Universität Paderborn Prof. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert...

Universität PaderbornProf. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert

Verification of parameterised systems

Automatic Predicate Abstraction of C Programs

Shilpa Seshadri

AgendaMotivationIntroductionC2BP AlgorithmSLAM ToolkitFuture WorkConclusionDiscussion

April 18, 2023Automatic Predicate Abstraction of C Programs2

Motivation

Model checking Verification technique for a finite state systemWidely used for validation and debuggingSometimes, State-space explosion limits the use of toolsHence, model checkers operate on abstractions of systems

Software systems are typically infinite state systemsAbstraction is criticalPredicate abstraction of programs is implemented – One

approach Model checking finite state check an abstraction of a

software system

Model Checking

Algorithmic exploration of state space of the system

Several advances in the past decade: symbolic model checkingsymmetry reductionspartial order reductionscompositional model checkingbounded model checking using SAT solvers

Most hardware companies use a model checker in the validation cycle

April 18, 20234 Automatic Predicate Abstraction of C Programs

Abstraction

void add(Object o) { buffer[head] = o; head = (head+1)%size;}

Object take() { … tail=(tail+1)%size; return buffer[tail];}

Program Model CheckerInput

Infinite state Finite state

Abstraction (A simplified view)Abstraction is an effective tool in

verification

Given a transition system, we want to generate an abstract transition system which is easier to analyze

However, we want to make sure thatIf a property holds in the abstract transition

system, it also holds in the original (concrete) transition system

Abstraction (A simplified view)If the property does not hold in the abstract

transition system, what can we do?We can refine the abstract transition

system (split some states that we merged) The refined transition system should still

be an abstraction of the concrete transition system

Then, we can recheck the property again on the refined transition systemIf the property does not hold again, we can

refine again

Abstraction Refinement Loop

ActualProgramActual

ProgramBooleanProgramBooleanProgram

ModelChecker

Abstraction refinement

VerificationInitial

Abstraction

No erroror bug found

Spuriouscounterexample

Predicate AbstractionAn automated abstraction technique which can

be used to reduce the state space of a program

The basic idea here is to remove some variables from the program by just keeping information about a set of predicates about them

Predicate abstraction is a technique for doing such abstractions automatically

A Very Simple ExampleAssume that we have two integer variables x,yWe want to abstract the program using a single

predicate “x=y”We will divide the states of the program to two:

1. The states where “x=y” is true2. The states where “x=y” is false, i.e., “xy”

We will then merge all the states in the same set

This is an abstraction Basically, we forget everything except the

value of the predicate “x=y”

A Very Simple ExampleWe will represent the predicate “x=y” as the boolean

variable B in the abstract program “B=true” will mean “x=y” and “B=false” will mean “xy”

Assume that we want to abstract the following program which contains only one statement:

y := y+1

Predicate Abstraction, Step 1Calculate preconditions based on the predicate

y := y + 1 {x = y}

y := y + 1 {x y} {x y + 1}

{x = y + 1}

precondition for B being false afterexecuting the statement y:=y+1

precondition for B being true afterexecuting the statement y:=y+1

Using our temporal logic notationwe can say something like:{x=y+1} AX{x=y}

Again, using our temporal logic notation:{x≠y+1} AX{x≠y}

Predicate Abstraction, Step 2Use decision procedures to determine if the

predicates used for abstraction imply any of the preconditions

x = y x = y + 1 ? No

x y x = y + 1 ? No

x = y x y + 1 ? Yes

x y x y + 1 ? No

Predicate Abstraction, Step 3Generate abstract code

IF B THEN B := false ELSE B := true | false

y := y + 1

Predicate abstraction wrt the predicate “x=y”

y := y + 1 {x = y}

y := y + 1 {x y} {x y + 1}

{x = y + 1}

1) Computepreconditions

x = y x = y + 1 ? No

x y x = y + 1 ? No

x = y x y + 1 ? Yes

x y x y + 1 ? No2) Checkimplications

3) Generateabstract code

Automatic Predicate Abstraction

1st proposed by Graf & Saidi & reflected in T Ball’s work

Concrete states are mapped to abstract states under a finite set of predicates

Designed and implemented forFinite state systemsInfinite state systems specified as

