abstraction and modular reasoning for the verification of software n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Abstraction and Modular Reasoning for the Verification of Software PowerPoint Presentation
Download Presentation
Abstraction and Modular Reasoning for the Verification of Software

Loading in 2 Seconds...

play fullscreen
1 / 38

Abstraction and Modular Reasoning for the Verification of Software - PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on

Abstraction and Modular Reasoning for the Verification of Software. Corina Pasareanu NASA Ames Research Center. Outline. Bandera Project (Kansas Sate University): Tool Support for Program Abstraction and Abstract Counter-example Analysis (joint work with the Bandera team) NASA Ames Projects:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Abstraction and Modular Reasoning for the Verification of Software' - raanan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
abstraction and modular reasoning for the verification of software

Abstraction and Modular Reasoning for the Verification of Software

Corina Pasareanu

NASA Ames Research Center

outline
Outline
  • Bandera Project (Kansas Sate University):
    • Tool Support for Program Abstraction and Abstract Counter-example Analysis (joint work with the Bandera team)
  • NASA Ames Projects:
    • Combining Symbolic Execution with (Explicit State) Model Checking (joint work with Willem Visser)
    • Assumption Generation for Component Verification (joint work with Dimitra Giannakopoulou and Howard Barringer)
outline1
Outline
  • Bandera Project (Kansas Sate University):
    • Tool Support for Program Abstraction and Abstract Counter-example Analysis
  • NASA Ames Projects:
    • Combining Symbolic Execution with (Explicit State) Model Checking
    • Assumption Generation for Component Verification
finite state verification

OK

Finite-state system

Verification

tool

or

Error trace

(F W)

Line 5: …

Line 12: …

Line 15:…

Line 21:…

Line 25:…

Line 27:…

Line 41:…

Line 47:…

Specification

Finite-state Verification
finite state verification1
Finite-State Verification
  • Effective for analyzing properties of hardware systems

Widespread success and adoption in industry

  • Recent years have seen many efforts to apply those techniques to software

Limited success due to the enormous state spaces associated with most software systems

abstraction the key to scaling up

symbolic state

represents a set of states

Original

system

Abstract

system

abstraction

Safety:

The set of behaviors of the abstract system over-approximates

the set of behaviors of the original system

Abstraction: the key to scaling up
goals of our work

Develop multiple forms of tool support for abstraction that is…

… applicable to program source code

… largely automated

… usable by non-experts

Evaluate the effectiveness of this tool support through…

… implementation in the Bandera toolset

… application to real multi-threaded Java programs

Goals of our work …
data type abstraction

int

(n<0) : NEG

(n==0): ZERO

(n>0) : POS

Signs

Signs x = ZERO;

if (Signs.eq(x,ZERO))

x = Signs.add(x,POS);

NEG

ZERO

POS

Data Type Abstraction

Collapses data domains via abstract interpretation:

Code

Data domains

int x = 0;

if (x == 0)

x = x + 1;

abstraction in bandera

Bandera

Abstraction

Specification

Language

PVS

Concrete

Type

Abstract

Type

Inferred

Type

Abstraction

Definition

Variable

x

int

y

int

done

bool

count

int

BASL

Compiler

….

o

Object

b

Buffer

Program

Abstracted

Program

Abstract Code

Generator

Abstraction in Bandera

Signs

Signs

Signs

bool

Abstraction

Library

int

….

Point

Buffer

definition of abstractions in basl

Automatic

Generation

Example: Start safe, then refine:+(NEG,NEG)={NEG,ZERO,POS}

Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)

Proof obligations submitted to PVS...

Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)

Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)

Definition of Abstractions in BASL

operator + add

begin

(NEG , NEG) -> {NEG} ;

(NEG , ZERO) -> {NEG} ;

(ZERO, NEG) -> {NEG} ;

(ZERO, ZERO) -> {ZERO} ;

(ZERO, POS) -> {POS} ;

(POS , ZERO) -> {POS} ;

(POS , POS) -> {POS} ;

(_,_) -> {NEG,ZERO,POS};

/* case (POS,NEG),(NEG,POS) */

end

abstraction Signs abstracts int

begin

TOKENS = { NEG, ZERO, POS };

abstract(n)

begin

n < 0 -> {NEG};

n == 0 -> {ZERO};

n > 0 -> {POS};

end

compiling basl definitions

Compiled

Compiling BASL Definitions

abstraction Signs abstracts int

begin

TOKENS = { NEG, ZERO, POS };

abstract(n)

begin

n < 0 -> {NEG};

n == 0 -> {ZERO};

n > 0 -> {POS};

end

operator + add

begin

(NEG , NEG) -> {NEG} ;

(NEG , ZERO) -> {NEG} ;

(ZERO, NEG) -> {NEG} ;

(ZERO, ZERO) -> {ZERO} ;

(ZERO, POS) -> {POS} ;

