software verification with blast

Software Verification Software Verification with Blastwith Blast

Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar,George Necula, Grégoire Sutre, Wes Weimer

UC Berkeley

2

MotivationMotivation

Verification of systems codeLocking disciplinesInterface specifications

Essential for correct operationHigh rate of bugs

Temporal propertiesRequire path-sensitive analysisSwamped by false positives

Really hard to check

3

Model CheckingModel Checking

Doesn’t scale to low level implementations

Can only model check “abstractions”

Requires human intervention …

Abstract – Check – Refine LoopMicrosoft SLAM Project[Clarke et. al. 00], [Saidi 00]

4

Abstract-Check-Refine LoopAbstract-Check-Refine Loop

Abstract

Explanation

YES (Trace)

BUG

Feasible

???

Check

Refine

NO

SAFE

Seed Abstraction

Program

Abstraction

InfeasibleWhy infeasible ?

Is model unsafe ?

5

Model Checking 101Model Checking 101

ERROR STATES

Init

SYSTEM’S STATE SPACE

Keep searching successors until …Hit error states: report “bug” !Add no new successors: report “safe”Could take a long time …

6

Model Checking & AbstractionModel Checking & Abstraction

Problem: Far too many states Iterations don’t terminate !Solution: Abstract …

ERROR STATES

Init

7

ERROR STATES

Init


Problem: Abstraction too coarseSolution: Refine abstraction

Make boxes smaller

8

ERROR STATES

Init


Problem: Abstraction too coarseSolution: Refine abstraction

Make boxes smaller

9

Abstract Only Where RequiredAbstract Only Where Required

ERROR STATES

Abstraction is very expensive Why abstract regions that are never visited ?

Init

Reachable States

On-the-fly abstraction: driven by the search

10

Refine Only Where RequiredRefine Only Where Required

Why be precise everywhere ?Don’t refine error-free regions

ERROR STATES

Init

ERROR FREE

11

Refine Only Where RequiredRefine Only Where Required

Why be precise everywhere ?Don’t refine error-free regions

Different precision for different regions Local Refinement : driven by the search

ERROR STATES

Init

ERROR FREE

12

How to improve How to improve

Abstract only where requiredReachable state space is very sparseConstruct the abstraction on-the-fly

Use greater precision only where requiredDifferent precisions/abstractions for different regionsRefine locally

Reuse work from earlier phasesBatch-oriented ) lose work from previous runsIntegrate the three phases

Exploit control flow structure

13

ExampleExample

Q: Is Error Reachable ?

Example ( ) {1: if (*) { 7: do { got_lock = 0;8: if (*) {9: lock(); got_lock ++; }10: if (got_lock) {11: unlock(); }12: } while (*) ; }2: do { lock(); old = new;3: if (*) {4: unlock(); new ++; }5: } while ( new != old);6: unlock (); return;}

unlock() lock()

lock()

unlock()

14


Example:CFAExample:CFA1

3

lock();

old = new

2 7

[>][>]

4

5

[>]

[>]

unlock()

new++

6

[new==old]

[new!=old]

retunlock()

15


Example:CFAExample:CFA

8

10

9

12

11

7

1

3

2

4

5

6

ret

got_lock=0

[>]

[>]

lock();

got_lock++

[got_lock == 0]

[got_lock != 0]

unlock()

[>] [>]

16


Q: Is Error Reachable ?


8

10

9

12

11

7

1

3

2

4

5

6

retunlock() lock()

lock()

unlock()

17

Step 1: SearchStep 1: Search

Set of predicates:

LOCK=0, LOCK=1

1 LOCK=0

2 LOCK=0

4 LOCK=1

6 LOCK=0

[>]

lock();

old = new

[>]

unlock()

new++

[new==old]

unlock()

8

10

9

12

11

7

1

3

2

4

5

6

ret

5 LOCK=0

3 LOCK=1

Err LOCK=0

18

Q: When can:

Step 2:Step 2: Analyze CounterexampleAnalyze Counterexample

1 LOCK=0

2 LOCK=0

3 LOCK=1

4 LOCK=1

5 LOCK=0

6 LOCK=0

Err LOCK=0

8

10

9

12

11

7

1

3

2

4

5

6

ret

n Errops

States that can = wp( >,ops)

States at node n = Rn

) check:

Rn Æ wp( >,ops) = ? ?

