Software Model Checking with SLAM

About This Presentation

Title:

Software Model Checking with SLAM

Description:

Sagar Chaki, Todd Millstein, Rupak Majumdar (2000) Satyaki Das, Wes Weimer, ... Byron Cook, Vladimir Levin, Abdullah Ustuner. Outline. Part I: Overview (30 min) ... – PowerPoint PPT presentation

Number of Views:114

Avg rating:3.0/5.0

Slides: 99

Provided by: thoma425

Category:

more less

Transcript and Presenter's Notes

Title: Software Model Checking with SLAM

1
Software Model Checking withSLAM

Thomas Ball
Testing, Verification and Measurement
Sriram K. Rajamani
Software Productivity Tools
Microsoft Research
http//research.microsoft.com/slam/

2
People behind SLAM

Summer interns
Sagar Chaki, Todd Millstein, Rupak Majumdar
(2000)
Satyaki Das, Wes Weimer, Robby (2001)
Jakob Lichtenberg, Mayur Naik (2002)
Visitors
Giorgio Delzanno, Andreas Podelski, Stefan
Schwoon
Windows Partners
Byron Cook, Vladimir Levin, Abdullah Ustuner

3
Outline

Part I Overview (30 min)
overview of SLAM process
demonstration (Static Driver Verifier)
lessons learned
Part II Basic SLAM (1 hour)
foundations
basic algorithms (no pointers)
Part III Advanced Topics (30 min)
pointers procedures
imprecision in aliasing and mod analysis

4
Part I Overview of SLAM
5
What is SLAM?

SLAM is a software model checking project at
Microsoft Research
Goal Check C programs (system software) against
safety properties using model checking
Application domain device drivers
Starting to be used internally inside Windows
Working on making this into a product

6
Rules
Static Driver Verifier
Development
Testing
Source Code
7
SLAM Software Model Checking

SLAM innovations
boolean programs a new model for software
model creation (c2bp)
model checking (bebop)
model refinement (newton)
SLAM toolkit
built on MSR program analysis infrastructure

8
SLIC

Finite state language for stating rules
monitors behavior of C code
temporal safety properties (security automata)
familiar C syntax
Suitable for expressing control-dominated
properties
e.g. proper sequence of events
can encode data values inside state

9
State Machine for Locking
Rel
Acq
Unlocked
Locked
Rel
Acq
Error
10
The SLAM Process
boolean program
c2bp
prog. P
prog. P
slic
bebop
SLIC rule
predicates
path
newton
11
Example
Does this code obey the locking rule?
do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while (nPackets ! nPacketsOld) KeRelease
SpinLock()
12
Example
Model checking boolean program (bebop)
do KeAcquireSpinLock() if() KeRe
leaseSpinLock() while () KeReleaseSpin
Lock()
U
L
L
L
U
L
U
L
U
U
E
13
Example
Is error path feasible in C program? (newton)
do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while (nPackets ! nPacketsOld) KeRelease
SpinLock()
U
L
L
L
U
L
U
L
U
U
E
14
Example
Add new predicate to boolean program (c2bp)
b (nPacketsOld nPackets)
do KeAcquireSpinLock() nPacketsOld
nPackets b true if(request) request
request-gtNext KeReleaseSpinLock() nPackets
b b ? false while (nPackets !
nPacketsOld) !b KeReleaseSpinLock()
U
L
L
L
U
L
U
L
U
U
E
15
Example
Model checking refined boolean program (bebop)
b (nPacketsOld nPackets)
do KeAcquireSpinLock() b true
if() KeReleaseSpinLock() b b ?
false while ( !b ) KeReleaseSpinLock
()
U
L
b
L
b
L
b
U
b
!b
L
U
b
L
U
b
U
E
16
Example
Model checking refined boolean program (bebop)
b (nPacketsOld nPackets)
do KeAcquireSpinLock() b true
if() KeReleaseSpinLock() b b ?
false while ( !b ) KeReleaseSpinLock
()
U
L
b
L
b
L
b
U
b
!b
L
U
b
L
b
U
17
Observations about SLAM

