CPALockator: Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded Software
Pavel Andrianov, andrianov@ispras.ru
Motivation

Linux module drivers/net/irda/w83977af_ir.ko: 10 000 LOC

    static void w83977af_change_speed(struct w83977af_ir *self, __u32 speed) {
        ...
        self->io.speed = speed;
        ...
    }

    static void w83977af_hard_xmit(struct sk_buff *skb, struct net_device *dev) {
        ...
        speed = irda_get_next_speed(skb);
        tmp_speed = self->io.speed;
        assert(self->io.speed == tmp_speed);
        if ((speed != self->io.speed) && ...) { … }
    }

Tool results on this module:
    SMACK: memory limit
    CBMC: time limit
    Yogar-CBMC: segmentation fault
    Mu-Cseq: –, UNKNOWN
    CPALockator: 15 sec
The goals of a new theory
    - Scaling on real software
    - Small amount of false alarms
    - Flexible balance between speed and precision
Thread-Modular Approach
    [Diagram: Thread || Thread || Thread || Thread || … is replaced by Thread || Environment, …, Thread || Environment]
Interleavings vs. partial states
    [Diagram: Thread1 and Thread2 with transitions a1, a2, b1, b2, c1, c2, …; on the left all interleavings, on the right partial states where each thread is paired with an Environment]
Environment actions based on inference objects
    [Diagram: Thread1, Thread2, Environment]
Environment actions based on abstract transitions
    [Diagram: Thread1, Thread2, Environment]
Abstract transitions
    Abstract state: x → 2
    Operation over the state (abstract edge): y = x
Abstract transitions
    Transfer relation: state x → 2, edge y = x, successor state x → 2, y → 2
    Edge [x > 0]
Environment computation: Thread 1 as environment
    Thread1 state: x → 2, y → 0
    Thread2 state: y → 0, x → 2
    Normal transition (Thread1): y = x
    Projected transition: y = 2
    Applied transition (Thread2): y = 2
    Normal transition (Thread2): [y > 0]
Extension of the theory
Transfer Relation of ThreadModularCPA
Optimized Transfer Relation
Experiments
    16 tasks × {true, false} = 32 benchmarks
    Limits: 15 min, 8 Gb
    CPAs used: ThreadModularCPA, ARGCPA, CompositeCPA, LocationCPA, CallstackCPA, LockCPA, ThreadCPA, PredicateCPA
Results

    Approach          Theory with inference objects   Theory with abstract transitions
    False verdicts
      Correct         10                              12
      Incorrect        2                               2
    True verdicts     12                              11
    Unknowns           8                               7
    Time (s)       10200                            9820
Refinement of environment formula encoding

    int f() {
      int tmp = 2;
      g = 1;
      if (g != 0) {
        g++;
      }
      if (tmp < 10) {
        ERROR();
      }
    }

    Error path     Precise formula   Imprecise formula
    tmp = 2        tmp = 2           tmp = 2
    g = 1          g = 1             g = *
    [g == 0]       [g == 0]          [g == 0]
    [tmp < 10]     tmp < 10          tmp < 10
    ERROR()
    Interpolants: [g != 0], [tmp == 2]
Results

    Approach          Base refinement   Imprecise+Precise combination
    False verdicts
      Correct         12                12
      Incorrect        2                 2
    True verdicts     11                11
    Unknowns           7                 7
    Time (s)        9820              9790
Refinement with iterative proactive effects application

    int f() {
      int tmp = 2;
      g = 1;
      if (g != 0) {
        g++;
      }
      if (tmp < 10) {
        ERROR();
      }
    }

    Error path     Precise formula   Precise formula with effects
    tmp = 2        tmp = 2           tmp = 2
    g = 1          g = 1             g = 1
                                     g = *
    [g == 0]       [g == 0]          [g == 0]
    [tmp < 10]     tmp < 10          tmp < 10
    ERROR()
    Interpolants: [g != 0], [tmp == 2]
Results

    Approach          Base version   Proactive refinement
    False verdicts
      Correct         12             15
      Incorrect        2              2
    True verdicts     11             12
    Unknowns           7              3
    Time (s)        9820           7780
Predicate abstract edge (effect)
    Origin edge:    g = g + 1        (statement)
    Projected edge: g = g + 1        (statement)
    Applied edge:   [g6 = g5 + 1]    (convert to PathFormula)
Predicate abstract edge (effect)

                    Statement                  Boolean formula
    Origin edge:    g = g + 1                  g = g + 1
    Projected edge: g = g + 1                  [g3 = g2 + 1]
                    (convert to PathFormula)   (change SSA indices)
    Applied edge:   [g6 = g5 + 1]              [g6 = g5 + 1]
Instantiating of formulas
    Origin edge: g = g + 1
      project → Boolean formula [g3 = g2 + 1]
    Thread state: g5 = 2
      apply: SSA indices update g2 ➝ g5, g3 ➝ g6
      apply formula → g5 = 2 ∧ g6 = g5 + 1
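The project-and-apply step of the three effect slides above, as an added Python example that is not code from the talk or from CPAchecker; the function names, the textual formula encoding and the default SSA index 1 are assumptions. It also handles guard edges such as [x > 0], which the slides show only as plain edges.

```python
"""Project-and-apply of a predicate abstract edge with SSA indices.

Added example, not from the slides or from CPAchecker: the origin edge of one
thread is projected to a Boolean path formula, then applied to another thread
by re-instantiating the SSA indices on that thread's current ones. Function
names, the textual formula encoding and the default SSA index 1 are assumptions.
"""
import re

# Plain variable ("g") and SSA variable ("g5"); variable names are assumed to end in a letter.
PLAIN_VAR = re.compile(r"\b([A-Za-z_]+)\b")
SSA_VAR = re.compile(r"\b([A-Za-z_]+)(\d+)\b")

def _reads(expr: str, ssa: dict, pattern: re.Pattern) -> str:
    """Give every variable read in expr the index the thread currently uses."""
    return pattern.sub(lambda m: f"{m.group(1)}{ssa.get(m.group(1), 1)}", expr)

def project(origin_edge: str, ssa: dict) -> tuple[str, dict]:
    """'g = g + 1' with g at index 2 becomes '[g3 = g2 + 1]'; guard '[x > 0]' becomes '[x2 > 0]'."""
    new_ssa = dict(ssa)
    if origin_edge.startswith("["):                       # guard: only reads, nothing is written
        return "[" + _reads(origin_edge.strip("[]"), new_ssa, PLAIN_VAR) + "]", new_ssa
    lhs, rhs = (s.strip() for s in origin_edge.split("=", 1))
    rhs = _reads(rhs, new_ssa, PLAIN_VAR)                 # reads use the current index ...
    new_ssa[lhs] = new_ssa.get(lhs, 1) + 1                # ... the written variable gets a fresh one
    return f"[{lhs}{new_ssa[lhs]} = {rhs}]", new_ssa

def apply(projected: str, thread_ssa: dict) -> tuple[str, dict]:
    """Change SSA indices to the target thread's: g2 -> g5, g3 -> g6 for a thread currently at g5."""
    new_ssa = dict(thread_ssa)
    body = projected.strip("[]")
    if " = " not in body:                                 # guard such as [y3 > 0]: reads only
        return "[" + _reads(body, new_ssa, SSA_VAR) + "]", new_ssa
    lhs, rhs = (s.strip() for s in body.split(" = ", 1))
    rhs = _reads(rhs, new_ssa, SSA_VAR)                   # reads hit the thread's current index
    name = SSA_VAR.match(lhs).group(1)
    new_ssa[name] = new_ssa.get(name, 1) + 1              # the write gets a fresh index in this thread
    return f"[{name}{new_ssa[name]} = {rhs}]", new_ssa

def instantiate(state_formula: str, thread_ssa: dict, projected: str) -> tuple[str, dict]:
    """Conjoin the target thread's state formula with the applied effect."""
    applied, new_ssa = apply(projected, thread_ssa)
    return f"{state_formula} ∧ {applied.strip('[]')}", new_ssa

if __name__ == "__main__":
    effect, _ = project("g = g + 1", {"g": 2})            # [g3 = g2 + 1]
    print(effect)
    print(instantiate("g5 = 2", {"g": 5}, effect))        # ('g5 = 2 ∧ g6 = g5 + 1', {'g': 6})
    print(project("[x > 0]", {"x": 2}))                   # ('[x2 > 0]', {'x': 2})
```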
Results

    Approach          Base version   Formula effects
    False verdicts
      Correct         12             13
      Incorrect        2              2
    True verdicts     11             12
    Unknowns           7              5
    Time (s)        9820           6600
Results

    Approach          Base version   Proactive refinement + Formula effects
    False verdicts
      Correct         12             16
      Incorrect        2              2
    True verdicts     11             13
    Unknowns           7              2
    Time (s)        9820           3950
Adjustable block encoding: ABE vs. SBE
    [Diagram: path edges [p == 0], y2 = p2, ..., p3 = y2 + 1, ..., [p == 1] encoded with ABE and with SBE; further edges shown are g = *, [y == 0], p3 = * and [true]]