Thomas Ball, Sriram K. Rajamani
http://research.microsoft.com/slam/
http://msrweb/slam

Checking API Usage

Application
API: C lib | DLL | COM | …
Does an application follow the “proper usage” rules of an API?

One Application: W2k Device Drivers

Device Driver
IO Manager API
NT Kernel
Does a device driver acquire and release spin locks properly?

Device Drivers and SLAM

Device Driver
API Rules (SLIC)
IO Manager Interface

State Machine for Locking

States: Unlocked, Locked, Error
Transitions: Unlocked --L--> Locked, Locked --U--> Unlocked, Unlocked --U--> Error, Locked --L--> Error
(L = Lock.call, U = UnLock.call)

```
state {
  int locked = 0;
}
Lock.call {
  if (locked == 1) abort;
  else locked = 1;
}
UnLock.call {
  if (locked == 0) abort;
  else locked = 0;
}
```

Demo

State Machine for IRP Handling

States: init, pending, complete, Error
Transitions:
init --IoMarkIrpPending--> pending
init --IoCompleteRequest--> complete
pending --return: status != STATUS_PENDING--> Error
complete --return: status == STATUS_PENDING--> Error

IRP Complete/Pending Rule

```
state {
  enum {Init, Complete, Pending} s = Init;
}
IoCompleteRequest.call {
  if (s != Init) abort;
  else s = Complete;
}
IoMarkIrpPending.call {
  if (s != Init) abort;
  else s = Pending;
}
Dispatch.exit {
  if (s == Complete) {
    if ($return == STATUS_PENDING) abort;
  } else if (s == Pending) {
    if ($return != STATUS_PENDING) abort;
  }
}
```

Goal: run the state machine through all paths in the program
Problem: too many paths!
Solution: state-based search
Problem: false alarms!
Solution: better abstraction

False alarm

```
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++;
  }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
```

The abstraction knows nothing about the relation between nPackets and nPacketsOld, so it explores the loop exiting right after the release inside the if (a double release) and the loop repeating when the if was not taken (a double acquire); neither path is feasible in the C program.

False alarm: abstraction refined with the boolean variable b (the predicate nPacketsOld == nPackets)

```
do {
  KeAcquireSpinLock();
  nPacketsOld = nPackets; b := true;
  if (request) {
    request = request->Next;
    KeReleaseSpinLock();
    nPackets++; b := b ? false : *;
  }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock();
```

The loop condition is now !b: the loop repeats only when b is false (after nPackets++) and exits only when b is true, which removes both spurious paths.
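The state-based search and the effect of the better abstraction, as an added example that is not part of the original slides: a Python reachability check over the boolean program above, with the SLIC locking rule as the monitor. The program-counter layout, the untracked value None and the function names are assumptions of this example.

```python
# Added example, not SLAM's code: explicit state-based search over the
# boolean-program abstraction of the "false alarm" loop, with the SLIC
# locking rule (locked flag, abort on double acquire/release) as monitor.
# Abstract state = (pc, locked, b); b is None when the predicate
# b == (nPacketsOld == nPackets) is not tracked (the first abstraction).
ERROR = "error"   # the SLIC rule's abort state

def step(state, track_b):
    """Successors of one abstract state under the boolean program."""
    pc, locked, b = state
    if pc == 0:   # KeAcquireSpinLock(): abort if already locked
        return [ERROR] if locked else [(1, 1, b)]
    if pc == 1:   # nPacketsOld = nPackets;  b := true
        return [(2, locked, True if track_b else None)]
    if pc == 2:   # if (request): request is abstracted away, both branches
        return [(3, locked, b), (5, locked, b)]
    if pc == 3:   # request = request->Next; KeReleaseSpinLock()
        return [ERROR] if not locked else [(4, 0, b)]
    if pc == 4:   # nPackets++;  b := b ? false : *
        if not track_b:
            return [(5, locked, None)]
        return [(5, locked, False)] if b else [(5, locked, True), (5, locked, False)]
    if pc == 5:   # while (nPackets != nPacketsOld), i.e. loop again iff !b
        if b is None:                      # untracked: both branches feasible
            return [(0, locked, b), (6, locked, b)]
        return [(6, locked, b)] if b else [(0, locked, b)]
    if pc == 6:   # KeReleaseSpinLock() after the loop
        return [ERROR] if not locked else [(7, 0, b)]
    return []     # pc 7: end of the fragment

def reachable_error(track_b):
    """Worklist reachability from the initial state (pc 0, unlocked)."""
    init = (0, 0, None)
    seen, work = {init}, [init]
    while work:
        s = work.pop()
        for t in step(s, track_b):
            if t == ERROR:
                return True
            if t not in seen:
                seen.add(t)
                work.append(t)
    return False

if __name__ == "__main__":
    print("without b:", reachable_error(False))   # True: the false alarm
    print("with b   :", reachable_error(True))    # False: refined away
```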

Tool flow:
SLIC spec. + C program
  -> GOLF: CFG + VFG
  -> c2bp (with the current predicates): Boolean program
  -> bebop: Pass, or Fail with path p
  -> newton (on Fail, p): either new predicates, fed back to c2bp, or a feasible error path shown in the Error GUI

Key Ideas

Inexpensive whole program analysis (GOLF)
Local abstraction step to produce an abstraction for the property of interest (c2bp)
State-based search on the abstraction (bebop)
Automated refinement of abstractions (newton)

Bebop

Performs reachability analysis of boolean programs
Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis
Explicit representation of control flow
Implicit representation of reachable states via BDDs
Complexity of algorithm is O(E · 2^n)
E = size of interprocedural control flow graph
n = max. number of variables in the scope of any label

c2bp: Automatic Predicate Abstraction of C

What is the predicate language? Pure C boolean expressions
Input: a C program P and a set of predicates E
Output: a boolean program c2bp(P,E) that is
  a sound abstraction of P
  a precise abstraction of P
Difficulties: procedures, pointers

C2bp Philosophy

Computing a precise Boolean abstraction is too expensive, and unnecessary for C (deterministic concrete semantics)
Exploit ideas from program analysis and symbolic model checking:
  Off-line computation of abstract transfer function
  Attribute (predicate) independence
  Disjunctive completion
  Focus operation
  Static partitioning of states by control points
  Implicit representation of stack in boolean program

c2bp(P,E)

Statement in P: s : nPackets = nPackets + 1;
Predicates in E: e : (nPacketsOld == nPackets)
Weakest precondition: pre(s,e): nPacketsOld == nPackets + 1
Strengthened WP: F(pre(s,e)): false

c2bp(P,E)

Statement in P: s : nPackets = nPackets + 1;
Predicates in E: e : (nPacketsOld == nPackets)
Weakest precondition: pre(s,!e): !(nPacketsOld == nPackets + 1)
Strengthened WP: F(pre(s,!e)): e

c2bp(P,E)

bool choose(bool pos, bool neg) =
  true if pos = true
  false if neg = true
  * if pos = neg = false
choose is not well defined for pos = neg = true

In general, given statement s and predicates {e1, …, en}:
{e1}, …, {en} := choose(F(pre(s,e1)), F(pre(s,!e1))), …, choose(F(pre(s,en)), F(pre(s,!en)));
Cost: O(2n · 2^n) theorem prover queries in general; O(2n · n^c) when the cubes considered by F are bounded to length c
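The c2bp computation on the slide's own instance, as an added example that is not c2bp's code: WP by substitution, the strengthening F as a search over cubes, and choose. An exhaustive check over a small integer domain stands in for the theorem prover; VARS, DOMAIN, the function names and the cube representation are assumptions of this example.

```python
# Added example, not c2bp's code: predicate abstraction of one assignment
# as on the slide (WP, strengthening F, choose).  An exhaustive check of
# implications over a small integer domain stands in for the theorem prover.
from itertools import combinations, product

VARS = ("nPackets", "nPacketsOld")
DOMAIN = range(-3, 4)   # bounded universe standing in for Simplify/Vampyre

def implies(phi, psi):
    """phi => psi for every assignment of VARS drawn from DOMAIN."""
    return all(not phi(env) or psi(env)
               for vals in product(DOMAIN, repeat=len(VARS))
               for env in [dict(zip(VARS, vals))])

def pre(assign, phi):
    """Weakest precondition of `var := rhs` w.r.t. phi, by substitution."""
    var, rhs = assign
    return lambda env: phi({**env, var: rhs(env)})

def strengthen(phi, preds, max_cube=None):
    """F(phi): every cube over preds/negations that implies phi, as tuples of
    (predicate index, polarity).  Bounding the cube length to c is the
    O(2n * n^c) trade-off named on the slide."""
    n = len(preds)
    max_cube = n if max_cube is None else max_cube
    cubes = []
    for k in range(1, max_cube + 1):
        for idx in combinations(range(n), k):
            for pol in product((True, False), repeat=k):
                cube = tuple(zip(idx, pol))
                conj = lambda env, c=cube: all(preds[i](env) == p for i, p in c)
                if implies(conj, phi):
                    cubes.append(cube)
    return cubes

def choose(pos, neg):
    """Boolean-program update: true if pos, false if neg, else * (None)."""
    if pos and neg:
        raise ValueError("choose is not defined for pos = neg = true")
    return True if pos else False if neg else None

def abstract_assignment(assign, preds, abs_state):
    """Map one abstract state (tuple of predicate values) through assign."""
    def holds(cubes):   # truth of the disjunction of cubes in abs_state
        return any(all(abs_state[i] == p for i, p in c) for c in cubes)
    new = []
    for e in preds:
        pos = strengthen(pre(assign, e), preds)
        neg = strengthen(pre(assign, lambda env, e=e: not e(env)), preds)
        new.append(choose(holds(pos), holds(neg)))
    return tuple(new)

# The slide's instance: s : nPackets = nPackets + 1,  e : nPacketsOld == nPackets
S = ("nPackets", lambda env: env["nPackets"] + 1)
E = [lambda env: env["nPacketsOld"] == env["nPackets"]]
NOT_E = lambda env: not E[0](env)
```

With e true before s the update is choose(false, e) = false; with e false it is *, exactly the slide's pair F(pre(s,e)) = false and F(pre(s,!e)) = e.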

WP and pointers

Statement in P: s : *p = *p + 1
Predicates in E: e : (x == 2)
WP(s, e): x == 2 ???

Morris’ Axiom of Assignment

Statement in P: s : *p = *p + 1
Predicates in E: e : (x == 2)
WP(s, e): ((p != &x) and x == 2) or ((p == &x) and x == 1)

WP and pointers

Statement in P: s : *p = *p + 1
Predicates in E: e : (x == 2)
WP(s, e): x == 2, if we can show p can never point to x using points-to analysis

c2bp

Processes one statement at a time: assignments, conditionals, procedure call/return
Computes WP and strengthens it using a theorem prover (Simplify, Vampyre)
Alias queries: one-level flow, flow-insensitive PTA of Das [PLDI’00]

c2bp

Soundness: have to consider aliasing; have to consider side effects of procedure calls [Ball-Majumdar-Millstein-Rajamani PLDI 01] [Ball-Millstein-Rajamani, Tech-report]
Precision: formalized declaratively as an abstract interpretation [Ball-Podelski-Rajamani TACAS 01]

On-line Abstraction: State = Bit Vector

Each abstract step during model checking requires O(2^n) theorem prover queries

On-line Abstraction: Set of States = Single Tri-vector

Each abstract step during model checking requires O(2^n) theorem prover queries

SLAM - Off-line Abstraction: Set of States = Set of Tri-vectors

Each abstract step during model checking requires O(2^n · k) operations, k = O(2^n)
The abstraction is computed once, off-line, by c2bp; the steps are taken by bebop

c2bp

Number of theorem prover calls:
Worst case: O(|P| · 2^|E|)
Practice: O(|P| · |E|^3)

Newton

Symbolically executes an (interprocedural) path in the C program
Checks for path infeasibility using decision procedures
If infeasibility is detected: minimizes the inconsistent conditions, obtains new predicates

Example

```
nPackets = nPacketsOld;
request = devExt->WLHeadVa;
assume(!request);
assume(nPackets != nPacketsOld);
```

Symbolic execution of the path builds the store (numbered symbolic values, with the entries each one depends on in parentheses) and the conditions, one statement at a time:

Store:
(1) nPacketsOld:
(2) nPackets: (1)
(3) devExt:
(4) ->WLHeadVa: (3)
(5) request: (3,4)
Conditions:
! (5)
!= (1,2)

The conditions are inconsistent: (2) is the same symbolic value as (1), so != (1,2) cannot hold. Minimizing the inconsistent conditions drops ! (5) and the store entries only it depends on:

Store:
(1) nPacketsOld:
(2) nPackets: (1)
Conditions:
!= (1,2)

Predicates:
(nPacketsOld == )
(nPackets == )
( != )

Resulting predicate:
(nPacketsOld != nPackets)

Example (2)

```
assume(x > y);
y := y - 1;
assume ( !(x > y));
```

After the path, the store holds the current symbolic value of each variable and the History keeps the overwritten entry for y; both assumes are recorded as conditions over the store entries:

Store:
(1) x :
(3) y : - 1 (2)
Conditions:
> (1,2)
!( > -1 ) (1,3)
History:
(2) y :

The two conditions are inconsistent ((1) > (2) together with !((1) > (2) - 1)); the predicates obtained are:

Predicates:
y ==
y == - 1
x >
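Newton's symbolic execution on Example (2), as an added example that is not Newton's code: a store with History, conditions over symbolic values, an infeasibility check and minimisation of the inconsistent conditions. Exhaustive evaluation over a small range stands in for the decision procedure; the symbol names X0/Y0, the path encoding and the simplified predicate output are assumptions of this example.

```python
# Added example, not Newton's code: symbolic execution of one path as on the
# Newton slides: a store of symbolic values (X0, Y0 are the initial values of
# x and y) with a History of overwritten entries, path conditions, and
# minimisation of an inconsistent condition set.  Exhaustive evaluation over
# a small range stands in for the decision procedure.
import re
from itertools import product

SYMS = ("X0", "Y0")
RANGE = range(-4, 5)

def feasible(conds):
    """True if some assignment of SYMS in RANGE satisfies every condition."""
    for vals in product(RANGE, repeat=len(SYMS)):
        env = dict(zip(SYMS, vals))
        if all(eval(c, {}, env) for c in conds):
            return True
    return False

def substitute(expr, store):
    """Replace program variables in expr by their current symbolic values."""
    return re.sub(r"\b[A-Za-z_]\w*\b", lambda m: store.get(m.group(0), m.group(0)), expr)

def sym_exec(path, store):
    """Run ('assume', cond) / ('assign', 'v := rhs') steps over the store."""
    conds, history = [], []
    for kind, text in path:
        if kind == "assume":
            conds.append(substitute(text, store))
        else:
            var, rhs = (s.strip() for s in text.split(":="))
            history.append((var, store[var]))            # Newton's History
            store = {**store, var: "(" + substitute(rhs, store) + ")"}
    return store, conds, history

def minimise(conds):
    """Drop every condition whose removal leaves the set infeasible."""
    core = list(conds)
    for c in list(core):
        rest = [d for d in core if d is not c]
        if not feasible(rest):
            core = rest
    return core

def newton(path):
    """None if the path is feasible (a real error trace), else new predicates:
    the minimised conditions plus 'var == value' facts for assigned variables."""
    store, conds, history = sym_exec(path, {"x": "X0", "y": "Y0"})
    if feasible(conds):
        return None
    core = minimise(conds)
    assigned = sorted({v for v, _ in history})
    return (core + [f"{v} == {val}" for v, val in history]
            + [f"{v} == {store[v]}" for v in assigned])

# The slide's Example (2): assume(x > y); y := y - 1; assume(!(x > y))
PATH = [("assume", "x > y"), ("assign", "y := y - 1"), ("assume", "not (x > y)")]
```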

Related Work

VCGen based tools: ESC-Java [Leino-Nelson-et al.], Proof-Carrying Code [Lee-Necula], PREfix [Pincus-et al.]
Model checking of software using an abstract model: Bandera [Hatcliff-Dwyer-et al.], FeaVer [Holzmann], FLAVERS [Clarke-Osterweil-et al.], Metal [Engler]
Model checking of software by gaining control over the scheduler: Java Path Finder [Visser-et al.], Verisoft [Godefroid], Java model checker [Stoller]

Related Work: Model checkers

Temporal logic model checking [Clarke-Emerson] [Sifakis] [Vardi-Wolper]
Symbolic model checking: BDDs [Bryant], SMV [McMillan, Clarke]
Model checking of hierarchical FSMs [Alur, Grosu], [Alur, Yannakakis, et al.], [Benedikt, Godefroid, Reps]
Abstract interpretation [Cousot-Cousot]
Program analysis: shape analysis [Sagiv-Reps-Wilhelm]
Predicate abstraction [Graf-Saidi] [Das-Dill-Park]
Dataflow analysis = model checking + abstract interpretation [Steffen-Schmidt]
Counterexample driven refinement [Kurshan, Clarke-Grumberg-Jha-Lu-Veith]
Temporal safety property checking as type checking [DeLine-Fahndrich]
ESP [Das]

Future Directions

New models: boolean programs lack expressivity
The heap: pointer logics, recursive types
Concurrency: predicate abstraction for an Owicki/Gries-style logic?
Scaling: reinvestigate assume/guarantee for software

SLAM Papers

The SLAM process
Automatically Validating Temporal Safety Properties of Interfaces, Thomas Ball, Sriram K. Rajamani, SPIN 2001
The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV 2001
Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report 2000-14

Boolean programs
Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE 2001
Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN 2000

Predicate abstraction of C programs
Automatic Predicate Abstraction of C Programs, Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, PLDI 2001
Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR Technical Report 2001-10
Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001

Concurrency
Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001

Thanks to…

Sagar Chaki (CMU), Rupak Majumdar (UC Berkeley), Todd Millstein (U Washington), Andreas Podelski (MPI), members of the Software Productivity Tools group and PPRC

Summary

Fully automated way to check temporal safety properties of software interfaces
Tools are based on novel ideas: interprocedural dataflow with BDDs (bebop), predicate abstraction of C (c2bp), predicate discovery (newton)
Demonstration on Windows 2000 device drivers

Software Productivity Tools, Microsoft Research
http://research.microsoft.com/slam/
http://msrweb/slam/