scalable software verification with blast l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Scalable Software Verification with BLAST PowerPoint Presentation
Download Presentation
Scalable Software Verification with BLAST

Loading in 2 Seconds...

play fullscreen
1 / 140

Scalable Software Verification with BLAST - PowerPoint PPT Presentation


  • 269 Views
  • Uploaded on

Scalable Software Verification with BLAST Rupak Majumdar U.C. Los Angeles Mars, July 4, 1997 Lost contact due to real-time priority inversion bug Mars, December 3, 1999 Crashed due to uninitialized variable Jul 19, 2001 Code Red: Buffer overrun Estimated cost $2.6 billion

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Scalable Software Verification with BLAST


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
scalable software verification with blast

Scalable Software Verification with BLAST

Rupak Majumdar

U.C. Los Angeles

slide2

Mars, July 4, 1997

Lost contact due to real-time priority inversion bug

Mars, December 3, 1999

Crashed due to uninitialized variable

slide3

Jul 19, 2001

Code Red:

Buffer overrun

Estimated cost $2.6 billion

slide5

Conclusion

Code is buggy!

So what’s new?

  • Reliability is an important issue now!
  • More computers are used in embedded, safety critical applications
  • Cost of failure or fixing bug is high
  • Computers are faster, so reliability is more important in many applications than speed
slide6

Something Reliable

Uptime: 67 years

why don t bridges crash
Why don’t Bridges Crash ?

Abstraction

Bridges

Programs

Building Blocks

Logic

Mechanics

  • Relevant facts*
  • Model
  • Analysis

Mass, Tensile Strength

Free Body Diagram

Solve Equations

?

?

?

* w.r.t. property of interest

primary goal
Primary Goal

Yes

BLAST

Safe

Search

CProgram

Relevant facts

Model

Analysis

[POPL 02]

Refine

No

Property

Property

[POPL 04]

Trace

Lazy Abstraction:

Abstract what is needed, nothing more, nothing less

properties
Properties
  • Goals
    • defect detection
    • partial validation
  • Properties
    • memory safety
    • temporal safety
    • security

Example Properties:

  • “Do not lock a spin_lock that has already been locked”
  • “Do not call system() with root privilege”
  • “If the IO request is delegated to a lower level driver, return the error status of the lower driver”
  • “no buffer is accessed beyond its length”
property 1 double locking

lock

unlock

unlock

lock

Property 1: Double Locking

“An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.”

Calls to lock and unlock must alternate.

property 2 drop root privilege
Property 2: Drop Root Privilege

[Chen-Dean-Wagner ’02]

“User applications must not run with root privilege”

When execv is called, must have suid  0

property 3 irp handler

start NP

CallDriver

SKIP1

SKIP2

return

child status

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

return

not Pend

no prop

completion

synch

CallDriver

N/A

N/A

IRP accessible

CallDriver

start P

SKIP2

Mark Pending

SKIP1

Skip

CallDriver

IPC

synch

MPR3

NP

CallDriver

prop

completion

return

Pending

PPC

not pending returned

MPR

completion

Complete

request

CallDriver

MPR1

MPR2

DC

no prop

completion

CallDriver

N/A

Property 3 : IRP Handler

[Fahndrich]

property 4 data races
A data race on x is a state where:

Two threads can access x

One of the accesses is a write

There should be no races on shared variables

Property 4: Data Races

x:= x+1

x:= x-5

x

our goal
Our Goal

Specifying and Checking Properties of Programs

  • Goals
    • defect detection
    • partial validation
  • Properties
    • memory safety
    • temporal safety
    • security

Many techniques

  • Testing and code auditing
  • Automated analysis of software
    • Program analysis
    • Symbolic model checking
    • Theorem proving
slide15
Plan
  • C.G. Abstraction-Refinement
  • Lazy Abstraction
      • Sequential Programs
      • Multithreaded Programs
  • Demo
the safety verification problem
The Safety Verification Problem

Error

Initial

Program State Space

Q:From Initial states is an Error state Reachable ?

