Automatically Validating Temporal Safety Properties of Interfaces
Thomas Ball, Sriram K. Rajamani
http://research.microsoft.com/slam/
Outline
What is SLAM?
Show and tell: SLAM on the Win2000 floppy driver
SLAM tools and process: automatic abstraction, state-based search, counterexample-driven refinement
Discussion: related work, current status of SLAM, future work
Checking API Usage
[Diagram: Application -> API (C lib | DLL | COM | ...)]
Does an application follow the “proper usage” rules of an API?
Temporal safety properties
Something “bad” never happens. E.g. a lock is never released without first being acquired.
Defined in the 70’s [Lamport] [Alpern-Schneider].
One Application: Win2000 Device Drivers
[Diagram: Device Driver -> NT Kernel, through the interface declared in NTddk.h]
Does a device driver acquire and release spin locks properly?
SLIC Locking Property (simplified)
state {
int locked = 0;
}
KeAcquireSpinLock.call {
if (locked==1) abort;
else locked = 1;
}
KeReleaseSpinLock.call {
if (locked==0) abort;
else locked = 0;
}
Driver code (from the Win2000 floppy driver):
do { // get the write lock
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?
Safety to Reachability
[Diagram: prog P + SLIC spec S --instrument--> prog P’]
Program P satisfies specification S iff label ERROR is not reachable in P’.
Instrumented Driver
do { // get the write lock
    KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);

int locked = 0;
void Error_Routine() { ERROR: assert(0); }
void KeAcquireSpinLock_call() {
    if (locked == 1) Error_Routine();
    else locked = 1;
}
void KeReleaseSpinLock_call() {
    if (locked == 0) Error_Routine();
    else locked = 0;
}

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Outline
What is SLAM?
Show and tell: SLAM on the floppy driver
SLAM tools and process: state-based search, automatic abstraction, counterexample-driven refinement
Discussion: related work, current status of SLAM, future work
State-based Search
do { // get the write lock
    KeAcquireSpinLock_call(); KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);
        ...
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock_call(); KeReleaseSpinLock(&devExt->writeListLock);
A Boolean Program Abstraction
do // get the write lock
    KeAcquireSpinLock_call();
    b := true;              // nPacketsOld = nPackets;
    if (*) then
        KeReleaseSpinLock_call();
        if (*) then else fi
        b := b ? false : *; // nPackets++;
    fi
while (!b);
KeReleaseSpinLock_call();

Boolean variable b represents the condition (nPacketsOld == nPackets).
[Figure: the boolean program's control-flow graph with each edge annotated b or !b, the value of the predicate (nPacketsOld == nPackets) along that edge.]
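The question Bebop answers about this abstraction can be illustrated with a small explicit-state search. The Python below is an added example, not Bebop or any other SLAM code (Bebop is symbolic and uses BDDs; this plain breadth-first search only poses the same reachability question). It encodes the boolean program as a transition relation over states (program point, SLIC variable locked, predicate variable b), with `*` choices expanded to both successors, and returns a path to ERROR if one exists. With b tracked, ERROR is unreachable. With b dropped, which makes the loop condition `*` as it is before refinement, the search returns the spurious path acquire, skip the if, loop, acquire again; that is the kind of counterexample Newton would find infeasible (nPacketsOld = nPackets makes the loop condition false) and refute by supplying the predicate (nPacketsOld == nPackets). The program-point names and the track_b switch are this example's own.

```python
"""Reachability over a boolean-program abstraction of the floppy-driver
locking loop (constructed example; not the SLAM toolkit's Bebop).

An abstract state is (pc, locked, b): pc is a program point, locked is the
SLIC monitor variable, b abstracts the predicate (nPacketsOld == nPackets).
b is None when the predicate is not tracked; `*` choices yield two successors.
"""
from collections import deque

# Program points of the boolean program on the slide (names are ours).
ACQUIRE, SET_B, IF_REQ, RELEASE_IN, INC, LOOP, RELEASE_OUT, EXIT, ERROR = range(9)
NAMES = ["KeAcquireSpinLock_call", "b := true", "if (*)", "KeReleaseSpinLock_call",
         "b := b ? false : *", "while (!b)", "KeReleaseSpinLock_call", "EXIT", "ERROR"]


def successors(state, track_b):
    """Abstract transition relation; returns the successor states of `state`."""
    pc, locked, b = state
    if pc == ACQUIRE:                      # KeAcquireSpinLock_call()
        return [(ERROR, locked, b)] if locked == 1 else [(SET_B, 1, b)]
    if pc == SET_B:                        # nPacketsOld = nPackets
        return [(IF_REQ, locked, True if track_b else None)]
    if pc == IF_REQ:                       # if (*): request && request->status
        return [(RELEASE_IN, locked, b), (LOOP, locked, b)]
    if pc == RELEASE_IN:                   # KeReleaseSpinLock_call()
        return [(ERROR, locked, b)] if locked == 0 else [(INC, 0, b)]
    if pc == INC:                          # nPackets++  ==>  b := b ? false : *
        if not track_b:
            return [(LOOP, locked, None)]
        if b:
            return [(LOOP, locked, False)]
        return [(LOOP, locked, False), (LOOP, locked, True)]
    if pc == LOOP:                         # while (nPackets != nPacketsOld)
        if not track_b:                    # without the predicate this is `*`
            return [(ACQUIRE, locked, b), (RELEASE_OUT, locked, b)]
        return [(RELEASE_OUT, locked, b)] if b else [(ACQUIRE, locked, b)]
    if pc == RELEASE_OUT:                  # final KeReleaseSpinLock_call()
        return [(ERROR, locked, b)] if locked == 0 else [(EXIT, 0, b)]
    return []                              # EXIT and ERROR are sinks


def find_error_path(track_b):
    """Breadth-first search from the loop entry with the lock not held.
    Returns the program points on a shortest path to ERROR, or None."""
    start = (ACQUIRE, 0, None)
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s[0] == ERROR:
            path = []
            while s is not None:
                path.append(s[0])
                s = parent[s]
            return path[::-1]
        for t in successors(s, track_b):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


if __name__ == "__main__":
    for track_b in (False, True):
        path = find_error_path(track_b)
        tag = "with" if track_b else "without"
        if path is None:
            print(f"{tag} predicate b: ERROR unreachable, locking property holds")
        else:
            print(f"{tag} predicate b: ERROR reachable via "
                  + " -> ".join(NAMES[p] for p in path))
```

The state space here is tiny because the abstraction keeps only two bits of data; that is the point of the slide's "small state machines, large programs". The untracked run is what the SLAM loop looks like before the first refinement: the abstract counterexample is a real path in the boolean program but not in the C program, and the predicate that refutes it is exactly b.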
SLAM Components
Prepass: SLIC compiler and instrumentation tool
Core: C2bp (predicate abstraction of C), Bebop (model checking of boolean programs), Newton (predicate discovery)
Error display: DHTML GUI
Reuse: AST toolkit; GOLF (value flow analysis, points-to analysis); BDD libraries (CMU, CUDD); decision procedures (Simplify, Vampyre)
[Diagram, the SLAM process: the C program and the Spec. go through SLIC (instrumentation) and GOLF (CFG + VFG); c2bp takes the C program and the current predicates and produces a Boolean program; bebop checks it and reports Pass, or Fail with an abstract path p; newton examines p and either produces new predicates, which are fed back to c2bp, or, if p is feasible, sends it to the Error GUI.]
Automatic predicate abstraction of C
What is the predicate language? Pure C boolean expressions.
Input: a C program P and a set of predicates E
Output: a boolean program c2bp(P,E) that is a sound abstraction of P and a precise abstraction of P
Difficulties: procedures, pointers
Bebop
Reachability analysis of boolean programs
Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis: explicit representation of control flow, implicit representation of reachable states via BDDs
Complexity of the algorithm is O(E · 2^n), where
E = size of the interprocedural control flow graph
n = max. number of variables in the scope of any label
Newton
Symbolically executes an (interprocedural) path in the C program
Checks the path for infeasibility using decision procedures
If infeasibility is detected: finds the weak(est) condition implying the infeasibility, and obtains new predicates from it
Key Ideas of SLAM
State-based search: small state machines, large programs; exploit locality of scoping to scale
Automated discovery of abstractions: analysis of counterexamples
Global reasoning: GOLF (flow-insensitive), model checking (abstract path/flow-sensitive), symbolic execution (concrete path-sensitive)
Local reasoning: predicate abstraction/decision procedures
Outline
What is SLAM?
Show and tell: SLAM on the floppy driver
SLAM tools and process: automatic abstraction, state-based search, counterexample-driven refinement
Discussion: related work, current status of SLAM, future directions
Related Work
VCGen based tools: ESC-Java [Leino-Nelson-et al.], Proof-Carrying Code [Lee-Necula], PREfix [Pincus-et al.]
Model checking of software using an abstract model: Bandera [Hatcliff-Dwyer-et al.], FeaVer [Holzmann], FLAVERS [Clarke-Osterweil-et al.], Metal [Engler]
Model checking of software by gaining control over the scheduler: Java Path Finder [Visser-et al.], Verisoft [Godefroid], Java model checker [Stoller]

Related Work: Model checkers
Temporal logic model checking [Clarke-Emerson] [Sifakis] [Vardi-Wolper]
Symbolic model checking: BDDs [Bryant], SMV [McMillan, Clarke]
Model checking of hierarchical FSMs [Alur, Grosu], [Alur, Yannakakis, et al.], [Benedikt, Godefroid, Reps]
Abstract interpretation [Cousot-Cousot]
Program analysis: shape analysis [Sagiv-Reps-Wilhelm]
Predicate abstraction [Graf-Saidi] [Das-Dill-Park]
Dataflow analysis = model checking + abstract interpretation [Steffen-Schmidt]
Counterexample driven refinement [Kurshan, Clarke-Grumberg-Jha-Lu-Veith]
Temporal safety property checking as type checking [DeLine-Fahndrich]
Current Status of SLAM
Project started in January 2000; toolkit now functional on C code
Found first real bug in production code in March 2001
Needs more work on: performance, scope (function pointers, exception handling), specification language, user interface
Future Directions
New models: boolean programs lack expressivity
The heap: pointer logics, recursive types
Concurrency: predicate abstraction for an Owicki/Gries-style logic?
Scaling: reinvestigate assume/guarantee for software
SLAM Papers
The SLAM process:
Automatically Validating Temporal Safety Properties of Interfaces. Thomas Ball, Sriram K. Rajamani. SPIN 2001.
The SLAM Toolkit. Thomas Ball, Sriram K. Rajamani. CAV 2001.
Boolean Programs: A Model and Process for Software Analysis. Thomas Ball, Sriram K. Rajamani. MSR Technical Report 2000-14.
Boolean programs:
Bebop: A Path-sensitive Interprocedural Dataflow Engine. Thomas Ball, Sriram K. Rajamani. PASTE 2001.
Bebop: A Symbolic Model Checker for Boolean Programs. Thomas Ball, Sriram K. Rajamani. SPIN 2000.
Predicate abstraction of C programs:
Automatic Predicate Abstraction of C Programs. Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani. PLDI 2001.
Polymorphic Predicate Abstraction. Thomas Ball, Todd Millstein, Sriram K. Rajamani. MSR Technical Report 2001-10.
Boolean and Cartesian Abstractions for Model Checking C Programs. Thomas Ball, Andreas Podelski, Sriram K. Rajamani. TACAS 2001.
Concurrency:
Parameterized Verification of Multithreaded Software Libraries. Thomas Ball, Sagar Chaki, Sriram K. Rajamani. TACAS 2001.
Thanks to…
Sagar Chaki (CMU), Rupak Majumdar (UC Berkeley), Todd Millstein (U Washington), Andreas Podelski (MPI), members of the Software Productivity Tools group and PPRC
Summary
Fully automated way to check temporal safety properties of software interfaces
Tools are based on novel ideas: interprocedural dataflow with BDDs (bebop), predicate abstraction of C (c2bp), predicate discovery (newton)
Demonstration on Windows 2000 device drivers
State Machine for IRP Handling
[Diagram: states init, pending, complete, Error.
init --IoMarkIrpPending--> pending
init --IoCompleteRequest--> complete
pending --return: status != STATUS_PENDING--> Error
complete --return: status == STATUS_PENDING--> Error]
IRP Complete/Pending Rule
state {
    enum {Init, Complete, Pending} s = Init;
}
IoCompleteRequest.call {
    if (s != Init) abort;
    else s = Complete;
}
IoMarkIrpPending.call {
    if (s != Init) abort;
    else s = Pending;
}
Dispatch.exit {
    if (s == Complete) {
        if ($return == STATUS_PENDING) abort;
    } else if (s == Pending) {
        if ($return != STATUS_PENDING) abort;
    }
}
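A SLIC rule is an executable state machine driven by call and exit events of the API, with `$return` available on exit events. The Python below is an added example, not the SLIC compiler or any SLAM code: a small interpreter for rules in that style, with both rules from this talk (the locking rule and the IRP complete/pending rule) written as handler tables, run over constructed call/exit traces of a dispatch routine. The trace format, the handler signature and the NTSTATUS constants spelled out inline are this example's assumptions; the rule semantics follow the SLIC text above.

```python
"""Interpreter for SLIC-style rules over constructed call/exit traces
(added example; not the SLIC compiler from the SLAM toolkit).

A rule is a pair (initial state, handlers); a handler is keyed by
(function name, "call" | "exit") and receives the rule state and the
function's return value (SLIC's $return; None for call events).
"""

STATUS_SUCCESS = 0x00000000          # NTSTATUS values from ntstatus.h
STATUS_PENDING = 0x00000103


class Abort(Exception):
    """Raised where the SLIC rule says `abort`."""


def locking_rule():
    """SLIC locking property: never acquire a held lock or release a free one."""
    def acquire_call(st, ret):
        if st["locked"] == 1:
            raise Abort("KeAcquireSpinLock while locked")
        st["locked"] = 1

    def release_call(st, ret):
        if st["locked"] == 0:
            raise Abort("KeReleaseSpinLock while unlocked")
        st["locked"] = 0

    return {"locked": 0}, {("KeAcquireSpinLock", "call"): acquire_call,
                           ("KeReleaseSpinLock", "call"): release_call}


def irp_rule():
    """IRP complete/pending rule: complete or mark pending at most once, and
    return STATUS_PENDING from Dispatch iff the IRP was marked pending."""
    def complete_call(st, ret):
        if st["s"] != "Init":
            raise Abort("IoCompleteRequest after complete/pending")
        st["s"] = "Complete"

    def mark_pending_call(st, ret):
        if st["s"] != "Init":
            raise Abort("IoMarkIrpPending after complete/pending")
        st["s"] = "Pending"

    def dispatch_exit(st, ret):          # ret plays the role of SLIC's $return
        if st["s"] == "Complete" and ret == STATUS_PENDING:
            raise Abort("completed the IRP but returned STATUS_PENDING")
        if st["s"] == "Pending" and ret != STATUS_PENDING:
            raise Abort("marked the IRP pending but did not return STATUS_PENDING")

    return {"s": "Init"}, {("IoCompleteRequest", "call"): complete_call,
                           ("IoMarkIrpPending", "call"): mark_pending_call,
                           ("Dispatch", "exit"): dispatch_exit}


def check(rule, trace):
    """Run `rule` over `trace`, a list of (function, event, return value).
    Returns the index of the first event at which the rule aborts, or None."""
    state, handlers = rule()
    for i, (fn, event, ret) in enumerate(trace):
        handler = handlers.get((fn, event))
        if handler is None:
            continue                      # the rule does not mention this event
        try:
            handler(state, ret)
        except Abort:
            return i
    return None


# Constructed traces of one dispatch call (not taken from the slides).
GOOD_PENDING = [("IoMarkIrpPending", "call", None),
                ("Dispatch", "exit", STATUS_PENDING)]
GOOD_COMPLETE = [("IoCompleteRequest", "call", None),
                 ("Dispatch", "exit", STATUS_SUCCESS)]
BAD_RETURN = [("IoCompleteRequest", "call", None),
              ("Dispatch", "exit", STATUS_PENDING)]
DOUBLE_LOCK = [("KeAcquireSpinLock", "call", None),
               ("KeAcquireSpinLock", "call", None)]

if __name__ == "__main__":
    for name, rule, trace in [("good pending", irp_rule, GOOD_PENDING),
                              ("good complete", irp_rule, GOOD_COMPLETE),
                              ("bad return", irp_rule, BAD_RETURN),
                              ("double lock", locking_rule, DOUBLE_LOCK)]:
        result = check(rule, trace)
        print(name, "->", "ok" if result is None else f"abort at event {result}")
```

Running a rule over a concrete trace is what the instrumented program does at runtime; SLAM's contribution is to answer the same abort-or-not question for every path of the driver statically, which is why the rule is compiled into the program and ERROR reachability is checked rather than executing traces.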