daniel jackson - PowerPoint PPT Presentation

1
daniel jackson
logic, models & analysis
2
my green eggs and ham
  • two languages in any analysis
  • first order relational logic
  • models in their own right

3
plan of talk
  • Alloy, a RISC notation
  • models of software
  • analysis reduced to SAT
  • finding bugs with constraints
  • Not in this order

4
object model diagram
5
lightweight formal methods
  • focus
    • high risk issues
    • structural aspect
  • light notation
    • minimal syntax, pure ascii
    • simple semantics
    • integrated graphical/textual
  • light analysis
    • fully automatic, interactive speed
    • concrete output (instances & counters)
  • declarative style
    • incrementality & views
    • essential properties

6
why modelling improves designs
  • rapid experimentation
  • articulating essence
  • simplifying design
  • catching showstopper bugs

7
first-order relational logic
  • predicate logic                              relational logic
  • all x | S(x) -> (T(x) && U(x))               S in (T & U)
  • all x, y | S(x) && R(x,y) -> T(y)            S.R in T
  • all x | some y | loves(y, x)                 all x | some y | x in y.loves
  • can't express: no x | x in x.R

Ceilings and Floors demo
8
checking assertions
  [flowchart: select scope (e.g. 3 attrs, vals, recs) -> run check -> counter?
   yes: real? (prop fails / fix model); no: slow? (no: incr scope and re-run; yes: prop holds)]
9
small scope hypothesis

most bugs can be caught by considering only small instances
  [plot: bugs caught vs. scope; axis ticks shown: 90 (bugs caught), 4 (scope)]
10
how analyzer works
  • what you learned in CS 101
    • 3-SAT: the first NP-complete problem
    • to show a problem is hard, reduce SAT to it
  • what we know now
    • SAT is usually easy
    • to show a problem is easy, reduce it to SAT
  • key to reduction
    • consider a finite scope per type

small scope hypothesis: most interesting cases have illustrations in small scopes
11
architecture
  [diagram: alloy problem -> translate problem -> boolean formula -> SAT solver -> boolean solution
   -> translate solution -> alloy result; the scope and the mapping are shared by both translation steps]
12
SAT solvers
  • in theory
    • 3-SAT is NP-complete
  • in practice
    • solvers work well for < 1000 variables and < 100,000 clauses
    • usually give small models

13
example
  • problem
    • a, b : S
    • p : S -> T
    • ! (a - b).p in (a.p - b.p)
  • translation in scope of 2
    • formula becomes
      (((a0 ∧ ¬b0) ∧ p00) ∨ ((a1 ∧ ¬b1) ∧ p10)) ∧ ¬(((a0 ∧ p00) ∨ (a1 ∧ p10)) ∧ ¬((b0 ∧ p00) ∨ (b1 ∧ p10))) ∨ …
    • a model is
      a0, ¬a1, ¬b0, b1, p00, ¬p01, p10, ¬p11
  • mapping function
    • set to vector of bool var
      a = (a0, a1)
      b = (b0, b1)
    • relation to matrix
      p = ((p00, p01), (p10, p11))
  • final result
    • S = {S0, S1}
    • T = {T0, T1}
    • p = {(S0, T0), (S1, T0)}
    • a = {S0}
    • b = {S1}

14
example
  • a procedure
      class List { List next }
      void insert (List first, List rest) { first.next = rest }
  • an assertion
      insert: Acyclic(rest) -> Acyclic(first)
      where Acyclic(l : List) = no x : l.next | x in x.next
  • how insert is translated
      (first.next' = rest) ∧ (all x | x != first -> x.next' = x.next) ∧ (rest' = rest)
  • a counterexample
      first = rest = L1, next = {}, next' = L1 -> L1

15
what Alcoa does
  • alcoa: formula, scope -> env
  • does not always succeed (i.e., may return nothing)
  • properties
    • termination: always, with deterministic solvers
    • soundness: alcoa(F, k) ∈ Models_k(F)
    • relative completeness: Models_k(F) ≠ ∅ -> alcoa(F, k) succeeds
  • non-properties
    • minimality: alcoa(F, k) is not necessarily the smallest model of F in scope k
    • completeness: Models(F) ≠ ∅ -> alcoa(F, k) succeeds
  • so counterexamples are real, but can't prove theorems

16
scope monotonicity
  • Alcoa is scope monotonic
    • alcoa(F, k) succeeds -> alcoa(F, k+1) succeeds
    • if scope of 7 fails, no need to try 6, 5, ...
  • because models are scope monotonic
    • Models_k(F) ⊆ Models_{k+1}(F)

17
translation scheme
  • represent
    • set as vector of bool var
      a = (a0, a1)
      b = (b0, b1)
    • relation as matrix
      p = ((p00, p01), (p10, p11))
  • translate
    • set expr to vector of bool formula
      XT[a - b]_i = XT[a]_i ∧ ¬XT[b]_i
      XT[a . b]_i = ∨_j (XT[a]_j ∧ XT[b]_ji)
    • relational expr to matrix of bool formula
    • formula to bool formulas

18
translation
  • a = (a0, a1)
  • b = (b0, b1)
  • p = ((p00, p01), (p10, p11))
  • a - b = (a0 ∧ ¬b0, a1 ∧ ¬b1)
  • (a - b).p = (((a0 ∧ ¬b0) ∧ p00) ∨ ((a1 ∧ ¬b1) ∧ p10), …)
  • a.p = ((a0 ∧ p00) ∨ (a1 ∧ p10), (a0 ∧ p01) ∨ (a1 ∧ p11))
  • b.p = ((b0 ∧ p00) ∨ (b1 ∧ p10), (b0 ∧ p01) ∨ (b1 ∧ p11))
  • a.p - b.p = (((a0 ∧ p00) ∨ (a1 ∧ p10)) ∧ ¬((b0 ∧ p00) ∨ (b1 ∧ p10)), …)
  • ! (a - b).p in (a.p - b.p) =
    ((((a0 ∧ ¬b0) ∧ p00) ∨ ((a1 ∧ ¬b1) ∧ p10)) ∧ ¬(((a0 ∧ p00) ∨ (a1 ∧ p10)) ∧ ¬((b0 ∧ p00) ∨ (b1 ∧ p10)))) ∨ …

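The translation scheme of the last two slides, worked through as an added example (not code from the talk or from Alcoa): sets become vectors and relations matrices of boolean variables, difference and join become the boolean formulas of the XT rules, and an exhaustive assignment search stands in for the SAT solver in scope 2. The helper names (set_vars, join, solve, find_counterexample) and the union rule used for the theorem case are this example's own.

```python
from itertools import product

SCOPE = 2  # every domain is bounded to atoms 0 .. SCOPE-1

# A boolean formula is a closure over an assignment (dict var-name -> bool),
# so "translating" an expression builds closures rather than a syntax tree.
def var(name):  return lambda env: env[name]
def neg(f):     return lambda env: not f(env)
def conj(*fs):  return lambda env: all(f(env) for f in fs)
def disj(*fs):  return lambda env: any(f(env) for f in fs)

# set -> vector of boolean variables, relation -> matrix of boolean variables
def set_vars(n): return [var(f"{n}{i}") for i in range(SCOPE)]
def rel_vars(n): return [[var(f"{n}{i}{j}") for j in range(SCOPE)] for i in range(SCOPE)]

# XT[a + b]_i = XT[a]_i or XT[b]_i                 (union, for the theorem below)
def union(a, b): return [disj(a[i], b[i]) for i in range(SCOPE)]
# XT[a - b]_i = XT[a]_i and not XT[b]_i            (difference rule from the slide)
def diff(a, b):  return [conj(a[i], neg(b[i])) for i in range(SCOPE)]
# XT[a . p]_i = OR_j (XT[a]_j and XT[p]_ji)        (join rule from the slide)
def join(a, p):  return [disj(*[conj(a[j], p[j][i]) for j in range(SCOPE)]) for i in range(SCOPE)]
# !(a in b) = OR_i (a_i and not b_i): true exactly when some atom witnesses the violation
def not_subset(a, b): return disj(*[conj(a[i], neg(b[i])) for i in range(SCOPE)])

VARS = [f"a{i}" for i in range(SCOPE)] + [f"b{i}" for i in range(SCOPE)] \
     + [f"p{i}{j}" for i in range(SCOPE) for j in range(SCOPE)]
A, B, P = set_vars("a"), set_vars("b"), rel_vars("p")

# Negated assertions: a model of the negation is a counterexample to the assertion.
NON_THEOREM = not_subset(join(diff(A, B), P), diff(join(A, P), join(B, P)))    # ! (a-b).p in (a.p-b.p)
THEOREM     = not_subset(join(union(A, B), P), union(join(A, P), join(B, P)))  # ! (a+b).p in (a.p+b.p)

def solve(formula):
    """Stand-in for the SAT solver: exhaustive search over all 2^len(VARS) assignments."""
    for bits in product([False, True], repeat=len(VARS)):
        env = dict(zip(VARS, bits))
        if formula(env):
            return env
    return None

def find_counterexample(formula):
    """Run the solver and map the boolean solution back to a relational instance (or None)."""
    env = solve(formula)
    if env is None:
        return None
    return {"a": {i for i in range(SCOPE) if env[f"a{i}"]},
            "b": {i for i in range(SCOPE) if env[f"b{i}"]},
            "p": {(i, j) for i in range(SCOPE) for j in range(SCOPE) if env[f"p{i}{j}"]}}
```

find_counterexample(NON_THEOREM) returns an instance such as a = {S0}, b = {S1}, p = {(S0,T0), (S1,T0)}, while find_counterexample(THEOREM) returns None: no counterexample exists in scope 2, which (as the talk says) does not prove the theorem.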
19
tricks
  • quantifiers
    • could expand into conjunctions
    • but how to make modular?
    • translate formula into tree indexed on var
  • avoiding blowup
    • solvers expect CNF
    • standard var intro tricks
  • symmetry
    • all our domains are uninterpreted
    • many equivalent assignments
    • add symmetry-breaking predicates

20
how (not) to delete
  class List { List next; Val val; }

  void static delete (List p, Val v) {
      List prev = null;
      while (p != NULL) {
          if (p.val == v) {
              prev.next = p.next;   // prev is still null when the first cell matches
              return;
          } else {
              prev = p;
              p = p.next;
          }
      }
  }

21
specifying delete
  • as Alloy model
  • domain: List, Val
  • state:
      next : List -> List?
      val : List -> Val?
      p : List?, v : Val?

22
specifying delete
  • // 1 no cells added:            p.next' in p.next
  • // 2 no cell with value v after: no c : p.next' | c.val = v
  • // 3 cells with value v removed: p.next' = p.next - {c | c.val = v}
  • // 4 no cells mutated:          all c | c.val' = c.val
  • // 5 no cycles introduced:      (no c : l.next | c in c.next) -> (no c : p.next' | c in c.next')

23
counterexample
  Domains: List = {P0}, Val = {V0}
  Sets: E01 = traversed, E12 = (null), E13 = traversed, E34 = traversed, E45 = traversed, E52 = traversed,
        E36 = (null), E67 = (null), E78 = (null), E82 = (null),
        p = P0, p1 = P0, prev = P0, prev1 = (null), prev2 = (null), prev' = (null), v = V0
  Relations: next = {}, next1 = {}, val = P0 -> V0, next' = {}, next1' = {}, val' = P0 -> V0
  Skolem constants: c = P0
24
hacking delete (1)
  • counter 1: first cell has value v
  • cond Mask { p.val != v }
  • assert DeleteCode && Mask -> DeleteSpec

25
hacking delete (2)
  • counter 2: two cells with value v
  • cond RI { all x | sole c : p.next | c.val = x }
  • assert DeleteCode && Mask && RI -> DeleteSpec
  • assert DeleteCode && RI -> RI'

Now there are no counter-examples
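A bounded check of DeleteSpec under the Mask and RI conditions, as an added example (not Alcoa's analysis or the talk's own code): instead of encoding code and spec into SAT, it enumerates every acyclic list of up to `scope` cells over a single value, runs the slide's delete on each, and evaluates spec clauses 1 to 4 (the lists are built acyclic, so clause 5 is not exercised). Function names, the single value V0, and the constructed heaps are this example's own; with scope 3 it reproduces counter 1, then counter 2 once Mask is on, and nothing once RI is on as well.

```python
from itertools import product

def delete(cells, p, v):
    """The slide's delete, run concretely. cells: dict id -> {"next": id|None, "val": value|None}.
    Returns "null-deref" when the code would assign prev.next with prev still null."""
    prev = None
    while p is not None:
        if cells[p]["val"] == v:
            if prev is None:                       # first cell matched: prev.next dereferences null
                return "null-deref"
            cells[prev]["next"] = cells[p]["next"]
            return "ok"
        prev, p = p, cells[p]["next"]
    return "ok"

def reach(cells, p):
    """Cells reachable from p along next (the list that p.next denotes in the spec)."""
    seen = []
    while p is not None and p not in seen:
        seen.append(p)
        p = cells[p]["next"]
    return seen

def spec_holds(before, after, p, v):
    """DeleteSpec clauses 1-4: no cells added, no v-cell left, exactly the v-cells removed, no mutation."""
    rb, ra = set(reach(before, p)), set(reach(after, p))
    return (ra <= rb                                                        # 1
            and all(after[c]["val"] != v for c in ra)                      # 2
            and ra == {c for c in rb if before[c]["val"] != v}             # 3
            and all(before[c]["val"] == after[c]["val"] for c in before))  # 4

def check(scope, mask=False, ri=False):
    """Bounded check over every acyclic list of 1..scope cells with one value V0 (constructed inputs).
    mask/ri enable the Mask and RI conditions. Returns (heap, reason) for the first failure, or None."""
    for n in range(1, scope + 1):
        for vals in product([None, "V0"], repeat=n):
            heap = {c: {"next": c + 1 if c + 1 < n else None, "val": vals[c]} for c in range(n)}
            p, v = 0, "V0"
            if mask and heap[p]["val"] == v:            # cond Mask { p.val != v }
                continue
            if ri and sum(x == v for x in vals) > 1:    # cond RI: at most one cell per value
                continue
            after = {c: dict(f) for c, f in heap.items()}
            result = delete(after, p, v)
            if result != "ok":
                return heap, result
            if not spec_holds(heap, after, p, v):
                return heap, "spec violated"
    return None
```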
26
step 1 unroll control flow graph
  void static delete (List p, Val v) {
      List prev = null;
      while (p != NULL) {
          if (p.val == v) {
              prev.next = p.next;
              return;
          } else {
              prev = p;
              p = p.next;
          }
      }
  }

27
step 2 encode control flow
  • E01 -> E12 ∨ E13
  • E13 -> E34 ∨ E36
  • E34 -> E45
  • E45 -> E52
  • E36 -> E67
  • E67 -> E78
  • E78 -> E82

28
step 3 encode dataflow
  • E36 -> p3.val3 != v3
  • E45 -> prev4.next5 = p4.next4
  • E78 -> p8 = p7.next7

29
frame conditions
  • must say what doesn't change
  • so add p6 = p7
  • but
    • don't need a different p at each node
    • share vars across paths
    • eliminates most frame conditions
  • alternative ways to model state: model variables as atoms with a stack, vars -> values

30
example
31
example
Pre ∧ Code ∧ ¬Post
32
Checking null dereferences
  • NullDerefs_j = NullDerefs_i ∪ { o | o ∈ Refs(e), E(e) }
  • Refs(e): set of expressions denoting objects whose fields are dereferenced when e is evaluated
  • now, check at end of program that NullDerefs is empty

33
sample results
  • on Sagiv & Dor's suite of small list procedures
    • reverse, rotate, delete, insert, merge
  • wrote partial specs (e.g., set containment on cells)
  • predefined specs for null deref, cyclic list creation
  • anomalies found
    • 1 unrolling
    • scope of 1
    • < 1 second
  • specs checked
    • 3 unrollings
    • scope of 3
    • < 12 seconds

34
promising?
  • nice features
    • expressive specs
    • counterexample traces
    • easily instrumented
  • compositionality
    • specs for missing code
    • summarize code with formula
  • analysis properties
    • code formula same for all specs
    • exploit advances in SAT

35
summary
  • Alloy, a tiny logic of sets & relations
  • declarative models, not abstract programs
  • analysis based on SAT
  • translating code to Alloy

36
related work
  • checking against logic
    • Sagiv, Reps & Wilhelm's PSA: sound, but can give spurious counterexamples and no concrete trace
    • Extended Static Checker
    • model checking focuses on temporal properties, Alloy on structural properties
  • using constraints
    • Ernst, Kautz, Selman & co: planning
    • Biere et al: linear temporal logic
    • Podelski's array bounds
  • extracting models from code
    • SLAM's boolean programs
    • Bandera's automata

37
  • "You do not like them. So you say. Try them! Try them! And you may. Try them and you may, I say."

sdg.lcs.mit.edu/alloy