Automatic discovery of invariants
driven by property and a finite set of (false)
execution paths
predicates are not invariants, but observations
abstraction model checking computes inductive
invariants (boolean combinations of observations)
A hybrid dynamic/static analysis
newton executes path through C code symbolically
c2bpbebop explore all paths through abstraction
A new form of program slicing
program code and data not relevant to property
are dropped
non-determinism allows slices to have more
behaviors

18
Part I Demo
Static Driver Verifier results
19
Part I Lessons Learned
20
SLAM

Boolean program model has proved itself
Successful for domain of device drivers
control-dominated safety properties
few boolean variables needed to do proof or find
real counterexamples
Counterexample-driven refinement
terminates in practice
incompleteness of theorem prover not an issue

21
What is hard?

Abstracting
from a language with pointers (C)
to one without pointers (boolean programs)
All side effects need to be modeled by copying
(as in dataflow)
Open environment problem

22
What stayed fixed?

Boolean program model
Basic tool flow
Repercussions
newton has to copy between scopes
c2bp has to model side-effects by value-result
finite depth precision on the heap is all boolean
programs can do

23
What changed?

Interface between newton and c2bp
We now use predicates for doing more things
refine alias precision via aliasing predicates
newton helps resolve pointer aliasing imprecision
in c2bp

24
Scaling SLAM

Largest driver we have processed has 60K lines
of code
Largest abstractions we have analyzed have
several hundred boolean variables
Routinely get results after 20-30 iterations
Out of 672 runs we do daily, 607 terminate within
20 minutes

25
Scale and SLAM components

Out of 67 runs that time out, tools that take
longest time
bebop 50, c2bp 10, newton 5, constrain 2
C2bp
fast predicate abstraction (fastF) and
incremental predicate abstraction (constrain)
re-use across iterations
Newton
biggest problems are due to scope-copying
Bebop
biggest issue is no re-use across iterations
solution in the works

26
SLAM Status

2000-2001
foundations, algorithms, prototyping
papers in CAV, PLDI, POPL, SPIN, TACAS
March 2002
Bill Gates review
May 2002
Windows committed to hire two people with model
checking background to support Static Driver
Verifier (SLAMdriver rules)
July 2002
running SLAM on 100 drivers, 20 properties
September 3, 2002
made initial release of SDV to Windows (friends
and family)
April 1, 2003
made wide release of SDV to Windows (any internal
driver developer)

27
Part II Basic SLAM
28
C-
Types ? void bool int ref ?
Expressions e c x e1 op e2 x
x LExpression l x
x Declaration d ? x1,x2
,,xn Statements s skip goto L1,L2
Ln L s
assume(e)
l e l
f (e1 ,e2 ,,en )
return x
s1 s2 sn Procedures p
? f (x1 ?1,x2 ?2,,xn ?n
) Program g d1 d2 dn p1
p2 pn
29
C--
Types ? void bool
int Expressions e c x e1 op
e2 LExpression l
x Declaration d ? x1,x2
,,xn Statements s skip goto L1,L2
Ln L s
assume(e)
l e f (e1
,e2 ,,en ) return
s1 s2
sn Procedures p f (x1
?1,x2 ?2,,xn ?n ) Program g
d1 d2 dn p1 p2 pn
30
BP
Types ? void bool Expressions e
c x e1 op e2 LExpression l
x Declaration d ? x1,x2
,,xn Statements s skip goto L1,L2
Ln L s
assume(e)
l e f (e1
,e2 ,,en ) return
s1 s2
sn Procedures p f (x1
?1,x2 ?2,,xn ?n ) Program g
d1 d2 dn p1 p2 pn
31
Syntactic sugar
goto L1, L2 L1 assume(e) S1
goto L3 L2 assume(!e) S2 goto
L3 L3 S3
if (e) S1 else S2 S3
32
Example, in C

void cmp (int a , int b)
if (a b)
g 0
else
g 1

int g main(int x, int y) cmp(x, y) if
(!g) if (x ! y) assert(0)

33
Example, in C--

void cmp(int a , int b)
goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
34
The SLAM Process
boolean program
c2bp
prog. P
prog. P
slic
bebop
SLIC rule
predicates
path
newton
35
c2bp Predicate Abstraction for C Programs