Idea 1: Symbolic Analysis

(strongest postconditions)

Problem: Symbolic Iteration does not terminate

idea 2 predicate abstraction
Idea 2: Predicate Abstraction

Error

Initial

  • [Graf-Saidi 97]

Abstraction

Program State Space

  • Abstraction: Predicates on program state
    • Signs: x > 0
    • Aliasing: &x  &y
  • States satisfying the same preds are equivalent
    • Merged into single abstract state
example predicate abstraction
Example: Predicate Abstraction

For the red region above, the predicate abstraction is the set of “boxes” that cover the red region

  • Use a decision procedure to compute this blue region

For each small box , ask the theorem prover if

Æ

is satisfiable

idea 2 predicate abstraction19
Idea 2: Predicate Abstraction

Abstract

  • Search finite state space symbolically
  • Conservative
    • Abstraction safe ) System safe
    • Too coarse )spurious counterexample
idea 3 counterexample analysis
Idea 3: Counterexample Analysis

Abstract Counterexamples:

Analyze counterexamples

to check feasibility

1. Feasible )BUG

2. Infeasible ) What predicates distinguish states across cut?

3. Build refined abstraction

idea 3 counterex guided refinement
Idea 3: Counterex.-Guided Refinement

Abstract

Refine

  • [Kurshan et al. 93]
  • [Clarke et al. 00]
  • [Ball-Rajamani 01]
  • Add predicates to rule out spurious trace
  • Repeat reachability
    • Till safe or real trace is found
idea 3 counterex guided refinement22
Idea 3: Counterex.-Guided Refinement

Abstract

safe

Refine

  • [Kurshan et al. 93]
  • [Clarke et al. 00]
  • [Ball-Rajamani 01]
  • Add predicates to rule out spurious trace
  • Repeat reachability
    • Till safe or real trace is found
slide23
Plan

1. C.G. Abstraction-Refinement

2. Lazy Abstraction

  • Sequential Programs
  • Multithreaded Programs

3. Future Work

scaling sequential verification
Scaling Sequential Verification

Yes

Safe

Abstract

lazily

CProgram

Refine

No

Property

Trace

problem abstraction is expensive
Problem: Abstraction is Expensive

Reachable

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

Observe

Fraction of state space reachable

#Preds ~ 100’s, #States ~ 2100 ,

#Reach ~ 1000’s

solution1 only abstract reachable states
Solution1: Only Abstract Reachable States

Solution

Build abstraction on-the-fly,

during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

slide27

Solution1: Only Abstract Reachable States

Solution

Build abstraction on-the-fly,

during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

slide28

Solution1: Only Abstract Reachable States

Solution

Build abstraction on-the-fly,

during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

slide29

Solution1: Only Abstract Reachable States

Safe

Solution

Build abstraction on-the-fly,

during search

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

slide30

Solution2: Don’t Refine Error-Free Regions

Error

Free

Solution

Don’t refine error-free regions

Problem

#abstract states = 2#predicates

Exponential Thm. Prover queries

key idea reachability tree
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

5

4

3

key idea reachability tree32
Key Idea: Reachability Tree

Initial

Unroll Abstraction

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min infeasible suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

5

3

3

Error Free

key idea reachability tree33
Key Idea: Reachability Tree

Initial

Unroll

1. Pick tree-node (=abs. state)

2. Add children (=abs. successors)

3. On re-visiting abs. state, cut-off

1

2

3

6

Find min spurious suffix

- Learn new predicates

- Rebuild subtree with new preds.

4

7

8

5

8

3

1

1

3

Error Free

S1: Only Abstract Reachable States

S2: Don’t refine error-free regions

SAFE

build and search
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK

build and search35
Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK

3

LOCK

4

: LOCK

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK

analyze counterexample
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

lock()

old = new

q=q->next

2

LOCK

[q!=NULL]

3

LOCK

q->data = new

unlock()

new++

4

: LOCK

[new==old]

5

: LOCK

5

unlock()

4

: LOCK

1

2

3

Reachability Tree

Predicates:LOCK

analyze counterexample37
Analyze Counterexample

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

old = new

2

LOCK

3

LOCK

new++

4

: LOCK

[new==old]

5

: LOCK

5

Inconsistent

4

: LOCK

new == old

1

2

3

Reachability Tree

Predicates:LOCK

repeat build and search
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

1

Reachability Tree

Predicates:LOCK, new==old

repeat build and search39
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new==old]

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old

repeat build and search40
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

3

LOCK , new==old

4

: LOCK , : new = old

[new!=old]

1

: LOCK,

: new == old

4

4

1

2

3

Reachability Tree

Predicates:LOCK, new==old

repeat build and search41
Repeat Build-and-Search

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4:}while(new != old);

5: unlock ();

}

1

: LOCK

2

LOCK , new==old

SAFE

3

LOCK , new==old

4

4

LOCK , new=old

: LOCK , : new = old

1

5

5

: LOCK,

: new == old

4

4

4

1

: LOCK , new==old

2

3

Reachability Tree

Predicates:LOCK, new==old

scaling sequential verification42
Scaling Sequential Verification

Yes

Safe

Abstract

lazily

CProgram

Refine

No

Property

Trace

Problem:Abstraction is Expensive

Solution:1.Abstract reachable states, 2. Avoid refining error-free regions

Key Idea: Reachability Tree

results

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed

predicates grows with program size
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

