1 / 61

A … Framework for Verifying Concurrent C Programs

This thesis defense talk discusses a framework for verifying concurrent C programs using message-passing communication. It covers topics such as code validation, model checking, abstraction, and compositional reasoning.

wmarty
Download Presentation

A … Framework for Verifying Concurrent C Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk

  2. Distributed Programs with Message-Passing Communicating Conformance Check Motivation Requirements Specification Specification Validation Code Validation Code

  3. Related Work • Model Checking • Symbolic model checking (SMV,MURPHI,MOCHA) • Partial order reduction (SPIN,COSPAN) • Compositional reasoning • Assume-guarantee • Abstraction • Abstract interpretation, existential abstraction • Message-passing systems • CCS, -Calculus • Simulation, bisimulation, …

  4. Spec System Abstraction Model Verification Yes Abstraction Guidance System OK Improved Abstraction Guidance No Abstraction Refinement Yes Spurious Counterexample Iterative Refinement No Counterexample Counterexample Valid?

  5. Related Work • Iterative Refinement (Kurshan) • Hardware • Yuan Lu ) Ph.D. thesis • SLAM (device drivers) • BLAST (lazy abstraction, thread modular safety) • Concurrent Software • SPIN, Behave!, ZING • Own modeling language • No iterative refinement • Safety properties

  6. Contributions • Compositional Iterative Refinement (IR) • concurrent message-passing programs • simulation conformance • Combining predicate abstraction with existential abstraction • Predicate Minimization • Compositional IR for Liveness properties • Compositional IR for Deadlock detection

  7. Basic Concepts • Var : set of variables • Expr : expressions over Var • Store : set of stores • Var! Addresses • Addresses ! Values • AP: set of atomic propositions • Conc : AP$Expr

  8. Extended FSM • Transitions labeled with guarded commands • Guards are expressions • Command are actions or assignments x == 0 ? x++ true ?  x != 0 ? 

  9. 1 x == 0 ? x++ 2 x != 0 ?  true ?  EFSM(lib) Control Flow Graph x=x+y lib() Component

  10. Control Flow Graph x=x+y 1 x == 0 ? x++ 2 x != 0 ?  true ?  Control Flow Graph

  11. Labeled Kripke Structure • M = ( Q , I ,  , T , AP, L) • Q´ non-empty set of states • I2Q´ initial state • ´ set of actions ´ alphabet • TµQ££Q´ transition relation • APµAP´ set of atomic propositions • L : Q! 2AP´ propositional labeling q     = { ,,,,, } p r p,r AP = { p,q,r,s }   p,q 

  12. Concurrent C Program • Set of components P = hC1 ,…, Cn i • Each Ci is a single C procedure • Possibly calling library routines • Library routines are specified via EFSMs • Semantics of C is an LKS • Depends on the library specificationss

  13. Concrete Semantics of C • Context = (Init, EFSM, , , AP) • SCFG´States of CFG • ICFG´Initial state of CFG • MC = ( Q , I ,  [, T , AP, L) • Q = SCFG£Store • I = { (s,)js = ICFG and ²Init } • L(s,) = { pj²Conc(p) }

  14. x=1,y=-3 x=5,y=-5   x=-2,y=-3 x=0,y=-5 p  x=1,y=-5   x=-2,y=-3 x=1,y=-5 Concrete Semantics x=x+y 1 x == 0 ? x++ 2 x != 0 ?  true ?  p ´x = 0

  15. Predicate Abstraction • PredµExpr • Set of expressions (predicates) associated with each state of the CFG • Pred¶ { Conc(p)jp2AP } • Predicate corresponding to every atomic proposition must be associated with each state of the CFG • In practice each CFG state has a different set of associated predicates

  16. Valuation : Two Views • Valuation ´ minterm Pred • Set of all valuations ´ 2Pred • Pred = { x = 0, y = 0 } • x  0 Æ y  0, {} • x = 0 Æ y  0, {x = 0} • x 0 Æ y = 0, {y = 0} • x = 0 Æ y = 0, {x = 0, y=0} Expression Subset of Pred

  17. Abstract Semantics of C • Context = (Init, EFSM, , , AP, Pred) • SCFG´States of CFG • ICFG´Initial state of CFG • M[C] = ( Q , I ,  [, T , AP, L) • Q = SCFG£ 2Pred • I = { (s,v)js = ICFG and v °Init } • L(s,v) = { pjConc(p) 2 v }

  18. x0,y=0 x=0,y=0 p   x0,y=0 x=0,y=0 p  X0,y=0   x0,y=0 x0,y=0 Abstract Semantics x=x+y 1 x == 0 ? x++ 2 x != 0 ?  true ?  p ´x = 0

  19. Simulation • M1 = ( Q1 , I1 ,  , T1 , AP, L1) • M2 = ( Q2 , I2 ,  , T2 , AP, L2) • Rµ Q1£ Q2 is a simulation relation if • s1R s2) • L1(s1) = L2(s2) • 8(s1, , s’1) 2 T1¦9 s’2¦ (s2, , s’2) 2 T2Æ s’1R s’2 • M14M2´ 9Rµ Q1£ Q2¦8 s12 I1¦9 s22 I2¦ s1R s2

  20. MC4M[C] • (e)´ evaluation of e under  • ²e´(e) 0 • Define relation RµQC£Q[C] • (s,m) R (s,v), m²v • R is a simulation relation • 8s2IC¦9[s]2I[C]¦sR[s]

