SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.

SLAM internals

Sriram K. Rajamani

Rigorous Software Engineering

Microsoft Research, India

Syntactic sugar

if (e) { S1;} else { S2;}S3;

goto L1, L2;

L1: assume(e); S1; goto L3;

L2: assume(!e); S2; goto L3;

L3: S3;

Example, in C

void cmp (int a , int b) { if (a == b) g = 0; else g = 1;}

int g;

main(int x, int y){

cmp(x, y);

if (!g) { if (x != y) assert(0); } }

void cmp(int a , int b) { goto L1, L2; L1: assume(a==b); g = 0; return;

L2: assume(a!=b); g = 1; return;}

int g;

main(int x, int y){

cmp(x, y);

assume(!g); assume(x != y) assert(0); }

Example, in C--

c2bp: Predicate Abstraction for C Programs

Given• P : a C program• F = {e1,...,en}

– each ei a pure boolean expression– each ei represents set of states for which ei is true

Produce a boolean program B(P,F)• same control-flow structure as P• boolean vars {b1,...,bn} to match {e1,...,en}• properties true of B(P,F) are true of P

Assumptions

Given• P : a C program• F = {e1,...,en}

– each ei a pure boolean expression– each ei represents set of states for which ei is true

• Assume: each ei uses either:– only globals (global predicate)– local variables from some procedure (local predicate for that

procedure)

• Mixed predicates:– predicates using both local variables and global variables– complicate “return” processing– covered in Step 2

C2bp Algorithm

• Performs modular abstraction– abstracts each procedure in isolation

• Within each procedure, abstracts each statement in isolation– no control-flow analysis– no need for loop invariants

void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


Preds: {x==y}

{g==0}

{a==b}

void cmp (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

}

void cmp ( {a==b} ) {

}

Preds: {x==y}

{g==0}

{a==b}

void equal (int a , int b) { goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

cmp( {x==y} );

assume( {g==0} ); assume( !{x==y} ); assert(0); }

void cmp ( {a==b} ) { goto L1, L2; L1: assume( {a==b} ); {g==0} = T; return;

L2: assume( !{a==b} ); {g==0} = F; return;}

Preds: {x==y}

{g==0}

{a==b}

Abstracting Assignments

Suppose you are given an assignment s

• if ImpliesF(WP(s, ei)) is true before s then– ei is true after s

• if ImpliesF(WP(s, !ei)) is true before s then– ei is false after s

{ei} = ImpliesF(WP(s, ei)) ? true :

ImpliesF(WP(s, !ei)) ? false : *;

Abstracting Expressions via F

• F = { e1,...,en }

• ImpliesF(e)

– best boolean function over F that implies e

• ImpliedByF(e)

– best boolean function over F implied by e

– ImpliedByF(e) = !ImpliesF(!e)

ImpliesF(e) and ImpliedByF(e)

e

ImpliesF(e)

ImpliedByF(e)

Computing ImpliesF(e) • F = { e1,...,en }

• minterm m = d1 && ... && dn

– where di = ei or di = !ei

• ImpliesF(e) – disjunction of all minterms that imply e

• Naïve approach– generate all 2n possible minterms– for each minterm m, use decision procedure to check validity of each

implication me

• Many optimizations possible

do {KeAcquireSpinLock();

nPacketsOld = nPackets; b = true;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++; b = b ? false : *;

}} while (nPackets != nPacketsOld); !b

KeReleaseSpinLock();

ExampleAdd new predicateto boolean program

(c2bp)b : (nPacketsOld == nPackets)

U

L

L

L

L

U

L

U

U

U

E

Assignment Example

Statement in P: Predicates in F:

y = y+1; {x==y}

Weakest Precondition:WP(y=y+1, x==y) = x==y+1

ImpliesF( x==y+1 ) = false

ImpliesF( x!=y+1 ) = x==y

Abstraction of assignment in B:{x==y} = {x==y} ? false : *;

Absracting Assumes

• WP( assume(e) , Q) = eQ

• assume(e) is abstracted to: assume( ImpliedByF(e) )

• Example:F = {x==2, x<5}assume(x < 2) is abstracted to:

assume( {x<5} && !{x==2} )

Abstracting Procedures

• Each predicate in F is annotated as being either global or local to a particular procedure

• Procedures abstracted in two passes:– a signature is produced for each procedure in

isolation– procedure calls are abstracted given the

callees’ signatures

Abstracting a procedure call

• Procedure call– a sequence of assignments from actuals to formals– see assignment abstraction

• Procedure return– NOP for C-- with assumption that all predicates

mention either only globals or only locals– with pointers and with mixed predicates:

• Most complicated part of c2bp• Covered in Step 2

void cmp (int a , int b) {Goto L1, L2 L1: assume(a==b); g = 0; return;


int g;

main(int x, int y){

cmp(x, y);


decl {g==0} ;

main( {x==y} ) {

cmp( {x==y} );

assume( {g==0} ); assume( !{x==y} ); assert(0); }

void cmp ( {a==b} ) {Goto L1, L2 L1: assume( {a==b} ); {g==0} = T; return;

L2: assume( !{a==b} ); {g==0} = F; return;}

{x==y}

{g==0}

{a==b}

Precision loss during predicate abstraction

• For program P and F = {e1,...,en}, there exist two “ideal” abstractions:– Boolean(P,F) : most precise abstraction– Cartesian(P,F) : less precise abstraction, where each boolean variable

is updated independently

• Theory:– with an “ideal” theorem prover, c2bp can compute Cartesian(P,F)

• Practice:– c2bp computes a less precise abstraction than Cartesian(P,F)– we use Das/Dill’s technique to incrementally improve precision – with an “ideal” theorem prover, the combination of c2bp + Das/Dill can

compute Boolean(P,F)

Cartesian abstractionF = { (x!=5), (y<5), (y>5)}

Statement: y = x

Abstract statement in the boolean program:{y < 5} = {x != 5} ? * : false{y > 5} = {x != 5} ? * : false

Suppose {x != 5} is true before the assignmentThen, only one of {y <5} or {y > 5} can be true after the assignment

This correlation is lost in cartesian abstraction

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

Bebop

• Model checker for boolean programs

• Based on CFL reachability

• Explicit representation of CFG

• Implicit representation of path edges and summary edges

• Generation of hierarchical error traces

Domains

g Globall Localf Frames Stack = Frame*State = Global X Local X Stack

Transitions:T (Global X Local) X ( Global X Local)T+ Local X (Local X Frame)T- (Local X Frame) X Local

Transition Relation

STEPT (g, l, g’, l’)

________________(g,l,s) (g’,l’, s)

PUSHT+(l, l’, f)

__________________(g,l,s) (g’,l’, s.f)

POPT-(l, f, l’’)

_______________________(g,l,s.f) (g’,l’, s)

g Globall Localf Frames Stack = Frame*State = Global X Local X Stack

Transitions:T (Global X Local) X ( Global X Local)T+ Local X (Local X Frame)T- (Local X Frame) X Local

Naïve model checking

STEPT (g, l, g’, l’)

________________(g,l,s) (g’,l’, s)

PUSHT+(l, l’, f)

__________________(g,l,s) (g’,l’, s.f)

POPT-(l, f, l’’)

_______________________(g,l,s.f) (g’,l’, s)

Start with initial state: (g0,l0,)

Find all the states s such that(g0,l0,) * s

Even if Globals and Locals are finite, the set of reachable states could be infinite since the stack can grow infinite

No guarantee for termination

Still, assertion checking is decidable

Need to use a different algorithm (CFL reachability)

CFL reachability

CFL-STEPP(g1, l1, g2, l2) T(g2, l2, g3, l3)

________________P(g1, l1, g3, l3)

CFL-PUSHP(g1, l1, g2, l2) T+(l2, l3 ,f,)

__________________P(g2, l3, g2, l3)

CFL-SUMP(g1, l1, g2, l2) T-(l2, f , l3,)

__________________Sum(g1, l1, f, g2, l3)

CFL-POPP(g1, l1, g2, l2) T+(l2, l3 ,f,) Sum( g2, l3, f , g3, l4 )

_______________________P(g1, l1, g3, l4)

P (Global X Local) X ( Global X Local)Sum (Global X Local) X Frame X ( Global X Local)

CFL-INIT_______________

P(g0, l0, g0, l0)

[Sharir-Pnueli 81] [Reps-Sagiv-Horwitz 95]

decl g;void main()decl u,v; [1] u := !v;

[2] equal(u,v);

[3] if (g) then R: skip;

fi [4] return;

void equal(a, b)

[5] if (a = b) then [6] g := 1; else [7] g := 0; fi [8] return;

[1] [1] [1]

[2] [2]

u!=v

g=0

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

u=v

g=0

u!=v

g=1

u=v

g=1

Symbolic CFL reachability Partition path edges by their “target”

PE(v) = { <d1,d2> | <entry,d1> <v,d2> }

What is <d1,d2> for boolean programs? A bit-vector!