T

F

T

Tracking lock not enough

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states

predicates grows with program size45
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK, p1

: LOCK

p1p2

p1: p2

: p1 p2

: p1: p2

2nAbstract States

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states

slide46

LOCK, p2

: LOCK, : p2

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

p1

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK

: LOCK, p1

: LOCK

: LOCK

p2

: LOCK, : p2

: LOCK, p2

: LOCK

pn

2.n Abstract States

Observe:

Predicates are useful locally

slide47

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

p1

p2

Preds. used globally

Ex: 2n states

Preds. Used locally

Ex: 2.n states

pn

Solution: Use predicates only where needed

Refinement: from (spurious) Counterexamples

Q1.Find predicates

Q2.Find where predicates are needed

scaling sequential verification48
Scaling Sequential Verification

Yes

Safe

Abstract

lazily

CProgram

Refine

locally

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Refine

Trace

Feas

Formula

Proof of

Unsat

Ctrex.

Trace

Pred. Map

PC  Preds.

Thm Pvr

Interpolate

counterexample traces
Counterexample Traces

1: x = ctr;

2: ctr = ctr + 1;

3: y = ctr;

4: if (x = i-1){

5: if (y != i){

ERROR: }

}

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

y = x +1

trace feasibility formulas
Trace Feasibility Formulas

1: x = ctr

2: ctr = ctr+1

3: y = ctr

4: assume(x=i-1)

5: assume(yi)

1: x1 = ctr0

2: ctr1 = ctr0+1

3: y1 = ctr1

4: assume(x1=i0-1)

5: assume(y1i0)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Trace

Trace Feasibility

Formula

SSA Trace

what predicate is needed
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

1. … after executing trace prefix

what predicate is needed52
What Predicate is needed ?

Trace Formula (TF)

Trace

x1

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

1. … after executing trace prefix

2. … has present values of variables

what predicate is needed53
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible

what predicate is needed54
What Predicate is needed ?

Trace Formula (TF)

Trace

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

Relevant Information

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

1. … after executing trace prefix

2. … has present values of variables

3. … makes trace suffix infeasible

craig s interpolation theorem craig 57
Craig’s Interpolation Theorem [Craig ’57]

Given formulas - , + s.t. -Æ + is unsatisfiable

There exists an Interpolant for - , +, s.t.

  • -implies
  •  has symbols common to -, +
  • Æ+ is unsatisfiable

 computable from Proof of Unsat. of - Æ+

[Krajicek ’97] [Pudlak ’97]

(boolean) SAT-based Model Checking [McMillan ’03]

interpolant predicate
Interpolant = Predicate !

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Predicate at 4:

y= x+1

-

Interpolate

+

y1 = x1 + 1

Craig Interpolant

[Craig 57]

Predicate …

… implied by TF prefix

… on common variables

… & TF suffix is unsatisfiable

building predicate maps
Building Predicate Maps

Predicate Map

2:x= ctr

Trace

Trace Formula

-

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

Interpolate

x1 = ctr0

+

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps58
Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr-1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

-

Interpolate

x1= ctr1-1

+

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps59

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= x1+1

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
building predicate maps60

-

Interpolate

+

Building Predicate Maps

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

Trace

Trace Formula

1: x = ctr

2: ctr = ctr + 1

3: y = ctr

4: assume(x = i-1)

5: assume(y  i)

x1 = ctr0

Æctr1 = ctr0 + 1

Æy1 = ctr1

Æ x1 = i0- 1

Æy1i0

y1= i0

  • Cut + Interpolate at each point
  • Pred. Map: pci Interpolant from cut i
local predicate use
Local Predicate Use

At each location, only use

needed Predicates

  • #Predicates grows with program size
  • #Preds per location small
  • Verification scales …

Predicate Map

2:x = ctr

3:x= ctr - 1

4:y= x + 1

5:y = i

results62

Property3:

IRP Handler

Win NT DDK

Results

* Pre-processed

localizing works

Property3:

IRP Handler

Win NT DDK

Localizing Works

* Pre-processed

scaling sequential verification64
Scaling Sequential Verification

Yes

Safe

Abstract

lazily

CProgram

Refine

locally

No

Property

Trace

Problem:#Preds grows w/ Program Size

Solution: Localize pred. use, find where preds. needed

Refine

Trace

Feas

Formula

Proof of

Unsat

Pred. Map

PC  Preds.

Ctrex.

