1 e. yahav school of computer science tel-aviv university verifying safety properties using...
Post on 18-Dec-2015
218 views
TRANSCRIPT
1
E. YahavSchool of Computer Science
Tel-Aviv University
Verifying Safety Propertiesusing Separation
and Heterogeneous Abstractions
G. RamalingamIBM T.J. Watson Research Center
2
Lightweight Specification"correct usage" rules a client must follow
"call open() before read()"
Certificationdoes the client program satisfy the lightweight specification?
Verification of Safety Properties
Componenta library with cleanly encapsulated state
Clienta program that uses
the library
The Canvas Project (IBM Watson and Tel Aviv)(Component Annotation, Verification and
Stuff)
5
Separation: The Intuition
InputStream ins1 = new InputStream();InputStream ins2 = new InputStream();...
if (?) { ins1.close(); ...}if (?) { ins2.close(); ...}…
Problem: verify that InputStreamsare used correctly: not read after they are closed.Possible states:(1) ins1: open; ins2: open(2) ins1: open; ins2:
closed(3) ins1: closed; ins2: open(4) ins1: closed; ins2:
closed
6
Separation: The Intuition
InputStream ins1 = new InputStream();InputStream ins2 = new InputStream();...
if (?) { ins1.close(); ...}if (?) { ins2.close(); ...}…
Sub-problems:(1)verify that ins1 is used
correctly(2)verify that ins2 is used
correctlyPossible states
(sub-problem 1)
(1)ins1: open
(2)ins1: closed
Possible states(sub-problem 2)(1)ins2: open (2)ins2: closed
7
Separation: The Intuition
Basic idea of separation is not new independent attribute analysis vs. relational
analysis e.g. conventional (compiler) dataflow analyses e.g. ESP (PLDI 2002) exploits separation
8
Our Contribution:Separation + Heap Analysis
Separation for heap analysis integrated with verification• Heterogeneous abstraction for heaps
Separation for first-order safety properties• Separation strategies
• More focused separation• individual object vs. allocation-site
9
Heap (Pointer) Analysis
Dynamic object creation (heap allocation) is the primary source of unbounded program state
Creating a bounded representation of a potentially unbounded heap is a key aspect of program analysis by merging multiple objects into a “summary”
object e.g., merge all objects allocated at same
allocation site into one summary object
10
A Common Approach to Pointer Analysis in Software Verification
Break verification problem into two phases Preprocessing phase – separate points-to analysis
• typically no distinction between objects allocated at same site
Verification phase – verification using points-to results
May lose precision May lose ability to perform strong updates May produce false alarms
Program
Property
Pointer Analysis
VerificationAnalysis
11
Loss of Precision in Two-Phase Approach
f = new InputStream();
f.read();
f.close();
Verify f is not readafter it is closed
Straightforward ...
