Software Model Checking and Counter-example Guided Abstraction - PowerPoint PPT Presentation

Software Model Checking and Counter-example Guided Abstraction Refinement Claire Le Goues 1

Motivation: How should we analyze this? • * means something we can’t analyze (user input, random value) • Line 5: the lock is held if and only if old = new 2

Motivation: How should we analyze this? • * means something we can’t analyze (user input, random value) • Line 10: the lock is held if and only if got_lock = 1 3

Dataflow analysis requires fixed Tradeoffs… abstractions, e.g., zero/non-zero, locked/unlocked Explicit-state Model Checking needs programs to be represented as a Symbolic execution shows need to finite state model…state explosion?? eliminate infeasible paths, see lock/unlock on correlated branches (more complicated logic!). 4

Enter: Abstraction Refinement • Can we get both soundness and the precision to eliminate infeasible paths? o In general: of course not! That’s undecidable. o But in many situations we can solve it with abstraction refinement. • …what will we lose? o Answer: Termination guarantees. OH WELL. 5

CEGAR: Counterexample Guided Abstraction Refinement Check for property violation. Program, Abstract Model Abstract No Property Property Program Checker Using Error Holds Spec Predicates Error New Found Predicates Begin with a coarse Generate Path abstraction Infeasible Feasible Report New Feasibility Bug Predicates Checker Is the error path Refine abstraction to actually feasible? exclude infeasible Hint: weakest “error” path preconditions! 6

Property 1: Double Locking lock unlock unlock lock “An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock .” Calls to lock and unlock must alternate .

Property 2: Drop Root Privilege [Chen-Dean-Wagner ’02] “User applications must not run with root privilege” When execv is called, must have suid ¹ 0 8

Property 3 : IRP Handler start NP SKIP1 CallDriver SKIP2 return Skip child status CallDriver IPC synch MPR3 not pending returned NP CallDriver prop PPC completion MPR Complete completion CallDriver request return MPR1 MPR2 DC not Pend no prop synch completion CallDriver N/A N/A IRP accessible CallDriver start P Mark Pending SKIP2 SKIP1 Skip CallDriver IPC synch MPR3 not pending returned NP CallDriver return prop PPC Pending completion MPR Complete completion CallDriver request MPR2 MPR1 DC no prop completion CallDriver N/A [Fahndrich] 9

Example SLAM Input Example ( ) { 1 : do{ lock(); lock old = new; q = q->next; 2 : if (q != NULL){ unlock 3 : q->data = new; unlock lock unlock(); new ++; } 4 : } while(new != old); 5 : unlock (); return; }

Incorporating Specs Example ( ) { Example ( ) { 1 : do{ 1 : do{ lock(); if L=1 goto ERR; old = new; else L=1; q = q->next; 2 : if (q != NULL){ old = new; 3 : q->data = new; q = q->next; unlock(); 2 : if (q != NULL){ new ++; 3 : q->data = new; } 4 : } while(new != old); if L=0 goto ERR; 5 : unlock (); else L=0; return; new ++; } } lock 4 : } while(new != old); 0 1 5 : if L=0 goto ERR; Original program else L=0; violates spec iff unlock return; unlock lock new program ERR ERR: abort(); reaches ERR 11 }

Program As Labeled Transition System State Transition pc ! 3 pc ! 4 3 : unlock(); lock lock ! ! new++; 4 :} … ! 5 ! 5 old old ! 5 ! 6 new new q ! 0x133a q ! 0x133a Example ( ) { 1 : do { lock(); old = new ; q = q->next; 2 : if (q != NULL){ 3 : q->data = new; unlock(); new ++; } 4 : } while(new != old); 5 : unlock (); return; } 12

The Safety Verification Problem Error (e.g., states with PC = Err) Safe States (never reach Error) Initial Is there a path from an initial to an error state ? Problem: Infinite state graph (old=1, old=2, old=…) Solution : Set of states ' logical formula 13

Representing [Sets of States] as Formulas [ F ] F states satisfying F {s | s ² F } FO fmla over prog. vars [ F 1 ] \ [ F 2 ] F 1 ^ F 2 [ F 1 ] [ [ F 2 ] F 1 _ F 2 ¬ F [ F ] ¬ [ F 1 ] µ [ F 2 ] F 1 ) F 2 i.e. F 1 ^ ¬ ¬ F 2 unsatisfiable 14

Idea 1: Predicate Abstraction • Predicates on program state: lock (i.e., lock=true) old = new • States satisfying same predicates are equivalent – Merged into one abstract state • #abstract states is finite – Thus model-checking the abstraction will be feasible! 15

