool x,y;
  1: while (true) {
  2:   if (x == y)
  3:     y = !x;
       else {
  4:     x = !x;
  5:     y = !y;
       }
  6:   if (?) break;
     }
  7: if (x == y)
  8:   assert(false);
State = (label, valuation to variables). Finite
number of states! Can compute reachable states
using model checking.
8
Inter-procedural case
  • Explicit stack representation is bad
  • Implicitly represent stack instead
  • Similar to
    • model checking push-down automata
    • interprocedural dataflow analysis
  • Hopcroft-Ullman, Sharir-Pnueli, Steffen,
    Knoop-Steffen, Reps-Horwitz-Sagiv,
    Bouajjani-Esparza-Maler,
    Esparza-Hansel-Rossmanith-Schwoon

9
Results (1)
  • Reachability in boolean programs can be reduced
    to context-free language reachability
  • Symbolic version of Reps-Horwitz-Sagiv (POPL '95)
    interprocedural dataflow analysis
  • Complexity of algorithm is O(|E| · 2^n)
    • |E| = size of interprocedural control flow graph
    • n = max. number of variables in the scope of
      any label

10
Results (2)
  • Program = variables + control flow
  • Exploit locality of variable scoping
  • Use standard compiler optimizations
  • Bebop uses hybrid representation
    • Explicit representation of control flow
    • Implicit representation of reachable states via
      BDDs
  • Hierarchical trace generation

11
  do {
    // get the write lock
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
      devExt->WriteListHeadVa = request->Next;
      KeReleaseSpinLock(&devExt->writeListLock);
      irp = request->irp;
      if (request->status > 0) {
        irp->IoStatus.Status = STATUS_SUCCESS;
        irp->IoStatus.Information = request->Status;
      } else {
        irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
        irp->IoStatus.Information = request->Status;
      }
      SmartDevFreeBlock(request);
      IoCompleteRequest(irp, IO_NO_INCREMENT);
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock(&devExt->writeListLock);

12

Question: Is locking protocol respected?
Dynamic Analysis: Don't know
Traditional Static Analysis: Don't know
13
  do {
    // get the write lock
    KeAcquireSpinLock(&devExt->writeListLock);      FSM(Acquire)
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
      devExt->WriteListHeadVa = request->Next;
      KeReleaseSpinLock(&devExt->writeListLock);    FSM(Release)
      irp = request->irp;
      if (request->status > 0) {
        irp->IoStatus.Status = STATUS_SUCCESS;
        irp->IoStatus.Information = request->Status;
      } else {
        irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
        irp->IoStatus.Information = request->Status;
      }
      SmartDevFreeBlock(request);
      IoCompleteRequest(irp, IO_NO_INCREMENT);
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock(&devExt->writeListLock);        FSM(Release)

Control skeleton with the FSM calls:
  do {
    FSM(Acquire);
    if (*) {
      FSM(Release);
      if (*) { } else { }
    }
  } while (*);
  FSM(Release);

16
Boolean program with the predicate b:
  /* b = (nPacketsOld == nPackets) */
  do {
    FSM(Acquire);
    b = 1;
    if (*) {
      FSM(Release);
      if (*) { } else { }
      b = b ? 0 : *;
    }
  } while (!b);
  FSM(Release);

Driver code:
  do {
    // get the write lock
    KeAcquireSpinLock(&devExt->writeListLock);      FSM(Acquire)
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
      devExt->WriteListHeadVa = request->Next;
      KeReleaseSpinLock(&devExt->writeListLock);    FSM(Release)
      irp = request->irp;
      if (request->status > 0) {
        irp->IoStatus.Status = STATUS_SUCCESS;
        irp->IoStatus.Information = request->Status;
      } else {
        irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
        irp->IoStatus.Information = request->Status;
      }
      SmartDevFreeBlock(request);
      IoCompleteRequest(irp, IO_NO_INCREMENT);
      nPackets++;
    }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock(&devExt->writeListLock);        FSM(Release)
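As an added example (not code from the slides or from the SLAM tools), the following explicit-state search does by hand what Bebop does symbolically: it enumerates (label, valuation) states for the boolean program of slide 6 and for the two abstractions of the driver loop, the predicate-free control skeleton of slide 13 and the slide-16 version with b = (nPacketsOld == nPackets). The two-state locking monitor (Acquire must see the lock free, Release must see it held), the integer program counters and the state encodings are my assumptions, not the slides' own.

```python
UNLOCKED, LOCKED, ERROR = 0, 1, 2   # assumed states of the locking-protocol FSM

def fsm(lock, event):
    """Acquire needs UNLOCKED, Release needs LOCKED; ERROR is absorbing."""
    if event == "Acquire":
        return LOCKED if lock == UNLOCKED else ERROR
    return UNLOCKED if lock == LOCKED else ERROR

def succ_driver(state, refined):
    """Successors in the abstract driver loop; state = (pc, b, lock). refined=False is
    the predicate-free skeleton (while (*)); refined=True tracks b = (nPacketsOld == nPackets)."""
    pc, b, lock = state
    if pc == 0: return [(1, 1, fsm(lock, "Acquire"))]           # FSM(Acquire); b = 1;
    if pc == 1: return [(2, b, lock), (4, b, lock)]             # if (*) { ... }
    if pc == 2: return [(3, b, fsm(lock, "Release"))]           # FSM(Release); if (*) {} else {}
    if pc == 3: return [(4, 0, lock)] if b else [(4, 0, lock), (4, 1, lock)]  # b = b ? 0 : *;
    if pc == 4:                                                 # while (!b)  /  while (*)
        if refined: return [(0, b, lock)] if not b else [(5, b, lock)]
        return [(0, b, lock), (5, b, lock)]
    if pc == 5: return [(6, b, fsm(lock, "Release"))]           # FSM(Release) after the loop
    return []                                                   # pc 6: exit

def succ_xy(state):
    """Boolean program of slide 6; state = (label, x, y); label 9 = program end."""
    pc, x, y = state
    if pc == 1: return [(2, x, y)]                              # while (true)
    if pc == 2: return [(3, x, y)] if x == y else [(4, x, y)]   # if (x == y)
    if pc == 3: return [(6, x, not x)]                          # y = !x
    if pc == 4: return [(5, not x, y)]                          # x = !x
    if pc == 5: return [(6, x, not y)]                          # y = !y
    if pc == 6: return [(1, x, y), (7, x, y)]                   # if (?) break;
    if pc == 7: return [(8, x, y)] if x == y else [(9, x, y)]   # if (x == y)
    return []                                                   # 8: assert(false), 9: end

def reachable(inits, succ):
    """Explicit-state depth-first search; Bebop does the same symbolically with BDDs."""
    seen, work = set(inits), list(inits)
    while work:
        for s in succ(work.pop()):
            if s not in seen:
                seen.add(s); work.append(s)
    return seen

def lock_violation_reachable(refined):
    states = reachable([(0, 0, UNLOCKED)], lambda s: succ_driver(s, refined))
    return any(lock == ERROR for _, _, lock in states)    # False only for the refined B

def assert_false_reachable():
    inits = [(1, x, y) for x in (False, True) for y in (False, True)]
    return any(pc == 8 for pc, _, _ in reachable(inits, succ_xy))   # label 8 is unreachable
```

The unrefined skeleton reports a protocol violation (the loop can re-enter and acquire twice, or exit unlocked and release), which is the spurious counterexample that the predicate b eliminates.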
17
Diagram: program P; query "Is L reachable in P?"; components: Model checker, Abstractor, Path Simulator.
18
Discover and Refine Abstractions on Demand
  • Given a reachability query in program P
  • Check reachability on the boolean program
    abstraction B of P with bebop
  • Use path simulation (simcl) on P to discover
    spurious counterexamples (in B)
  • Use C predicate abstractor (c2bp) to refine B

19
Summary: Technical
  • Boolean Programs
    • a model for representing program abstractions
  • Bebop
    • reachability analysis for boolean programs
    • or, a path-sensitive dataflow engine
  • Iterative refinement of Boolean programs
    • use of path simulation (simcl) and automated
      predicate abstraction (c2bp)
    • generate abstract explanations of path
      infeasibility

20
Making Analysis Influential
  • Show the analysis addresses a significant problem
    • Check correctness of Device Driver Code
  • Convince us it really works
    • Demonstrate on real code bases
    • http://www.microsoft.com/ddk

21
Future Directions: Short Term
  • Summer
    • Model check a safety property of an NT driver
  • Autumn
    • Specification language
    • Generate source-level instrumentation directly
      from specification
  • Winter
    • Model check many drivers automatically, driven by
      a single specification

22
Long Term
  • Tackle new domains
    • Network protocols
    • Protocols for fault-tolerant computing
    • ComApps components
  • Extensions to framework
    • Concurrency (Ball-Chaki-Rajamani)
    • Heap data structures

23
The Device Driver Challenge
  • Device Driver Code
    • http://www.microsoft.com/ddk/
  • Device Drivers, Deconstructed
    • Description of interfaces/abstractions
    • Catalog of temporal properties
    • Ball, DeLine, Rajamani
    • Coming January 2001

24
Open Problems
  • Specification language and automatic annotation
    of source programs
    • Engler '00
  • Generation of abstract predicates by widening

25
Conclusions
  • Bring reliability guarantees of hardware to
    system software
  • Encourage use of specification by linking specs
    to code via analysis
  • Build tools to enable design for reliability and
    testing

26
  • Software Productivity Tools
  • Microsoft Research
  • http://research.microsoft.com/slam/

27
Open Questions
  • Which analyses are right for which problems?
  • How to get difficult analyses to scale well?
  • Are there soundness/completeness tradeoffs?
  • How can static analysis / common design patterns
    help guide state space search?

28
Open Questions (2)
  • Are there opportunities to combine analyses?
  • Can we use a cheap flow-insensitive algorithm to
    focus a more expensive algorithm on juicy places?
  • Can we use expensive local path-sensitive
    algorithms to improve global flow-insensitive
    algorithms?