Given
P a C program
F e1,...,en
each ei a pure boolean expression
each ei represents set of states for which ei is
true
Produce a boolean program B(P,F)
same control-flow structure as P
boolean vars b1,...,bn to match e1,...,en
properties true of B(P,F) are true of P

36
Assumptions

Given
P a C program
F e1,...,en
each ei a pure boolean expression
each ei represents set of states for which ei is
true
Assume each ei uses either
only globals (global predicate)
local variables from some procedure (local
predicate for that procedure)
Mixed predicates
predicates using both local variables and global
variables
complicate return processing
covered in advanced topics

37
C2bp Algorithm

Performs modular abstraction
abstracts each procedure in isolation
Within each procedure, abstracts each statement
in isolation
no control-flow analysis
no need for loop invariants

void cmp (int a , int b)
goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
Preds xy g0
ab
39

void cmp (int a , int b)
goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
void cmp ( ab )
decl g0 main( xy )
Preds xy g0
ab
40

void equal (int a , int b)
goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
void cmp ( ab ) goto L1, L2 L1
assume( ab ) g0 T
return L2 assume( !ab )
g0 F return
decl g0 main( xy ) cmp( xy
) assume( g0 ) assume( !xy )
assert(0)
Preds xy g0
ab
41
C--
Types ? void bool
int Expressions e c x e1 op
e2 LExpression l x
Declaration d ? x1,x2
,,xn Statements s skip goto L1,L2
Ln L s
assume(e)

l e f (e1
,e2 ,,en )
return
s1 s2 sn Procedures
p f (x1 ?1,x2
?2,,xn ?n ) Program g
d1 d2 dn p1 p2 pn
42
Abstracting Assigns via WP

Statement yy1 and F ylt4, ylt5
ylt4, ylt5 ((!ylt5 !ylt4) ? F ),
ylt4
WP(xe,Q) Qx -gt e
WP(yy1, ylt5)
(ylt5) y -gt y1
(y1lt5)
(ylt4)

43
WP Problem

WP(s, ei) not always expressible via e1,...,en
Example
F x0, x1, xlt5
WP( xx1 , xlt5 ) xlt4
Best possible x0 x1

44
Abstracting Expressions via F

F e1,...,en
ImpliesF(e)
best boolean function over F that implies e
ImpliedByF(e)
best boolean function over F implied by e
ImpliedByF(e) !ImpliesF(!e)

45
ImpliesF(e) and ImpliedByF(e)
46
Computing ImpliesF(e)

minterm m d1 ... dn
where di ei or di !ei
ImpliesF(e)
disjunction of all minterms that imply e
Naïve approach
generate all 2n possible minterms
for each minterm m, use decision procedure to
check validity of each implication m?e
Many optimizations possible

47
Abstracting Assignments

if ImpliesF(WP(s, ei)) is true before s then
ei is true after s
if ImpliesF(WP(s, !ei)) is true before s then
ei is false after s
ei ImpliesF(WP(s, ei)) ? true
ImpliesF(WP(s, !ei)) ? false

48
Assignment Example
Statement in P Predicates in E y y1
xy
Weakest Precondition WP(yy1, xy) xy1
ImpliesF( xy1 ) false ImpliesF( x!y1
) xy
Abstraction of assignment in B xy xy
? false
49
Absracting Assumes

WP( assume(e) , Q) e?Q
assume(e) is abstracted to
assume( ImpliedByF(e) )
Example
F x2, xlt5
assume(x lt 2) is abstracted to
assume( xlt5 !x2 )

50
Abstracting Procedures

Each predicate in F is annotated as being either
global or local to a particular procedure
Procedures abstracted in two passes
a signature is produced for each procedure in
isolation
procedure calls are abstracted given the callees
signatures

51
Abstracting a procedure call

Procedure call
a sequence of assignments from actuals to formals
see assignment abstraction
Procedure return
NOP for C-- with assumption that all predicates
mention either only globals or only locals
with pointers and with mixed predicates
Most complicated part of c2bp
Covered in the advanced topics section

void cmp (int a , int b)
Goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
void cmp ( ab ) Goto L1, L2 L1
assume( ab ) g0 T
return L2 assume( !ab )
g0 F return
decl g0 main( xy ) cmp( xy
) assume( g0 ) assume( !xy )
assert(0)
xy g0 ab
53
Precision

