Verifying Regular Behavior of C modules - PowerPoint PPT Presentation

About This Presentation

Title:

Verifying Regular Behavior of C modules

Description:

We use the FSP syntax to describe FLTSs ... Glibc pthread source code. int pthread_mutex_lock() { case PTHREAD_MUTEX_RECURSIVE_NP: ... – PowerPoint PPT presentation

Number of Views:21

Avg rating:3.0/5.0

Slides: 27

Provided by: csC76

Learn more at: http://www.cs.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Verifying Regular Behavior of C modules

1
Verifying Regular Behavior of C modules

Sagar Chaki, Edmund Clarke, Alex Groce, CMU
Somesh Jha, Wisconsin

2
Regular Behavior

Expressed as Finite Labeled Transition Systems
(FLTS)
Locking protocols
We use the FSP syntax to describe FLTSs
Concurrency State Models and Java Programs
Jeff Magee, Jeff Kramer - Wiley

3
Regular Behavior LockUnlock

U (lock -gt L return -gt S),
L (unlock -gt U).

4
C Module PCI device driver

void example()
do
KeAcquireSpinLock() //event lock
nPackets nPacketsOld
if(cond)
KeReleaseSpinLock() //event unlock
nPackets
while(nPackets ! nPacketsOld)
KeReleaseSpinLock() //event unlock

5
Our Goal

To show that LockUnlock simulates the PCI driver
Need to keep track of the predicate (nPackets
nPacketsOld)
Flow-insensitive analysis will fail
Provide diagnostic feedback in case the
simulation does not exist

6
POSIX pthread Spec

pthread_mutex_lock()
Acquires lock and returns 0
Increments user count on lock and returns 0
Returns non-zero error code

U
U
lock
ret_zero
U
inc_count
U
ret_err
7
Glibc pthread source code

int pthread_mutex_lock()
case PTHREAD_MUTEX_RECURSIVE_NP
self thread_self()
if (mutex-gt__m_owner self)
mutex-gt__m_count //inc_count
return 0 //ret_zero
pthread_lock(mutex-gt__m_lock, self) //lock
mutex-gt__m_owner self
mutex-gt__m_count 0
return 0 //ret_zero

8
C module

Collection of C procedure definitions
The pthread library
Designated main procedure
The pthread_mutex_lock function
We are interested in behavior observed during an
invocation of main

9
C module

For each procedure called, one of two things must
be available
Definition of procedure
Information about behavior observed during
invocation of procedure

10
Verification

Check that every possible behavior of main is
also a behavior of the FLTS
Trace-containment
In practice it is sufficient to check for a
stronger condition viz. simulation
FLTS main

11
FLTS Definition

Fix an alphabet S
Assume S contains special symbol e
Three-tuple ltQ,I,dgt
Q finite set of states
I initial state
d transition relation over Q X S X Q

12
Example
13
Simulation

FLTSs ltQ1,I1,d1gt,ltQ2,I2,d2gt
Relation Q1 X Q2 is simulation if
Init For all t ? I2 exists s ? I1 s.t. s t
Step s t and (t,a,t) ? d2 gt exists s s.t.
(s,a,s) ? d1 and s t
Stutter s t and (t,e,t) ? d2 gt s t OR
exists s s.t. (s,e,s) ? d1 and s t

14
Overall method

Step 1 Compute relation R that satisfies
conditions 2 and 3
Step 2 Check that R satisfies condition 1 as well

15
Step 1

Start with R Q1 X Q2
Iteratively refine R using condition 2 and 3 till
a fixed point is reached
If (s,t) ? R and if (t,a,t) ? d2 then remove
(s,t) if there does not exist s s.t. (s,a,s) ?
d1 and (s,t) ? R

16
Example
lock
U,L,S
V
lock
U,L,S
e
U,L,S
L
U
unlock
e
return
M
S
U,L,S
U,L,S
17
Example
lock
U,L,S
V
lock
U,L,S
e
U
L
U
unlock
e
return
M
S
U,L,S
U,L,S
18
Example
lock
U
V
lock
U,L,S
e
U
L
U
unlock
e
return
M
S
U,L,S
U,L,S
19
Example
lock
U
V
lock
U,L,S
e
U
L
U
unlock
e
return
M
S
L
U,L,S
20
Example
lock
U
V
lock
L
e
U
L
U
unlock
e
return
M
S
L
U,L,S
21
FLTS from C module

Based on a set of predicates
Each state of the FLTS consists of a control
location of the C module and a valuation to the
predicates
Non-context-sensitive
Weakest preconditions and theorem proving are
used to compute the transitions on-the-fly

22
Predicates and Property