
Universität Paderborn. Prof. Dr. Heike Wehrheim, Daniel Wonisch, Nils Timm, Steffen Ziegert

Verification of parameterised systems

Automatic Predicate Abstraction of C Programs

Shilpa Seshadri


Agenda
- Motivation
- Introduction
- C2BP Algorithm
- SLAM Toolkit
- Future Work
- Conclusion
- Discussion

April 18, 2023. Automatic Predicate Abstraction of C Programs


Motivation


Model checking
- Verification technique for finite state systems
- Widely used for validation and debugging
- Sometimes state-space explosion limits the use of the tools
- Hence, model checkers operate on abstractions of systems

Software systems
- Software systems are typically infinite state systems
- Abstraction is critical
- Predicate abstraction of programs is one approach: model check a finite state abstraction of a software system


Model Checking

Algorithmic exploration of state space of the system

Several advances in the past decade:
- symbolic model checking
- symmetry reductions
- partial order reductions
- compositional model checking
- bounded model checking using SAT solvers

Most hardware companies use a model checker in the validation cycle


Abstraction

void add(Object o) {
  buffer[head] = o;
  head = (head+1)%size;
}

Object take() {
  …
  tail = (tail+1)%size;
  return buffer[tail];
}

(Figure: the program, an infinite state system, is turned into the finite state input of the model checker.)


Abstraction (a simplified view)
- Abstraction is an effective tool in verification
- Given a transition system, we want to generate an abstract transition system which is easier to analyze
- However, we want to make sure that if a property holds in the abstract transition system, it also holds in the original (concrete) transition system


Abstraction (a simplified view)
- If the property does not hold in the abstract transition system, what can we do?
- We can refine the abstract transition system (split some states that we merged)
- The refined transition system should still be an abstraction of the concrete transition system
- Then we can recheck the property on the refined transition system
- If the property does not hold again, we can refine again


Abstraction Refinement Loop

(Figure: the actual program is turned by an initial abstraction into a boolean program, which the model checker verifies. The outcome is either "no error or bug found", or a spurious counterexample that drives abstraction refinement and a new boolean program.)


Predicate Abstraction
- An automated abstraction technique which can be used to reduce the state space of a program
- The basic idea is to remove some variables from the program, keeping only information about a set of predicates over them
- Predicate abstraction is a technique for doing such abstractions automatically


A Very Simple Example
- Assume that we have two integer variables x, y
- We want to abstract the program using a single predicate "x=y"
- We will divide the states of the program into two sets:
  1. The states where "x=y" is true
  2. The states where "x=y" is false, i.e., "x≠y"
- We will then merge all the states in the same set
- This is an abstraction: basically, we forget everything except the value of the predicate "x=y"


A Very Simple Example
- We will represent the predicate "x=y" as the boolean variable B in the abstract program: "B=true" will mean "x=y" and "B=false" will mean "x≠y"
- Assume that we want to abstract the following program, which contains only one statement:

  y := y+1


Predicate Abstraction, Step 1
Calculate preconditions based on the predicate

  {x = y + 1}  y := y + 1  {x = y}
  precondition for B being true after executing the statement y := y+1
  Using our temporal logic notation we can say something like: {x=y+1} ⇒ AX {x=y}

  {x ≠ y + 1}  y := y + 1  {x ≠ y}
  precondition for B being false after executing the statement y := y+1
  Again, using our temporal logic notation: {x≠y+1} ⇒ AX {x≠y}


Predicate Abstraction, Step 2
Use decision procedures to determine if the predicates used for abstraction imply any of the preconditions

  x = y ⇒ x = y + 1 ? No
  x ≠ y ⇒ x = y + 1 ? No
  x = y ⇒ x ≠ y + 1 ? Yes
  x ≠ y ⇒ x ≠ y + 1 ? No


Predicate Abstraction, Step 3
Generate abstract code

  IF B THEN B := false ELSE B := true | false

Summary: predicate abstraction of y := y + 1 with respect to the predicate "x=y"

1) Compute preconditions
  {x = y + 1}  y := y + 1  {x = y}
  {x ≠ y + 1}  y := y + 1  {x ≠ y}

2) Check implications
  x = y ⇒ x = y + 1 ? No
  x ≠ y ⇒ x = y + 1 ? No
  x = y ⇒ x ≠ y + 1 ? Yes
  x ≠ y ⇒ x ≠ y + 1 ? No

3) Generate abstract code
  IF B THEN B := false ELSE B := true | false
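The three steps above, and the substitution rule WP(x = e, φ) = φ[e/x] from the Weakest Precondition slide later in the deck, worked as an added Python example that is not part of the original slides. Assumptions: variables are integers, predicates and right-hand sides are Python expression strings, and the theorem-prover call of step 2 is replaced by exhaustive checking over a small integer range (a stand-in that is only sound within that range; C2BP calls a real decision procedure).

```python
# Added example, not from the slides: C2BP's three steps for one assignment.
# Assumptions: integer variables, predicates as Python expression strings, and a
# bounded enumeration standing in for the theorem prover of step 2.
import ast
import itertools


class Subst(ast.NodeTransformer):
    """Replace every occurrence of variable `name` by the expression `repl`."""

    def __init__(self, name, repl):
        self.name, self.repl = name, repl

    def visit_Name(self, node):
        return self.repl if node.id == self.name else node


def wp(var, rhs, phi):
    """Step 1: WP(var := rhs, phi) = phi[rhs/var], i.e. textual substitution."""
    tree = ast.parse(phi, mode="eval")
    repl = ast.parse(rhs, mode="eval").body
    return ast.unparse(ast.fix_missing_locations(Subst(var, repl).visit(tree)))


def implies(lhs, rhs, variables, bound=6):
    """Step 2 stand-in for the theorem prover: does lhs imply rhs for every
    assignment of `variables` in [-bound, bound]?  Sound only inside the bound;
    C2BP asks a real decision procedure here."""
    lhs_c = compile(lhs, "<lhs>", "eval")
    rhs_c = compile(rhs, "<rhs>", "eval")
    for vals in itertools.product(range(-bound, bound + 1), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if eval(lhs_c, {}, env) and not eval(rhs_c, {}, env):
            return False
    return True


def abstract_assignment(var, rhs, predicates, variables):
    """Step 3: boolean-program statements abstracting `var := rhs`.

    Boolean variable b_i stands for predicate phi_i.  For each phi_i we collect
    the literals (b_j or !b_j) whose predicate implies WP(s, phi_i), and those
    implying WP(s, not phi_i); choose(pos, neg) is true if some pos literal
    holds, false if some neg literal holds, and '*' (unknown) otherwise.
    All b_i are updated in parallel from the values before the statement.
    Simplification: only single literals are tried, not conjunctions (cubes)."""
    literals = []
    for j, phi in enumerate(predicates):
        literals += [(f"b{j}", phi), (f"!b{j}", f"not ({phi})")]
    stmts = []
    for i, phi in enumerate(predicates):
        wp_true = wp(var, rhs, phi)
        wp_false = wp(var, rhs, f"not ({phi})")
        pos = [lit for lit, p in literals if implies(p, wp_true, variables)]
        neg = [lit for lit, p in literals if implies(p, wp_false, variables)]
        stmts.append(f"b{i} := choose({' | '.join(pos) or 'false'}, "
                     f"{' | '.join(neg) or 'false'})")
    return stmts


if __name__ == "__main__":
    # The deck's example: predicate x = y, statement y := y + 1.
    # Yields "b0 := choose(false, b0)", i.e. IF B THEN B := false ELSE B := *.
    print(abstract_assignment("y", "y + 1", ["x == y"], ["x", "y"]))
    # The WP slide's example: WP(x = x + 1, x < 5) = (x + 1) < 5.
    print(wp("x", "x + 1", "x < 5"))
```

With a second predicate such as x < y the same routine shows why the result is exponential in the number of predicates: every literal is tested against every precondition.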


Automatic Predicate Abstraction


- First proposed by Graf and Saïdi, and reflected in T. Ball's work
- Concrete states are mapped to abstract states under a finite set of predicates
- Designed and implemented for finite state systems and for infinite state systems specified as guarded commands
- Not implemented for a programming language such as C


Predicate Abstraction of C (c2bp)
- Performs automatic predicate abstraction of C programs
- Input: a C program P and a set of predicates E (predicate = pure C boolean expression)
- Output: a boolean program BP(P,E) that is
  - a sound abstraction of P
  - a precise (boolean) abstraction of P
- Results: separate compilation (predicate abstraction) in the presence of procedures and pointers


Predicate abstraction by C2BP

(Figure: program P and predicates E are fed to C2BP, which produces the Boolean program BP(P,E).)


Boolean program BP(P, E):
- a C program with bool as the only type
- plus some additional constructs
- same control structure as P

Given
- P: a C program
- E = {e1,...,en}: a set of C boolean expressions over the variables in P, with no side effects and no procedure calls

Produces a boolean program B
- Same control-flow structure as P
- Properties true of B are true of P


Formal Properties of C2BP

Soundness
- B has a superset of the feasible paths in P
- If {ei} is true (false) at some point on a path in B, then ei is true (false) at that point along a corresponding path in P

Complexity
- linear in the size of the program
- exponential in the number of predicates


BEBOP model checker


- A symbolic model checker for boolean programs
- Performs interprocedural dataflow analysis using binary decision diagrams (BDDs)
- Used to analyze the boolean program
- Based on context-free language (CFL) reachability (see Glossary)


What is SLAM?
- SLAM is a software model checking project at Microsoft Research
- Goal: automatically check C programs (system software) against safety properties using model checking
- Safety property: "something good happens". An example: a lock is never released without first being acquired
- Application domain: device drivers
- Counterexample-driven refinement terminates in practice


SLAM

Input
- API usage rules
- client C source code "as is"

Analysis
- create, explore and refine boolean program abstractions

Output
- Error traces (minimize noise)
- Verification (soundness)


(Figure: Static Driver Verifier workflow, connecting development and its source code, precise API usage rules written in SLIC, software model checking with 100% path coverage, the defects it reports, testing and the tools it drives, reading for understanding, and new API rules fed back into the rules.)


SLAM Toolkit
- The SLAM toolkit was developed to find errors in Windows device drivers
- Windows device drivers are required to interact with the Windows kernel according to certain interface rules
- The SLAM toolkit has an interface specification language called SLIC (Specification Language for Interface Checking) which is used for writing these interface rules
- The SLAM toolkit instruments the driver code with assertions based on these interface rules


Windows Device Drivers & SLIC
- The kernel presents a very complex interface to drivers: a stack of drivers, and the NT kernel is multi-threaded
- Correct API usage is described by finite state protocols
- SLIC: a finite state language for stating rules; monitors the behavior of C code; temporal safety properties; familiar C syntax


Newton
- Given an error path p in boolean program B, it checks: is p a feasible path of the corresponding C program?
  - Yes: found an error
  - No: find predicates that explain the infeasibility
- Uses the same interfaces to the theorem provers as c2bp


How SLAM does it
- Model checking a C program is not feasible!
- Still, model checking is very effective on the model level ...
- Idea: automatically extract an (abstract) model from C source.
- But even this is hard: which aspects should be retained and which hidden? How to extract?
- Idea: start with a very abstract model, whose extraction is quite trivial. Incrementally refine the abstraction as needed.


Traditional approach (figure): source code (a sequential C program) is translated by hand into finite state machines (FSM), which are fed to the model checker.


SLAM (figure): source code (a sequential C program) goes through abstraction into a Boolean program, which takes the place of the finite state machines and is fed to the model checker as a push-down model; data flow analysis is implemented using BDDs. The abstraction has to deal with C data structures, pointers, procedure calls, parameter passing, scoping and control flow.


SLAM Soundness
- Idea: SLAM constructs sound abstractions!
- Therefore, theorem: every possible execution path of P is a possible execution path of A.
- Therefore, theorem: if A is a constructed abstraction of P, A preserves P's control structure.

  paths(P) ⊆ paths(A)

- So, if A satisfies the SLIC spec, so does P!


SLAM completeness
- Unfortunately, the reverse of the previous theorem is generally not true: an execution path (including an error path) in A may not be an execution path in P
- So, an error found in A may be a false error
- If A produces false errors, we can try to refine it (to make it more precise) to a new model A', so an A' such that

  paths(P) ⊆ paths(A') ⊆ paths(A)

  (suggesting an iterative procedure ...)


SLAM main iteration (figure):
- Input: program P and property φ
- Instrument program: yields the instrumented program P' and initial predicates
- Abstraction: yields an abstraction A of P'
- Model checking: A |= φ? If there is no violation: yes, property φ is valid
- If there is a violation by an error path: is the path feasible in P? If yes, property φ is invalid. If no, refine the abstraction and repeat.

But verification is generally undecidable; hence this iteration may not terminate.
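The completeness slide (an error path of A that is not a path of P is a false error) and the main iteration above, worked as an added Python example that is not from the slides: explicit-state reachability on a boolean program, where BEBOP would work symbolically with BDDs. The spin-lock loop, the instruction encoding and the `unknown`/`choose` forms are constructed for this example; the rule instrumented is the one quoted earlier, "a lock is never released without first being acquired".

```python
# Added example, not from the slides: explicit-state reachability over a boolean
# program (BEBOP does this symbolically with BDDs) for constructed abstractions
# of the SLAM spin-lock loop, with the SLIC lock rule instrumented as assertions.
from collections import deque

ERROR = -1  # pseudo program counter reached when an assertion fails

def choose(pos, neg):
    """C2BP's choose: True if pos holds, False if neg holds, else unknown (None)."""
    return True if pos else (False if neg else None)

def reachable_error(program, variables):
    """BFS over (pc, state), state = frozenset of true variables.  An expression
    that evaluates to None (unknown) is resolved both ways, so every path of the
    abstraction is explored.  Returns the pcs of an error path, or None."""
    def evaluate(expr, state):
        env = {v: (v in state) for v in variables}
        return eval(expr, {"choose": choose, "unknown": None}, env)

    def successors(pc, state):
        op = program[pc]
        if op[0] == "assign":       # ("assign", var, expr)
            val = evaluate(op[2], state)
            for v in ((True, False) if val is None else (bool(val),)):
                yield pc + 1, (state | {op[1]}) if v else (state - {op[1]})
        elif op[0] == "branch":     # ("branch", cond, target): jump if cond holds
            val = evaluate(op[1], state)
            if val is None or val:
                yield op[2], state
            if val is None or not val:
                yield pc + 1, state
        elif op[0] == "assert":     # ("assert", cond): the instrumented SLIC check
            yield (pc + 1 if evaluate(op[1], state) else ERROR), state

    start = (0, frozenset())
    seen, queue = {start}, deque([(start, [0])])
    while queue:
        (pc, state), path = queue.popleft()
        if pc == ERROR:
            return path
        for succ in successors(pc, state):
            if succ not in seen:
                seen.add(succ)
                queue.append((succ, path + [succ[0]]))
    return None

# Constructed C loop being abstracted (all boolean variables start false):
#   do { KeAcquireSpinLock(); nPacketsOld = nPackets;
#        if (request) { KeReleaseSpinLock(); nPackets++; }
#   } while (nPackets != nPacketsOld);   KeReleaseSpinLock();
# Abstraction A with E = {}: every data-dependent test becomes unknown.
A_NO_PREDICATES = [
    ("assign", "locked", "True"),     # KeAcquireSpinLock()
    ("branch", "unknown", 4),         # if (!request) skip the release
    ("assert", "locked"),             # KeReleaseSpinLock(): rule check
    ("assign", "locked", "False"),
    ("branch", "unknown", 0),         # while (nPackets != nPacketsOld)
    ("assert", "locked"),             # KeReleaseSpinLock()
    ("halt",),
]
# Refined abstraction A' with E = {b}, b standing for nPackets == nPacketsOld;
# the assignment to b is what the C2BP steps produce for nPackets++.
A_REFINED = [
    ("assign", "locked", "True"),
    ("assign", "b", "True"),              # nPacketsOld = nPackets
    ("branch", "unknown", 6),
    ("assert", "locked"),
    ("assign", "locked", "False"),
    ("assign", "b", "choose(False, b)"),  # nPackets++
    ("branch", "not b", 0),               # nPackets != nPacketsOld
    ("assert", "locked"),
    ("halt",),
]
```

Running `reachable_error` on A_NO_PREDICATES returns the error path through the double release; the same check on A_REFINED returns None, so the rule holds of A' and hence, by paths(P) ⊆ paths(A'), of the program.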


Pointers and SLAM
- Abstracting from a language with pointers (C) to one without pointers (boolean programs) is a challenge
- With pointers, C supports call by reference
  - Strictly speaking, C supports only call by value
  - With pointers and the address-of operator, one can simulate call-by-reference
- Boolean programs support only call-by-value-result
- SLAM mimics call-by-reference with call-by-value-result
- Extra complications: the address operator (&) in C; multiple levels of pointer dereference in C


Challenges of predicate abstraction


- Pointers: two related sub-problems treated in a uniform way
  - assignments through dereferenced pointers in the original C program
  - pointers and pointer dereferences in the predicates for the abstraction
- Procedures: allow procedural abstraction in Boolean programs. They also have:
  - global variables
  - procedures with local variables
  - call-by-value parameter passing
  - procedural abstraction: signatures constructed in isolation

Challenges of predicate abstraction (cont'd)

- Procedure calls: the abstraction process is challenging in the presence of pointers
  - after a call, the caller must conservatively update local state modified by the procedure
  - sound and precise approach that takes side-effects into account
- Unknown values: it is not always possible to determine the effect of a statement in the C program in terms of the input predicate set E
  - such non-determinism is handled in BP via the non-deterministic control expression '*', which allows a 3-valued domain for boolean variables to be expressed implicitly

Assumptions on the C program:
- All inter-procedural control flow is by if and goto
- All expressions are free of side-effects and short-circuit evaluation
- No expression contains multiple pointer dereferences (e.g. **p)
- Function calls occur at the topmost level of expressions


Weakest Precondition
- For a statement s and a predicate φ, let WP(s, φ) denote the weakest liberal precondition of φ with respect to s
- For an assignment statement, by definition WP(x = e, φ) is φ with all occurrences of x replaced with e, denoted φ[e/x]
  For example WP(x=x+1, x<5) = (x+1) < 5 = (x<4)
- Given S and Q, what is the weakest P' satisfying {P'} S {Q}? P' is called the weakest precondition of S with respect to Q, written WP(S, Q)
- To check {P} S {Q}, check P ⇒ P'
- C2BP uses decision procedures (i.e., a theorem prover) to strengthen the weakest precondition


SLAM Future Work
- More impact: Static Driver Verifier (internal, external)
- More features: heap abstractions, concurrency
- More languages: C# and CIL


Predicate abstraction overview


PA Problem: given (P, E) where
- P is a C program
- E = {φ1, …, φn} is a set of pure boolean C expressions over variables and constants of the C language

Compute BP(P, E), which is a boolean program that
- has the same control structure as P
- contains only boolean variables V = {b1, …, bn}, where bi = {φi} represents predicate φi
- is guaranteed to be an abstraction of P (superset of traces modulo …)


SLAM – Software Model Checking

SLAM innovations
- boolean programs: a new model for software
- model creation (c2bp)
- model checking (bebop)
- model refinement (newton)

SLAM toolkit
- built on MSR program analysis infrastructure
- SLAM is Microsoft's fully automated tool to verify the correctness of C programs
- More info: http://www.research.microsoft.com/slam/


Glossary
- Model checking: Checking properties by systematic exploration of the state space of a model. Properties are usually specified as state machines, or using temporal logics.
- Safety properties: Properties whose violation can be witnessed by a finite run of the system. The most common safety properties are invariants.
- Reachability: Specialization of model checking to invariant checking. Properties are specified as invariants. The most common use of model checking. Safety properties can be reduced to reachability.
- Boolean programs: "C"-like programs with only boolean variables. Invariant checking and reachability are decidable for boolean programs.
- Predicate: A boolean expression over the state space of the program, e.g. (x < 5).
- Predicate abstraction: A technique to construct a boolean model from a system using a given set of predicates. Each predicate is represented by a boolean variable in the model.
- Weakest precondition: The weakest precondition of a set of states S with respect to a statement T is the largest set of states from which executing T, when terminating, always results in a state in S.


Thank You for your Attention!


Questions are welcome