19


1 LOCK=0

2 LOCK=0

3 LOCK=1

4 LOCK=1

5 LOCK=0

6 LOCK=0

Err LOCK=0

lock();

old = new

[>]

unlock();

new++

[new==old]

unlock()

LOCK=0

LOCK=0

LOCK=0 Æ new = old

LOCK=0 Æ new+1 = new

LOCK=1 Æ new+1 = old

LOCK=1 Æ new +1 = old

8

10

9

12

11

7

1

3

2

4

5

6

ret

Rn Æ wp (>,ops) = ? ?

20


1 LOCK=0

2 LOCK=0

3 LOCK=1

4 LOCK=1

5 LOCK=0

6 LOCK=0

Err LOCK=0

lock();

old = new

[>]

unlock();

new++

[new==old]

unlock()

LOCK=0

LOCK=0

LOCK=0 Æ new = old

LOCK=0 Æ new+1 = new

LOCK=1 Æ new+1 = old

LOCK=1 Æ new +1 = old

8

10

9

12

11

7

1

3

2

4

5

6

ret

Track the predicate:

new = old

21

Step 3: Resume searchStep 3: Resume search1LOCK=0

2LOCK=0

4LOCK=1 Æ new = old

lock();

old = new

[>]

unlock()

new++

[new==old]

? 6[new!=old]

2

LOCK=0 Æ : new = old µ LOCK =0

Set of predicates:

LOCK=0, LOCK=1

New predicate:

new = old,

8

10

9

12

11

7

1

3

2

4

5

6

ret

5LOCK=0 Æ : new = old


22

Step 3: Resume searchStep 3: Resume search1LOCK=0

2LOCK=0




? 6 2

LOCK=0 Æ : new = old

[>]

5LOCK=1 Æ new=old

6

[new==old][new!=old]

1

?unlock()

8

10

9

12

11

7

1

3

2

4

5

6

ret

Set of predicates:

LOCK=0, LOCK=1

New predicate:

new = old

retLOCK=0Æ new=old

23



8

10

9

12

11

7

1

3

2

4

5

6

ret

got_lock=0

[>]

[>]

lock();

got_lock++

[got_lock == 0]

[got_lock != 0]

unlock()

[>] [>]

24

Step 4: Search Right BranchStep 4: Search Right Branch1 LOCK=0

[>]

2LOCK=0 7 LOCK=0

[>]

Err

8

10

9

12

11

7

1

3

2

4

5

6

ret

Set of predicates:

LOCK=0, LOCK=1

New predicate: (from trace)

got_lock = 0

25

Leaves Covered (Reuse work)Leaves Covered (Reuse work)1 LOCK=0

2LOCK=0 7 LOCK=0

222

LOCK=0 Æ …

COVERED !

Leaves covered:

Avoid repeating search when paths merge

8

10

9

12

11

7

1

3

2

4

5

6

ret

27

Reachability TreeReachability Tree1LOCK=0

2LOCK=0




? 6 2

5LOCK=1 Æ new=old

6 1

?

retLOCK=0Æ new=old

8

12

7

10

10

11

1211

9

LOCK=0

12

82

LOCK=0 Æ got_lock=0

LOCK=1 Æ got_lock!=0



?

?

