Automatically Validating Temporal Safety Properties of Interfaces (PowerPoint slide transcript)

1
Automatically Validating Temporal Safety
Properties of Interfaces
  • Thomas Ball
  • Sriram K. Rajamani

http://research.microsoft.com/slam/
2
Outline
  • What is SLAM?
  • Show and tell
  • SLAM on Win2000 floppy driver
  • SLAM tools and process
  • Automatic abstraction
  • State-based search
  • Counterexample-driven refinement
  • Discussion
  • Related work
  • Current status of SLAM
  • Future work

3
Checking API Usage
Does an application follow the proper usage rules of an API?
(Figure: an Application calling into an API; the API may be a C library, a DLL, or a COM component.)
4
Temporal safety properties
  • Something bad does not happen
  • E.g. a lock is never released without first being
    acquired
  • Defined in the 70s
  • Lamport; Alpern-Schneider

5
One Application: Win2000 Device Drivers
Does a device driver acquire and release spin locks properly?
(Figure: a Device Driver calling into the NT Kernel through the interface declared in NTddk.h.)
6
Device Drivers and SLAM
(Figure: the Device Driver, the NTddk.h interface it uses, and the API Rules that SLAM checks the driver against.)
7
State Machine For Locking
(Figure: a three-state automaton with states Unlocked, Locked and Error.)
  • Unlocked, on acquire, goes to Locked
  • Locked, on release, goes to Unlocked
  • Locked, on acquire, goes to Error (acquiring a lock that is already held)
  • Unlocked, on release, goes to Error (releasing a lock that is not held)
8
SLIC Locking Property (simplified)

    state {
      int locked = 0;
    }

    KeAcquireSpinLock.call {
      if (locked == 1) abort;
      else locked = 1;
    }

    KeReleaseSpinLock.call {
      if (locked == 0) abort;
      else locked = 0;
    }

9
    do {
      // get the write lock
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
          irp->IoStatus.Status = STATUS_SUCCESS;
          irp->IoStatus.Information = request->Status;
        } else {
          irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
          irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        ...
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?
10
Safety to Reachability
(Figure: program P and SLIC spec S are fed to the instrumenter, which produces the instrumented program P'.)
Program P satisfies specification S iff label ERROR is not reachable in P'.
11
Instrumented Driver

    do {
      // get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
          irp->IoStatus.Status = STATUS_SUCCESS;
          irp->IoStatus.Information = request->Status;
        } else {
          irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
          irp->IoStatus.Information = request->Status;
        }
        ...
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call();
    KeReleaseSpinLock(&devExt->writeListLock);

The SLIC compiler turns the property into C code that the instrumented driver calls at each API call site:

    int locked = 0;

    void Error_Routine() {
    ERROR:
      assert(0);
    }

    void KeAcquireSpinLock_call() {
      if (locked == 1) Error_Routine();
      else locked = 1;
    }

    void KeReleaseSpinLock_call() {
      if (locked == 0) Error_Routine();
      else locked = 0;
    }

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
12
Demo
13
Outline
  • What is SLAM?
  • Show and tell
  • SLAM on floppy driver
  • SLAM tools and process
  • State-based search
  • Automatic abstraction
  • Counterexample-driven refinement
  • Discussion
  • Related work
  • Current status of SLAM
  • Future work

14
State-based Search

    do {
      // get the write lock
      KeAcquireSpinLock_call();
      KeAcquireSpinLock(&devExt->writeListLock);
      nPacketsOld = nPackets;
      request = devExt->WriteListHeadVa;
      if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        ...
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock_call();
    KeReleaseSpinLock(&devExt->writeListLock);
15
A Boolean Program Abstraction
Boolean variable b represents the condition (nPacketsOld == nPackets).

    do {
      // get the write lock
      KeAcquireSpinLock_call();
      b = true;                // nPacketsOld = nPackets
      if (*) then
        KeReleaseSpinLock_call();
        if (*) then
        else
        fi
        b = b ? false : *;     // nPackets++
      fi
    } while (!b);
    KeReleaseSpinLock_call();

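The search that bebop runs over this Boolean program, written out as an explicit-state reachability check in C. This is an added example and not SLAM's code: bebop represents reachable states with BDDs and works interprocedurally, while this toy enumerates the few states of the loop above by hand. It encodes the control locations of the Boolean program, the SLIC monitor variable `locked` from slide 11, and the Boolean variable b, then asks whether ERROR is reachable. With b tracked, ERROR is unreachable. With b abstracted to `*` (the abstraction SLAM starts from, before the predicate has been discovered), the search reaches ERROR through spurious double-acquire and double-release paths. The location names, the `track_b` switch and `error_reachable` are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Control locations of the Boolean program on slide 15.
 * Names are this example's own, not SLAM's representation. */
enum loc {
    L_ACQUIRE,   /* KeAcquireSpinLock_call()                            */
    L_SET_B,     /* b = true;            // nPacketsOld = nPackets       */
    L_IF,        /* if (*) then ...      (inner if (*) has no lock effect) */
    L_RELEASE,   /* KeReleaseSpinLock_call()  inside the if-branch       */
    L_UPDATE_B,  /* b = b ? false : *;   // nPackets++                   */
    L_WHILE,     /* while (!b)                                           */
    L_RELEASE2,  /* KeReleaseSpinLock_call()  after the loop             */
    L_END,
    L_ERROR,     /* label ERROR in the SLIC-generated Error_Routine      */
    L_COUNT
};

/* Abstract state: control location, the monitor variable `locked`
 * from the instrumented driver, and the Boolean variable b. */
struct state { int loc; int locked; int b; };

#define MAX_STATES (L_COUNT * 2 * 2)

static int state_index(struct state s) {
    return (s.loc * 2 + s.locked) * 2 + s.b;
}

/* Successor relation of the Boolean program; writes at most 2 states to out[].
 * track_b = 1: b models the predicate (nPacketsOld == nPackets).
 * track_b = 0: the predicate is absent, so every use of b reads as `*`. */
static int successors(struct state s, int track_b, struct state out[2]) {
    int n = 0;
    struct state t = s;
    switch (s.loc) {
    case L_ACQUIRE:                       /* SLIC: if (locked == 1) abort */
        if (s.locked) { t.loc = L_ERROR; out[n++] = t; }
        else { t.locked = 1; t.loc = L_SET_B; out[n++] = t; }
        break;
    case L_SET_B:
        t.b = track_b ? 1 : 0; t.loc = L_IF; out[n++] = t;
        break;
    case L_IF:                            /* if (*): both branches possible */
        t.loc = L_RELEASE; out[n++] = t;
        t.loc = L_WHILE;   out[n++] = t;
        break;
    case L_RELEASE:                       /* SLIC: if (locked == 0) abort */
        if (!s.locked) { t.loc = L_ERROR; out[n++] = t; }
        else { t.locked = 0; t.loc = L_UPDATE_B; out[n++] = t; }
        break;
    case L_UPDATE_B:                      /* b = b ? false : * */
        t.loc = L_WHILE;
        t.b = 0; out[n++] = t;
        if (track_b && !s.b) { t.b = 1; out[n++] = t; }
        break;
    case L_WHILE:                         /* while (!b) */
        if (!track_b) {                   /* condition is `*`: loop or exit */
            t.loc = L_ACQUIRE;  out[n++] = t;
            t.loc = L_RELEASE2; out[n++] = t;
        } else if (s.b) { t.loc = L_RELEASE2; out[n++] = t; }
        else            { t.loc = L_ACQUIRE;  out[n++] = t; }
        break;
    case L_RELEASE2:
        if (!s.locked) { t.loc = L_ERROR; out[n++] = t; }
        else { t.locked = 0; t.loc = L_END; out[n++] = t; }
        break;
    default:                              /* L_END, L_ERROR: no successors */
        break;
    }
    return n;
}

/* Breadth-first reachability of ERROR from the initial state
 * (lock free, at the loop head). Returns 1 if ERROR is reachable. */
int error_reachable(int track_b) {
    struct state queue[MAX_STATES];
    bool seen[MAX_STATES] = { false };
    int head = 0, tail = 0;
    struct state init = { L_ACQUIRE, 0, 0 };
    queue[tail++] = init;
    seen[state_index(init)] = true;
    while (head < tail) {
        struct state s = queue[head++];
        if (s.loc == L_ERROR) return 1;
        struct state succ[2];
        int n = successors(s, track_b, succ);
        for (int i = 0; i < n; i++) {
            int k = state_index(succ[i]);
            if (!seen[k]) { seen[k] = true; queue[tail++] = succ[i]; }
        }
    }
    return 0;
}

int main(void) {
    printf("b tracked:    ERROR reachable = %d\n", error_reachable(1));
    printf("b abstracted: ERROR reachable = %d\n", error_reachable(0));
    return 0;
}
```

The second run is the first iteration of the SLAM loop: the abstraction without b lets the search leave the loop with the lock already released, or go round again with it still held, and neither path exists in the C program. That counterexample is what newton then examines.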
16
SLAM Components
  • Reuse
      • AST toolkit
      • GOLF: value flow analysis, points-to analysis
      • BDD libraries: CMU, CUDD
      • Decision procedures: Simplify, Vampyre
  • Prepass
      • SLIC compiler and instrumentation tool
  • Core
      • C2bp: predicate abstraction of C
      • Bebop: model checking of boolean programs
      • Newton: predicate discovery
  • Error display
      • DHTML GUI

17
(Figure: the SLAM process as a loop.)
  • The C program and its SLIC spec go to SLIC, which produces the instrumented program; GOLF computes its CFG and VFG.
  • c2bp abstracts the instrumented program with the current set of predicates into a Boolean program.
  • bebop model checks the Boolean program: Pass means the property holds; Fail with abstract path p goes to newton.
  • newton checks p against the C program: a feasible path is shown as an Error in the GUI; an infeasible one yields new predicates, which are fed back to c2bp.
18
c2bp
  • Automatic predicate abstraction of C
  • What is the predicate language?
  • Pure C boolean expressions
  • Input a C program P and set of predicates E
  • Output a boolean program c2bp(P,E) that is
  • a sound abstraction of P
  • a precise abstraction of P
  • Difficulties
  • procedures
  • pointers

19
Bebop
  • Reachability analysis of boolean programs
  • Symbolic version of Reps-Horwitz-Sagiv, POPL95
    interprocedural data flow analysis
  • Explicit representation of control flow
  • Implicit representation of reachable states via
    BDDs
  • Complexity of algorithm is O(|E| · 2^n)
  • |E| = size of interprocedural control flow graph
  • n = max. number of variables in the scope of
    any label

20
Newton
  • Symbolically executes (interprocedural) path in C
    program
  • Checks for path infeasibility using decision
    procedures
  • If infeasibility detected
  • Find weak(est) condition implying the
    infeasibility
  • Obtains new predicates

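What newton does with the spurious counterexample from the locking example, as an added example that is not SLAM's code. newton symbolically executes arbitrary interprocedural C paths and hands the path condition to Simplify or Vampyre; this toy only understands the copy-and-increment statements of the driver loop and decides the resulting constraints itself. The path bebop reports when b is absent is: save nPacketsOld, take the if-branch so nPackets is incremented, then exit the loop on `nPackets == nPacketsOld`. Symbolic execution shows that exit condition can never hold, so the path is infeasible, and the branch condition becomes the new predicate, which is the b on slide 15. The statement encoding, `newton_check_path` and the two sample paths are constructed for this example; reporting the failing branch condition as the new predicate is a simplification of the weakest-condition computation the slide describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symbolic integer: one of two unknowns plus a constant offset.
 * N = nPackets and M = nPacketsOld when the path starts. The path only
 * copies and increments, so every value keeps this shape; that is this
 * toy's limitation, newton handles general C expressions. */
enum base { BASE_N, BASE_M };
struct sym { enum base base; long offset; };

/* Statements that can appear on a path through the driver loop. */
enum op {
    ST_SAVE_OLD,   /* nPacketsOld = nPackets;                       */
    ST_INC,        /* nPackets++;                                   */
    ST_ASSUME_EQ,  /* loop exits:   assume(nPackets == nPacketsOld) */
    ST_ASSUME_NE   /* loop repeats: assume(nPackets != nPacketsOld) */
};

#define MAX_CONSTRAINTS 16

/* Path condition, expressed over the single free difference D = N - M. */
struct path_cond {
    bool has_required; long required;                /* D == k */
    long forbidden[MAX_CONSTRAINTS]; int nforbidden; /* D != k */
    bool contradiction;
};

/* Stand-in for the decision procedure: conjoin "a == b" or "a != b"
 * and flag the path condition as unsatisfiable if it now contradicts. */
static void add_constraint(struct path_cond *pc, struct sym a, struct sym b, bool eq) {
    long k = a.offset - b.offset;
    if (a.base == b.base) {               /* unknown cancels: a - b == k exactly */
        if (eq ? (k != 0) : (k == 0)) pc->contradiction = true;
        return;
    }
    /* a - b is D + k (a over N) or -D + k (a over M); solve for D. */
    long t = (a.base == BASE_N) ? -k : k;
    if (eq) {
        if (pc->has_required && pc->required != t) pc->contradiction = true;
        for (int i = 0; i < pc->nforbidden; i++)
            if (pc->forbidden[i] == t) pc->contradiction = true;
        pc->has_required = true; pc->required = t;
    } else {
        if (pc->has_required && pc->required == t) pc->contradiction = true;
        if (pc->nforbidden < MAX_CONSTRAINTS) pc->forbidden[pc->nforbidden++] = t;
    }
}

struct newton_result {
    bool feasible;
    const char *predicate;   /* branch condition to add; NULL if the path is feasible */
};

/* Symbolically execute one path; on infeasibility report the branch
 * condition that could not be satisfied as the predicate to add. */
struct newton_result newton_check_path(const enum op *path, int len) {
    struct sym nPackets = { BASE_N, 0 }, nPacketsOld = { BASE_M, 0 };
    struct path_cond pc = { false, 0, { 0 }, 0, false };
    struct newton_result r = { true, NULL };
    for (int i = 0; i < len; i++) {
        switch (path[i]) {
        case ST_SAVE_OLD:  nPacketsOld = nPackets; break;
        case ST_INC:       nPackets.offset += 1; break;
        case ST_ASSUME_EQ: add_constraint(&pc, nPackets, nPacketsOld, true);  break;
        case ST_ASSUME_NE: add_constraint(&pc, nPackets, nPacketsOld, false); break;
        }
        if (pc.contradiction) {
            r.feasible = false;
            r.predicate = (path[i] == ST_ASSUME_EQ) ? "nPacketsOld == nPackets"
                                                    : "nPacketsOld != nPackets";
            return r;
        }
    }
    return r;
}

/* bebop's counterexample without b: if-branch taken (nPackets++), then loop exit. */
static const enum op spurious_path[] = { ST_SAVE_OLD, ST_INC, ST_ASSUME_EQ };
/* A real execution: if-branch skipped, loop exits because nothing changed. */
static const enum op genuine_path[]  = { ST_SAVE_OLD, ST_ASSUME_EQ };

bool spurious_path_feasible(void) { return newton_check_path(spurious_path, 3).feasible; }
bool genuine_path_feasible(void)  { return newton_check_path(genuine_path, 2).feasible; }
const char *spurious_path_predicate(void) { return newton_check_path(spurious_path, 3).predicate; }

int main(void) {
    printf("spurious path feasible: %d (new predicate: %s)\n",
           spurious_path_feasible(), spurious_path_predicate());
    printf("genuine path feasible:  %d\n", genuine_path_feasible());
    return 0;
}
```

After `nPacketsOld = nPackets` both variables are the same unknown N, so `nPackets++` followed by `assume(nPackets == nPacketsOld)` reduces to `N + 1 == N`, which no value of N satisfies. Adding the predicate (nPacketsOld == nPackets) to c2bp's input gives the Boolean program on slide 15, on which bebop no longer reaches ERROR.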
21
Key Ideas of SLAM
  • State-based search
  • Small state machines, large programs
  • Exploit locality of scoping to scale
  • Automated discovery of abstractions
  • Analysis of counterexamples
  • Global reasoning
  • GOLF (flow-insensitive)
  • model checking (abstract path/flow-sensitive)
  • symbolic execution (concrete path-sensitive)
  • Local reasoning
  • predicate abstraction/decision procedures

22
Outline
  • What is SLAM?
  • Show and tell
  • SLAM on floppy driver
  • SLAM tools and process
  • Automatic abstraction
  • State-based search
  • Counterexample-driven refinement
  • Discussion
  • Related work
  • Current status of SLAM
  • Future directions

23
Related Work
  • VCGen based tools
      • ESC-Java [Leino, Nelson et al.]
      • Proof-Carrying Code [Lee, Necula]
      • PREfix [Pincus et al.]
  • Model Checking of Software
      • Using an abstract model
          • Bandera [Hatcliff, Dwyer et al.]
          • FeaVer [Holzmann]
          • FLAVERS [Clarke, Osterweil et al.]
          • Metal [Engler]
      • By gaining control over the scheduler
          • Java Path Finder [Visser et al.]
          • Verisoft [Godefroid]
          • Java model checker [Stoller]

24
Related Work
  • Model checkers
      • Temporal logic model checking [Clarke-Emerson; Sifakis; Vardi-Wolper]
      • Symbolic model checking: BDDs [Bryant]; SMV [McMillan, Clarke]
      • Model checking of hierarchical FSMs [Alur, Grosu; Alur, Yannakakis et al.; Benedikt, Godefroid, Reps]
  • Abstract Interpretation [Cousot-Cousot]
  • Program Analysis
      • shape analysis [Sagiv-Reps-Wilhelm]
  • Predicate Abstraction [Graf-Saidi; Das-Dill-Park]
  • Dataflow analysis as model checking of abstract interpretations [Steffen; Schmidt]
  • Counterexample driven refinement [Kurshan; Clarke-Grumberg-Jha-Lu-Veith]
  • Temporal safety property checking as type checking

25
Current Status of SLAM
  • Project started in January 2000
  • Toolkit now functional on C code
  • found first real bug in production code in March
    2001
  • Needs more work on
  • performance
  • scope
  • function pointers
  • exception handling
  • specification language
  • user interface

26
Future Directions
  • New Models
  • boolean programs lack expressivity
  • The Heap
  • pointer logics
  • recursive types
  • Concurrency
  • predicate abstraction for an Owicki/Gries-style
    logic?
  • Scaling
  • reinvestigate assume/guarantee for software

27
SLAM Papers
  • The SLAM Process
      • Automatically Validating Temporal Safety Properties of Interfaces. Thomas Ball, Sriram K. Rajamani. SPIN 2001.
      • The SLAM Toolkit. Thomas Ball, Sriram K. Rajamani. CAV 2001.
      • Boolean Programs: A Model and Process for Software Analysis. Thomas Ball, Sriram K. Rajamani. MSR Technical Report 2000-14.
  • Boolean Programs
      • Bebop: A Path-sensitive Interprocedural Dataflow Engine. Thomas Ball, Sriram K. Rajamani. PASTE 2001.
      • Bebop: A Symbolic Model Checker for Boolean Programs. Thomas Ball, Sriram K. Rajamani. SPIN 2000.
  • Predicate Abstraction of C Programs
      • Automatic Predicate Abstraction of C Programs. Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani. PLDI 2001.
      • Polymorphic Predicate Abstraction. Thomas Ball, Todd Millstein, Sriram K. Rajamani. MSR Technical Report 2001-10.
      • Boolean and Cartesian Abstractions for Model Checking C Programs. Thomas Ball, Andreas Podelski, Sriram K. Rajamani. TACAS 2001.
  • Concurrency
      • Parameterized Verification of Multithreaded Software Libraries. Thomas Ball, Sagar Chaki, Sriram K. Rajamani. TACAS 2001.

28
Thanks to
  • Sagar Chaki (CMU)
  • Rupak Majumdar (UC Berkeley)
  • Todd Millstein (U Washington)
  • Andreas Podelski (MPI)
  • Members of Software Productivity Tools group and
    PPRC

29
Summary
  • Fully automated way to check temporal safety
    properties of software interfaces
  • Tools are based on novel ideas
  • interprocedural dataflow with BDDs (bebop)
  • predicate abstraction of C (c2bp)
  • predicate discovery (newton)
  • Demonstration on Windows 2000 device drivers

30
  • Software Productivity Tools
  • Microsoft Research
  • http://research.microsoft.com/slam/

31
State Machine For Irp Handling
(Figure: an automaton with states init, pending, complete and Error.)
  • init, on IoMarkIrpPending, goes to pending
  • init, on IoCompleteRequest, goes to complete
  • complete, on return status == STATUS_PENDING, goes to Error
  • pending, on return status != STATUS_PENDING, goes to Error
32
IRP Complete/Pending Rule

    state {
      enum { Init, Complete, Pending } s = Init;
    }

    IoCompleteRequest.call {
      if (s != Init) abort;
      else s = Complete;
    }

    IoMarkIrpPending.call {
      if (s != Init) abort;
      else s = Pending;
    }

    Dispatch.exit {
      if (s == Complete) {
        if ($return == STATUS_PENDING) abort;
      } else if (s == Pending) {
        if ($return != STATUS_PENDING) abort;
      }
    }