![Page 1: Soundness and Completeness of the NRB verification logic (OpenCert 2013)](https://reader034.vdocuments.site/reader034/viewer/2022052600/5577b531d8b42a1c068b467f/html5/thumbnails/1.jpg)
Soundness and Completeness of the NRB verification logic
Peter T. Breuer, University of Birmingham, UK
Simon J. Pickin, Universidad Complutense de Madrid, Spain
Static Analysis of Linux kernel
● NRB logic used in static analysis of the Linux kernel (LK)
– Found 'sleep-under-spinlock' deadlocks
● Proved no more exist than those found
– v2.6 linux kernel
– Million LOC barrier broken in 2006
● Suitable for distributed computation
– Certification on the 'open' model
● Many contributions, repeated at will
● Confidence because a false result will be found
Who guarantees the guarantor?
● Logic provides guarantees for an analysis
● Satisfy obligation to guarantee the logic
Idea of the logic
[Diagram: the sequence a;b, with precondition {p} before a, the normal exit of a feeding b under {q}, the normal exit of b under {r}, and error exits from both a and b labelled {s}]
Sequence a;b can either error in a with s, or complete a normally with q. Code b can either error with s or complete normally with r.
{p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}
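The rule above, run on a toy model as an added example that is not part of the paper: a state counts the spinlocks held, a command maps a state to a set of (outcome, state) pairs with outcome N for normal exit and E for error exit, and the triple {p} c {Es ∨ Nq} is checked by enumerating a finite state space. The command names spin_lock, spin_unlock and sleep and their semantics (including the nesting bound MAX_DEPTH) are constructed assumptions, not the paper's formal model. The block goes beyond the slide by checking the sequence rule exhaustively for every command pair and every choice of p, q, r, s from a small family of predicates.

```python
# Added example (not from the paper): a finite-state model for the NRB sequence rule.
# A state counts the spinlocks held; a command maps a state to a set of
# (outcome, state) pairs, outcome "N" for normal exit and "E" for error exit.
# The command semantics below are a constructed toy model, not the paper's.
from typing import Callable, Iterable, Set, Tuple

State = int
Outcome = Tuple[str, State]
Cmd = Callable[[State], Set[Outcome]]
Pred = Callable[[State], bool]

MAX_DEPTH = 3                  # nesting bound keeps the state space finite (constructed)
STATES = range(MAX_DEPTH + 1)  # 0..3 spinlocks held; every command stays inside this range

def spin_lock(s: State) -> Set[Outcome]:
    # nesting beyond MAX_DEPTH is modelled as an error exit
    return {("N", s + 1)} if s < MAX_DEPTH else {("E", s)}

def spin_unlock(s: State) -> Set[Outcome]:
    # releasing a lock that is not held is an error exit
    return {("N", s - 1)} if s > 0 else {("E", s)}

def sleep(s: State) -> Set[Outcome]:
    # sleeping while any spinlock is held is the 'sleep-under-spinlock' breach
    return {("N", s)} if s == 0 else {("E", s)}

def seq(a: Cmd, b: Cmd) -> Cmd:
    """Semantics of a;b: an error exit of a is final, a normal exit of a runs b."""
    def run(s: State) -> Set[Outcome]:
        out: Set[Outcome] = set()
        for o, t in a(s):
            out |= {(o, t)} if o == "E" else b(t)
        return out
    return run

def holds(p: Pred, cmd: Cmd, e_post: Pred, n_post: Pred, states: Iterable[State]) -> bool:
    """Model-check the NRB triple {p} cmd {E e_post ∨ N n_post}: from every p-state,
    each error exit satisfies e_post and each normal exit satisfies n_post."""
    return all((e_post if o == "E" else n_post)(t)
               for s in states if p(s) for o, t in cmd(s))

def sequence_rule_sound(p: Pred, q: Pred, r: Pred, s_err: Pred,
                        a: Cmd, b: Cmd, states: Iterable[State]) -> bool:
    """Instance of the rule {p}a{Es ∨ Nq} ∧ {q}b{Es ∨ Nr} ⇒ {p}a;b{Es ∨ Nr}.
    False only when both premises hold in the model and the conclusion does not."""
    premises = holds(p, a, s_err, q, states) and holds(q, b, s_err, r, states)
    return (not premises) or holds(p, seq(a, b), s_err, r, states)

def rule_sound_over_model() -> bool:
    """Exhaustive check of the rule for every command pair and every choice of
    p, q, r, s from the predicates s==k, s>=k, True and False over STATES."""
    preds = [lambda s, k=k: s == k for k in STATES]
    preds += [lambda s, k=k: s >= k for k in STATES]
    preds += [lambda s: True, lambda s: False]
    cmds = [spin_lock, spin_unlock, sleep]
    return all(sequence_rule_sound(p, q, r, e, a, b, STATES)
               for a in cmds for b in cmds
               for p in preds for q in preds for r in preds for e in preds)

def lock_then_sleep_errors() -> bool:
    """{locks == 0} spin_lock; sleep {E(locks >= 1) ∨ N(False)}: no normal exit exists."""
    return holds(lambda s: s == 0, seq(spin_lock, sleep),
                 lambda s: s >= 1, lambda s: False, STATES)

def lock_unlock_sleep_safe() -> bool:
    """{locks == 0} spin_lock; spin_unlock; sleep {E(False) ∨ N(locks == 0)}: no error exit."""
    prog = seq(seq(spin_lock, spin_unlock), sleep)
    return holds(lambda s: s == 0, prog, lambda s: False, lambda s: s == 0, STATES)

if __name__ == "__main__":
    print("rule sound over toy model:", rule_sound_over_model())
    print("lock;sleep always errors:", lock_then_sleep_errors())
    print("lock;unlock;sleep is safe:", lock_unlock_sleep_safe())
```

The rule is sound in this model for the reason the slide gives: seq passes an error exit of a through unchanged, so it is covered by the Es part of the first premise, and hands only normal exits of a, which satisfy q, on to b, where the second premise applies. The exhaustive check relies on the state space being closed under every command; without the nesting bound, a normal exit of a could land on a state at which the second premise was never checked.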
NRB: Strengths and Weaknesses
● Excellent at following control flow
– Classical program logics don't really do gotos
● Poor at understanding data (following pointers)
– Uses events on traces instead
● Approximate (from above)
– Gives false alarms for possible breaches of safety conditions
– Does not miss any real alarms
Technical foundations
● That's what this paper provides for NRB!
– Soundness
  ● An easily comprehensible model in terms of transitions between states
    – If you disagree with it you can see why you do
  ● Axioms of logic are true in the model
– Completeness
  ● Logic is sufficient
  ● Shows anything shown by model-checking
    – Symbolic reasoning misses nothing
Completeness & Approximation
● The logic is approximate yet complete?
– Model of code contains more transitions than reality
– Logic is complete with respect to model
● If logic says breach of safety condition impossible
– Model has no transitions breaching condition
– So in reality, condition is never breached in program
Distributed calculation
● Static analysis with NRB is split up
– Function and sub-function units
– Results stored in a decorated syntax tree
– Sub-problem data fully recoverable from tree
● Each sub-calculation checkable by any observer
– 'Accountable'
Accountability
● Category-theoretic definition
– Calculation tree can be partially stripped down and partially redone in any order (and each partial result will be the same).
● Even a category-theoretic result ...
– Definition means there is a pre-inverse map to the map forgetting everything about the calculation tree except the ordering between pairs of subtrees: (p1,p2) ≤ (p3,p4) ⇔ p1 ≤ p2, p3 ≤ p4
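A decorated syntax tree with the strip-and-redo and observer-check properties of the two preceding slides (Distributed calculation and Accountability), as an added example that is not part of the paper. Each node stores its own sub-result, here the whole transition relation of its subtree over a finite state space, so a node's result depends only on its children's stored results: a subtree can be stripped and redone on its own, and any observer can re-check a single node without redoing the rest. The states and the command names spin_lock, spin_unlock and sleep are the same constructed toy model as in the sequence-rule example, not the paper's own calculation tree.

```python
# Added example (not from the paper): a decorated syntax tree for sequences of
# commands, where every node stores its own sub-result. The stored result is the
# transition relation of the subtree over a finite state space, so it depends only
# on the children's stored results. States count spinlocks held; the command
# semantics are a constructed toy model, not the paper's.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

State = int
Rel = FrozenSet[Tuple[State, str, State]]   # (start, outcome, end); outcome "N" or "E"
MAX_DEPTH = 3                                # nesting bound keeps the state space finite
STATES = range(MAX_DEPTH + 1)

def step(cmd: str, s: State) -> Tuple[str, State]:
    """Toy semantics of a single command on a single state (constructed)."""
    if cmd == "spin_lock":
        return ("N", s + 1) if s < MAX_DEPTH else ("E", s)
    if cmd == "spin_unlock":
        return ("N", s - 1) if s > 0 else ("E", s)
    if cmd == "sleep":   # sleeping under a held spinlock is the safety breach
        return ("N", s) if s == 0 else ("E", s)
    raise ValueError(f"unknown command {cmd!r}")

@dataclass
class Node:
    cmd: Optional[str] = None                # leaf command; None for an a;b node
    kids: List["Node"] = field(default_factory=list)
    result: Optional[Rel] = None             # the decoration; None once stripped

def leaf(cmd: str) -> Node:
    return Node(cmd=cmd)

def seq_node(a: Node, b: Node) -> Node:
    return Node(kids=[a, b])

def local_result(node: Node) -> Rel:
    """A node's result from its children's *stored* results only. This is the unit
    of work an observer can re-check without redoing anything else in the tree."""
    if node.cmd is not None:
        return frozenset((s, *step(node.cmd, s)) for s in STATES)
    a, b = node.kids[0].result, node.kids[1].result
    if a is None or b is None:
        raise ValueError("children must be decorated first")
    errs = {(s, o, t) for (s, o, t) in a if o == "E"}          # error exit of a is final
    cont = {(s, o2, u) for (s, o, t) in a if o == "N"          # normal exit of a runs b
            for (t2, o2, u) in b if t2 == t}
    return frozenset(errs | cont)

def redo(node: Node) -> Rel:
    """Fill in missing decorations bottom-up; subtrees already decorated are kept."""
    if node.result is None:
        for k in node.kids:
            redo(k)
        node.result = local_result(node)
    return node.result

def strip(node: Node) -> None:
    """Forget the decorations of this subtree. Ancestors keep theirs: the
    calculation is deterministic, so redoing the subtree reproduces the same result."""
    node.result = None
    for k in node.kids:
        strip(k)

def audit(node: Node, path: str = "root") -> List[str]:
    """Observer's check: the paths of every node whose stored result is missing or
    not what its children's stored results imply. Each node is checked on its own."""
    bad: List[str] = []
    for i, k in enumerate(node.kids):
        bad += audit(k, f"{path}/{i}")
    kids_ok = all(k.result is not None for k in node.kids)
    if node.result is None or not kids_ok or node.result != local_result(node):
        bad.append(path)
    return bad

def build() -> Node:
    """Constructed program: (spin_lock; spin_unlock); sleep."""
    return seq_node(seq_node(leaf("spin_lock"), leaf("spin_unlock")), leaf("sleep"))

def strip_and_redo_is_stable() -> bool:
    """Strip one subtree, redo only that subtree, and compare with the original."""
    tree = build()
    whole = redo(tree)
    sub_before = tree.kids[0].result
    strip(tree.kids[0])
    redo(tree.kids[0])                      # redone in isolation, ancestors untouched
    return tree.kids[0].result == sub_before and audit(tree) == [] and redo(tree) == whole

def tampering_is_detected() -> List[str]:
    """A wrong sub-result claimed for (spin_lock; spin_unlock) is caught by the audit,
    together with the ancestor whose stored result no longer follows from its children."""
    tree = build()
    redo(tree)
    tree.kids[0].result = frozenset()
    return audit(tree)

if __name__ == "__main__":
    print(sorted(redo(build())))
    print(strip_and_redo_is_stable(), tampering_is_detected())
```

The audit never recomputes the whole tree; it compares each node's stored result against one local step from its children, which is what lets an arbitrary observer check one sub-calculation in isolation. Because the stored results are deterministic functions of the subtree, a stripped subtree redone later (in any order of its own nodes) reproduces the same decoration, and its ancestors need no change.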
Conclusion
● NRB is a logic used in the past for massive static analysis of the Linux kernel
● Gives guarantees on the safety of code
● This paper gives technical guarantees on the reliability and reach of the logic