Abstract States and Transitions State pc ! 3 pc ! 4 3 : unlock(); lock ! lock ! new++; 4 :} … ! 5 old ! 5 old new ! 5 ! 6 new q ! 0x133a q ! 0x133a Theorem Prover ¬ lock lock old=new ¬ old=new 16

Abstraction State c 1 c 2 pc ! 3 pc ! 4 3 : unlock(); lock ! lock ! new++; 4 :} … ! 5 old ! 5 old new ! 5 ! 6 new q ! 0x133a q ! 0x133a A 1 A 2 Theorem Prover ¬ lock lock ¬ old=new old=new Existential Lifting ¬ (i.e., A 1 ! A 2 iff 9 c 1 2 A 1 . 9 c 2 2 A 2 . c 1 ! c 2 ) 17

Abstraction State pc ! 3 pc ! 4 3 : unlock(); lock ! lock ! new++; 4 :} … ! 5 old ! 5 old new ! 5 ! 6 new q ! 0x133a q ! 0x133a ¬ lock lock ¬ old=new old=new ¬ 18

Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples 19

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction! 20

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge 21

Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Untill real counterexample or system proved safe [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] 22

Problem: Abstraction is Expensive Reachable Problem Observe #abstract states = 2 #predicates Fraction of state space reachable #Preds ~ 100’s, #States ~ 2 100 , Exponential Thm. Prover queries #Reach ~ 1000’s 23

Solution1 : Only Abstract Reachable States Safe Solution Problem #abstract states = 2 #predicates Build abstraction during search Exponential Thm. Prover queries 24

Solution2 : Don’t Refine Error-Free Regions Error Free Solution Problem #abstract states = 2 #predicates Don’t refine error-free regions Exponential Thm. Prover queries 25

Build reachability tree. • Generate Abstract Reachability Tree o Contains all reachable nodes o Annotates each node with state § Initially LOCK = 0 or LOCK = 1 § Cross product of CFA and data flow abstraction • Algorithm: depth-first search o Generate nodes one by one o If you come to a node that’s already in the tree, stop § This state has already been explored through a different control flow path o If you come to an error node, stop 26

Less abstractly: build reachability tree 2 lock(); old=new; 3 [T] [new != old] [T] 4 unlock(); 5 new++; [new = old] 6 unlock(); ret 27

Key Idea: Reachability Tree Initial Unroll Abstraction 1 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 2 3. On re-visiting abs. state, cut-off 3 Find min infeasible suffix 4 5 - Learn new predicates - Rebuild subtree with new preds. 3

Key Idea: Reachability Tree Initial Unroll Abstraction 1 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 2 3. On re-visiting abs. state, cut-off 3 6 Find min infeasible suffix 4 5 7 - Learn new predicates - Rebuild subtree with new preds. 3 3 Error Free

Key Idea: Reachability Tree Initial Unroll 1 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 2 3. On re-visiting abs. state, cut-off 3 6 Find min spurious suffix 4 5 7 8 - Learn new predicates - Rebuild subtree with new preds. 8 3 1 1 3 Error Free S1 : Only Abstract Reachable States SAFE S2: Don’t refine error-free regions 30

Less abstractly: build reachability tree 2 lock(); old=new; 3 [T] [new != old] [T] 4 unlock(); 5 new++; [new = old] 6 unlock(); ret 31

Build-and-Search Example ( ) { 1 : do{ lock(); 1 ¬ LOCK old = new; q = q->next; 2 : if (q != NULL){ 3 : q->data = new; unlock(); new ++; } 4 :}while(new != old); 5 : unlock (); } 1 Reachability Tree Predicates: LOCK 32

Build-and-Search Example ( ) { 1 : do{ lock(); 1 ¬ LOCK old = new; lock() q = q->next; old = new q=q->next 2 : if (q != NULL){ 2 LOCK 3 : q->data = new; unlock(); new ++; } 4 :}while(new != old); 5 : unlock (); } 1 2 Reachability Tree Predicates: LOCK 33

Build-and-Search Example ( ) { 1 : do{ lock(); 1 ¬ LOCK old = new; q = q->next; 2 : if (q != NULL){ 2 LOCK 3 : q->data = new; [q!=NULL] unlock(); new ++; } 3 LOCK 4 :}while(new != old); 5 : unlock (); } 1 2 3 Reachability Tree Predicates: LOCK 34

Build-and-Search Example ( ) { 1 : do{ lock(); 1 ¬ LOCK old = new; q = q->next; 2 : if (q != NULL){ 2 LOCK 3 : q->data = new; unlock(); new ++; } 3 LOCK 4 :}while(new != old); q ->data = new unlock() 5 : unlock (); new++ } 4 ¬ LOCK 4 1 2 3 Reachability Tree Predicates: LOCK 35