

  1. Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS
     Abdelraouf Ouadjaout, Antoine Miné, Noureddine Lasla, Nadjib Badache
     ENS & UPMC, Paris; CERIST & USTHB, Algiers
     Workshop on Static Analysis of Concurrent Software, September 11th, 2016, Edinburgh, Scotland
     1 / 20

  2. Part I: Context

  3. Context. Application Domain: Wireless Sensor Networks
     We target programs for wireless sensor networks (WSN): a distributed system of wirelessly connected embedded nodes that monitor physical phenomena, using ad hoc communications and collaborative routing. Many applications: irrigation, weather/pollution monitoring, fire detection, etc.

  4. Context. Problem Formulation: Device Driver Verification
     We aim to verify the correctness of device drivers in TinyOS programs.
     Motivation: drivers are difficult to develop and debug, error-prone and critical.
     Summary of our approach: we focus on functional properties that specify the programming rules for accessing hardware correctly, and we employ abstract interpretation to automatically verify that all possible executions obey such specifications.
     For more details: "Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS", Journal of Systems and Software, 2016.

  5. Part II: Expressing Specifications

  6-9. Specifications. Example: ATmega128 Timer/Counter0
     ATmega128 rule (datasheet, p. 107): If Timer/Counter0 is used to wake the device up [...], precautions must be taken [...]
       1. Write a value to TCCR0, TCNT0, or OCR0.
       2. Wait until the corresponding Update Busy flag in ASSR returns to zero.
       3. Enter Power-save or Extended Standby mode.
     Formalism: to formalize this rule, we use an automaton tailored to describe patterns of hardware interactions.

  10. Specifications. Abstract Device Properties
     An abstract device property (ADP) is a special register automaton describing patterns of hardware interactions:
       $A = (S, s_0, s_{BUG}, R, \xi, T)$ where:
       $S$: set of states
       $s_0$: initial state
       $s_{BUG}$: bug state
       $R$: set of hardware registers
       $\xi = \{ X^\diamond \mid X \in R,\ \diamond \in \{r, w\} \} \cup \{ int_i \mid i \in I \} \cup \{ \alpha, sleep \}$: set of events (register reads and writes, interrupts, the hardware event $\alpha$, and entering sleep)
       $T \subseteq S \times \xi \times S \times Stmt_C \times Stmt_C$: set of transitions

  11-16. Specifications. ADP Example
     ATmega128 rule (datasheet, p. 107): If Timer/Counter0 is used to wake the device up [...], precautions must be taken [...]
       1. Write a value to TCCR0, TCNT0, or OCR0.
       2. Wait until the corresponding Update Busy flag in ASSR returns to zero.
       3. Enter Power-save or Extended Standby mode.
     The ADP for this rule has states STABLE, SLEEP, UNSTBL, BUSY and BUG, with the following transitions (e: event, a: action on the registers):
       STABLE  --e: sleep-->                                          SLEEP
       SLEEP   --e: int_15 | int_16-->                                UNSTBL
       UNSTBL  --e: TCCR0^w, a: ASSR |= (1<<TCR0UB)-->                BUSY
       BUSY    --e: α, a: ASSR &= ~(1<<TCR0UB)-->                     STABLE
       BUSY    --e: sleep-->                                          BUG
       UNSTBL  --e: sleep-->                                          BUG

  17. Part III: Abstractions

  18-19. Concrete Semantics. TinyOS Kernel
     TinyOS is an open source OS developed at Berkeley, with a mixture of preemptive and cooperative execution models:
       1. Hardware interrupts can preempt execution at any time (if not masked).
       2. Tasks are functions that are posted to be executed when the system is idle.
     Concrete environment: $\mathcal{E} = \mathcal{M} \times S \times \mathcal{Q} \times \mathcal{I}$, where $\mathcal{M}$ is the memory, $S$ the hardware state, $\mathcal{Q}$ the tasks queue and $\mathcal{I}$ the interrupts.

  20-21. Hardware State Partitioning. Definition
     The hardware state is the primary information in the analysis, so we should keep precise information about it. Memory content should be kept in relation with the hardware state, because the program infers the state by accessing hardware registers and/or some program variables.
     Hardware state partitioning $\mathcal{D}^\sharp_S$:
       1. First, we partition the environments w.r.t. the automaton states $S$.
       2. Then, we use a numerical abstract domain $\langle \mathcal{D}^\sharp_\mathcal{M}, \sqsubseteq_\mathcal{M} \rangle$ to abstract the values of registers and variables.
     This yields the Galois connection $\langle \wp(\mathcal{E}), \subseteq \rangle \rightleftarrows \langle S \to \mathcal{D}^\sharp_\mathcal{M}, \dot\sqsubseteq_\mathcal{M} \rangle$.

  22-24. Hardware State Partitioning. Example
     Program (line numbers are referenced by the program points X6, X11, X14 and X17 below):
        1  void main() {
        2    // Config timer
        3    ...
        4    // Wait for interrupt
        5    while (1) {
        6      asm volatile("sleep"::);
        7      ...
        8    }
        9  }
       10  ISR(TIMER0_OVF_vect) {
       11    ...
       12    // Stabilize the timer
       13    TCCR0 = TCCR0;
       14    while
       15      (ASSR & 1 << TCR0UB);
       16    // Continue work
       17    ...
       18  }
     The Timer/Counter0 ADP (slides 11-16) is shown alongside. Partitioned abstract state (automaton state with the abstracted ASSR value) at each program point:
       X6  (sleep at line 6):       STABLE, ASSR = 0
       X11 (ISR entry):             UNSTBL, ASSR = 0
       X14 (busy-wait loop head):   BUSY, ASSR = 1; STABLE, ASSR = 0 (once the flag is cleared)
       X17 (after the wait):        STABLE, ASSR = 0
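As an added example, not code from the slides or from the authors' analyzer, the Timer/Counter0 ADP of slides 11-16 encoded as a register automaton and the partitioned domain $S \to \mathcal{D}^\sharp_\mathcal{M}$ run over the program above. It assumes a finite set-of-values domain for ASSR in place of a numerical domain, that an event with no transition from a state leaves that state unchanged, and that the hardware event α may or may not fire at the loop head; `analyse` returns the partitions at X11 and X14 and after the next sleep.

```python
# Added example, not the slides' own code: the Timer/Counter0 ADP as a register
# automaton plus the partitioned domain S -> D#_M, with D#_M taken (assumption)
# as a finite set of ASSR values. TCR0UB is bit 0 of ASSR on the ATmega128.
TCR0UB = 0
# Transitions T: (source, event, target, action on the ASSR value).
# Events: "TCCR0w" = TCCR0^w, "sleep", "int" = int_15|16, "alpha".
ADP = [
    ("STABLE", "sleep",  "SLEEP",  lambda r: r),
    ("SLEEP",  "int",    "UNSTBL", lambda r: r),
    ("UNSTBL", "TCCR0w", "BUSY",   lambda r: r | (1 << TCR0UB)),
    ("BUSY",   "alpha",  "STABLE", lambda r: r & ~(1 << TCR0UB)),
    ("BUSY",   "sleep",  "BUG",    lambda r: r),
    ("UNSTBL", "sleep",  "BUG",    lambda r: r),
]
def step(abs_state, event):
    """Transfer function of one event over {state: frozenset(ASSR values)}.
    Assumed: no transition on `event` keeps the partition; alpha may not fire."""
    out = {}
    for s, vals in abs_state.items():
        moved = False
        for src, e, dst, act in ADP:
            if src == s and e == event:
                moved = True
                out.setdefault(dst, set()).update(act(v) for v in vals)
        if not moved or event == "alpha":
            out.setdefault(s, set()).update(vals)
    return {s: frozenset(v) for s, v in out.items()}

def join(a, b):
    """Pointwise union: the join of the partitioned domain."""
    return {s: a.get(s, frozenset()) | b.get(s, frozenset()) for s in a.keys() | b.keys()}

def filter_flag(abs_state, busy):
    """Guard `ASSR & 1 << TCR0UB`: keep only values where the test equals `busy`."""
    kept = {s: frozenset(v for v in vals if bool(v & (1 << TCR0UB)) == busy)
            for s, vals in abs_state.items()}
    return {s: v for s, v in kept.items() if v}

def analyse(wait_for_flag=True):
    """Walk X6 (sleep) -> X11 (ISR) -> X14 (loop head) -> X17 -> next sleep."""
    x6 = {"STABLE": frozenset({0})}         # ASSR = 0 before the first sleep
    x11 = step(step(x6, "sleep"), "int")    # woken up by the Timer0 interrupt
    x14 = step(x11, "TCCR0w")               # TCCR0 = TCCR0 sets TCR0UB
    while True:                             # loop-head fixpoint: alpha may clear the flag
        nxt = join(x14, step(filter_flag(x14, True), "alpha"))
        if nxt == x14:
            break
        x14 = nxt
    x17 = filter_flag(x14, False) if wait_for_flag else x14  # skipping the wait is the bug
    return x11, x14, step(x17, "sleep")
```

With the wait at line 14 the next sleep lands in SLEEP only; without it the BUSY partition reaches BUG, which is exactly what the datasheet rule forbids.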

  25-26. Tasks Queue Partitioning. Motivation
     Example: SPI serial transfer with task polling (instead of active polling).
       task void check() {
         if (!(SPSR & (1 << SPIF)))
           post check();
         else {
           m_answer[i] = SPDR;
           i++;
           post tx();
         }
       }
       task void end() {
         SPCR &= ~(1 << SPE);
         ...
       }
       task void tx() {
         if (i < m_len) {
           SPDR = m_data[i];
           post check();
           return;
         }
         post end();
       }
