abstraction and modular reasoning for the verification of software
DESCRIPTION
Abstraction and Modular Reasoning for the Verification of Software. Corina Pasareanu NASA Ames Research Center. Outline. Bandera Project (Kansas Sate University): Tool Support for Program Abstraction and Abstract Counter-example Analysis (joint work with the Bandera team) NASA Ames Projects: - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/1.jpg)
Abstraction and Modular Reasoning Abstraction and Modular Reasoning for the Verification of Softwarefor the Verification of Software
Corina Pasareanu
NASA Ames Research Center
![Page 2: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/2.jpg)
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis (joint work with the Bandera team)
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking (joint work with Willem Visser)– Assumption Generation for Component Verification
(joint work with Dimitra Giannakopoulou and Howard Barringer)
![Page 3: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/3.jpg)
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking – Assumption Generation for Component Verification
![Page 4: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/4.jpg)
Finite-state VerificationFinite-state Verification
OKFinite-state system
Specification
Verification tool
or
Error trace
Line 5: …Line 12: …Line 15:…Line 21:…Line 25:…Line 27:… …Line 41:…Line 47:…
![Page 5: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/5.jpg)
Finite-State VerificationFinite-State Verification
Effective for analyzing properties of hardware systems
Widespread success and adoption in industry
Recent years have seen many efforts to apply those techniques to software
Limited success due to the enormous state spaces associated with most software systems
![Page 6: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/6.jpg)
Abstraction: the key to scaling upAbstraction: the key to scaling up
Originalsystem
symbolic state
Abstract system
represents a set of states
abstraction
Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system
![Page 7: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/7.jpg)
Goals of our work …Goals of our work …
Develop multiple forms of tool support for abstraction that is…
… applicable to program source code… largely automated… usable by non-experts
Evaluate the effectiveness of this tool support through…
… implementation in the Bandera toolset… application to real multi-threaded Java programs
![Page 8: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/8.jpg)
Data Type AbstractionData Type Abstraction
int x = 0;if (x == 0) x = x + 1;
Data domains
(n<0) : NEG(n==0): ZERO(n>0) : POS
Signs
NEG POSZERO
int
Code
Signs x = ZERO;if (Signs.eq(x,ZERO)) x = Signs.add(x,POS);
Collapses data domains via abstract interpretation:
![Page 9: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/9.jpg)
Abstraction in BanderaAbstraction in Bandera
AbstractionLibrary
VariableConcrete Type
Abstract Type
Inferred Type
Object
xydonecount
ob
intintbool
Buffer
int….
SignsSignsSigns
intbool
….PointBuffer
Program Abstract CodeGenerator
AbstractedProgram
BASLCompiler
BanderaAbstractionSpecificationLanguage
AbstractionDefinition
PVS
![Page 10: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/10.jpg)
Definition of Abstractions in BASLDefinition of Abstractions in BASLabstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };
abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end
operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_) -> {NEG,ZERO,POS}; /* case (POS,NEG),(NEG,POS) */ end
AutomaticGeneration
Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)
Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)
Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)
Proof obligations submitted to PVS...
Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}
![Page 11: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/11.jpg)
Compiling BASL DefinitionsCompiling BASL Definitions
abstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };
abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end
operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end
public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abs(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; }
public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ }
Compiled
![Page 12: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/12.jpg)
Abstract Counter-example AnalysisAbstract Counter-example Analysis
Example:x = -2; if(x + 2 == 0) then ...x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then ... {NEG,ZERO,POS}
For an abstracted program, a counter-example may be infeasible because:– Over-approximation introduced by abstraction
![Page 13: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/13.jpg)
Our SolutionsOur Solutions
Choice-bounded State Space Search– “on-the-fly”, during model checking
Abstract Counter-example Guided Concrete Simulation
– Exploit implementations of abstractions for Java programs
– Effective in practice– Implemented in Java PathFinder tool
![Page 14: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/14.jpg)
““Choose”-free state space searchChoose”-free state space search
Theorem [Saidi:SAS’00] Every path in the abstracted program where all
assignments are deterministic is a path in the concrete program.
