Title: A Framework for Verifying Concurrent C Programs
- Sagar Chaki
- Thesis Defense Talk
Motivation
(figure: Requirements, Specification, Specification Validation, Code, Code Validation)
Related Work
- Model Checking
  - Symbolic model checking (SMV, MURPHI, MOCHA)
  - Partial order reduction (SPIN, COSPAN)
- Compositional reasoning
  - Assume-guarantee
- Abstraction
  - Abstract interpretation, existential abstraction
- Message-passing systems
  - CCS, π-Calculus
  - Simulation, bisimulation
Iterative Refinement
(figure: refinement loop; labels: Counterexample, Counterexample Valid?, No)
Related Work
- Iterative Refinement (Kurshan)
  - Hardware
  - Yuan Lu's Ph.D. thesis
  - SLAM (device drivers)
  - BLAST (lazy abstraction, thread modular safety)
- Concurrent Software
  - SPIN, Behave!, ZING
  - Own modeling language
  - No iterative refinement
  - Safety properties
Contributions
- Compositional Iterative Refinement (IR)
  - concurrent message-passing programs
  - simulation conformance
- Combining predicate abstraction with existential abstraction
- Predicate Minimization
- Compositional IR for Liveness properties
- Compositional IR for Deadlock detection
Basic Concepts
- $Var$: set of variables
- $Expr$: expressions over $Var$
- $Store$: set of stores
  - $Var \to Addresses$
  - $Addresses \to Values$
- $\mathcal{AP}$: set of atomic propositions
- $Conc : \mathcal{AP} \to Expr$
Extended FSM
- Transitions labeled with guarded commands
- Guards are expressions
- Commands are actions or assignments
(figure: example EFSM with guarded-command transition labels; the labels are not recoverable from the extraction)
Control Flow Graph
(figure: a component calling lib() and its control flow graph with numbered locations and guarded-command edges; labels not recoverable)
Labeled Kripke Structure
- $M = (Q, I, \Sigma, T, AP, L)$
- $Q$: non-empty set of states
- $I \in Q$: initial state
- $\Sigma$: set of actions (alphabet)
- $T \subseteq Q \times \Sigma \times Q$: transition relation
- $AP \subseteq \mathcal{AP}$: set of atomic propositions
- $L : Q \to 2^{AP}$: propositional labeling
(figure: example LKS over $AP = \{p, q, r, s\}$ with states labeled $\{p\}$, $\{r\}$, $\{p, r\}$, $\{p, q\}$; action labels not recoverable)
Concurrent C Program
- Set of components $P = \langle C_1, \ldots, C_n \rangle$
- Each $C_i$ is a single C procedure
  - Possibly calling library routines
- Library routines are specified via EFSMs
- Semantics of C is an LKS
  - Depends on the library specifications
Context for $P_i$
- Context $= (Init, EFSM, \tau, \Sigma, AP)$
- $Init$: an initial condition
- $EFSM : Lib \to EFSM$
  - Specification EFSMs for all libraries
- $\tau$: an internal action
- $AP \subseteq \mathcal{AP}$: set of atomic propositions
- $\Sigma$: alphabet
Concrete Semantics of C
- Context $= (Init, EFSM, \tau, \Sigma, AP)$
- $S_{CFG}$: states of CFG
- $I_{CFG}$: initial state of CFG
- $M_C = (Q, I, \Sigma \cup \{\tau\}, T, AP, L)$
- $Q = S_{CFG} \times Store$
- $I = \{(s, \sigma) \mid s = I_{CFG} \wedge \sigma \models Init\}$
- $L(s, \sigma) = \{p \mid \sigma \models Conc(p)\}$
Transitions of $P$
- $(s, \sigma) \xrightarrow{\tau} (s', \sigma')$
- $s$ assignment
  - $s' = next(s)$ and $\sigma' = \sigma(s)$
- $s$ branch with condition $c$
  - $s' = then(s)$ and $\sigma \models c$
  - $s' = else(s)$ and $\sigma \not\models c$
Transitions of $P$
- $(s, \sigma) \xrightarrow{\alpha} (s', \sigma')$
- $\alpha \in \Sigma$
- $s$ inlined EFSM state
  - $s' = next(s)$
  - $s \to s'$ with guard $g$ and action $\alpha$
  - $\sigma \models g$
Concrete Semantics
(figure: the example CFG with locations 1 and 2 and its concrete LKS; the atomic proposition $p$ is an expression over $x$ and $0$ whose operator was lost in extraction)
Predicate Abstraction
- $Pred \subseteq Expr$
  - Set of expressions (predicates) associated with each state of the CFG
- $Pred \supseteq \{Conc(p) \mid p \in AP\}$
  - Predicate corresponding to every atomic proposition must be associated with each state of the CFG
- In practice each CFG state has a different set of associated predicates
Valuation: Two Views
- Valuation $=$ minterm over $Pred$
- Set of all valuations $= 2^{Pred}$
- $Pred = \{x = 0,\ y = 0\}$

  Expression                    Subset of Pred
  $x \neq 0 \wedge y \neq 0$    $\{\}$
  $x = 0 \wedge y \neq 0$       $\{x = 0\}$
  $x \neq 0 \wedge y = 0$       $\{y = 0\}$
  $x = 0 \wedge y = 0$          $\{x = 0,\ y = 0\}$
Compatibility
- Given expressions $e_1$ and $e_2$
- $e_1$ and $e_2$ are compatible iff $e_1 \wedge e_2$ is satisfiable
  - $\exists \sigma \in Store \,.\, \sigma \models e_1 \wedge \sigma \models e_2$
- Each valuation $v$ is an expression
  - Compatibility of $v$ with an expression $e$, and of $v$ with another valuation $v'$, is defined as above
Abstract Semantics of C
- Context $= (Init, EFSM, \tau, \Sigma, AP, Pred)$
- $S_{CFG}$: states of CFG
- $I_{CFG}$: initial state of CFG
- $\hat{M}_C = (Q, I, \Sigma \cup \{\tau\}, T, AP, L)$
- $Q = S_{CFG} \times 2^{Pred}$
- $I = \{(s, v) \mid s = I_{CFG} \wedge v \text{ compatible with } Init\}$
- $L(s, v) = \{p \mid Conc(p) \in v\}$
Transitions of $\hat{P}$
- $(s, v) \xrightarrow{\tau} (s', v')$
- $s$ assignment
  - $s' = next(s)$ and $v$ compatible with $WP_{v'}(s)$
- $s$ branch with condition $c$
  - $s' = then(s)$ and $v$ compatible with $c \wedge v'$
  - $s' = else(s)$ and $v$ compatible with $\neg c \wedge v'$
Transitions of $\hat{P}$
- $(s, v) \xrightarrow{\alpha} (s', v')$
- $\alpha \in \Sigma$
- $s$ inlined EFSM state
  - $s' = next(s)$
  - $s \to s'$ with guard $g$ and action $\alpha$
  - $v$ compatible with $g \wedge v'$
Abstract Semantics
(figure: the example CFG with locations 1 and 2 and its abstract LKS over valuations of $Pred$; the atomic proposition $p$ is an expression over $x$ and $0$ whose operator was lost in extraction)
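The abstract semantics of slides 18 to 23 (valuations as minterms over $Pred$, compatibility as satisfiability of a conjunction, and abstract transitions for assignments and branches) carried out on a two-location C fragment. This is an added example, not code from the talk or from the MAGIC tool: predicates are Python callables over a store, and satisfiability is decided by brute force over a small bounded integer domain (an assumption that stands in for the theorem prover the thesis uses, and is only sound for that domain). The fragment `x = x + 1; if (x != 0) ...` and the predicate set `{x = 0, y = 0}` are constructed for the example.

```python
"""Predicate abstraction of a small C fragment (added example, not MAGIC code).

Valuations are frozensets of the predicate names that hold (a minterm over
Pred); compatibility v ~ e means v ∧ e is satisfiable, decided here by
enumerating stores over a bounded domain instead of calling a prover.
"""
from itertools import product

DOMAIN = range(-2, 3)          # constructed bounded domain for x and y
VARS = ("x", "y")

# Pred = {x = 0, y = 0}, as on the Valuation slide
PRED = {
    "x=0": lambda st: st["x"] == 0,
    "y=0": lambda st: st["y"] == 0,
}

def stores():
    """Every concrete store over the bounded domain."""
    for vals in product(DOMAIN, repeat=len(VARS)):
        yield dict(zip(VARS, vals))

def valuation_of(store):
    """The unique minterm (subset of Pred) that a concrete store satisfies."""
    return frozenset(p for p, f in PRED.items() if f(store))

def all_valuations():
    """2^Pred: every subset of Pred, whether or not it is satisfiable."""
    names = list(PRED)
    return [frozenset(n for n, keep in zip(names, bits) if keep)
            for bits in product((False, True), repeat=len(names))]

def satisfies(store, v):
    """store ⊨ v: the store lies in the minterm v."""
    return valuation_of(store) == v

def compatible(v, cond):
    """v ∧ cond satisfiable: some store satisfies both (brute force)."""
    return any(satisfies(st, v) and cond(st) for st in stores())

# Constructed CFG:  location 1: x = x + 1;  location 2: if (x != 0) goto 3 else goto 4
def assign(store):
    """σ(stmt): the store after executing the assignment at location 1."""
    new = dict(store)
    new["x"] = store["x"] + 1
    return new

def abstract_post_assign(v):
    """Successors of (1, v): every v' such that v ∧ WP(x = x + 1, v') is
    satisfiable. WP is evaluated by running the assignment on each store of v."""
    return {valuation_of(assign(st)) for st in stores() if satisfies(st, v)}

def abstract_post_branch(v, cond):
    """Successor of (2, v) along the edge guarded by cond: v itself, provided
    v ∧ cond is satisfiable (the valuation is unchanged by a branch)."""
    return {v} if compatible(v, cond) else set()

def abstract_transitions():
    """The τ-transitions of the abstract LKS over locations 1..4."""
    T = set()
    then_cond = lambda st: st["x"] != 0
    else_cond = lambda st: st["x"] == 0
    for v in all_valuations():
        for v2 in abstract_post_assign(v):
            T.add(((1, v), "tau", (2, v2)))
        for v2 in abstract_post_branch(v, then_cond):
            T.add(((2, v), "tau", (3, v2)))
        for v2 in abstract_post_branch(v, else_cond):
            T.add(((2, v), "tau", (4, v2)))
    return T
```

From the valuation `{x=0}` the assignment can only reach `{}` (x becomes 1), whereas from `{}` it reaches both `{}` and `{x=0}` because some store with x ≠ 0 has x = −1; this is exactly the over-approximation that the later counterexample-validation step must detect when it is spurious.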
Simulation
- $M_1 = (Q_1, I_1, \Sigma, T_1, AP, L_1)$
- $M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$
- $R \subseteq Q_1 \times Q_2$ is a simulation relation if $s_1 \, R \, s_2 \Rightarrow$
  - $L_1(s_1) = L_2(s_2)$
  - $\forall (s_1, \alpha, s_1') \in T_1 \,.\, \exists s_2' \,.\, (s_2, \alpha, s_2') \in T_2 \wedge s_1' \, R \, s_2'$
- $M_1 \preceq M_2$ iff $\exists R \subseteq Q_1 \times Q_2$ simulation relation $\,.\, \forall s_1 \in I_1 \,.\, \exists s_2 \in I_2 \,.\, s_1 \, R \, s_2$
Satisfaction
- $\sigma(e)$: evaluation of $e$ under $\sigma$
- $\sigma \models e$ iff $\sigma(e) \neq 0$
- $\sigma(stmt)$: new store after executing statement $stmt$ in store $\sigma$
$M_C \preceq \hat{M}_C$
- $\sigma(e)$: evaluation of $e$ under $\sigma$
- $\sigma \models e$ iff $\sigma(e) \neq 0$
- Define relation $R \subseteq Q_C \times \hat{Q}_C$
  - $(s, m) \, R \, (s, v) \iff m \models v$
- $R$ is a simulation relation
- $\forall s \in I_C \,.\, \exists \hat{s} \in \hat{I}_C \,.\, s \, R \, \hat{s}$
Parallel Composition
- $M_1 = (Q_1, I_1, \Sigma_1, T_1, AP_1, L_1)$
- $M_2 = (Q_2, I_2, \Sigma_2, T_2, AP_2, L_2)$
- $M_1 \parallel M_2 = (Q_1 \times Q_2,\ I_1 \times I_2,\ \Sigma_1 \cup \Sigma_2,\ T,\ AP_1 \cup AP_2,\ L)$
- $L(s_1, s_2) = L_1(s_1) \cup L_2(s_2)$
- $((s_1, s_2), \alpha, (s_1', s_2')) \in T$ iff for $i \in \{1, 2\}$
  - $\alpha \in \Sigma_i \wedge (s_i, \alpha, s_i') \in T_i$, or
  - $\alpha \notin \Sigma_i \wedge s_i' = s_i$
Program Semantics
- $P = \langle C_1, C_2 \rangle$
- $M_P = M_{C_1} \parallel M_{C_2}$
- $\hat{M}_P = \hat{M}_{C_1} \parallel \hat{M}_{C_2}$
- Abstraction is done modularly
(figure: three $\preceq$ relations, one per component and one for the composed program)
Verification
- Specification is an LKS $Spec$
- Given $P$ and $Spec$, check if $P \preceq Spec$
- Construct $\hat{P}$
- Check if $\hat{P} \preceq Spec$
- $P \preceq \hat{P} \wedge \hat{P} \preceq Spec \Rightarrow P \preceq Spec$
- Otherwise ...
Counterexample
- $\neg(\hat{P} \preceq Spec) \Rightarrow$
  - $\exists CE \,.\, CE \preceq \hat{P} \wedge \neg(CE \preceq Spec)$
- $CE$ has a tree structure
- Look at Chapter 5 for the procedure to check $\hat{P} \preceq Spec$ and construct $CE$ if necessary
Counterexample Validation
- Check if $CE \preceq P$
- $\neg(CE \preceq Spec) \wedge CE \preceq P$
  - $\Rightarrow \neg(P \preceq Spec)$
- Real
- $P = C_1 \parallel C_2$
Problems
(figure: Infinite States, Statespace Explosion, Symbolic Representation, Compositional Reasoning)
LKS Projection
(figure: an LKS $M$ over $AP = \{p, q, r, s\}$ and its projection $M \upharpoonright \Sigma', AP'$ onto a sub-alphabet $\Sigma'$ and a subset $AP'$ of propositions, with transitions outside $\Sigma'$ relabeled $\tau$)
- $M' = (\cdot, \Sigma', AP', \cdot) \Rightarrow M \upharpoonright M' = M \upharpoonright \Sigma', AP'$
Weak Simulation
- $M_1 = (Q_1, I_1, \Sigma \cup \{\tau\}, T_1, AP, L_1)$
- $M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$
- $R \subseteq Q_1 \times Q_2$ is a weak simulation relation if $s_1 \, R \, s_2 \Rightarrow$
  - $L_1(s_1) = L_2(s_2)$
  - $\forall (s_1, \alpha, s_1') \in T_1 \,.\, \exists s_2' \,.\, (s_2, \alpha, s_2') \in T_2 \wedge s_1' \, R \, s_2'$
  - $\forall (s_1, \tau, s_1') \in T_1 \,.\, s_1' \, R \, s_2$
- $M_1 \lesssim M_2$ iff $\exists R \subseteq Q_1 \times Q_2$ weak simulation relation $\,.\, \forall s_1 \in I_1 \,.\, \exists s_2 \in I_2 \,.\, s_1 \, R \, s_2$
Compositional Validation
- $CE \preceq P \iff CE \upharpoonright C_1 \lesssim C_1 \wedge CE \upharpoonright C_2 \lesssim C_2$
- Written with projections $CE \upharpoonright_1$ and $CE \upharpoonright_2$: $CE \upharpoonright_1 \lesssim C_1 \wedge CE \upharpoonright_2 \lesssim C_2$
Symbolic Representation
- $M_C = (Q, I, \Sigma, T, AP, L)$
- There exists a class $\mathcal{R} \subseteq 2^Q$
- Each $r \in \mathcal{R}$ has a finite representation
- $Q \in \mathcal{R}$
- $\mathcal{R}$ closed under intersection and pre-image
- Given $r \in \mathcal{R}$, can check if $r$
$CE \upharpoonright_1 \lesssim \hat{C}_1$
(figure, three animation steps: the projected counterexample $CE \upharpoonright_1$ with actions $\alpha$, $\beta$, $\gamma$, $\delta$ and $\tau$ is checked against $\hat{C}_1$ symbolically; the state sets $Q$, $b(Q)$, $d(Q)$ and $Q \cup d(Q)$ and their $\tau$-closures are propagated along the tree)
Abstraction Refinement
- Check if $CE \preceq P$
- $CE \preceq P \Rightarrow$ Real
- Update the set $Pred$ such that for the new $\hat{P}$ we have $\neg(CE \preceq \hat{P})$
  - Chapter 6
- Minimize number of predicates to be added
  - Chapter 7
Case Study: SSL Handshake
- Verify that OpenSSL correctly implements the SSL handshake
- Server and client code
  - Each about 2500 LOC
  - 400 LOC after abstracting away library routine calls
- Analyzed client and server separately and together
SSL Results

NAME       LINES OF CODE  NO. OF ITER  AVG. MODEL SIZE  AVG. MODEL TIME (SEC)  SPEC SIZE (ST/TR)  AVG. HORN VAR NUM  AVG. HORN CLAUSE NUM  VERIF TIME  TOTAL TIME (SEC)  MEMORY (MB)
SERVER     2483           64           8984             40.2                   32 / 67            287472             352150                1636        8639              743
CLIENT     2484           71           6747             28.7                   29 / 60            195635             238296                1217        7437              185
SRVR-CLNT  4967           175          77474            3.3                    6 / 5              387375             1386980               13786       21134             1105
Thoughts
- Predicate abstraction alone inadequate for concurrent systems
- States from different control locations are always kept distinct
  - They might be merged
- How do we combine other kinds of abstractions with predicate abstraction?
Iterative Refinement / IR Model Checking / Verification IR
(figure, three animation steps: the refinement loop; labels: Counterexample Valid?, No)
Existential Abstraction
- $M = (Q, I, \Sigma, T, AP, L)$
- Equivalence $R \subseteq Q \times Q$
- Compatible with propositional labeling
  - $s \, R \, s' \Rightarrow L(s) = L(s')$
- $[s]$: equivalence class of $s$
- Induces a quotient LKS $M_R$
Quotient LKS
- $M = (Q, I, \Sigma, T, AP, L)$, $R \subseteq Q \times Q$
- $M_R = (Q_R, I_R, \Sigma, T_R, AP, L_R)$
- $Q_R = \{[s] \mid s \in Q\}$
- $I_R = \{[s] \mid s \in I\}$
- $([s], \alpha, [s']) \in T_R \iff (s, \alpha, s') \in T$
- $L_R([s]) = L(s)$
- $R$ compatible with $L \Rightarrow L_R$ well-defined
Example
- Theorem: $M \preceq M_R$
- Proof: $\{(s, [s])\}$ is a simulation relation
(figure: an LKS $M$ with states 1 to 7, actions $a$ to $e$ and labels $p$, $q$, next to its quotient $M_R$)
Verification
- Given $P = C_1 \parallel C_2$ and $Spec$
- Use equivalence relations $R_1$ and $R_2$
- Initially $R_1$ and $R_2$ are maximal
- Construct $P_{R_1 R_2} = C_{1,R_1} \parallel C_{2,R_2}$
- $P \preceq P_{R_1 R_2}$
- Check if $P_{R_1 R_2} \preceq Spec$
- $P \preceq P_{R_1 R_2} \wedge P_{R_1 R_2} \preceq Spec \Rightarrow P \preceq Spec$
- Otherwise ...
Counterexample Validation
- $\neg(P_{R_1 R_2} \preceq Spec) \Rightarrow$
  - $\exists CE \,.\, CE \preceq P_{R_1 R_2} \wedge \neg(CE \preceq Spec)$
- $CE$ has a tree structure
- Check if $CE \preceq P = C_1 \parallel C_2$
  - Same as $CE \upharpoonright_1 \lesssim C_1 \wedge CE \upharpoonright_2 \lesssim C_2$
- $\neg(CE \preceq Spec) \wedge CE \preceq P$
  - $\Rightarrow \neg(P \preceq Spec)$
Refinement
- Suppose $\neg(CE \upharpoonright_1 \lesssim C_1)$
- We know $CE \preceq P_{R_1 R_2} = C_{1,R_1} \parallel C_{2,R_2}$
- Hence $CE \upharpoonright_1 \lesssim C_{1,R_1}$
- By transitivity $\neg(C_{1,R_1} \lesssim C_1)$
- Can split some equivalence class of $R_1$
Splitting $R$
(figure, two animation steps: $CE \upharpoonright_1$ with actions $\beta$, $\gamma$ against $C_{1,R_1}$; the class whose abstract edge has no concrete counterpart is split)
- Repeated splitting $\Rightarrow$ $C_R$ converges to the bisimulation quotient of $C$
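The existential abstraction of slides 52 and 53 (quotient LKS under an equivalence compatible with the labeling, with $\{(s,[s])\}$ as the simulation witness) and the class splitting of slides 57 to 59, implemented as a partition-refinement loop that runs until no class can be split. This is an added example and not code from the talk or from MAGIC; the five-state LKS, its action names and the choice to represent an equivalence $R$ by its partition are constructed for the example.

```python
"""Quotient LKS and class splitting (added example, not MAGIC code).

An equivalence R is stored as a partition: a set of frozensets of states.
Transitions are (s, a, s') triples and labels are frozensets of propositions.
"""

# Constructed sample LKS M = (Q, I, Sigma, T, AP, L).
Q = {"s0", "s1", "s2", "s3", "s4"}
I = {"s0"}
T = {("s0", "a", "s1"), ("s0", "a", "s2"), ("s1", "b", "s3"), ("s2", "c", "s4")}
L = {"s0": frozenset({"p"}), "s1": frozenset(), "s2": frozenset(),
     "s3": frozenset({"q"}), "s4": frozenset({"q"})}


def maximal_partition(states, label):
    """Coarsest R compatible with L: states are equivalent iff labels agree."""
    classes = {}
    for s in states:
        classes.setdefault(label[s], set()).add(s)
    return {frozenset(c) for c in classes.values()}


def class_map(partition):
    """s ↦ [s]."""
    return {s: c for c in partition for s in c}


def quotient(states, init, trans, label, partition):
    """M_R = (Q_R, I_R, Sigma, T_R, AP, L_R) for the equivalence R given as a partition."""
    cls = class_map(partition)
    for c in partition:
        assert len({label[s] for s in c}) == 1, "R not compatible with L"
    q_states = set(partition)
    q_init = {cls[s] for s in init}
    q_trans = {(cls[s], a, cls[t]) for (s, a, t) in trans}
    q_label = {c: label[next(iter(c))] for c in partition}
    return q_states, q_init, q_trans, q_label


def witnesses_simulation(trans, q_trans, partition):
    """{(s, [s])} is a simulation: every s -a-> t has a matching [s] -a-> [t]."""
    cls = class_map(partition)
    return all((cls[s], a, cls[t]) in q_trans for (s, a, t) in trans)


def split_once(partition, trans):
    """One refinement step: find a class B, an action a and a class C such that
    only some states of B have an a-successor in C (the abstract edge B -a-> C
    is spurious for the rest) and split B into those two parts.
    Returns the refined partition, or None if no class can be split."""
    actions = {a for (_, a, _) in trans}
    for B in partition:
        for a in actions:
            for C in partition:
                has = frozenset(s for s in B if any((s, a, t) in trans for t in C))
                if has and has != B:
                    return (partition - {B}) | {has, B - has}
    return None


def refine(partition, trans):
    """Repeated splitting until stable: the bisimulation quotient of M."""
    while True:
        nxt = split_once(partition, trans)
        if nxt is None:
            return partition
        partition = nxt
```

Starting from the maximal partition `{{s0}, {s1, s2}, {s3, s4}}` the quotient has an edge `[s1,s2] -c-> [s3,s4]` that `s1` cannot match, so `refine` splits `{s1, s2}` and then stops: `s3` and `s4` stay merged because both are deadlocked with the same label, which is the bisimulation quotient.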
Two Level IR
(figure, six animation steps: components $C_1$ to $C_4$ checked against $Spec$ under $\preceq$; Predicate Abstraction yields $\hat{C}_1$ to $\hat{C}_4$; Existential Abstraction yields $A_1$ to $A_4$; Existential Refinement splits the $A_i$ in turn, and a predicate-level refinement of $C_2$ is triggered when existential refinement no longer suffices)
Results

            One Level               Two Level              Gain
Test Name   S1      M1    T1        S2     M2   T2         T1/T2  M1/M2
SSL-1       157266  1023  886       15840  122  1081       0.82   8.39
SSL-2       201940  1070  1645      6072   64   500        3.29   16.72
SSL-3       203728  1003  1069      20172  130  1805       0.59   7.72
SSL-4       201940  640   1184      7808   69   482        2.46   9.28
SSL-5       184060  780   1355      6240   64   407        3.33   12.19
SSL-6       158898  426   695       2310   56   219        3.17   7.61
SSL-7       103566  250   447       7743   74   472        0.95   3.38
SSL-8       161580  945   1071      4617   64   387        2.77   14.77
SSL-9       214989  1475  1515      13800  106  716        2.12   13.92
SSL-10      118353  663   628       3024   60   402        1.56   11.05
SSL-11      204708  1131  794       8820   79   446        1.78   14.32
SSL-12      121170  373   303       2079   56   204        1.49   6.66
SSL-13      152796  361   579       3780   60   349        1.66   6.02
Summary
- Compositional IR for concurrent programs
  - Message-passing communication
  - Simulation conformance
- Combine predicate abstraction and existential abstraction in a two-level compositional IR algorithm
- Experimental validation
Thank you!
- Edmund Clarke
  - Exemplary advisor
- Alex Groce, Somesh Jha, Helmut Veith
  - The original magicians
- Tom Ball, Sriram Rajamani, Jakob Rehof
  - Superb summer job mentors
- Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav
  - Awesome guides
- Randal Bryant, David Garlan
  - Excellent thesis committee members
Questions?