![Page 1: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/1.jpg)
1
E. YahavSchool of Computer Science
Tel-Aviv University
Verifying Safety Propertiesusing Separation
and Heterogeneous Abstractions
G. RamalingamIBM T.J. Watson Research Center
![Page 2: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/2.jpg)
2
Lightweight Specification"correct usage" rules a client must follow
"call open() before read()"
Certificationdoes the client program satisfy the lightweight specification?
Verification of Safety Properties
Componenta library with cleanly encapsulated state
Clienta program that uses
the library
The Canvas Project (IBM Watson and Tel Aviv)(Component Annotation, Verification and
Stuff)
![Page 3: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/3.jpg)
3
Quick Overview:Fine Grained Heap Abstraction
HeapH
Precise ...... but often too expensive
![Page 4: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/4.jpg)
4
Quick Overview:Separation & Heterogeneous Abstraction
Fine-grainedabstraction
Coarseabstraction
![Page 5: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/5.jpg)
5
Separation: The Intuition
InputStream ins1 = new InputStream();InputStream ins2 = new InputStream();...
if (?) { ins1.close(); ...}if (?) { ins2.close(); ...}…
Problem: verify that InputStreamsare used correctly: not read after they are closed.Possible states:(1) ins1: open; ins2: open(2) ins1: open; ins2:
closed(3) ins1: closed; ins2: open(4) ins1: closed; ins2:
closed
![Page 6: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/6.jpg)
6
Separation: The Intuition
InputStream ins1 = new InputStream();InputStream ins2 = new InputStream();...
if (?) { ins1.close(); ...}if (?) { ins2.close(); ...}…
Sub-problems:(1)verify that ins1 is used
correctly(2)verify that ins2 is used
correctlyPossible states
(sub-problem 1)
(1)ins1: open
(2)ins1: closed
Possible states(sub-problem 2)(1)ins2: open (2)ins2: closed
![Page 7: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/7.jpg)
7
Separation: The Intuition
Basic idea of separation is not new independent attribute analysis vs. relational
analysis e.g. conventional (compiler) dataflow analyses e.g. ESP (PLDI 2002) exploits separation
![Page 8: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/8.jpg)
8
Our Contribution:Separation + Heap Analysis
Separation for heap analysis integrated with verification• Heterogeneous abstraction for heaps
Separation for first-order safety properties• Separation strategies
• More focused separation• individual object vs. allocation-site
![Page 9: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/9.jpg)
9
Heap (Pointer) Analysis
Dynamic object creation (heap allocation) is the primary source of unbounded program state
Creating a bounded representation of a potentially unbounded heap is a key aspect of program analysis by merging multiple objects into a “summary”
object e.g., merge all objects allocated at same
allocation site into one summary object
![Page 10: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/10.jpg)
10
A Common Approach to Pointer Analysis in Software Verification
Break verification problem into two phases Preprocessing phase – separate points-to analysis
• typically no distinction between objects allocated at same site
Verification phase – verification using points-to results
May lose precision May lose ability to perform strong updates May produce false alarms
Program
Property
Pointer Analysis
VerificationAnalysis
![Page 11: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/11.jpg)
11
Loss of Precision in Two-Phase Approach
f = new InputStream();
f.read();
f.close();
Verify f is not readafter it is closed
Straightforward ...
![Page 12: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/12.jpg)
12
Loss of Precision in Two-Phase Approach
while (?) {
f = new InputStream();
f.read();
f.close();
}
f1f closed
False alarm!“read may be erroneous”
![Page 13: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/13.jpg)
13
The TVLA Approach
TVLA is a flexible (parametric) system for abstract interpretation and verification1. parametric heap (i.e., pointer) analysis
user can specify criterion for merging heap-allocated objects
user can specify criterion for merging shape graphs
2. verification integrated with heap analysis heap analysis (merging criterion) can adapt to
verification
Program
Property
Frontend
First-OrderTransition Sys
AbstractInterpretation
![Page 14: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/14.jpg)
14
while (?) {
f = new InputStream();
f.read();
f.close();
}
The TVLA Approach: An Example
f
closedf
closedf closed
closedf closed closed
…
Concrete States
f
closedf
closedf
Abstract States
![Page 15: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/15.jpg)
15
Fine Grained Heap Abstraction
HeapH
Precise ...... but often too expensive
![Page 16: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/16.jpg)
16
Separation & Heterogeneous Abstraction
Fine-grainedabstraction
Coarseabstraction
![Page 17: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/17.jpg)
17
Outline of Our Approach
Decompose verification problem into a set of subproblems
Adapt abstraction to each subproblem
![Page 18: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/18.jpg)
18
Outline of Our Approach
Decompose verification problem into a set of subproblems• Analysis-user specifies a separation strategy
Adapt abstraction to each subproblem Heterogeneous abstraction
![Page 19: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/19.jpg)
19
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
![Page 20: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/20.jpg)
