Predicate Abstraction with SATABS – http://www.cprover.org/
Version 1.0, 2010

Outline

◮ Introduction
◮ Existential Abstraction
◮ Predicate Abstraction for Software
◮ Counterexample-Guided Abstraction Refinement
◮ Computing Existential Abstractions of Programs
◮ Checking the Abstract Model
◮ Simulating the Counterexample
◮ Refining the Abstraction

Introduction

“One of the least visible ways that Microsoft Research contributed to Vista, but something I like to talk about, is the work we did on what’s called the Static Driver Verifier. People who develop device drivers for Vista can verify the properties of their drivers before they ever even attempt to test that. What’s great about this technology is there is no testing involved. For the properties that it is proving, they are either true or false. You don’t have to ask yourself ‘Did I come up with a good test case or not?’”
– Rick Rashid, Microsoft Research chief, father of CMU’s Mach Operating System (Mac OS X); news.cnet.com interview, 2008

“Things like even software verification, this has been the Holy Grail of computer science for many decades, but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability.”
– Bill Gates, April 18, 2002, keynote address at WinHec 2002

Model Checking with Predicate Abstraction

◮ A heavy-weight formal analysis technique
◮ Recent successes in software verification, e.g., SLAM at Microsoft
◮ The abstraction reduces the size of the model by removing irrelevant detail
◮ Goal: make the abstract model small enough for an analysis with a BDD-based Model Checker
◮ Idea: only track predicates on data, and remove data variables from the model
◮ Mostly works with control-flow dominated properties

Predicate Abstraction as Abstract Domain

Abstract Domain: an approximate representation of sets of concrete values. The abstraction function $\alpha$ maps concrete states to abstract states and the concretisation function $\gamma$ maps back:

$S \underset{\gamma}{\overset{\alpha}{\rightleftarrows}} \hat S$

Notation for Abstractions

◮ We are given a set of predicates over $S$, denoted by $\Pi_1, \ldots, \Pi_n$.
◮ An abstract state is a valuation of the predicates: $\hat S = \mathbb{B}^n$
◮ The abstraction function: $\alpha(s) = \langle \Pi_1(s), \ldots, \Pi_n(s) \rangle$

Predicate Abstraction: the Basic Idea

Concrete states over variables $x, y$ (as drawn on the slide): $(x=2, y=0)$, $(x=2, y=1)$, $(x=0, y=0)$, $(x=1, y=0)$, $(x=1, y=1)$, $(x=1, y=2)$.

Predicates: $p_1 \iff x > y$, $p_2 \iff y = 0$

Each concrete state is labelled with its abstract state, e.g. $(x=2, y=0)$ with $p_1, p_2$; $(x=2, y=1)$ with $p_1, \neg p_2$; $(x=0, y=0)$ with $\neg p_1, p_2$; $(x=1, y=1)$ and $(x=1, y=2)$ with $\neg p_1, \neg p_2$.

Abstract transitions?

Existential Abstraction [1]

Definition (Existential Abstraction)
A model $\hat M = (\hat S, \hat S_0, \hat T)$ is an existential abstraction of $M = (S, S_0, T)$ with respect to $\alpha : S \to \hat S$ iff

◮ $\exists s \in S_0.\ \alpha(s) = \hat s \;\Rightarrow\; \hat s \in \hat S_0$ and
◮ $\exists (s, s') \in T.\ \alpha(s) = \hat s \wedge \alpha(s') = \hat s' \;\Rightarrow\; (\hat s, \hat s') \in \hat T$.

[1] Clarke, Grumberg, Long: Model Checking and Abstraction, ACM TOPLAS, 1994

Minimal Existential Abstractions

There are obviously many choices for an existential abstraction for a given $\alpha$.

Definition (Minimal Existential Abstraction)
A model $\hat M = (\hat S, \hat S_0, \hat T)$ is the minimal existential abstraction of $M = (S, S_0, T)$ with respect to $\alpha : S \to \hat S$ iff

◮ $\exists s \in S_0.\ \alpha(s) = \hat s \;\iff\; \hat s \in \hat S_0$ and
◮ $\exists (s, s') \in T.\ \alpha(s) = \hat s \wedge \alpha(s') = \hat s' \;\iff\; (\hat s, \hat s') \in \hat T$.

This is the most precise existential abstraction.

Existential Abstraction

We write $\alpha(\pi)$ for the abstraction of a path $\pi = s_0, s_1, \ldots$:

$\alpha(\pi) = \alpha(s_0), \alpha(s_1), \ldots$

Lemma
Let $\hat M$ be an existential abstraction of $M$. The abstraction of every path (trace) $\pi$ in $M$ is a path (trace) in $\hat M$:

$\pi \in M \;\Rightarrow\; \alpha(\pi) \in \hat M$

Proof by induction. We say that $\hat M$ overapproximates $M$.

Abstracting Properties

Reminder: we are using
◮ a set of atomic propositions (predicates) $A$, and
◮ a state-labelling function $L : S \to \mathcal{P}(A)$
in order to define the meaning of propositions in our properties.

We define an abstract version of it as follows:
◮ First of all, the negations are pushed into the atomic propositions. E.g., we will have $x = 0 \in A$ and $x \neq 0 \in A$.
◮ An abstract state $\hat s$ is labelled with $a \in A$ iff all of the corresponding concrete states are labelled with $a$:

$a \in \hat L(\hat s) \;\iff\; \forall s \mid \alpha(s) = \hat s.\ a \in L(s)$

◮ This also means that an abstract state may have neither the label $x = 0$ nor the label $x \neq 0$ – this may happen if it concretizes to concrete states with different labels!

Conservative Abstraction

The keystone is that existential abstraction is conservative for certain properties:

Theorem (Clarke/Grumberg/Long 1994)
Let $\varphi$ be a $\forall$CTL* formula where all negations are pushed into the atomic propositions, and let $\hat M$ be an existential abstraction of $M$. If $\varphi$ holds on $\hat M$, then it also holds on $M$:

$\hat M \models \varphi \;\Rightarrow\; M \models \varphi$

We say that an existential abstraction is conservative for $\forall$CTL* properties. The same result can be obtained for LTL properties. The proof uses the lemma and is by induction on the structure of $\varphi$. The converse usually does not hold.

We hope: computing $\hat M$ and checking $\hat M \models \varphi$ is easier than checking $M \models \varphi$.

Back to the Example

(Figure: the six concrete states $(2,0), (2,1), (0,0), (1,0), (1,1), (1,2)$ with their abstract labels $p_1, \neg p_2$ / $\neg p_1, p_2$ / $p_1, p_2$ / $\neg p_1, \neg p_2$.)

Let’s try a Property

Property: $x > y$, which becomes $p_1$ on the abstract model. (Figure: every abstract state on the path is marked ✔.)

Another Property

Property: $x > y \vee y \neq 0$, which becomes $p_1 \vee \neg p_2$ on the abstract model. (Figure: one abstract state is marked ✘.)

But: the counterexample is spurious.

SLAM

◮ Microsoft blames most Windows crashes on third party device drivers
◮ The Windows device driver API is quite complicated
◮ Drivers are low level C code
◮ SLAM: tool to automatically check device drivers for certain errors
◮ SLAM is shipped with the Device Driver Development Kit
◮ Full detail available at http://research.microsoft.com/slam/

SLIC

◮ Finite state language for defining properties
◮ Monitors behavior of C code
◮ Temporal safety properties (security automata)
◮ Familiar C syntax
◮ Suitable for expressing control-dominated properties, e.g., proper sequence of events
◮ Can track data values

SLIC Example

    state {
      enum { Locked, Unlocked } s = Unlocked;
    }

    KeAcquireSpinLock.entry {
      if (s == Locked) abort;
      else s = Locked;
    }

    KeReleaseSpinLock.entry {
      if (s == Unlocked) abort;
      else s = Unlocked;
    }

The locking rule as an automaton: from state unlocked, acq leads to locked and rel leads to error; from state locked, rel leads to unlocked and acq leads to error.

Refinement Example

Does this code obey the locking rule?

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
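The abstraction steps from the slides worked in Python on the example states with predicates $p_1 \iff x > y$ and $p_2 \iff y = 0$: building the minimal existential abstraction, searching the abstract model for a violation of $x > y \vee y \neq 0$, and simulating the abstract counterexample on the concrete model to decide whether it is spurious. This is an added example, not code from the slides or from SATABS; the concrete transitions, the initial states and all function names are constructed assumptions.

```python
from collections import deque
# Constructed example (added here, not from the slides): concrete states are
# pairs (x, y); the predicates are p1 <=> x > y and p2 <=> y == 0 as on the
# slides, so an abstract state is a pair of booleans (p1, p2).
PREDICATES = (lambda x, y: x > y, lambda x, y: y == 0)

def alpha(s):
    """Abstraction function: a concrete state maps to its predicate valuation."""
    return tuple(p(*s) for p in PREDICATES)

def existential_abstraction(S, S0, T):
    """Minimal existential abstraction: the abstract initial states and
    transitions are exactly the images of the concrete ones under alpha."""
    return ({alpha(s) for s in S}, {alpha(s) for s in S0},
            {(alpha(s), alpha(t)) for s, t in T})

def abstract_counterexample(S0_hat, T_hat, is_bad):
    """Check the abstract model by BFS: return a shortest path from an abstract
    initial state to a state violating the property, or None if none exists."""
    queue = deque((s, [s]) for s in S0_hat)
    seen = set(S0_hat)
    while queue:
        s, path = queue.popleft()
        if is_bad(s):
            return path
        for a, b in T_hat:
            if a == s and b not in seen:
                seen.add(b)
                queue.append((b, path + [b]))
    return None

def simulate(path, S0, T):
    """Replay the abstract path on the concrete model, keeping the concrete
    states consistent with the prefix so far. If none remain, the abstract
    counterexample is spurious and the abstraction must be refined."""
    current = {s for s in S0 if alpha(s) == path[0]}
    for s_hat in path[1:]:
        current = {t for s, t in T if s in current and alpha(t) == s_hat}
        if not current:
            return False
    return True

# The six concrete states drawn on the slides, with constructed transitions.
# Property from the slides: x > y or y != 0, i.e. the abstract state
# (not p1, p2) must be unreachable; concretely only (0, 0) violates it.
S = {(2, 0), (2, 1), (0, 0), (1, 0), (1, 1), (1, 2)}
T = {((2, 0), (2, 1)), ((2, 1), (1, 1)), ((1, 1), (1, 1)),
     ((1, 0), (1, 2)), ((1, 2), (0, 0)), ((0, 0), (0, 0))}
violates = lambda s_hat: s_hat == (False, True)   # not p1 and p2
```

Starting from (2, 0) the abstract model reaches $(\neg p_1, p_2)$ via $(p_1, p_2) \to (\neg p_1, \neg p_2) \to (\neg p_1, p_2)$ although no concrete run does, so that counterexample is spurious; starting from (1, 0) the same abstract path is a real one.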