Title: Abstraction and Modular Reasoning for the Verification of Software
1Abstraction and Modular Reasoning for the
Verification of Software
- Corina Pasareanu
- NASA Ames Research Center
2Outline
- Bandera Project (Kansas Sate University)
- Tool Support for Program Abstraction and Abstract
Counter-example Analysis (joint work with the
Bandera team) - NASA Ames Projects
- Combining Symbolic Execution with (Explicit
State) Model Checking (joint work with Willem
Visser) - Assumption Generation for Component Verification
(joint work with Dimitra Giannakopoulou and
Howard Barringer)
3Outline
- Bandera Project (Kansas Sate University)
- Tool Support for Program Abstraction and Abstract
Counter-example Analysis - NASA Ames Projects
- Combining Symbolic Execution with (Explicit
State) Model Checking - Assumption Generation for Component Verification
4Finite-state Verification
5Finite-State Verification
- Effective for analyzing properties of hardware
systems - Widespread success and adoption in industry
- Recent years have seen many efforts to apply
those techniques to software - Limited success due to the enormous state spaces
associated with most software systems
6Abstraction the key to scaling up
7Goals of our work
8Data Type Abstraction
Collapses data domains via abstract
interpretation
Data domains
Code
int x 0 if (x 0) x x 1
9Abstraction in Bandera
Signs
Signs
Signs
bool
Abstraction Library
int
.
Point
Buffer
10Definition of Abstractions in BASL
operator add begin (NEG , NEG) -gt NEG
(NEG , ZERO) -gt NEG (ZERO, NEG) -gt
NEG (ZERO, ZERO) -gt ZERO (ZERO,
POS) -gt POS (POS , ZERO) -gt POS
(POS , POS) -gt POS (_,_) -gt
NEG,ZERO,POS / case (POS,NEG),(NEG,POS)
/ end
abstraction Signs abstracts int begin TOKENS
NEG, ZERO, POS abstract(n) begin
n lt 0 -gt NEG n 0 -gt
ZERO n gt 0 -gt POS end
11Compiling BASL Definitions
abstraction Signs abstracts int begin TOKENS
NEG, ZERO, POS abstract(n) begin
n lt 0 -gt NEG n 0 -gt
ZERO n gt 0 -gt POS end
operator add begin (NEG , NEG) -gt NEG
(NEG , ZERO) -gt NEG (ZERO, NEG) -gt
NEG (ZERO, ZERO) -gt ZERO (ZERO,
POS) -gt POS (POS , ZERO) -gt POS
(POS , POS) -gt POS (_,_)-gt NEG, ZERO,
POS / case (POS,NEG), (NEG,POS) / end
public class Signs public static final int
NEG 0 // mask 1 public static final int
ZERO 1 // mask 2 public static final int POS
2 // mask 4 public static int abs(int n)
if (n lt 0) return NEG if (n 0)
return ZERO if (n gt 0) return POS
public static int add(int arg1, int arg2)
if (arg1NEG arg2NEG) return NEG if
(arg1NEG arg2ZERO) return NEG if
(arg1ZERO arg2NEG) return NEG if
(arg1ZERO arg2ZERO) return ZERO if
(arg1ZERO arg2POS) return POS if
(arg1POS arg2ZERO) return POS if
(arg1POS arg2POS) return POS return
Bandera.choose(7) / case (POS,NEG),
(NEG,POS) /
12Abstract Counter-example Analysis
- For an abstracted program, a counter-example may
be infeasible because - Over-approximation introduced by abstraction
- Example
- x -2 if(x 2 0) then ...
- x NEG if(Signs.eq(Signs.add(x,POS),ZERO)) then
... - NEG,ZERO,POS
13Our Solutions
- Choice-bounded State Space Search
- on-the-fly, during model checking
- Abstract Counter-example Guided Concrete
Simulation - Exploit implementations of abstractions for Java
programs - Effective in practice
- Implemented in Java PathFinder tool
14Choose-free state space search
- Theorem SaidiSAS00
- Every path in the abstracted program where all
assignments are deterministic is a path in the
concrete program. - Bias the model checker
- to look only at paths that do not include
instructions that introduce non-determinism - JPF model checker modified
- to detect non-deterministic choice (i.e. calls to
Bandera.choose()) backtrack from those points
15Choice-bounded Search
choose()
X
X
16Counter-example guided simulation (?)