Guarded CommandsNot implemented for a programming

language such as C

Predicate Abstraction of C (c2bp)Performs automatic predicate abstraction of

C programsInput: a C program P and set of predicates

Epredicate = pure C boolean expression

Output: a boolean program BP(P,E) that isa sound abstraction of Pa precise (boolean) abstraction of P

Resultsseparate compilation (predicate abstraction) in

presence of procedures and pointers

April 18, 2023Automatic Predicate Abstraction of C Programs

Predicate abstraction by C2BP

program P

Booleanprogram BP(P,E)

predicates E

Boolean program BP(P, E):

a C program with bool as type- plus some additional constructs- same control structure as P

GivenP : a C programE = {e1,...,en} : set of C boolean

expressions over the variables in PNo side effects, no procedure calls

Produces a boolean program BSame control-flow structure as PProperties true of B are true of P

Formal Properties of C2BPsoundness

B has a superset of the feasible paths in PIf {ei} is true (false) at some point on a path

in B, then ei is true (false) at that point along a corresponding path in P

complexity linear in size of programexponential in number of predicates

BEBOP model checker

A Symbolic Model Checker for Boolean Programs

Performs inter procedural dataflow analysis using binary decision diagrams (BDDs)

Used to analyze the boolean programBased on Context-free Language (CFL)

reachability (see Glossary)

What is SLAM?SLAM is a software model checking project at

Microsoft ResearchGoal: Automatically check C programs (system

software) against safety properties using model checking

Safety property – “something good happens” . An example: a lock is never released without first being acquired

Application domain: device drivers

Counterexample-driven refinementterminates in practice

SLAMInput

API usage rulesclient C source code “as is”

Analysiscreate, explore and refine boolean

program abstractions

OutputError traces (minimize noise)Verification (soundness)

Source Code

TestingDevelopment

PreciseAPI Usage Rules

(SLIC)

Software Model Checking

Read forunderstanding

New API rules

Drive testingtools

Defects

100% pathcoverage

Static Driver VerifierStatic Driver Verifier

SLAM ToolkitSLAM toolkit was developed to find errors in

windows device driversWindows device drivers are required to interact

with the windows kernel according to certain interface rules

SLAM toolkit has an interface specification language called SLIC (Specification Language for Interface Checking) which is used for writing these interface rules

The SLAM toolkit instruments the driver code with assertions based on these interface rules

Windows Device Drivers & SLICKernel presents a very complex interface to

driverstack of driversNT kernel multi-threaded

Correct API usage described by finite state protocols

SLICFinite state language for stating rulesmonitors behavior of C codetemporal safety propertiesfamiliar C syntax

NewtonGiven an error path p in boolean program B, it

checksis p a feasible path of the corresponding C

program?Yes: found an errorNo: find predicates that explain the

infeasibility

Uses the same interfaces to the theorem provers as c2bp.

How SLAM does it

Model checking a C program is not feasible!

Still model checking is very effective on model level ...

Idea: automatically extract an (abstract) model from C source.

But even this is hard: which aspects should be retained and hidden?? how to extract??

Idea: Start with a very abstract model, whose extraction is

quite trivial. Incrementally refine the abstraction as needed.April 18, 2023Automatic Predicate Abstraction of C Programs27

Sequential C program

Finite state machines

Source code

modelchecker

Traditional approach

Sequential C program

Finite state machines

Source code

abstraction

modelchecker

C data structures, pointers,procedure calls, parameter passing,scoping,control flow

Boolean program

Data flow analysis implemented using BDDs

Push down model

SLAM Soundness

Idea: SLAM constructs sound abstractions!

Therefore, theorem:

Every possible execution path of P is a possible execution path of A.

Therefore, theorem :

If A is a constructed abstraction of P, A preserves P’s control structure.

paths(P) paths(A)

So, if A satisfies the SLIC spec; so does P !

SLAM completeness

Unfortunately, the reverse of the previous theorem is generally not true

an execution path (including an error path) in A may not be

an execution path in P

so, an error found in A may be a false error

If A produces false errors, we can try to refine it (to make it more precise) to a new model A’ ; so an A’ such that:

(suggesting an iterative procedure....)

paths(P) paths(A’) paths(A)

SLAM main iteration32

Instrument Program

Abstraction

is feasible in P ? Model checking:A |= φ ?

