The Software Model Checker BLAST

Size: px

Start display at page:

Download "The Software Model Checker BLAST"

Audrey Campbell
6 years ago
Views:

1 The Software Model Checker BLAST BLAST 2.0 Team: Dirk Beyer, Tom Henzinger, Ranjit Jhala, and Rupak Majumdar Guest Lecture in Viktor Kuncak s Verification Class,

2 Motivation Software stands for - Functionality -Flexibility - Affordability in today s products and infrastructures. Practice: - Vulnerability - Obstacle to redesign - Cost overruns - Buggy, brittle, insecure, and not interoperable.

3 French Guyana, June 4, 1996 $600 million software failure

4 Mars, December 3, 1999 Crashed due to uninitialized variable

5 Mars, July 4, 1997 Lost contact due to priority inversion bug

6 Something reliable Uptime: 68 years

8 Our Application Areas Verification of systems code Locking disciplines Interface specifications Temporal properties Require path-sensitive analysis Swamped by false positives Really hard to check

9 Specifying and Checking Properties of Programs Goals Defect detection Partial validation Properties Memory safety Temporal safety Security Many (mature) techniques - Automated deduction - Program analysis - Type checking - Model checking Many projects Bandera, Blast, ESC-Java, FeaVer, JPF, LClint, OSQ, PolyScope, PREfix, SLAM, TVLA, Verisoft, xgcc,

10 Property Checking Programmer gives partial specifications Code checked for consistency with spec Different from program correctness Specifications are not complete Are there actually complete specs? - Look for problems that occur often

11 Property 1: Double Locking lock unlock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate.

12 Property 2: Drop Root Privilege [Chen-Dean-Wagner 02] User applications must not run with root privilege When execv is called, must have suid 0

Property 3 : IRP Handler IRP accessible MPR2 start NP MPR3 synch not pending returned CallDriver MPR1 NP MPR completion Skip prop completion no prop completion SKIP1 CallDriver PPC N/A CallDriver

13 Property 3 : IRP Handler IRP accessible MPR2 start NP MPR3 synch not pending returned CallDriver MPR1 NP MPR completion Skip prop completion no prop completion SKIP1 CallDriver PPC N/A CallDriver CallDriver Complete request CallDriver SKIP2 IPC DC N/A synch return child status return not Pend MPR3 CallDriver start P synch MPR1 MPR2not pending returned NP MPR completion Mark Pending Skip prop completion no prop completion CallDriver SKIP1 PPC N/A CallDriver CallDriver Complete request SKIP2 IPC CallDriver DC return Pending [Fahndrich]

14 Does a given usage rule hold? Undecidable! Equivalent to the halting problem Restricted computable versions are prohibitively expensive (PSPACE) Why bother? Just because a problem is undecidable, it doesn t go away!

15 Running Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q!= NULL){ 3: q->data = new; unlock(); new ++; 4: while(new!= old); 5: unlock (); return; unlock lock unlock lock

What a program really is State Transition pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: Example Example ( ) { 1: 1: do{ do{ lock(); lock(); old old = new; new; q = q->next; 2:

16 What a program really is State Transition pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: Example Example ( ) { 1: 1: do{ do{ lock(); lock(); old old = new; new; q = q->next; 2: 2: if if (q (q!=!= NULL){ NULL){ 3: 3: q->data q->data = new; new; unlock(); new new ++; ++; 4: 4: while(new!=!= old); old); 5: 5: unlock unlock (); (); return; pc lock old new q a 4 a a 5 a 6 a 0x133a

17 The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula

18 Representing States as Formulas [F] states satisfying F {s s ² F F FO fmla over prog. vars [F 1 ] Å [F 2 ] F 1 Æ F 2 [F 1 ] [F 2 ] F 1 Ç F 2 [F] F [F 1 ] [F 2 ] F 1 implies F 2 i.e. F 1 Æ F 2 unsatisfiable

19 Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent Merged into one abstract state #abstract states is finite

20 Abstract States and Transitions State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a Theorem Prover lock old=new lock old=new

21 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a Theorem Prover Existential Lifting lock old=new lock old=new

22 Abstraction State pc lock old new q a 3 a a 5 a 5 a 0x133a 3: 3: unlock(); new++; 4: pc lock old new q a 4 a a 5 a 6 a 0x133a lock old=new lock old=new

23 Analyze Abstraction Analyze finite graph Over Approximate: Safe System Safe No false negatives Problem Spurious counterexamples

24 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction!

