Counterexample Generation for Separation-Logic-Based Proofs

Counterexample Generation for Separation-Logic-Based ProofsArlen CoxSamin IshtiaqJosh BerdineChristoph Wintersteiger

2

SLAYER

Abstraction-based Static Analyzer• Uses Separation Logic• Proves Memory Safety of Heap Manipulating Programs

Shape Analysis

Abstraction-based Static Analyzer• Abstract Counterexamples• Failure to prove does not imply that a bug has been found• Even if the bug is real, the counterexample is still abstract

3

SLAYER Results

UNSAFE? SAFE

UNSAFE UNSAFE? SAFE

4

Concrete Counterexamples• If unsafe, return a set of inputs causing failure– Program inputs– Nondeterministic assignments

• Established Techniques– Symbolic Execution (Sage, KLEE)– Bounded Model Checking (CBMC)

5

Symbolic Execution

l := 0

l := *(l+next)return

t := alloc(2)*(t+next) := ll := t

6

Symbolic Execution

l := 0

l := *(l+next)return

t := alloc(2)*(t+next) := ll := t

7

Symbolic Execution

l := 0

l := *(l+next)return

t := alloc(2)*(t+next) := ll := t

8

Symbolic Execution

l := 0

l := *(l+next)return

t := alloc(2)*(t+next) := ll := t

9

Symbolic Execution• Heuristics guide the search• Whole paths are checked before checking

other paths• No guarantees any particular bug will be

found

10

Bounded Model Checking

l := 0

l := *(l+next)return

t := alloc(2)*(t+next) := ll := t

11

Bounded Model Checking

l := 0

12

Bounded Model Checking

l := 0

t := alloc(2)*(t+next) := ll := t

13

Bounded Model Checking

l := 0

l := *(l+next)

t := alloc(2)*(t+next) := ll := t

t := alloc(2)*(t+next) := ll := t

14

Bounded Model Checking

l := 0

l := *(l+next)

t := alloc(2)*(t+next) := ll := t

t := alloc(2)*(t+next) := ll := t

t := alloc(2)*(t+next) := ll := t

l := *(l+next)

l := *(l+next)

return

15

Bounded Model Checking• Complete search up to some depth• Searching all branches may be time consuming• Depth of search may be insufficient• Use failed separation logic proof to prune

branches

16

BMC on Abstract Counterexample• Perform BMC on abstract

counterexample, unrolling loops• Prune any states that are not on

a path to error• Use state constraints to restrict

search(would work for symbolic execution as well)

Abstract State S (constraints)

Abstract State S’ (constraints)

ProgramStatements

ProgramStatements

17

Abstract Counterexample𝑒𝑚𝑝

∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)

𝐸𝑅𝑅𝑂𝑅

t := alloc(2)*(t+next) := ll := t

l := *(l+next)

l := 0

18

Abstract Counterexample𝑒𝑚𝑝

∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)∃𝑘 . 𝑙𝑠𝑘(𝑙 ,0)

𝐸𝑅𝑅𝑂𝑅

t := alloc(2)*(t+next) := ll := t

l := *(l+next)

l := 0

19

Practicalities• Use Z3 to perform BMC• Z3 doesn’t understand separation logic– Weaken formulas to first order

• A different way of encoding BMC– Make Z3 do all of the work– No iteration: give Z3 a single problem

20

Prune and Weakenemp

true

ERROR

t := alloc(2)*(t+next) := ll := t

l := *(l+next)

l := 0First-order

sub-formula

21

BMC Safety Violations• Satisfiable– Array/Structure out of bounds– Access unallocated memory/NULL– Double free– Free of incorrect memory

• Unsatisfiable– No violation within bounds

• Heap size• Unrolling limit

22

Precise Word-Level Memory Model

0

Heap

Alloc

Size 0 0 0 0 0 0 0 0 0

0 1 2 3 4 5 6 7 8 9

23

Precise Word-Level Memory Model

0

Heap

Alloc

Size 0

x

3

x

0

x

0 0 0 0 0 0

alloc(3)0 1 2 3 4 5 6 7 8 9

24

Precise Word-Level Memory Model

0

Heap

Alloc

Size 0

x

3

x

0

17

x

0 0 0 0 0 0

*4 = 170 1 2 3 4 5 6 7 8 9

25

Precise Word-Level Memory Model

0

Heap

Alloc

Size 0 0 0

17

0 0 0 0 0 0

free(2)0 1 2 3 4 5 6 7 8 9

26

Encoding – High Level

𝑖𝑛𝑖𝑡∧ ∀ 𝑡 .𝑡>0∧𝑡<𝑛→𝑡𝑟 (𝑡 ) Assert initial state Transition from state at time to state at time

Use UFBV logic: Quantified bit-vectorswith uninterpreted functions

27

Initial state

- Optional- Optional

28

Transition

29

Encode• Step whole basic block– Eliminates quantifiers based on structure of

program• Use state in encoder– Maximize structure sharing– Reduce quantifiers and uninterpreted functions

30

Encode – Threading State

InitializeState

EncodeStmt

To Error

EncodeStmt

To Error

EncodeStmt

To Error

Store StateTo Successor

…

31

Encode - alloc

32

Encode - store

33

Process Summary

C ProgramSeparation

Logic Analysis

BMC Encoder Z3

SAFEUNSAFE +

COUNTEREXAMPLE

UNSAFE?SMT-LIB

AbstractTransitionSystem

UNSAT

SAT

SLAYER

34

Performance• Equivalent to SLAYER on sample problems• Problems like example < 0.5s• Scalability unknown• Not competitive with Sage or KLEE– Z3 could match or beat Sage or KLEE, though.

35

Z3 Pain Relief• is way slower than (2x)• Eliminate : use last modified index to eliminate these (2x)• Use the new SAT solver (10x)• Use MBQI (sat/unsat vs unknown)• Don’t use Array Theory (sat/unsat vs unknown)• Init doesn’t matter much (±10%)• Eliminate : create explicit conjunction. (30x on small

problems)

36

QUESTIONS?

©2011 Microsoft Corporation. All rights reserved.

38

Array theory?• Array theory is not current– We use quantifiers with uninterpreted functions:

– We don’t want too many quantifiers• Since we’re quantifying over time, keep track of when

updates last occurred.

39

Encoding a basic block (statements updating )