Abstraction A of P'No. Then refine the abstraction

Instrumented program P'Initial predicates

Property φ

Program P

Property φ is invalid Property φ is valid

yes!no violation

violation by an error path

But verification is generally undecidable; hence this iteration may not terminate.

Pointers and SLAMAbstracting from a language with pointers (C) to

one without pointers (boolean programs) is a challenge

With pointers, C supports call by referenceStrictly speaking, C supports only call by valueWith pointers and the address-of operator, one can

simulate call-by-reference

Boolean programs support only call-by-value-resultSLAM mimics call-by-reference with call-by-value-result

Extra complications:address operator (&) in Cmultiple levels of pointer dereference in C

Challenges of predicate abstraction

Pointers: two related sub-problems treated in a uniform wayassignments through de-referenced pointers

in original C-programpointers & pointer-dereferences in the

predicates for the abstractionProcedures: allow procedural abstraction in

Boolean programs. They also have:global variablesprocedures with local variablescall-by-value parameter passingprocedural abstraction – signatures

constructed in isolation

Cont’d …

Procedure calls: abstraction process is challenging in the presence of pointersafter a call the caller must conservatively

update local state modified by proceduresound and precise approach that takes

side-effects into accountUnknown values: it is not always possible to

determine the effect of a statement in the C-program in terms of the input predicate set Esuch non-determinism handled in BP via

non-deterministic control expression ‘*’ which allows to implicitly express 3-valued domain for boolean variables

Assumption over a C-program:

All inter-procedural control flow is by if and goto

All expressions are free of side-effects & short-circuit evaluation

All expressions do not contain multiple pointer dereferences (e.g. **p)

Function calls occur at topmost level of expressions

Weakest PreconditionFor a statement ‘s’ and a predicate ‘φ’ , let WP(s, φ)

denote the weakest liberal precondition of φ with respect to ‘s’

For assignment statement,By definition WP(x = e, φ) is φ with all occurrences of x

replaced with e, denoted φ[e/x]For example WP(x=x+1, x<5) = (x+1) < 5 = (x<4)

Given S and Q, what is the weakest P’ satisfying {P’} S {Q} ?P' is called the weakest precondition of S with respect to Q, written

WP(S, Q)to check {P} S {Q}, check P P’C2BP uses decision procedures (i.e., a theorem

prover) to strengthen the weakest precondition

SLAM Future WorkMore impact

Static Driver Verifier (internal, external)

More featuresHeap abstractionsConcurrency

More languagesC# and CIL

Predicate abstraction overview

PA Problem: given (P, E) whereP is a C-programE = {φ1, …, φn} is a set of pure boolean

C-expressions over variables and constants of the C-language

Compute BP(P, E) which is a boolean program thathas some control structure as Pcontains only boolean variables V = {b1,

…, bn} where bi = {φi} represents predicate φiguaranteed to be an abstraction of P

(superset of traces modulo …)

SLAM – Software Model Checking

SLAM innovationsboolean programs: a new model for softwaremodel creation (c2bp)model checking (bebop)model refinement (newton)

SLAM toolkitbuilt on MSR program analysis infrastructureSLAM is Microsoft’s fully automated tool to verify

the correctness of C programsMore info:

http://www.research.microsoft.com/slam/ April 18, 202340 Automatic Predicate Abstraction of C Programs

GlossaryModel checking Checking properties by systematic exploration of the state-space of a

model. Properties are usually specified as state machines, or using temporal logics

Safety properties Properties whose violation can be witnessed by a finite run of the system. The most common safety properties are invariants

Reachability Specialization of model checking to invariant checking. Properties are specified as invariants. Most common use of model checking. Safety properties can be reduced to reachability.

Boolean programs “C”-like programs with only boolean variables. Invariant checking and reachability is decidable for boolean programs.

Predicate A Boolean expression over the state-space of the program eg. (x < 5)

Predicate abstraction A technique to construct a boolean model from a system using a given set of predicates. Each predicate is represented by a boolean variable in the model.

Weakest precondition The weakest precondition of a set of states S with respect to a statement T is the largest set of states from which executing T, when terminating, always results in a state in S.

