A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.

Post on 19-Dec-2015



A … Framework for Verifying Concurrent C Programs

Sagar Chaki

Thesis Defense Talk

2

Motivation

[Figure: Requirements feed a Specification, which is validated; Code is validated; a Conformance Check relates Specification and Code. Setting: distributed programs communicating with message passing.]

3

Related Work

Model Checking: symbolic model checking (SMV, MURPHI, MOCHA); partial order reduction (SPIN, COSPAN)

Compositional reasoning: assume-guarantee

Abstraction: abstract interpretation, existential abstraction

Message-passing systems: CCS, π-Calculus; simulation, bisimulation, …

4

Iterative Refinement

[Figure: the iterative refinement loop. Abstraction turns the System into a Model; Verification checks the Model against Spec. Yes: System OK. No: a Counterexample, which is checked by "Counterexample Valid?". Yes: the counterexample is real. No: a Spurious Counterexample goes to Abstraction Refinement, which feeds Improved Abstraction Guidance back to Abstraction.]

5

Related Work

Iterative Refinement (Kurshan): hardware; Yuan Lu's Ph.D. thesis

SLAM (device drivers), BLAST (lazy abstraction, thread modular safety)

Concurrent software: SPIN, Behave!, ZING: own modeling language, no iterative refinement

Safety properties

6

Contributions

Compositional Iterative Refinement (IR) for concurrent message-passing programs, with simulation conformance

Combining predicate abstraction with existential abstraction

Predicate minimization

Compositional IR for liveness properties

Compositional IR for deadlock detection

7

Basic Concepts

Var : set of variables

Expr : expressions over Var

Store : set of stores, $\mathit{Var} \to \mathit{Addresses}$ and $\mathit{Addresses} \to \mathit{Values}$

AP : set of atomic propositions

Conc : $AP \to \mathit{Expr}$

8

Extended FSM

Transitions labeled with guarded commands

Guards are expressions

Commands are actions or assignments

[Figure: an EFSM whose transitions are labeled x == 0 ? x++, x != 0 ? and true ?]

9

Control Flow Graph

[Figure (two slides): the CFG of a Component with nodes 1 and 2 and the assignment x=x+y; the call lib() is replaced by EFSM(lib), whose transitions are x == 0 ? x++, x != 0 ? and true ?, giving the expanded control flow graph.]

11

Labeled Kripke Structure

$M = (Q, I, \_, T, AP, L)$

$Q$ ≡ non-empty set of states

$I \in Q$ ≡ initial state

$\_$ ≡ set of actions ≡ alphabet

$T \subseteq Q \times \_ \times Q$ ≡ transition relation

$AP \subseteq$ AP ≡ set of atomic propositions (a subset of all atomic propositions)

$L : Q \to 2^{AP}$ ≡ propositional labeling

[Figure: an LKS with six actions and $AP = \{p, q, r, s\}$, whose states are labeled p, q, r, {p, q} and {p, r}.]

12

Concurrent C Program

Set of components $P = \langle C_1, \ldots, C_n \rangle$

Each $C_i$ is a single C procedure, possibly calling library routines; library routines are specified via EFSMs

The semantics of C is an LKS; it depends on the library specifications

14

Concrete Semantics of C

Context = (Init, EFSM, $\_$, $\_$, AP)

$S_{CFG}$ ≡ states of the CFG

$I_{CFG}$ ≡ initial state of the CFG

$M_C = (Q, I, \_ \cup \_, T, AP, L)$

$Q = S_{CFG} \times \mathit{Store}$

$I = \{ (s, \_) \mid s = I_{CFG} \text{ and } \_ \models \mathit{Init} \}$

$L(s, \_) = \{ p \mid \_ \models \mathit{Conc}(p) \}$

17

Concrete Semantics

[Figure: the concrete LKS of the CFG (x=x+y, then x == 0 ? x++, x != 0 ?, true ?) with $p$ ≡ $x = 0$. Shown stores include (x=1, y=-3), which x=x+y takes to (x=-2, y=-3), and (x=5, y=-5), which x=x+y takes to (x=0, y=-5) and x == 0 ? x++ then to (x=1, y=-5); the state with x=0 is labeled p.]

18

Predicate Abstraction

$\mathit{Pred} \subseteq \mathit{Expr}$ : set of expressions (predicates) associated with each state of the CFG

$\mathit{Pred} \supseteq \{ \mathit{Conc}(p) \mid p \in AP \}$ : the predicate corresponding to every atomic proposition must be associated with each state of the CFG

In practice each CFG state has a different set of associated predicates

19

Valuation : Two Views

Valuation ≡ minterm over Pred; set of all valuations ≡ $2^{\mathit{Pred}}$

Pred = { x = 0, y = 0 }

Expression                    Subset of Pred
$x \neq 0 \wedge y \neq 0$    $\{\}$
$x = 0 \wedge y \neq 0$       $\{x = 0\}$
$x \neq 0 \wedge y = 0$       $\{y = 0\}$
$x = 0 \wedge y = 0$          $\{x = 0, y = 0\}$

21

Abstract Semantics of C

Context = (Init, EFSM, $\_$, $\_$, AP, Pred)

$S_{CFG}$ ≡ states of the CFG

$I_{CFG}$ ≡ initial state of the CFG

$M[C] = (Q, I, \_ \cup \_, T, AP, L)$

$Q = S_{CFG} \times 2^{\mathit{Pred}}$

$I = \{ (s, v) \mid s = I_{CFG} \text{ and } v \text{ satisfies } \mathit{Init} \}$

$L(s, v) = \{ p \mid \mathit{Conc}(p) \in v \}$

24

Abstract Semantics

[Figure: the abstract LKS of the same CFG with $p$ ≡ $x = 0$. Abstract states at nodes 1 and 2 carry valuations such as ($x \neq 0$, $y = 0$) and ($x = 0$, $y = 0$); the states whose valuation contains $x = 0$ are labeled p.]

25

Simulation

$M_1 = (Q_1, I_1, \_, T_1, AP, L_1)$, $M_2 = (Q_2, I_2, \_, T_2, AP, L_2)$

$R \subseteq Q_1 \times Q_2$ is a simulation relation if $s_1\,R\,s_2 \Rightarrow$

$L_1(s_1) = L_2(s_2)$

$\forall (s_1, \_, s'_1) \in T_1 \cdot \exists s'_2 \cdot (s_2, \_, s'_2) \in T_2 \wedge s'_1\,R\,s'_2$ (with the same action on both transitions)

$M_1 \preceq M_2$ ≡ $\exists R \subseteq Q_1 \times Q_2 \cdot \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\,R\,s_2$

27

$M_C \preceq M[C]$

$\_(e)$ ≡ evaluation of $e$ under the store $\_$; $\_ \models e$ ≡ $\_(e) \neq 0$

Define the relation $R \subseteq Q_C \times Q_{[C]}$ by $(s, m)\,R\,(s, v) \Leftrightarrow m \models v$

$R$ is a simulation relation

$\forall s \in I_C \cdot \exists [s] \in I_{[C]} \cdot s\,R\,[s]$
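The concrete semantics, the predicate-abstract semantics and the simulation argument for $M_C \preceq M[C]$ on the preceding slides can all be exercised on the slides' own small CFG. The Python below is an added example; it is not code from the talk or from the MAGIC tool. It assumes a particular wiring of the EFSM edges (both guarded edges lead from node 2 to a final node 3), uses a constructed finite store domain in place of the theorem prover that decides abstract transitions, and the names `concrete_lks`, `abstract_lks`, `greatest_simulation` and `simulates` are its own.

```python
from itertools import combinations, product

class LKS:
    """Labeled Kripke structure: Q (states), I (initial states),
    T (state -> set of (action, successor)), L (state -> frozenset of atomic propositions)."""
    def __init__(self, Q, I, T, L):
        self.Q, self.I, self.T, self.L = Q, I, T, L

# Constructed reading of the CFG on the slides: node 1 --x=x+y--> node 2; node 2 --x==0 ? x++--> node 3;
# node 2 --x!=0 ?--> node 3; node 3 --true ?--> node 3 (the slides do not fix the targets of the EFSM edges).
# A store is a pair (x, y); guards and commands are callables on (x, y).
NODES, I_CFG = {1, 2, 3}, 1
EDGES = [  # (source, action, guard, command, target)
    (1, "x=x+y",    lambda x, y: True,   lambda x, y: (x + y, y), 2),
    (2, "x==0?x++", lambda x, y: x == 0, lambda x, y: (x + 1, y), 3),
    (2, "x!=0?",    lambda x, y: x != 0, lambda x, y: (x, y),     3),
    (3, "true?",    lambda x, y: True,   lambda x, y: (x, y),     3),
]
PRED = {"x=0": lambda x, y: x == 0, "y=0": lambda x, y: y == 0}  # Pred = {x = 0, y = 0}
CONC = {"p": "x=0"}                                              # Conc(p) = (x = 0), so Pred contains Conc(p)
INIT = lambda x, y: True                                         # Init: every store may start
STORES = [(x, y) for x in range(-5, 6) for y in range(-5, 6)]    # constructed finite Store, standing in for a prover

def sat(m, e):
    """m |= e: e evaluates to a non-zero value under store m."""
    return bool(e(*m))

def valuation(m):
    """The minterm of Pred satisfied by m, viewed as the subset of predicates that are true in m."""
    return frozenset(name for name, e in PRED.items() if sat(m, e))

def concrete_lks():
    """M_C: Q = S_CFG x Store, I = {(I_CFG, m) | m |= Init}, L(s, m) = {p | m |= Conc(p)}."""
    Q = {(s, m) for s in NODES for m in STORES}
    T = {q: set() for q in Q}
    for (s, a, g, c, t), m in product(EDGES, STORES):
        if sat(m, g) and c(*m) in STORES:   # successors leaving the finite domain are dropped
            T[(s, m)].add((a, (t, c(*m))))
    L = {(s, m): frozenset(p for p, e in CONC.items() if sat(m, PRED[e])) for (s, m) in Q}
    return LKS(Q, {(I_CFG, m) for m in STORES if sat(m, INIT)}, T, L)

def abstract_lks():
    """M[C]: Q = S_CFG x 2^Pred; (s, v) --a--> (t, v') iff some witness store m |= v takes the concrete edge."""
    VALS = [frozenset(c) for r in range(len(PRED) + 1) for c in combinations(PRED, r)]
    Q = {(s, v) for s in NODES for v in VALS}
    T = {q: set() for q in Q}
    for (s, a, g, c, t), m in product(EDGES, STORES):
        if sat(m, g):
            T[(s, valuation(m))].add((a, (t, valuation(c(*m)))))
    L = {(s, v): frozenset(p for p, e in CONC.items() if e in v) for (s, v) in Q}
    return LKS(Q, {(I_CFG, valuation(m)) for m in STORES if sat(m, INIT)}, T, L)

def greatest_simulation(M1, M2):
    """Largest R in Q1 x Q2 such that s1 R s2 implies L1(s1) = L2(s2) and every move of s1 is matched by s2 inside R."""
    R = {(s1, s2) for s1 in M1.Q for s2 in M2.Q if M1.L[s1] == M2.L[s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            for (a, t1) in M1.T[s1]:
                if not any(b == a and (t1, t2) in R for (b, t2) in M2.T[s2]):
                    R.discard((s1, s2))
                    changed = True
                    break
    return R

def simulates(M1, M2):
    """M1 is simulated by M2: a simulation relation pairs every initial state of M1 with an initial state of M2."""
    R = greatest_simulation(M1, M2)
    return all(any((s1, s2) in R for s2 in M2.I) for s1 in M1.I)

def abstraction_is_sound():
    """Slide 27: (s, m) R (s, v) iff m |= v (v is the valuation of m) is a simulation, hence M_C is simulated by M[C]."""
    MC, MA = concrete_lks(), abstract_lks()
    R = greatest_simulation(MC, MA)
    return all(((s, m), (s, valuation(m))) in R for (s, m) in MC.Q) and simulates(MC, MA)

if __name__ == "__main__":
    print("M_C simulated by M[C]:", abstraction_is_sound())
    print("M[C] simulated by M_C:", simulates(abstract_lks(), concrete_lks()))  # the abstraction adds behaviour
```

The second direction fails because the abstract state at node 1 with valuation {} (x ≠ 0, y ≠ 0) can move to both of the valuations {} and {x = 0} at node 2, while any single concrete store moves to exactly one of them; that extra behaviour is exactly what a later refinement step has to remove when it makes a counterexample spurious.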

28

Parallel Composition

$M_1 = (Q_1, I_1, {\_}_1, T_1, AP_1, L_1)$

$M_2 = (Q_2, I_2, {\_}_2, T_2, AP_2, L_2)$

$M_1 \,\|\, M_2 = (Q_1 \times Q_2,\ I_1 \times I_2,\ {\_}_1 \cup {\_}_2,\ T,\ AP_1 \cup AP_2,\ L)$

$L(s_1, s_2) = L_1(s_1) \cup L_2(s_2)$

$((s_1, s_2), \_, (s'_1, s'_2)) \in T$ iff for each $i \in \{1, 2\}$: either the action belongs to ${\_}_i$ and $(s_i, \_, s'_i) \in T_i$, or it does not belong to ${\_}_i$ and $s_i = s'_i$

29

Program Semantics

$P = \langle C, C' \rangle$

$M_P = M_C \,\|\, M_{C'}$

$M[P] = M[C] \,\|\, M[C']$

Abstraction is done modularly

[Figure: three simulation arrows ($\preceq$) from $M_C$, $M_{C'}$ and $M_P$ to their abstractions.]

30

Program Semantics

$P = C \,\|\, C'$

$[P] = [C] \,\|\, [C']$

[Figure: three simulation arrows ($\preceq$) from $C$, $C'$ and $P$ to their abstractions.]

31

Verification

The specification is an LKS Spec. Given $P$ and Spec, check if $P \preceq \mathit{Spec}$

1. Construct $[P]$

2. Check if $[P] \preceq \mathit{Spec}$

   1. $P \preceq [P] \wedge [P] \preceq \mathit{Spec} \Rightarrow P \preceq \mathit{Spec}$

   2. Otherwise …

32

Counterexample

$\neg([P] \preceq \mathit{Spec}) \Rightarrow \exists CE \cdot CE \preceq [P] \wedge \neg(CE \preceq \mathit{Spec})$

CE has a tree structure

See Chapter 5 for the procedure to check $[P] \preceq \mathit{Spec}$ and construct CE if necessary

33

Counterexample Validation

Check if $CE \preceq P$

$\neg(CE \preceq \mathit{Spec}) \wedge CE \preceq P \Rightarrow \neg(P \preceq \mathit{Spec})$: the counterexample is real

$P = C \,\|\, C'$

34

Problems

$CE \preceq C \,\|\, C'$

Infinite states: symbolic representation

State space explosion: compositional reasoning

35

LKS Projection

[Figure: an LKS $M$ with an alphabet of six actions and $AP = \{p, q, r, s\}$, states labeled p, q, r, {p, q} and {p, r}. The projection target has a three-action alphabet $\_'$ and $AP' = \{p, r, t\}$.]

36

LKS Projection

[Figure: $M \upharpoonright \{\_', AP'\}$. The alphabet becomes $\_ \cap \_' \cup \{\_\}$ (actions outside $\_'$ become the added silent action), the propositions become $AP \cap AP'$, so only p and r remain in the labels.]

$\_' = \{\ldots\}$ (three actions), $AP' = \{p, r, t\}$

$M' = (\ldots, \_', AP', \ldots) \Rightarrow M \upharpoonright M'$ ≡ $M \upharpoonright \{\_', AP'\}$

37

Weak Simulation

$M_1 = (Q_1, I_1, \_ \cup \{\_\}, T_1, AP, L_1)$, $M_2 = (Q_2, I_2, \_, T_2, AP, L_2)$

$R \subseteq Q_1 \times Q_2$ is a weak simulation relation if $s_1\,R\,s_2 \Rightarrow$

$L_1(s_1) = L_2(s_2)$

$\forall (s_1, \_, s'_1) \in T_1 \cdot \exists s'_2 \cdot (s_2, \_, s'_2) \in T_2 \wedge s'_1\,R\,s'_2$ (same action on both transitions)

$\forall (s_1, \_, s'_1) \in T_1$ labeled with the extra silent action $\cdot\; s'_1\,R\,s_2$

$M_1 \sqsubseteq M_2$ ≡ $\exists R \subseteq Q_1 \times Q_2 \cdot \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\,R\,s_2$

38

Compositional Validation

$CE \preceq C \,\|\, C'$

$\Leftrightarrow\; CE \upharpoonright C \sqsubseteq C \;\wedge\; CE \upharpoonright C' \sqsubseteq C'$

39

Compositional Validation

$CE \preceq C \,\|\, C'$

$\Leftrightarrow\; CE \upharpoonright C \sqsubseteq C \;\wedge\; CE \upharpoonright C' \sqsubseteq C'$

Infinite states: symbolic representation
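The four preceding slides (parallel composition, LKS projection, weak simulation and compositional validation) fit together in one small program. The Python below is an added example, not code from the talk or the MAGIC tool. It assumes that the two components' proposition sets are disjoint and that the counterexample's alphabet lies within the union of the component alphabets; the components, the two counterexamples and the names `compose`, `project`, `weak_simulates`, `direct_valid` and `compositional_valid` are constructed for the example.

```python
TAU = "tau"   # the silent action introduced by projection

class LKS:
    """Labeled Kripke structure with an explicit alphabet Sigma; T maps a state to its (action, successor) pairs."""
    def __init__(self, Q, I, Sigma, T, AP, L):
        self.Q, self.I, self.Sigma, self.T, self.AP, self.L = Q, I, Sigma, T, AP, L

def lks(edges, labels, init, Sigma, AP):
    """Build an LKS from (source, action, target) edges and a state -> set-of-propositions map."""
    T = {q: set() for q in labels}
    for (s, a, t) in edges:
        T[s].add((a, t))
    return LKS(set(labels), {init}, set(Sigma), T, set(AP), {q: frozenset(l) for q, l in labels.items()})

def compose(M1, M2):
    """M1 || M2 (slide 28): shared actions synchronise, the others interleave; labels are unioned."""
    Q = {(s1, s2) for s1 in M1.Q for s2 in M2.Q}
    T = {q: set() for q in Q}
    for (s1, s2) in Q:
        for a in M1.Sigma | M2.Sigma:
            # a side whose alphabet contains a must take an a-move; a side whose alphabet does not stays put
            succ1 = {t for (b, t) in M1.T[s1] if b == a} if a in M1.Sigma else {s1}
            succ2 = {t for (b, t) in M2.T[s2] if b == a} if a in M2.Sigma else {s2}
            T[(s1, s2)] |= {(a, (t1, t2)) for t1 in succ1 for t2 in succ2}
    L = {(s1, s2): M1.L[s1] | M2.L[s2] for (s1, s2) in Q}
    return LKS(Q, {(i1, i2) for i1 in M1.I for i2 in M2.I}, M1.Sigma | M2.Sigma, T, M1.AP | M2.AP, L)

def project(M, Sigma2, AP2):
    """Projection (slide 36): actions outside Sigma' become tau, labels are cut down to AP'."""
    T = {q: {(a if a in Sigma2 else TAU, t) for (a, t) in M.T[q]} for q in M.Q}
    L = {q: M.L[q] & AP2 for q in M.Q}
    return LKS(set(M.Q), set(M.I), (M.Sigma & Sigma2) | {TAU}, T, M.AP & AP2, L)

def weak_simulates(M1, M2):
    """Weak simulation (slide 37): like ordinary simulation, but a tau-move of M1 is matched by M2 standing still.
    When M1 has no tau-moves this is exactly the strong simulation preorder."""
    R = {(s1, s2) for s1 in M1.Q for s2 in M2.Q if M1.L[s1] == M2.L[s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            for (a, t1) in M1.T[s1]:
                matched = (t1, s2) in R if a == TAU else any(b == a and (t1, t2) in R for (b, t2) in M2.T[s2])
                if not matched:
                    R.discard((s1, s2))
                    changed = True
                    break
    return all(any((s1, s2) in R for s2 in M2.I) for s1 in M1.I)

def direct_valid(CE, C1, C2):
    """CE simulated by C || C', checked on the product."""
    return weak_simulates(CE, compose(C1, C2))

def compositional_valid(CE, C1, C2):
    """Slide 38: CE simulated by C || C' iff its projections are weakly simulated by C and by C' separately."""
    return (weak_simulates(project(CE, C1.Sigma, C1.AP), C1)
            and weak_simulates(project(CE, C2.Sigma, C2.AP), C2))

# Constructed components: C owns actions {a, c} and proposition p, C' owns {b, c} and q; c is shared.
C1 = lks([(0, "a", 1), (1, "c", 2), (2, "a", 2)], {0: set(), 1: set(), 2: {"p"}}, 0, {"a", "c"}, {"p"})
C2 = lks([(0, "b", 1), (1, "c", 0)], {0: set(), 1: {"q"}}, 0, {"b", "c"}, {"q"})
# A counterexample the product really exhibits (a, b, c, a) and one it does not (c before C' has done b).
CE_REAL = lks([("s0", "a", "s1"), ("s1", "b", "s2"), ("s2", "c", "s3"), ("s3", "a", "s4")],
              {"s0": set(), "s1": set(), "s2": {"q"}, "s3": {"p"}, "s4": {"p"}}, "s0", {"a", "b", "c"}, {"p", "q"})
CE_SPURIOUS = lks([("s0", "a", "s1"), ("s1", "c", "s2")],
                  {"s0": set(), "s1": set(), "s2": {"p"}}, "s0", {"a", "b", "c"}, {"p", "q"})

if __name__ == "__main__":
    for name, ce in (("real", CE_REAL), ("spurious", CE_SPURIOUS)):
        print(name, direct_valid(ce, C1, C2), compositional_valid(ce, C1, C2))
```

Both routes give the same verdict on both counterexamples; the compositional one never materialises the product, which is the point of slide 38 when the components are large.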

40

Symbolic Representation

$M_C = (Q, I, \_, T, AP, L)$

There exists a class $R \subseteq 2^Q$ such that:

Each $r \in R$ has a finite representation

$Q \in R$

$R$ is closed under intersection and pre-image

Given $r \in R$, one can check whether $r = \emptyset$

41

[Figure (three slides): the check $CE \upharpoonright C \sqsubseteq C$ carried out symbolically. Starting from $Q$, sets of states of $M_C$ are computed by intersection ($\cap$) and pre-image, and the final set is tested for emptiness ($= \emptyset$ ?).]

44

Abstraction Refinement

Check if $CE \preceq P$

$CE \preceq P \Rightarrow$ the counterexample is real

Otherwise, update the set Pred such that for the new $[P]$ we have $\neg(CE \preceq [P])$ (Chapter 6)

Minimize the number of predicates to be added (Chapter 7)

45

Case Study: SSL Handshake

Verify that OpenSSL correctly implements the SSL handshake

Server and client code, each about 2500 LOC; about 400 LOC after abstracting away library routine calls

Analyzed client and server separately and together

46

SSL Results

NAME       LINES OF  NO. OF  AVG. MODEL  AVG. MODEL  SPEC SIZE  AVG. HORN  AVG. HORN   VERIF  TOTAL TIME  MEMORY
           CODE      ITER    SIZE        TIME (SEC)  (ST/TR)    VAR NUM    CLAUSE NUM  TIME   (SEC)       (MB)
SERVER     2483      64      8984        40.2        32 / 67    287472     352150      1636   8639        743
CLIENT     2484      71      6747        28.7        29 / 60    195635     238296      1217   7437        185
SRVR-CLNT  4967      175     77474       3.3         6 / 5      387375     1386980     13786  21134       1105


48

Thoughts

Predicate abstraction alone is inadequate for concurrent systems

States from different control locations are always kept distinct; they might be merged

How do we combine other kinds of abstractions with predicate abstraction?

49

Iterative Refinement

[Figure: the iterative refinement loop again: Abstraction, Model, Verification against Spec, System OK, Counterexample Valid?, Abstraction Refinement, Improved Abstraction Guidance.]

50

IR ≡ Model Checking

[Figure: the same iterative refinement loop.]

51

Verification ≡ IR

[Figure: the same loop, in which the Verification step is itself an Iterative Refinement loop.]

52

Existential Abstraction

$M = (Q, I, \_, T, AP, L)$

Equivalence $R \subseteq Q \times Q$ compatible with the propositional labeling: $s\,R\,s' \Rightarrow L(s) = L(s')$

$[s]$ ≡ equivalence class of $s$

Induces a quotient LKS $M_R$

54

Example

[Figure: an LKS $M$ with states 1 to 7, actions a, b, c, d, e and propositions p and q, next to its quotient $M_R$ with classes [1], [2,3], [4,5], [6,7] and the same actions.]

Theorem: $M \preceq M_R$

Proof: $(s\,R\,[s])$ is a simulation relation

55

Verification

Given $[P] = [C] \,\|\, [C']$ and Spec

1. Use equivalence relations $R$ and $R'$; initially $R$ and $R'$ are maximal

2. Construct $[P]_{RR'} = [C]_R \,\|\, [C']_{R'}$; then $[P] \preceq [P]_{RR'}$

3. Check if $[P]_{RR'} \preceq \mathit{Spec}$

   1. $[P] \preceq [P]_{RR'} \wedge [P]_{RR'} \preceq \mathit{Spec} \Rightarrow [P] \preceq \mathit{Spec}$

   2. Otherwise …

58

Splitting R

[Figure: the relations $CE \upharpoonright [C]_R \sqsubseteq [C]_R$ and $[C] \preceq [C]_R$ before $R$ is split.]

59

Splitting R

Repeated splitting $\Rightarrow$ $C_R$ converges to the bisimulation quotient of $C$

[Figure: $CE \upharpoonright [C]_R \sqsubseteq [C]_R$ after the split.]

-
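The existential abstraction of slides 52 and 53 (quotient LKS, and the theorem that $s \mapsto [s]$ is a simulation) and the splitting of slides 58 and 59 can be demonstrated together. The Python below is an added example, not code from the talk or the MAGIC tool; the seven-state LKS is constructed in the spirit of the example slide rather than copied from it, the splitting step is a plain signature-based partition refinement (a simple stand-in for the thesis's counterexample-guided splitting), and the names `quotient`, `is_simulation`, `split` and `bisimulation_quotient` are its own.

```python
class LKS:
    """Labeled Kripke structure: Q, I, T (state -> set of (action, successor)), L (state -> frozenset of propositions)."""
    def __init__(self, Q, I, T, L):
        self.Q, self.I, self.T, self.L = Q, I, T, L

def lks(edges, labels, init):
    T = {q: set() for q in labels}
    for (s, a, t) in edges:
        T[s].add((a, t))
    return LKS(set(labels), {init}, T, {q: frozenset(l) for q, l in labels.items()})

def compatible(M, classes):
    """R (given as state -> class id) is compatible with the labeling: s R s' implies L(s) = L(s')."""
    return all(M.L[s] == M.L[t] for s in M.Q for t in M.Q if classes[s] == classes[t])

def quotient(M, classes):
    """M_R (slide 52): states are the classes [s]; [s] --a--> [t] whenever some member s has s --a--> t."""
    if not compatible(M, classes):
        raise ValueError("equivalence is not compatible with the propositional labeling")
    T = {c: set() for c in set(classes.values())}
    for s in M.Q:
        for (a, t) in M.T[s]:
            T[classes[s]].add((a, classes[t]))
    return LKS(set(T), {classes[s] for s in M.I}, T, {classes[s]: M.L[s] for s in M.Q})

def is_simulation(M1, M2, R):
    """Check the simulation conditions of slide 25 for a given R in Q1 x Q2, and that R covers every initial state of M1."""
    for (s1, s2) in R:
        if M1.L[s1] != M2.L[s2]:
            return False
        for (a, t1) in M1.T[s1]:
            if not any(b == a and (t1, t2) in R for (b, t2) in M2.T[s2]):
                return False
    return all(any((s1, s2) in R for s2 in M2.I) for s1 in M1.I)

def quotient_simulates(M, classes):
    """Theorem (slide 53): M is simulated by M_R, witnessed by R = {(s, [s])}."""
    return is_simulation(M, quotient(M, classes), {(s, classes[s]) for s in M.Q})

def split(M, classes):
    """One refinement step: members of a class are separated when their (action, successor class) sets differ."""
    return {s: (classes[s], frozenset((a, classes[t]) for (a, t) in M.T[s])) for s in M.Q}

def bisimulation_quotient(M):
    """Repeated splitting from the maximal label-compatible equivalence (slide 59) until the partition is stable."""
    classes = {s: M.L[s] for s in M.Q}          # maximal R: states with equal labels are equivalent
    while True:
        refined = split(M, classes)
        if len(set(refined.values())) == len(set(classes.values())):
            return classes                       # no class was split: the partition is a bisimulation
        classes = refined

# Constructed LKS: states 1..7, actions a..e, propositions p and q; 2 and 3 differ only in their second action.
M = lks([(1, "a", 2), (1, "b", 3), (2, "c", 4), (2, "d", 6), (3, "c", 5), (3, "e", 7), (4, "a", 6), (5, "a", 7)],
        {1: set(), 2: {"p"}, 3: {"p"}, 4: {"q"}, 5: {"q"}, 6: set(), 7: set()}, 1)
R0 = {1: "[1]", 2: "[2,3]", 3: "[2,3]", 4: "[4,5]", 5: "[4,5]", 6: "[6,7]", 7: "[6,7]"}   # the slide's initial equivalence

if __name__ == "__main__":
    print("M simulated by M_R:", quotient_simulates(M, R0))
    final = bisimulation_quotient(M)
    print("bisimulation quotient has", len(set(final.values())), "classes")   # [2,3] is split into [2] and [3]
```

The quotient under R0 merges 2 and 3 even though only one of them can do d, so M_R has behaviour M lacks (a spurious path through [2,3]); splitting separates exactly such states, and once no class splits the quotient is bisimilar to M, which is the limit slide 59 describes.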

60

Two Level IR

[Figure (animation over several slides): components $C_1, \ldots, C_4$ are predicate-abstracted to $[C_1], \ldots, [C_4]$, with $[C_1] \preceq \mathit{Spec}$ for the first; $[C_2], [C_3], [C_4]$ are then existentially abstracted to $A_1, \ldots, A_4$, which are checked against Spec with $\preceq$. Existential refinement successively splits $A_3$, $A_1$ and $A_2$ until the check ends with either no bugs or a real counterexample.]


67

Results

Test Name  One Level               Two Level             Gain
           S1      M1    T1        S2     M2   T2        T1/T2  M1/M2
SSL-1      157266  1023  886       15840  122  1081      0.82   8.39
SSL-2      201940  1070  1645      6072   64   500       3.29   16.72
SSL-3      203728  1003  1069      20172  130  1805      0.59   7.72
SSL-4      201940  640   1184      7808   69   482       2.46   9.28
SSL-5      184060  780   1355      6240   64   407       3.33   12.19
SSL-6      158898  426   695       2310   56   219       3.17   7.61
SSL-7      103566  250   447       7743   74   472       0.95   3.38
SSL-8      161580  945   1071      4617   64   387       2.77   14.77
SSL-9      214989  1475  1515      13800  106  716       2.12   13.92
SSL-10     118353  663   628       3024   60   402       1.56   11.05
SSL-11     204708  1131  794       8820   79   446       1.78   14.32
SSL-12     121170  373   303       2079   56   204       1.49   6.66
SSL-13     152796  361   579       3780   60   349       1.66   6.02


69

Summary

Compositional IR for concurrent programs: message-passing communication, simulation conformance

Combine predicate abstraction and existential abstraction in a two-level compositional IR algorithm

Experimental validation

70

Thank you!

Edmund Clarke: exemplary advisor

Alex Groce, Somesh Jha, Helmut Veith: the original magicians

Tom Ball, Sriram Rajamani, Jakob Rehof: superb summer job mentors

Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav: awesome guides

Randal Bryant, David Garlan: excellent thesis committee members

71

Questions?