Bias the model checker– to look only at paths that do not include
instructions that introduce non-determinism JPF model checker modified
– to detect non-deterministic choice (i.e. calls to Bandera.choose()); backtrack from those points
![Page 15: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/15.jpg)
Choice-bounded SearchChoice-bounded Search
choose()
XX
Detectable ViolationUndetectable Violation
State space searched
![Page 16: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/16.jpg)
Case Study: DEOS Kernel (NASA Ames)Case Study: DEOS Kernel (NASA Ames) Honeywell Dynamic Enforcement Operating System (DEOS)
– A real time operating system for integrated modular avionics
– Non-trivial concurrent program (1433 lines of code, 20 classes, 6 threads)
– Written in C++, translated into Java and Promela
– With a known bug Verification of the system exhausted 4 Gigabytes of memory without
completion; abstraction needed
Abstracted using data type abstraction Checked using JPF and SPIN Defect detected using choice-bounded search
![Page 17: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/17.jpg)
Conclusion and Future Research DirectionsConclusion and Future Research Directions
Tool support for abstraction enables verification of real properties of real programs
Extend abstraction support for objects– Heap abstractions to handle an unbounded
number of dynamically allocated objects– Handle recursive procedures, unbounded
number of processes Extend automation
– For selection and refinement based on counter-example analysis
![Page 18: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/18.jpg)
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking – Assumption Generation for Component Verification
![Page 19: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/19.jpg)
Java Path Finder (NASA Ames)Java Path Finder (NASA Ames)
Model checker for Java programs Built on top of a custom made Java Virtual
Machine Checks for deadlock and violation of
assertions; LTL properties Support for abstraction:
– Predicate abstraction– Bandera’s data abstraction
Heuristic search
![Page 20: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/20.jpg)
Symbolic ExecutionSymbolic Execution
void test(int n){[1] if (n > 0) {[2] n = n + 1;[3] if (n < 3)[4] ... }[5] ... }
Code
Uses “symbolic names” to represent program inputs
1n:SPC:true
3n:S+1PC:S>0
2n:SPC:S>0 5
n:SPC:S<=0
...
5n:S+1PC:S>0 & S+1>=34
n:S+1PC:S>0 & S+1<3
... ...
Symbolic execution tree(PC=“path condition”)
![Page 21: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/21.jpg)
Symbolic Execution and JPF: ApplicationsSymbolic Execution and JPF: Applications
Extends JPF with a new form of abstraction
Test case generationAbstract counter-example analysis
and refinementSymbolic execution of multithreaded
programsParameter synthesis …
![Page 22: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/22.jpg)
Implementation in JPFImplementation in JPF
Easy:– Uses Bandera’s type abstraction– Uses Omega library (Java version)
• Manipulates sets of linear constraints over integer variables
Can be used as a “symbolic execution tool with backtracking”
Good for finding counter-examples No state matching!
![Page 23: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/23.jpg)
(Possible) Implementation(Possible) Implementation
void test(int n) { if (n > 0) { n = n + 1; ... }
public class SymVal { public SymVal() { ... } public SymVal(int n) { ... } public SymVal(SymVal s1, SymVal s2,
String ops) { ... } ... }
public class SymOps { public SymVal add(SymVal s1, SymVal s2){ return new SymVal(s1,s2,’+’); }
public bool gt(SymVal s1, SymVal s2) { bool result = Verify.chooseBool(); if(result) { // “true”
PC.addCondition(s1,s2,’>’); } else { // “false”
PC.addCondition(s1,s2,’<=‘); } PC.simplify(); return result; } ... }
Code
PathCondition PC; // =“true”
void test(SymVal n) { n = new SymVal(); if(SymOps.gt(n,new SymVal(0)){ n=SymOps.add(n,new SymVal(1)); ... }
![Page 24: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/24.jpg)
Problem: ConvergenceProblem: Convergence
Symbolic execution tree
void test(int n) {[1] int x = 0;[2] while(x < n)[3] x = x + 1;[4] }
Code1
n:SPC:true
2n:S,x:0PC:true
2n:S,x:1PC:0<S
4n:S,x:1PC:0<S & 1>=S3
n:S,x:1PC:0<S & 1<S
3n:S,x:0PC:0<S 4
n:S,x:0PC:0>=S
....