For program P and E e1,...,en, there exist
two ideal abstractions
Boolean(P,E) most precise abstraction
Cartesian(P,E) less precise abtraction, where
each boolean variable is updated independently
See Ball-Podelski-Rajamani, TACAS 00
Theory
with an ideal theorem prover, c2bp can compute
Cartesian(P,E)
Practice
c2bp computes a less precise abstraction than
Cartesian(P,E)
we use Das/Dills technique to incrementally
improve precision
with an ideal theorem prover, the combination
of c2bp Das/Dill can compute Boolean(P,E)

54
The SLAM Process
boolean program
c2bp
prog. P
prog. P
slic
bebop
SLIC rule
predicates
path
newton
55
Bebop

Model checker for boolean programs
Based on CFL reachability
Sharir-Pnueli 81 Reps-Sagiv-Horwitz 95
Iterative addition of edges to graph
path edges ltentry,d1gt ? ltv,d2gt
summary edges ltcall,d1gt ? ltret,d2gt

56
Symbolic CFL reachability

Partition path edges by their target
PE(v) ltd1,d2gt ltentry,d1gt ? ltv,d2gt
What is ltd1,d2gt for boolean programs?
A bit-vector!
What is PE(v)?
A set of bit-vectors
Use a BDD (attached to v) to represent PE(v)

57
BDDs
void cmp ( e2 ) 5Goto L1, L2 6L1
assume( e2 ) 7 gz T goto L3 8L2
assume( !e2 ) 9gz F goto L3 10 L3
return

Canonical representation of
boolean functions
set of (fixed-length) bitvectors
binary relations over finite domains
Efficient algorithms for common dataflow
operations
transfer function
join/meet
subsumption test

58
decl gz main( e ) 1 equal( e ) 2
assume( gz ) 3 assume( !e ) 4
assert(F)
gzgz ee
ee gze
ee gz1 e1
e2e
void cmp ( e2 ) 5Goto L1, L2 6L1
assume( e2 ) 7 gz T goto L3
8L2 assume( !e2 ) 9gz F goto L3
10 L3 return
gzgz e2e2
gzgz e2e2 e2T
e2e2 e2T gzT
gzgz e2e2 e2F
e2e2 e2F gzF
e2e2 gze2
59
Bebop summary

Explicit representation of CFG
Implicit representation of path edges and summary
edges
Generation of hierarchical error traces
Complexity O(E 2O(N))
E is the size of the CFG
N is the max. number of variables in scope

60
The SLAM Process
boolean program
c2bp
prog. P
prog. P
slic
bebop
SLIC rule
predicates
path
newton
61
Newton

Given an error path p in boolean program B
is p a feasible path of the corresponding C
program?
Yes found an error
No find predicates that explain the
infeasibility
uses the same interfaces to the theorem provers
as c2bp.

62
Newton

Execute path symbolically
Check conditions for inconsistency using theorem
prover (satisfiability)
After detecting inconsistency
minimize inconsistent conditions
traverse dependencies
obtain predicates

63
Symbolic simulation for C--

Domains
variables names in the program
values constants symbols
State of the simulator has 3 components
store map from variables to values
conditions predicates over symbols
history past valuations of the store

64
Symbolic simulation Algorithm

Input path p
For each statement s in p do
match s with
Assign(x,e)
let val Eval(e) in
if (Storex) is defined then
Historyx Historyx ? Storex
Storex val
Assume(e)
let val Eval(e) in
Cond Cond and val
let result CheckConsistency(Cond) in
if (result inconsistent) then
GenerateInconsistentPredicates()
End
Say Path p is feasible

65
Symbolic Simulation Caveats

Procedure calls
add a stack to the simulator
push and pop stack frames on calls and returns
implement mappings to keep values in scope at
calls and returns
Dependencies
for each condition or store, keep track of which
values where used to generate this value
traverse dependency during predicate generation

void cmp (int a , int b)
Goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return

int g main(int x, int y) cmp(x, y)
assume(!g) assume(x ! y) assert(0)
67

void cmp (int a , int b)
Goto L1, L2
L1 assume(ab)
g 0
return
L2 assume(a!b)
g 1
return