3 Temporal safety properties Something “bad” does not happen –Eg. A lock is never released without first being acquired Unlocked Locked Error U LL U
1
Automatically Validating Temporal Safety Properties of
Interfaces- Overview of SLAM
Parts of the slides are from http://research.microsoft.com/slam/presentations/spin2001.ppt
2
Checking API Usage
Application
C lib | DLL | COM |…
API
Does an application follow the “proper usage” rules of an API?
3
Temporal safety properties
• Something “bad” does not happen
– E.g. a lock is never released without first being acquired
Unlocked Locked Error
U
L L
U
4
C program
Boolean program
c2bp
bebop
Fail, p
Pass
newton
SLIC
Instrumented C program
predicates
Error
Spec.
predicates
Big picture of SLAM process
5
SLIC spec for Spinlock
// SLIC spec for the spinlock protocol: one global two-state automaton
// (Unlocked <-> Locked). Because `state` is a single global, every
// spinlock in the program shares one abstract lock; distinct locks are
// not told apart. That is adequate for the single lock in the target
// loop below.
enum { Unlocked=0, Locked=1 } state = Unlocked;
// A handler runs on each call of the named API. Acquiring while Locked,
// or releasing while Unlocked, is the "bad" event and aborts; otherwise
// the automaton advances.
KeAcquireSpinLock.call { if (state==Locked) abort; else state = Locked;}
KeReleaseSpinLock.call { if (state==Unlocked) abort; else state = Unlocked;}
Unlocked Locked Error
U
L L
U
6
// Target program to validate
// Driver loop that drains devExt->WriteListHeadVa under writeListLock.
// The lock is released inside the `if` body, after the list head has
// been advanced; on an iteration where the `if` is not entered, nPackets
// is unchanged, the loop exits, and the trailing release balances that
// iteration's acquire.
// NOTE(review): `request->status` and `request->Status` differ only in
// case here — slide typo or two distinct fields; cannot tell from this
// fragment.
do {
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if(request && request->status){
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if(request->status > 0){
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else{
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock(&devExt->writeListLock);
Question: Is the locking protocol respected?
7
Safety to Reachability
Program P
SLIC spec S
SLIC
Program P satisfies specification S
Label ERROR is not reachable in P’
Instrumented Program P’
8
// Instrumented program P': the SLIC handler (`KeAcquireSpinLock_call`,
// `KeReleaseSpinLock_call`) is inserted immediately before each API
// call; the rest of the loop is the original driver code unchanged.
do {
    KeAcquireSpinLock_call();
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if(request && request->status){
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if(request->status > 0){
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock_call();
KeReleaseSpinLock(&devExt->writeListLock);
// SLIC automaton state, carried into the instrumented program as an
// ordinary C global (Locked is implicitly 1).
enum { Unlocked=0, Locked } state = Unlocked;
// Reaching label ERROR is the property violation; the checker's question
// is whether ERROR is reachable. (`ERROR:}` with no statement after the
// label is as shown on the slide; a real C build needs a `;` there.)
void slic_abort() { ERROR:}
// Acquire while already Locked, or release while Unlocked, is the bad
// event; otherwise the automaton steps.
void KeAcquireSpinLock_call () { if(state==Locked) slic_abort(); else state = Locked;}
void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked;}
Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Instrumented Program
9
C program
Boolean program
c2bp
bebop
Fail, p
Pass
newton
SLIC
Instrumented C program
predicates
Error
Spec.
predicates
Big picture of SLAM process
10
Predicate abstraction by C2BP
Instrumented program P’
Boolean program BP(P’,E0)
C2BP
Initial predicates E0
state==Locked, state==Unlocked
11
// Initial boolean program BP(P',E0): statements that do not affect the
// predicates {state==Locked},{state==Unlocked} become `skip`; branch and
// loop conditions on other data become the nondeterministic choice `*`.