![Page 25: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/25.jpg)
Problem: ConvergenceProblem: Convergence
Limit the search depth of MC Unwind loops a fixed number of times
(similar to Bounded MC?) Discover “simple and practical” widening
techniques Acceleration techniques Heuristics? Combine with “predicate abstraction” …
Solutions?
![Page 26: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/26.jpg)
Relation to Bounded MCRelation to Bounded MC
Extend BMC with symbolic variables?
Widening for C programs?…
![Page 27: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/27.jpg)
OutlineOutline
Bandera Project (Kansas Sate University):– Tool Support for Program Abstraction and Abstract
Counter-example Analysis
NASA Ames Projects:– Combining Symbolic Execution with (Explicit State)
Model Checking– Assumption Generation for Component Verification
![Page 28: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/28.jpg)
Assumption Generation for Component VerificationAssumption Generation for Component Verification
Problem:
Component Environment
Property ? Environment Assumption ?
The “weakest” assumption A for component C: for all environments E,
E |= A E || C |= P
![Page 29: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/29.jpg)
ApplicationsApplications
Support for modular verification– Compositional verification– Property decomposition
Run-time monitoring of the environment
Component retrievalSub-module construction …
![Page 30: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/30.jpg)
ImplementationImplementation
In Labeled Transition Systems Analyzer (LTSA) tool - Imperial college– Supports compositional reachability analysis
based on software architecture– Incremental system design and verification:
• Component abstraction (hiding of internal actions)• Minimization wrt. observational equivalence
– Both components and properties expressed as labeled transition systems
![Page 31: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/31.jpg)
Interface actions
E.acquire
E.release
W.acquire
W.acquire
Mutex:
Example: A System and A PropertyExample: A System and A Property
W.acquire
W.release
W.enterCS
W.exitCS
Writer:
E.enterCS
E.exitCS
W.enterCS
W.exitCS
Mutual Exclusion Property:
||
W.enterCS
E.enterCS
E.exitCS
W.exitCS
E.exitCS
W.enterCS
W.exitCS
E.enterCS
||
![Page 32: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/32.jpg)
Assumption GenerationAssumption Generation
Step 1: composition, hiding of internal actions and minimization
Step 2: backward reachability
with error state
Step 3: property extraction
(sub-set construction
and completion)
Property true!
(all environments)
Property false!
(all environments)
Assumption
![Page 33: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/33.jpg)
Composite SystemComposite System
E.enterCS
E.exitCS
E.acquire
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.enterCS
E.release
![Page 34: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/34.jpg)
Backward Error Propagation (with Backward Error Propagation (with ))
E.enterCS
E.exitCS
E.acquire
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.enterCS
E.release
![Page 35: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/35.jpg)
Backward Error Propagation (with Backward Error Propagation (with ))
E.enterCS
E.release
E.exitCS
E.release
E.enterCS
E.exitCS
E.exitCS
E.enterCS
E.enterCS
E.release
![Page 36: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/36.jpg)
Property ExtractionProperty Extraction
E.acquire
E.release
E.enterCS
E.exitCS
E.enterCS
E.release
E.exitCSE.enterCS
E.exitCS
E.acquire
E.release E.acquire
E.acquire, E.release
E.enterCS, E.exitCS
![Page 37: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/37.jpg)
Generated AssumptionGenerated Assumption
E.acquire
E.release
E.enterCS
E.exitCS
E.acquire
E.release E.acquire
E.acquire, E.release
E.enterCS, E.exitCS
![Page 38: Abstraction and Modular Reasoning for the Verification of Software](https://reader035.vdocuments.site/reader035/viewer/2022062409/5681501f550346895dbe03d3/html5/thumbnails/38.jpg)
Directions for Future WorkDirections for Future Work
Liveness /fairnessExtend to other frameworks
– LTL checking (since we are interested only in error behaviors)
Is the sub-set construction needed?Study other forms of composition …