Trace

Thm Pvr

Interpolate

analyzing programs
Analyzing Programs

Abstraction

Programs

Building Blocks

Logic

  • Relevant facts*
  • Model
  • Analysis

Predicates

Reach Tree

Search (model checking)

* w.r.t. property of interest

slide66
Plan
  • C.G. Abstraction-Refinement
  • Lazy Abstraction
      • Sequential Programs [POPL 02, POPL 04]
      • Multithreaded Programs
  • Demo
multithreaded programs
OS, WebServers, Databases, Embedded Systems

Curse of Interleaving

Non-deterministic scheduling

Exponentially many behaviors: hard to detect, reproduce errors

Testing exercises a fraction of possible behaviours

Multithreaded Programs

Thread

Thread

x

Shared

Memory

data races
A data race on x is a state where:

Two threads can access x

One of the accesses is a write

Unpredictable, undesirable program

Synchronization: Must hold lock when accessing x

Data Races

x:= x+1

x:= x-5

lock(l)

unlock(l)

lock(l)

unlock(l)

x

previous work
Previous Work

[Dinning-Schonberg 90] ,[Savage et al. 97]

[Cheng et al. 98], [Choi et al. 02]

Dynamic LockSet

[Flanagan-Freund 00] [Bacon et al. 00]

[Boyapati et al. 02]

Type-based

Static LockSet

[Sterling 93], [Engler-Ashcraft 03]

Object Usage Graph

[von Praun-Gross 03]

  • Infer some lock(s) that protect x
  • Check lock(s)held when accessing x
  • Report error if lock(s) not held
previous work70
Previous Work

[Dinning-Schonberg 90] ,[Savage et al. 97]

[Cheng et al. 98], [Choi et al. 02]

Dynamic LockSet

[Flanagan-Freund 00] [Bacon et al. 00]

[Boyapati et al. 02]

Type-based

Static LockSet

[Sterling 93], [Engler-Ashcraft 03]

Object Usage Graph

[von Praun-Gross 03]

[Godefroid 97][Holzmann] [Havelund-Visser]

[Dwyer-Hatcliff][Avrunin-Clarke]

[Musuvathi-Dill-Engler 02]

Model Checking

Any Synchronization Idiom

Fixed threads, State-explosion

other synchronization idioms
Other Synchronization Idioms

Producer-Consumer

atomic{

old:= state;

if(state==0){

state:=1;

}

}

if(old==0){

x++;

state:=0;

}

x

Interrupt-toggling

State-based

slide72

Race Checking by State Exploration

Initial

Shared Memory

Is there a path from

Initial to Race ?

Data Race

problem state explosion
Problem: State Explosion

Initial

Shared Memory

Is there a path from

Initial to Race ?

Data Race

problem state explosion74
Problem: State Explosion

Initial

2. Control

k threads, m locations =mk

- k=4,m=100, states = 1 billion

Unbounded threads ?

1. Data

Infinitely many valuations

for program variables

Data Race

solution abstract irrelevant detail
Solution: Abstract Irrelevant Detail

Observe

- Few relevant variables, relationships

- Track predicates (relationships)

instead of values

1. Predicate Abstraction

1. Data

Infinitely many valuations

for program variables

Observe

- Analyze system as Thread + Context

- Context: Summary of all other threads

(w.r.t. property)

2. Thread-Context Analysis

2. Control

k threads, m locations =mk

- k=4,m=100, states = 1 billion

Unbounded threads ?

threads contexts
Threads, Contexts

Assume threads run same code

Context:

Summary of all other threads

- Precise enough to check property

System = Thread + Context

Context

Shared Memory

Q:What about other threads ?

Q:What does a Context look like ?

thread contexts

Context

s,x

s=0

s0

s

Shared Memory

s0

Thread, Contexts

Context

Thread

Summary

Context:

Summary of all other threads

  • Summarize a single thread

As an automaton over

global predicates

2. Multiple threads by counting

1: while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

Q:What does a Context look like ?

many threads by counting

s,x

s=0

s0

s

s0

Contra!

Many Threads by Counting

Context

Initial loc = 1, other = 0

Operations

1. Pick edge w/ source counter > 0,

2. Source counter -1

Target counter +1

Havoc variables on edge,

Assume predicate on target

Unbounded threads

k-Counter Abstraction:

Value > k abstracted to 1

for k=1, values: 0,1,1

1

1

1

1

1

1

2

0

0

State

0

s=0

True

s 0Æ s=0

s 0

Q:What does a Context look like ?

thread context reasoning
Q: How to check race-freedom ?

Given an Abstraction:

1. Data:Predicates 2. Control: Summary, k

k

Shared Memory

Thread-Context Reasoning

k

Summarize

Reach Graph

µ

No Race

Given Summary

Computed Summary

Use Context

Build finite Reach Graph

CheckRace unreachable

Verify Context Sound

Check Summary Overapprox.

single Thread’s behavior

1

2

slide80
Q: How to check race-freedom ?

