Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center

Abstraction and Modular Reasoning Abstraction and Modular Reasoning for the Verification of Softwarefor the Verification of Software

Corina Pasareanu

NASA Ames Research Center

OutlineOutline

Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract

Counter-example Analysis (joint work with the Bandera team)

NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)

Model Checking (joint work with Willem Visser)– Assumption Generation for Component Verification

(joint work with Dimitra Giannakopoulou and Howard Barringer)

OutlineOutline


Counter-example Analysis


Model Checking – Assumption Generation for Component Verification

Finite-state VerificationFinite-state Verification

OKFinite-state system

Specification

Verification tool

or

Error trace

Line 5: …Line 12: …Line 15:…Line 21:…Line 25:…Line 27:… …Line 41:…Line 47:…

Finite-State VerificationFinite-State Verification

Effective for analyzing properties of hardware systems

Widespread success and adoption in industry

Recent years have seen many efforts to apply those techniques to software

Limited success due to the enormous state spaces associated with most software systems

Abstraction: the key to scaling upAbstraction: the key to scaling up

Originalsystem

symbolic state

Abstract system

represents a set of states

abstraction

Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system

Goals of our work …Goals of our work …

Develop multiple forms of tool support for abstraction that is…

… applicable to program source code… largely automated… usable by non-experts

Evaluate the effectiveness of this tool support through…

… implementation in the Bandera toolset… application to real multi-threaded Java programs

Data Type AbstractionData Type Abstraction

int x = 0;if (x == 0) x = x + 1;

Data domains

(n<0) : NEG(n==0): ZERO(n>0) : POS

Signs

NEG POSZERO

int

Code

Signs x = ZERO;if (Signs.eq(x,ZERO)) x = Signs.add(x,POS);

Collapses data domains via abstract interpretation:

Abstraction in BanderaAbstraction in Bandera

AbstractionLibrary

VariableConcrete Type

Abstract Type

Inferred Type

Object

xydonecount

ob

intintbool

Buffer

int….

SignsSignsSigns

intbool

….PointBuffer

Program Abstract CodeGenerator

AbstractedProgram

BASLCompiler

BanderaAbstractionSpecificationLanguage

AbstractionDefinition

PVS

Definition of Abstractions in BASLDefinition of Abstractions in BASLabstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };

abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end

operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_) -> {NEG,ZERO,POS}; /* case (POS,NEG),(NEG,POS) */ end

AutomaticGeneration

Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)

Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)

Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)

Proof obligations submitted to PVS...

Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}

Compiling BASL DefinitionsCompiling BASL Definitions

abstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };

abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end

operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end

public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abs(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; }

public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ }

Compiled

Abstract Counter-example AnalysisAbstract Counter-example Analysis

Example:x = -2; if(x + 2 == 0) then ...x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then ... {NEG,ZERO,POS}

For an abstracted program, a counter-example may be infeasible because:– Over-approximation introduced by abstraction

Our SolutionsOur Solutions

Choice-bounded State Space Search– “on-the-fly”, during model checking

Abstract Counter-example Guided Concrete Simulation

– Exploit implementations of abstractions for Java programs

– Effective in practice– Implemented in Java PathFinder tool

““Choose”-free state space searchChoose”-free state space search

Theorem [Saidi:SAS’00] Every path in the abstracted program where all

assignments are deterministic is a path in the concrete program.

Bias the model checker– to look only at paths that do not include

instructions that introduce non-determinism JPF model checker modified

– to detect non-deterministic choice (i.e. calls to Bandera.choose()); backtrack from those points

Choice-bounded SearchChoice-bounded Search

choose()

XX

Detectable ViolationUndetectable Violation

State space searched

Case Study: DEOS Kernel (NASA Ames)Case Study: DEOS Kernel (NASA Ames) Honeywell Dynamic Enforcement Operating System (DEOS)

– A real time operating system for integrated modular avionics

– Non-trivial concurrent program (1433 lines of code, 20 classes, 6 threads)

– Written in C++, translated into Java and Promela

– With a known bug Verification of the system exhausted 4 Gigabytes of memory without

completion; abstraction needed

Abstracted using data type abstraction Checked using JPF and SPIN Defect detected using choice-bounded search

Conclusion and Future Research DirectionsConclusion and Future Research Directions

Tool support for abstraction enables verification of real properties of real programs

Extend abstraction support for objects– Heap abstractions to handle an unbounded

number of dynamically allocated objects– Handle recursive procedures, unbounded

number of processes Extend automation

– For selection and refinement based on counter-example analysis

OutlineOutline




Model Checking – Assumption Generation for Component Verification

Java Path Finder (NASA Ames)Java Path Finder (NASA Ames)

Model checker for Java programs Built on top of a custom made Java Virtual

Machine Checks for deadlock and violation of

assertions; LTL properties Support for abstraction:

– Predicate abstraction– Bandera’s data abstraction

Heuristic search

Symbolic ExecutionSymbolic Execution

void test(int n){[1] if (n > 0) {[2] n = n + 1;[3] if (n < 3)[4] ... }[5] ... }

Code

Uses “symbolic names” to represent program inputs

1n:SPC:true

3n:S+1PC:S>0

2n:SPC:S>0 5

n:SPC:S<=0

...