Thank You for your Attention!

Questions are welcome

Universität Paderborn Prof. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert...

Documents

1 Protection of soil carbon content as a climate change mitigation tool Peter Wehrheim Head of Unit, DG CLIMA Unit A2: Climate finance and deforestation

Austrian ournal of Cardiolog Österreichische eitschrift fr ... · PDF fileAnatomie und Planung R. Maier, G. Fürnau, M. Wonisch, F. M. Fruhwald, ... Klinische Abteilung für Kardio-logie,

FROM INSTRUCTION TO COLLABORATIONorcit.eu/wp-content/uploads/2016/09/ORCIT-conference-16-programme1.pdfand professional interpreters Anne Wehrheim, Glossima-Wehrheim, Greece. 5 Friday

Histomorphometric evaluation of Direct Laser Metal Forming ... · an ascending series of alcohol rinses and embedded in a glycolmethacrylate resin (Technovit 7200, VLC, Kulzer, Wehrheim,

Katalog Fa. Ebert · Ludwig Ebert – Fachbetrieb für Betätigungszüge , Mühlenweg 11 a , 61273 Wehrheim-Obernhain Seite 3 Konstruktiver Aufbau Beispiel 1 1 Pressnippel Form C

Arno Wonisch

Eigenprodukte im Online-Handel Von der Werkstatt zum Internet … · 2016. 4. 16. · 3 (C) 2016 Michael Ziegert: Eigenprodukte im Online-Handel, Vortrag 15.April 2016 Eigenprodukte

Introduction - Presbyterian Publishing Corporation Godviews.pdf · By Jack Haberer Study Guide by Carol Wehrheim Introduction T his study guide for GodViews: The Convictions That

Instanton Floer homology with Lagrangian …salamon/PREPRINTS/floer-DSKW...Instanton Floer homology with Lagrangian boundary conditions Dietmar Salamon ETH-Zuric h Katrin Wehrheim

Hrvatski pogledi na odnose između hrvatskoga, …...Branko Tošović, Arno Wonisch (ur.) Hrvatski pogledi na odnose između hrvatskoga, srpskoga i bosanskoga/bošnjačkoga jezika

Karl Richard Ziegert Zivilreligion - Lau Verlag – WillkommenZivilreligion.pdf · OLZOG Karl Richard Ziegert Zivilreligion Der protestantische Verrat an Luther Wie sie in Deutschland

Arno Wonisch Institut für Slawistik der Karl-Franzens-Universität Graz Pronomina im Gralis-Korpus – grammatikalische Eigenschaften 3. Symposium Die grammatikalischen

Technische Informatik SStudienseminar Offenbach WhTechnische Informatik SStudienseminar Offenbach Wh O. Wehrheim 2011 8 5.1 Subtraktion Methode : Komplementäraddition Man kann die

Cédric Ulmer Markus Lauff, Axel Spriestersbach, Thomas Ziegert, Amy Yu

Katrin Wonisch IM07SMDS ~ SS 2010. Seit 1953 gibt es Studien die, die Erwartungen und Sichtweisen dokumentieren Zum 16. Mal herausgegeben Gibt gesellschaftspolitische

TSG Wehrheim Leichtathletik 2014 -Aktive · TSG Wehrheim Leichtathletik 2014 -Aktive Strehl Maximilian ´93 Männer Platzierungen bei Meisterschaften Kreis, Hessische, Regional, Süddeutsche,

EGK 2011: Construction 06 ZIEGERT-ROSWAG-SEILER

A UNIFIED APPROACH TO GLOBAL PROGRAM OPTIMIZATION Proseminar „Programmanalyse”, Prof. Dr. Heike Wehrheim Universität Paderborn, WS 2011/2012

Case of the Day – Thursday MUSCULOSKELETAL MUSCULOSKELETAL Andrew J. Ziegert, MD 1, Kirkland W. Davis 1, MD, Stacy E. Smith, MD 2 Stacy E. Smith, MD 2

Wehrheim v McGovern-Barbash Assoc., LLC › Reporter › pdfs › 2015 › 2015_31608.pdf · Wehrheim v McGovem-Barbash Assoc. Index No. 07-35912 Page 4of5 Ctr., 64 NY2d 851, 487