(POS , ZERO) -> {POS} ;

(POS , POS) -> {POS} ;

(_,_)-> {NEG, ZERO, POS};

/* case (POS,NEG), (NEG,POS) */

end

public class Signs {

public static final int NEG = 0; // mask 1

public static final int ZERO = 1; // mask 2

public static final int POS = 2; // mask 4

public static int abs(int n) {

if (n < 0) return NEG;

if (n == 0) return ZERO;

if (n > 0) return POS;

}

public static int add(int arg1, int arg2) {

if (arg1==NEG && arg2==NEG) return NEG;

if (arg1==NEG && arg2==ZERO) return NEG;

if (arg1==ZERO && arg2==NEG) return NEG;

if (arg1==ZERO && arg2==ZERO) return ZERO;

if (arg1==ZERO && arg2==POS) return POS;

if (arg1==POS && arg2==ZERO) return POS;

if (arg1==POS && arg2==POS) return POS;

return Bandera.choose(7);

/* case (POS,NEG), (NEG,POS) */

}

abstract counter example analysis
Abstract Counter-example Analysis
  • For an abstracted program, a counter-example may be infeasible because:
    • Over-approximation introduced by abstraction
  • Example:

x = -2; if(x + 2 == 0) then ...

x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then ...

{NEG,ZERO,POS}

our solutions
Our Solutions
  • Choice-bounded State Space Search
    • “on-the-fly”, during model checking
  • Abstract Counter-example Guided Concrete Simulation
    • Exploit implementations of abstractions for Java programs
    • Effective in practice
    • Implemented in Java PathFinder tool
choose free state space search
“Choose”-free state space search
  • Theorem [Saidi:SAS’00]

Every path in the abstracted program where all assignments are deterministic is a path in the concrete program.

  • Bias the model checker
    • to look only at paths that do not include instructions that introduce non-determinism
  • JPF model checker modified
    • to detect non-deterministic choice (i.e. calls to Bandera.choose()); backtrack from those points
choice bounded search

State space searched

Undetectable Violation

Detectable Violation

Choice-bounded Search

choose()

X

X

case study deos kernel nasa ames
Case Study: DEOS Kernel (NASA Ames)
  • Honeywell Dynamic Enforcement Operating System (DEOS)
    • A real time operating system for integrated modular avionics
    • Non-trivial concurrent program (1433 lines of code, 20 classes, 6 threads)
    • Written in C++, translated into Java and Promela
    • With a known bug
  • Verification of the system exhausted 4 Gigabytes of memory without completion; abstraction needed
  • Abstracted using data type abstraction
  • Checked using JPF and SPIN
  • Defect detected using choice-bounded search
conclusion and future research directions
Conclusion and Future Research Directions
  • Tool support for abstraction enables verification of real properties of real programs
  • Extend abstraction support for objects
    • Heap abstractions tohandle an unbounded number of dynamically allocated objects
    • Handle recursive procedures, unbounded number of processes
  • Extend automation
    • For selection and refinement based on counter-example analysis
outline2
Outline
  • Bandera Project (Kansas Sate University):
    • Tool Support for Program Abstraction and Abstract Counter-example Analysis
  • NASA Ames Projects:
    • Combining Symbolic Execution with (Explicit State) Model Checking
    • Assumption Generation for Component Verification
java path finder nasa ames
Java Path Finder (NASA Ames)
  • Model checker for Java programs
  • Built on top of a custom made Java Virtual Machine
  • Checks for deadlock and violation of assertions; LTL properties
  • Support for abstraction:
    • Predicate abstraction
    • Bandera’s data abstraction
  • Heuristic search
symbolic execution

Symbolic execution tree

(PC=“path condition”)

n:S

PC:true

4

5

2

5

1

3

n:S

PC:S<=0

n:S

PC:S>0

...

n:S+1

PC:S>0

n:S+1

PC:S>0 & S+1>=3

n:S+1

PC:S>0 & S+1<3

...

...

Symbolic Execution

Uses “symbolic names” to represent program inputs

Code

void test(int n){

[1] if (n > 0) {

[2] n = n + 1;

[3] if (n < 3)

[4] ...

}

[5] ...

}

symbolic execution and jpf applications
Symbolic Execution and JPF: Applications
  • Extends JPF with a new form of abstraction
  • Test case generation
  • Abstract counter-example analysis and refinement
  • Symbolic execution of multithreaded programs
  • Parameter synthesis …
implementation in jpf
Implementation in JPF
  • Easy:
    • Uses Bandera’s type abstraction
    • Uses Omega library (Java version)
      • Manipulates sets of linear constraints over integer variables
  • Can be used as a “symbolic execution tool with backtracking”
  • Good for finding counter-examples
  • No state matching!
possible implementation

PathCondition PC; // =“true”

void test(SymVal n) {

n = new SymVal();

if(SymOps.gt(n,new SymVal(0)){

n=SymOps.add(n,new SymVal(1));

...

