Embed Size (px)
Citation preview
1
Automatic Software Model Checking
via
Constraint Logic Programming
Cormac FlanaganSystems Research Center
HP Labs
2
Software Reliability
• Testing– dominant methodology– costly– test coverage problem
• Static checking– combats test coverage by considering all
paths – Type systems– very effective for certain type errors
– Extended Static Checking– targets errors missed by type systems
3
Extended Static Checking
• Targets errors not caught by type system– array bounds errors– division by zero– null dereference– assertions– API usage rules
• don’t write to a closed file• don’t acquire a lock you already hold
– method preconditions, postconditions– object invariants
4
ESC/Java Exampleclass Rational { int num, den;
Rational(int n, int d) { num = n; den = d; }
int trunc() { return num/den; }
public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() );} } }
//@ invariant den != 0;
//@ requires d != 0;
Warning: possible division by zero
Warning: invariant possibly not established
Warning: preconditionpossibly not established
5
ESC/Java Experience
• Tested on 40+ KLOC (Java front end, web crawler, ...)
• Finds software defects!
• Useful educational tool
• Annotation cost significant
– 100 annotations per KLOC
– 3 programmer-hours per KLOC
• Annotation overhead significantly limits widespread use of extended static checking
• Why do we need these annotations?
6
ESC/Java Architecture
The translator “understands” the semantics of Java.
An error condition is a logical formula that, ideally, is satisfiable if and only if the program contains an error.
The satisfiability checker is invisible to users.
Satisfying assignments are turned into precise warning messages.
ESC/JavaJava program + Annotations
Translator
Error conditions
Satisfiability checker
Satisfying assignment
Post-processor
Warning messagesIndex out of bounds on line 218Index out of bounds on line 218Method does not preserve object invariant on line 223Method does not preserve object invariant on line 223
7
Generating Error Conditions
Error condition
( x<0 x’=-x (x’>=0) )
((x<0) (x>=0) )
Code
if (x < 0) { x := -x; } //@ assert x >= 0;
• Source code translated into error condition• Error condition should be satisfiable if code
may fail an assertion
p = q
f’ = store(f, p, 3)
select(f’, q) = 0
p := q;p.f := 3;//@ assert q.f != 0;
8
Error Condition Logic
• terms t ::= x | f(t)• constraints c ::= p(t)• formulae e ::= c | c | e e | e e | y. e
• theories of equality, linear arithmetic, select+store
• some heuristics for universal quantification
• logic cannot express iteration or recursion
9
ESC/Java Architecture
The translator uses specifications to “translate away” procedure calls
The error condition is expressed in first-order logic with theories; it cannot express recursion
Indicates: Bad program Bad specification Insufficient spec
ESC/Java
Program +
procedure specifications
Translator
Error conditions
Satisfiability checker
Satisfying assignment
Post-processor
Warning messages
Method does not establish postconditionMethod does not establish postconditionIndex out of bounds on line 218Index out of bounds on line 218
10
Verifun Checker
• “Annotation-free” Extended Static Checker• Statically check assertions, API usage rules, ...• No need for annotations
– no loop invariants – no procedure specifications
• Uses extended logic that can encode recursion
11
• Query: Given d, is e satisfiable?
• Constraint Logic Programming – [Jaffar and Lassez, POPL’87]– Efficient implementations!
Error Condition Logic
• terms t ::= x | f(t)• constraints c ::= p(t)• formulae e ::= c | c | e e | e e | y. e • theories for equality, linear arithmetic, select+store
| r(t)
• user-defined relation symbols r• definitions d ::= r(x) :- e
12
Error Conditions in CLP int fact(int i) { if (i == 0) return 1; int t = fact(i-1); assert t > 0; return i*t;}
Emain() :- Efact(j)
void main() { int j = readInt(); fact(j);}
Tfact(i, r) :- ( i = 0 r = 1) ( i != 0 Tfact(i-1,t) t>0 r=i*t )
Efact(i) :- i != 0 ( Efact(i-1) (Tfact(i-1, t) t <= 0 ))
• Transfer relation Tfact(pre-state,post-state) relates pre and post states of executions of fact
• Error relation Efact(pre-state) describes pre-states from which fact may go wrong
• CLP has least fixpoint semantics• CLP Query: Is Emain() satisfiable?
