shape analysis with SAT Daniel Jackson

1
shape analysis with SATDaniel Jackson
Mandana VaziriSoftware Design Group, MIT
LCSSchloss Ringberg February 21, 2000
2
why software model checking?

• want to analyze specs but
• no commensurate analysis
• only theorem proving and type checking?
• formal specifications are write-only
• model checking offers
• automation of deep analysis
• focus on presence not absence of errors
• rich property language

3
how would model checking differ for software?

• sequential
• focus not on concurrency
• relational
• state itself is relational
• essence of Z, RDB, OO
• incremental modular
• global operations
• declarative style
• abstract
• all software is infinite state

4
progress so far

• nitpick (1995)
• a model finder for relational calculus
• exploits inherent symmetry in type structure
• painful language, didnt scale (but caught bugs)
• abstraction?
• too hard to find abstractions
• concrete search within finite scope
• alloy/alcoa (1998)
• richer language (closer to Z, UML)
• SAT-based analysis scales much better
• examples
• architectures (COM, HLA), protocols (IPv6,
  phones)
• code (CTAS), metamodels (UML)

5
BART railway problem

• problem
• prevent train collisions
• on same track, or tracks too close
• mechanism
• gates before points
• trains stop at closed gates
• problem
• where are gates?
• is policy safe?

6
sample alloy model

• model Bart
• domain Segment, Gate, Train
• state Segments
• succ, overlaps Segment -gt Segment
• gate Segment! -gt Gate?
• partition Open, Closed Gate
• on Train -gt Segment !
• cond Safety all s sole s.overlaps.on
• inv Policy all s sole (s.conflicts s).gate
  Open
• op TrainsMove (ts Train)
• all t ts t.on' in t.on.succ
• no (ts.on.gate Closed)
• all t Train - ts t.on t.on
• assert PolicyWorks all t TrainsMove (t)
  Safety -gt Safety'

7
alcoa alloy constraint analyzer

• how Alcoa is used
• start with minimal description
• consistent? (too many constraints?)
• consequences? (too few?)
• what analysis involves
• finding models of relational formula
• for op, sample transition
• for negation of assertion, counter
• scope
• limit elements in basic types
• in scope of 3, 29 values / relation

FSE 96 (BDDs)FSE 98 (WalkSAT)1999 (SATO)
8
analyzing code

• idea
• treat procedure as operation to check with Alcoa
• compose from declarative specs of statements
• combine paths with disjunction
• features
• expressive property language
• no need to adapt analysis to properties
• counterexample is trace of states
• modular use spec in place of code
• unsound small scope, few unrollings

9
example

• a procedure
• class List List next
• void insert (List first, List rest) first.next
  rest
• an assertion
• insert Acyclic (rest) -gt Acyclic (first)
• where Acyclic (l List) no x l.next x in
  x.next
• how insert is translated
• (first.next rest) ? (all x x ! first -gt
  x.next x.next) ? (rest rest)
• a counterexample
• first rest L1next next L1 -gt L1

10
programming language

• procedures classes
• program classdecl procdecl
• classdecl class class class field ,
• procdecl class proc ( class var , ) stmt
• statements
• stmt var term term . field term
  return term while
  pred stmt if pred stmt
  stmt stmt stmt
• terms predicates
• term null var term . field
• pred term term ! pred pred pred

11
formula language

• declarations
• sigdecl sig sig type type , state
  compdecl
• compdecl set expr mult relation expr
  mult -gt expr mult
• mult ! ?
• expressions
• expr set type relation
  expr expr expr expr expr - expr expr .
  expr expr expr expr
  v formula
• formulas
• formula expr expr expr in expr
  all v formula some v formula
  ! formula formula formula
• let v be expr formula

12
modelling state

• for each procedure
• sig State type Object state
• for each class C
• state C Object
• for each arg or var v of class C
• state v C ?
• for each field f in class C of class D
• state f C -gt D ?

example class List List next void insert (List
first, List rest) first.next rest
translation sig insertState type Object
state first, rest List ? , next
List -gt List ? op insert ()
first.next rest all x x ! first -gt
x.next x.next rest rest
13
sequential composition

• state shorthands
• represent pre-state, post-state by structures pre
  and post of sig State
• c and c are short for pre c and post c
• composition sugar
• F G is short for some s State (let post be
  s F) ? (let pre be s G)
• example
• statements a b.next c a.next
• formulas a b.next c a.next
• desugar to (post a) (pre b) . (pre
  next) (post c)
  (pre a) . (pre next)
• desugar some s State
  (s a) (pre b) . (pre next)
  ? (post c)
  (s a) . (s next)
• resugar some s State (s a) b.next ?
  c (s a) . (s next)

14
translation scheme

• Java statement to logical formula
• Sn stmt ? formula
• n is loop iters
• Java term to set/relation expression
• E term ? expr
• Java predicate to formula
• P pred ? formula