Given an Abstraction:

1. Data:Predicates 2. Control: Summary, k

k

Shared Memory

Shared Memory

Thread-Context Reasoning

2

1

Summarize

Reach Graph

µ

No Race

Given Summary

Computed Summary

Assume-Guarantee

(Use) (Verify)

Assume-Guarantee

[Owicki-Gries 73]

[Chandy-Misra 81]

[Jones 83] [Stark 85]

[Abadi-Lamport 93]

[Alur-Henzinger 96]

[McMillan 97]

[Flanagan-Qadeer 01]

No Race

inference build summary

;

Inference: Build Summary

Abstraction

Preds: P0 Ctr: k0

1

Trace

Reach Graph

Race

1

2

Reach Graph

Summarize

µ

;

No Race

inference trace analysis
Inference: Trace Analysis

Abstraction

Preds: P0 Ctr: k0

Abstraction

Preds: P1 Ctr: k1

Trace

Infeasible

Feasible

Refine using Trace

Either:

  • Add new predicates
  • Raisek

Report Trace

Interleaved sequence

of threads’ ops

inference build summary83
Inference: Build Summary

Abstraction

Preds: P0 Ctr: k0

Abstraction

Preds: P1 Ctr: k1

1

2

Summarize

Reach Graph

µ

1

2

Summarize

Reach Graph

µ

1

2

Summarize

Reach Graph

;

µ

;

context inferred

Shared Memory

Context Inferred

1

2

Summarize

Reach Graph

µ

Assume-Guarantee

No Race

context inference
Context Inference

BUILD SUMMARY

Update

Summary

1

2

YES

NO

Init. Abstraction

Preds: P0 Ctr: k0

Safe?

Init. Summary

Summary: ;

Reach Graph

Summarize

µ ?

YES

NO (trace)

NO

Refine using

Trace

Feasible?

Output SAFE

No Data Races

YES

TRACE ANALYSIS

Output

Data Race

ex races on x

x

Ex: Races on x

Build Summary

1

T

1: while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

2

1

2

Reach Graph

3

Summarize

µ

;

;

4

x

5

6

x++;

Abstraction

Preds =;

k=1

7

Control-Flow Graph

ex races on x87
Ex: Races on x

Build Summary

1

1: while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

1

2

Reach Graph

3

x

4

5

6

Abstraction

Preds =;

k=1

6

x++

x

Race

ex races on x88
Ex: Races on x

Trace Analysis

Trace

Thread 1

Thread 0

1

assume (True)

old := s

2

assume (s==0)

s:= 1

3

// do_work()

assume (old==0)

4

//write x enabled

5

assume (True)

old := s

6

assume (s==0)

s:= 1

6

// do_work()

x++

x

assume (old==0)

//write x enabled

ex races on x89
Ex: Races on x

Trace Analysis

Trace

Thread 1

Thread 0

Time

assume (True)

old := s

assume (s==0)

s:= 1

s is set to 1

// do_work()

assume (old==0)

//write x enabled

assume (True)

old := s

Infeasible branch

assume (s==0)

s:= 1

Infeasible Trace

// do_work()

New Predicate

s = 0

assume (old==0)

//write x enabled

ex races on x90

s=0

s

s0

x

s0

s

Ex: Races on x

Build Summary

1

s=0

1: while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

2

s=0

2

s=0

1

s

s=0 old=0

;

3

µ

s0

;

Summarize

Reach Graph

x

s=0 old=0

4

s0

s

s:=1

: s=0 old=0

5

Local Pred. old=0

- Cuts locally infeasible paths

- Invisible to other threads

- Quantified away

: s=0 old=0

6

Abstraction

Preds: s=0

k=1

x++

: s=0 old=0

7

, old=0

s:=0

ex races on x91

s=0

s=0

s

s,x

s

s0

s0

s=0

s0

x

s

x

s0

s0

s0

s

s

Ex: Races on x

Build Summary

s=0 Ç s0

Context changes s

1

T

1:while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

1

2

2

T

s=0 Ç s0

s,x

3

Reach Graph

Summarize

µ

s=0

s0

s=0 old=0

4

5

s

s0 old0

s0

s:=1

s0 old=0

5

Local Pred. old=0

- Cuts locally infeasible paths

- Invisible to other threads

- Quantified away

s:=0

s0 old=0

6

x++

Abstraction

Preds: s=0

k=1

, old=0

ex races on x92

1

T

2

T

3

T

s,x

s,x

s,x

s=0 old=0

s=0

s=0

s=0

s0

s0

s0

4

5

s

s

s

s0 old0

s:=1

s0

s0

s0

s0 old=0

5

s:=0

s0 old=0

6

x++

SAFE

No Races on x

Ex: Races on x

Build Summary

1:while(1){

atomic{

2: old := s;