25 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction 1. Add predicates to distinguish states across cut 2. Build refined abstraction Imprecision due to merge

26 Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe

27 Software Model Checking CProgram Abstract Yes Safe BLAST Property Refine No Trace

28 Lazy Abstraction CProgram spec.opt Instrumented C file With ERROR label BLAST Yes Safe Property No Trace

29 Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100 s, #States ~ 2 100, #Reach ~ 1000 s

30 Solution1: Only Abstract Reachable States Safe Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Build abstraction during search

31 Solution2: Don t Refine Error-Free Regions Error Free Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions

32 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds.

33 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free

34 Key Idea: Reachability Tree Initial 1 2 Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates Rebuild subtree with new preds. Error Free SAFE S1: Only Abstract Reachable States S2: Don t refine error-free regions

35 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK 1 Predicates: LOCK Reachability Tree

36 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); lock() old = new q=q->next 1 2 LOCK LOCK 1 2 Predicates: LOCK Reachability Tree

37 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); [q!=null] LOCK LOCK LOCK Predicates: LOCK Reachability Tree

38 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); q->data = new unlock() new LOCK LOCK LOCK LOCK Predicates: LOCK Reachability Tree

39 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK 4 LOCK [new==old] 5 5 LOCK Predicates: LOCK Reachability Tree

40 Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK 4 LOCK Predicates: LOCK unlock() 5 LOCK LOCK Reachability Tree

41 Analyze Counterexample Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK LOCK LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5 LOCK unlock() Predicates: LOCK LOCK Reachability Tree

42 Analyze Counterexample Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); Predicates: LOCK LOCK LOCK LOCK LOCK LOCK LOCK old = new new++ [new==old] Inconsistent new == old Reachability Tree

43 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK 1 Predicates: LOCK, new==old Reachability Tree

44 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK, new==old 2 LOCK lock() old = new q=q->next 1 2 Predicates: LOCK, new==old Reachability Tree

45 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK LOCK, new==old 2 LOCK, new==old 3 q->data = new unlock() LOCK, new = old 4 new Predicates: LOCK, new==old Reachability Tree

46 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 LOCK, new = old 4 [new==old] 1 LOCK Predicates: LOCK, new==old Reachability Tree

47 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old 2 LOCK, new==old 3 LOCK, new = old 4 1 [new!=old] LOCK Predicates: LOCK, new==old LOCK, new == old Reachability Tree

48 Repeat Build-and-Search Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); LOCK, new==old LOCK, new==old LOCK SAFE LOCK, new = old 4 4 LOCK, new=old Predicates: LOCK, new==old 1 LOCK, new == old 5 LOCK, new==old Reachability Tree

49 Key Idea: Reachability Tree Initial 1 2 Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates Rebuild subtree with new preds. Error Free SAFE S1: Only Abstract Reachable States S2: Don t refine error-free regions

50 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Problem: Abstraction is Expensive Solution: 1. Abstract reachable states, 2. Avoid refining error-free regions Key Idea: Reachability Tree

51 Technical Details Example ( ) { 1: 1: do{ do{ lock(); old old = new; q = q->next; 2: 2: if if (q (q!=!= NULL){ 3: 3: q->data = new; unlock(); new new ++; ++; 4:while(new!=!= old); 5: 5: unlock (); (); 1 LOCK Q. How to find predicates LOCK, new==old 2? LOCK, new==old LOCK, new = old LOCK, new=old SAFE Refinement Predicates: LOCK, new==old LOCK, new == old LOCK, new==old

52 #Predicates grows with program size T F T while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; Tracking lock not enough Problem: p 1,,p n needed for verification Exponential reachable abstract states

53 #Predicates grows with program size while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; LOCK LOCK, p 1 LOCK, p 1 LOCK, p 1 LOCK, p 1 LOCK p 1 p 2 p 1 p 2 p 1 p 2 p 1 p 2 2 n Abstract States Problem: p 1,,p n needed for verification Exponential reachable abstract states

