1 / 90

Program Verification by Lazy Abstraction

Program Verification by Lazy Abstraction. Ranjit Jhala UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre. Motivation. Software is buggy. How can we make it more reliable ?. Property Checking. Programmer gives partial specifications

dustin
Download Presentation

Program Verification by Lazy Abstraction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Verification byLazy Abstraction Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

  2. Motivation Software is buggy. • How can we make it more reliable ?

  3. Property Checking • Programmer gives partial specifications • Code checked for consistency w/ spec • Different from program correctness • Specifications are not complete • Is there a complete spec for Word ? Emacs ?

  4. Interface Usage Rules • Rules in documentation • Order of operations & data access • Resource management • Incomplete, unenforced, wordy • Violated rules ) bad behavior • System crash or deadlock • Unexpected exceptions • Failed runtime checks

  5. lock unlock unlock lock Property 1: Double Locking “An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.” Calls to lock and unlock must alternate.

  6. Property 2: Drop Root Privilege [Chen-Dean-Wagner ’02] “User applications must not run with root privilege” When execv is called, must have suid  0

  7. start NP CallDriver SKIP1 SKIP2 return child status Skip CallDriver IPC synch MPR3 NP CallDriver prop completion PPC not pending returned MPR completion Complete request CallDriver MPR1 MPR2 DC return not Pend no prop completion synch CallDriver N/A N/A IRP accessible CallDriver start P SKIP2 Mark Pending SKIP1 Skip CallDriver IPC synch MPR3 NP CallDriver prop completion return Pending PPC not pending returned MPR completion Complete request CallDriver MPR1 MPR2 DC no prop completion CallDriver N/A Property 3 : IRP Handler [Fahndrich]

  8. Does a given usage rule hold? • Undecidable! • Equivalent to the halting problem • Restricted versions are in PSPACE • Prohibitively expensive • Why bother ? Just because a problem is hard, it doesn’t go away!

  9. lock unlock unlock lock Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; }

  10. pc lock old new q  3   5  5  0x133a pc lock old new q  4   5  6  0x133a What a program really is… State Transition 3: unlock(); new++; 4:} … Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return;}

  11. The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state ? Problem:Infinitestate graph Solution : Set of states ' logical formula

  12. Representing States asFormulas [F] states satisfyingF {s | s² F } F FO fmla over prog. vars [F1] Å [F2] F1ÆF2 [F1] [ [F2] F1 ÇF2 [F] : F [F1] µ [F2] F1 implies F2 i.e. F1Æ: F2 unsatisfiable

  13. Idea 1: Predicate Abstraction • Predicates on program state: lock old = new • States satisfying same predicates are equivalent • Merged into one abstract state • #abstract states is finite

  14. pc lock old new q  3   5  5  0x133a pc lock old new q  4   5  6  0x133a Abstract States and Transitions State 3: unlock(); new++; 4:} … Theorem Prover lock old=new : lock : old=new

  15. pc lock old new q  3   5  5  0x133a pc lock old new q  4   5  6  0x133a Abstraction State 3: unlock(); new++; 4:} … Theorem Prover lock old=new : lock : old=new Existential Lifting

  16. pc lock old new q  3   5  5  0x133a pc lock old new q  4   5  6  0x133a Abstraction State 3: unlock(); new++; 4:} … lock old=new : lock : old=new

  17. Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples

  18. Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!

  19. Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge

  20. Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]

  21. Lazy Abstraction Yes BLAST Safe Abstract CProgram Refine No Property Trace

  22. Problem: Abstraction is Expensive Reachable Problem #abstract states = 2#predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100’s, #States ~ 2100 , #Reach ~ 1000’s

  23. Solution1: Only Abstract Reachable States Safe Solution Build abstraction during search Problem #abstract states = 2#predicates Exponential Thm. Prover queries

  24. Solution2: Don’t Refine Error-Free Regions Error Free Solution Don’t refine error-free regions Problem #abstract states = 2#predicates Exponential Thm. Prover queries

  25. Key Idea: Reachability Tree Initial Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 5 4 3

  26. Key Idea: Reachability Tree Initial Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. 4 7 5 3 3 Error Free

  27. Key Idea: Reachability Tree Initial Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. 4 7 8 5 8 3 1 1 3 Error Free S1: Only Abstract Reachable States S2: Don’t refine error-free regions SAFE