13
• Program correctness • CLP satisfiability
Imperative Software
Constraint Logic Programming
• Bounded software model checking
• Efficient implementations– Sicstus Prolog (depth-first)
14
Rational Exampleclass Rational { int num, den;
Rational(int n, int d) { num = n; den = d; }
int trunc() { return num/den; }
public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); for(int i=0; i<10000; i++) { print( r.trunc() );} } }
15
Error Condition for Rational in CLPt_rat(AllocPtr, Num, Den, N, D, This, AllocPtrp, Nump, Denp) :-
AllocPtrp is AllocPtr+1,This = AllocPtrp,aset(This,Den,D,Denp),aset(This,Num,N,Nump).
t_readInt(R).
e_trunc(This, Num, Den) :- aref(This,Den,D), {D = 0}.
e_loop(I, This, Num, Den) :- e_trunc(This, Num, Den).e_loop(I, This, Num, Den) :- {I<10000, Ip=I+1}, e_loop(Ip,This, Num, Den).
e_main :- AllocPtr = 0, ;; no objs allocatednew_array(Num), ;; initialise arrays encoding fields Numnew_array(Den), ;; and Dent_readInt(D), t_readInt(N), {D =\= 0},t_rat(AllocPtr, Num, Den, D, N, This, AllocPtrp, Nump, Denp), e_loop(0, This, Nump, Denp).
16
Checking Rational with CLP
• Get error condition, a constraint-logic program• Feed into CLP implementation (SICStus Prolog)
– explicitly explores all paths through EC– symbolically considers all data values, eg, for
n,d• using theory of linear arithmetic
– quickly finds that the EC is satisfiable– gives satisfying derivation for EC– can convert to program execution trace that
crashes with division-by-zero error
17
Checking Factorial with CLP
• Feed EC into CLP implementation (SICStus Prolog)– explicitly explores all paths through EC– infinitely many paths– all paths are ok– CLP implementation diverges!
• Can modify error condition to bound recursion depth• Automatic bounded model checking for software
– efficient symbolic analysis for linear arithmetic, ...
18
• Program correctness • CLP satisfiability
Imperative Software
Constraint Logic Programming
• Bounded software model checking
• Predicate abstraction & counter-example driven predicate refinement– SLAM, BLAST
• Efficient implementations– Sicstus Prolog (depth-first)
– Tableau methods– Subsumption
• CLP implementation technique– Avoids considering all paths – Verifun CLP satisfiability
checker under development
19
Verifun Architecture
Uses predicate abstraction and counter-example driven predicate refinement to check satisfiability of EC, without exploring all paths
Error message includes an execution trace that violates desired correctness property.
Verifun
Program
(without annotations)
Translator
Error condition (CLP)
Satisfiability Checker for CLP
Satisfying CLP derivation
Post-processor
Error trace
20
Unit of Development
• Programmers work on “unit of development”
• Interfaces between such units must be
specified
– reasonable to make specifications formal
• Use Verifun to check unit of development with
respect to its specification
21
Related Work
• Program checking– Stanford Pascal Verifier– ESC/M3, ESC/Java – SLAM, BLAST – (many, many non-EC approaches)
• Automatic theorem proving– Simplify, SVC, CVC
• Constraint Logic Programming– [Jaffar and Lassez, POPL’87], SICStus Prolog,
…
22
Summary
• Deep connection between
– correctness of imperative programs • with pointers, heap allocation, aliasing, ...
– satisfiability of CLP queries
• Verifun Checker
– annotation-free extended static checker
– statically check assertions, API usage rules, ...
– interprocedural ECs are constraint logic programs
• .
23
The End
