Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball Sriram K. Rajamani http://research.microsoft.com/slam/


Automatically Validating Temporal Safety Properties of Interfaces

Thomas Ball, Sriram K. Rajamani

http://research.microsoft.com/slam/

Outline
  What is SLAM?
  Show and tell: SLAM on Win2000 floppy driver
  SLAM tools and process: automatic abstraction, state-based search, counterexample-driven refinement
  Discussion: related work, current status of SLAM, future work

Checking API Usage

An Application calls into an API exposed by a C library, a DLL, a COM component, ...

Does an application follow the "proper usage" rules of an API?

Temporal safety properties

Something "bad" does not happen. E.g. a lock is never released without first being acquired.

Defined in the 70's [Lamport] [Alpern-Schneider]

One Application: Win2000 Device Drivers

A Device Driver calls the NT Kernel through the API declared in NTddk.h.

Does a device driver acquire and release spin locks properly?

Device Drivers and SLAM

Device Driver + API (NTddk.h) + Rules

State Machine For Locking
  states: Unlocked, Locked, Error
  Unlocked --L (KeAcquireSpinLock)--> Locked
  Locked --U (KeReleaseSpinLock)--> Unlocked
  Unlocked --U--> Error   (release without a matching acquire)
  Locked --L--> Error     (acquire while the lock is already held)

SLIC Locking Property (simplified)

    state {
        int locked = 0;
    }

    KeAcquireSpinLock.call {
        if (locked == 1) abort;
        else locked = 1;
    }

    KeReleaseSpinLock.call {
        if (locked == 0) abort;
        else locked = 0;
    }

    do { // get the write lock
        KeAcquireSpinLock(&devExt->writeListLock);
        nPacketsOld = nPackets;
        request = devExt->WriteListHeadVa;
        if (request && request->status) {
            devExt->WriteListHeadVa = request->Next;
            KeReleaseSpinLock(&devExt->writeListLock);
            irp = request->irp;
            if (request->status > 0) {
                irp->IoStatus.Status = STATUS_SUCCESS;
                irp->IoStatus.Information = request->status;
            } else {
                irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
                irp->IoStatus.Information = request->status;
            }
            SmartDevFreeBlock(request);
            IoCompleteRequest(irp, IO_NO_INCREMENT);
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?

Safety to Reachability

prog P + SLIC spec S --instrument--> prog P'

Program P satisfies specification S  iff  label ERROR is not reachable in P'

Instrumented Driver

    do { // get the write lock
        KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock);
        nPacketsOld = nPackets;
        request = devExt->WriteListHeadVa;
        if (request && request->status) {
            devExt->WriteListHeadVa = request->Next;
            KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);
            irp = request->irp;
            if (request->status > 0) {
                irp->IoStatus.Status = STATUS_SUCCESS;
                irp->IoStatus.Information = request->status;
            } else {
                irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
                irp->IoStatus.Information = request->status;
            }
            SmartDevFreeBlock(request);
            IoCompleteRequest(irp, IO_NO_INCREMENT);
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);

SLIC runtime generated from the locking property:

    int locked = 0;

    void Error_Routine() { ERROR: assert(0); }

    void KeAcquireSpinLock_call() {
        if (locked == 1) Error_Routine();
        else locked = 1;
    }

    void KeReleaseSpinLock_call() {
        if (locked == 0) Error_Routine();
        else locked = 0;
    }

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?

Demo

Outline
  What is SLAM?
  Show and tell: SLAM on floppy driver
  SLAM tools and process: state-based search, automatic abstraction, counterexample-driven refinement
  Discussion: related work, current status of SLAM, future work

State-based Search

    do { // get the write lock
        KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock);
        nPacketsOld = nPackets;
        request = devExt->WriteListHeadVa;
        if (request && request->status) {
            devExt->WriteListHeadVa = request->Next;
            KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);
            ...
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);

A Boolean Program Abstraction

    do // get the write lock
        KeAcquireSpinLock_call();
        b := true;               // nPacketsOld = nPackets;
        if (*) then
            KeReleaseSpinLock_call();
            if (*) then
            else
            fi
            b := b ? false : *;  // nPackets++;
        fi
    while (!b);
    KeReleaseSpinLock_call();

Boolean variable b represents the condition (nPacketsOld == nPackets). The slide annotates each program point with the value of b (b or !b) that the state-based search computes there: b holds from the assignment b := true until nPackets++ falsifies it, so the loop only repeats when the lock has already been released.
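To make the state-based search concrete, here is an added example that is not code from the SLAM slides or toolkit: an explicit-state reachability check over the boolean program above, with the SLIC locking state inlined. The flag track_b switches the predicate b on and off. With it off (the predicate-free abstraction SLAM would start from) the loop test is a nondeterministic choice and ERROR is reachable through acquire, skip the if, loop, acquire again; that is exactly the spurious path newton would refute by discovering the predicate (nPacketsOld == nPackets). With b tracked, ERROR is unreachable. The enum, State struct and function names are this example's own; the empty inner if/else is folded away because it touches no tracked variable. Bebop performs the same search symbolically with BDDs and interprocedurally; this is the explicit, single-procedure version.

```c
#include <stdio.h>

/* Program points of the boolean program. The empty inner if/else has no
   effect on any tracked variable, so it is folded into PC_BUMP_B. */
enum {
    PC_ACQUIRE = 0,   /* KeAcquireSpinLock_call()                            */
    PC_SET_B,         /* b := true           (nPacketsOld = nPackets)          */
    PC_IF_REQUEST,    /* if (*)              (request && request->status)      */
    PC_RELEASE_INNER, /* KeReleaseSpinLock_call()                            */
    PC_BUMP_B,        /* b := b ? false : *  (nPackets++)                      */
    PC_LOOP_TEST,     /* while (!b)          (nPackets != nPacketsOld)         */
    PC_RELEASE_OUTER, /* KeReleaseSpinLock_call()                            */
    PC_EXIT,
    PC_ERROR,         /* the ERROR label inside Error_Routine()               */
    PC_COUNT
};

typedef struct { unsigned char pc, locked, b; } State;

#define NSTATES (PC_COUNT * 2 * 2)
static int state_id(State s) { return (s.pc * 2 + s.locked) * 2 + s.b; }

/* Successors of s in the abstraction. With track_b == 0 the predicate
   (nPacketsOld == nPackets) is not part of the abstraction: assignments to
   b are dropped and the loop test becomes a nondeterministic choice. */
static int successors(State s, int track_b, State out[2]) {
    int n = 0;
    State t = s;
    switch (s.pc) {
    case PC_ACQUIRE:       /* SLIC: if (locked==1) Error_Routine(); else locked = 1; */
        if (s.locked) t.pc = PC_ERROR; else { t.locked = 1; t.pc = PC_SET_B; }
        out[n++] = t; break;
    case PC_SET_B:
        if (track_b) t.b = 1;
        t.pc = PC_IF_REQUEST; out[n++] = t; break;
    case PC_IF_REQUEST:    /* if (*): both branches are possible */
        t.pc = PC_RELEASE_INNER; out[n++] = t;
        t.pc = PC_LOOP_TEST;     out[n++] = t; break;
    case PC_RELEASE_INNER: /* SLIC: if (locked==0) Error_Routine(); else locked = 0; */
        if (!s.locked) t.pc = PC_ERROR; else { t.locked = 0; t.pc = PC_BUMP_B; }
        out[n++] = t; break;
    case PC_BUMP_B:
        t.pc = PC_LOOP_TEST;
        if (!track_b) { out[n++] = t; }                                /* b untracked */
        else if (s.b) { t.b = 0; out[n++] = t; }                       /* b ? false   */
        else { t.b = 0; out[n++] = t; t.b = 1; out[n++] = t; }         /* : *         */
        break;
    case PC_LOOP_TEST:
        if (!track_b || !s.b) { t.pc = PC_ACQUIRE;       out[n++] = t; } /* !b: iterate */
        if (!track_b ||  s.b) { t.pc = PC_RELEASE_OUTER; out[n++] = t; } /* b: leave    */
        break;
    case PC_RELEASE_OUTER:
        if (!s.locked) t.pc = PC_ERROR; else { t.locked = 0; t.pc = PC_EXIT; }
        out[n++] = t; break;
    default: break;        /* PC_EXIT and PC_ERROR have no successors */
    }
    return n;
}

/* Depth-first reachability of PC_ERROR from (PC_ACQUIRE, unlocked).
   Returns 1 if ERROR is reachable, with the witness length (number of
   states on the path) in *trace_len when it is non-NULL; otherwise 0. */
int error_reachable(int track_b, int *trace_len) {
    int parent[NSTATES] = {0}, visited[NSTATES] = {0};
    State stack[NSTATES], succ[2];
    int sp = 0;
    State init = { PC_ACQUIRE, 0, 0 };
    visited[state_id(init)] = 1;
    parent[state_id(init)] = -1;
    stack[sp++] = init;
    while (sp > 0) {
        State s = stack[--sp];
        if (s.pc == PC_ERROR) {
            int len = 0;
            for (int id = state_id(s); id != -1; id = parent[id]) len++;
            if (trace_len) *trace_len = len;
            return 1;
        }
        int n = successors(s, track_b, succ);
        for (int i = 0; i < n; i++) {
            int id = state_id(succ[i]);
            if (!visited[id]) {       /* each state is pushed at most once */
                visited[id] = 1;
                parent[id] = state_id(s);
                stack[sp++] = succ[i];
            }
        }
    }
    if (trace_len) *trace_len = 0;
    return 0;
}

int main(void) {
    int len = 0;
    int r0 = error_reachable(0, &len);
    printf("without predicate b: ERROR %s (witness of %d states)\n",
           r0 ? "reachable" : "unreachable", len);
    int r1 = error_reachable(1, &len);
    printf("with predicate b:    ERROR %s\n", r1 ? "reachable" : "unreachable");
    return 0;
}
```

The shortest spurious witness without b has six states (acquire, set b, skip the if, loop test, acquire again, ERROR); its concrete counterpart requires nPackets != nPacketsOld immediately after nPacketsOld = nPackets, which is infeasible, and that infeasibility is what yields the predicate b.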

SLAM Components

  Prepass:        SLIC compiler and instrumentation tool
  Core:           C2bp (predicate abstraction of C), Bebop (model checking of boolean programs), Newton (predicate discovery)
  Error display:  DHTML GUI
  Reuse:          AST toolkit; GOLF (value flow analysis, points-to analysis); BDD libraries (CMU, CUDD); decision procedures (Simplify, Vampyre)

SLAM Process

  C program + Spec. --SLIC--> instrumented C program
  instrumented C program --GOLF--> CFG + VFG
  CFG + VFG + predicates --c2bp--> Boolean program
  Boolean program --bebop--> Pass, or Fail with path p
  Fail, p --newton--> new predicates, fed back to c2bp
  Fail, p --> Error GUI

c2bp

Automatic predicate abstraction of C

What is the predicate language? Pure C boolean expressions.

Input: a C program P and a set of predicates E
Output: a boolean program c2bp(P, E) that is a sound abstraction of P and a precise abstraction of P

Difficulties: procedures, pointers

Bebop

Reachability analysis of boolean programs

Symbolic version of [Reps-Horwitz-Sagiv, POPL'95] interprocedural data flow analysis: explicit representation of control flow, implicit representation of reachable states via BDDs

Complexity of the algorithm is O(|E| * 2^n), where
  |E| = size of the interprocedural control flow graph
  n = max. number of variables in the scope of any label

Newton

Symbolically executes an (interprocedural) path in the C program

Checks for path infeasibility using decision procedures

If infeasibility is detected: find the weak(est) condition implying the infeasibility, which yields new predicates

Key Ideas of SLAM

State-based search: small state machines, large programs; exploit locality of scoping to scale

Automated discovery of abstractions: analysis of counterexamples

Global reasoning: GOLF (flow-insensitive), model checking (abstract path/flow-sensitive), symbolic execution (concrete path-sensitive)

Local reasoning: predicate abstraction / decision procedures

Outline
  What is SLAM?
  Show and tell: SLAM on floppy driver
  SLAM tools and process: automatic abstraction, state-based search, counterexample-driven refinement
  Discussion: related work, current status of SLAM, future directions

Related Work

VCGen based tools: ESC-Java [Leino-Nelson-et al.], Proof-Carrying Code [Lee-Necula], PREfix [Pincus-et al.]

Model Checking of Software
  Using an abstract model: Bandera [Hatcliff-Dwyer-et al.], FeaVer [Holzmann], FLAVERS [Clarke-Osterweil-et al.], Metal [Engler]
  By gaining control over the scheduler: Java Path Finder [Visser-et al.], Verisoft [Godefroid], Java model checker [Stoller]

Related Work (continued)

Model checkers
  Temporal logic model checking [Clarke-Emerson] [Sifakis] [Vardi-Wolper]
  Symbolic model checking: BDDs [Bryant], SMV [McMillan, Clarke]
  Model checking of hierarchical FSMs [Alur, Grosu], [Alur, Yannakakis, et al.], [Benedikt, Godefroid, Reps]

Abstract Interpretation [Cousot-Cousot]

Program Analysis: shape analysis [Sagiv-Reps-Wilhelm]

Predicate Abstraction [Graf-Saidi] [Das-Dill-Park]

Dataflow analysis = Model Checking + Abstract Interpretation [Steffen-Schmidt]

Counterexample driven refinement [Kurshan], [Clarke-Grumberg-Jha-Lu-Veith]

Temporal safety property checking as type checking [DeLine-Fahndrich]

Current Status of SLAM

Project started in January 2000. Toolkit now functional on C code; found first real bug in production code in March 2001.

Needs more work on: performance; scope (function pointers, exception handling); specification language; user interface.

Future Directions

New Models: boolean programs lack expressivity
  The Heap: pointer logics, recursive types
  Concurrency: predicate abstraction for an Owicki/Gries-style logic?
Scaling: reinvestigate assume/guarantee for software

SLAM Papers

The SLAM Process
  Automatically Validating Temporal Safety Properties of Interfaces, Thomas Ball, Sriram K. Rajamani, SPIN 2001
  The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV 2001
  Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report 2000-14

Boolean Programs
  Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE 2001
  Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN 2000

Predicate Abstraction of C Programs
  Automatic Predicate Abstraction of C Programs, Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, PLDI 2001
  Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR Technical Report 2001-10
  Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001

Concurrency
  Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001

Thanks to...

Sagar Chaki (CMU), Rupak Majumdar (UC Berkeley), Todd Millstein (U Washington), Andreas Podelski (MPI), and the members of the Software Productivity Tools group and PPRC

Summary

Fully automated way to check temporal safety properties of software interfaces

Tools are based on novel ideas interprocedural dataflow with BDDs (bebop) predicate abstraction of C (c2bp) predicate discovery (newton)

Demonstration on Windows 2000 device drivers

Software Productivity Tools, Microsoft Research

http://research.microsoft.com/slam/

State Machine For Irp Handling
  states: init, pending, complete, Error
  init --IoMarkIrpPending--> pending
  init --IoCompleteRequest--> complete
  pending --return: status != STATUS_PENDING--> Error
  complete --return: status == STATUS_PENDING--> Error

IRP Complete/Pending Rule

    state {
        enum {Init, Complete, Pending} s = Init;
    }

    IoCompleteRequest.call {
        if (s != Init) abort;
        else s = Complete;
    }

    IoMarkIrpPending.call {
        if (s != Init) abort;
        else s = Pending;
    }

    Dispatch.exit {
        if (s == Complete) {
            if ($return == STATUS_PENDING) abort;
        } else if (s == Pending) {
            if ($return != STATUS_PENDING) abort;
        }
    }
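The slides show the instrumented form only for the locking rule, which has call events alone. The IRP rule also has an exit event that inspects $return. Below is an added example, not code from the SLAM toolkit or the slides, of what the instrumentation of this rule looks like in C: the handler for Dispatch.exit receives the value the dispatch routine is about to return, so every return site gets a Dispatch_exit(ret) call before it. The NTSTATUS values, the one-field IRP struct and the four dispatch routines are constructed here to stand in for ntddk.h and real driver code, and Error_Routine records a flag instead of asserting so the harness can report it. Running the instrumented routines is a check of single executions; SLAM's contribution is to decide reachability of ERROR over all paths statically, but the instrumented program it analyses has exactly this shape.

```c
#include <stdio.h>

/* Hypothetical minimal stand-ins for the NT definitions (constructed; not ntddk.h). */
typedef long NTSTATUS;
#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
#define STATUS_PENDING  ((NTSTATUS)0x00000103L)
#define IO_NO_INCREMENT 0
typedef struct { NTSTATUS Status; } IRP;

/* Kernel API stand-ins: the rule only cares that they were called. */
static void IoMarkIrpPending(IRP *irp) { (void)irp; }
static void IoCompleteRequest(IRP *irp, int boost) { (void)irp; (void)boost; }

/* --- SLIC runtime emitted from the IRP Complete/Pending rule --- */
enum { Init, Complete, Pending };
static int s = Init;
static int error_hit;                       /* set when label ERROR is reached */
static void Error_Routine(void) { error_hit = 1; }

static void IoCompleteRequest_call(void) { if (s != Init) Error_Routine(); else s = Complete; }
static void IoMarkIrpPending_call(void)  { if (s != Init) Error_Routine(); else s = Pending; }

/* Dispatch.exit: ret is $return, the value the dispatch routine returns. */
static void Dispatch_exit(NTSTATUS ret) {
    if (s == Complete) { if (ret == STATUS_PENDING) Error_Routine(); }
    else if (s == Pending) { if (ret != STATUS_PENDING) Error_Routine(); }
}

/* --- Four instrumented dispatch routines (constructed examples) --- */

/* Correct: completes the IRP synchronously and returns its status. */
static NTSTATUS DispatchSync(IRP *irp) {
    NTSTATUS ret;
    irp->Status = STATUS_SUCCESS;
    IoCompleteRequest_call(); IoCompleteRequest(irp, IO_NO_INCREMENT);
    ret = STATUS_SUCCESS;
    Dispatch_exit(ret); return ret;
}

/* Correct: marks the IRP pending (queued for later) and returns STATUS_PENDING. */
static NTSTATUS DispatchAsync(IRP *irp) {
    NTSTATUS ret;
    IoMarkIrpPending_call(); IoMarkIrpPending(irp);
    ret = STATUS_PENDING;
    Dispatch_exit(ret); return ret;
}

/* Wrong: marks pending but returns STATUS_SUCCESS; Dispatch.exit aborts. */
static NTSTATUS DispatchPendingWrongReturn(IRP *irp) {
    NTSTATUS ret;
    IoMarkIrpPending_call(); IoMarkIrpPending(irp);
    ret = STATUS_SUCCESS;
    Dispatch_exit(ret); return ret;
}

/* Wrong: completes the IRP and then marks it pending; the second call aborts. */
static NTSTATUS DispatchCompleteThenPending(IRP *irp) {
    NTSTATUS ret;
    IoCompleteRequest_call(); IoCompleteRequest(irp, IO_NO_INCREMENT);
    IoMarkIrpPending_call(); IoMarkIrpPending(irp);
    ret = STATUS_PENDING;
    Dispatch_exit(ret); return ret;
}

/* Run one dispatch routine from the rule's initial state; 1 if ERROR was reached. */
int violates_irp_rule(NTSTATUS (*dispatch)(IRP *)) {
    IRP irp = { 0 };
    s = Init;
    error_hit = 0;
    dispatch(&irp);
    return error_hit;
}

int main(void) {
    printf("DispatchSync:                 %d\n", violates_irp_rule(DispatchSync));
    printf("DispatchAsync:                %d\n", violates_irp_rule(DispatchAsync));
    printf("DispatchPendingWrongReturn:   %d\n", violates_irp_rule(DispatchPendingWrongReturn));
    printf("DispatchCompleteThenPending:  %d\n", violates_irp_rule(DispatchCompleteThenPending));
    return 0;
}
```

A dispatch routine that neither completes nor marks the IRP leaves s == Init, which Dispatch.exit accepts for any return value; the rule as written on the slide is deliberately silent about that case.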