  21. Parallel Composition • M1 = ( Q1 , I1 , 1, T1 , AP2, L1) • M2 = ( Q2 , I2 , 2, T2 , AP1, L2) • M1||M2 = ( Q1£ Q2 , I1£ I2 , 1[2, T , AP1[ AP2 , L) • L(s1,s2) = L1(s1)[L2(s2) • ((s1, s2), , (s’1, s’2))2T iff for i 2 {1,2} • iÆ(si, , s’i)2Ti • iÆsi = s’i

  22. Program Semantics • P = h C , C’ i • MP = MC|| MC’ • M[P] = M[C]|| M[C’] • Abstraction is done modularly 4 4 4

  23. Program Semantics • P = C || C’ • [P] = [C] || [C’] 4 4 4

  24. Verification • Specification is an LKS Spec • Given P and Spec, check if P4Spec • Construct [P] • Check if [P]4Spec • P4[P]Æ[P]4Spec)P4Spec • Otherwise …

  25. Counterexample • :([P]4Spec)) • 9CE¦CE4[P]Æ: (CE4Spec) • CE has a tree structure • Look at Chapter 5 for the procedure to check [P]4Spec and construct CE if necessary

  26. Counterexample Validation • Check if CE4P • : (CE4Spec)ÆCE4P ): (P4Spec) • Real • P = C || C’

  27. CE 4 C || C’ Problems Infinite States Statespace Explosion Symbolic Representation Compositional Reasoning

  28.  [’ ’ = { ,,z } AP’ = { p,r,t } LKS Projection q     = { ,,,,, } p r p,r AP = { p,q,r,s }   p,q  M

  29.  [’ ’ = { ,,z } AP’ = { p,r,t } LKS Projection t   Å’ [ {} p r r AP Å AP’  t p t M ¼ { ’,AP’ } M’ = ( …, ’ , AP’ , …))M ¼ M’ ´ M ¼ { ’, AP’ }

  30. Weak Simulation • M1 = ( Q1 , I1 ,  [{  }, T1 , AP, L1) • M2 = ( Q2 , I2 ,  , T2 , AP, L2) • Rµ Q1£ Q2 is a weak simulation relation if • s1R s2) • L1(s1) = L2(s2) • 8(s1, , s’1) 2 T1¦9 s’2¦ (s2, , s’2) 2 T2Æ s’1R s’2 • 8(s1, , s’1) 2 T1¦ s’1R s2 • M1 - M2´ 9Rµ Q1£ Q2¦8 s12 I1¦9 s22 I2¦ s1R s2

  31. Compositional Validation CE 4 C || C’ , CE ¼ C - CÆ CE ¼ C’ - C’

  32. Infinite States Symbolic Representation Compositional Validation CE 4 C || C’ , CE¼- CÆ CE¼- C’

  33. Symbolic Representation • MC = ( Q , I ,  , T , AP, L) • There exists a class Rµ 2Q • Each r 2 R has a finite representation • Q2R • Rclosed under intersection and pre-image • Given r2R can check if r = ;

  34. CE¼- C  t g Q b(Q) Q d(Q) t b t d Q Q Q Q CE ¼ C

  35. CE¼- C (Q) b(Q) (Q Åd(Q))  t g Q b(Q) Q Åd(Q) t b t d Q Q Q Q CE ¼ C

  36. CE¼- C (Q) Å(Q) Å(Q Åd(Q)) = ; ?  t g Q b(Q) Q Åd(Q) t b t d Q Q Q Q CE ¼ C

  37. Abstraction Refinement • Check if CE4P • CE4P) Real • Update the set Pred such that for the new [P] we have :(CE4[P]) • Chapter 6 • Minimize number of predicates to be added • Chapter 7

  38. Case Study: SSL Handshake • Verify that OpenSSL correctly implements the SSL handshake • Server and client code • Each about 2500 LOC • 400 LOC after abstracting away library routine calls • Analyzed client and server separately and together

  39. SSL Results

  40. SSL Results

  41. Thoughts • Predicate abstraction alone inadequate for concurrent systems • States from different control locations are always kept distinct • They might be merged • How do we combine other kinds of abstractions with predicate abstraction

  42. Spec System Abstraction Model Verification System OK Improved Abstraction Guidance No Abstraction Refinement Iterative Refinement No Counterexample Valid?

  43. Spec System Abstraction Model Verification System OK Improved Abstraction Guidance No Abstraction Refinement IR ´ Model Checking No Counterexample Valid?

  44. Spec System Abstraction Model Iterative Refinement System OK Improved Abstraction Guidance No Abstraction Refinement Verification ´ IR No Counterexample Valid?

  45. Existential Abstraction • M = ( Q , I ,  , T , AP, L) • Equivalence RµQ£Q • Compatible with propositional labeling • sRs’)L(s) = L(s’) • [s]´ equivalence class of s • Induces a quotient LKS MR

  46. [1] a b [2,3] d b c a e [4,5] [6,7] MR Example Theorem M ¹ MR p 1 a b d 2 3 q Proof (s R [s]) is a simulation relation b c a e 4 5 6 7 M

  47. Verification • Given [P] = [C]|| [C’] and Spec • Use equivalence relations R and R’ • Initially R and R’ are maximal • Construct [P]RR’ = [C]R|| [C’]R’ • [P] 4 [P]RR’ • Check if [P]RR’4Spec • [P]4[P]RR’Æ [P]RR’4Spec ) [P]4Spec • Otherwise …

  48.  b g b g [C] 4 Splitting R  b g CE¼ [C]R [C]R -

  49. Splitting R   Repeated Splitting ) CR converges to bisimulation quotient of C b g b g CE¼ [C]R [C]R -

  50. Predicate Abstraction 4 [C1] [C2] [C3] [C4] Spec Existential Abstraction 4 Spec A1 A2 A3 A4 Two Level IR 4 C1 C2 C3 C4 Spec

More Related