Universität Paderborn
Prof. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert
Verification of parameterised systems
Automatic Predicate Abstraction of C Programs
Shilpa Seshadri
Agenda
Motivation
Introduction
C2BP Algorithm
SLAM Toolkit
Future Work
Conclusion
Discussion
April 18, 2023, Automatic Predicate Abstraction of C Programs
Motivation
Model checking
Verification technique for a finite state system
Widely used for validation and debugging
Sometimes, state-space explosion limits the use of tools
Hence, model checkers operate on abstractions of systems
Software systems are typically infinite state systems
Abstraction is critical
Predicate abstraction of programs is one such approach: model checking a finite-state abstraction of a software system
Model Checking
Algorithmic exploration of state space of the system
Several advances in the past decade:
symbolic model checking
symmetry reductions
partial order reductions
compositional model checking
bounded model checking using SAT solvers
Most hardware companies use a model checker in the validation cycle
Abstraction
void add(Object o) { buffer[head] = o; head = (head+1)%size; }
Object take() { … tail = (tail+1)%size; return buffer[tail]; }
(figure) Program: infinite state  ->  Model checker input: finite state
Abstraction (A simplified view)
Abstraction is an effective tool in verification
Given a transition system, we want to generate an abstract transition system which is easier to analyze
However, we want to make sure that:
If a property holds in the abstract transition system, it also holds in the original (concrete) transition system
Abstraction (A simplified view)
If the property does not hold in the abstract transition system, what can we do?
We can refine the abstract transition system (split some states that we merged)
The refined transition system should still be an abstraction of the concrete transition system
Then, we can recheck the property on the refined transition system
If the property does not hold again, we can refine again
Abstraction Refinement Loop
(figure) Actual program -> initial abstraction -> Boolean program -> model checker (verification) -> either no error or bug found, or a spurious counterexample -> abstraction refinement -> new Boolean program
Predicate Abstraction
An automated abstraction technique which can be used to reduce the state space of a program
The basic idea here is to remove some variables from the program by just keeping information about a set of predicates about them
Predicate abstraction is a technique for doing such abstractions automatically
A Very Simple Example
Assume that we have two integer variables x, y
We want to abstract the program using a single predicate “x = y”
We will divide the states of the program into two:
1. The states where “x = y” is true
2. The states where “x = y” is false, i.e., “x ≠ y”
We will then merge all the states in the same set
This is an abstraction: basically, we forget everything except the value of the predicate “x = y”
A Very Simple Example
We will represent the predicate “x = y” as the boolean variable B in the abstract program
“B = true” will mean “x = y” and “B = false” will mean “x ≠ y”
Assume that we want to abstract the following program which contains only one statement:
y := y + 1
Predicate Abstraction, Step 1
Calculate preconditions based on the predicate
{x = y + 1}  y := y + 1  {x = y}
  precondition for B being true after executing the statement y := y + 1
{x ≠ y + 1}  y := y + 1  {x ≠ y}
  precondition for B being false after executing the statement y := y + 1
Using our temporal logic notation we can say something like: {x = y + 1} AX {x = y}
Again, using our temporal logic notation: {x ≠ y + 1} AX {x ≠ y}
Predicate Abstraction, Step 2
Use decision procedures to determine if the predicates used for abstraction imply any of the preconditions
x = y ⇒ x = y + 1 ? No
x ≠ y ⇒ x = y + 1 ? No
x = y ⇒ x ≠ y + 1 ? Yes
x ≠ y ⇒ x ≠ y + 1 ? No
Predicate Abstraction, Step 3
Generate abstract code
y := y + 1   is abstracted to   IF B THEN B := false ELSE B := true | false

Predicate abstraction wrt the predicate “x = y” (summary)
1) Compute preconditions
{x = y + 1}  y := y + 1  {x = y}
{x ≠ y + 1}  y := y + 1  {x ≠ y}
2) Check implications
x = y ⇒ x = y + 1 ? No
x ≠ y ⇒ x = y + 1 ? No
x = y ⇒ x ≠ y + 1 ? Yes
x ≠ y ⇒ x ≠ y + 1 ? No
3) Generate abstract code
IF B THEN B := false ELSE B := true | false
Automatic Predicate Abstraction
First proposed by Graf & Saidi and reflected in T. Ball’s work
Concrete states are mapped to abstract states under a finite set of predicates
Designed and implemented for:
finite state systems
infinite state systems specified as guarded commands
Not implemented for a programming language such as C
Predicate Abstraction of C (c2bp)
Performs automatic predicate abstraction of C programs
Input: a C program P and a set of predicates E
predicate = pure C boolean expression
Output: a boolean program BP(P, E) that is
a sound abstraction of P
a precise (boolean) abstraction of P
Results: separate compilation (predicate abstraction) in presence of procedures and pointers
Predicate abstraction by C2BP
(figure) program P and predicates E  ->  C2BP  ->  Boolean program BP(P, E)
Boolean program BP(P, E):
a C program with bool as the only type
plus some additional constructs
same control structure as P
Given
P : a C program
E = {e1, ..., en} : set of C boolean expressions over the variables in P
No side effects, no procedure calls
Produces a boolean program B
Same control-flow structure as P
Properties true of B are true of P
Formal Properties of C2BP
Soundness
B has a superset of the feasible paths in P
If {ei} is true (false) at some point on a path in B, then ei is true (false) at that point along a corresponding path in P
Complexity
linear in size of program
exponential in number of predicates
BEBOP model checker
A Symbolic Model Checker for Boolean Programs
Performs interprocedural dataflow analysis using binary decision diagrams (BDDs)
Used to analyze the boolean program
Based on Context-free Language (CFL) reachability (see Glossary)
What is SLAM?
SLAM is a software model checking project at Microsoft Research
Goal: Automatically check C programs (system software) against safety properties using model checking
Safety property – “something good happens”. An example: a lock is never released without first being acquired
Application domain: device drivers
Counterexample-driven refinement terminates in practice
SLAM
Input
API usage rules
client C source code “as is”
Analysis
create, explore and refine boolean program abstractions
Output
Error traces (minimize noise)
Verification (soundness)
(figure) Static Driver Verifier flow: source code (from development and testing) and precise API usage rules (SLIC) feed software model checking; labels: read for understanding, new API rules, drive testing tools, defects, 100% path coverage
SLAM Toolkit
SLAM toolkit was developed to find errors in Windows device drivers
Windows device drivers are required to interact with the Windows kernel according to certain interface rules
SLAM toolkit has an interface specification language called SLIC (Specification Language for Interface Checking) which is used for writing these interface rules
The SLAM toolkit instruments the driver code with assertions based on these interface rules
Windows Device Drivers & SLIC
Kernel presents a very complex interface to drivers
stack of drivers
NT kernel multi-threaded
Correct API usage described by finite state protocols
SLIC
Finite state language for stating rules
monitors behavior of C code
temporal safety properties
familiar C syntax
Newton
Given an error path p in boolean program B, it checks: is p a feasible path of the corresponding C program?
Yes: found an error
No: find predicates that explain the infeasibility
Uses the same interfaces to the theorem provers as c2bp.
How SLAM does it
Model checking a C program is not feasible!
Still, model checking is very effective on the model level ...
Idea: automatically extract an (abstract) model from C source.
But even this is hard: which aspects should be retained and which hidden? How to extract?
Idea: Start with a very abstract model, whose extraction is quite trivial. Incrementally refine the abstraction as needed.
Traditional approach
(figure) Sequential C program (source code) -> finite state machines (FSM) -> model checker
SLAM
(figure) Sequential C program (source code) -> abstraction, which must handle C data structures, pointers, procedure calls, parameter passing, scoping and control flow -> Boolean program (a push-down model, in place of finite state machines) -> model checker: data flow analysis implemented using BDDs
SLAM Soundness
Idea: SLAM constructs sound abstractions!
Therefore, theorem: Every possible execution path of P is a possible execution path of A.
Therefore, theorem: If A is a constructed abstraction of P, A preserves P’s control structure.
paths(P) ⊆ paths(A)
So, if A satisfies the SLIC spec, so does P!
SLAM completeness
Unfortunately, the reverse of the previous theorem is generally not true
an execution path (including an error path) in A may not be an execution path in P
so, an error found in A may be a false error
If A produces false errors, we can try to refine it (to make it more precise) to a new model A’, i.e. an A’ such that:
paths(P) ⊆ paths(A’) ⊆ paths(A)
(suggesting an iterative procedure....)
SLAM main iteration
(figure) Program P and property φ -> instrument program -> instrumented program P' with initial predicates -> abstraction A of P' -> model checking: A |= φ ? If there is no violation, property φ is valid. If there is a violation by an error path: is the path feasible in P? Yes: property φ is invalid. No: refine the abstraction and repeat.
But verification is generally undecidable; hence this iteration may not terminate.
Pointers and SLAM
Abstracting from a language with pointers (C) to one without pointers (boolean programs) is a challenge
With pointers, C supports call by reference
Strictly speaking, C supports only call by value
With pointers and the address-of operator, one can simulate call-by-reference
Boolean programs support only call-by-value-result
SLAM mimics call-by-reference with call-by-value-result
Extra complications:
address operator (&) in C
multiple levels of pointer dereference in C
Challenges of predicate abstraction
Pointers: two related sub-problems treated in a uniform way
assignments through dereferenced pointers in the original C program
pointers & pointer dereferences in the predicates for the abstraction
Procedures: allow procedural abstraction in Boolean programs. They also have:
global variables
procedures with local variables
call-by-value parameter passing
procedural abstraction – signatures constructed in isolation
Cont’d …
Procedure calls: abstraction process is challenging in the presence of pointers
after a call the caller must conservatively update local state modified by the procedure
sound and precise approach that takes side-effects into account
Unknown values: it is not always possible to determine the effect of a statement in the C program in terms of the input predicate set E
such non-determinism is handled in BP via the non-deterministic control expression ‘*’, which allows one to implicitly express a 3-valued domain for boolean variables
Assumptions over a C program:
All inter-procedural control flow is by if and goto
All expressions are free of side-effects & short-circuit evaluation
All expressions do not contain multiple pointer dereferences (e.g. **p)
Function calls occur at topmost level of expressions
Weakest Precondition
For a statement s and a predicate φ, let WP(s, φ) denote the weakest liberal precondition of φ with respect to s
For an assignment statement, by definition WP(x = e, φ) is φ with all occurrences of x replaced with e, denoted φ[e/x]
For example WP(x = x + 1, x < 5) = (x + 1) < 5 = (x < 4)
Given S and Q, what is the weakest P’ satisfying {P’} S {Q}?
P’ is called the weakest precondition of S with respect to Q, written WP(S, Q)
To check {P} S {Q}, check P ⇒ P’
C2BP uses decision procedures (i.e., a theorem prover) to strengthen the weakest precondition
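The three abstraction steps of the “x = y” example (compute preconditions, check implications, generate abstract code) and the WP substitution rule above, carried out in code. This is an added Python example, not part of the slides or of the C2BP tool; it assumes predicates are written in Python syntax and stands in for the theorem prover with a bounded enumeration over small integers, which is only a witness within those bounds, not a proof.

```python
import itertools
import re

# Predicates are C-like boolean expressions in Python syntax, e.g. "x == y",
# "x < 5". They are trusted demo strings constructed here, evaluated with eval.


def wp_assign(var, expr, phi):
    """WP(var = expr, phi) = phi[expr/var]: substitute expr for every whole-word var."""
    return re.sub(rf"\b{var}\b", f"({expr})", phi)


def implies(antecedent, consequent, variables, lo=-8, hi=8):
    """Stand-in for C2BP's decision procedure: bounded enumeration over [lo, hi].
    Returns False on the first counterexample; True means no counterexample in range."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if eval(antecedent, {}, env) and not eval(consequent, {}, env):
            return False
    return True


def abstract_assign(var, expr, pred, variables):
    """Steps 1 and 2 for one assignment and one predicate B = {pred}.
    Returns the new value of B in the abstract state where B holds ("B") and
    where it does not ("!B"): "true", "false" or "*" (nondeterministic)."""
    # Step 1: preconditions for B being true / false after the assignment
    wp_true = wp_assign(var, expr, pred)
    wp_false = wp_assign(var, expr, f"not ({pred})")
    result = {}
    # Step 2: does the current abstract state imply either precondition?
    for label, state in (("B", pred), ("!B", f"not ({pred})")):
        if implies(state, wp_true, variables):
            result[label] = "true"
        elif implies(state, wp_false, variables):
            result[label] = "false"
        else:
            result[label] = "*"  # the slides write this choice as "true | false"
    return result


def abstract_code(var, expr, pred, variables):
    """Step 3: the boolean-program statement that replaces var = expr."""
    r = abstract_assign(var, expr, pred, variables)
    return f"IF B THEN B := {r['B']} ELSE B := {r['!B']}"


if __name__ == "__main__":
    print(wp_assign("x", "x + 1", "x < 5"))
    print(abstract_code("y", "y + 1", "x == y", ["x", "y"]))
```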
SLAM Future Work
More impact
Static Driver Verifier (internal, external)
More features
Heap abstractions
Concurrency
More languages
C# and CIL
Predicate abstraction overview
PA Problem: given (P, E) where
P is a C program
E = {φ1, …, φn} is a set of pure boolean C expressions over variables and constants of the C language
Compute BP(P, E) which is a boolean program that
has the same control structure as P
contains only boolean variables V = {b1, …, bn} where bi = {φi} represents predicate φi
is guaranteed to be an abstraction of P (superset of traces modulo …)
SLAM – Software Model Checking
SLAM innovations
boolean programs: a new model for software
model creation (c2bp)
model checking (bebop)
model refinement (newton)
SLAM toolkit
built on MSR program analysis infrastructure
SLAM is Microsoft’s fully automated tool to verify the correctness of C programs
More info: http://www.research.microsoft.com/slam/
Glossary
Model checking: Checking properties by systematic exploration of the state space of a model. Properties are usually specified as state machines, or using temporal logics.
Safety properties: Properties whose violation can be witnessed by a finite run of the system. The most common safety properties are invariants.
Reachability: Specialization of model checking to invariant checking. Properties are specified as invariants. Most common use of model checking. Safety properties can be reduced to reachability.
Boolean programs: “C”-like programs with only boolean variables. Invariant checking and reachability are decidable for boolean programs.
Predicate: A boolean expression over the state space of the program, e.g. (x < 5).
Predicate abstraction: A technique to construct a boolean model from a system using a given set of predicates. Each predicate is represented by a boolean variable in the model.
Weakest precondition: The weakest precondition of a set of states S with respect to a statement T is the largest set of states from which executing T, when terminating, always results in a state in S.
Thank You for your Attention!
Questions are welcome