5n:S+1PC:S>0 & S+1>=34

n:S+1PC:S>0 & S+1<3

... ...

Symbolic execution tree(PC=“path condition”)

Symbolic Execution and JPF: ApplicationsSymbolic Execution and JPF: Applications

Extends JPF with a new form of abstraction

Test case generationAbstract counter-example analysis

and refinementSymbolic execution of multithreaded

programsParameter synthesis …

Implementation in JPFImplementation in JPF

Easy:– Uses Bandera’s type abstraction– Uses Omega library (Java version)

• Manipulates sets of linear constraints over integer variables

Can be used as a “symbolic execution tool with backtracking”

Good for finding counter-examples No state matching!

(Possible) Implementation(Possible) Implementation

void test(int n) { if (n > 0) { n = n + 1; ... }

public class SymVal { public SymVal() { ... } public SymVal(int n) { ... } public SymVal(SymVal s1, SymVal s2,

String ops) { ... } ... }

public class SymOps { public SymVal add(SymVal s1, SymVal s2){ return new SymVal(s1,s2,’+’); }

public bool gt(SymVal s1, SymVal s2) { bool result = Verify.chooseBool(); if(result) { // “true”

PC.addCondition(s1,s2,’>’); } else { // “false”

PC.addCondition(s1,s2,’<=‘); } PC.simplify(); return result; } ... }

Code

PathCondition PC; // =“true”

void test(SymVal n) { n = new SymVal(); if(SymOps.gt(n,new SymVal(0)){ n=SymOps.add(n,new SymVal(1)); ... }

Problem: ConvergenceProblem: Convergence

Symbolic execution tree

void test(int n) {[1] int x = 0;[2] while(x < n)[3] x = x + 1;[4] }

Code1

n:SPC:true

2n:S,x:0PC:true

2n:S,x:1PC:0<S

4n:S,x:1PC:0<S & 1>=S3

n:S,x:1PC:0<S & 1<S

3n:S,x:0PC:0<S 4

n:S,x:0PC:0>=S

....

Problem: ConvergenceProblem: Convergence

Limit the search depth of MC Unwind loops a fixed number of times

(similar to Bounded MC?) Discover “simple and practical” widening

techniques Acceleration techniques Heuristics? Combine with “predicate abstraction” …

Solutions?

Relation to Bounded MCRelation to Bounded MC

Extend BMC with symbolic variables?

Widening for C programs?…

OutlineOutline




Model Checking– Assumption Generation for Component Verification

Assumption Generation for Component VerificationAssumption Generation for Component Verification

Problem:

Component Environment

Property ? Environment Assumption ?

The “weakest” assumption A for component C: for all environments E,

E |= A E || C |= P

ApplicationsApplications

Support for modular verification– Compositional verification– Property decomposition

Run-time monitoring of the environment

Component retrievalSub-module construction …

ImplementationImplementation

In Labeled Transition Systems Analyzer (LTSA) tool - Imperial college– Supports compositional reachability analysis

based on software architecture– Incremental system design and verification:

• Component abstraction (hiding of internal actions)• Minimization wrt. observational equivalence

– Both components and properties expressed as labeled transition systems

Interface actions

E.acquire

E.release

W.acquire

W.acquire

Mutex:

Example: A System and A PropertyExample: A System and A Property

W.acquire

W.release

W.enterCS

W.exitCS

Writer:

E.enterCS

E.exitCS

W.enterCS

W.exitCS

Mutual Exclusion Property:

||

W.enterCS

E.enterCS

E.exitCS

W.exitCS

E.exitCS

W.enterCS

W.exitCS

E.enterCS

||

Assumption GenerationAssumption Generation

Step 1: composition, hiding of internal actions and minimization

Step 2: backward reachability

with error state

Step 3: property extraction

(sub-set construction

and completion)

Property true!

(all environments)

Property false!

(all environments)

Assumption

Composite SystemComposite System

E.enterCS

E.exitCS

E.acquire

E.release

E.exitCS

E.release

E.enterCS

E.exitCS

E.exitCS

E.enterCS

E.enterCS

E.enterCS

E.release

Backward Error Propagation (with Backward Error Propagation (with ))

E.enterCS

E.exitCS

E.acquire

E.release

E.exitCS

E.release

E.enterCS

E.exitCS

E.exitCS

E.enterCS

E.enterCS

E.enterCS

E.release

Backward Error Propagation (with Backward Error Propagation (with ))

E.enterCS

E.release

E.exitCS

E.release

E.enterCS

E.exitCS

E.exitCS

E.enterCS

E.enterCS

E.release

Property ExtractionProperty Extraction

E.acquire

E.release

E.enterCS

E.exitCS

E.enterCS

E.release

E.exitCSE.enterCS

E.exitCS

E.acquire

E.release E.acquire

E.acquire, E.release

E.enterCS, E.exitCS

Generated AssumptionGenerated Assumption

E.acquire

E.release

E.enterCS

E.exitCS

E.acquire

E.release E.acquire

E.acquire, E.release

E.enterCS, E.exitCS

Directions for Future WorkDirections for Future Work

Liveness /fairnessExtend to other frameworks

– LTL checking (since we are interested only in error behaviors)

Is the sub-set construction needed?Study other forms of composition …

Documents

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center