// Only the SLIC handler calls survive, so the lock state is all this
// abstraction can observe.
do {
    KeAcquireSpinLock_call(); skip; skip; skip;
    if(*){
        skip; KeReleaseSpinLock_call(); skip; skip;
        if(*){ skip; skip; } else { skip; skip; }
        skip; skip; skip;
    }
} while (*);
KeReleaseSpinLock_call(); skip;
// Boolean variables named after the predicates in E0; the initial values
// F,T mirror `state = Unlocked` in the C program.
decl {state==Locked},{state==Unlocked} := F,T;
// ERROR label: whether this point is reachable is the property check.
void slic_abort() { ERROR:}
// SLIC acquire handler over the two predicate variables: `state = Locked`
// becomes a parallel assignment (Locked := T, Unlocked := F).
void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F;}
// SLIC release handler over the two predicate variables: `state = Unlocked`
// becomes a parallel assignment (Locked := F, Unlocked := T).
void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T;}
Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Initial boolean Program
12
// Model-check by BEBOP
// Same initial boolean program; BEBOP explores its reachable states and
// reports whether ERROR is reached. Because both branch conditions are
// `*`, the back-edge can be taken without ever passing the release call.
do {
    KeAcquireSpinLock_call(); skip; skip; skip;
    if(*){
        skip; KeReleaseSpinLock_call(); skip; skip;
        if(*){ skip; skip; } else { skip; skip; }
        skip; skip; skip;
    }
} while (*);
KeReleaseSpinLock_call(); skip;
// Predicate variables; F,T mirrors the C initial value `state = Unlocked`.
decl {state==Locked},{state==Unlocked} := F,T;
// ERROR label: the reachability target of the model check.
void slic_abort() { ERROR:}
// Acquire handler: abort if already Locked, else Locked := T, Unlocked := F.
void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F;}
// Release handler: abort if already Unlocked, else Locked := F, Unlocked := T.
void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T;}
{state==Unlocked}Æ :{state==Locked}
:{state==Unlocked}Æ{state==Locked}
reached ERROR label
13
The execution path to blame!
// Instrumented program with the counterexample steps s0..s6 marked
// (s0, s5 and s6 sit inside the SLIC handlers that follow). The path
// BEBOP reports takes the `if` as false (s3: !request) and the loop
// condition as true (s4), then re-enters KeAcquireSpinLock_call while
// state is still Locked (s5).
do {
    KeAcquireSpinLock_call(); // s0 happens inside the handler
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets; // s1
    request = devExt->WriteListHeadVa; // s2
    if(request && request->status){ // s3
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if(request->status > 0){
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld); // s4
KeReleaseSpinLock_call();
KeReleaseSpinLock(&devExt->writeListLock);
// SLIC automaton state as a C global; step s0 of the trace is the first
// transition of this variable to Locked.
enum { Unlocked=0, Locked } state = Unlocked;
// s5: a second acquire while still Locked; s6: ERROR is reached.
// s0 is the first acquire's transition to Locked.
void slic_abort() { ERROR: // s6
}
void KeAcquireSpinLock_call () {
    if(state==Locked) slic_abort(); // s5
    else state = Locked; // s0
}
void KeReleaseSpinLock_call () { if(state==Unlocked) slic_abort(); else state = Unlocked;}
// Abstract counterexample path, one step per line. Each branch is recorded
// as `assume(...)` of the direction taken. s4 is the suspect step: s2 and
// s3 write neither nPackets nor nPacketsOld, so after s1 the condition
// `nPackets != nPacketsOld` cannot hold in the concrete program.
s0: state = Locked;
s1: nPacketsOld = nPackets;
s2: request = devExt->WriteListHeadVa;
s3: assume(!request);
s4: assume(nPackets != nPacketsOld);
s5: assume(state==Locked);
s6: ERROR:
14
// Time for NEWTON
// NEWTON symbolically executes this path and checks its feasibility. The
// dependency table that follows traces each value and condition back to
// the steps it came from; the conflict between s1 and s4 yields the new
// predicate nPackets==nPacketsOld.
s0: state = Locked;
s1: nPacketsOld = nPackets;
s2: request = devExt->WriteListHeadVa;
s3: assume(!request);
s4: assume(nPackets != nPacketsOld);
s5: assume(state==Locked);
s6: ERROR:
Location Value Dependencies
0. state Locked ()
1. nPackets ()
2. nPacketsOld 1
3. devExt ()
4. ->WriteListHeadVa 3
5. request 3, 4
Conditions Dependencies
!( ) 5
( != ) 1, 2
New predicate! nPackets==nPacketsOld
15
C program
Boolean program
c2bp
bebop
Fail, p
Pass
newton
SLIC
Instrumented C program
predicates
Error
Spec.
