Software Verification with Blast - PowerPoint PPT Presentation

1
Software Verification with Blast
  • Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar,
  • George Necula, Grégoire Sutre, Wes Weimer
  • UC Berkeley

2
Motivation
  • Verification of systems code
    • Locking disciplines
    • Interface specifications
    • Essential for correct operation
    • High rate of bugs
  • Temporal properties
    • Require path-sensitive analysis
    • Swamped by false positives
    • Really hard to check

3
Model Checking
  • Doesn't scale to low-level implementations
    • Can only model check abstractions
    • Requires human intervention
  • Abstract-Check-Refine loop
    • Microsoft SLAM project
    • Clarke et al. '00, Saidi '00

4
Abstract-Check-Refine Loop
[Figure: the loop. Abstract → Check ("Is the model unsafe?") → when the counterexample is infeasible, Refine ("Why infeasible?") → Abstract again.]
5
Model Checking 101
  • Keep searching successors until
    • Hit error states → report bug!
    • Add no new successors → report safe
  • Could take a long time
[Figure: the system's state space, with the initial state Init and the ERROR STATES region.]
6
Model Checking Abstraction
  • Problem: far too many states
    • Iterations don't terminate!
  • Solution: abstract

7
Model Checking Abstraction
  • Problem: abstraction too coarse
  • Solution: refine abstraction
    • Make boxes smaller
[Figure: the abstract state space as boxes, with Init and the ERROR STATES region.]
9
Abstract Only Where Required
  • Abstraction is very expensive
  • Why abstract regions that are never visited?
  • On-the-fly abstraction driven by the search
[Figure: only the boxes reached from Init are abstracted; the ERROR STATES region is shown.]
10
Refine Only Where Required
  • Why be precise everywhere?
  • Don't refine error-free regions
[Figure: the state space with Init, the ERROR STATES region and an ERROR FREE region.]
11
Refine Only Where Required
  • Why be precise everywhere?
  • Don't refine error-free regions
  • Different precision for different regions
  • Local refinement driven by the search
[Figure: the state space with Init, the ERROR STATES region and an ERROR FREE region; only the boxes near the error states are refined.]
12
How to improve
  • Abstract only where required
    • Reachable state space is very sparse
    • Construct the abstraction on-the-fly
  • Use greater precision only where required
    • Different precisions/abstractions for different regions
    • Refine locally
  • Reuse work from earlier phases
    • Batch-oriented ⇒ lose work from previous runs
    • Integrate the three phases
  • Exploit control flow structure

13
Example
The running example (C-like; "*" is a nondeterministic branch, and the numbers are the control locations used in the CFA and the reachability tree):

  Example ( ) {
  1:  if (*) {
  7:    do {
          got_lock = 0;
  8:      if (*) {
  9:        lock();
            got_lock++;
  10:     }
          if (got_lock) {
  11:       unlock();
          }
  12:   } while (*);
      }
  2:  do {
        lock();
        old = new;
  3:    if (*) {
  4:      unlock();
          new++;
        }
  5:  } while (new != old);
  6:  unlock();
      return;
  }

Q: Is Error Reachable?
14
Example: CFA
[Figure: the program of slide 13 beside its control-flow automaton (CFA), starting from node 1.]

15
Example: CFA
[Figure: the CFA of the program of slide 13. Edges of the right branch (nodes 7-12) are labelled got_lock = 0; [true]; [true]; lock(); got_lock++; [got_lock ≠ 0]; [got_lock = 0]; unlock(); [true]; [true]. The [true] edges are the nondeterministic branches.]

16
Example: CFA
[Figure: the program and its CFA, as on slide 15.]
Q: Is Error Reachable?
17
Step 1: Search
[Figure: forward search along the path 1 → 2 → 3 → 4 → 5 → 6 with the edges [true]; lock(); old = new; [true]; unlock(); new++; [new = old]; unlock().]
Set of predicates: LOCK = 0, LOCK = 1
18
Step 2: Analyze Counterexample
Q: When can …
States that can execute the trace ops: wp(true, ops)
States at node n: R_n
⇒ check R_n ∧ wp(true, ops) = ∅ ?
19
Step 2: Analyze Counterexample
Regions computed backwards along the trace by wp, listed from node 1 down to the error:
  LOCK = 0 ∧ new + 1 = new
    lock(); old = new
  LOCK = 1 ∧ new + 1 = old
    [true]
  LOCK = 1 ∧ new + 1 = old
    unlock(); new++
  LOCK = 0 ∧ new = old
    [new = old]
  LOCK = 0
    unlock()
  LOCK = 0
R_n ∧ wp(true, ops) = ∅ ?

20
Step 2: Analyze Counterexample
(Same trace and regions as slide 19.)
Track the predicate new = old
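As an added worked example (written for this page, not BLAST's own code), the backward analysis of slides 19-20 carried out mechanically: trace edges are modelled as assignments, guards and lock()/unlock() calls, wp is the exact predecessor operator of slide 41, and region emptiness is decided by brute force over a small constructed domain in place of a theorem prover. The [true] branches are left out because they do not change the state.

```python
from itertools import product

# Constructed finite domain in place of a theorem prover (example code, not BLAST's).
DOMAIN = [dict(LOCK=l, new=n, old=o)
          for l, n, o in product((0, 1), range(4), range(4))]

def wp(op, post):
    """Exact predecessor region of `post` across one edge (pre of slide 41).
    Edges: ('assign', var, f), ('assume', guard), ('lock',), ('unlock',)."""
    kind = op[0]
    if kind == 'assign':
        var, f = op[1], op[2]
        return lambda s: post({**s, var: f(s)})
    if kind == 'assume':
        return lambda s: op[1](s) and post(s)
    if kind == 'lock':        # lock() is legal only with LOCK = 0, then LOCK := 1
        return lambda s: s['LOCK'] == 0 and post({**s, 'LOCK': 1})
    if kind == 'unlock':      # unlock() is legal only with LOCK = 1, then LOCK := 0
        return lambda s: s['LOCK'] == 1 and post({**s, 'LOCK': 0})
    raise ValueError(op)

def region(pred):
    """The domain states satisfying `pred`, as a hashable set."""
    return frozenset(tuple(sorted(s.items())) for s in DOMAIN if pred(s))

def analyze(trace, error):
    """Walk the trace backwards from the error condition. Returns the regions
    R_0..R_n (R_i: states before edge i from which the error is reachable) and
    the index of the edge nearest the error whose region is empty, i.e. where
    the trace becomes infeasible (None if the trace is feasible)."""
    post, regions, focus = error, [None] * (len(trace) + 1), None
    regions[len(trace)] = region(error)
    for i in range(len(trace) - 1, -1, -1):
        post = wp(trace[i], post)
        regions[i] = region(post)
        if not regions[i] and focus is None:
            focus = i
    return regions, focus

# The counterexample of slides 17-19: nodes 1 -> 2 -> 3 -> 4 -> 5 -> 6, then the
# unlock() at node 6; the [true] branches are omitted since they leave the state alone.
TRACE = [('lock',), ('assign', 'old', lambda s: s['new']),        # 2 -> 3
         ('unlock',), ('assign', 'new', lambda s: s['new'] + 1),  # 4 -> 5
         ('assume', lambda s: s['new'] == s['old'])]              # 5 -> 6

def error_at_6(s):
    return s['LOCK'] == 0     # unlock() at node 6 while the lock is not held
```

`analyze(TRACE, error_at_6)` reports edge 1 (old = new) as the focus point: the region before it, LOCK = 1 ∧ new + 1 = new, is empty, which is why new = old is the predicate to track.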
21
Step 3: Resume search
Set of predicates: LOCK = 0, LOCK = 1
New predicate: new = old
[Figure: the search restarted from node 1 (LOCK = 0) along lock(); old = new; [true]; unlock(); new++, with the two exits [new = old] and [new ≠ old].]

22
Step 3: Resume search
Set of predicates: LOCK = 0, LOCK = 1
New predicate: new = old
[Figure: with new = old tracked, the region at node 5 after unlock(); new++ is LOCK = 0 ∧ new ≠ old; the exits [new = old], [new ≠ old] and the unlock() are shown.]
23
Example: CFA
[Figure: the program and its CFA, as on slide 15.]
24
Step 4: Search Right Branch
Set of predicates: LOCK = 0, LOCK = 1
New predicate (from trace): got_lock = 0
25
Leaves Covered (Reuse work)
Leaves covered: avoid repeating the search when paths merge.
[Figure: a leaf with region LOCK = 0 ∧ … already contained in an earlier region at the same node is marked COVERED! and not expanded.]
26
Different Abstractions
Different predicates for different parts of the state space.
Local refinement: preserves the work on the left tree.
[Figure: the right subtree tracks got_lock = 0, the left subtree tracks new = old.]
27
Reachability Tree
[Figure: the final reachability tree over the CFA of slide 13. Regions at the nodes: 1: LOCK = 0; 2: LOCK = 0; 3: LOCK = 1 ∧ new = old; 4: LOCK = 1 ∧ new = old; 5: LOCK = 0 ∧ new ≠ old and LOCK = 1 ∧ new = old; 7: LOCK = 0; 8: LOCK = 0 ∧ got_lock = 0; 9: LOCK = 0 ∧ got_lock = 0; 10: LOCK = 1 ∧ got_lock ≠ 0 and LOCK = 0 ∧ got_lock = 0. Leaves marked ∅ are infeasible; leaves that return to an already visited node (1, 2, 8) are covered.]
28
Invariants
Regions in the tree are invariants. Invariant Inv(n) for node n: disjunction of all node-n regions in the tree.
Inv(5) is LOCK = 0 ∧ new ≠ old ∨ LOCK = 1 ∧ new = old
Inv(6) is LOCK = 1 ∧ new = old
[Figure: the left subtree with its regions: 1: LOCK = 0; 2: LOCK = 0; 3: LOCK = 1 ∧ new = old; 4: LOCK = 1 ∧ new = old; 5: LOCK = 0 ∧ new ≠ old and LOCK = 1 ∧ new = old; 6: LOCK = 1 ∧ new = old; the remaining leaves are ∅ or covered.]
29
Proof Generation
  • Use the invariants from the tree
  • Verification conditions for correctness
    • Pre ⇒ Inv(1)
    • Inv(e) = false for error node e
    • Post(Inv(j), c_jk) ⇒ Inv(k)
  • These can be formalized as in PCC
[Figure: node 5 with Inv(5) = LOCK = 0 ∧ new ≠ old ∨ LOCK = 1 ∧ new = old and its exits [new ≠ old] and [new = old].]
  1. Inv(1) contains Pre as a disjunct
  2. Error node not in tree
30
Proof Generation II
Prove Post(Inv(i), c_ij) ⇒ Inv(j). Use the tree to break the proof:
Post(A ∨ B, c) ⇒ D ∨ E becomes Post(A, c) ⇒ D and Post(B, c) ⇒ E.
Example: Post(Inv(5), [new = old]) ⇒ Inv(6)
  Post(LOCK = 0 ∧ new ≠ old, [new = old]) ⇒ LOCK = 1 ∧ new = old
  Post(LOCK = 1 ∧ new = old, [new = old]) ⇒ LOCK = 1 ∧ new = old
[Figure: node 5 with Inv(5) = LOCK = 0 ∧ new ≠ old ∨ LOCK = 1 ∧ new = old, the edge [new = old] to node 6 with Inv(6) = LOCK = 1 ∧ new = old, and the exit [new ≠ old].]

31
Proof Generation II
Prove Post(Inv(i), c_ij) ⇒ Inv(j). Use the tree to break the proof:
Post(A ∨ B, c) ⇒ D ∨ E becomes Post(A, c) ⇒ D and Post(B, c) ⇒ E.
But these were computed in the forward search!
Example: Post(Inv(5), [new = old]) ⇒ Inv(6)
  false ⇒ LOCK = 1 ∧ new = old
  LOCK = 1 ∧ new = old ⇒ LOCK = 1 ∧ new = old
32
Lazy abstraction
  • For any system, require
    • Region representation
    • Boolean operations (∧, ∨, ¬)
    • Covering check ⊆
    • post: Region → approx. successor Region
      • Forward search
    • pre: Region → exact predecessor Region
      • Backward counterexample analysis
    • focus: why a trace is infeasible

33
BLAST
  • Berkeley Lazy Abstraction Software verification Tool
  • 10K lines of OCaml
  • Analyze Linux/Windows device drivers
[Figure: architecture. CIL (C → CFA) feeds LAZY ABSTRACTION over a REGION STRUCTURE; external components: Vampyre (focus), Proof Gen (PCC), Simplify (post), BDD engine (Boolean ops).]
34
[Figure: the IRP completion specification used for the Windows driver experiments, a state machine with states NP, MPR1, MPR2, MPR3, SKIP1, SKIP2, IPC, PPC, DC and N/A (entered via "start NP" and "start P") whose transitions are driver actions such as CallDriver, Mark Pending, Complete request, return Pending / return not Pending, prop completion / no prop completion, return child status, synch and IRP accessible. From the SLAM project.]
35
Experiments
  • Windows Drivers (IRP Spec, 22 states)

Program     Lines   Predicates  Predicates  Time     Proof
floppy.c    17386   62          37          35 min
            17386   93          44          21 min   60K
parport.c   61781   193         50          33 min   103K
mouclass.c  17352   57          46          1 min
cdaudio.c   17798   85          45          23 min   156K
kbfiltr.c   12131   54          40          1 min
            12131   12          8           10 sec   7K
36
Experiments: Linux Locking

Program     Lines   Predicates  Predicates  Time     Proof
ide.c       18131   5           5           4 sec    253
aironet.c   18152   17          11          4 min
aha152x.c   17736   2           2           20 sec
tlan.c      16505   5           4           7 min    405
37
Why Abstract Lazily?
  • Reach set is very sparse
    • Abstract on-the-fly
    • Only the reachable region
    • Requires very fast post
  • Exploit control-flow structure
    • Free partitioning of state space
    • Partition preds: different abstractions
    • Refine locally: don't repeat old work
38
Problems/Future work
  • Engineering issues
  • Program analysis
    • Partitioning by partial evaluation
  • Theory of counterexample-driven refinement
    • for all linear and branching time logics
39
Predicate Abstraction
Region representation: formulas over predicates.
[Figure: a set of states drawn over the boxes defined by the predicates P1 … P4.]
Abstract set: P1 P2 P4 ∨ P1 P2 P3 P4

40
Predicate Abstraction
  • Box: abstract variable valuation
  • BoxCover(S): set of boxes covering S
  • Theorem prover used to compute BoxCover
41
Post, Pre
[Figure: a region S and its image post(S), with its abstract cover post#(S).]
  • pre(S, op) = { s | ∃ s' ∈ S. s →op s' } (Weakest Precondition)
  • post(S, op) = { s' | ∃ s ∈ S. s →op s' } (Strongest Postcondition)
  • Abstract operators: post#
    • post(S, op) ⊆ post#(S, op)
  • Concrete operators: pre
    • Classical Weakest Precondition
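An added example (not from the slides or from BLAST) of the abstract post operator of slides 39-41 built from BoxCover over a constructed finite domain: it replays the path of slides 17-22 first with only LOCK = 0, LOCK = 1 and then with new = old added, showing that the coarse abstraction still reaches the unlock() at node 6 while the refined one proves the path infeasible.

```python
from itertools import product

# Constructed finite domain in place of a theorem prover (example code, not BLAST's).
DOMAIN = [dict(LOCK=l, new=n, old=o)
          for l, n, o in product((0, 1), range(4), range(4))]

def key(s):
    return tuple(sorted(s.items()))          # hashable form of a concrete state

def post(S, op):
    """Concrete strongest postcondition (successors of the states in S); a
    lock()/unlock() made in the wrong LOCK state has no legal successor."""
    out = set()
    for s in map(dict, S):
        if op[0] == 'assign':
            s[op[1]] = op[2](s)
        elif op[0] == 'assume' and not op[1](s):
            continue
        elif op[0] in ('lock', 'unlock'):
            if s['LOCK'] != (0 if op[0] == 'lock' else 1):
                continue                     # illegal call: error edge, not a successor
            s['LOCK'] = 1 - s['LOCK']
        out.add(key(s))
    return out

def box(s, preds):
    return tuple(p(s) for p in preds)        # box = abstract valuation of s

def box_cover(S, preds):
    return {box(dict(s), preds) for s in S}  # BoxCover(S): boxes meeting S

def concretize(boxes, preds):
    return {key(s) for s in DOMAIN if box(s, preds) in boxes}  # region of a box set

def abstract_post(boxes, op, preds):
    """post#(S, op) = BoxCover(post(S, op)), an over-approximation of post."""
    return box_cover(post(concretize(boxes, preds), op), preds)

def run(preds, trace, init):
    """Abstract forward search along one path; returns the final box set."""
    boxes = box_cover({key(s) for s in DOMAIN if init(s)}, preds)
    for op in trace:
        boxes = abstract_post(boxes, op, preds)
    return boxes

# Path 1 -> 2 -> 3 -> 4 -> 5 -> 6 of the running example (slides 17-22).
TRACE = [('lock',), ('assign', 'old', lambda s: s['new']), ('unlock',),
         ('assign', 'new', lambda s: s['new'] + 1),
         ('assume', lambda s: s['new'] == s['old'])]
LOCK_PREDS = [lambda s: s['LOCK'] == 0, lambda s: s['LOCK'] == 1]
REFINED = LOCK_PREDS + [lambda s: s['new'] == s['old']]   # predicate found by focus
```

With LOCK_PREDS the path ends in the box (LOCK = 0, ¬LOCK = 1), a spurious error; with REFINED the box set after unlock(); new++ is LOCK = 0 ∧ new ≠ old, and [new = old] leaves it empty.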

42
Predicate Discovery
  • Information lost in substitution
  • Keep substitutions explicit
  • Ask for a proof of unsatisfiability
  • Pick predicates appearing in the proof

43
Predicate Discovery
Weakest Precondition: wp(Y, x := e) = Y[e/x]
Explicit WP: wp(Y, x := e) = ∃ x'. x' = e ∧ Y[x'/x]
Example:
  LOCK = 0 ∧ ∃ old', new', LOCK'. old' = new ∧ LOCK' = 0 ∧ new' = old' ∧ new' = new + 1
New predicates from the proof of unsatisfiability: old = new, new = old, new = new + 1
44
  • "BLAST! This is why I hate flying!"
  • - Jedi Master Obi-Wan Kenobi
  • in Episode II: Attack of the Clones, 2002