3: if(s==0){

4: s := 1;

}

}

// do_work()

5: if(old==0){

6: x++;

7: s:=0;}

}

1

2

Reach Graph

Sumz

µ

Abstraction

Preds: s=0

k=1

, old=0

data races in nesc programs
Data Races in NesC Programs
  • PL for Networked Embedded Systems [Gay et al. 03]
  • Interrupts fire events, which fire other events

or post tasks which run asynchronously

  • Race-freedom important
    • Non-trivial synchronization idioms
    • Flow-based analysis
  • Compiled to C
analyzing programs95
Analyzing Programs

Abstraction

Multithreaded

Programs

Building Blocks

Logic

  • Relevant facts*
  • Model
  • Analysis

Predicates

Summary

Assume-Guarantee

Predicates

Reach Tree

Search

* w.r.t. property of interest

main ideas
Main Ideas

Counterexample-Guided Abstraction-Refinementfor large programs, complex propertiesSequential Programs1. Abstraction is expensiveReachability Tree2. Refinement must find where to use predicatesProof of unsatof trace formula+InterpolationConcurrent ProgramsThe curse of InterleavingsIterativelyinferred threadsummaries

slide97
Plan
  • C.G. Abstraction-Refinement
  • Lazy Abstraction
      • Sequential Programs [POPL 02, POPL 04]
      • Multithreaded Programs [CAV 03, PLDI 04]
  • Demo
combining strengths
Combining Strengths

Program Analysis

[Kildall, Wegman, Cousot2]

- Imprecise

+ Abstraction

Shrink state space

Theorem Proving

[Dijkstra, Hoare, Floyd]

- loop invariants

+ Behaviors encoded in logic

Refine

+ Theorem provers

Computing Successors,Refine

Lazy

Abstraction

Model Checking

[Clarke-Sifakis, McMillan, Holzmann]

- Finite-state model, state explosion

+ State Space Exploration

Path Sensitive Analysis

+ Counterexamples

Finding Relevant Facts

history of program verification
History of Program Verification
  • 1960s and 70s: Program verification techniques
  • 1979: Decision procedures
  • 1980s: Theory of finite-state model checking [Clarke, Sifakis, et al.]

Program Analysis for Compiler Optimizations

  • 1990s: Symbolic methods: Finite-state model checking penetrates the hardware industry [Intel, IBM, Motorola, Siemens, Lucent/Cadence]

Theory of infinite-state model checking

  • 2000s: Heuristics for automatic model extraction

Power of model checking given directly to the programmer

  • 2010s: Infinite-state model checking penetrates the software industry ?

Scale software model checking to million line code bases ?

blast http www eecs berkeley edu blast

Blast: http://www.eecs.berkeley.edu/~blast

Acknowledgments:

Tom Henzinger, Ranjit Jhala

Gregoire Sutre, Shaz Qadeer, Tom Ball, Sriram Rajamani, Ken McMillan, Todd Millstein, Adam Chlipala, Dirk Beyer

what i d like
What I’d like

Rigorous

Mechanical

Analyses

Software Today

Software Tomorrow

Berkeley Lazy Abstraction Software Verification Tool

www.eecs.berkeley.edu/~blast/

what i d like102
What I’d like

Rigorous

Mechanical

Analyses

Software Today

Software Tomorrow

Berkeley Los Angeles Software Verification Tool

www.eecs.berkeley.edu/~blast/

what i d like103
What I’d like

Rigorous

Mechanical

Analyses

Software Today

Software Tomorrow

Berkeley LausAnnegeles Software Verification Tool

www.eecs.berkeley.edu/~blast/

what i d like104
What I’d like

Rigorous

Mechanical

Analyses

Software Today

Software Tomorrow

Berkeley LausAnnegeles SanDiego Verification Tool

www.eecs.berkeley.edu/~blast/

what i d like105
What I’d like

Rigorous

Mechanical

Analyses

Software Today

Software Tomorrow

www.eecs.berkeley.edu/~blast/

verification by theorem proving
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

[Dijkstra, Floyd, Hoare]

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

Invariant:

lock Æ new = old

Ç

: lock Æ new  old

verification by theorem proving111
Verification by Theorem Proving

1. Loop Invariants

2. Logical formula

3. Check Validity

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

  • - Loop Invariants
  • Multithreaded Programs
  • + Behaviors encoded in logic
  • + Theorem provers

[ESC]

