Automatically Validating Temporal Safety Properties of Interfaces - PowerPoint PPT Presentation

Slides: 30
Provided by: Juli348
Learn more at: http://www.cs.umd.edu

Transcript and Presenter's Notes

1
Automatically Validating Temporal Safety
Properties of Interfaces
  • Thomas Ball and Sriram K. Rajamani
  • Software Productivity Tools, Microsoft Research

Presented for CMSC631 by Iulian Neamtiu
2
SLAM Project, Microsoft Research
http://research.microsoft.com/slam/
  • Goal: validate temporal safety properties using
    model checking

3
(No Transcript)
4
Motivation
  • Large-scale software: many components, many
    programmers
  • Integration testing
    • impossible
    • ineffective at best
  • Fuzzy requirements -> inconsistent implementation
  • Consistent requirements -> inconsistent
    implementation (Jim Larus)

5
SLAM Approach
  • Modules interact properly if each program observes
    the temporal safety properties of the interfaces
    it uses
  • Temporal safety properties: properties whose
    violation is witnessed by a finite execution
    trace, i.e. a path to an ERROR state
  • State temporal safety properties formally
  • Automatic verification
  • Interface compliance checked statically (catch
    bugs early)

6
SLAM Process (diagram)
  • Inputs: program P and a SLIC rule (SLIC is the
    language for specifying safety properties)
  • slic instruments P with the rule, giving P'
  • C2BP generates an abstract boolean program from
    the C code, using the current set of predicates
  • BEBOP (model checker) searches the boolean program
    for a path to ERROR
  • NEWTON (predicate discoverer) checks the path and
    feeds new predicates back to C2BP
7
SLAM - formally
  1. P a C program, E_i = {e1, e2, ..., en} a set of
     predicates; apply C2BP to create the boolean
     program BP(P, E_i)
  2. Apply BEBOP to check whether there exists a path
     p_i in BP(P, E_i) that reaches the ERROR state
     • if p_i is not found, terminate with SUCCESS
     • if p_i is found, go to 3
  3. Use NEWTON to check whether p_i is feasible
     • if p_i is feasible, terminate with FAILURE
     • if p_i is not feasible, find a set F_i of
       predicates that explains the infeasibility
  4. E_{i+1} = E_i ∪ F_i, i = i+1, go to 1


8
Example device driver
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Prove safety: something bad does not happen (the
lock is never acquired twice or released twice in a
row)
9
Step 0: Property Specification
    typedef {Locked, Unlocked} STATETYPE;
    typedef {Acq, Rel} MTYPE;
    STATETYPE state = Unlocked;

    FSM(m: MTYPE) {
      if ((state == Unlocked) && (m == Acq)) {
        A: state = Locked;
      } else if ((state == Locked) && (m == Rel)) {
        B: state = Unlocked;
      } else ERROR;
    }
  • SLIC Specification: an FSM with
    • global state
    • state transitions triggered by events (here the
      lock calls)


10
Step 1 - Instrumentation
Program P with a call to the SLIC FSM inserted after
each interface call (Instrumented Program P'):
    do {
      KeAcquireSpinLock();
      C: FSM(Acq);
      nPacketsOld = nPackets;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        D: FSM(Rel);
        nPackets++;
      }
      E: ;
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
    F: FSM(Rel);

SLIC Specification: the FSM from Step 0, unchanged
(the slide shows it alongside P').
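To make the Step 0 specification and the Step 1 instrumentation concrete, here is an executable form of the lock FSM used as a runtime monitor over the instrumented loop. This is an added example, not SLAM code and not from the slides: the KeAcquireSpinLock/KeReleaseSpinLock calls are replaced by the monitor calls they are instrumented with (assumption), the request list is constructed inline, and `buggy_driver` is a constructed variant that drops the loop so the lock is released twice. A run of the monitor witnesses a violation by a finite trace, which is exactly the class of property SLAM targets, but it only covers the inputs you run; Steps 2-5 check all paths statically.

```python
"""Executable form of the SLIC lock FSM (Step 0) used as a runtime monitor
over the instrumented driver loop (Step 1).  Added example, not SLAM code.
Assumptions: KeAcquireSpinLock/KeReleaseSpinLock are replaced by the monitor
calls they are instrumented with; the request list is built inline;
buggy_driver is a constructed variant that releases twice."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class SlicError(Exception):
    """Raised where the FSM would enter ERROR."""


@dataclass
class LockFSM:
    state: str = "Unlocked"                          # STATETYPE state = Unlocked;
    trace: List[str] = field(default_factory=list)   # transition labels taken

    def fsm(self, m: str) -> None:
        """FSM(m: MTYPE): the two legal transitions; anything else is ERROR."""
        if self.state == "Unlocked" and m == "Acq":
            self.trace.append("A")                   # A: state = Locked;
            self.state = "Locked"
        elif self.state == "Locked" and m == "Rel":
            self.trace.append("B")                   # B: state = Unlocked;
            self.state = "Unlocked"
        else:
            raise SlicError(f"{m} in state {self.state}")


@dataclass
class Request:
    next: Optional["Request"] = None


def make_requests(n: int) -> Optional[Request]:
    """Constructed input: a singly linked list of n requests (None if n == 0)."""
    head: Optional[Request] = None
    for _ in range(n):
        head = Request(next=head)
    return head


def driver(request: Optional[Request], fsm: LockFSM) -> int:
    """The instrumented loop of Step 1, labels C/D/E/F as comments.
    Returns the number of packets processed."""
    nPackets = 0
    while True:
        fsm.fsm("Acq")                               # KeAcquireSpinLock(); C: FSM(Acq)
        nPacketsOld = nPackets
        if request is not None:
            request = request.next                   # request = request->Next
            fsm.fsm("Rel")                           # KeReleaseSpinLock(); D: FSM(Rel)
            nPackets += 1                            # nPackets++
        # E:
        if nPackets == nPacketsOld:                  # while (nPackets != nPacketsOld)
            break
    fsm.fsm("Rel")                                   # KeReleaseSpinLock(); F: FSM(Rel)
    return nPackets


def buggy_driver(request: Optional[Request], fsm: LockFSM) -> int:
    """Constructed bug: the loop is gone, so after the release at D the lock
    is released again at F without an acquire in between."""
    nPackets = 0
    fsm.fsm("Acq")                                   # C
    if request is not None:
        request = request.next
        fsm.fsm("Rel")                               # D
        nPackets += 1
    fsm.fsm("Rel")                                   # F: Rel while Unlocked -> ERROR
    return nPackets


def run(fn: Callable[[Optional[Request], LockFSM], int],
        n_requests: int) -> Tuple[bool, str, List[str]]:
    """Run fn under the monitor; return (violated, final FSM state, trace)."""
    fsm = LockFSM()
    try:
        fn(make_requests(n_requests), fsm)
    except SlicError:
        return True, "ERROR", fsm.trace
    return False, fsm.state, fsm.trace


if __name__ == "__main__":
    print(run(driver, 3))        # (False, 'Unlocked', ['A', 'B', 'A', 'B', 'A', 'B', 'A', 'B'])
    print(run(buggy_driver, 1))  # (True, 'ERROR', ['A', 'B'])
```

The monitor's trace is the list of FSM labels taken, which is the same shape as the counterexample paths the later slides print (C, A, E, C, ...).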
11
Outline
  • Step 0 - Specification (manual)
  • Step 1 - Instrumentation (automated)
  • Step 2 - Abstraction (automated)
  • Step 3 - Model Checking (automated)
  • Step 4 - Theorem Proving (automated)
  • Step 5 - Predicate discovery (automated)

12
Abstraction
  • Abstract interpretation
  • In:
    • C program P
    • set of predicates E = {e1, e2, ..., en}
  • Out:
    • abstract boolean program BP(P,E) with n boolean
      variables V = {b1, b2, ..., bn}
  • Boolean program (C-like):
    • all vars have type bool
    • control nondeterminism (*)
    • only call by value


13
Step 2: Abstraction (C2BP)
The SLIC FSM from Step 0 is abstracted to a boolean
program over the state predicates:
    decl stateLocked, stateUnlocked;
    void FSM(mAcq, mRel) {
      if (stateUnlocked && mAcq) {
        A: stateLocked, stateUnlocked = 1, 0;
      } else if (stateLocked && mRel) {
        B: stateLocked, stateUnlocked = 0, 1;
      } else ERROR;
    }
14
Step 2: Abstraction (C2BP)
Instrumented Program P' is abstracted, with E0
containing only the FSM state predicates, to Boolean
Program BP(P,E0). Each statement that cannot affect a
predicate becomes skip; conditions over data become
nondeterministic (*):
    do {
      skip;                 // KeAcquireSpinLock();
      C: FSM(1, 0);         // C: FSM(Acq);
      skip;                 // nPacketsOld = nPackets;
      if (*) {              // if (request)
        skip;               // request = request->Next;
        skip;               // KeReleaseSpinLock();
        D: FSM(0, 1);       // D: FSM(Rel);
        skip;               // nPackets++;
      }
      E: ;
    } while (*);            // while (nPackets != nPacketsOld);
    skip;                   // KeReleaseSpinLock();
    F: FSM(0, 1);           // F: FSM(Rel);
15
Step 3 - Model Checking (BEBOP)
Input: Boolean Program BP(P,E0) together with the
boolean FSM from Step 2.
Is there a path that leads to ERROR?
YES: C, A, E, C, ERROR
(At C, FSM(Acq) takes transition A to Locked; the
loop condition is *, so control can return from E to
C while still Locked; FSM(Acq) in state Locked
matches neither transition and falls into ERROR.)
16
Step 4: Theorem Proving (NEWTON)
Walk the abstract path C, A, E, C through the
instrumented program P' and collect the conditions
it needs:
  • at C: FSM(Acq) takes transition A
  • nPacketsOld = nPackets, so afterwards
    nPacketsOld == nPackets
  • the if-branch is skipped (the path goes from C
    straight to E)
  • returning from E to C requires the loop condition
    nPackets != nPacketsOld
Is path C, A, E, C feasible?
NO: nPacketsOld == nPackets and nPacketsOld != nPackets
cannot both hold.
17
Step 5: Predicate Discovery (NEWTON)
New predicate b = (nPackets == nPacketsOld), i.e.
E1 = E0 ∪ {b}. C2BP re-abstracts P' to Boolean
Program BP(P,E1): the two skips for
nPacketsOld = nPackets and nPackets++ become
assignments to b, and the loop condition becomes !b
(compare BP(P,E0) from Step 2):
    do {
      skip;
      C: FSM(1, 0);
      b = 1;                // nPacketsOld = nPackets;
      if (*) {
        skip;
        skip;
        D: FSM(0, 1);
        b = 0;              // nPackets++;
      }
      E: ;
    } while (!b);           // while (nPackets != nPacketsOld);
    skip;
    F: FSM(0, 1);
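Steps 4 and 5 in executable form, as an added example that is not SLAM's NEWTON: the abstract path is replayed over the concrete statements it passes through, its conditions are collected by symbolic execution, and a small decision procedure (union-find with integer offsets, which decides conjunctions of `x - y == c` and `x - y != c` exactly) reports whether they are consistent and, if not, which predicate explains the contradiction. The pre-parsed statement tuples, the `*` notation for an unknown value such as `request->Next`, and the second, feasible path around the loop are assumptions of this example; the first path is the slide's C, A, E, C.

```python
"""NEWTON-style feasibility check of an abstract counterexample (Steps 4-5).
Added example, not SLAM's NEWTON.  The path is replayed symbolically over
the concrete statements it passes; the conditions it needs are decided by
a union-find with integer offsets (conjunctions of x - y == c / x - y != c).
The statement tuples, '*' for an unknown value and the second path are
assumptions of this example."""

from typing import Dict, List, Optional, Tuple

Term = Tuple[str, int]        # (symbol, offset): the value symbol + offset
ZERO = "0"                    # distinguished symbol standing for the constant 0


class OffsetUnionFind:
    """Union-find where each node stores value(node) - value(parent)."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}
        self.diff: Dict[str, int] = {}

    def find(self, x: str) -> Tuple[str, int]:
        """Return (root, value(x) - value(root)), compressing the path."""
        if x not in self.parent:
            self.parent[x], self.diff[x] = x, 0
        if self.parent[x] == x:
            return x, 0
        root, off = self.find(self.parent[x])
        self.parent[x], self.diff[x] = root, self.diff[x] + off
        return root, self.diff[x]

    def decide_equal(self, a: Term, b: Term) -> Optional[bool]:
        """True/False if the known facts decide a == b, None if they don't."""
        ra, oa = self.find(a[0])
        rb, ob = self.find(b[0])
        if ra != rb:
            return None
        return oa + a[1] == ob + b[1]

    def assert_equal(self, a: Term, b: Term) -> bool:
        """Record a == b; return False if it contradicts the known facts."""
        known = self.decide_equal(a, b)
        if known is not None:
            return known
        ra, oa = self.find(a[0])
        rb, ob = self.find(b[0])
        self.parent[ra] = rb                      # value(ra) - value(rb) =
        self.diff[ra] = ob + b[1] - oa - a[1]     #   ob + b.off - oa - a.off
        return True


class PathChecker:
    """Symbolic execution of one path: assignments rebind variables to
    terms, assumptions become constraints on the terms at that point."""

    def __init__(self) -> None:
        self.uf = OffsetUnionFind()
        self.env: Dict[str, Term] = {}
        self.diseqs: List[Tuple[Term, Term, str]] = []
        self.fresh = 0

    def term(self, var: str) -> Term:
        return self.env.setdefault(var, (f"{var}@0", 0))   # initial value

    def eval(self, expr: str) -> Term:
        expr = expr.strip()
        if expr == "*":                           # unknown value (field read etc.)
            self.fresh += 1
            return (f"?{self.fresh}", 0)
        if expr.lstrip("-").isdigit():
            return (ZERO, int(expr))
        if "+" in expr:                           # only the form 'x + c' is needed
            base, c = expr.split("+", 1)
            sym, off = self.eval(base)
            return (sym, off + int(c))
        return self.term(expr)

    def run(self, path: List[tuple]) -> Tuple[bool, List[str]]:
        """Return (feasible, predicates that explain the infeasibility)."""
        for stmt in path:
            if stmt[0] == "assign":
                _, lhs, rhs = stmt
                self.env[lhs] = self.eval(rhs)
            else:
                _, lhs, op, rhs = stmt
                a, b = self.eval(lhs), self.eval(rhs)
                if op == "==":
                    if not self.uf.assert_equal(a, b):
                        return False, [f"{lhs} == {rhs}"]
                else:                             # "!=": checked after all equalities
                    self.diseqs.append((a, b, f"{lhs} == {rhs}"))
        for a, b, pred in self.diseqs:
            if self.uf.decide_equal(a, b):
                return False, [pred]
        return True, []


# The Step 3 counterexample C, A, E, C as the concrete statements it passes
# (if-branch skipped, loop back edge taken):
PATH_C_A_E_C = [
    ("assign", "nPacketsOld", "nPackets"),         # nPacketsOld = nPackets;
    ("assume", "request", "==", "0"),              # if (request) not taken
    ("assume", "nPackets", "!=", "nPacketsOld"),   # loop condition true at E
]

# The other way round the loop (if-branch taken), which is feasible:
PATH_C_A_D_B_E_C = [
    ("assign", "nPacketsOld", "nPackets"),
    ("assume", "request", "!=", "0"),
    ("assign", "request", "*"),                    # request = request->Next;
    ("assign", "nPackets", "nPackets + 1"),        # nPackets++;
    ("assume", "nPackets", "!=", "nPacketsOld"),
]


def check_path(path: List[tuple]) -> Tuple[bool, List[str]]:
    return PathChecker().run(path)


if __name__ == "__main__":
    print(check_path(PATH_C_A_E_C))       # (False, ['nPackets == nPacketsOld'])
    print(check_path(PATH_C_A_D_B_E_C))   # (True, [])
```

The predicate returned for the infeasible path is the one the slide adds as b; the feasible path shows why the offset bookkeeping matters: after nPackets++ the two variables differ by exactly 1, so the loop condition is consistent and the path is a genuine way round the loop.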
18
Step 3 - Model Checking (BEBOP), second iteration
Input: Boolean Program BP(P,E1) and the boolean FSM,
now with decl b; (b stands for
nPackets == nPacketsOld).
Is there a path that leads to ERROR?
NO: C sets b = 1, so the loop repeats (while (!b))
only if D has run, and D releases the lock before
b is set to 0. C is therefore never re-entered while
Locked, and F is never reached while Unlocked.
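What BEBOP decides symbolically with BDDs can be checked here by plain breadth-first search over (program point, boolean store) for the two boolean programs of Steps 2 and 5. This is an added example, not BEBOP: the programs are transcribed from the slides as edge tables (the `if (*)` point is an unlabelled control point so traces read as on the slides; the slide's `b = 0` for `nPackets++` is kept as written; the initial value of `b` is left open by starting from both values), and the function names are this example's own. It also illustrates the reachability statement on slide 21.

```python
"""Explicit-state reachability for BP(P,E0) and BP(P,E1) (Steps 2-5): what
BEBOP decides with BDDs, done by BFS over (program point, boolean store).
Added example, not BEBOP.  The programs are transcribed from the slides as
edge tables; 'if (*)' is an unlabelled point so traces read as on the
slides; the slide's b = 0 for nPackets++ is kept; both initial values of b
are explored, since nothing constrains b before C."""

from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

Store = Dict[str, bool]
Guard = Callable[[Store], bool]
Update = Callable[[Store], Store]
Edge = Tuple[Guard, Update, str, Optional[str]]   # (guard, update, target, label)

ANY: Guard = lambda s: True
SAME: Update = lambda s: s


def upd(**kw: bool) -> Update:
    """Update that sets the given boolean variables (copying the store)."""
    return lambda s: {**s, **kw}


def fsm_call(m_acq: bool, m_rel: bool, ret: str, after: Update = SAME) -> List[Edge]:
    """Inline FSM(mAcq, mRel) from Step 2 at a call site.  A legal transition
    (A or B) continues at `ret` after applying `after`, the statement that
    follows the call; any other case is the else ERROR."""
    legal: List[Edge] = []
    if m_acq:    # A: stateUnlocked && mAcq -> stateLocked, stateUnlocked = 1, 0
        legal.append((lambda s: s["stateUnlocked"],
                      lambda s: after({**s, "stateLocked": True, "stateUnlocked": False}),
                      ret, "A"))
    if m_rel:    # B: stateLocked && mRel -> stateLocked, stateUnlocked = 0, 1
        legal.append((lambda s: s["stateLocked"],
                      lambda s: after({**s, "stateLocked": False, "stateUnlocked": True}),
                      ret, "B"))
    error: Edge = (lambda s: not any(g(s) for g, _, _, _ in legal), SAME, "ERROR", None)
    return legal + [error]


NONDET_IF = [(ANY, SAME, "D", None), (ANY, SAME, "E", None)]   # if (*)


def bp_e0() -> Dict[str, List[Edge]]:
    """BP(P,E0): the loop exit is nondeterministic, while (*)."""
    return {
        "C": fsm_call(True, False, "IF"),                 # C: FSM(1,0); skip;
        "IF": NONDET_IF,
        "D": fsm_call(False, True, "E"),                  # D: FSM(0,1); skip;
        "E": [(ANY, SAME, "C", None), (ANY, SAME, "F", None)],   # while (*)
        "F": fsm_call(False, True, "END"),                # F: FSM(0,1)
        "END": [], "ERROR": [],
    }


def bp_e1() -> Dict[str, List[Edge]]:
    """BP(P,E1): b abstracts nPackets == nPacketsOld; b = 1 replaces the skip
    for the assignment, b = 0 the skip for nPackets++, and the loop is while (!b)."""
    return {
        "C": fsm_call(True, False, "IF", after=upd(b=True)),    # C: FSM(1,0); b = 1;
        "IF": NONDET_IF,
        "D": fsm_call(False, True, "E", after=upd(b=False)),    # D: FSM(0,1); b = 0;
        "E": [(lambda s: not s["b"], SAME, "C", None),          # while (!b)
              (lambda s: s["b"], SAME, "F", None)],
        "F": fsm_call(False, True, "END"),
        "END": [], "ERROR": [],
    }


def reach_error(prog: Dict[str, List[Edge]], inits: List[Store]) -> Optional[List[str]]:
    """BFS from program point C.  Returns the trace of a shortest path to ERROR
    (labelled points plus FSM transitions A/B), or None if ERROR is unreachable."""
    key = lambda pc, s: (pc, tuple(sorted(s.items())))
    queue = deque(("C", s, ["C"]) for s in inits)
    seen = {key("C", s) for s in inits}
    while queue:
        pc, store, trace = queue.popleft()
        if pc == "ERROR":
            return trace
        for guard, update, dst, label in prog[pc]:
            if not guard(store):
                continue
            nxt = update(store)
            if key(dst, nxt) in seen:
                continue
            seen.add(key(dst, nxt))
            step = ([label] if label else []) + ([] if dst == "IF" else [dst])
            queue.append((dst, nxt, trace + step))
    return None


UNLOCKED: Store = {"stateLocked": False, "stateUnlocked": True}


def check_e0() -> Optional[List[str]]:
    return reach_error(bp_e0(), [UNLOCKED])


def check_e1() -> Optional[List[str]]:
    return reach_error(bp_e1(), [{**UNLOCKED, "b": True}, {**UNLOCKED, "b": False}])


if __name__ == "__main__":
    print(check_e0())   # ['C', 'A', 'E', 'C', 'ERROR']
    print(check_e1())   # None
```

The state space here is tiny (a handful of program points times two or three booleans), which is why enumeration suffices; BEBOP's BDD representation and interprocedural summaries are what let the same reachability question scale to the predicate counts on slide 23.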
19
C2BP
  • From a C program P and a set of predicates
    E = {e1, e2, ..., en}, create an abstract boolean
    program BP(P,E) which has n boolean variables
    V = {b1, b2, ..., bn}
  • Determine for each statement s in P and predicate
    ei in E how the execution of s can affect the
    truth value of ei
    • if it doesn't, s -> skip

20
C2BP cont'd
  • Static analysis
    • alias (logical model: p, pi same object?)
    • interprocedural
    • side-effects (conservative)

21
BEBOP
  • Essentially a model checker
  • Interprocedural dataflow analysis -> reachable
    states
  • Uses BDDs to represent states / transfer functions
  • ERROR-state reachability reduces to vertex
    reachability on the CFG of the boolean program BP,
    which is decidable

22
NEWTON
  • Predicate discoverer / theorem prover
  • walk the error path p found by BEBOP
  • compute the conditions (predicate values) along p
  • if an inconsistency is detected (some φ and ¬φ
    both hold along p): add φ to the list of
    predicates, repeat the whole process
  • else report p as a witness

23
Results
  • NT device drivers
  • Max 60,000 LOC
  • <10 user-supplied predicates, tens to hundreds
    inferred
  • <20-30 iterations
  • 672 runs daily, 607 terminate within 20 minutes

24
SLAM vs Metacompilation (Engler et al.)
25
Conclusions
  • SLAM: a process for checking temporal safety
    properties
  • Formally state safety properties that interface
    clients must observe
  • Fully automated validation (iterative refinement)
  • Sound: if the process terminates, either SUCCESS
    or FAILURE (with a counterexample) is reported
  • + Accurate (few false positives)
  • - Poor scalability

26
Thank You
  • Questions ?

27
  • Complexity
    • O(P × 2^E) worst case
    • in practice O(E^3)

28
SLAM: A collection of tools
  • SLIC
    • Language for specifying safety properties
  • C2BP
    • Generate abstract boolean program from C code
  • BEBOP
    • Model checking boolean programs
  • NEWTON
    • Theorem prover
    • Refine boolean program

29
(No Transcript)