Upload
alycia-thorington
View
215
Download
3
Embed Size (px)
Citation preview
Abstraction and Modular Reasoning Abstraction and Modular Reasoning for the Verification of Softwarefor the Verification of Software
Corina Pasareanu
NASA Ames Research Center
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis (joint work with the Bandera team)
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking (joint work with Willem Visser)– Assumption Generation for Component Verification
(joint work with Dimitra Giannakopoulou and Howard Barringer)
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking – Assumption Generation for Component Verification
Finite-state VerificationFinite-state Verification
OKFinite-state system
Specification
Verification tool
or
Error trace
Line 5: …Line 12: …Line 15:…Line 21:…Line 25:…Line 27:… …Line 41:…Line 47:…
Finite-State VerificationFinite-State Verification
Effective for analyzing properties of hardware systems
Widespread success and adoption in industry
Recent years have seen many efforts to apply those techniques to software
Limited success due to the enormous state spaces associated with most software systems
Abstraction: the key to scaling upAbstraction: the key to scaling up
Originalsystem
symbolic state
Abstract system
represents a set of states
abstraction
Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system
Goals of our work …Goals of our work …
Develop multiple forms of tool support for abstraction that is…
… applicable to program source code… largely automated… usable by non-experts
Evaluate the effectiveness of this tool support through…
… implementation in the Bandera toolset… application to real multi-threaded Java programs
Data Type AbstractionData Type Abstraction
int x = 0;if (x == 0) x = x + 1;
Data domains
(n<0) : NEG(n==0): ZERO(n>0) : POS
Signs
NEG POSZERO
int
Code
Signs x = ZERO;if (Signs.eq(x,ZERO)) x = Signs.add(x,POS);
Collapses data domains via abstract interpretation:
Abstraction in BanderaAbstraction in Bandera
AbstractionLibrary
VariableConcrete Type
Abstract Type
Inferred Type
Object
xydonecount
ob
intintbool
Buffer
int….
SignsSignsSigns
intbool
….PointBuffer
Program Abstract CodeGenerator
AbstractedProgram
BASLCompiler
BanderaAbstractionSpecificationLanguage
AbstractionDefinition
PVS
Definition of Abstractions in BASLDefinition of Abstractions in BASLabstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };
abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end
operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_) -> {NEG,ZERO,POS}; /* case (POS,NEG),(NEG,POS) */ end
AutomaticGeneration
Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)
Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)
Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)
Proof obligations submitted to PVS...
Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}
Compiling BASL DefinitionsCompiling BASL Definitions
abstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };
abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end
operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end
public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abs(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; }
public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ }
Compiled
Abstract Counter-example AnalysisAbstract Counter-example Analysis
Example:x = -2; if(x + 2 == 0) then ...x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then ... {NEG,ZERO,POS}
For an abstracted program, a counter-example may be infeasible because:– Over-approximation introduced by abstraction
Our SolutionsOur Solutions
Choice-bounded State Space Search– “on-the-fly”, during model checking
Abstract Counter-example Guided Concrete Simulation
– Exploit implementations of abstractions for Java programs
– Effective in practice– Implemented in Java PathFinder tool
““Choose”-free state space searchChoose”-free state space search
Theorem [Saidi:SAS’00] Every path in the abstracted program where all
assignments are deterministic is a path in the concrete program.
Bias the model checker– to look only at paths that do not include
instructions that introduce non-determinism JPF model checker modified
– to detect non-deterministic choice (i.e. calls to Bandera.choose()); backtrack from those points
Choice-bounded SearchChoice-bounded Search
choose()
XX
Detectable ViolationUndetectable Violation
State space searched
Case Study: DEOS Kernel (NASA Ames)Case Study: DEOS Kernel (NASA Ames) Honeywell Dynamic Enforcement Operating System (DEOS)
– A real time operating system for integrated modular avionics
– Non-trivial concurrent program (1433 lines of code, 20 classes, 6 threads)
– Written in C++, translated into Java and Promela
– With a known bug Verification of the system exhausted 4 Gigabytes of memory without
completion; abstraction needed
Abstracted using data type abstraction Checked using JPF and SPIN Defect detected using choice-bounded search
Conclusion and Future Research DirectionsConclusion and Future Research Directions
Tool support for abstraction enables verification of real properties of real programs
Extend abstraction support for objects– Heap abstractions to handle an unbounded
number of dynamically allocated objects– Handle recursive procedures, unbounded
number of processes Extend automation
– For selection and refinement based on counter-example analysis
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking – Assumption Generation for Component Verification
Java Path Finder (NASA Ames)Java Path Finder (NASA Ames)
Model checker for Java programs Built on top of a custom made Java Virtual
Machine Checks for deadlock and violation of
assertions; LTL properties Support for abstraction:
– Predicate abstraction– Bandera’s data abstraction
Heuristic search
Symbolic ExecutionSymbolic Execution
void test(int n){[1] if (n > 0) {[2] n = n + 1;[3] if (n < 3)[4] ... }[5] ... }
Code
Uses “symbolic names” to represent program inputs
1n:SPC:true
3n:S+1PC:S>0
2n:SPC:S>0 5
n:SPC:S<=0
...