}

(Possible) Implementation

Code

public class SymVal {

public SymVal() { ... }

public SymVal(int n) { ... }

public SymVal(SymVal s1, SymVal s2,

String ops) { ... } ...

}

public class SymOps {

public SymVal add(SymVal s1, SymVal s2){

return new SymVal(s1,s2,’+’);

}

public bool gt(SymVal s1, SymVal s2) {

bool result = Verify.chooseBool();

if(result) { // “true”

PC.addCondition(s1,s2,’>’);

}

else { // “false”

PC.addCondition(s1,s2,’<=‘);

}

PC.simplify();

return result;

} ... }

void test(int n) {

if (n > 0) {

n = n + 1;

...

}

problem convergence

n:S

PC:true

4

3

1

2

2

4

3

n:S,x:0

PC:0>=S

n:S,x:0

PC:true

n:S,x:0

PC:0<S

n:S,x:1

PC:0<S

n:S,x:1

PC:0<S & 1>=S

n:S,x:1

PC:0<S & 1<S

....

Problem: Convergence

Symbolic execution tree

Code

void test(int n) {

[1] int x = 0;

[2] while(x < n)

[3] x = x + 1;

[4] }

problem convergence1
Problem: Convergence

Solutions?

  • Limit the search depth of MC
  • Unwind loops a fixed number of times (similar to Bounded MC?)
  • Discover “simple and practical” widening techniques
  • Acceleration techniques
  • Heuristics?
  • Combine with “predicate abstraction” …
relation to bounded mc
Relation to Bounded MC
  • Extend BMC with symbolic variables?
  • Widening for C programs?
outline3
Outline
  • Bandera Project (Kansas Sate University):
    • Tool Support for Program Abstraction and Abstract Counter-example Analysis
  • NASA Ames Projects:
    • Combining Symbolic Execution with (Explicit State) Model Checking
    • Assumption Generation for Component Verification
assumption generation for component verification

Component

Assumption Generation for Component Verification
  • Problem:

Environment

Property

? Environment Assumption ?

The “weakest” assumption A for component C:

for all environments E,

E |= A  E || C |= P

applications
Applications
  • Support for modular verification
    • Compositional verification
    • Property decomposition
  • Run-time monitoring of the environment
  • Component retrieval
  • Sub-module construction …
implementation
Implementation
  • In Labeled Transition Systems Analyzer (LTSA) tool - Imperial college
    • Supports compositional reachability analysis based on software architecture
    • Incremental system design and verification:
      • Component abstraction (hiding of internal actions)
      • Minimization wrt. observational equivalence
    • Both components and properties expressed as labeled transition systems
example a system and a property

Mutex:

Mutual Exclusion Property:

E.acquire

W.acquire

E.enterCS

W.enterCS

W.acquire

E.release

||

E.exitCS

W.exitCS

Writer:

W.enterCS

W.exitCS

E.enterCS

Interface actions

W.exitCS

E.exitCS

W.enterCS

E.enterCS

E.exitCS

W.acquire

W.enterCS

W.exitCS

W.release

Example: A System and A Property

||

assumption generation

Property true!

(all environments)

Step 2: backward reachability

with error state

Property false!

(all environments)

Step 3: property extraction

(sub-set construction

and completion)

Assumption

Assumption Generation

Step 1: composition, hiding of

internal actions and

minimization

composite system
Composite System

E.release

E.enterCS

E.acquire

E.exitCS

E.release

E.exitCS

E.enterCS

E.release

E.enterCS

E.enterCS

t

E.enterCS

E.exitCS

E.exitCS

backward error propagation with t
Backward Error Propagation (with t)

E.release

E.enterCS

E.acquire

E.exitCS

E.release

E.exitCS

E.enterCS

E.release

E.enterCS

E.enterCS

t

E.enterCS

E.exitCS

E.exitCS

backward error propagation with t1
Backward Error Propagation (with t)

E.release

E.enterCS

E.exitCS

E.release

E.enterCS

E.release

E.enterCS

E.enterCS

E.exitCS

E.exitCS

property extraction

E.acquire, E.release

E.enterCS, E.exitCS

E.release

E.acquire

E.acquire

Property Extraction

E.acquire

E.enterCS

E.release

E.exitCS

E.enterCS

E.exitCS

E.enterCS

E.release

E.exitCS

generated assumption
Generated Assumption

E.acquire, E.release

E.enterCS, E.exitCS

E.release

E.acquire

E.acquire

E.acquire

E.enterCS

E.release

E.exitCS

directions for future work
Directions for Future Work
  • Liveness /fairness
  • Extend to other frameworks
    • LTL checking (since we are interested only in error behaviors)
  • Is the sub-set construction needed?
  • Study other forms of composition …