1 / 29

SLAM Over the Summer

SLAM Over the Summer. Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das). SLAM in 60 seconds. Question: does program meet safety policy? If not, give a counter-example 1. Instrument C program with policy 2. Abstract C program to boolean program 3. Model-check boolean program

ling
Télécharger la présentation

SLAM Over the Summer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)

  2. SLAM in 60 seconds • Question: does program meet safety policy? • If not, give a counter-example • 1. Instrument C program with policy • 2. Abstract C program to boolean program • 3. Model-check boolean program • 4. Is resulting error trace feasible? • 5. If not, refine abstraction, goto 2

  3. C program Spec. SLIC GOLF predicates Boolean program CFG + VFG c2bp bebop predicates Pass newton Fail, p GUI Error

  4. The Cunning Plan • Study SLAM termination • Make SLAM scale to real programs • Come up with interesting specifications • Run SLAM on device drivers • Find bugs • Retire to a life of luxury, resting on laurels

  5. SLAM Termination • If abstract interpretation with widening terminates, will SLAM with widening terminate as well? • Answer: Yes. • Andreas Podelski finished this before I arrived …

  6. 5 Secrets to Scaling SLAM • Don’tfork() 1 theorem prover per query • Don’t cache theorem prover results • Do cache theorem prover results (even between iterations) • Do store the CFG, don’t re-parse • Don’t use algorithms that require exponential stack space

  7. Specify, specify, specify • SLAM specifications (“slic”) • are like monitors • instrument function calls, returns • can mimic a sort of type state • A week or two after I arrived, Manuel Fandrich wrote up a lovely IO spec

  8. start NP CallDriver SKIP1 SKIP2 return child status Skip CallDriver IPC synch MPR3 NP CallDriver prop completion PPC not pending returned MPR completion Complete request CallDriver MPR1 MPR2 DC return not Pend no prop completion synch CallDriver N/A N/A IRP accessible CallDriver start P SKIP2 Mark Pending SKIP1 Skip CallDriver IPC synch MPR3 NP CallDriver prop completion return Pending PPC not pending returned MPR completion Complete request CallDriver MPR1 MPR2 DC no prop completion CallDriver N?A

  9. SLAMzilla vs. moNThra • “Classic” SLAM does not scale • 25 iterations on floppy.c (for a simpler spec) • each iter adds a few predicates, repeats work • see “Lazy Abstraction” / BLAST project • “Classic” SLAM vs. NT: either SLAM • has an internal error • fails to terminate • exhausts virtual memory

  10. Iterative Predicate Generation • Normally SLAM starts with all predicates mentioned in the spec • Must rediscover “unintersting” predicates • Example: • x = y; • if (x == FAILURE) abort(); • One iteration just to get “y == FAILURE”

  11. Value Flow Idea • Run some Value Flow algorithm on instrumented program • See what values can flow into final important “if” statements • Generate those predicates in advance • Rejoice as SLAM actually terminates

  12. The Magic Bullet Theory • For a restricted subset of C • Find enough predicates • So that SLAM terminates correctly • In just 1 iteration • If real program not in restricted subset of C, iterate to find remaining predicates

  13. How restricted? • v1 = v2 • v = i // (i Î Z) • if (*) stmt1 else stmt2 • v1 = fun(v2, …) • return v • abortif(v1» v2) // some relop • sometimes v1 = v2Å v3 // some binops

  14. “Simple” Example foo(int a, int b) abortif(a » b) pick(int s) int v; if (*) v = s; else v = 4; return v bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

  15. Value Flow Graph 2 x z c p a 3 s v y d q b Recall the goal: Decide if a » b 4 5

  16. The Lofty Ideal • If we knew the final values of a and b (e.g., “3” and “5”) we could decide a»b • Walk back in the graph from a • Take every edge “x®z”, “2®x” • Add the predicates “x == z”, “2 == x” • Do the same for b • Voila!

  17. Theory and Practice Let’s try it on the a branch … 2 x z c p a 3 s v y d q b p==a c==p z==c x==z 2==x 3==x 4 5

  18. The Root of the Problem Let’s try it on the a branch … 2 x z c p a 3 s v y d q b p==a // Bad (no scope) c==p // OK z==c // Bad (no scope) x==z // OK 2==x // OK 3==x // OK 4 5

  19. Scoping Things Out There is no scope in which “z == c” is a valid predicate. But this predicate is necessary! Solution: link all ground terms to c bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

  20. Value Flow Revised 2 x z c p a 3 s v y d q b Red ® represents function calls and returns (crossing scopes) 4 5

  21. Value Flow Fixup 2 x z c p a 3 s v y d q b Concentrating just on z®c, conceptually add 3®c and 2®c, thus adding “3==c” and “2==c” 4 5

  22. Fixup Bonanza 2 x z c p a 3 s v y d q b 4 5

  23. Why does it work? There is no scope in which “z == c” is a valid predicate. However… If we know “z==2” or “z==3” We can easily prove “c==2” or “c==3” at the call-site And “c==2 & z==2” implies “c==z” bar(int c, int d) int p,q; p = c; q = d; foo(p,q) main() int x,y,z; x = 2; x = 3; y = 5; y = pick(3); z = x; bar(z,y);

  24. This is Weak • It relies on having a constant, finite set of “ground terms” (like “2” and “3”) • It will generate many more predicates than necessary (it ignores control-flow) • aÅb only works if the result is a ground term that reaches a or b (e.g., no *p) • But we have iteration to pick up the pieces

  25. Extensions • If we know more about the predicate a » b, we can do better: • a £ b, a < b, etc. • Run algorithm as before, generate “x £ 5” instead of “x == 5”, keep “vi == vj” • a = 5 • Run algorithm as before, ignore actual set of ground terms, always generate “vi == 5”

  26. Variable Equality (a==b) 2 x z c p a 3 s v y d q b Consider the intersection of the ground terms: “a==3” and “b==3”, etc., should suffice, right? Sadly, no. 4 5

  27. Results? • Floppy driver (1 bug) (3 iterations instead of 25) • 6500 lines, simple spec • 21 global predicates • 741 local predicates • 72 max local in scope • Battery driver (2 bugs) (8 iterations instead of crashing) • 2410 lines, that complex spec • 18 global predicates • 137 local predicates • 24 max local in scope

  28. SLAM-PCC • Perhaps not of general interest • Verify bprog=c2bp(preds,cprog) • requires O(|CFG|*2|preds|) proofs • Verify final result: • Standard VCGen(cprog,property) • Get loop invariants, function pre-post from model checker

  29. Questions?

More Related