SLIDE 1
2
Interrupt-driven Software 2 3 Interrupt 1 Interrupt 2 Interrupt - - PowerPoint PPT Presentation
Interrupt-driven Software 2 3 Interrupt 1 Interrupt 2 Interrupt - - PowerPoint PPT Presentation
Interrupt-driven Software 2 3 Interrupt 1 Interrupt 2 Interrupt ?? Interrupt 3 4 5 6 7 T1() { T2() { a = 1; a = 2; x = a; }; }; T1() { T2() { a = 1; a = 2; x = a; }; }; 8 9 10 Interrupt-driven Abstract Interpretation
SLIDE 2
SLIDE 3
3
SLIDE 4
4
Interrupt 1 Interrupt 2 Interrupt 3 Interrupt ??
SLIDE 5
5
SLIDE 6
6
SLIDE 7
7
SLIDE 8
8
T1() { a = 1; x = a; }; T2() { a = 2; }; T1() { a = 1; x = a; }; T2() { a = 2; };
SLIDE 9
9
SLIDE 10
10
SLIDE 11
Interrupt-driven programs CFG Checking the feasibility
- f Dataflow between interrupts
Interrupt behavior modeling Invariants
Abstract Interpretation with inter-interrupt propagation
11
Query
LLVM Front-end
SLIDE 12
L1-S1
Abstract Interpretation with inter-interrupt propagation
L2-S2 L3-S3 L4-S4 L2-S2 L4-S4
12
SLIDE 13
13
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); }; Priority: L < H
SLIDE 14
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); }; Priority: L < H Thread behavior: The assertion can be violated!
13
SLIDE 15
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); }; Priority: L < H Interrupt behavior: The assertion holds!
13
SLIDE 16
14
Irq_L() { x = 1; }; Irq_H() { assert(x == 0); }; Priority: L < H
SLIDE 17
Irq_L() { x = 1; }; Irq_H() { assert(x == 0); }; Priority: L < H Thread behavior: The assertion can be violated!
14
SLIDE 18
Irq_L() { x = 1; }; Irq_H() { assert(x == 0); }; Priority: L < H Thread behavior: The assertion can be violated! Interrupt behavior: The assertion can be violated as well!
14
SLIDE 19
15
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; }; Priority: L < H
SLIDE 20
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; }; Priority: L < H Thread behavior: The assertion can be violated!
15
SLIDE 21
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; }; Priority: L < H Interrupt behavior: The assertion holds!
Post-dominate
15
SLIDE 22
16
Thread behavior (Existing) Interrupt behavior (Our approach) Example1 Warning Proof Example2 Warning Warning Example3 Warning Proof
SLIDE 23
Interrupt-driven programs CFG Datalog Facts Datalog Rules Feasibility Checking (Z3 fixed-point)
Interrupt behavior modeling Invariants
Abstract Interpretation with inter-interrupt propagation
17
Query
LLVM Front-end
SLIDE 24
Interrupt-driven programs CFG Datalog Facts Datalog Rules Feasibility Checking (Z3 fixed-point)
Interrupt behavior modeling Invariants
Abstract Interpretation with inter-interrupt propagation
17
Query
LLVM Front-end
SLIDE 25
18
Interrupt-driven software Datalog facts Datalog rules Data-flow Feasibility between interrupts Datalog Engine
[Whaley & Lam, 2004] [Livshits & Lam, 2005]
SLIDE 26
19
Declarative language for deductive databases [Ullman 1989] Facts parent (bill, mary) parent (mary, john) Rules ancestor (X, Y) ← parent (X, Y) ancestor (X, Y) ← parent (X, Z), ancestor (Z, Y) New relationship: ancestor (bill, john)
SLIDE 27
20
NoPreempt (s1, s2) <- Pri(s1, p1) & Pri(s2, p2) & (p2 ≥ p1)
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); };
NoPreempt (x=1, x==0) <- Pri(x=1, L) & Pri(x==0, H) & (H ≥ L)
NoPreempt
SLIDE 28
20
CoverdLoad(l) <- Load(l, v) & Store (s, v) & Dom (s, l)
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); };
CoveredLoad(x==0) <- Load(x==0) & Store(x=0) & Dom(x=0, x==0)
Dominate CoveredLoad
SLIDE 29
20
MustNotReadFrom(l, s) <- CoveredLoad(l) & NoPreempt (s, l) for the same variable
Irq_L() { x = 1; }; Irq_H() { x = 0; assert(x == 0); };
MustNotReadFrom(x==0, x=1) <- CoveredLoad(x==0) & NoPreempt (x=1, x==0) for x
MustNotReadFrom CoveredLoad NoPreempt
SLIDE 30
21
NoPreempt (s1, s2) <- Pri(s1, p1) & Pri(s2, p2) & (p2 ≥ p1) NoPreempt (x==0, x=1) <- Pri(x==0, L) & Pri(x=1, H) & (H ≥ L)
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; };
NoPreempt
SLIDE 31
21
InterceptedStore(s1) <- Store(s1, v) & Store(s2, v) & PostDom(s1, s2) InterceptedStore(x=1) <- Store(x=1) & Store(x=0) & PostDom(x=0, x=1)
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; };
Post-dominate InterceptedStore
SLIDE 32
21
MustNotReadFrom(l, s) <- InterceptedStore(s) & NoPreempt(l, s) for the same variable MustNotReadFrom(x==0, x=1) <- InterceptedStore(x=1) & NoPreempt(x==0, x=1) for x
Irq_L() { assert(x == 0); }; Irq_H() { if (…) x = 1; x = 0; };
InterceptedStore MustNotReadFrom NoPreempt
SLIDE 33
Interrupt-driven programs CFG Datalog Facts Datalog Rules Feasibility Checking (Z3 fixed-point)
Interrupt behavior modeling Invariants
Abstract Interpretation with inter-interrupt propagation
22
Query
LLVM Front-end
SLIDE 34
L1-S1 MustNotReadFrom(L1, S1) MustNotReadFrom(L3, S3)
Abstract Interpretation with inter-interrupt propagation
L2-S2 L3-S3 L4-S4 L2-S2 L4-S4
23
SLIDE 35
24
Summary
- Num. of Benchmarks
35 Total LOC 22,541 lines Total number of pairs 5,116 Number of filtered pairs 3,560 Analysis time
64.21 s
69%
SLIDE 36
25
SLIDE 37
26
Number of warnings & proofs w.r.t each method
100 200 300 violation proofs warnings proofs warnings proofs BMC base Thread behavior Interrupt behavior
IntAbs (Our method) Modular [VMCAI 14] BMC [DATE 15]
SLIDE 38
26
Number of warnings & proofs w.r.t each method
100 200 300 violation proofs warnings proofs warnings proofs BMC base Thread behavior Interrupt behavior
IntAbs (Our method) Modular [VMCAI 14] BMC [DATE 15]
Unsound
SLIDE 39
26
Number of warnings & proofs w.r.t each method
100 200 300 violation proofs warnings proofs warnings proofs BMC base Thread behavior Interrupt behavior
IntAbs (Our method) Modular [VMCAI 14] BMC [DATE 15]
SLIDE 40
27
- Proposed the first modular static analysis
method for sound verification of interrupt- driven software
- Precisely identified infeasible data flows
between interrupts with a declarative interrupt model
- Showed significant precision and performance
improvements
SLIDE 41