5n:S+1PC:S>0 & S+1>=34
n:S+1PC:S>0 & S+1<3
... ...
Symbolic execution tree(PC=“path condition”)
Symbolic Execution and JPF: ApplicationsSymbolic Execution and JPF: Applications
Extends JPF with a new form of abstraction
Test case generationAbstract counter-example analysis
and refinementSymbolic execution of multithreaded
programsParameter synthesis …
Implementation in JPFImplementation in JPF
Easy:– Uses Bandera’s type abstraction– Uses Omega library (Java version)
• Manipulates sets of linear constraints over integer variables
Can be used as a “symbolic execution tool with backtracking”
Good for finding counter-examples No state matching!
(Possible) Implementation(Possible) Implementation
void test(int n) { if (n > 0) { n = n + 1; ... }
public class SymVal { public SymVal() { ... } public SymVal(int n) { ... } public SymVal(SymVal s1, SymVal s2,
String ops) { ... } ... }
public class SymOps { public SymVal add(SymVal s1, SymVal s2){ return new SymVal(s1,s2,’+’); }
public bool gt(SymVal s1, SymVal s2) { bool result = Verify.chooseBool(); if(result) { // “true”
PC.addCondition(s1,s2,’>’); } else { // “false”
PC.addCondition(s1,s2,’<=‘); } PC.simplify(); return result; } ... }
Code
PathCondition PC; // =“true”
void test(SymVal n) { n = new SymVal(); if(SymOps.gt(n,new SymVal(0)){ n=SymOps.add(n,new SymVal(1)); ... }
Problem: ConvergenceProblem: Convergence
Symbolic execution tree
void test(int n) {[1] int x = 0;[2] while(x < n)[3] x = x + 1;[4] }
Code1
n:SPC:true
2n:S,x:0PC:true
2n:S,x:1PC:0<S
4n:S,x:1PC:0<S & 1>=S3
n:S,x:1PC:0<S & 1<S
3n:S,x:0PC:0<S 4
n:S,x:0PC:0>=S
....
Problem: ConvergenceProblem: Convergence
Limit the search depth of MC Unwind loops a fixed number of times
(similar to Bounded MC?) Discover “simple and practical” widening
techniques Acceleration techniques Heuristics? Combine with “predicate abstraction” …
Solutions?
Relation to Bounded MCRelation to Bounded MC
Extend BMC with symbolic variables?
Widening for C programs?…
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking– Assumption Generation for Component Verification
Assumption Generation for Component VerificationAssumption Generation for Component Verification
Problem:
Component Environment
Property ? Environment Assumption ?
The “weakest” assumption A for component C: for all environments E,
E |= A E || C |= P
ApplicationsApplications
Support for modular verification– Compositional verification– Property decomposition
Run-time monitoring of the environment
Component retrievalSub-module construction …
ImplementationImplementation
In Labeled Transition Systems Analyzer (LTSA) tool - Imperial college– Supports compositional reachability analysis
based on software architecture– Incremental system design and verification:
• Component abstraction (hiding of internal actions)• Minimization wrt. observational equivalence
– Both components and properties expressed as labeled transition systems
Interface actions
E.acquire
E.release
W.acquire
W.acquire
Mutex:
Example: A System and A PropertyExample: A System and A Property
W.acquire
W.release
W.enterCS
W.exitCS
Writer:
E.enterCS
E.exitCS
W.enterCS
W.exitCS
Mutual Exclusion Property:
||
W.enterCS
E.enterCS
E.exitCS
W.exitCS
E.exitCS
W.enterCS
W.exitCS
E.enterCS
||
Assumption GenerationAssumption Generation
Step 1: composition, hiding of internal actions and minimization
Step 2: backward reachability
with error state
Step 3: property extraction
(sub-set construction
and completion)
Property true!
(all environments)
Property false!
(all environments)
Assumption
Composite SystemComposite System
E.enterCS
E.exitCS
E.acquire
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.enterCS
E.release
Backward Error Propagation (with Backward Error Propagation (with ))
E.enterCS
E.exitCS
E.acquire
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.enterCS
E.release
Backward Error Propagation (with Backward Error Propagation (with ))
E.enterCS
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.release
Property ExtractionProperty Extraction
E.acquire
E.release
E.enterCS
E.exitCS
E.enterCS
E.release
E.exitCSE.enterCS
E.exitCS
E.acquire
E.release E.acquire
E.acquire, E.release
E.enterCS, E.exitCS
Generated AssumptionGenerated Assumption
E.acquire
E.release
E.enterCS
E.exitCS
E.acquire
E.release E.acquire
E.acquire, E.release
E.enterCS, E.exitCS
Directions for Future WorkDirections for Future Work
Liveness /fairnessExtend to other frameworks
– LTL checking (since we are interested only in error behaviors)
Is the sub-set construction needed?Study other forms of composition …