Post on 19-Dec-2015
1
Automatic Software Model Checking via Constraint Logic Programming
Cormac Flanagan
Systems Research Center
HP Labs
2
Software Reliability
• Testing
  – dominant methodology
  – costly
  – test coverage problem
• Static checking
  – combats the test coverage problem by considering all paths
  – Type systems: very effective for certain type errors
  – Extended Static Checking: targets errors missed by type systems
3
Extended Static Checking
• Targets errors not caught by the type system
  – array bounds errors
  – division by zero
  – null dereference
  – assertions
  – API usage rules
    • don't write to a closed file
    • don't acquire a lock you already hold
  – method preconditions, postconditions
  – object invariants
4
ESC/Java Example

```java
class Rational {
  int num, den;
  //@ invariant den != 0;

  //@ requires d != 0;
  Rational(int n, int d) { num = n; den = d; }

  int trunc() { return num/den; }

  public static void main(String[] a) {
    int n = readInt(), d = readInt();
    if( d == 0 ) return;
    Rational r = new Rational(d,n);
    for(int i=0; i<10000; i++) {
      print( r.trunc() );
    }
  }
}
```

Warnings reported by ESC/Java as the annotations are added:
Warning: possible division by zero
Warning: invariant possibly not established
Warning: precondition possibly not established
5
ESC/Java Experience
• Tested on 40+ KLOC (Java front end, web crawler, ...)
• Finds software defects!
• Useful educational tool
• Annotation cost significant
– 100 annotations per KLOC
– 3 programmer-hours per KLOC
• Annotation overhead significantly limits widespread use of extended static checking
• Why do we need these annotations?
6
ESC/Java Architecture
Pipeline: Java program + Annotations → Translator → Error conditions → Satisfiability checker → Satisfying assignment → Post-processor → Warning messages (e.g. "Index out of bounds on line 218", "Method does not preserve object invariant on line 223")
• The translator "understands" the semantics of Java.
• An error condition is a logical formula that, ideally, is satisfiable if and only if the program contains an error.
• The satisfiability checker is invisible to users.
• Satisfying assignments are turned into precise warning messages.
7
Generating Error Conditions
• Source code is translated into an error condition
• The error condition should be satisfiable if the code may fail an assertion

Code:
  if (x < 0) { x := -x; } //@ assert x >= 0;
Error condition:
  (x<0 ∧ x'=-x ∧ ¬(x'>=0)) ∨ (¬(x<0) ∧ ¬(x>=0))

Code:
  p := q; p.f := 3; //@ assert q.f != 0;
Error condition:
  p = q ∧ f' = store(f, p, 3) ∧ select(f', q) = 0
8
Error Condition Logic
• terms t ::= x | f(t)
• constraints c ::= p(t)
• formulae e ::= c | ¬c | e ∧ e | e ∨ e | ∃y. e
• theories of equality, linear arithmetic, select+store
• some heuristics for universal quantification
• logic cannot express iteration or recursion
9
ESC/Java Architecture
Pipeline: Program + procedure specifications → Translator → Error conditions → Satisfiability checker → Satisfying assignment → Post-processor → Warning messages (e.g. "Method does not establish postcondition", "Index out of bounds on line 218")
• The translator uses specifications to "translate away" procedure calls.
• The error condition is expressed in first-order logic with theories; it cannot express recursion.
• A warning indicates one of: bad program, bad specification, insufficient specification.
10
Verifun Checker
• "Annotation-free" Extended Static Checker
• Statically check assertions, API usage rules, ...
• No need for annotations
  – no loop invariants
  – no procedure specifications
• Uses an extended logic that can encode recursion
11
Error Condition Logic
• terms t ::= x | f(t)
• constraints c ::= p(t) | r(t)
• formulae e ::= c | ¬c | e ∧ e | e ∨ e | ∃y. e
• theories for equality, linear arithmetic, select+store
• user-defined relation symbols r
• definitions d ::= r(x) :- e
• Query: Given d, is e satisfiable?
• Constraint Logic Programming
  – [Jaffar and Lassez, POPL'87]
  – Efficient implementations!
12
Error Conditions in CLP

```java
int fact(int i) {
  if (i == 0) return 1;
  int t = fact(i-1);
  assert t > 0;
  return i*t;
}

void main() {
  int j = readInt();
  fact(j);
}
```

Tfact(i, r) :- (i = 0 ∧ r = 1) ∨ (i != 0 ∧ Tfact(i-1, t) ∧ t > 0 ∧ r = i*t)
Efact(i) :- i != 0 ∧ (Efact(i-1) ∨ (Tfact(i-1, t) ∧ t <= 0))
Emain() :- Efact(j)

• Transfer relation Tfact(pre-state, post-state) relates pre and post states of executions of fact
• Error relation Efact(pre-state) describes pre-states from which fact may go wrong
• CLP has least fixpoint semantics
• CLP Query: Is Emain() satisfiable?
13
Imperative Software                    Constraint Logic Programming
• Program correctness           ↔      • CLP satisfiability
• Bounded software model checking ↔    • Efficient implementations
                                           – SICStus Prolog (depth-first)
14
Rational Example

```java
class Rational {
  int num, den;

  Rational(int n, int d) { num = n; den = d; }

  int trunc() { return num/den; }

  public static void main(String[] a) {
    int n = readInt(), d = readInt();
    if( d == 0 ) return;
    Rational r = new Rational(d,n);
    for(int i=0; i<10000; i++) {
      print( r.trunc() );
    }
  }
}
```
15
Error Condition for Rational in CLP

```prolog
% Transfer relation of the Rational constructor: allocates a fresh object
% and stores its fields in the arrays that encode num and den.
t_rat(AllocPtr, Num, Den, N, D, This, AllocPtrp, Nump, Denp) :-
    AllocPtrp is AllocPtr+1,
    This = AllocPtrp,
    aset(This, Den, D, Denp),
    aset(This, Num, N, Nump).

% readInt() returns an unconstrained value.
t_readInt(R).

% Error relation of trunc: goes wrong when den is 0.
e_trunc(This, Num, Den) :- aref(This, Den, D), {D = 0}.

% Error relation of the loop: trunc fails in this iteration, or in a later one.
e_loop(I, This, Num, Den) :- e_trunc(This, Num, Den).
e_loop(I, This, Num, Den) :- {I < 10000, Ip = I+1}, e_loop(Ip, This, Num, Den).

% Error relation of main.
e_main :-
    AllocPtr = 0,                 % no objs allocated
    new_array(Num),               % initialise arrays encoding fields Num
    new_array(Den),               % and Den
    t_readInt(D), t_readInt(N), {D =\= 0},
    t_rat(AllocPtr, Num, Den, D, N, This, AllocPtrp, Nump, Denp),
    e_loop(0, This, Nump, Denp).
```
16
Checking Rational with CLP
• Get the error condition, a constraint-logic program
• Feed it into a CLP implementation (SICStus Prolog)
  – explicitly explores all paths through the EC
  – symbolically considers all data values, e.g. for n, d
    • using the theory of linear arithmetic
  – quickly finds that the EC is satisfiable
  – gives a satisfying derivation for the EC
  – can convert it to a program execution trace that crashes with a division-by-zero error
17
Checking Factorial with CLP
• Feed the EC into a CLP implementation (SICStus Prolog)
  – explicitly explores all paths through the EC
  – infinitely many paths
  – all paths are ok
  – CLP implementation diverges!
• Can modify the error condition to bound recursion depth
• Automatic bounded model checking for software
  – efficient symbolic analysis for linear arithmetic, ...
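As an added example (not from the slides), the factorial error condition of slide 12 written as an executable CLP(Q) program, with the recursion-depth bound that slide 17 proposes; the bound argument K, the predicate names and the use of library(clpq) (SWI-Prolog or SICStus) are my assumptions. Without K, the first disjunct of e_fact unfolds forever, which is the divergence slide 17 describes.

```prolog
% Added example, not from the slides: E_fact / T_fact of slide 12 as a
% CLP(Q) program, with a depth bound K (my addition, per slide 17) so that
% depth-first search terminates instead of unfolding E_fact forever.
:- use_module(library(clpq)).

% T_fact(I, R): pre-state i = I, post-state (return value) R,
% using at most K unfoldings of the recursive call.
t_fact(I, R, _) :-
    { I = 0, R = 1 }.                   % if (i == 0) return 1;
t_fact(I, R, K) :-
    K > 0, K1 is K - 1,
    { I =\= 0, I1 = I - 1 },            % else: t = fact(i-1) ...
    t_fact(I1, T, K1),
    { T > 0, R = I * T }.               % assert t > 0 holds; return i*t

% E_fact(I): pre-states from which fact may fail its assertion
% within K unfoldings.
e_fact(I, K) :-
    K > 0, K1 is K - 1,
    { I =\= 0, I1 = I - 1 },
    (   e_fact(I1, K1)                  % the callee itself goes wrong
    ;   t_fact(I1, T, K1), { T =< 0 }   % callee returns, assert t > 0 fails
    ).

% E_main: j = readInt() is unconstrained, so J is a free solver variable.
% ?- e_main(J, 8).   fails: no pre-state reaches a failed assertion,
%                    because every finite derivation returns a positive value.
e_main(J, K) :- e_fact(J, K).
```

If the assertion were weakened to the hypothetical `assert t > 1` (replace `{ T =< 0 }` by `{ T =< 1 }`), `e_main(J, 3)` succeeds with J = 3, and the satisfying derivation is the execution trace main → fact(3) → fact(2) → fact(1), where fact(0) returns 1 and the assertion fails.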
18
Imperative Software                    Constraint Logic Programming
• Program correctness           ↔      • CLP satisfiability
• Bounded software model checking ↔    • Efficient implementations
                                           – SICStus Prolog (depth-first)
                                           – Tableau methods
                                           – Subsumption
• Predicate abstraction &       ↔      • CLP implementation technique
  counter-example driven                   – Avoids considering all paths
  predicate refinement                     – Verifun CLP satisfiability
  – SLAM, BLAST                              checker under development
19
Verifun Architecture
Pipeline: Program (without annotations) → Translator → Error condition (CLP) → Satisfiability Checker for CLP → Satisfying CLP derivation → Post-processor → Error trace
• Uses predicate abstraction and counter-example driven predicate refinement to check satisfiability of the EC, without exploring all paths.
• The error message includes an execution trace that violates the desired correctness property.
20
Unit of Development
• Programmers work on a "unit of development"
• Interfaces between such units must be specified
  – reasonable to make specifications formal
• Use Verifun to check a unit of development with respect to its specification
21
Related Work
• Program checking
  – Stanford Pascal Verifier
  – ESC/M3, ESC/Java
  – SLAM, BLAST
  – (many, many non-EC approaches)
• Automatic theorem proving
  – Simplify, SVC, CVC
• Constraint Logic Programming
  – [Jaffar and Lassez, POPL'87], SICStus Prolog, …
22
Summary
• Deep connection between
  – correctness of imperative programs
    • with pointers, heap allocation, aliasing, ...
  – satisfiability of CLP queries
• Verifun Checker
  – annotation-free extended static checker
  – statically check assertions, API usage rules, ...
  – interprocedural ECs are constraint logic programs
23
The End