Precise

verification by program analysis
Verification by Program Analysis

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. Dataflow Facts

2. Constraint System

3. Solve constraints

[Wegman, Kildall, Milner, Cousot2]

- Imprecision due to fixed facts

+ Abstraction

+ Type/Flow Analyses

[CQUAL, ESP, MC]

Scalable

verification by model checking
Verification by Model Checking

Example ( ) {

1: do{

lock();

old = new;

q = q->next;

2: if (q != NULL){

3: q->data = new;

unlock();

new ++;

}

4: } while(new != old);

5: unlock ();

return;

}

1. (Finite State) Program

2. State Transition Graph

3. Reachability

[Clarke-Sifakis, McMillan, Holzmann]

- Pgm ! Finite state model

  • State explosion

+ State Exploration

+ Counterexamples

[SPIN, SMV, Bandera,JPF ]

Precise

lazy abstraction search
Lazy Abstraction: Search

Yes

Safe

Search

CProgram

[POPL 02]

Refine

No

Property

Trace

scalable sequential verification
Scalable Sequential Verification

#Abstract States Exp. in #Predicates

#Predicates grows with program size

  • Search

Building/Exploring abstraction is expensive

  • Refine

Need to find where a predicate is useful

lazy abstraction refine
Lazy Abstraction: Refine

Yes

Safe

Search

CProgram

[POPL 02]

Refine

No

Property

[POPL 04]

Trace

idea 2 counterex guided refinement
Idea 2: Counterex.-Guided Refinement

Solution

Use spurious counterexamples

to refine abstraction

1. Add predicates to distinguish

states across cut

2. Build refined abstraction

[Kurshan et al ’93] [Clarke et al ’00]

[Ball-Rajamani ’01]

problem different relevant facts

p1

p2

pn

m

n

Problem:Different Relevant Facts

while (*) {

1: if (p1) lock();

if (p1) unlock();

2: if (p2) lock();

if (p2) unlock();

n: if (pn) lock();

if (pn) unlock();

}

m + n states/paths

m £ n states/paths

Solution

  • Localize precision
  • Q: Where is a fact relevant ?
counterexample analysis
Counterexample Analysis

1: x:= a;

y:= x;

p:= q->foo;

2: if(y>0&&q!=NULL){

5

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

5: if(z>a+1){

ERROR:

why is this hard

5

4

1

2

3

Why is this hard ?

1: x:= a;

y:= x;

p:= q->foo;

  • Filter Noise

2: if(y>0&&q!=NIL){

3: y:= -1*y;

q->foo ++;

4: q:= q->next;

z:= y;

5: if(z>a+1){

ERROR:

why is this hard121

5

4

1

2

3

Why is this hard ?

1: x:= a;

y:= x;

  • Filter Noise

2: if(y>0){

3: y:= -1*y;

4: z:= y;

5: if(z>a+1){

ERROR:

why is this hard122

5

4

1

2

3

Why is this hard ?

1: x:= a;

y:= x;

  • Filter Noise

2: if(y>0){

3: y:= -1*y;

2.Find Info flow

4: z:= y;

5: if(z>a+1){

Syntactic methods fail

- Need y to show z<a

- Can’t forget preds with y

ERROR:

what info is needed
What Info is Needed ?

1: x:= a;

y:= x;

p:= q->foo;

2: if(y>0&&q!=NULL){

5

3: y:= -1*y;

q->foo ++;

Which predicates

needed here ?

4

1

2

3

4: q:= q->next;

z:= y;

5: if(z>a+1){

ERROR:

states reachable from init
States Reachable fromInit

1: x:= a;

y:= x;

p:= q->foo;

x = a

Æ y = x

Æ p = [q,foo]

2: if(y>0&&q!=NULL){

5

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

Strongest

Postcondition

5: if(z>a+1){

ERROR:

states reachable from init125
States Reachable fromInit

1: x:= a;

y:= x;

p:= q->foo;

x = a

Æ y = x

Æ p = [q,foo]

2: if(y>0&&q!=NULL){

Æ y>0 Æ q  0

5

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

Strongest

Postcondition

5: if(z>a+1){

ERROR:

states reachable from init126
States Reachable fromInit

1: x:= a;

y:= x;

p:= q->foo;

x = a

Æ y’ = x

Æ p = [q,foo]’

2: if(y>0&&q!=NULL){

Æ y’>0 Æ q  0

5

Æ y = -1 * y’

Æ [q,foo]=[q,foo]’+1

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

Strongest

Postcondition

5: if(z>a+1){

ERROR:

states that can reach error
States that Can ReachError

Weakest

Precondition

1: x:= a;

y:= x;

p:= q->foo;

x = a

Æ y’ = x

Æ p = [q,foo]’