28

InvariantsInvariants1LOCK=0

2LOCK=0




? 6 2

5LOCK=1 Æ new=old

6 1

?

retLOCK=0Æ new=old

Regions in the tree are invariants:

Invariant Inv (n) for node n =

Disjunction of all node-n regions in the tree

Inv (5) is:

LOCK=0 Æ : new = old Ç LOCK=1 Æ new=old

Inv (6) is:

LOCK=1 Æ new=old

29

Proof GenerationProof Generation1

3

2

4

5

6

ret

LOCK=0 Æ : new = oldÇ

LOCK=1 Æ new=old [new==old]

[new!=old]

Use the invariants from the tree

Verification Conditions for correctness

1. Pre ) Inv (1)

2. Inv (e) = false for error node e

3. Post (Inv (j), cjk ) ) Inv (k)

These can be formalized as in PCC

1. Inv (1) contains Pre as disjunct

2. Error node not in tree

30

Proof Generation IIProof Generation II1

3

2

4

5

6

ret



[new!=old]

Prove : Post ( Inv (i) , cij ) ) Inv (j)

Use the tree to break the proof:

Post(AÇ B, c) ) D Ç E

becomes:

Post (A,c) ) D and Post (B,c) ) E

Example: Post (Inv (5), new==old) ) Inv (6)

LOCK=1 Æ new=old

Post (LOCK=0 Æ : new=old, new==old) ) LOCK=1Æ new=old

Post(LOCK=1 Æ new=old, new==old) ) LOCK=1 Æ new=old

31

Proof Generation IIProof Generation II1

3

2

4

5

6

ret



[new!=old]

Prove : Post ( Inv (i) , cij ) ) Inv (j)

Use the tree to break the proof:

Post(AÇ B, c) ) D Ç E

becomes:

Post (A,c) ) D and Post (B,c) ) E

But these were computed in the forward search!

Example: Post (Inv (5), new==old) ) Inv (6)

LOCK=1 Æ new=old

false ) LOCK=1Æ new=old

LOCK=1 Æ new=old) LOCK=1 Æ new=old

33

BLASTBLAST

LAZY

ABSTRACTION

Berkeley Lazy Abstraction Software verification Tool10K Lines of OcamlAnalyze Linux/Windows Device Drivers

CIL

(C ! CFA)

REGION

STRUCTURE

BDD Engine

(Boolean ops)

Simplify

(Post#)

Vampyre

(focus)

Proof Gen

(PCC)

34

MPR3

CallDriver

MPRcompletion

synch

not pending returned

SKIP2

IPCCallDriver

Skip returnchild status

DC

Completerequest

returnnot Pend

PPCprop

completion

CallDriver

N/A

no propcompletion

CallDriver

start NP

returnPending

NP

MPR1

MPRcompletion

SKIP2

IPCCallDriver

CallDriver

DC

Completerequest

PPCprop

completion

CallDriver

N?A

no propcompletion

CallDriver

start P Mark Pending

IRP accessible N/A

synch

SKIP1CallDriver

SKIP1Skip

MPR2 MPR1

NP

MPR3

CallDrivernot pending returned

MPR2

synch

From the SLAM project

35

ExperimentsExperiments

Windows Drivers (IRP Spec – 22 states)

Program Lines Predicates Time Proof

floppy.c 17386 62 37 35 min

17386 93 44 21 min 60K

parport.c 61781 193 50 33 min 103K

mouclass.c 17352 57 46 1 min

cdaudio.c 17798 85 45 23 min 156K

kbfiltr.c 12131 54 40 1 min

12131 12 8 10 sec 7K

36

Experiments Experiments : Linux Locking: Linux Locking

Program Lines Predicates Time Proof

ide.c 18131 5 5 4 sec 253

aironet.c 18152 17 11 4 min

aha152x.c 17736 2 2 20 sec

tlan.c 16505 5 4 7 min 405

37

Why Abstract Lazily ?Why Abstract Lazily ?

Reach set is very sparseAbstract on-the-flyOnly the reachable regionRequires very fast post#

Exploit Control-Flow StructureFree partitioning of state spacePartition preds: different abstractionsRefine locally: don’t repeat old work

38

Problems/Future workProblems/Future work

Engineering IssuesProgram analysis Partitioning by partial evaluation

Theory of counterexample driven refinement

for all linear and branching time logics

44

“BLAST! This is why I hate flying!”- Jedi Master Obi-Wan Kenobi in Episode II: Attack of the

Clones, 2002

software verification with blast

Documents