Title: Boolean and Cartesian Abstraction for Model Checking C Programs


1
Boolean and Cartesian Abstraction for Model Checking C Programs
  • Thomas Ball
  • Andreas Podelski
  • Sriram K. Rajamani

http://research.microsoft.com/slam/
2
Overview
  • The SLAM Toolkit
  • Predicate Abstraction of C Programs
  • Related Work
  • Conclusions

3
The SLAM Toolkit
Application
SLIC Specification
4
  do {
      // get the write lock
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
          devExt->WriteListHeadVa = request->Next;
          KeReleaseSpinLock(&devExt->writeListLock);
          irp = request->irp;
          if (request->status > 0) {
              irp->IoStatus.Status = STATUS_SUCCESS;
              irp->IoStatus.Information = request->Status;
          } else {
              irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
              irp->IoStatus.Information = request->Status;
          }
          SmartDevFreeBlock(request);
          IoCompleteRequest(irp, IO_NO_INCREMENT);
          nPackets++;
      }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?
5
SLIC Locking Property
  state {
      int locked = 0;
  }
  KeAcquireSpinLock.call {
      if (locked == 1) abort;
      else locked = 1;
  }
  KeReleaseSpinLock.call {
      if (locked == 0) abort;
      else locked = 0;
  }

6
Safety to Reachability
prog P  +  SLIC spec S  --instrument-->  prog P'
Program P satisfies specification S  <=>  label ERROR is not reachable in P'
7
Instrumented Driver
  do {
      // get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
          devExt->WriteListHeadVa = request->Next;
          KeReleaseSpinLock_call();
          KeReleaseSpinLock(&devExt->writeListLock);
          irp = request->irp;
          if (request->status > 0) {
              irp->IoStatus.Status = STATUS_SUCCESS;
              irp->IoStatus.Information = request->Status;
          } else {
              irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
              irp->IoStatus.Information = request->Status;
          }
          SmartDevFreeBlock(request);
          IoCompleteRequest(irp, IO_NO_INCREMENT);
          nPackets++;
      }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock_call();
  KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?
  int locked = 0;
  void Error_Routine() {
  ERROR:
      assert(0);
  }
  void KeAcquireSpinLock_call() {
      if (locked == 1) Error_Routine();
      else locked = 1;
  }
  void KeReleaseSpinLock_call() {
      if (locked == 0) Error_Routine();
      else locked = 0;
  }
Equivalently: Is label ERROR reachable?
8
Predicates from instrumentation
C2bp: P -> boolean program B
Bebop: Is ERROR reachable in B?
Newton: Is ERROR reachable in P? (refines the predicates)
9
Demo!
10
C2bp in action
Boolean program B(P,E), with b standing for nPacketsOld == nPackets:
  /* b : nPacketsOld == nPackets */
  do {
      KeAcquireSpinLock_call();
      b = true;
      if (*) then
          KeReleaseSpinLock_call();
          if (*) then else fi
          b = b ? false : *;
      fi
  } while (!b);
  KeReleaseSpinLock_call();

Instrumented C program P:
  do {
      // get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
          devExt->WriteListHeadVa = request->Next;
          KeReleaseSpinLock_call();
          KeReleaseSpinLock(&devExt->writeListLock);
          irp = request->irp;
          if (request->status > 0) {
              irp->IoStatus.Status = STATUS_SUCCESS;
              irp->IoStatus.Information = request->Status;
          } else {
              irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
              irp->IoStatus.Information = request->Status;
          }
          SmartDevFreeBlock(request);
          IoCompleteRequest(irp, IO_NO_INCREMENT);
          nPackets++;
      }
  } while (nPackets != nPacketsOld);
  KeReleaseSpinLock_call();
  KeReleaseSpinLock(&devExt->writeListLock);
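Added example (not part of the slides and not Bebop's code): an explicit-state reachability check over the boolean program above, with the SLIC monitor state (locked, ERROR) folded in. It also runs the same check with predicate b dropped, which is where the spurious path to ERROR that motivates predicate discovery shows up; the program-counter numbering and the track_b switch are assumptions of this example.

```python
from collections import deque
# Added illustration (not Bebop's code): explicit-state reachability over the boolean
# program on the slide, with the SLIC monitor (locked, ERROR) folded in. State = (pc,
# locked, b), b in {True, False, None='*'}; pc numbering is mine; track_b=False drops b (E = {}).
ERROR = "ERROR"

def values(b):                 # concrete booleans an abstract value may take
    return (False, True) if b is None else (b,)

def step(state, track_b=True):
    pc, locked, b = state      # successors of one abstract state of the boolean program
    if pc == 0:                # KeAcquireSpinLock_call()
        return [ERROR] if locked else [(1, True, b)]
    if pc == 1:                # b = true
        return [(2, locked, True if track_b else None)]
    if pc == 2:                # if (*) then ... else skip
        return [(3, locked, b), (6, locked, b)]
    if pc == 3:                # KeReleaseSpinLock_call()
        return [ERROR] if not locked else [(4, False, b)]
    if pc == 4:                # if (*) then else fi: no effect on b or locked
        return [(5, locked, b)]
    if pc == 5:                # b = b ? false : *
        return [(6, locked, False if b is True else None)]
    if pc == 6:                # while (!b): loop back on !b, fall through on b
        return [(0 if not v else 7, locked, v if track_b else None) for v in values(b)]
    if pc == 7:                # KeReleaseSpinLock_call() after the loop
        return [ERROR] if not locked else [(8, False, b)]
    return []                  # pc 8: end of program

def error_reachable(track_b=True):
    """BFS over abstract states; returns the path to ERROR, or None if unreachable."""
    start = (0, False, None)
    parent, queue = {start: None}, deque([start])
    while queue:
        s = queue.popleft()
        for t in step(s, track_b):
            if t in parent:
                continue
            parent[t] = s
            if t == ERROR:     # rebuild the counterexample path from the parent links
                path = []
                while t is not None:
                    path.append(t)
                    t = parent[t]
                return path[::-1]
            queue.append(t)
    return None

if __name__ == "__main__":
    print(error_reachable(True), error_reachable(False))  # None, then a path ending in ERROR
```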
11
Boolean Programs
  • C programs in which the only type is boolean
  • No pointers, integers, floats, chars, etc.
  • Procedures with call-by-value parameter passing
  • Non-deterministic choice operator
  • if (*) then A else B fi

12
C2bp: Predicate Abstraction of C Programs
  • What is the predicate language?
  • Pure C boolean expressions
  • Given program P and predicates E, c2bp produces
    boolean program B(P,E)
  • PLDI 2001, Ball, Majumdar, Millstein, Rajamani
  • Model check B(P,E) with bebop
  • Uses BDDs to represent statement semantics and the
    set of reachable states at each program point
  • SPIN 2000, Ball, Rajamani

13
SLAM History
  • Winter 99
  • Defined initial framework and algorithms WAV00
  • Bebop model checker SPIN00
  • Summer 00
  • Initial c2bp implementation PLDI01
  • Model checked a safety property of an NT driver
  • Hand instrumented code/predicates discovered by
    hand
  • Autumn 00
  • Predicate discovery (newton)
  • Checked properties of drivers from DDK SPIN01
  • Hand instrumented code/automatic discovery of
    predicates
  • Winter 00
  • SLIC specification language
  • Found first real error in production code
  • Total automation

14
Overview
  • The SLAM Toolkit
  • Predicate Abstraction of C Programs
  • Related Work
  • Conclusions

15
Predicate Abstraction of C
  • Challenges
  • Unbounded data
  • integers, floats, strings, the heap
  • Procedures (recursion)
  • Destructive update (esp. through pointers)
  • Opportunities
  • Sequential (not concurrent) behavior

16
Predicate Abstraction in Model Checking
  • Special purpose specification languages
  • Guarded commands
  • Concurrency
  • non-deterministic interleaving semantics
  • No procedural abstraction/recursion
  • No pointers
  • Explicit representation of sets of abstract
    states
  • Embedding of infinite system into a finite system
    via on-line boolean abstraction

17
C2bp Philosophy
  • Computing a precise Boolean abstraction is
  • too expensive
  • unnecessary for C
  • deterministic concrete semantics
  • Exploit ideas from program analysis and symbolic
    model checking
  • Off-line computation of abstract transfer
    function
  • Attribute (predicate) independence
  • Disjunctive completion
  • Focus operation
  • Static partitioning of states by control points
  • Implicit representation of stack in boolean
    program

18
c2bp(P,E)
Predicates in E: e == (nPacketsOld == nPackets)
  • Statement in P
  • s: nPackets = nPackets + 1

Weakest precondition pre(s,e):
nPacketsOld == nPackets + 1
Strengthened WP F(pre(s,e)) = false
19
c2bp(P,E)
Predicates in E: e == (nPacketsOld == nPackets)
  • Statement in P
  • s: nPackets = nPackets + 1

Weakest precondition pre(s,!e):
!(nPacketsOld == nPackets + 1)
Strengthened WP F(pre(s,!e)) = e
20
c2bp(P,E)
In general, given statement s and predicates e1, ..., en:
  e1, ..., en  =  choose(F(pre(s,e1)), F(pre(s,!e1))), ..., choose(F(pre(s,en)), F(pre(s,!en)))
O(2^n * 2^n)  (precise boolean abstraction)
O(2n * n^c)   (cubes of length at most c)
bool choose(bool pos, bool neg):
  true  if pos == true
  false if neg == true
  *     if pos == neg == false
  choose is not well defined for pos == neg == true
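Added example (not c2bp's own code) carrying slides 18 to 20 through in Python: F computed by enumerating cubes of bounded length, then choose applied for the boolean update of e under s. Assumptions: a brute-force check over a small integer range stands in for the theorem prover, and VARS, DOMAIN and the cube bound are this example's own.

```python
import itertools
# Added illustration (not SLAM's own code) of c2bp's strengthening F and choose,
# on the slide's example e = (nPacketsOld == nPackets), s: nPackets = nPackets + 1.
# Assumption: brute force over a small integer range stands in for the theorem prover.
VARS, DOMAIN = ("nPacketsOld", "nPackets"), range(-3, 4)
PREDICATES = {"e": lambda st: st["nPacketsOld"] == st["nPackets"]}
STMT = ("nPackets", lambda st: st["nPackets"] + 1)      # s: nPackets = nPackets + 1

def pre(stmt, phi):            # weakest precondition of phi for the assignment stmt
    var, update = stmt
    return lambda st: phi({**st, var: update(st)})

def implies(phi, psi):         # stand-in prover: phi => psi on every bounded concrete state
    states = (dict(zip(VARS, v)) for v in itertools.product(DOMAIN, repeat=len(VARS)))
    return all(psi(st) or not phi(st) for st in states)

def strengthen(phi, max_cube=3):
    """F(phi): consistent cubes over {e_i, !e_i} of length <= max_cube that imply phi.
    Returned as a list of literal-name lists; [] stands for 'false'."""
    lits = []
    for name, fn in PREDICATES.items():
        lits += [(name, fn), ("!" + name, lambda st, f=fn: not f(st))]
    cubes = []
    for k in range(1, min(max_cube, len(lits)) + 1):
        for cube in itertools.combinations(lits, k):
            names = [n for n, _ in cube]
            if len({n.lstrip("!") for n in names}) < len(names):
                continue                            # e_i and !e_i together: contradictory
            if implies(lambda st, c=cube: all(f(st) for _, f in c), phi):
                cubes.append(names)
    return cubes

def holds(cubes, abs_state):   # evaluate a disjunction of cubes on {pred_name: bool}
    return any(all(abs_state[n.lstrip("!")] != n.startswith("!") for n in c) for c in cubes)

def choose(pos, neg):          # true if pos, false if neg, '*' if neither; both is undefined
    if pos and neg:
        raise ValueError("choose undefined: pos and neg both true")
    return "true" if pos else "false" if neg else "*"

def abstract_update(stmt, pred_name):   # (F(pre(s,e)), F(pre(s,!e))) for predicate e
    e = PREDICATES[pred_name]
    return strengthen(pre(stmt, e)), strengthen(pre(stmt, lambda st: not e(st)))

def boolean_update(stmt, pred_name, abs_state):   # new abstract value of e after s
    pos, neg = abstract_update(stmt, pred_name)
    return choose(holds(pos, abs_state), holds(neg, abs_state))

if __name__ == "__main__":   # prints ([], [['e']]) false *, i.e. b = b ? false : *
    print(abstract_update(STMT, "e"), boolean_update(STMT, "e", {"e": True}), boolean_update(STMT, "e", {"e": False}))
```

The pair ([], [['e']]) is F(pre(s,e)) = false and F(pre(s,!e)) = e from slides 18 and 19, and the two choose results are exactly the update b = b ? false : * in the boolean program of slide 10.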
21
On-line Abstraction: State = Bit Vector
[figure: abstract post applied to a bit vector b of n bits]
Each abstract step during model checking requires O(2^n) theorem prover queries
22
On-line Abstraction: Set of States = Single Tri-vector
[figure: abstract post applied to a tri-vector over b and c]
Each abstract step during model checking requires O(2^n) theorem prover queries
23
SLAM - Off-line Abstraction: Set of States = Set of Tri-vectors
c2bp
bebop
Each abstract step during model checking requires O(2^n * k) operations, k = O(2^n)
24
Disjunctive Completion
  • Represent sets with BDDs

25
Focus achieved naturally with BDDs
States
Transfer function 101, 010 (b2b2
b1!b2)

b1 !b2 if (b1b2) assert(false)
01, 10
26
Determinism (1)
  x<5  y=5
   0    0        x>5 and y<>5
  x = y
   0    0
   1    0
   *    0        x=y and y<>5
  if (x != y) Error()
27
Determinism (2)
  x=y  y=5
   0    0        x<>5 and y<>5
  x = y
   1    0        x=y and y<>5
  if (x != y) Error()
28
Overview
  • The SLAM Toolkit
  • Predicate Abstraction of C Programs
  • Related Work
  • Conclusions

29
Related Work
  • Predicate Abstraction
  • Graf, Saidi
  • Cousot, Cousot
  • Das, Dill, Park
  • Program Analysis
  • Shape analysis Sagiv, Reps, Wilhelm
  • Predicate (boolean) abstraction cartesian
    abstraction
  • Focus operation to gain precision
  • More expressive logic
  • Manual creation of predicate transfer functions
  • Attribute independence

30
Conclusions
  • Many issues to address to get a precise and
    efficient predicate abstraction algorithm for a
    programming language
  • C2bp tool: the first automated predicate
    abstraction tool for C
  • Procedures
  • Pointers
  • Formalized as combination of Boolean and
    Cartesian abstractions