2: if(y>0&&q!=NULL){

Æ y’>0 Æ q  0

5

Æ y = -1 * y’

Æ [q,foo]=[q,foo]’+1

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

5: if(z>a+1){

Æ z > a+1

ERROR:

states that can reach error128
States that Can ReachError

Weakest

Precondition

1: x:= a;

y:= x;

p:= q->foo;

x = a

Æ y’ = x

Æ p = [q,foo]’

2: if(y>0&&q!=NULL){

Æ y’>0 Æ q  0

5

Æ y = -1 * y’

Æ [q,foo]=[q,foo]’+1

3: y:= -1*y;

q->foo ++;

4

1

2

3

4: q:= q->next;

z:= y;

Æ q’ = [q,next]

Æ z = y

5: if(z>a+1){

Æ z > a+1

ERROR:

predicates from proofs
Predicates from Proofs

x = a

Æ y’ = x

Æ p = [q,foo]’

1.Proof of Contradiction

Filters noise

Æ y’>0 Æ q  0

5

Æ y = -1 * y’

Æ [q,foo]=[q,foo]’+1

4

1

2

3

Æ q’ = [q,next]

Æ z = y

Æ z > a+1

Empty

Intersection

Contradiction

predicates from proofs130
Predicates from Proofs

1.Proof of Contradiction

Filters noise

2.Craig Interpolation

Extracts info needed at 4: fromproof

[Krajicek 97] [Pudlak 97]

x = a

Æ y’ = x

Æ y’>0

Æ y = -1 * y’

4

Reduces to common vars.

Preserving Contradiction

y < a

Æ z = y

Æ z > a+1

Empty

Intersection

Contradiction

repeat at each point 2
Repeat at Each Point 2:

x = a

Æ y = x

y = a

Æ y>0

Æ y’ = -1 * y

Æ z = y’

2

Æ z > a+1

1.Proof of Contradiction

2.Craig Interpolation

Empty

Intersection

Contradiction

repeat at each point 3
Repeat at Each Point 3:

x = a

Æ y = x

Æ y>0

y = a Æ a > 0

Æ y’ = -1 * y

Æ z = y’

3

Æ z > a+1

1.Proof of Contradiction

2.Craig Interpolation

Empty

Intersection

Contradiction

repeat at each point 4
Repeat at Each Point 4:

x = a

Æ y’ = x

Æ y’>0

Æ y = -1 * y’

4

y < a

Æ z = y

Æ z > a+1

1.Proof of Contradiction

2.Craig Interpolation

Empty

Intersection

Contradiction

repeat at each point 5
Repeat at Each Point 5:

x = a

Æ y’ = x

Æ y’>0

5

Æ y = -1 * y’

Æ z = y

z < a

Æ z > a+1

1.Proof of Contradiction

2.Craig Interpolation

Empty

Intersection

Contradiction

local predicates
Local Predicates

At each location, only use

needed Predicates

  • #Predicates grows with program size
  • #Preds per location small
  • Verification scales …

Location

Predicates Needed

Predicate Map

localizing works136

Property3:

IRP Handler

Win NT DDK

Localizing Works

* Pre-processed

predicates grows with program size137
#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

T

F

T

LOCK, p1

: LOCK, : p1

Tracking lock not enough

: LOCK, : p1

: LOCK, p1

: LOCK

p1p2

p1: p2

: p1 p2

: p1: p2

2nAbstract States

Problem:

p1,…,pn needed for verification

Exponential reachable abstract states

slide138

LOCK, p2

: LOCK, : p2

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

: LOCK

p1

LOCK, p1

: LOCK, : p1

: LOCK, : p1

: LOCK

: LOCK, p1

: LOCK

: LOCK

p2

: LOCK, : p2

: LOCK, p2

: LOCK

pn

2.n Abstract States

Observe:

Predicates are useful locally

slide139

#Predicates grows with program size

while(1){

1: if (p1) lock() ;

if (p1) unlock() ;

2: if (p2) lock() ;

if (p2) unlock() ;

n: if (pn) lock() ;

if (pn) unlock() ;

}

p1

p2

Preds. used globally

Ex: 2n states

Preds. Used locally

Ex: 2.n states

pn

Solution: Use predicates only where needed

Refinement: from (spurious) Counterexamples

Q1.Find predicates

Q2.Find where predicates are needed

idea 1 predicate abstraction
Idea 1: Predicate Abstraction

Error

Initial

Abstraction

Program State Space

  • Abstraction: Predicates on program state
    • Signs: x > 0
    • Aliasing: &x  &y
  • States satisfying the same preds are equivalent
    • Merged into single abstract state

Q:From Initial states is an Error state Reachable ?