
CSE507 Computer-Aided Reasoning for Software: Model Checking II



  1. CSE507 Computer-Aided Reasoning for Software: Model Checking II
  courses.cs.washington.edu/courses/cse507/14au/
  Emina Torlak, emina@cs.washington.edu

  5. Today

  Last lecture
  • Model checking basics

  Today
  • Software model checking with SLAM
  Based on lectures by Tom Ball and Sriram K. Rajamani. See the SLAM project webpage for details.

  Reminders
  • Homework 3 is due today at 11pm
  • Project demos will be held on Dec 08, 10:30-12:20, in MGH 254

  9. Overview of SLAM

  SLAM: Software, programming Languages, Safety Abstraction, and Model checking.

  Inputs
  • Program P: a sequential program (a device driver) implemented in C.
  • Property S: a temporal property (an API usage rule) written in SLIC, such as "a lock should be alternately acquired and released."

  Output: ✓ (P satisfies S), or a trace of P that violates S.

  Most influential PLDI paper award and the 2011 CAV award. Ships in Microsoft's Static Driver Verifier (SDV) tool.

  17. The SLAM process

  Program P and safety property S
    → Instrumentation → program P'
    → Abstraction (C2BP) → boolean program B
    → Model checking (Bebop) → ✓, or an error trace for B
    → Trace validation (Newton) → a trace of P that violates S, or new predicates (fed back to the abstraction step, which rebuilds B)

  18. The SLAM process: specifying safety properties (the property S input to the instrumentation step)

  21. Specification Language for Interface Checking (SLIC)

  A finite state language for stating rules for API usage
  • Temporal safety properties expressed as safety automata that monitor the program's execution behavior at the level of function calls and returns.
  • Familiar C syntax.

  Suitable for control-dominated properties
  • E.g., ordering of function calls with associated constraints on data values at the API boundary.

  24. A locking protocol in SLIC

  Automaton: states Unlocked (initial), Locked, Error.
    Unlocked --acquire--> Locked
    Locked   --release--> Unlocked
    Locked   --acquire--> Error
    Unlocked --release--> Error

  The same protocol in SLIC:

    state {
      enum {Locked, Unlocked} state = Unlocked;
    }

    KeAcquireSpinLock.return {
      if (state == Locked)
        abort;
      else
        state = Locked;
    }

    KeReleaseSpinLock.return {
      if (state == Unlocked)
        abort;
      else
        state = Unlocked;
    }

  The global state structure defines a static set of state variables. Transfer functions define events (here, the return of each API function) and event handlers that describe state transitions on events.

  25. The SLAM process: instrumentation (P and S in, P' out)

  26. Instrumentation by example: 2 steps

  Safety property S (the SLIC locking protocol):

    state {
      enum {Locked, Unlocked} state = Unlocked;
    }
    KeAcquireSpinLock.return {
      if (state == Locked)
        abort;
      else
        state = Locked;
    }
    KeReleaseSpinLock.return {
      if (state == Unlocked)
        abort;
      else
        state = Unlocked;
    }

  Program P (simplified code for a PCI device driver):

    void example() {
      do {
        KeAcquireSpinLock();
        nOld = nPackets;
        if (request) {
          request = request->next;
          KeReleaseSpinLock();
          nPackets++;
        }
      } while (nPackets != nOld);
      KeReleaseSpinLock();
    }

  27. Step 1: translate the SLIC spec S to C

    enum {Locked=0, Unlocked=1} state = Unlocked;

    void slic_abort() {
      SLIC_ERROR: ;
    }

    void KeAcquireSpinLock_return() {
      if (state == Locked)
        slic_abort();
      else
        state = Locked;
    }

    void KeReleaseSpinLock_return() {
      if (state == Unlocked)
        slic_abort();
      else
        state = Unlocked;
    }

  SLIC_ERROR is a distinguished error label: the SLIC abort becomes a jump to it, so a property violation is a reachability question.

  28. Step 2: insert calls to SLIC functions into P

  Program P' is P with a call to the matching SLIC handler inserted after each API call (the handlers are the C functions from step 1):

    void example() {
      do {
        KeAcquireSpinLock();
        KeAcquireSpinLock_return();
        nOld = nPackets;
        if (request) {
          request = request->next;
          KeReleaseSpinLock();
          KeReleaseSpinLock_return();
          nPackets++;
        }
      } while (nPackets != nOld);
      KeReleaseSpinLock();
      KeReleaseSpinLock_return();
    }

  29. P satisfies S iff SLIC_ERROR is unreachable in P'

  P' consists of the translated SLIC declarations and handlers from step 1 (the state variable, slic_abort, KeAcquireSpinLock_return, KeReleaseSpinLock_return) together with the instrumented example() from step 2. Every path of P that violates S drives the inlined automaton to slic_abort, and hence to the label SLIC_ERROR, in P'.

  30. The SLAM process: predicate abstraction (P' in, boolean program B out, via C2BP)

  33. Predicate abstraction of C programs

  Given a program P and a finite set E of predicates, C2BP creates a boolean program B that is a sound over-approximation of P.
  • B has the same control-flow structure as P, but only |E| boolean variables.
  • For any path p feasible in P, there is a corresponding feasible path in B.

  Suitable abstraction for checking control-dominated properties (such as SLIC rules).
  • Models control flow in P precisely.
  • Models only a few predicates about data relevant to each rule being checked (so limits state explosion).

  34. Predicate abstraction by example: 5+ steps

  Input: the program P' from slides 27 and 28 (the translated SLIC functions plus the instrumented example()) and an initial predicate set E = { (state == Locked), (state == Unlocked) }, i.e. the conditions tested in KeAcquireSpinLock_return and KeReleaseSpinLock_return.
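The C2BP / Bebop / Newton loop of slide 17, run end to end on this lecture's lock example, as an added illustration in Python (not SLAM code, and not from the lecture). It goes one step beyond the slides: after abstracting P' with E = { (state == Locked), (state == Unlocked) } and model checking the result, it also replays the abstract error trace concretely and re-checks with one more predicate. The theorem prover that C2BP and Newton use is replaced by enumeration over a small finite concrete domain, an assumption that is adequate only for this program and these predicates; the control-flow locations L0..L8 and ERR (standing for SLIC_ERROR), the edge encoding of P', and the function names are constructed for the example; and the refinement predicate nPackets == nOld is supplied by hand where Newton would infer it from the infeasible trace.

```python
"""Added illustration of the SLAM loop (C2BP -> Bebop -> Newton) on the lecture's
lock example.  Not SLAM code: the theorem prover is replaced by enumeration over a
small finite domain, and the refinement predicate is supplied by hand."""
from collections import deque
from itertools import product

LOCKED, UNLOCKED = 0, 1                      # enum {Locked=0, Unlocked=1}
CONSTS = {"LOCKED": LOCKED, "UNLOCKED": UNLOCKED}

# Finite concrete domain used in place of a theorem prover (assumption: large
# enough for the predicates below; C2BP itself queries a prover instead).
DOMAIN = {"state": (LOCKED, UNLOCKED), "nPackets": range(3),
          "nOld": range(3), "request": (0, 1)}

# P' as a control-flow graph.  Edge = (src, dst, label, guard, action); the SLIC
# handlers are inlined as guarded edges and "ERR" stands for SLIC_ERROR.
# action: None, ("assign", var, expr) or ("havoc", var, None) for request->next.
EDGES = [
    ("L0", "ERR", "KeAcquireSpinLock_return: already Locked -> SLIC_ERROR", "state == LOCKED", None),
    ("L0", "L1", "KeAcquireSpinLock_return: state = Locked", "state == UNLOCKED", ("assign", "state", "LOCKED")),
    ("L1", "L2", "nOld = nPackets", "True", ("assign", "nOld", "nPackets")),
    ("L2", "L3", "if (request): taken", "request != 0", None),
    ("L2", "L6", "if (request): skipped", "request == 0", None),
    ("L3", "L4", "request = request->next", "True", ("havoc", "request", None)),
    ("L4", "ERR", "KeReleaseSpinLock_return: already Unlocked -> SLIC_ERROR", "state == UNLOCKED", None),
    ("L4", "L5", "KeReleaseSpinLock_return: state = Unlocked", "state == LOCKED", ("assign", "state", "UNLOCKED")),
    ("L5", "L6", "nPackets++", "True", ("assign", "nPackets", "nPackets + 1")),
    ("L6", "L0", "while (nPackets != nOld): loop again", "nPackets != nOld", None),
    ("L6", "L7", "while (nPackets != nOld): exit loop", "nPackets == nOld", None),
    ("L7", "ERR", "KeReleaseSpinLock_return: already Unlocked -> SLIC_ERROR", "state == UNLOCKED", None),
    ("L7", "L8", "KeReleaseSpinLock_return: state = Unlocked", "state == LOCKED", ("assign", "state", "UNLOCKED")),
]


def ev(expr, s):
    """Evaluate a guard or right-hand side over concrete state s (a dict)."""
    return eval(expr, dict(CONSTS), dict(s))


def concrete_states():
    names = list(DOMAIN)
    for vals in product(*(DOMAIN[n] for n in names)):
        yield dict(zip(names, vals))


def concrete_post(edge, s):
    """Concrete successors of s across one edge; empty if the guard fails."""
    _, _, _, guard, action = edge
    if not ev(guard, s):
        return []
    if action is None:
        return [dict(s)]
    kind, var, expr = action
    if kind == "havoc":
        return [dict(s, **{var: v}) for v in DOMAIN[var]]
    return [dict(s, **{var: ev(expr, s)})]


def abstract(s, preds):
    """The |E| boolean variables of B: truth value of each predicate in s."""
    return tuple(bool(ev(p, s)) for p in preds)


def abstract_edge(edge, preds):
    """Existential abstraction of one edge: (b, b') is kept whenever some concrete
    step realizes it, so every feasible path of P' has a counterpart in B."""
    return {(abstract(s, preds), abstract(t, preds))
            for s in concrete_states() for t in concrete_post(edge, s)}


def model_check(preds):
    """Bebop stand-in: BFS over (location, bitvector) of B from state == Unlocked.
    Returns the edge indices of a shortest path to ERR, or None if unreachable."""
    rel = [abstract_edge(e, preds) for e in EDGES]
    init = {("L0", abstract(s, preds)) for s in concrete_states() if s["state"] == UNLOCKED}
    parent = dict.fromkeys(init)
    queue = deque(init)
    while queue:
        loc, b = queue.popleft()
        if loc == "ERR":
            path, node = [], (loc, b)
            while parent[node] is not None:
                node, i = parent[node]
                path.append(i)
            return path[::-1]
        for i, e in enumerate(EDGES):
            if e[0] != loc:
                continue
            for pre, post in rel[i]:
                nxt = (e[1], post)
                if pre == b and nxt not in parent:
                    parent[nxt] = ((loc, b), i)
                    queue.append(nxt)
    return None


def validate(path):
    """Newton stand-in: replay the abstract trace on sets of concrete states.
    False means no concrete execution follows it (a spurious counterexample)."""
    states = [s for s in concrete_states() if s["state"] == UNLOCKED]
    for i in path:
        seen = {tuple(sorted(t.items())): t for s in states for t in concrete_post(EDGES[i], s)}
        states = list(seen.values())
        if not states:
            return False
    return True


def run_slam_loop():
    e0 = ["state == LOCKED", "state == UNLOCKED"]
    path = model_check(e0)
    feasible = validate(path)
    e1 = e0 + ["nPackets == nOld"]   # predicate Newton would infer; supplied by hand (assumption)
    return path, feasible, model_check(e1)


if __name__ == "__main__":
    path, feasible, refined = run_slam_loop()
    print("abstract error trace in B:", [EDGES[i][2] for i in path])
    print("feasible in P':", feasible)
    print("error trace after adding nPackets == nOld:", refined)
```

Run directly, the first check reports the abstract trace acquire; nOld = nPackets; skip the if; take the loop back edge; acquire again while Locked. That trace is rejected by validate because nOld == nPackets forces the loop to exit concretely, and the re-check with nPackets == nOld added returns None, i.e. SLIC_ERROR is unreachable. The soundness property of slide 33 is what abstract_edge computes: every concrete step in the domain contributes its (b, b') pair, so B can only gain paths relative to P', never lose them, which is why a verdict of "unreachable" on B carries over to P'.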
