1 / 21

Model Checking C Programs

Model Checking C Programs. Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America. Economic Impact of Software Verification. Simulation does not. scale. Unpredictable. Unpredictable. Not exhaustive. Not exhaustive.

elisa
Télécharger la présentation

Model Checking C Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking C Programs Zijiang (James) Yang Department of Computer Science Western Michigan University In collaboration with NEC Laboratories America

  2. Economic Impact of Software Verification Simulation does not scale Unpredictable Unpredictable Not exhaustive Not exhaustive • Cost of software bugs to U.S. economy in 2002: $60Billion • 80% of software development cost is in debugging • Simulation and Testing • Effective in discovering bugs in early stages • Expensive and not exhaustive!

  3. 4 49 148 2 100 200 2 51 102 2 50 100 4 2 54 4 1 52 4 0 50 2 49 98 2 1 2 2 0 0 2 2 4 10 -100 line x y 12 100 13 51 102 13 50 100 10 100 13 100 200 13 49 148 10 -99 10 2 10 50 12 49 12 50 12 51 12 0 12 1 12 2 13 0 56 10 1 10 51 13 0 55 13 0 54 13 0 53 13 2 54 13 1 52 10 49 13 0 52 13 0 51 10 0 13 0 50 6 0 53 6 0 51 6 0 55 6 0 54 6 0 50 6 0 56 6 0 49 6 0 52 Testing vs. Formal Verification 1:int foo(int x) { 2: int y = 2*x ; 3: if ( y < 100 ) 4: y += 50 ; 5: if ( y == 50 ) 6: y+=user(-1,6); 7: return y; 8: } 9: … … … … … … … … 1 0 1 1 1 2 1 49 1 50 1 51 1 100 … … … … … … 10: int bar (int x) { 11: int y ; 12:assume ( x >= 0 ); 13: y = foo(x) ; 14:assert ( y >= 50 ); 15: return y; 16: } … … … Simulation Testing … Legend 13 0 49

  4. Correctness Specification Formal relationship Implementation Design Formal Verification • Formal verification is the process of systematically checking that system behavior satisfies a given property, both described using formal models. • Automated and effective debugging • Systematic and exhaustive analysis • Scalability is still a problem • Effective use requires some expertise

  5. Software Verification Tool correct program bug property 1:void pivot_sort(int A[], int n){ 2:int pivot=A[0], low=0, high=n; 3:while ( low < high ) { 4:do { 5:low++ ; 6:} while ( A[low] <= pivot ) ; 7:do { 8:high - - ; 9:} while ( A[high] >= pivot ); 10:swap(&A[low],&A[high]); 11:} 12:} F-Soft F-Soft outputs a trace: Line 1: n=2, A[0]=10, A[1]=10 Line 2: pivot=10, low=0, high=2 Line 3: low < high ? YES! Line 5: low = 1 Line 6: A[low] <= pivot ? YES! Line 5: low = 2 Line 6: A[low] <= pivot ? Array Bound Violations? Buffer Overflow!!! F-Soft: Automated Bug Finder and Correctness Prover

  6. User-specified properties Source code Program slicing Automated properties Static Analysis Range analysis Testbench Generator Predicate Abstraction Bug Analysis & Refinement Boolean Model Builder Legend   Proof User input Boolean Analysis Automatic Automated F-Soft Software Verification Flow

  7. Properties Considered • Basic F-Soft mode: Automatically generated standard properties • (verification or warning mode) • Buffer overflow, array bound violations • Use of un-initialized variables • NULL pointer dereferencing • Alternating locks and unlocks of shared resources • File IO handling • Division by zero • Full mode: User specified properties • Software adheres to specification • User specified program assertions • High-Level System Properties

  8. void arithmetic(int *A,int n) { int sum=0, product=1, mean=0; int i = 0 ; while ( i < n ) { sum += A[i] ; product *= A[i] ; mean += A[i]/n; i++ ; } } void arithmetic(int *A,int n) { intsum=0, product=1, mean=0; int i = 0 ; while ( i < n ) { sum += A[i] ; product *= A[i] ; mean += A[i]/n; i++ ; } } original program slice with respect to sum Program Slicing • A program slice is a subset of the original code that only contains relevant statements to the computation of interest. • Based on static analysis of data and control flow

  9. Range Analysis • Goal: For a C program, automatically find the range and minimal number of bits needed to represent a variable • We are first to apply range analysis for verification of software int a; a = (b != 15); for (a = 0; a < 6; a++) { … } a: 32 bits/a:<MIN,MAX> a: 1 bit/a:<0,1> a: 3 bits/a:<0,5> a: 3 bits/a:<0,6>

  10. y TT FT x FF TF Predicate Abstraction • Predicate abstraction is powerful technique to reduce system complexity from potentially infinite-state systems to finite domain • Predicates are relational expressions over program variables • Abstraction using k predicates results in at most 2k abstract states int x , y ; if ( x>0 ){ … y = x+1 ; … } else { … y = x+2 ; … } bool bx , by ; if ( bx ){ … by = T ; … } else { … by{T,F}; … } Predicate abstraction bx := (x > 0) by := (y > 0) Abstract data variables using Booleans.