20
Separation Strategieschoose some i : InputStream()
site[1]
ins1
site[1]
ins2 ins3 ins4
site[1]
ins2
site[1]
ins1 ins3 ins4
site[1]
ins3
site[1]
ins1 ins2 ins4
site[1]
ins4
site[1]
ins1 ins2 ins3
Without separation
site[1]
ins1
site[1]
ins2
site[1]
ins3
site[1]
ins4 ins1
site[1]
ins2 ins3 ins4
Abstraction 1 (expensive) Abstraction 2 (imprecise)
Abstract state after creation of all four InputStream: (with separation)
![Page 21: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/21.jpg)
21
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
closedsite[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
site[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
…
…
site[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
closedsite[1]
ins1 ins
site[1]
ins2
site[1]
ins3
site[1]
ins4
…
closedsite[1]
ins1
closedsite[1]
ins2
closedsite[1]
ins3
site[1]
ins4ins
…
…
…
![Page 22: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/22.jpg)
22
Example – Input Streams
InputStream ins1 = getInputStream();InputStream ins2 = getInputStream();InputStream ins3 = getInputStream();InputStream ins4 = getInputStream();
InputStream ins = ins1;
if (?) { ins1.close(); ins = ins2;}if (?) { ins2.close(); ins = ins3;}if (?) { ins3.close(); ins = ins4;}int val = ins.read();…
closedsite[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
site[1]
ins2 ins3 ins4
site[1]
ins1 ins
closed = 1/2site[1]
ins2 ins3 ins4
closedsite[1]
ins1
closed=1/2site[1]
ins2 ins3 ins4ins
![Page 23: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/23.jpg)
23
First-Order Safety Properties
Involve multiple correlated objects e.g., JDBC
Problem can be decomposed into sub-problems in several different ways• Different separation granularity• Different efficiency, different precision
...ResultSet rs2 = stmt2.executeQuery(...);...ResultSet minRs2 = stmt2.executeQuery(...)...rs2.next();
![Page 24: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/24.jpg)
24
Example: JDBC SpecificationClass Connection { Set statements; …}class Statement { boolean closed; ResultSet myResultSet; Connection myConnection; Statement(Connection c) { closed = false; myConnection = c; myResultSet = null; } ResultSet executeQuery(String qry) { requires !closed; if (myResultSet != null) myResultSet.closed = true; myResultSet = new ResultSet(this); return myResultSet; } …}
class ResultSet { boolean closed; Statement ownerStmt; ResultSet(Statement s) { closed = false ; ownerStmt = s; } void close() { closed = true; } boolean next() { requires !closed; }}
![Page 25: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/25.jpg)
25
Single Choice Separationchoose some c : Connection()
choose all s : Statement(x) / x == c
choose all r : ResultSet(y) / y == s
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
![Page 26: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/26.jpg)
26
Multiple Choice Separationchoose some c : Connection()
choose some s : Statement(x) / x == c
choose some r : ResultSet(y) / y == s
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
con1 stmt1 rs1
stmt myRS
maxRs
own
own
con2 stmt2 minRs2
stmt myRS
maxRs2
own
ownown
rs2
+ 6more
![Page 27: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/27.jpg)
27
Strategy Implementation
separation strategy + program + property compiled into TVLA input using instrumentation predicates details in paper
![Page 28: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/28.jpg)
28
Prototype Implementation
Implemented over TVLAApplied to several example programs
Up to 5000 lines of JavaUsed to verify
Absence of concurrent modification exception (CME)
JDBC API conformance IOStreams API conformance
Improved performanceIn some cases improved precision
![Page 29: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/29.jpg)
29
![Page 30: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/30.jpg)
30
Analysis Times
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
ISPath
Inpu
tStre
am5
Inpu
tStre
am5b
inputS
tream
6
JDBC E
xample
JDBC E
xample
2db
Kerne
l Ben
chm
ark
1
SQLExe
cuto
r
Benchmark
Tim
e (
se
c)vanilla
single
singlesim
multi
incremental
![Page 31: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/31.jpg)
31
Other Issues
Objects chosen for verificationObjects relevant for verification (for chosen
object) Identified via reachability User hints via separation strategy
![Page 32: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/32.jpg)
32
Related Work
Demand-driven analysis hard for heap analysis
Program slicing an approach to demand-driven analysis simple slicing can be an effective optimization precise slicing (for heap) is hard
Client-driven pointer analysis (Guyer & Lin, SAS 2003)
Counter-example guided abstraction refinement
![Page 33: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/33.jpg)
33
Verification: Recent Work
ESC/Modula-3, ESC/Java (CC ’98, ...)MC (OSDI 2000, ...)Bandera (ICSE 2000, ...)SLAM (SPIN 2001, ...)Vault (PLDI 2001, ...)BLAST (POPL 2002, ...)ESP (PLDI 2002, ...)Foster, Terauchi and Aiken (PLDI 2002, ...) ... several others ...
![Page 34: Verifying Safety Properties using Separation and Heterogeneous Abstractions](https://reader036.vdocuments.mx/reader036/viewer/2022062803/5681462f550346895db33ee2/html5/thumbnails/34.jpg)
34
Some tasks are best done by machine,while others are best done by human insight;
and a properly designed system will find the right balance.
D. Knuth
The End
It is of highest importance ... to be able to recognizeout of a number of facts which are incidental
and which vital... Otherwise your energy and attentionmust be dissipated instead of being concentrated.
Arthur Conan Doyle