Rule Checking

•SLAM•Checking Temporal Properties of Software with Boolean

ProgramsThomas Ball, Sriram K. Rajamani

Microsoft ResearchPresented by Okan Duzyol

Introduction

• Software Validation: Traditionally done by testing, lately by property checking tools.

• Tools do not typically ensure that the software implements intended functionality correctly.

Background

• The fundamental difficulty in using any kind of static analysis to detect program errors is that the problem is undecidable and equivalent to Turing’s halting problem.

• Earliest static analysis tool that has been widely used is the Unix utility Lint.

Background

• Specification language: Early tools check for common errors that can be characterized at the level of the programming language. Modern tools allow users to state the kind of errors they are looking for.

Background

• Engineering tradeoffs: precision, scalability, soundness, completeness and usability.

• No tool can be both sound and complete.

• Attaching preconditions and postconditions to method boundaries has been widely advocated.

Checking Temporal Properties of Software with Boolean Programs

• Takes a program written in imperative language and targets for a boolean program.

• Checks whether a program obeys a Temporal Property, by checking invariants.

From C to Boolean

• Is [L1,L3,L4,L5,ERR] feasible in B2?Decl {u=M} :=1;L1…..L2…..assert ( ! ( {u=M} & {*M=0}));assert ( ! ( 1 & {*M=0}));

L3…..L4…..L5…..assert ( ! ( {u=M} & !{*M=0}));assert ( ! ( 1 & !0);

ERR is not reachable

Goal: Validate temporal safety properties using model checking

Microsoft Research

Motivation

• Large-scale software – many components, many programmers

• Integration testing– Impossible– Ineffective at best

• Fuzzy requirements -> inconsistent implementation

• Consistent requirements -> inconsistent implementation

SLAM Approach

• Modules interact properly…• If program observes temporal safety properties of

interfaces it uses– temporal safety = properties whose violation is witnessed

by a finite execution trace, i.e. path to ERROR state

• State temporal safety properties formally• Automatic verification• Interface compliance checked statically (catch bugs

early)

SLAM Process

prog. P’prog. P

SLIC rule

boolean program

pathpredicates

slic

C2BP

BEBOP

NEWTON

Language for specifying safety properties

Generate abstract boolean program from C code

Model checker

Predicate discover

er

SLAM = A collection of tools

SLIC – Language for specifying safety properties

C2BP – Generate abstract boolean program from C code

BEBOP – Model checking boolean programs

NEWTON – Theorem prover – Refine boolean program

SLAM - formally

1. P’ a C program, Ei={e1,e2,…,en} a set of predicates, apply C2BP to create a boolean program BP(P’,Ei)

2. Apply BEBOP to check whether exists a path pi in BP(P’,Ei) that reaches ERROR state

– if pi not found, terminate with SUCCESS– if pi found go to 3

3. Use NEWTON to check pi feasible– If pi feasible, terminate with FAILURE – If pi not feasible find set Fi of predicates that explains

infeasibility

4. Ei+1= Ei UFi+1 , i=i+1, go to 1

Example – device driverdo {

KeAcquireSpinLock();nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++;

}} while (nPackets != nPacketsOld);

KeReleaseSpinLock();

Prove safety – “something bad does not happen”(lock acquired/released twice)

Step 0 – Property Specificationtypedef {Locked, Unlocked} STATETYPE;typedef {Acq, Rel} MTYPE;

STATETYPE state = Unlocked;

FSM(m : MTYPE){if ((state==Unlocked) && (m==Acq))A: state = Locked;else if ((state==Locked) && (m==Rel))B: state = Unlocked;elseERROR: ;}

SLIC Specification = FSM•Global state•State transitions (events)

Instrumented Program P’

Step 1 - Instrumentationdo {

KeAcquireSpinLock();C: FSM(Acq);

nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();

D: FSM(Rel);nPackets++;

}E:} while (nPackets != nPacketsOld);

KeReleaseSpinLock();F: FSM(Rel);

typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;

STATETYPE state = Unlocked;

FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}

SLIC Specification

• Step 0 - Specification

• Step 1 - Instrumentation

• Step 2 - Abstraction

• Step 3 - Model Checking

• Step 4 - Theorem Proving

• Step 5 – Predicate discovery

Outline

manual

automated

Abstraction• Abstract Interpretation• In

– C program P – set of predicates E={e1,e2,…,en}

• Out – abstract boolean program BP(P,E) with n

boolean variables V={b1,b2,…,bn}

• Boolean program (C-like) – all vars have type bool– control nondeterminism (*)– only call by value

Step 2 – Abstraction (C2BP)

typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;

STATETYPE state = Unlocked;

FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}

decl {state==Locked, state==Unlocked};

void FSM({m==Acq,m==Rel}){ if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;elseERROR: ;}