  11. safe system abstract unsafe path concrete system refine model abstract system spurious path concrete path forward analysis Abstraction Refinement Flow analysis engine

  12. Control Flow Graph Computation 1: void bar() { 2: int x = 3 , y = x-3 ; 3: while ( x <= 4 ) { 4: y++ ; 5: x = foo(x); 6: } 7: y = foo(y); 8: } 9: 10: int foo ( int l ) { 11: int t = l+2 ; 12: if ( t>6 ) 13: t -= 3; 14: else 15: t--; 16: return t; 17: } Line 2 Line 4 Line 3 Line 5 (call) Line 7 (call) Lines 11-12,14 Line 13 Line 5 (return) Line 7 (return) Line 16 Line 15

  13. Control Logic Example 0 x<=4 1 2 x>4 3 4 t>6 9 6 5 t<=6 !rtr rtr 8 7 10

  14. Control Logic • Let N be the number of basic blocks, PC variable needs logN bits • Next state logic ci’=j:vij’=1(kj  p:vpj=1 cp  p:vpj=0 cp)

  15. Data Logic • Simplify assignments in basic blocks • Sequential --> parallel • Pointers • Assume a variable vj • Assigned in blocks {b1…bk} with expressions {Lj1…Ljk} • Not assigned in blocks {bk+1…bN} • Next state logic of vj vj’= i=1,k(c1…cn=biLji)  i=k+1,N(c1…cn=bivj)

  16. Step1 Step 2 Step n-1 Step n Bounded Model Checking (BMC) • Search for a bounded length counterexample • By unrolling steps of programs, no complete (fixpoint) traversal • Formula is satisfiable if and only if a counterexample exists • Checked by a SAT solver Input PS1 NS1=PS2

  17. static void fsm_rtermack(fsm *f){ switch (f->state) { /* other cases here */ case OPENED: if ( f->callbacks->down) (*f->callbacks->down)(f); /* informing upper layers */ fsm_sconfreq(f,0); break ; } } Public implementation Missing: f->state = REQSENT; F-Soft Case Study: Network Protocol PPP • Point-to-Point Protocol (PPP) • Analyzed LCP (link control protocol) part of PPP that establishes, configures, and tests a data-link connection • Specification is given as RFC 1661 • Linux implementation contains about 2000 lines of C code • Property: Implementation adheres to specification RFC 1661

  18. VOID FloppyProcessQueuedRequests ( IN OUT PDISKETTE_EXTENSION DisketteExtension) { PLIST_ENTRY headOfList; KeAcquireSpinLock(&DisketteExtension, &oldIrql); while ((headOfList = ExInterlockedRemoveHeadList(…)!=NULL{ currentIrp = CONTAINING_RECORD( headOfList,…); if (IoSetCancelRoutine( currentIrp, NULL)) irpSp = IoGetCurrentIrpStackLocation( currentIrp ); else { … } KeReleaseSpinLock(&DisketteExtension,oldIrql); if (currentIrp) { … } else switch ( irpSp->MajorFunction ) { case IRP_MJ_READ: case IRP_MJ_WRITE: (VOID)FloppyReadWrite( DisketteExtension,currentIrp); break; case IRP_MJ_DEVICE_CONTROL: (VOID)FloppyDeviceControl(DisketteExtension, currentIrp); break; default: … } if (currentIrp) FloppyPageEntireDriver(); KeAcquireSpinLock(&DisketteExtension,&oldIrql); } KeReleaseSpinLock(&DisketteExtension,oldIrql); } Property specified using automatically generated code: bool locked=FALSE; void KeAcquireSpinLock(…) { if (locked) abort() ; locked = TRUE; } void KeReleaseSpinLock(…){ if (!locked) abort() ; locked = FALSE ; } void abort() { assert(0); } Automatically generated property monitor Disk driver implementation F-Soft Case Study: Floppy Disk Driver • Important property: Does the code obey the locking rules? • Rule 1: Only an unlocked resource can be locked. • Rule 2: Only a locked resource can be unlocked.

  19. F-Soft Case Study: Serial Device Driver • Source code from WINDDK 3790 for Windows NT • “Plug and Play” compliant serial 16550-based RS-232 driver • Lines of code measures • 31,930 lines of C source code for this device driver • Additionally, > 600,000 lines of C code in included header files • Property analyzed for this device driver • Alternating use of acquiring and releasing locks • Among the 93 API functions • Basic F-Soft v0.3 proves 72 API functions correct within a few minutes • Improvements expected in follow-up releases

  20. Conclusions • Software verification can • Find tricky bugs otherwise cannot be found by traditional methods • improve software development productivity • F-Soft provides R&D framework for efficient SW verification • Controlling complexity by block-wise program analysis • Various techniques to reduce the program sizes • Boolean representation of C programs • Specialized heuristics for analysis of program model

  21. Thank you! Zijiang (James) Yang

More Related