
Automatically Validating Temporal Safety Properties of Interfaces


Presentation Transcript


  1. Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball Sriram K. Rajamani http://research.microsoft.com/slam/

  2. Outline
    • What is SLAM?
    • Show and tell
      • SLAM on Win2000 floppy driver
    • SLAM tools and process
      • Automatic abstraction
      • State-based search
      • Counterexample-driven refinement
    • Discussion
      • Related work
      • Current status of SLAM
      • Future work

  3. Checking API Usage (diagram: an Application calling an API such as a C lib | DLL | COM | …)
    Does an application follow the “proper usage” rules of an API?

  4. Temporal safety properties
    • Something “bad” does not happen
      • E.g. a lock is never released without first being acquired
    • Defined in the 70’s [Lamport][Alpern-Schneider]

  5. One Application: Win2000 Device Drivers (diagram: Device Driver calling the NT Kernel through NTddk.h)
    Does a device driver acquire and release spin locks properly?

  6. Device Drivers and SLAM (diagram: Device Driver, NTddk.h, API Rules)

  7. State Machine For Locking (diagram: states Unlocked, Locked and Error; transition L = acquire takes Unlocked to Locked, U = release takes Locked to Unlocked; U from Unlocked and L from Locked go to Error)

  8. SLIC Locking Property (simplified)

    state { int locked = 0; }

    KeAcquireSpinLock.call {
      if (locked==1) abort;
      else locked = 1;
    }

    KeReleaseSpinLock.call {
      if (locked==0) abort;
      else locked = 0;
    }

  9. Question: Is locking protocol respected?

    do {
      //get the write lock
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if(request && request->status){
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if(request->status > 0){
          irp->IoStatus.Status = STATUS_SUCCESS;
          irp->IoStatus.Information = request->Status;
        } else{
          irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
          irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock(&devExt->writeListLock);

  10. Safety to Reachability

    prog P  +  SLIC spec S  --instrument-->  prog P’

    Program P satisfies specification S  iff  label ERROR is not reachable in P’

  11. Instrumented Driver

    Question: Is locking protocol respected?

    do {
      //get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if(request && request->status){
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if(request->status > 0){
          irp->IoStatus.Status = STATUS_SUCCESS;
          irp->IoStatus.Information = request->Status;
        } else{
          irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
          irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call();
    KeReleaseSpinLock(&devExt->writeListLock);

    int locked = 0;

    void Error_Routine() {
      ERROR: assert(0);
    }

    void KeAcquireSpinLock_call () {
      if (locked==1) Error_Routine();
      else locked = 1;
    }

    void KeReleaseSpinLock_call () {
      if (locked==0) Error_Routine();
      else locked = 0;
    }

    Equivalently: Is label ERROR reachable?

  12. Demo

  13. Outline
    • What is SLAM?
    • Show and tell
      • SLAM on floppy driver
    • SLAM tools and process
      • State-based search
      • Automatic abstraction
      • Counterexample-driven refinement
    • Discussion
      • Related work
      • Current status of SLAM
      • Future work

  14. State-based Search

    do {
      //get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if(request && request->status){
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        ...
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call();
    KeReleaseSpinLock(&devExt->writeListLock);

  15. A Boolean Program Abstraction

    Boolean variable b represents the condition (nPacketsOld == nPackets)
    (the slide annotates each program point with the value of b: !b, b, b, b, b, !b, b)

    do
      //get the write lock
      KeAcquireSpinLock_call();
      b := true;              // npacketsOld = npackets;
      if (*) then
        KeReleaseSpinLock_call();
        if (*) then else fi
        b := b ? false : *;   // npackets++;
      fi
    while ( !b );
    KeReleaseSpinLock_call();
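The state-based search of slides 14 and 15 can be carried out by hand on this small Boolean program. The following program is an added example, not SLAM's or bebop's code: it explores the states (program point, locked, b) of the abstracted loop with a breadth-first search, where `locked` is the SLIC monitor variable of slide 8 and `b` the predicate (nPacketsOld == nPackets). With `track_b == 0` the loop condition is treated as unknown, which is the abstraction before the predicate has been discovered; with `track_b == 1` it is the Boolean program of slide 15. The program-point names and the `(*)` choices are this example's encoding of the slide, not SLAM identifiers.

```c
/* Added example (not SLAM/bebop code): explicit-state reachability search over
 * the Boolean program of slide 15.  A state is (pc, locked, b); ERROR is the
 * label of the instrumented program that the SLIC monitor jumps to. */
#include <stdio.h>
#include <string.h>

enum {
    PC_ACQUIRE = 0,  /* KeAcquireSpinLock_call();                      */
    PC_SET_B,        /* b := true;           // nPacketsOld = nPackets */
    PC_IF,           /* if (*) then ... fi                             */
    PC_RELEASE_IN,   /* KeReleaseSpinLock_call();  (inside the if)     */
    PC_UPDATE_B,     /* b := b ? false : *;  // nPackets++             */
    PC_LOOP_TEST,    /* while (!b)                                     */
    PC_RELEASE_OUT,  /* KeReleaseSpinLock_call();  (after the loop)    */
    PC_END,
    PC_ERROR,        /* label ERROR of the instrumented program        */
    NUM_PC
};

#define NUM_STATES (NUM_PC * 4)
#define STATE(pc, locked, b) ((pc) * 4 + (locked) * 2 + (b))

static int pred[NUM_STATES];     /* predecessor of each reached state */
static int error_state = -1;     /* ERROR state found by the last search */

/* Successors of (pc, locked, b); at most two because every choice is binary. */
static int successors(int pc, int locked, int b, int track_b, int succ[2]) {
    int n = 0;
    switch (pc) {
    case PC_ACQUIRE:     /* monitor: acquiring a held lock aborts */
        succ[n++] = locked ? STATE(PC_ERROR, locked, b) : STATE(PC_SET_B, 1, b);
        break;
    case PC_SET_B:
        succ[n++] = STATE(PC_IF, locked, 1);
        break;
    case PC_IF:          /* if (*): both branches are possible */
        succ[n++] = STATE(PC_RELEASE_IN, locked, b);
        succ[n++] = STATE(PC_LOOP_TEST, locked, b);
        break;
    case PC_RELEASE_IN:  /* monitor: releasing an unheld lock aborts */
        succ[n++] = locked ? STATE(PC_UPDATE_B, 0, b) : STATE(PC_ERROR, locked, b);
        break;
    case PC_UPDATE_B:    /* b := b ? false : *  */
        succ[n++] = STATE(PC_LOOP_TEST, locked, 0);
        if (!b) succ[n++] = STATE(PC_LOOP_TEST, locked, 1);
        break;
    case PC_LOOP_TEST:   /* while (!b); without the predicate the test is (*) */
        if (!track_b || !b) succ[n++] = STATE(PC_ACQUIRE, locked, b);
        if (!track_b ||  b) succ[n++] = STATE(PC_RELEASE_OUT, locked, b);
        break;
    case PC_RELEASE_OUT:
        succ[n++] = locked ? STATE(PC_END, 0, b) : STATE(PC_ERROR, locked, b);
        break;
    default:             /* PC_END and PC_ERROR have no successors */
        break;
    }
    return n;
}

/* Breadth-first search from (PC_ACQUIRE, locked=0, b=0); returns 1 iff ERROR is reachable. */
int error_reachable(int track_b) {
    int queue[NUM_STATES], head = 0, tail = 0, visited[NUM_STATES];
    memset(visited, 0, sizeof visited);
    memset(pred, -1, sizeof pred);
    error_state = -1;
    int init = STATE(PC_ACQUIRE, 0, 0);
    visited[init] = 1;
    queue[tail++] = init;
    while (head < tail) {
        int s = queue[head++], succ[2];
        int n = successors(s / 4, (s / 2) % 2, s % 2, track_b, succ);
        for (int i = 0; i < n; i++) {
            if (visited[succ[i]]) continue;
            visited[succ[i]] = 1;
            pred[succ[i]] = s;
            if (succ[i] / 4 == PC_ERROR) { error_state = succ[i]; return 1; }
            queue[tail++] = succ[i];
        }
    }
    return 0;
}

static const char *pc_name[NUM_PC] = {
    "KeAcquireSpinLock_call()", "b := true", "if (*)", "KeReleaseSpinLock_call()",
    "b := b ? false : *", "while (!b)", "KeReleaseSpinLock_call()", "end", "ERROR" };

/* Prints the path recorded in pred[] from the initial state to error_state. */
static void print_counterexample(void) {
    int path[NUM_STATES], len = 0;
    for (int s = error_state; s != -1; s = pred[s]) path[len++] = s;
    for (int i = len - 1; i >= 0; i--)
        printf("  %-26s locked=%d b=%d\n", pc_name[path[i] / 4], (path[i] / 2) % 2, path[i] % 2);
}

int main(void) {
    printf("without predicate b: ERROR %s\n", error_reachable(0) ? "reachable" : "unreachable");
    print_counterexample();
    printf("with predicate b:    ERROR %s\n", error_reachable(1) ? "reachable" : "unreachable");
    return 0;
}
```

Without the predicate the search reports the path acquire, skip the if, loop back, acquire again, which is the infeasible counterexample that newton refutes (skipping the if leaves nPackets == nPacketsOld, so the loop must exit); with b tracked, ERROR is unreachable and the locking rule is proved for the loop.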

  16. SLAM Components
    • Reuse
      • AST toolkit
      • GOLF: value flow analysis, points-to analysis
      • BDD libraries: CMU, CUDD
      • Decision procedures: Simplify, Vampyre
    • Prepass
      • SLIC compiler and instrumentation tool
    • Core
      • C2bp: predicate abstraction of C
      • Bebop: model checking of boolean programs
      • Newton: predicate discovery
    • Error display
      • DHTML GUI

  17. The SLAM process (diagram): C program + SLIC spec → GOLF (CFG + VFG) → c2bp, with predicates → Boolean program → bebop → Pass, or Fail with path p → newton → new predicates back to c2bp; a genuine error is shown in the GUI

  18. c2bp
    • Automatic predicate abstraction of C
    • What is the predicate language? Pure C boolean expressions
    • Input: a C program P and set of predicates E
    • Output: a boolean program c2bp(P,E) that is
      • a sound abstraction of P
      • a precise abstraction of P
    • Difficulties
      • procedures
      • pointers

  19. Bebop
    • Reachability analysis of boolean programs
    • Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis
    • Explicit representation of control flow
    • Implicit representation of reachable states via BDDs
    • Complexity of algorithm is O(|E| · 2^n), where
      E = size of interprocedural control flow graph
      n = max. number of variables in the scope of any label

  20. Newton
    • Symbolically executes (interprocedural) path in C program
    • Checks for path infeasibility using decision procedures
    • If infeasibility detected
      • Find weak(est) condition implying the infeasibility
      • Obtains new predicates

  21. Key Ideas of SLAM
    • State-based search
      • Small state machines – large programs
      • Exploit locality of scoping to scale
    • Automated discovery of abstractions
      • Analysis of counterexamples
    • Global reasoning
      • GOLF (flow-insensitive)
      • model checking (abstract path/flow-sensitive)
      • symbolic execution (concrete path-sensitive)
    • Local reasoning
      • predicate abstraction/decision procedures

  22. Outline
    • What is SLAM?
    • Show and tell
      • SLAM on floppy driver
    • SLAM tools and process
      • Automatic abstraction
      • State-based search
      • Counterexample-driven refinement
    • Discussion
      • Related work
      • Current status of SLAM
      • Future directions

  23. Related Work
    • VCGen based tools
      • ESC-Java [Leino-Nelson-et al.]
      • Proof-Carrying Code [Lee-Necula]
      • PREfix [Pincus-et al.]
    • Model Checking of Software
      • Using an abstract model
        • Bandera [Hatcliff-Dwyer-et al.]
        • FeaVer [Holzmann]
        • FLAVERS [Clarke-Osterweil-et al.]
        • Metal [Engler]
      • By gaining control over the scheduler
        • Java Path Finder [Visser-et al.]
        • Verisoft [Godefroid]
        • Java model checker [Stoller]

  24. Related Work
    • Model checkers
      • Temporal logic model checking [Clarke-Emerson][Sifakis][Vardi-Wolper]
      • Symbolic model checking: BDDs [Bryant], SMV [McMillan, Clarke]
      • Model checking of Hierarchical FSMs [Alur,Grosu], [Alur, Yannakakis, et al.], [Benedikt,Godefroid,Reps]
    • Abstract Interpretation [Cousot-Cousot]
    • Program Analysis
      • shape analysis [Sagiv-Reps-Wilhelm]
    • Predicate Abstraction [Graf-Saidi][Das-Dill-Park]
    • Dataflow analysis = Model Checking + Abstract Interpretation [Steffen-Schmidt]
    • Counterexample driven refinement [Kurshan, Clarke-Grumberg-Jha-Lu-Veith]
    • Temporal safety property checking as type checking [DeLine-Fahndrich]

  25. Current Status of SLAM
    • Project started in January 2000
    • Toolkit now functional on C code
      • found first real bug in production code in March 2001
    • Needs more work on:
      • performance
      • scope
        • function pointers
        • exception handling
      • specification language
      • user interface

  26. Future Directions
    • New Models
      • boolean programs lack expressivity
    • The Heap
      • pointer logics
      • recursive types
    • Concurrency
      • predicate abstraction for an Owicki/Gries-style logic?
    • Scaling
      • reinvestigate assume/guarantee for software

  27. SLAM Papers
    • The SLAM Process
      • Automatically Validating Temporal Safety Properties of Interfaces, Thomas Ball, Sriram K. Rajamani, SPIN 2001
      • The SLAM Toolkit, Thomas Ball, Sriram K. Rajamani, CAV 2001
      • Boolean Programs: A Model and Process for Software Analysis, Thomas Ball, Sriram K. Rajamani, MSR Technical Report 2000-14
    • Boolean Programs
      • Bebop: A Path-sensitive Interprocedural Dataflow Engine, Thomas Ball, Sriram K. Rajamani, PASTE 2001
      • Bebop: A Symbolic Model Checker for Boolean Programs, Thomas Ball, Sriram K. Rajamani, SPIN 2000
    • Predicate Abstraction of C Programs
      • Automatic Predicate Abstraction of C Programs, Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, PLDI 2001
      • Polymorphic Predicate Abstraction, Thomas Ball, Todd Millstein, Sriram K. Rajamani, MSR Technical Report 2001-10
      • Boolean and Cartesian Abstractions for Model Checking C Programs, Thomas Ball, Andreas Podelski, Sriram K. Rajamani, TACAS 2001
    • Concurrency
      • Parameterized Verification of Multithreaded Software Libraries, Thomas Ball, Sagar Chaki, Sriram K. Rajamani, TACAS 2001

  28. Thanks to…
    • Sagar Chaki (CMU)
    • Rupak Majumdar (UC Berkeley)
    • Todd Millstein (U Washington)
    • Andreas Podelski (MPI)
    • Members of Software Productivity Tools group and PPRC

  29. Summary
    • Fully automated way to check temporal safety properties of software interfaces
    • Tools are based on novel ideas
      • interprocedural dataflow with BDDs (bebop)
      • predicate abstraction of C (c2bp)
      • predicate discovery (newton)
    • Demonstration on Windows 2000 device drivers

  30. Software Productivity Tools Microsoft Research http://research.microsoft.com/slam/

  31. State Machine For Irp Handling (diagram: states init, pending, complete and Error; IoMarkIrpPending takes init to pending, IoCompleteRequest takes init to complete; from pending a return with status == STATUS_PENDING is allowed, from complete a return with status != STATUS_PENDING is allowed, the other returns go to Error)

  32. IRP Complete/Pending Rule

    state { enum {Init, Complete, Pending} s = Init; }

    IoCompleteRequest.call {
      if ( s != Init) abort;
      else s = Complete;
    }

    IoMarkIrpPending.call {
      if( s != Init) abort;
      else s = Pending;
    }

    Dispatch.exit {
      if (s == Complete) {
        if ($return == STATUS_PENDING) abort;
      } else if (s == Pending) {
        if( $return != STATUS_PENDING) abort;
      }
    }
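To show what the SLIC instrumentation tool makes of a rule such as this one, here is an added example, not SLAM's code, that compiles the IRP Complete/Pending rule by hand into a C monitor of the same shape as the `KeAcquireSpinLock_call` / `KeReleaseSpinLock_call` functions on slide 11, and runs it over constructed call traces of a dispatch routine. The event encoding, the `check_irp_rule` function and the numeric values of `STATUS_PENDING` and `STATUS_SUCCESS` are assumptions of the example; SLAM would explore such traces statically, whereas this monitor checks one given trace.

```c
/* Added example (not SLAM/SLIC code): the IRP Complete/Pending rule of slide 32
 * as a C monitor run over constructed traces of a dispatch routine. */
#include <stdio.h>

#define STATUS_PENDING 0x103   /* assumed value; only compared, never interpreted */
#define STATUS_SUCCESS 0x0     /* assumed value */

/* One instrumentation event: a call the rule watches, or the exit of Dispatch. */
typedef enum { EV_COMPLETE, EV_MARK_PENDING, EV_DISPATCH_EXIT } EventKind;

typedef struct {
    EventKind kind;
    int ret;                   /* $return; meaningful for EV_DISPATCH_EXIT only */
} Event;

typedef enum { Init, Complete, Pending } IrpState;   /* the SLIC state variable s */

/* Runs the monitor over a trace.  Returns 0 if the rule holds, otherwise the
 * 1-based index of the first event at which the SLIC rule would abort. */
int check_irp_rule(const Event *trace, int n) {
    IrpState s = Init;
    for (int i = 0; i < n; i++) {
        switch (trace[i].kind) {
        case EV_COMPLETE:       /* IoCompleteRequest.call */
            if (s != Init) return i + 1;
            s = Complete;
            break;
        case EV_MARK_PENDING:   /* IoMarkIrpPending.call */
            if (s != Init) return i + 1;
            s = Pending;
            break;
        case EV_DISPATCH_EXIT:  /* Dispatch.exit: $return must agree with s */
            if (s == Complete && trace[i].ret == STATUS_PENDING) return i + 1;
            if (s == Pending  && trace[i].ret != STATUS_PENDING) return i + 1;
            break;
        }
    }
    return 0;
}

/* Constructed traces (not taken from any driver). */
static const Event trace_ok_complete[] = { {EV_COMPLETE, 0}, {EV_DISPATCH_EXIT, STATUS_SUCCESS} };
static const Event trace_ok_pending[]  = { {EV_MARK_PENDING, 0}, {EV_DISPATCH_EXIT, STATUS_PENDING} };
static const Event trace_ok_untouched[] = { {EV_DISPATCH_EXIT, STATUS_SUCCESS} };
static const Event trace_bad_return[]  = { {EV_MARK_PENDING, 0}, {EV_DISPATCH_EXIT, STATUS_SUCCESS} };
static const Event trace_bad_twice[]   = { {EV_MARK_PENDING, 0}, {EV_COMPLETE, 0}, {EV_DISPATCH_EXIT, STATUS_PENDING} };

#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void) {
    struct { const char *name; const Event *t; int n; } cases[] = {
        { "complete, return success",  trace_ok_complete, COUNT(trace_ok_complete) },
        { "pending, return pending",   trace_ok_pending,  COUNT(trace_ok_pending) },
        { "untouched, return success", trace_ok_untouched, COUNT(trace_ok_untouched) },
        { "pending, return success",   trace_bad_return,  COUNT(trace_bad_return) },
        { "pending then complete",     trace_bad_twice,   COUNT(trace_bad_twice) },
    };
    for (int i = 0; i < COUNT(cases); i++) {
        int r = check_irp_rule(cases[i].t, cases[i].n);
        if (r == 0) printf("%-26s ok\n", cases[i].name);
        else        printf("%-26s abort at event %d\n", cases[i].name, r);
    }
    return 0;
}
```

The two failing traces are exactly the transitions the diagram on slide 31 routes to Error: a second call that moves s out of Init, and a return status that disagrees with whether the IRP was marked pending or completed. A trace that touches neither call is accepted because the rule constrains $return only in the Complete and Pending states.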
