Presentation Transcript
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani

In PLDI 01: Programming Language Design and Implementation, 2001

Automatic Predicate Abstraction of C Programs

Presented by Yifan Li (yl2774@columbia.edu)

November 22nd

Outline
  • What is model checking
  • Why it is important
  • Current state of the art
  • Challenges in applying model checking to C programs
  • SLAM project
Model Checking
  • A specific technique of formal verification
  • Given a model of a system, test automatically whether this model meets a given specification
Formal Verification
  • Formal Verification

 Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property

  • To help mathematically prove the correctness of a software or hardware system
The model checking problem
  • Let M be a Kripke structure (i.e., a state-transition graph)
  • Let f be a formula of temporal logic (i.e., the specification)
  • Find all states s of M such that M, s ⊨ f
A typical model checking system

Figure 1. A typical model checking system

Kripke Structure
  • A Kripke structure is a type of nondeterministic finite state machine proposed by Saul Kripke, used in model checking

Let the set of atomic propositions AP = {p, q}. p and q can model arbitrary boolean properties of the system that the Kripke structure is modelling. M may produce a path ρ = s1, s2, s1, s2, s3, s3, s3, ... (potentially infinite).

Figure 2. Kripke Structure

How to model-check
  • Basic Procedure:
    • Describe the system as a finite state model
    • Express properties in temporal logic
    • Formal Verification by automatic exhaustive search over the state space
  • Use a model checker to check properties
Temporal logic
  • Used to describe any system of rules for representing propositions in terms of time
  • Statements in temporal logic:

"I am always hungry"

"I will eventually be hungry"

"I will be hungry until I eat something"

  • Temporal logics describe the ordering of events in time without introducing time explicitly.
  • The meaning of a temporal logic formula is determined with respect to a labeled state-transition graph or Kripke structure.
Abstraction of model
  • What if the model is infinite (or effectively infinite)?

Use abstraction

  • Any effort to model check software must first construct an abstract model of the software
  • Predicate abstraction: a promising approach to constructing abstractions automatically (covered later)
What is a model checker

A model checker is a software tool that

  • given a description of a Kripke model M ...
  • ... and a property φ
  • decides whether M ⊨ φ
  • returns "yes" if the property is satisfied,
  • otherwise returns "no" and provides a counterexample
What is a model checker

Figure 3. The model checker

Why it is important
  • Software bugs are so common that their cost to the American economy alone is $60 billion a year, or about 0.6% of gross domestic product (NIST)
Why it is important

Some errors in software systems are expensive:

  • Space mission failed: a bug caused a 370-million-dollar failure in 1996, which is $514 to $686 million in 2010 dollars (Flight 501)

While some are merely annoying:

  • "Bill Gates: 5% of Windows Machines Crash More Than Twice A Day"
A wide variety of model checkers

To name a few:

For C programs:

  • BLAST (Berkeley)
  • CBMC (Carnegie Mellon)
  • CPAchecker (University of Passau, Germany)
  • SLAM (Microsoft Research)

Others:

  • SPIN (Bell Labs, Software System Award 2001)
SLAM
  • "software (specifications), programming languages, abstraction, and model checking"
  • SLAM is the program-analysis engine of the SDV tool, used to check whether clients of an API follow the API's stateful usage rules
  • The SLAM toolkit (C2BP, Bebop, Newton) is the analysis engine of the SDV tool
SLAM2
  • The improved version of SLAM
  • Under 4% false alarms
SDV

Static Driver Verifier (SDV):

  • Compile-time verification tool
  • Ships with Windows 7 Driver Kit (WDK)
  • Less than 4% false alarms on real drivers
  • Supports many driver APIs (WDM, KMDF, NDIS, …)
  • Uses SLAM as the verification engine
    • Based on CEGAR loop
    • Boolean abstraction of input C programs
  • API-specific components:
    • environment model
    • API rules in SLIC language
Figure 4. SDV: the Static Driver Verifier takes the driver's source code in C, precise API usage rules (SLIC) and an environment model, and reports defects with 100% path coverage

Usage
  • SDV 2.0 is applied as an automatic and required quality gate for Windows 7 device drivers
  • SLAM is distributed as part of the Windows Driver Development Kit
Challenges in applying model checking to C programs
  • Pointers (the aliasing problem)
  • Procedures (signatures)
  • Unknown values (*)
  • Large numbers of predicate states
SLAM Project

Figure 5. The SLAM realization of the CEGAR loop: the C program P and the SLIC rules yield the instrumented C program P'; C2BP produces the Boolean program BP(E, P'), which Bebop checks. If the error path is feasible, an error is found (program bug); if not, the predicates are refined and a new BP is generated

CEGAR
  • In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms
SLIC
  • SLIC: Specification Language for Interface Checking
  • SLIC is a subset of the C language augmented with elements that identify the events of interest.
  • Next slide: an example of a SLIC specification and the instrumented C program generated from it
Figure 6. Checking that a spinlock cannot be acquired again without first being released, and that a spinlock cannot be released twice
Example 2

Figure 8. (a) SLIC specification for proper usage of spin locks, and (b) its compilation into C code.

Figure 9. (a) A snippet of device driver code P, and (b) program P' resulting from instrumentation of program P with the SLIC specification in Figure 8.

Figure 10. The C code of the SLIC specification from Figure 1(b) compiled by C2BP into a boolean program.
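As an added illustration of the "exhaustive search over the state space" procedure and of the boolean program C2BP derives from the spin-lock rule, here is a constructed explicit-state checker (not code from the paper or the SLAM toolkit). It explores every path of an abstracted, SLIC-instrumented driver loop and shows that with only the lock state tracked the double-release error is reachable along a spurious path, while adding the predicate b (a CEGAR refinement) makes it unreachable. The loop itself, the predicate name b and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Program points of a constructed, SLIC-instrumented driver loop in the
   spirit of the SLAM examples (not the paper's own Figure 9):
     do { acquire; nPacketsOld = nPackets;
          if (*) { release; nPackets++; } } while (nPackets != nPacketsOld);
     release;                                                               */
enum { ACQ, SETB, BRANCH, REL_IN, INC, LOOP, REL_OUT, END, NPC };
static int seen[NPC][2][2], error_hit;  /* visited (pc, locked, b); rule violated */

/* Exhaustively explore the successors of abstract state (pc, locked, b). Every
   '*' (the request test, information lost by nPackets++) fans out into all cases. */
static void step(int pc, int locked, int b, int track_b)
{
    if (seen[pc][locked][b]++) return;
    switch (pc) {
    case ACQ:     if (locked) { error_hit = 1; return; }   /* SLIC: acquired twice */
                  step(SETB, 1, b, track_b); break;
    case SETB:    step(BRANCH, locked, track_b ? 1 : b, track_b); break;  /* b := true */
    case BRANCH:  step(REL_IN, locked, b, track_b);        /* if (*) ... */
                  step(LOOP, locked, b, track_b); break;
    case REL_IN:  if (!locked) { error_hit = 1; return; }  /* SLIC: released twice */
                  step(INC, 0, b, track_b); break;
    case INC:     if (!track_b || b) step(LOOP, locked, 0, track_b);   /* equality broken */
                  else { step(LOOP, locked, 0, track_b); step(LOOP, locked, 1, track_b); } /* b := * */
                  break;
    case LOOP:    if (!track_b || !b) step(ACQ, locked, b, track_b);     /* loop again */
                  if (!track_b ||  b) step(REL_OUT, locked, b, track_b); /* exit loop */
                  break;
    case REL_OUT: if (!locked) { error_hit = 1; return; }  /* SLIC: released twice */
                  step(END, 0, b, track_b); break;
    }
}

/* Returns 1 if the SLIC error state is reachable in the abstraction. track_b = 0 tracks
   only the lock state; track_b = 1 adds b == (nPackets == nPacketsOld), as CEGAR refinement would. */
int slic_error_reachable(int track_b)
{
    memset(seen, 0, sizeof seen); error_hit = 0;
    step(ACQ, 0, 0, track_b);
    return error_hit;
}

int main(void)
{
    printf("lock state only : error %s\n", slic_error_reachable(0) ? "reachable (spurious)" : "unreachable");
    printf("with predicate b: error %s\n", slic_error_reachable(1) ? "reachable" : "unreachable");
    return 0;
}
```

The spurious path with the lock predicate alone is acquire, take the branch, release, exit the loop, release again; once b records that nPackets++ broke the equality, the loop cannot exit on that path and the error state is no longer reachable.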

How well it works
  • Experience of running SLAM on device drivers with hundreds or thousands of lines of code
  • True errors were found in the device drivers when running SLAM on them
Conclusion
  • The SLAM toolkit overcomes the challenges in applying model checking to C programs
  • SLAM is appropriate for large-scale C programs and for device drivers written in C
  • The SDV tool has already been used to model check Windows 7 device drivers before they come to market
References
  • Measure the buying power of the US dollar at different times: http://www.measuringworth.com/ppowerus/
  • Bill Gates talk: http://www.osnews.com/story/4122/Bill_Gates_5_Of_Windows_Machines_Crash_More_Than_Twice_A_Day
  • Symbolic Model Checking: http://www.cse.iitd.ernet.in/~sak/courses/foav/nusvm-iitd-1.pdf
  • Building a better bug-trap: http://www.economist.com/node/1841081
  • The SLAM project: http://research.microsoft.com/en-us/projects/slam/