
Page 1: Model Checking C Programs

Zijiang (James) Yang
Department of Computer Science
Western Michigan University

In collaboration with NEC Laboratories America

Page 2: Economic Impact of Software Verification

Cost of software bugs to U.S. economy in 2002: $60 billion

80% of software development cost is in debugging

Simulation and Testing: effective in discovering bugs in early stages, but expensive and not exhaustive!

Figure labels: Unpredictable; Not exhaustive; Simulation does not scale

Page 3: Testing vs. Formal Verification

    1:  int foo(int x) {
    2:    int y = 2*x ;
    3:    if ( y < 100 )
    4:      y += 50 ;
    5:    if ( y == 50 )
    6:      y += user(-1,6);    /* user() returns a value between -1 and 6 */
    7:    return y;
    8:  }
    9:
    10: int bar (int x) {
    11:   int y ;
    12:   assume ( x >= 0 );
    13:   y = foo(x) ;
    14:   assert ( y >= 50 );
    15:   return y;
    16: }

Figure: a table of runs with columns line, x, y, with a legend distinguishing Simulation from Testing runs of bar. Most values are not recoverable from the transcript; the visible testing rows at x = 0 reach y values from 49 to 56 at lines 6 and 13, so the assertion at line 14 can fail.
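The point of the slide is that random simulation may never hit the one input combination that breaks the assertion. The following is an added example, not code from the slides: it treats the return value of user(-1,6) as a nondeterministic input and exhaustively enumerates a bounded domain of x and that return value, which is the "systematic and exhaustive" idea in miniature.

```c
/* Added example (not from the slides): bounded exhaustive exploration of
 * bar() from Page 3, treating user(-1,6) as a nondeterministic input.
 * Random testing may never pick x == 0 together with user() == -1; an
 * exhaustive search over the bounded domain finds that violation at once. */
#include <stdio.h>

/* Result of one search: the assumption held and the assertion failed. */
struct violation { int found; int x; int user_ret; int y; };

/* foo() from the slide, with the nondeterministic user() call replaced by
 * an explicit parameter so that every choice can be enumerated. */
int foo(int x, int user_ret) {
    int y = 2 * x;
    if (y < 100)
        y += 50;
    if (y == 50)
        y += user_ret;          /* user() returns a value in [-1, 6] */
    return y;
}

/* bar() from the slide: assume(x >= 0); assert(y >= 50). Returns the first
 * (x, user_ret) pair that violates the assertion, or found == 0 if none. */
struct violation explore(int x_max) {
    struct violation v = {0, 0, 0, 0};
    for (int x = 0; x <= x_max; x++) {          /* assume(x >= 0) */
        for (int u = -1; u <= 6; u++) {         /* all returns of user() */
            int y = foo(x, u);
            if (y < 50) {                       /* assert(y >= 50) fails */
                v.found = 1; v.x = x; v.user_ret = u; v.y = y;
                return v;
            }
        }
    }
    return v;
}

int main(void) {
    struct violation v = explore(1000);
    if (v.found)
        printf("assertion violated: x=%d user()=%d y=%d\n", v.x, v.user_ret, v.y);
    else
        printf("no violation for 0 <= x <= 1000\n");
    return 0;
}
```

The only violating path is x = 0 (so y becomes exactly 50) followed by user() returning -1; every other x >= 0 leaves y at least 50.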

Page 4: Formal Verification

Formal verification is the process of systematically checking that system behavior satisfies a given property, both described using formal models.

Automated and effective debugging; systematic and exhaustive analysis.

Scalability is still a problem; effective use requires some expertise.

Figure labels: Specification, Implementation, Formal relationship, Correctness, Design

Page 5: F-Soft: Automated Bug Finder and Correctness Prover

    1:  void pivot_sort(int A[], int n){
    2:    int pivot=A[0], low=0, high=n;
    3:    while ( low < high ) {
    4:      do {
    5:        low++ ;
    6:      } while ( A[low] <= pivot ) ;
    7:      do {
    8:        high-- ;
    9:      } while ( A[high] >= pivot );
    10:     swap(&A[low],&A[high]);
    11:   }
    12: }

Array Bound Violations? F-Soft outputs a trace:

Line 1: n=2, A[0]=10, A[1]=10
Line 2: pivot=10, low=0, high=2
Line 5: low = 1
Line 6: A[low] <= pivot ? YES!
Line 3: low < high ? YES!
Line 5: low = 2
Line 6: A[low] <= pivot ? Buffer Overflow!!!

Figure: a Software Verification Tool takes a program and a property as inputs and reports either correct or bug.
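To make the trace above concrete, here is an added example (not F-Soft's own code): the slide's pivot_sort with every array access routed through a checked accessor, so running it on the trace input n=2, A={10,10} stops at the first out-of-bounds read and reports the line and index instead of silently reading past the buffer.

```c
/* Added example (not from the slides): the Page 5 pivot_sort instrumented
 * with a checked read, reproducing F-Soft's trace on n=2, A={10,10}. */
#include <stdio.h>

struct access_fault { int faulted; int line; int index; int n; };

static struct access_fault fault;           /* first fault seen, if any */

/* Checked read: records line and index of the first access outside [0, n). */
static int rd(const int A[], int n, int i, int line) {
    if (i < 0 || i >= n) {
        if (!fault.faulted) { fault.faulted = 1; fault.line = line; fault.index = i; fault.n = n; }
        return 0;                           /* dummy value; the caller stops */
    }
    return A[i];
}

static void swap(int *a, int *b) { int t = *a; *a = *b; *b = t; }

/* The line numbers passed to rd() mirror the slide's listing. */
struct access_fault checked_pivot_sort(int A[], int n) {
    fault.faulted = 0;
    int pivot = rd(A, n, 0, 2), low = 0, high = n;
    while (low < high) {
        do {
            low++;
        } while (!fault.faulted && rd(A, n, low, 6) <= pivot);
        if (fault.faulted) return fault;
        do {
            high--;
        } while (!fault.faulted && rd(A, n, high, 9) >= pivot);
        if (fault.faulted) return fault;
        swap(&A[low], &A[high]);
    }
    return fault;
}

int main(void) {
    int A[2] = {10, 10};                    /* constructed: the slide's trace input */
    struct access_fault f = checked_pivot_sort(A, 2);
    if (f.faulted)
        printf("out-of-bounds read at line %d: A[%d] with n=%d\n", f.line, f.index, f.n);
    else
        printf("no out-of-bounds access\n");
    return 0;
}
```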

Page 6: Automated F-Soft Software Verification Flow

Flow diagram (legend: user input vs. automatic steps). Boxes: Source code; User-specified properties; Automated properties; Static Analysis (Program slicing, Range analysis); Predicate Abstraction; Boolean Model Builder; Boolean Analysis; Analysis & Refinement; outputs Proof or Bug; Testbench Generator.

Page 7: Properties Considered

Basic F-Soft mode: automatically generated standard properties (verification or warning mode)
- Buffer overflow, array bound violations
- Use of un-initialized variables
- NULL pointer dereferencing
- Alternating locks and unlocks of shared resources
- File IO handling
- Division by zero

Full mode: user specified properties
- Software adheres to specification
- User specified program assertions
- High-level system properties

Page 8: Program Slicing

A program slice is a subset of the original code that only contains the statements relevant to the computation of interest.

Based on static analysis of data and control flow.

    void arithmetic(int *A, int n) {
        int sum=0, product=1, mean=0;
        int i = 0 ;
        while ( i < n ) {
            sum += A[i] ;
            product *= A[i] ;
            mean += A[i]/n;
            i++ ;
        }
    }

original program

    void arithmetic(int *A, int n) {
        int sum=0;
        int i = 0 ;
        while ( i < n ) {
            sum += A[i] ;
            i++ ;
        }
    }

slice with respect to sum (the statements for product and mean do not affect sum and are dropped)

Page 9: Range Analysis

Goal: for a C program, automatically find the range and the minimal number of bits needed to represent a variable.

We are the first to apply range analysis to the verification of software.

    int a;                            a: 32 bits / a:<MIN,MAX>
    a = (b != 15);                    a: 1 bit   / a:<0,1>
    for (a = 0; a < 6; a++) { … }     a: 3 bits  / a:<0,5> inside the loop, a:<0,6> after it

Page 10: Predicate Abstraction

Predicate abstraction is a powerful technique to reduce system complexity from potentially infinite-state systems to a finite domain. Predicates are relational expressions over program variables. Abstraction using k predicates results in at most 2^k abstract states.

Concrete program:

    int x , y ;
    if ( x>0 ){
        y = x+1 ;
    }
    else {
        y = x+2 ;
    }

Abstract program, with predicates bx := (x > 0) and by := (y > 0):

    bool bx , by ;
    if ( bx ){
        by = T ;
    }
    else {
        by = {T,F} ;   /* nondeterministic choice: either value is possible */
    }

Figure: the (x, y) plane partitioned into the four abstract states TF, TT, FF, FT. Abstract data variables using Booleans.
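Why the else branch yields by = {T,F} while the then branch yields by = T can be seen by mapping concrete runs onto the two predicates. The following is an added example, not code from the slides: it enumerates concrete x over a bounded range, runs the concrete program, and records which values of by are reachable from each value of bx. (Enumeration only under-approximates; a real predicate abstraction asks a decision procedure about all x, which is why the bounded range matters, as the usage note shows.)

```c
/* Added example (not from the slides): derive the abstract program's
 * transitions for the Page 10 if/else snippet by enumerating concrete x
 * values and mapping each run to bx := (x > 0), by := (y > 0). */
#include <stdio.h>

/* Concrete program from the slide. */
static int concrete(int x) {
    int y;
    if (x > 0) y = x + 1;
    else       y = x + 2;
    return y;
}

/* Abstract outcomes observed per branch as a bit set:
 * bit 0 set if by = F was seen, bit 1 set if by = T was seen. */
struct abs_result { int then_by; int else_by; };

struct abs_result abstract_transitions(int x_min, int x_max) {
    struct abs_result r = {0, 0};
    for (int x = x_min; x <= x_max; x++) {
        int bx = (x > 0);                 /* abstract pre-state */
        int by = (concrete(x) > 0);       /* abstract post-state */
        int bit = by ? 2 : 1;
        if (bx) r.then_by |= bit;         /* branch taken when bx = T */
        else    r.else_by |= bit;         /* branch taken when bx = F */
    }
    return r;
}

static const char *show(int bits) {
    return bits == 3 ? "{T,F}" : bits == 2 ? "T" : bits == 1 ? "F" : "(unreached)";
}

int main(void) {
    struct abs_result r = abstract_transitions(-100, 100);
    printf("bx = T: by = %s\n", show(r.then_by));   /* T */
    printf("bx = F: by = %s\n", show(r.else_by));   /* {T,F} */
    return 0;
}
```

With x restricted to [-1, 5] the else branch only ever produces by = T (x = -1 gives y = 1, x = 0 gives y = 2); the value by = F needs x <= -2, which is exactly the kind of case an exhaustive symbolic abstraction covers and a bounded enumeration can miss.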

Page 11: Abstraction Refinement Flow

Flow diagram: the concrete system is abstracted into an abstract system; the analysis engine runs a forward analysis on it and reports either a safe system or an unsafe path. An unsafe path is checked against the concrete system: a concrete path is a real bug, a spurious path is used to refine the model, and the loop repeats.

Page 12: Control Flow Graph Computation

    1:  void bar() {
    2:    int x = 3 , y = x-3 ;
    3:    while ( x <= 4 ) {
    4:      y++ ;
    5:      x = foo(x);
    6:    }
    7:    y = foo(y);
    8:  }
    9:
    10: int foo ( int l ) {
    11:   int t = l+2 ;
    12:   if ( t>6 )
    13:     t -= 3;
    14:   else
    15:     t--;
    16:   return t;
    17: }

Control flow graph nodes: Line 2; Line 3; Line 4; Line 5 (call); Lines 11-12, 14; Line 13; Line 15; Line 16; Line 5 (return); Line 7 (call); Line 7 (return).

Page 13: Control Logic Example

Figure: graph of basic blocks 0 to 10 with edges labelled x<=4, x>4, t>6, t<=6, !rtr and rtr; the remaining edges are unconditional.

    c3 c2 c1 c0 | c3' c2' c1' c0' | condition
     0  0  0  0 |  0   0   0   1  | 1
     0  0  0  1 |  0   0   1   0  | x<=4
     0  0  0  1 |  0   0   1   1  | x>4
     0  0  1  0 |  0   1   0   0  | 1
     0  0  1  1 |  0   1   0   1  | 1
     0  1  0  0 |  0   1   0   1  | 1
     0  1  0  1 |  0   1   1   0  | t>6
     0  1  0  1 |  0   1   1   1  | t<=6
     0  1  1  0 |  1   0   0   0  | 1
     0  1  1  1 |  1   0   0   0  | 1
     1  0  0  0 |  1   0   0   1  | rtr=0
     1  0  0  0 |  1   0   1   0  | rtr=1
     1  0  0  1 |  0   0   0   1  | 1

Page 14: Control Logic

Let N be the number of basic blocks; the PC variable needs $\log N$ bits.

Next state logic:

$$c_i' = \bigvee_{j : v'_{ij} = 1} \Big( k_j \wedge \bigwedge_{p : v_{pj} = 1} c_p \wedge \bigwedge_{p : v_{pj} = 0} \neg c_p \Big)$$
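The next-state formula can be evaluated directly from a transition table. The following is an added example, not code from the slides: it encodes the Page 13 graph as (source, target, condition) rows and computes each PC bit $c_i'$ exactly as the formula prescribes, as the disjunction over transitions whose target has bit i set of the guard $k_j$ conjoined with "the current PC equals the source encoding". The condition names and the exit behaviour of block 10 (no outgoing edge, so the next PC is 0) are my assumptions.

```c
/* Added example (not from the slides): PC next-state logic for the 11-block
 * control-flow graph of Page 13, computed bit by bit from the table. */
#include <stdio.h>

#define PC_BITS 4                /* ceil(log2 11) bits for 11 blocks */

/* Conditions guarding transitions; COND_TRUE is the constant 1. */
enum { COND_TRUE, X_LE_4, X_GT_4, T_GT_6, T_LE_6, RTR0, RTR1 };

struct edge { int src; int dst; int cond; };

/* Transition table from Page 13 (source block, target block, guard k_j). */
static const struct edge edges[] = {
    {0,1,COND_TRUE},{1,2,X_LE_4},{1,3,X_GT_4},{2,4,COND_TRUE},{3,5,COND_TRUE},
    {4,5,COND_TRUE},{5,6,T_GT_6},{5,7,T_LE_6},{6,8,COND_TRUE},{7,8,COND_TRUE},
    {8,9,RTR0},{8,10,RTR1},{9,1,COND_TRUE},
};

/* Evaluate k_j for the current data state (assumed variable names). */
static int cond_holds(int cond, int x, int t, int rtr) {
    switch (cond) {
    case X_LE_4: return x <= 4;   case X_GT_4: return x > 4;
    case T_GT_6: return t > 6;    case T_LE_6: return t <= 6;
    case RTR0:   return rtr == 0; case RTR1:   return rtr != 0;
    default:     return 1;
    }
}

/* c_i' = OR over edges j whose target has bit i set (v'_ij = 1) of
 *        (k_j AND every current bit c_p equals the source encoding v_pj). */
int next_pc(int pc, int x, int t, int rtr) {
    int next = 0;
    for (int i = 0; i < PC_BITS; i++) {
        int ci = 0;
        for (unsigned j = 0; j < sizeof edges / sizeof edges[0]; j++) {
            if (((edges[j].dst >> i) & 1) == 0) continue;   /* v'_ij = 0 */
            int src_match = (pc == edges[j].src);  /* AND of c_p / !c_p over v_pj */
            ci |= cond_holds(edges[j].cond, x, t, rtr) && src_match;
        }
        next |= ci << i;
    }
    return next;
}

int main(void) {
    printf("pc=1, x=3     -> %d\n", next_pc(1, 3, 0, 0));  /* 2 */
    printf("pc=8, rtr=1   -> %d\n", next_pc(8, 0, 0, 1));  /* 10 */
    return 0;
}
```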

Page 15: Data Logic

Simplify assignments in basic blocks: sequential --> parallel; pointers.

Assume a variable $v_j$ that is assigned in blocks $\{b_1 \ldots b_k\}$ with expressions $\{L_{j1} \ldots L_{jk}\}$ and not assigned in blocks $\{b_{k+1} \ldots b_N\}$.

Next state logic of $v_j$:

$$v_j' = \bigvee_{i=1}^{k} \big( (c_1 \ldots c_n = b_i) \wedge L_{ji} \big) \;\vee\; \bigvee_{i=k+1}^{N} \big( (c_1 \ldots c_n = b_i) \wedge v_j \big)$$

Page 16: Bounded Model Checking (BMC)

Search for a bounded-length counterexample by unrolling program steps; no complete (fixpoint) traversal is performed. The resulting formula is satisfiable if and only if a counterexample exists, and it is checked by a SAT solver.

Figure: the transition relation unrolled from Input through Step 1, Step 2, …, Step n-1, Step n; the next state of step 1 is the present state of step 2 (PS1, NS1 = PS2).

Page 17: F-Soft Case Study: Network Protocol PPP

Point-to-Point Protocol (PPP). Analyzed the LCP (link control protocol) part of PPP that establishes, configures, and tests a data-link connection.

Specification is given as RFC 1661. The Linux implementation contains about 2000 lines of C code. Property: implementation adheres to specification.

RFC 1661 (excerpt of the state/event table; rows are events, columns are states; each cell gives the action and the next state):

    Event     | State Req-Sent           | State Opened
    Close     | Term-Req, goto Closing   | Term-Req, goto Closing
    Conf-Ack  | goto Ack-Rcvd            | Conf-Req, goto Req-Sent
    Term-Req  | Term-Ack                 | Term-Ack, goto Stopping
    Term-Ack  | goto Req-Sent            | Conf-Req, goto Req-Sent

Public implementation:

    static void fsm_rtermack(fsm *f)
    {
        switch (f->state) {
        /* other cases here */
        case OPENED:
            if ( f->callbacks->down )
                (*f->callbacks->down)(f);   /* informing upper layers */
            fsm_sconfreq(f,0);
            break ;
        }
    }

Missing: f->state = REQSENT;

Page 18: F-Soft Case Study: Floppy Disk Driver

Important property: does the code obey the locking rules?
Rule 1: Only an unlocked resource can be locked.
Rule 2: Only a locked resource can be unlocked.

Disk driver implementation:

    VOID FloppyProcessQueuedRequests ( IN OUT PDISKETTE_EXTENSION DisketteExtension )
    {
        PLIST_ENTRY headOfList;
        KeAcquireSpinLock(&DisketteExtension, &oldIrql);
        while ((headOfList = ExInterlockedRemoveHeadList(…)) != NULL) {
            currentIrp = CONTAINING_RECORD( headOfList, … );
            if (IoSetCancelRoutine( currentIrp, NULL ))
                irpSp = IoGetCurrentIrpStackLocation( currentIrp );
            else {
                …
            }
            KeReleaseSpinLock(&DisketteExtension, oldIrql);
            if (currentIrp) {
                …
            } else switch ( irpSp->MajorFunction ) {
                case IRP_MJ_READ:
                case IRP_MJ_WRITE:
                    (VOID)FloppyReadWrite( DisketteExtension, currentIrp );
                    break;
                case IRP_MJ_DEVICE_CONTROL:
                    (VOID)FloppyDeviceControl( DisketteExtension, currentIrp );
                    break;
                default:
                    …
            }
            if (currentIrp)
                FloppyPageEntireDriver();
            KeAcquireSpinLock(&DisketteExtension, &oldIrql);
        }
        KeReleaseSpinLock(&DisketteExtension, oldIrql);
    }

Property specified using automatically generated code (the automatically generated property monitor):

    bool locked = FALSE;

    void KeAcquireSpinLock(…) {
        if (locked) abort() ;      /* Rule 1: locking an already locked resource */
        locked = TRUE;
    }

    void KeReleaseSpinLock(…) {
        if (!locked) abort() ;     /* Rule 2: unlocking an unlocked resource */
        locked = FALSE ;
    }

    void abort() { assert(0); }

Page 19: F-Soft Case Study: Serial Device Driver

Source code from WINDDK 3790 for the Windows NT "Plug and Play" compliant serial 16550-based RS-232 driver.

Lines of code measures: 31,930 lines of C source code for this device driver; additionally, > 600,000 lines of C code in included header files.

Property analyzed for this device driver: alternating use of acquiring and releasing locks.

Among the 93 API functions, Basic F-Soft v0.3 proves 72 API functions correct within a few minutes. Improvements expected in follow-up releases.

Page 20: Conclusions

Software verification can find tricky bugs that otherwise cannot be found by traditional methods, and improve software development productivity.

F-Soft provides an R&D framework for efficient SW verification:
- Controlling complexity by block-wise program analysis
- Various techniques to reduce program size
- Boolean representation of C programs
- Specialized heuristics for analysis of the program model

Page 21: Thank you!

Zijiang (James) Yang