What is PE(v)? A set of bit-vectors

Use a BDD (attached to v) to represent PE(v)

decl g;void main()decl u,v; [1] u := !v;

[2] equal(u,v);

[3] if (g) then R: skip;

fi [4] return;

void equal(a, b)

[5] if (a = b) then [6] g := 1; else [7] g := 0; fi [8] return;

[1] [1] [1]

[2] [2]

u!=v

g=0

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

u=v

g=0

u!=v

g=1

u=v

g=1

g=g’& u=u’& v=v’

g=g’& v!=u’ & v=v’

g=g’ & a=a’ & b=b’ & a!=b

g’=0 & v’!=u’ & v=v’

g’=0 & v!=u’ & v=v’

g=g’& a=a’ & b=b’& a!=b

g’=0 & a=a’ & b=b’& a!=b

Bebop: summary

Explicit representation of CFG Implicit representation of path edges and

summary edges Generation of hierarchical error traces

Complexity: O(E * 2O(N)

) E is the size of the CFG N is the max. number of variables in scope

prog. P’prog. P

SLIC rule

The SLAM Process

boolean program

pathpredicates

slic

c2bp

bebop

newton

Type 1: False error trace due to approximate predicate abstraction

Type 2: False error trace due to insufficient predicates

prog. P’prog. P

SLIC rule

The SLAM Process (more accurate)

boolean program

pathpredicates

slic

c2bp

bebop

newton


With this technique we can be as preciseas boolean abstraction(rather than cartesian)

Type 2: False error trace due to insufficient predicates

prog. P’prog. P

SLIC rule

The SLAM Process (more accurate)

boolean program

pathpredicates

slic

c2bp

bebop

newton

Newton

• Given an error path p in boolean program B– is p a feasible path of the corresponding C

program?• Yes: found an error• No: find predicates that explain the infeasibility

– uses the same interfaces to the theorem provers as c2bp.

Newton

• Execute path symbolically

• Check conditions for inconsistency using theorem prover (satisfiability)

• After detecting inconsistency:– minimize inconsistent conditions– traverse dependencies– obtain predicates


if(*){


}} while (*);


ExampleModel checking boolean program

(bebop)

U

L

L

L

L

U

L

U

U

U

E


nPacketsOld = nPackets;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++;

}} while (nPackets != nPacketsOld);


ExampleIs error path feasible

in C program?(newton)

U

L

L

L

L

U

L

U

U

U

E


nPacketsOld = nPackets; b = true;

if(request){request = request->Next;KeReleaseSpinLock();nPackets++; b = b ? false : *;

}} while (nPackets != nPacketsOld); !b


ExampleAdd new predicateto boolean program

(c2bp)b : (nPacketsOld == nPackets)

U

L

L

L

L

U

L

U

U

U

E

Symbolic simulation for C--

Domains– variables: names in the program– values: constants + symbols

State of the simulator has 3 components:– store: map from variables to values– conditions: predicates over symbols– history: past valuations of the store

Symbolic simulation AlgorithmInput: path p

For each statement s in p domatch s with

Assign(x,e):let val = Eval(e) inif (Store[x]) is defined then

History[x] := History[x] Store[x]Store[x] := val

Assume(e):let val = Eval(e) in

Cond := Cond and vallet result = CheckConsistency(Cond) inif (result == “inconsistent”) then

GenerateInconsistentPredicates()End

Say “Path p is feasible”

Symbolic Simulation: Caveats

• Procedure calls– add a stack to the simulator– push and pop stack frames on calls and returns– implement mappings to keep values “in scope” at

calls and returns

• Dependencies– for each condition or store, keep track of which values

where used to generate this value– traverse dependency during predicate generation



int g;

main(int x, int y){

cmp(x, y);




int g;

main(int x, int y){

cmp(x, y);


Global:

main:

(1) x: X

(2) y: Y

Conditions:



int g;

main(int x, int y){

cmp(x, y);


Global:

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]

(6) (X == Y) [5]

Map:

X A

Y B



int g;

main(int x, int y){

cmp(x, y);


Global:

(6) g: 0

main:

(1) x: X

(2) y: Y

cmp:

(3) a: A

(4) b: B

Conditions:

(5) (A == B) [3, 4]

(6) (X == Y) [5]

(7) (X != Y) [1, 2]

Contradictory!



int g;

main(int x, int y){

cmp(x, y);


Predicates after simplification:

{ x == y, a == b }

Refinement Using Interpolants

Given formulas - , + s.t. - + is unsatisfiable

An interpolant for - , + is a formula s.t.1. - implies 2. has symbols common to -, + 3. + is unsatisfiable

computable from proof of unsat. of - +

[Henzinger-Jhala-Majumdar-McMillan POPL 04] give a way to generate predicates for refinement from infeasible traces using interpolants

