AUTOMATIC PREDICATE ABSTRACTION OF C PROGRAMS
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani
Presented by Yifan Li ([email protected]), November 22nd
In PLDI 01: Programming Language Design and Implementation, 2001
“Can software help programmers write better software?”
Outline
• What is model checking
• Why it is important
• Current state of the art
• Challenges in applying model checking to C programs
• SLAM project
Model Checking
• A specific technique of formal verification
• Given a model of a system, automatically test whether this model meets a given specification
Formal Verification
• Formal verification is the act of proving or disproving the correctness of the intended algorithms underlying a system with respect to a certain formal specification or property
• Used to mathematically prove the correctness of a software or hardware system
The Model Checking Problem
• Let M be a Kripke structure (i.e., a state-transition graph)
• Let f be a formula of temporal logic (i.e., the specification)
• Find all states s of M such that M,s ⊨ f
A typical model checking system
Figure 1. A typical model checking system
Kripke Structure
• A Kripke structure is a type of nondeterministic finite state machine proposed by Saul Kripke, used in model checking
• Let the set of atomic propositions be AP = {p,q}. p and q can model arbitrary boolean properties of the system that the Kripke structure is modelling
• M may produce a path ρ = s1,s2,s1,s2,s3,s3,s3,... (potentially infinite)
Figure 2. Kripke Structure
How to Model-Check
Basic procedure:
1. Describe the system as a finite state model
2. Express properties in temporal logic
3. Formal verification by automatic exhaustive search over the state space
Use a model checker to check the properties
Temporal Logic
• Used to describe any system of rules for representing propositions in terms of time
• Statements in temporal logic:
  "I am always hungry"
  "I will eventually be hungry"
  "I will be hungry until I eat something"
• Temporal logics describe the ordering of events in time without introducing time explicitly
• The meaning of a temporal logic formula is determined with respect to a labeled state-transition graph, or Kripke structure
Abstraction of the Model
• What if the model is infinite, or too large to enumerate? Use abstraction
• Any effort to model check software must first construct an abstract model of the software
• Predicate abstraction: a promising approach to construct abstractions automatically (covered later)
What Is a Model Checker
• A model checker is a software tool that, given a description of a Kripke model M and a property φ, decides whether M ⊨ φ
• Returns "yes" if the property is satisfied; otherwise returns "no" and provides a counterexample
Figure 3. The model checker
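As an added illustration of the model checking problem and of the counterexample a model checker returns (this is not part of the original slides), the following Python fixes a small Kripke structure over AP = {p,q}, whose labelling and transitions are assumptions, computes the set of states satisfying CTL formulas by fixpoint iteration, and returns a witness path when an AG property fails:

```python
# Constructed Kripke structure over AP = {p,q}; labels/transitions are assumptions
# chosen so that M admits the path s1,s2,s1,s2,s3,s3,s3,... of Figure 2.
STATES = {"s1", "s2", "s3"}
TRANS = {"s1": {"s2"}, "s2": {"s1", "s3"}, "s3": {"s3"}}
LABEL = {"s1": {"p"}, "s2": {"p", "q"}, "s3": {"q"}}

def pre(S):
    """States with at least one successor in S (the EX operator)."""
    return {s for s in STATES if TRANS[s] & S}

def sat(f):
    """All states s with M,s |= f.  f is a nested tuple: ('atom','p'), ('not',f),
    ('and',f,g), ('or',f,g), ('EX',f), ('EU',f,g), ('EG',f); EF/AF/AG are derived."""
    op = f[0]
    if op == "true": return set(STATES)
    if op == "atom": return {s for s in STATES if f[1] in LABEL[s]}
    if op == "not":  return STATES - sat(f[1])
    if op == "and":  return sat(f[1]) & sat(f[2])
    if op == "or":   return sat(f[1]) | sat(f[2])
    if op == "EX":   return pre(sat(f[1]))
    if op == "EU":                      # least fixpoint: Z = g or (f and EX Z)
        F, G, Z = sat(f[1]), sat(f[2]), set()
        while (nz := G | (F & pre(Z))) != Z:
            Z = nz
        return Z
    if op == "EG":                      # greatest fixpoint: Z = f and EX Z
        F, Z = sat(f[1]), set(STATES)
        while (nz := F & pre(Z)) != Z:
            Z = nz
        return Z
    if op == "EF": return sat(("EU", ("true",), f[1]))
    if op == "AF": return STATES - sat(("EG", ("not", f[1])))
    if op == "AG": return STATES - sat(("EF", ("not", f[1])))
    raise ValueError(f"unknown operator {op}")

def check(state, f):
    """Model-checker interface: (True, None) if M,state |= f, else (False, path) where
    path is a shortest finite prefix reaching a violating state (for AG formulas)."""
    if state in sat(f): return True, None
    bad = sat(("not", f[1])) if f[0] == "AG" else set()
    parent, queue = {state: None}, [state]        # BFS for the counterexample
    while queue:
        s = queue.pop(0)
        if s in bad:
            path = []
            while s is not None: path.append(s); s = parent[s]
            return False, path[::-1]
        for t in sorted(TRANS[s]):
            if t not in parent: parent[t] = s; queue.append(t)
    return False, None
```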
Why It Is Important
• Software bugs are so common that their cost to the American economy alone is $60 billion a year, or about 0.6% of gross domestic product (NIST)
• Some errors in software systems are expensive. Space mission failed: a bug caused a 370-million dollar failure in 1996, which is $514 to $686 million in 2010 dollars (Flight 501)
• While some are pretty annoying: "Bill Gates: 5% of Windows Machines Crash More Than Twice A Day"
A Wide Variety of Model Checkers
To name a few:
• For C programs: BLAST (Berkeley), CBMC (Carnegie Mellon), CPAchecker (University of Passau, Germany), SLAM (Microsoft Research)
• Others: SPIN (Bell Labs, System Software Award 2001)
SLAM
"software (specifications), programming languages, abstraction, and model checking"
• SLAM is a program-analysis engine of the SDV tool, used to check whether clients of an API follow the API's stateful usage rules
• The SLAM toolkit (C2BP, BEBOP, NEWTON) is the analysis engine of the SDV tool
SLAM2
• The improved version of SLAM, with under 4% false alarms
Static Driver Verifier (SDV)
• Compile-time verification tool
• Ships with the Windows 7 Driver Kit (WDK)
• Less than 4% false alarms on real drivers
• Supports many driver APIs (WDM, KMDF, NDIS, ...)
• Uses SLAM as the verification engine: based on the CEGAR loop and a Boolean abstraction of the input C programs
• API-specific components: environment model and API rules in the SLIC language
Figure 4. SDV: the driver's source code in C and precise API usage rules (SLIC) are fed, together with the environment model, into the Static Driver Verifier, which reports defects with 100% path coverage
Usage
SDV 2.0 is applied as an automatic and required quality gate for Windows 7 device drivers
SLAM is distributed as part of the Windows Driver Development Kit
Challenges in Applying Model Checking to C Programs
• Pointers (aliasing problem)
• Procedures (signatures)
• Unknown values (*)
• Lots of predicate states
SLAM Project
Figure 5. The SLAM realization of the CEGAR loop: the SLIC rules instrument C program P into P'; C2BP builds the Boolean program BP(E,P'); Bebop searches it for an error path; if the path is feasible, a program bug has been found; if not, refine the predicates and generate a new BP
CEGAR
In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms
SLIC
SLIC: Specification Language for Interface Checking
• SLIC is a subset of the C language augmented with elements that identify the events of interest
• Next slide: an example of a SLIC specification and the C program instrumented according to it
Figure 6. Checking that a spinlock cannot be acquired again without first being released, and that a spinlock cannot be released twice
Figure 7. The BP of the instrumented C program; the first and second iterations of Bebop and Newton
Figure 8. (a) Slic specification for proper usage of spin locks, and (b) its compilation into C code
Example 2
Figure 9. (a) A snippet of device driver code P, and (b) program P' resulting from instrumentation of program P due to the Slic specification in Figure 8
Figure 10. The C code of the Slic specification from Figure 8(b) compiled by C2bp into a boolean program
Figure 11. The two boolean programs created while checking the code from Figure 9(b)
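The following Python is an added toy version of the CEGAR loop of Figure 5 and of the spin-lock rule of Figures 6 to 11; it is not SLAM's own code and its program is constructed, not the paper's figure. It models a driver-like loop that acquires a spinlock, snapshots a counter, optionally releases and bumps the counter, and loops while the counter changed; predicate abstraction plays the role of C2bp, reachability in the boolean program plays Bebop, and a concrete feasibility check of the abstract error path plays Newton. Two assumptions keep it self-contained: the concrete variables are enumerated over a small finite range to compute the abstract transformer, and refinement predicates come from a fixed pool rather than being discovered from the infeasible path.

```python
ERR = "ERROR"   # abort label: the spin-lock rule (double acquire/release) was violated

def step(loc, s):
    """Concrete semantics of the constructed program P: successors of (loc, state)."""
    if loc == 0: return [(ERR, s)] if s["lock"] else [(1, {**s, "lock": 1})]  # acquire
    if loc == 1: return [(2, {**s, "np": s["npo"]})]               # nPackets = nPacketsOld
    if loc == 2: return [(3, s), (5, s)]                           # if (request): nondeterministic
    if loc == 3: return [(ERR, s)] if not s["lock"] else [(4, {**s, "lock": 0})]  # release
    if loc == 4: return [(5, {**s, "np": s["np"] + 1})]            # nPackets++
    if loc == 5: return [(0 if s["np"] != s["npo"] else 6, s)]     # while (nPackets != nPacketsOld)
    if loc == 6: return [(ERR, s)] if not s["lock"] else [(7, {**s, "lock": 0})]  # final release
    return []                                                      # loc 7: exit

# Assumption: abstract transitions are computed by enumerating a small finite set of
# concrete states; C2bp queries a theorem prover instead and needs no such bound.
DOMAIN = [{"lock": l, "np": a, "npo": b} for l in (0, 1) for a in range(3) for b in range(3)]
CANDIDATES = [lambda s: s["lock"] == 1, lambda s: s["np"] == s["npo"]]  # assumed refinement pool
def alpha(s, preds):                     # abstract state = truth values of the predicates
    return tuple(bool(p(s)) for p in preds)

def abstract_reach(preds):
    """Bebop's job: search the boolean program (states = (location, valuation)) for ERR;
    return the location sequence of an abstract error path, or None if unreachable."""
    init = sorted({(0, alpha(s, preds)) for s in DOMAIN if s["lock"] == 0})
    parent, queue = {a: None for a in init}, list(init)
    while queue:
        loc, bits = cur = queue.pop(0)
        for s in DOMAIN:
            if alpha(s, preds) != bits: continue         # concrete states matching cur
            for loc2, s2 in step(loc, s):
                nxt = (loc2, alpha(s2, preds))
                if nxt in parent: continue
                parent[nxt] = cur; queue.append(nxt)
                if loc2 == ERR:                          # rebuild the abstract counterexample
                    path = []
                    while nxt is not None: path.append(nxt[0]); nxt = parent[nxt]
                    return path[::-1]
    return None
def feasible(locs):
    """Newton's job: can some concrete run follow exactly this location sequence?"""
    frontier = [s for s in DOMAIN if s["lock"] == 0]
    for a, b in zip(locs, locs[1:]):
        frontier = [s2 for s in frontier for l2, s2 in step(a, s) if l2 == b]
    return bool(frontier)
def cegar():
    """Abstract, check, validate the counterexample, refine; repeat until SAFE or BUG."""
    preds = [CANDIDATES[0]]
    while True:
        path = abstract_reach(preds)
        if path is None: return ("SAFE", len(preds))
        if feasible(path): return ("BUG", path)
        if len(preds) == len(CANDIDATES): return ("UNKNOWN", path)
        preds.append(CANDIDATES[len(preds)])             # assumption: next predicate from the pool
```

With only the lock predicate, the abstraction forgets that the counter equals its snapshot on the non-request path, so Bebop reports a double acquire that Newton shows to be infeasible; adding the equality predicate proves the program safe.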
How Well It Works
• Experience shows that SLAM works on device drivers that have hundreds or thousands of lines of code
• True errors were found in the device drivers when running SLAM on them
Conclusion
• The SLAM toolkit overcomes the challenges in applying model checking to C programs
• SLAM is appropriate to use on large-scale C programs and on device drivers written in C
• The SDV tool has already been used in model checking device drivers for Windows 7 before they come to market
References
• Measure the buying power of the US dollar at different times: http://www.measuringworth.com/ppowerus/
• Bill Gates talk: http://www.osnews.com/story/4122/Bill_Gates_5_Of_Windows_Machines_Crash_More_Than_Twice_A_Day
• Symbolic Model Checking: http://www.cse.iitd.ernet.in/~sak/courses/foav/nusvm-iitd-1.pdf
• Building a better bug-trap: http://www.economist.com/node/1841081
• The SLAM project: http://research.microsoft.com/en-us/projects/slam/
Thank you!