  28. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 1 Reachability Tree Predicates:LOCK

  29. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK lock() old = new q=q->next 2 LOCK 1 2 Reachability Tree Predicates:LOCK

  30. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK [q!=NULL] 3 LOCK 1 2 3 Reachability Tree Predicates:LOCK

  31. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK 3 LOCK q->data = new unlock() new++ 4 : LOCK 4 1 2 3 Reachability Tree Predicates:LOCK

  32. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK [new==old] 5 : LOCK 5 4 1 2 3 Reachability Tree Predicates:LOCK

  33. Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK 3 LOCK 4 : LOCK 5 : LOCK 5 unlock() 4 : LOCK 1 2 3 Reachability Tree Predicates:LOCK

  34. Analyze Counterexample Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK lock() old = new q=q->next 2 LOCK [q!=NULL] 3 LOCK q->data = new unlock() new++ 4 : LOCK [new==old] 5 : LOCK 5 unlock() 4 : LOCK 1 2 3 Reachability Tree Predicates:LOCK

  35. Analyze Counterexample Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK old = new 2 LOCK 3 LOCK new++ 4 : LOCK [new==old] 5 : LOCK 5 Inconsistent 4 : LOCK new == old 1 2 3 Reachability Tree Predicates:LOCK

  36. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 1 Reachability Tree Predicates:LOCK, new==old

  37. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK lock() old = new q=q->next 2 LOCK , new==old 1 2 Reachability Tree Predicates:LOCK, new==old

  38. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old q->data = new unlock() new++ 4 : LOCK , : new = old 4 1 2 3 Reachability Tree Predicates:LOCK, new==old

  39. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old 4 : LOCK , : new = old [new==old] 4 1 2 3 Reachability Tree Predicates:LOCK, new==old

  40. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK , new==old 3 LOCK , new==old 4 : LOCK , : new = old [new!=old] 1 : LOCK, : new == old 4 4 1 2 3 Reachability Tree Predicates:LOCK, new==old

  41. Repeat Build-and-Search Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 LOCK , new=old : LOCK , : new = old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates:LOCK, new==old

  42. Key Idea: Reachability Tree Initial Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off 1 2 3 6 Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. 4 7 8 5 8 3 1 1 3 Error Free S1: Only Abstract Reachable States S2: Don’t refine error-free regions SAFE

  43. Two handwaves Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK 2 LOCK , new==old SAFE 3 LOCK , new==old 4 4 LOCK , new=old : LOCK , : new = old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates:LOCK, new==old

  44. Two handwaves Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE 3 3 LOCK , new==old LOCK , new==old q->data = new unlock() new++ 4 4 4 LOCK , new=old : LOCK , : new = old : LOCK , : new = old 1 5 5 : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Reachability Tree Predicates:LOCK, new==old

  45. Two handwaves Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE Abstraction 3 LOCK , new==old 4 4 LOCK , new=old : LOCK , : new = old Q. How to find predicates ? 1 5 5 Refinement : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Predicates:LOCK, new==old

  46. Two handwaves Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 : LOCK Q. How to compute “successors” ? 2 LOCK , new==old SAFE Abstraction 3 LOCK , new==old 4 4 LOCK , new=old : LOCK , : new = old 1 5 5 Refinement : LOCK, : new == old 4 4 4 1 : LOCK , new==old 2 3 Predicates:LOCK, new==old

  47. Weakest Preconditions WP(P,OP) Weakest formula P’ s.t. if P’ is true beforeOP then P is true afterOP [WP(P, OP)] OP [P]

  48. Weakest Preconditions WP(P,OP) Weakest formula P’ s.t. if P’ is true beforeOP then P is true afterOP [WP(P, OP)] OP [P] P[e/x] new+1 = old Assign new=new+1 x=e P new = old

  49. Weakest Preconditions WP(P,OP) Weakest formula P’ s.t. if P’ is true beforeOP then P is true afterOP [WP(P, OP)] OP [P] c ) P new=old ) new=old Assume Branch [new=old] [c] P new = old

  50. How to compute successor ? Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 3 F LOCK , new==old OP ? 4 : LOCK , : new = old For each p • Check if p is true (or false) after OP Q:When is p true afterOP ? - If WP(p, OP) is true beforeOP ! - We know F is true before OP - Thm. Pvr. Query: F) WP(p, OP) Predicates:LOCK, new==old

More Related