1 / 69

SLAM

SLAM. A Microsoft tool for checking safety of device drivers Inspired BLAST. BLAST. Berkeley Lazy Abstraction Software * Tool. www.eecs.berkeley.edu/~blast/. Counter Example Guided Refinement CEGAR. Mooly Sagiv. Recap. Many abstract domains Signs Odd/Even Constant propagation

Télécharger la présentation

SLAM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SLAM • A Microsoft tool for checking safety of device drivers • Inspired BLAST

  2. BLAST Berkeley Lazy Abstraction Software * Tool www.eecs.berkeley.edu/~blast/

  3. Counter Example Guided RefinementCEGAR Mooly Sagiv

  4. Recap • Many abstract domains • Signs • Odd/Even • Constant propagation • Intervals • [Polyhedra] • Canonic abstraction • Domain constructors • … • Static Algorithms • Iterative Chaotic Iterations • Widening/Narrowing • Interprocedural Analysis • Concurrency • Modularity • Non-Iterative methods

  5. A Lattice of Abstractions • Every element is an abstract domain • A  A’ if there exists a Galois Connection from A to A’

  6. But how to find the appropriate abstract domain • Precision vs. Scalability • Sometimes precision improves scalability • Specialize the abstraction for the desired property

  7. Counter Example Guided Refinement (CEGAR) • Run the analysis with a simple abstract domain • When the analysis verifies the property declare done • If the analysis reports an error employs a theorem prover to identify if the error is feasible • If the error is feasible generate a concrete trace • If the error is spurious refine the abstract domain and repeat

  8. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x) [x ] z = 5 [x ] y  0 [x P] [x ] F T x = z x = -y [x ] [x ] [x ] assert x >0

  9. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y) [x , y ] z = 5 [x , y] y > 0 [x , yN] [x , yP] T F x = z x = -y [x , yP] [x P, yN] [x , y] assert x >0

  10. A Simple Example z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [x , y, z ] z = 5 [x , y, zP ] y > 0 [x , yN, zP ] [x , yP, zP ] T F x = z x = -y [x P, yP, zP ] [x P, yN, zP ] [x P, y, zP ] assert x >0

  11. Simple Example (local abstractions) z =5 if (y >0) x = z; else x = -y; assert x >0 sign(x), sign(y), sign(z) [] z = 5 [zP ] y > 0 [yN] [yP, zP] T F x = z x = -y [x P] [x P] [x P] assert x >0

  12. Plan • CEGAR in BLAST (inspired by SLAM) POPL’04 • Limitations

  13. Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]

  14. Scalable Program Verification • Little theorems about big programs • Partial Specifications • Device drivers use kernel API correctly • Applications use root privileges correctly • Behavioral, path-sensitive properties

  15. Predicate Abstraction: A crash course Error Initial Program State Space Abstraction • Abstraction: Predicates on program state • Signs: x > 0 • Aliasing: &x  &y • States satisfying the same predicates are equivalent • Merged into single abstract state

  16. (Predicate) Abstraction: A crash course Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?

  17. The Predicate Abstraction Domain • Fixed set of predicates Pred • The relational domain is <P(P(Pred)), , P(Pred), , > • Join is set union • State space explosion • Special case of canonic abstraction

  18. Scalability vs. Verification scalability verification • Few predicates tracked • e.g. type of variables • Imprecision hinders Verification • Spurious counterexamples • Many predicates tracked • e.g. values of variables • State explosion • Analysis drowned in detail

  19. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock T F T unlock scalability lock Only track lock • Bogus Counterexample • Must correlate branches Predicatep1makes trace abstractly infeasible pi required for verification

  20. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock unlock verification scalability lock Only track lock Track lock, pi s • Bogus Counterexample • Must correlate branches • State Explosion • > 2n distinct states • intractable How can we get scalable verification ?

  21. p1 p2 pn By Localizing Precision while (*) { 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Q2: Where are the predicates required ?

  22. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract • explanation Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

  23. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement Abstract

  24. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement safe Abstract

  25. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG This Talk: Counterexample Analysis • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract

  26. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  27. Trace Formulas • A single abstract trace represents infinite number of traces • Different loop iterations • Different concrete values • Solution • Only considers concrete traces with the same number of executions • Use formulas to represent sets of states

  28. Representing States asFormulas • [F] • states satisfying F {s | s F } • F • FO formula over prog. vars • [F1] [F2] • F1F2 • [F1] [F2] • F1 F2 • [F] • F • [F1] [F2] • F1 implies F2 • i.e. F1  F2 unsatisfiable

  29. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  30. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  31. Traces pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: if (x = i-1){ pc5: if (y != i){ ERROR:} } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) y = x +1

  32. Trace Feasibility Formulas pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible, TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]

  33. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  34. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  35. Proof of Unsatisfiability x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 x1 = ctr0 x1 = i0 -1 ctr1= ctr0+1 ctr0 = i0-1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Proof of Unsatisfiability Trace Formula • PROBLEM • Proof uses entire history of execution • Information flows up and down • No localized or state information !

  36. The Present State… Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?

  37. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  38. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1  y1i0 x1 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 State… Predicate … … implied by TF prefix … on common variables 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  39. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  40. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible

  41. + - Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -+ is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has symbols common to -, + • + is unsatisfiable 

  42. Examplesof Craig’s Interpolation • - =b  (b c) + =c • - =x1 =ctr0  ctr1=ctr0+1y1=ctr1+ =x1=i0-1 y1i0 • y1 = x1 + 1

  43. Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has only symbols common to -, + • + is unsatisfiable  computable from Proof of Unsat. of - + [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]

  44. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate  + Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. + is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction

  45. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate  + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. + is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  46. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Predicate at pc4: y= x+1 - Interpolate  pc4 + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  47. Building Predicate Maps Predicate Map pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Interpolate x1 = ctr0 + pc2 • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  48. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate x1= ctr1-1 pc3 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  49. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 - Interpolate y1= i0 pc5 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  50. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 ctr1 = ctr0 + 1 y1 = ctr1 x1 = i0- 1 y1i0 Theorem:Predicatemap makes trace abstractly infeasible

More Related