54 Predicates useful locally p 1 p 2 p n while(1){ 1: if (p 1 ) lock() ; if (p 1 ) unlock() ; 2: if (p 2 ) lock() ; if (p 2 ) unlock() ; n: if (p n ) lock() ; if (p n ) unlock() ; LOCK LOCK, p 1 LOCK, p 1 LOCK, LOCK p 1 LOCK LOCK, p 1 LOCK, p 2 LOCK, p 2 LOCK 2n Abstract States Solution: Use predicates only where needed Using Counterexamples: Q1. Find predicates Q2. Find where predicates are needed

55 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Problem: #Preds grows w/ Program Size Solution: Localize pred. use, find where preds. needed Ctrex. Trace Refine Pred. Map PC a Preds.

56 Counterexample Traces 1: x = ctr; 2: ctr = ctr + 1; 3: y = ctr; 4: if (x = i-1){ 5: if (y!= i){ ERROR: 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) y = x +1

57 Trace Formulas 1: x = ctr 2: ctr = ctr+1 3: y = ctr 4: assume(x=i-1) 5: assume(y i) Trace 1: x 1 = ctr 0 2: ctr 1 = ctr : y 1 = ctr 1 4: assume(x 1 =i 0-1) 5: assume(y 1 i 0 ) SSA Trace x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Trace Feasibility Formula Thm: Trace is feasible TF is satisfiable

58 The Present State Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) is all the information the executing program has here 5: assume(y i) State 1. after executing trace past (prefix) 2. knows present values of variables 3. makes trace future (suffix) infeasible At pc 4, which predicate on present state shows infeasibility of future?

59 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr 0 +1 Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0

60 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix Predicate implied by TF prefix

61 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 x 1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables Predicate implied by TF prefix on common variables

62 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables 3. makes trace suffix infeasible Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable

63 What Predicate is needed? Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula (TF) x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 Relevant Information 1. after executing trace prefix 2. has present values of variables 3. makes trace suffix infeasible Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable

64 Interpolant = Predicate! Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Craig Interpolant [Craig 57] Computable from Proof of Unsat [Krajicek 97] [Pudlak 97] Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 ψ - Interpolate ψ + Φ Æ y 1 i 0 y 1 = x Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable Predicate at 4: y= x+1

65 Interpolant = Predicate! Trace 1: x = ctr 2: ctr = ctr + 1 Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr ψ - 3: y = ctr Æ y 1 = ctr Q. How to compute interpolants 1 Interpolate? Φ 4: assume(x = i-1) Æ x 1 = i 0-1 5: assume(y i) ψ + Predicate at 4: y= x+1 Æ y 1 i 0 y 1 = x Craig Interpolant [Craig 57] Computable from Proof of Unsat [Krajicek 97] [Pudlak 97] Predicate implied by TF prefix on common variables & TF suffix is unsatisfiable

66 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - Predicate Map 2: x= ctr Interpolate ψ + x 1 = ctr 0 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i

67 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - ψ + Predicate Map 2: x = ctr 3: x= ctr-1 Interpolate x 1 = ctr 1-1 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i

68 Building Predicate Maps Trace 1: x = ctr Trace Formula x 1 = ctr 0 Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 2: ctr = ctr + 1 3: y = ctr 4: assume(x = i-1) 5: assume(y i) Æ ctr 1 = ctr Æ y 1 = ctr 1 Æ x 1 = i 0-1 Æ y 1 i 0 ψ - ψ + Interpolate y 1 = x 1 +1 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i

69 Building Predicate Maps Trace 1: x = ctr 2: ctr = ctr + 1 Trace Formula x 1 = ctr 0 Æ ctr 1 = ctr Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 5: y = i 3: y = ctr Æ y 1 = ctr 1 4: assume(x = i-1) Æ x 1 = i 0-1 5: assume(y i) Æ y 1 i 0 Cut + Interpolate at each point Pred. Map: pc i a Interpolant from cut i ψ - ψ + Interpolate y 1 = i 0

70 Local Predicate Use Use predicates needed at location #Preds. grows with program size #Preds per location small Predicate Map 2: x = ctr 3: x= ctr - 1 4: y= x + 1 5: y = i Local Predicate use Ex: 2n states Global Predicate use Ex: 2 n states