Interpolants: Example (1)

pc1: x = ctr

pc2: ctr = ctr + 1

pc3: y = ctr

pc4: assume(x = i-1)

pc5: assume(y i)

Trace Trace Formula

•Cut + Interpolate at each point

•Pred. Map: pci Interpolant from cut i

-

+Interpolate x1 = ctr0

Predicate Map pc2: x= ctr

x1 = ctr0

ctr1 = ctr0 + 1

y1 = ctr1

x1 = i0 – 1

y1 i0

pc1: x = ctr

pc2: ctr = ctr + 1

pc3: y = ctr


pc5: assume(y i)

Trace Trace Formula



-

+Interpolate

Predicate Map pc2: x = ctrpc3: x= ctr-1

x1= ctr1-1

x1 = ctr0

ctr1 = ctr0 + 1

y1 = ctr1

x1 = i0 – 1

y1 i0


-

+Interpolate

pc1: x = ctr

pc2: ctr = ctr + 1

pc3: y = ctr


pc5: assume(y i)

Trace Trace Formula

y1 = x1 + 1

x1 = ctr0

ctr1 = ctr0 + 1

y1 = ctr1

x1 = i0 – 1

y1 i0

Predicate Map pc2: x = ctrpc3: x= ctr-1pc3: y= x+1




pc1: x = ctr

pc2: ctr = ctr + 1

pc3: y = ctr


pc5: assume(y i)

Trace Trace Formula



-

+Interpolate

Predicate Map pc2: x = ctrpc3: x = ctr-1pc4: y = x+1pc5: y= i

y1= i0

x1 = ctr0

ctr1 = ctr0 + 1

y1 = ctr1

x1 = i0 – 1

y1 i0


pc1: x = ctr

pc2: ctr = ctr + 1

pc3: y = ctr


pc5: assume(y i)

Trace Trace Formula

Predicate Map pc2: x = ctrpc3: x = ctr-1pc4: y = x+1pc5: y = i

Theorem: Predicate map makes trace abstractly infeasible

x1 = ctr0

ctr1 = ctr0 + 1

y1 = ctr1

x1 = i0 – 1

y1 i0


Homework

Weakest Precondition:WP( *p=3 , x==5 ) = ?? What if *p and x alias?

Statement in P: Predicates in E:

*p = 3 {x==5}

Advanced Topics: Pointers

prog. P’prog. P

SLIC rule

So far..

boolean program

pathpredicates

slic

c2bp

bebop

newton

Abstracting Procedure Returns

• Let a be an actual at call-site P(…)– pre(a) = the value of a before transition to P

• Let f be a formal of a procedure P– pre(f) = the value of f upon entry to P

int R (int f) {

int r = f+1;

f = 0;

return r;

}

WP(x=r, x==2) = r==2

Q() {

int x = 1;

x = R(x)

}

pre(f) == x

x = r

{x==1}

{x==2}

{f==pre(f)}

{r==pre(f)+1}

predicate call/return relation call/return assign

{x==2} = s & {x==1};

}

bool R ( {f==pre(f)} ) {

{r==pre(f)+1} = {f==pre(f)};

{f==pre(f)} = *;

return {r==pre(f)+1};

}

WP(f=x, f==pre(f) ) = x==pre(f)

f = x

x==pre(f) is true at the call to R

pre(f)==x and x==1 and r==pre(f)+1 implies r==2

Q() { {x==1},{x==2} = T,F;

s = R(T);

{x==1} s

int R (int f) {

int r = f+1;

f = 0;

return r;

}

WP(x=r, x==2) = r==2

Q() {

int x = 1;

x = R(x)

}

pre(f) == x

x = r

{x==1}

{x==2}

{f==pre(f)}

{r==pre(f)+1}


bool R ( {f==pre(f)} ) {

{r==pre(f)+1} = {f==pre(f)};

{f==pre(f)} = *;

return {r==pre(f)+1};

}

WP(f=x, f==pre(f) ) = x==pre(f)

f = x

x==pre(f) is true at the call to R

pre(f)==x and x==1 and r==pre(f)+1 implies r==2

Q() { {x==1},{x==2} = T,F;

s = R(T);

{x==1} s

{x==1}, {x==2} = *, s & {x==1};

}

Pointers and SLAM

• With pointers, C supports call by reference– Strictly speaking, C supports only call by value– With pointers and the address-of operator, one can

simulate call-by-reference

• Boolean programs support only call-by-value-result– SLAM mimics call-by-reference with call-by-value-result

• Extra complications:– address operator (&) in C– multiple levels of pointer dereference in C

What changes with pointers?