12
Loss of Precision in Two-Phase Approach
while (?) {
f = new InputStream();
f.read();
f.close();
}
f1f closed
False alarm!“read may be erroneous”
13
The TVLA Approach
TVLA is a flexible (parametric) system for abstract interpretation and verification1. parametric heap (i.e., pointer) analysis
user can specify criterion for merging heap-allocated objects
user can specify criterion for merging shape graphs
2. verification integrated with heap analysis heap analysis (merging criterion) can adapt to
verification
Program
Property
Frontend
First-OrderTransition Sys
AbstractInterpretation
14
while (?) {
f = new InputStream();
f.read();
f.close();
}
The TVLA Approach: An Example
f
closedf
closedf closed
closedf closed closed
…
Concrete States
f
closedf
closedf
Abstract States
17
Outline of Our Approach
Decompose verification problem into a set of subproblems
Adapt abstraction to each subproblem
18
Outline of Our Approach
Decompose verification problem into a set of subproblems• Analysis-user specifies a separation strategy
Adapt abstraction to each subproblem Heterogeneous abstraction
19
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
20
Separation Strategieschoose some i : InputStream()
site[1]
ins1
site[1]
ins2 ins3 ins4
site[1]
ins2
site[1]
ins1 ins3 ins4
site[1]
ins3
site[1]
ins1 ins2 ins4
site[1]
ins4
site[1]
ins1 ins2 ins3
Without separation
site[1]
ins1
site[1]
ins2
site[1]
ins3
site[1]
ins4 ins1
site[1]
ins2 ins3 ins4
Abstraction 1 (expensive) Abstraction 2 (imprecise)
Abstract state after creation of all four InputStream: (with separation)
21
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
closedsite[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
site[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
…
…
site[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
closedsite[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
…
closedsite[1]
ins1
closedsite[1]
ins2
closedsite[1]
ins3
site[1]
ins4ins
…
…
…
22
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
closedsite[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
closed = 1/2site[1]
ins2 ins3 ins4
closedsite[1]
ins1
closed=1/2site[1]
ins2 ins3 ins4ins
23
First-Order Safety Properties
Involve multiple correlated objects e.g., JDBC
Problem can be decomposed into sub-problems in several different ways• Different separation granularity• Different efficiency, different precision
...ResultSet rs2 = stmt2.executeQuery(...);...ResultSet minRs2 = stmt2.executeQuery(...)...rs2.next();
24
Example: JDBC SpecificationClass Connection { Set statements; …}class Statement { boolean closed; ResultSet myResultSet; Connection myConnection; Statement(Connection c) { closed = false; myConnection = c; myResultSet = null; } ResultSet executeQuery(String qry) { requires !closed; if (myResultSet != null) myResultSet.closed = true; myResultSet = new ResultSet(this); return myResultSet; } …}
class ResultSet { boolean closed; Statement ownerStmt; ResultSet(Statement s) { closed = false ; ownerStmt = s; } void close() { closed = true; } boolean next() { requires !closed; }}
25
Single Choice Separationchoose some c : Connection()
choose all s : Statement(x) / x == c
choose all r : ResultSet(y) / y == s
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
26
Multiple Choice Separationchoose some c : Connection()
choose some s : Statement(x) / x == c
choose some r : ResultSet(y) / y == s
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
+ 6more
27
Strategy Implementation
separation strategy + program + property compiled into TVLA input using instrumentation predicates details in paper
28
Prototype Implementation
Implemented over TVLAApplied to several example programs
Up to 5000 lines of JavaUsed to verify
Absence of concurrent modification exception (CME)
JDBC API conformance IOStreams API conformance
Improved performanceIn some cases improved precision
30
Analysis Times
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
ISPath
Inpu
tStre
am5
Inpu
tStre
am5b
inputS
tream
6
JDBC E
xample
JDBC E
xample
2db
Kerne
l Ben
chm
ark
1
SQLExe
cuto
r
Benchmark
Tim
e (
se
c)vanilla
single
singlesim
multi
incremental
31
Other Issues
Objects chosen for verificationObjects relevant for verification (for chosen
object) Identified via reachability User hints via separation strategy
32
Related Work
Demand-driven analysis hard for heap analysis
Program slicing an approach to demand-driven analysis simple slicing can be an effective optimization precise slicing (for heap) is hard
Client-driven pointer analysis (Guyer & Lin, SAS 2003)
Counter-example guided abstraction refinement
33
Verification: Recent Work
ESC/Modula-3, ESC/Java (CC ’98, ...)MC (OSDI 2000, ...)Bandera (ICSE 2000, ...)SLAM (SPIN 2001, ...)Vault (PLDI 2001, ...)BLAST (POPL 2002, ...)ESP (PLDI 2002, ...)Foster, Terauchi and Aiken (PLDI 2002, ...) ... several others ...
34
Some tasks are best done by machine,while others are best done by human insight;
and a properly designed system will find the right balance.
D. Knuth
The End
It is of highest importance ... to be able to recognizeout of a number of facts which are incidental
and which vital... Otherwise your energy and attentionmust be dissipated instead of being concentrated.
Arthur Conan Doyle