Slide 1
Automatically Validating Temporal Safety Properties of Interfaces - Overview of SLAM
Parts of the slides are from http://research.microsoft.com/slam/presentations/spin2001.ppt
Slide 2
Checking API Usage

  Application
      |  API
  C lib | DLL | COM | …

Does an application follow the “proper usage” rules of an API?
Slide 3
Temporal safety properties
• Something “bad” does not happen
  – E.g. a lock is never released without first being acquired

Property automaton (L = lock acquired, U = lock released):
  Unlocked --L--> Locked
  Locked   --U--> Unlocked
  Unlocked --U--> Error
  Locked   --L--> Error
Slide 4
Big picture of SLAM process

  C program + Spec.                     --SLIC-->    Instrumented C program
  Instrumented C program + predicates   --c2bp-->    Boolean program
  Boolean program                       --bebop-->   Pass  |  Fail, p
  Fail, p                               --newton-->  Error  |  new predicates (fed back to c2bp)
Slide 5
SLIC spec for Spinlock

enum { Unlocked=0, Locked=1 } state = Unlocked;

KeAcquireSpinLock.call {
    if (state==Locked) abort;
    else state = Locked;
}
KeReleaseSpinLock.call {
    if (state==Unlocked) abort;
    else state = Unlocked;
}

Property automaton (L = acquire, U = release):
  Unlocked --L--> Locked,  Locked --U--> Unlocked,  Unlocked --U--> Error,  Locked --L--> Error
Slide 6
Target program to validate

do {
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock(&devExt->writeListLock);

Question: Is the locking protocol respected?
Slide 7
Safety to Reachability

  Program P + SLIC spec S  --SLIC-->  Instrumented Program P’

  Program P satisfies specification S
      iff
  Label ERROR is not reachable in P’
Slide 8
Instrumented Program

do {
    KeAcquireSpinLock_call();
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;
    request = devExt->WriteListHeadVa;
    if (request && request->status) {
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);
KeReleaseSpinLock_call();
KeReleaseSpinLock(&devExt->writeListLock);

/* Monitor generated by SLIC from the spec; a C label needs a statement after it. */
enum { Unlocked=0, Locked } state = Unlocked;

void slic_abort() {
    ERROR: ;
}
void KeAcquireSpinLock_call() {
    if (state==Locked) slic_abort();
    else state = Locked;
}
void KeReleaseSpinLock_call() {
    if (state==Unlocked) slic_abort();
    else state = Unlocked;
}

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Slide 9
Big picture of SLAM process (diagram repeated from slide 4)
Slide 10
Predicate abstraction by C2BP

  Instrumented program P’ + Initial predicates E0  --C2BP-->  Boolean program BP(P’,E0)

  E0 = { state==Locked, state==Unlocked }
Slide 11
Initial boolean Program

do {
    KeAcquireSpinLock_call();
    skip; skip; skip;
    if (*) {
        skip;
        KeReleaseSpinLock_call();
        skip; skip;
        if (*) { skip; skip; } else { skip; skip; }
        skip; skip; skip;
    }
} while (*);
KeReleaseSpinLock_call();
skip;

decl {state==Locked},{state==Unlocked} := F,T;

void slic_abort() { ERROR: }
void KeAcquireSpinLock_call () {
    if ({state==Locked}) slic_abort();
    else {state==Locked},{state==Unlocked} := T,F;
}
void KeReleaseSpinLock_call () {
    if ({state==Unlocked}) slic_abort();
    else {state==Locked},{state==Unlocked} := F,T;
}

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Slide 12
Model-check by BEBOP

BEBOP runs over the initial boolean program of slide 11 and annotates its program points with the reachable abstract states (∧ = and, ¬ = not):
  {state==Unlocked} ∧ ¬{state==Locked}     (the initial state from the decl)
  ¬{state==Unlocked} ∧ {state==Locked}     (after the assignment in KeAcquireSpinLock_call())
  reached ERROR label
Slide 13
The execution path to blame!

do {
    KeAcquireSpinLock_call();
    KeAcquireSpinLock(&devExt->writeListLock);
    nPacketsOld = nPackets;                        // s1
    request = devExt->WriteListHeadVa;             // s2
    if (request && request->status) {              // s3
        devExt->WriteListHeadVa = request->Next;
        KeReleaseSpinLock_call();
        KeReleaseSpinLock(&devExt->writeListLock);
        irp = request->irp;
        if (request->status > 0) {
            irp->IoStatus.Status = STATUS_SUCCESS;
            irp->IoStatus.Information = request->Status;
        } else {
            irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
            irp->IoStatus.Information = request->Status;
        }
        SmartDevFreeBlock(request);
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        nPackets++;
    }
} while (nPackets != nPacketsOld);                 // s4
KeReleaseSpinLock_call();
KeReleaseSpinLock(&devExt->writeListLock);

enum { Unlocked=0, Locked } state = Unlocked;

void slic_abort() {
    ERROR: ;                                       // s6
}
void KeAcquireSpinLock_call() {
    if (state==Locked) slic_abort();               // s5
    else state = Locked;                           // s0
}
void KeReleaseSpinLock_call() {
    if (state==Unlocked) slic_abort();
    else state = Unlocked;
}

The path (the branch conditions become assume statements):
  s0: state = Locked;
  s1: nPacketsOld = nPackets;
  s2: request = devExt->WriteListHeadVa;
  s3: assume(!request);
  s4: assume(nPackets != nPacketsOld);
  s5: assume(state==Locked);
  s6: ERROR:
Slide 14
Time for NEWTON

Path to check:
  s0: state = Locked;
  s1: nPacketsOld = nPackets;
  s2: request = devExt->WriteListHeadVa;
  s3: assume(!request);
  s4: assume(nPackets != nPacketsOld);
  s5: assume(state==Locked);
  s6: ERROR:

NEWTON's symbolic store for the path (a blank Value is an unconstrained symbolic value; Dependencies refer to the numbered locations):
  Location               Value     Dependencies
  0. state               Locked    ()
  1. nPackets                      ()
  2. nPacketsOld                   1
  3. devExt                        ()
  4. ->WriteListHeadVa             3
  5. request                       3, 4

  Conditions                       Dependencies
  !( )                             5
  ( != )                           1, 2

New predicate! nPackets==nPacketsOld
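A toy of NEWTON's feasibility check on the path above, added here as an example and not NEWTON's or SLAM's own code: it walks the path with a symbolic store, stands in for the decision procedures with the syntactic-equality test this path needs, and reports the blocking condition together with the predicate to add. The PATH encoding and the names is_const, value and symbolic_execute are this example's own.

```python
from typing import Optional

# The path BEBOP blamed (s0..s5 from the slides; s6 is the ERROR label itself),
# written as ("assign", lhs, rhs) and ("assume", (op, operand, ...)) tuples.
PATH = [
    ("assign", "state", "Locked"),                        # s0
    ("assign", "nPacketsOld", "nPackets"),                # s1
    ("assign", "request", "devExt->WriteListHeadVa"),     # s2
    ("assume", ("!", "request")),                         # s3
    ("assume", ("!=", "nPackets", "nPacketsOld")),        # s4
    ("assume", ("==", "state", "Locked")),                # s5
]

def is_const(expr: str) -> bool:
    """Constants (Locked, STATUS_SUCCESS, ...) start with a capital letter here."""
    return expr[0].isupper()

def value(store: dict, expr: str) -> str:
    """Symbolic value of an expression: a constant is itself; a variable reads
    the store, and one never assigned on the path becomes a fresh symbol that
    stands for its value at path entry (the blank Value cells on slide 14)."""
    if is_const(expr):
        return expr
    return store.setdefault(expr, expr + "@entry")

def symbolic_execute(path) -> Optional[tuple]:
    """Execute the path; return (index of the first infeasible assume, predicate
    that refutes it) or None when every assume is consistent with the store,
    i.e. the path is feasible and the ERROR is genuine."""
    store = {}
    for i, stmt in enumerate(path):
        if stmt[0] == "assign":
            store[stmt[1]] = value(store, stmt[2])
            continue
        op, *args = stmt[1]
        if op == "!":                 # assume(!x) with x a fresh symbol: feasible
            continue
        lhs, rhs = value(store, args[0]), value(store, args[1])
        if op == "!=" and lhs == rhs:
            # Both sides carry the same symbolic value, so this branch cannot be
            # taken; the weakest condition refuting it is their equality.
            return i, f"{args[0]}=={args[1]}"
        if op == "==" and lhs != rhs and is_const(lhs) and is_const(rhs):
            return i, f"{args[0]}!={args[1]}"   # two different constants
    return None
```

Only the statement forms that occur on this path are handled; a real NEWTON hands the accumulated conditions to Simplify or Vampyre.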
Slide 15
Big picture of SLAM process (diagram repeated from slide 4)
Slide 16
The second boolean Program

do {
    KeAcquireSpinLock_call();
    skip;
    b := T;                         // nPacketsOld = nPackets;
    skip;
    if (*) {
        skip;
        KeReleaseSpinLock_call();
        skip; skip;
        if (*) { skip; skip; } else { skip; skip; }
        skip; skip;
        b := b ? F : *;             // nPackets++;
    }
} while (!b);                       // while (nPackets != nPacketsOld);
KeReleaseSpinLock_call();
skip;

Variable b represents (nPackets==nPacketsOld)

decl {state==Locked},{state==Unlocked} := F,T;

void slic_abort() { ERROR: }
void KeAcquireSpinLock_call () {
    if ({state==Locked}) slic_abort();
    else {state==Locked},{state==Unlocked} := T,F;
}
void KeReleaseSpinLock_call () {
    if ({state==Unlocked}) slic_abort();
    else {state==Locked},{state==Unlocked} := F,T;
}

Question: Is the locking protocol respected?
Equivalently: Is label ERROR reachable?
Slide 17
Model-check again by BEBOP

BEBOP runs over the second boolean program of slide 16. Its annotations on the program points:
  b: *, T, T, T, F  (at successive points, * before b is assigned)
  {state==Unlocked} ∧ ¬{state==Locked}
  ¬{state==Unlocked} ∧ {state==Locked}
  reached ERROR label
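An explicit-state version of the check BEBOP performs on the two boolean programs (slides 11/12 and 16/17), added here as an example and not BEBOP's or SLAM's own code: the loop is hand-encoded as a successor function over abstract states and a breadth-first search either returns a path to ERROR or exhausts the state space. Without the predicate b it finds the spurious path of slide 13; with b tracked it finishes without reaching ERROR, which is the Pass verdict. The pc names and the functions successors/error_path are this example's own.

```python
from collections import deque

# Abstract state = (pc, locked, b): locked is the SLIC predicate {state==Locked}
# ({state==Unlocked} is its negation); b is the NEWTON-added predicate
# {nPackets==nPacketsOld}, kept as None when the abstraction does not track it,
# so every use of it is the nondeterministic '*'.  pc names are constructed.
def successors(pc, locked, b, track_b):
    """One step of the boolean program from the given abstract state."""
    if pc == "loop_head":                     # KeAcquireSpinLock_call(); b := T
        if locked:
            return [("ERROR", locked, b)]
        return [("body", True, True if track_b else None)]
    if pc == "body":                          # if (*) { ... } : both branches
        return [("release_in_body", locked, b), ("loop_test", locked, b)]
    if pc == "release_in_body":               # KeReleaseSpinLock_call(); nPackets++
        if not locked:
            return [("ERROR", locked, b)]
        if not track_b:
            next_b = [None]
        else:
            next_b = [False] if b else [True, False]   # b := b ? F : *
        return [("loop_test", False, nb) for nb in next_b]
    if pc == "loop_test":                     # while (!b)   /   while (*)
        if not track_b:
            return [("loop_head", locked, b), ("after_loop", locked, b)]
        return [("after_loop", locked, b)] if b else [("loop_head", locked, b)]
    if pc == "after_loop":                    # final KeReleaseSpinLock_call()
        return [("ERROR", locked, b)] if not locked else [("end", False, b)]
    return []                                 # ERROR and end are terminal

def error_path(track_b):
    """Breadth-first reachability over abstract states, as BEBOP decides it:
    returns the pc sequence of a path to ERROR, or None when ERROR is
    unreachable (the Pass verdict)."""
    init = ("loop_head", False, None)         # state = Unlocked on entry
    parent, work = {init: None}, deque([init])
    while work:
        s = work.popleft()
        if s[0] == "ERROR":
            path = []
            while s is not None:              # walk parent links back to init
                path.append(s[0])
                s = parent[s]
            return path[::-1]
        for t in successors(*s, track_b):
            if t not in parent:
                parent[t] = s
                work.append(t)
    return None
```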
Slide 18
Big picture of SLAM process (diagram repeated from slide 4)
Slide 19
C2BP
• Automatic predicate abstraction of C
• What is the predicate language?
  – Pure C boolean expressions
• Input: a C program P and set of predicates E
• Output: a boolean program C2BP(P,E) that is
  – a sound abstraction of P
  – a precise abstraction of P
• Difficulties
  – procedures
  – pointers
Slide 20
BEBOP
• Reachability analysis of boolean programs
• Symbolic version of [Reps-Horwitz-Sagiv, POPL’95] interprocedural data flow analysis
• Explicit representation of control flow
• Implicit representation of reachable states via BDDs
Slide 21
NEWTON
• Symbolically executes an (interprocedural) path in the C program
• Checks for path infeasibility using decision procedures (theorem provers: Simplify, Vampyre)
• If infeasibility is detected
  – Finds the weak(est) condition implying the infeasibility
  – Obtains new predicates
Slide 22
Contributions
• Use of boolean programs for program abstractions
• C2BP : the first automatic predicate abstraction tool for a full-scale language
• BEBOP : the first model checker to handle procedure calls using inter-procedural DFA
• Global analysis only on the boolean program abstractions : scalable…?
Slide 23
Defects
• Defects of SLAM
  – Uses a logical memory model
    • Assumes for all i,j : p[i] = p[j]
  – No guarantee on the termination of iterative refinement
• Defects of the paper
  – No experimental results (describes their experiences only)