• C2bp– abstracting assignments– abstracting procedure returns

• Newton– simulation needs to handle pointer accesses– need to copy local heap across scopes to match Bebop’s

semantics– need to refine imprecise alias analysis using predicates

• Bebop– remains unchanged!

Recall : Abstracting Assignments

Suppose you are given an assignment s

• if ImpliesF(WP(s, ei)) is true before s then– ei is true after s

• if ImpliesF(WP(s, !ei)) is true before s then– ei is false after s

{ei} = ImpliesF(WP(s, ei)) ? true :

ImpliesF(WP(s, !ei)) ? false : *;

Assignments + Pointers

Weakest Precondition:WP( *p=3 , x==5 ) = x==5 What if *p and x alias?

We use Das’s pointer analysis [PLDI 2000] to prune disjuncts representing infeasible alias scenarios.

Correct Weakest Precondition:(p==&x and 3==5) or (p!=&x and x==5)

Statement in P: Predicates in E:

*p = 3 {x==5}

Abstracting Procedure Return

• Need to account for – lhs of procedure call– mixed predicates– side-effects of procedure

• Boolean programs support only call-by-value-result– C2bp models all side-effects using return

processing

Extending Pre-states

• Suppose formal parameter is a pointer– eg. P(int *f)

• pre( *f )– value of *f upon entry to P– can’t change during P

• * pre( f )– value of dereference of pre( f )– can change during P

int R (int *a) {

*a = *a+1;

}

Q() {

int x = 1;

R(&x);

}

pre(a) = &x

{x==1}

{x==2}


{x==2} = s & {x==1};

}

bool R ( {a==pre(a)}, {*pre(a)==pre(*a)} ) {

{*pre(a)==pre(*a)+1} = {*pre(a)==pre(*a)} ;

return {*pre(a)==pre(*a)+1};

}

a = &x

Q() { {x==1},{x==2} = T,F;

s = R(T,T);

{a==pre(a)} {*pre(a)==pre(*a)}

{*pre(a)=pre(*a)+1}

pre(x)==1 and pre(*a)==pre(x) and *pre(a)==pre(*a)+1 and pre(a)==&x implies x==2

{x==1}

s

Newton: what changes with pointers?

• Simulation needs to handle pointer accesses

• Need to copy local heap across scopes to match Bebop’s semantics

void foo (int *a) {assume(*a > 5);assert(0);

}

main(int *x){

assume(*x < 5); foo(x);

}

Contradictory!

void foo (int *a) {assume(*a > 5);assert(0);

}

main(int *x){

assume(*x < 5); foo(x);

}

main:

(1) x: X

(2) *X: Y [1]

foo:

(3) a: A

(4) *A: B [3]

Conditions:

(5) (Y< 5) [1,2]

(6) (B < 5) [3,4,5]

(7) (B > 5) [3,4]

Predicates after simplification:

*x < 5 , *a < 5, *a > 5

prog. P’prog. P

SLIC rule

Non progress..

boolean program

pathpredicates

slic

c2bp

bebop

newton

Non-progress due to alias analysis imprecision

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;

{x==0}

{x==0} = T;skip;skip;

{x==0} = *;

assume( !{x==0} );

skip;

Pts-to(p)=

{ &x, &y}

x = 0;y = 0;p = &y

if (p == &x) x = x + 1;else y = y + 1;

assume(x!=0);

p = &x;

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

Non-progress due to alias analysis imprecision

Consider values in abstract trace

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

{x==0} is true

{x==0} is false

INCONSISTENT

Consider values in abstract trace

x = 0;y = 0;p = &y

*p = *p + 1;

assume(x!=0);

p = &x;


{x==0} = *;

assume(!{x==0} );

skip;

WP(*p = *p +1, !(x==0) )

= ((p == &x) and !(x==-1)) or ((p != &x) and !(x==0))

(p!=&x) gets added as a predicate

Generalization of refinement predicates

main(){ int x; x = 0; while(*) {

x++;}assert(x >= 0);}

Iterative refinement produces predicates:(x == 0),(x == 1),(x ==2) …

Need to generate (x >= 0) automatically!

Difficult to come up with general methods to do such generalizations

Areas for future work

• Abstraction-refinement loop with richer models (than just booleans) for solving the progress problem with pointers

• Combination of over-approximation and under-approximation based methods to avoid refining in irrelevant places in the program

SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.

Documents

Transcript of SLAM internals Sriram K. Rajamani Rigorous Software Engineering Microsoft Research, India.