predicates
Big picture of SLAM process
16
// Second boolean program: E0 extended with the predicate NEWTON found,
// tracked as the boolean `b`. Statements that touch nPackets or
// nPacketsOld now update b instead of becoming skip.
do {
    KeAcquireSpinLock_call(); skip;
    b := T; // nPackets = nPacketsOld;
    skip;
    if(*){
        skip; KeReleaseSpinLock_call(); skip; skip;
        if(*){ skip; skip; } else { skip; skip; }
        skip; skip;
        b := b ? F : *; // nPackets++; the equality becomes false if it held, else unknown
    }
} while(!b); // while (nPackets!=nPacketsOld);
KeReleaseSpinLock_call(); skip;
Variable b represents (nPackets==nPacketsOld)
// Lock predicate variables; F,T mirrors the C initial value `state = Unlocked`.
decl {state==Locked},{state==Unlocked} := F,T;
// ERROR label: the reachability target of the model check.
void slic_abort() { ERROR:}
// Acquire handler: abort if already Locked, else Locked := T, Unlocked := F.
void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F;}
// Release handler: abort if already Unlocked, else Locked := F, Unlocked := T.
void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T;}
Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
The second boolean Program
17
// Model-check again by BEBOP
// Second iteration over the refined boolean program. With b tracking
// nPackets==nPacketsOld, `b := T` at the top makes `while(!b)` false on
// an iteration that skips the `if`; the back-edge is taken only after
// the `if` body ran, which is where KeReleaseSpinLock_call is.
do {
    KeAcquireSpinLock_call(); skip;
    b := T; skip;
    if(*){
        skip;
        KeReleaseSpinLock_call(); skip; skip;
        if(*){ skip; skip; } else { skip; skip; }
        skip; skip;
        b := b ? F : *;
    }
} while(!b);
KeReleaseSpinLock_call(); skip;
*
// Lock predicate variables; F,T mirrors the C initial value `state = Unlocked`.
decl {state==Locked},{state==Unlocked} := F,T;
// ERROR label: the reachability target of the model check.
void slic_abort() { ERROR:}
// Acquire handler: abort if already Locked, else Locked := T, Unlocked := F.
void KeAcquireSpinLock_call () { if({state==Locked}) slic_abort(); else {state==Locked},{state==Unlocked} := T,F;}
// Release handler: abort if already Unlocked, else Locked := F, Unlocked := T.
void KeReleaseSpinLock_call () { if({state==Unlocked}) slic_abort(); else {state==Locked},{state==Unlocked} := F,T;}
{state==Unlocked}Æ :{state==Locked}
:{state==Unlocked}Æ{state==Locked}
reached ERROR label
*T
T
T
F
18
C program
Boolean program
c2bp
bebop
Fail, p
Pass
newton
SLIC
Instrumented C program
predicates
Error
Spec.
predicates
Big picture of SLAM process
19
C2BP
• Automatic predicate abstraction of C
• What is the predicate language?
– Pure C boolean expressions
• Input: a C program P and a set of predicates E
• Output: a boolean program C2BP(P,E) that is
– a sound abstraction of P
– a precise abstraction of P
• Difficulties
– procedures
– pointers
20
BEBOP
Reachability analysis of boolean programs
• Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis
• Explicit representation of control flow
• Implicit representation of reachable states via BDDs
21
NEWTON
• Symbolically executes an (interprocedural) path in the C program
• Checks for path infeasibility using decision procedures (theorem provers: Simplify, Vampyre)
• If infeasibility is detected
– Find the weak(est) condition implying the infeasibility
– Obtain new predicates
22
Contributions
• Use of boolean programs for program abstractions
• C2BP: the first automatic predicate abstraction tool for a full-scale language
• BEBOP: the first model checker to handle procedure calls using inter-procedural DFA
• Global analysis only on the boolean program abstractions: scalable…?
23
Defects
• Defects of SLAM
– Uses a logical memory model
• Assumes for all i,j : p[i] = p[j]
– No guarantee on the termination of iterative refinement
• Defects of the paper
– No experimental results (describes their experiences only)