Soundness and Completeness of the NRB verification logic (OpenCert 2013)
Peter T. Breuer, University of Birmingham, UK
Simon J. Pickin, Universidad Complutense de Madrid, Spain


DESCRIPTION

Slides for paper "Soundness and Completeness of the NRB verification logic" at OpenCert 2013. See http://www.academia.edu/3772511/Soundness_and_Completeness_of_the_NRB_Verification_Logic for full paper.


Page 1: Soundness and Completeness of the NRB verification logic (OpenCert 2013)

Soundness and Completeness of the NRB verification logic

Peter T. Breuer, University of Birmingham, UK

Simon J. Pickin, Universidad Complutense de Madrid, Spain

Page 2

Static Analysis of Linux kernel

● NRB logic used in static analysis of the Linux kernel (LK)

– Found `sleep-under-spinlock' deadlocks

● Proved no more exist than those found

– v2.6 Linux kernel

– Million LOC barrier broken in 2006

● Suitable for distributed computation

– Certification on the 'open' model

● Many contributions, repeated at will

● Confidence because a false result will be found

Page 3

Who guarantees the guarantor?

● Logic provides guarantees for an analysis

● Satisfy obligation to guarantee the logic

Page 4

Idea of the logic

[Diagram: sequence a;b annotated with precondition {p} before a, {q} between a and b, and {r} after b; each of a and b also has an error exit annotated {s}.]

Sequence a;b can either error in a with s, or complete a normally with q. Code b can either error with s or complete normally with r.

{p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}

Page 5

NRB: Strengths and Weaknesses

● Excellent at following control flow

– Classical program logics don't really do gotos

● Poor at understanding data (following pointers)

– Uses events on traces instead

● Approximate (from above)

– Gives false alarms for possible breaches of safety conditions

– Does not miss any real alarms
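The sequence rule from slide 4 and the over-approximation point from slide 5, as an added example that is not from the paper or the authors' tool: an assumed toy transition model in which a state is just the spinlock nesting depth, programs are nondeterministic maps from a state to a set of runs ending in a normal ('N') or error ('E') exit, and the invented primitives `spin_lock`, `spin_unlock`, `skip` and `sleep` stand in for the kernel operations. `triple` checks {p} prog {E err ∨ N norm} exhaustively over the finite state space, `sequence_rule_holds` checks the rule {p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}, and `demo` shows a real sleep-under-spinlock error, a safe sequence, and a false alarm caused by the model keeping both branches of a `choice`.

```python
STATES = range(3)   # assumed toy model: a state is the spinlock nesting depth, checked exhaustively

# A program maps a state to the set of runs it can produce, each run ending
# ('N', s') for a normal exit or ('E', s') for an error exit.
def spin_lock(s):
    return frozenset({("N", s + 1)})
def spin_unlock(s):
    return frozenset({("N", max(s - 1, 0))})
def skip(s):
    return frozenset({("N", s)})
def sleep(s):
    # Sleeping while a spinlock is held is the 'sleep-under-spinlock' error exit.
    return frozenset({("E", s)}) if s > 0 else frozenset({("N", s)})

def choice(a, b):
    # Nondeterministic branch: the over-approximating model keeps both paths.
    return lambda s: a(s) | b(s)

def seq(a, b):
    # a;b: an error exit in a ends the sequence at once; a normal exit continues into b.
    def run(s):
        out = set()
        for outcome, s1 in a(s):
            out |= {("E", s1)} if outcome == "E" else b(s1)
        return frozenset(out)
    return run

def triple(p, prog, err, norm):
    """{p} prog {E err ∨ N norm}: every run from a p-state exits E at an err-state
    or N at a norm-state."""
    return all((o == "E" and err(s1)) or (o == "N" and norm(s1))
               for s in STATES if p(s) for o, s1 in prog(s))

def sequence_rule_holds(p, a, q, b, s_err, r):
    """{p} a {E s ∨ N q} ∧ {q} b {E s ∨ N r} ⇒ {p} a;b {E s ∨ N r}, checked in the model."""
    premises = triple(p, a, s_err, q) and triple(q, b, s_err, r)
    return (not premises) or triple(p, seq(a, b), s_err, r)

def demo():
    unlocked, locked, never = (lambda s: s == 0), (lambda s: s >= 1), (lambda s: False)
    bad = seq(spin_lock, sleep)                                      # real deadlock path
    safe = seq(spin_lock, seq(spin_unlock, sleep))                   # lock released first
    approx = seq(spin_lock, seq(choice(spin_unlock, skip), sleep))   # model unsure of unlock
    return {
        "rule": sequence_rule_holds(unlocked, spin_lock, locked, sleep, locked, never),
        "bad_errors_under_lock": triple(unlocked, bad, locked, never),
        "safe_never_errors": triple(unlocked, safe, never, unlocked),
        "approx_false_alarm": not triple(unlocked, approx, never, unlocked),
    }
```

The `approx` program really does release the lock on one path only, so the alarm it raises is the "false alarm from above" of slide 5; it is never missed, which is the "does not miss any real alarms" half.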

Page 6

Technical foundations

● That's what this paper provides for NRB!

– Soundness

● An easily comprehensible model in terms of transitions between states

– If you disagree with it you can see why you do

● Axioms of the logic are true in the model

– Completeness

● Logic is sufficient

– Shows anything shown by model-checking

– Symbolic reasoning misses nothing

Page 7

Completeness & Approximation

● The logic is approximate yet complete?

– Model of code contains more transitions than reality

– Logic is complete with respect to model

● If logic says breach of safety condition impossible

– Model has no transitions breaching condition

– So in reality, condition is never breached in program

Page 8

Distributed calculation

● Static analysis with NRB is split up

– Function and sub-function units

– Results stored in a decorated syntax tree

– Sub-problem data fully recoverable from tree

● Each sub-calculation checkable by any observer

– 'Accountable'

Page 9

Accountability

● Category-theoretic definition

– Calculation tree can be partially stripped down and partially redone in any order (and each partial result will be the same).

● Even a category-theoretic result ...

– Definition means there is a pre-inverse map to the map forgetting everything about the calculation tree except the ordering between pairs of subtrees: (p1,p2) ≤ (p3,p4) ⇔ p1 ≤ p2, p3 ≤ p4

Page 10

Conclusion

● NRB is a logic used in the past for massive static analysis of the Linux kernel

● Gives guarantees on the safety of code

● This paper gives technical guarantees on the reliability and reach of the logic