71 Property3: Localizing IRP Handler Win NT DDK Program Lines* Previous Time Predicates Time(mins) (mins) Total Average kbfiltr 12k floppy 17k diskprf 14k cdaudio 18k parport 61k DNF parclss 138k DNF * Pre-processed

72 Lazy Abstraction CProgram Abstract Yes Safe Property Refine No Trace Solution: Localize pred. use, find where preds. needed Refine Ctrex. Trace Problem: #Preds grows w/ Program Size Trace Feas Formula Thm Pvr Proof of Unsat Interpolate Pred. Map PC a Preds.

73 Lazy Abstraction: Summary Predicates: Abstract infinite program states Counterexample-guided Refinement: Find predicates tailored to prog, property 1. Abstraction : Expensive Reachability Tree 2. Refinement : Find predicates, use locations Proof of unsat of TF + Interpolation

74 The BLAST Query Language 1. (Possibly Infinite-State) Monitor Automata for Reachability Queries over Program Locations 2. First-Order Imperative Scripting Language for Combining Relations over Program Locations

75 Two-State Locking Monitor GLOBAL int locked; EVENT { PATTERN { init() ACTION { locked = 0; U unlock () lock () unlock () E L lock () EVENT { PATTERN { lock() ASSERT { locked == 0 ACTION { locked = 1; EVENT { PATTERN { unlock() ASSERT { locked == 1 ACTION { locked = 0;

76 Two-State Locking Monitor GLOBAL int locked; EVENT { PATTERN { init() ACTION { locked = 0; EVENT { PATTERN { lock() ASSERT { locked == 0 ACTION { locked = 1; EVENT { PATTERN { unlock() ASSERT { locked == 1 ACTION { locked = 0; lock () U unlock () unlock () E L lock () else REJECT else REJECT

77 Single-Lock Safety Analysis source(l1) := LOC_LABEL(l1, START ); target(l2) := TRUE(l2); error-traces(l1,l2) := REJECT(source,target,monitor); error-locs(l2) := EXISTS(l1,error-traces(l1,l2)); PRINT The following locations are reachable and cause a locking error: ; PRINT error-locs(l2); REJECT(l1,l2,monitor) is the set of all location pairs (l1,l2) such that there is a feasible program trace from l1 to l2 which is rejected by the automaton monitor.

78 Type-State Locking Monitor SHADOW lock_t { int locked; EVENT { PATTERN { init($1) ACTION { $1->locked = 0; EVENT { PATTERN { lock($1) ASSERT { $1->locked == 0 ACTION { $1->locked = 1; EVENT { PATTERN { unlock($1) ASSERT { $1->locked == 1 ACTION { $1->locked = 0;

79 Dead-Code Analysis source(l1) := LOC_LABEL(l1, START ); target(l2) := TRUE(l2); feasible-traces(l1,l2) := ACCEPT(source,target,EMPTY); reached-locs(l2) := feasible-traces(_,l2)); PRINT The following locations are not reachable: ; PRINT!reached-locs(l2);

80 Impact Analysis GLOBAL int defined; INITIAL { defined = 0; EVENT { PATTERN { j = $1; ACTION { defined ++ ; FINAL { defined == 1 else REJECT affected(l1,l2) := ACCEPT(LOC_LHS(l1, j ),LOC_RHS(l2, j ),monitor); PRINT affected(l1,l2);

81 Benefits of Two-Level Specifications 1. Separates properties from programs, while keeping a familiar syntax for writing properties 2. Treats a program as a database of facts that can be queried, and supports macros for traditional temporal-logic specifications 3. Supports the formulation of decomposition strategies for verification tasks 4. Supports the incremental maintenance of properties during program development

82 The BLAST Two-Level Query Language 1. (Possibly Infinite-State) Monitor Automata for Reachability Queries over Program Locations: checked by the BLAST model checking engine 2. First-Order Imperative Scripting Language for Combining Relations over Program Locations: checked by the CrocoPat relational query engine [Beyer, Noack, Lewerentz]

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies Tom Henzinger EPFL Three Verification Communities Model checking: -automatic, but inefficient