Instrumented Program P’

Step 2 – Abstraction (C2BP)do {

KeAcquireSpinLock();C: FSM(Acq);

nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();

D: FSM(Rel);nPackets++;

}E:} while (nPackets != nPacketsOld);

KeReleaseSpinLock();F: FSM(Rel);

Boolean Program BP(P’,E0)

do { skip;

C: FSM(1,0); skip;

if(*){ skip; skip;

D: FSM(0,1); skip;

}E:} while (*);

skip;F: FSM(0,1);

Step 3 - Model Checking (BEBOP)

Boolean Program BP(P’,E0)

do { skip;

C: FSM(1,0); skip;

if(*){ skip; skip;

D: FSM(0,1); skip;

}E:} while (*);

skip;F: FSM(0,1);

decl {state==Locked, state==Unlocked};

void FSM({m==Acq,m==Rel}){

if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;

else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;

elseERROR: ;}

Is there a path that leads to ERROR ? YES [C,A,E,C,ERROR ]

1

2

3

4

do {KeAcquireSpinLock();

C: FSM(Acq);nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();

D: FSM(Rel);nPackets++;

}E:} while (nPackets != nPacketsOld);

KeReleaseSpinLock();F: FSM(Rel);

Step 4 – Theorem Proving (NEWTON)

typedef {Locked, Unlocked} STATETYPE; typedef {Acq, Rel} MTYPE;

STATETYPE state = Unlocked;

FSM(m : MTYPE){ if ((state==Unlocked) && (m==Acq))A: state = Locked; else if ((state==Locked) && (m==Rel))B: state = Unlocked; elseERROR: ;}

Is path [C,A,E,C] feasible ? NO

// nPacketsOld==nPackets, nPacketsOld != nPackets

Step 5 – Predicate Discovery (NEWTON)b: {nPackets == nPacketsOld};do {

skip; b:=1;C: FSM(1,0);

skip;

if(*){ skip; skip;

D: FSM(0,1); skip; b:=0;

}E:} while (!b);

skip;F: FSM(0,1);

do { skip;

C: FSM(1,0); skip;

if(*){ skip; skip;

D: FSM(0,1); skip;

}E:} while (*);

skip;F: FSM(0,1);

Boolean Program BP(P’,E0) Boolean Program BP(P’,E1)

Step 3 - Model Checking (BEBOP)do {

skip; b:=1;

C: FSM(1,0); skip;

if(*){ skip; skip;

D: FSM(0,1); skip; b:=0;

}E:} while (!b);

skip;F: FSM(0,1);

decl {state==Locked, state==Unlocked};decl b: {nPackets==nPacketsOld};

void FSM({m==Acq,m==Rel}){

if ({state==Unlocked} & {m==Acq})A: {state==Locked, state==Unlocked }:=1,0;

else if ({state==Locked} & {m==Rel})B: {state==Locked, state==Unlocked }:=0,1;

elseERROR: ;}

Is there a path that leads to ERROR ? NO

C2BP

• From a C program P and a set of predicates E={e1,e2,…,en} create an abstract boolean program BP(P,E) which has n boolean variables V={b1,b2,…,bn}

• Determine for each statement s in P and predicate ei in E how the execution of s can affect the truth value of ei

– if it doesn’t, s->skip

C2BP cont’d

• Static analysis– alias – logical model: p, p+i same object – interprocedural – side-effects (conservative)

BEBOP

• Essentially a model checker

• Interprocedural dataflow analysis -> reachable states

• Uses BDDs to represent state/transfer functions

• ERROR state reachability reduces to vertex reachability on the CFG of the boolean program BP which is decidable

NEWTON

Predicate discoverer / Theorem prover– walk error path p found by BEBOP– compute conditions (predicate values) along p– if algorithm terminates

• inconsistence detected ( =!), add to list of predicates, repeat whole process

• else report p as witness

Results

NT device drivers – Max 60000 LOC– <10 user-supplied predicates, tens-hundreds

inferred– < 20-30 iterations– 672 runs daily, 607 terminate within 20

minutes

SLAM

SLAM

Specification SLIC

Sound

Complete

Scalability (LOC) 10,000

Refinement

Spurious errors Very Few

Conclusions

• SLAM = process for checking temporal safety properties

• Formally state safety properties that interface clients must observe

• Fully automated validation (iterative refinement)• Sound; if process terminates either SUCCESS

or FAILURE (w/counterexample) reported• Accurate (few false positives)

- Poor scalability

References:

• Automatic Property Checking for Software: Past, Present and Future; Sriram K. Rajamani,

• Checking Temporal Properties of Software with Boolean Programs; Thomas Ball, Sriram Rajamani

• Automatically Validating Temporal Safety Properties of Interfaces; Thomas Ball, Sriram Rajamani

Thank You

Questions ?