15
translation rules

• statements
• S ? a b ? S ? a ? S ? b ?
• S ? if p a b ? (P ? p ? ? S ? a ?) ? (! P ? p
  ? ? S ? b ?)
• S i ? while p a ? (P ? p ? ? S ? a ? S
  i-1 ? while p a ?) ? Close (! P ? p ?)
• S 0 ? while p a ? Close (! P ? p ?)
• S ? v t ? Close (v E ? t ?)
• S ? t.f u ? Close (E ? t ? . f E ? u ?
  ? all x x ! E ? t ? -gt x.f x. f)
• expressions
• E ? v ? v
• E ? t.f ? E ? t ? . f
• predicates
• P ? t u ? (E ? t ? E ? u ?)
• P ? !p ? ! P ? p ?
• Close (F) F v v all x x.f x.f
  (all v, f not appearing primed in F)

16
from formula to counterexample

• assertion
• all s, s pre (s) ? proc (s,s) -gt post (s, s)
• negate
• some s, s pre (s) ? proc (s,s) ? ! post (s,
  s)
• proc (s, s) is
• F (s,s) G (s, s) H (s, s)
• desugar
• some s1 ((some s0 F(s, s0) ? G (s0, s1)) ? H
  (s1, s)
• skolemize
• pre (s) ? F (s, s0) ? G (s0, s1) ? H (s1, s) ? !
  post (s, s)
• now find model in finite scope
• obtain counterexample lts, s0, s1, sgt

17
null derefs (1)

• introduce a null object
• Null Object!
• Null.f Null (initially for all field
  relations f)
• E ? null ? Null
• make field relations total
• state f C -gt D !
• define derefs performed in a term
• Derefs ? t.f ? Derefs ? t ?
• Derefs ? v.f ? v
• instrument program to collect derefs
• derefs Object
• S ? t.f u ? ? derefs derefs Derefs
  ? t.f ? Derefs ? u ?

18
null derefs (2)

• assert no null derefs
• pre ? S ? proc ? -gt ! Null in derefs
• interpreting results
• find first state s such that s derefs contains
  Null
• means null deref in that statement

19
example in full

• swap procedure
• List swap (List c) List p if (c !
  null)
• p c
• c c.next
• p.next c.next
• c.next p
• return c

translation
no derefs ? ((c ! null ? ( p c
? c c ? all x x.next x.next
c c.next ? p p ? all x
x.next x.next
? derefs derefs c p.next c.next
? p p ? c c
? all x x ! p -gt x.next x.next
? derefs
derefs c p c.next p ? p
p ? c c
? all x x ! c -gt x.next x.next
? derefs derefs c ) ?
(c null ? p p ? c c
? all x
x.next x.next
? derefs derefs )) result c
20
jumps

• add continuations
• S stmt ? formula ? formula
• translation becomes
• S ? a b ? ? S ? a ? (S ? b ? ?)
• S ? if p a b ? ? (P ? p ? ? S ? a ? ?) ? (!P ?
  p ? ? S ? b ? ?)
• S i ? while p a ? ? (P ? p ? ? S ? a ?
  S i-1 ? while p a ? ? ) ? ! P ? p ? ? ?
• S 0 ? while p a ? ? ! P ? p ? ? ?
• S ? v t ? ? Close (v E ? t ?) ?
• S ? return t ? ? Close (result E ? t ?)
• cleaner treatment of null derefs
• instead of null, make fields partial
• S ? t.f u ? ? (some E ? t ? ? E ? t ? . f
  E ? u ? ?) ? no E ? t ?

21
a small experiment

• subject
• 8 sample list procedures from Dor, Rodeh, Sagiv
  99
• merge, delete, search, reverse, etc
• translated by hand into Alloy
• properties checked
• no null derefs, result not null
• no cycles created
• set inclusions (eg, for delete, merge)
• results
• found bugs identified by DRS99 and one more
• for scope of 3, 2 unrollings a few secs, except
  for merge

22
sample specs

• sample properties
• assert NoNullDerefs Merge -gt Null !in Derefs
• assert NoLoss Merge -gt result.next p.next
  q.next
• assert NoCycles Merge Acyclic (p) Acyclic
  (q) -gt Acyclic (result)
• counterexample to NoCycles
• p O1
• q O1
• next O1 -gt O0
• result O1
• next O1 -gt O1

23
what next?

• basic optimizations
• propagating equality reduce by factor of rel?
• new version of Alcoa (5/00)
• symmetry other optimizations
• new Alloy signatures, sequence, closure
• extend to APIs
• use abstract relations instead
• eg, Swing objects
• non termination
• see whether (state state) in some loop
  iteration
• global properties
• check object model invariants
• eg, every active aircraft is tracked

24
related work

• shape analysis
• k-limiting
• loss of completeness, not soundness
• Sagiv, Reps, Wilhelm
• relational state
• execute with transfer functions
• instrumentation for precision
• pre-post relationships?
• model checking
• Kautz, McAllester Selman reachability with SAT
• Biere, Cimatti, Clarke, Fujita Zhu bounded LTL
• theorem proving
• ESC sound but less expressive properties

25
conclusion

• key ideas
• a form of testing, but exhaustive within scope
• rich property language
• relational formula good match for Java
• can accommodate partial specs
• acknowledgments
• analysis ideas Rinard
• tool Schechter, Shlyakhter
• SAT solvers Nelson, Selman, Kautz, Zhang
• Moore 1980-2000, 3 hrs -gt 1 sec

Alcoa! Free while supplies last! http//sdg.lcs.mi
t.edu/alcoa