- Use abstract counter-example to guide simulation
of concrete program - Why it works
- Correspondence between concrete and abstracted
program - Unique initial concrete state (Java defines
default initial values for all data)
17Case Study DEOS Kernel (NASA Ames)
- Honeywell Dynamic Enforcement Operating System
(DEOS) - A real time operating system for integrated
modular avionics - Non-trivial concurrent program (1433 lines of
code, 20 classes, 6 threads) - Written in C, translated into Java and Promela
- With a known bug
- Verification of the system exhausted 4 Gigabytes
of memory without completion abstraction needed
- Abstracted using data type abstraction
- Checked using JPF and SPIN
- Defect detected using choice-bounded search
18Conclusion and Future Research Directions
- Tool support for abstraction enables verification
of real properties of real programs - Extend abstraction support for objects
- Heap abstractions to handle an unbounded number
of dynamically allocated objects - Handle recursive procedures, unbounded number of
processes - Extend automation
- For selection and refinement based on
counter-example analysis
19Outline
- Bandera Project (Kansas Sate University)
- Tool Support for Program Abstraction and Abstract
Counter-example Analysis - NASA Ames Projects
- Combining Symbolic Execution with (Explicit
State) Model Checking - Assumption Generation for Component Verification
20Java Path Finder (NASA Ames)
- Model checker for Java programs
- Built on top of a custom made Java Virtual
Machine - Checks for deadlock and violation of assertions
LTL properties - Support for abstraction
- Predicate abstraction
- Banderas data abstraction
- Heuristic search
21Symbolic Execution
Uses symbolic names to represent program inputs
Code
void test(int n) 1 if (n gt 0) 2 n
n 1 3 if (n lt 3) 4 ... 5
...
22Symbolic Execution and JPF Applications
- Extends JPF with a new form of abstraction
- Test case generation
- Abstract counter-example analysis and refinement
- Symbolic execution of multithreaded programs
- Parameter synthesis
23Implementation in JPF
- Easy
- Uses Banderas type abstraction
- Uses Omega library (Java version)
- Manipulates sets of linear constraints over
integer variables - Can be used as a symbolic execution tool with
backtracking - Good for finding counter-examples
- No state matching!
24(Possible) Implementation
Code
public class SymVal public SymVal() ...
public SymVal(int n) ... public
SymVal(SymVal s1, SymVal s2, String ops) ...
... public class SymOps public SymVal
add(SymVal s1, SymVal s2) return new
SymVal(s1,s2,) public bool gt(SymVal
s1, SymVal s2) bool result
Verify.chooseBool() if(result) //
true PC.addCondition(s1,s2,gt) else
// false PC.addCondition(s1,s2,lt)
PC.simplify() return result ...
void test(int n) if (n gt 0) n n 1
...
25Problem Convergence
Symbolic execution tree
Code
void test(int n) 1 int x 0 2
while(x lt n) 3 x x 1 4
26Problem Convergence
Solutions?
- Limit the search depth of MC
- Unwind loops a fixed number of times (similar to
Bounded MC?) - Discover simple and practical widening
techniques - Acceleration techniques
- Heuristics?
- Combine with predicate abstraction
27Relation to Bounded MC
- Extend BMC with symbolic variables?
- Widening for C programs?
28Outline
- Bandera Project (Kansas Sate University)
- Tool Support for Program Abstraction and Abstract
Counter-example Analysis - NASA Ames Projects
- Combining Symbolic Execution with (Explicit
State) Model Checking - Assumption Generation for Component Verification
29Assumption Generation for Component Verification
Environment
Property
? Environment Assumption ?
The weakest assumption A for component C for
all environments E, E A ? E C P
30Applications
- Support for modular verification
- Compositional verification
- Property decomposition
- Run-time monitoring of the environment
- Component retrieval
- Sub-module construction
31Implementation
- In Labeled Transition Systems Analyzer (LTSA)
tool - Imperial college - Supports compositional reachability analysis
based on software architecture - Incremental system design and verification
- Component abstraction (hiding of internal
actions) - Minimization wrt. observational equivalence
- Both components and properties expressed as
labeled transition systems
32Example A System and A Property
33Assumption Generation
- Step 1 composition, hiding of
- internal actions and
- minimization
34Composite System
E.release
E.enterCS
E.acquire
E.exitCS
E.release
E.exitCS
E.enterCS
E.release
E.enterCS
E.enterCS
t
E.enterCS E.exitCS
E.exitCS
35Backward Error Propagation (with t)
E.release
E.enterCS
E.acquire
E.exitCS
E.release
E.exitCS
E.enterCS
E.release
E.enterCS
E.enterCS
t
E.enterCS E.exitCS
E.exitCS
36Backward Error Propagation (with t)
E.release
E.enterCS
E.exitCS
E.release
E.enterCS
E.release
E.enterCS
E.enterCS E.exitCS
E.exitCS
37Property Extraction
E.acquire
E.enterCS
E.release
E.exitCS
E.enterCS E.release
E.enterCS E.exitCS
E.exitCS
38Generated Assumption
E.acquire, E.release E.enterCS, E.exitCS
E.release
E.acquire
E.acquire
E.acquire
E.enterCS
E.release
E.exitCS
39Directions for Future Work
- Liveness /fairness
- Extend to other frameworks
- LTL checking (since we are interested only in
error behaviors) - Is the sub-set construction needed?
- Study other forms of composition