Automatic Predicate Abstraction of C Programs: The C2bp Tool - Prof. William Pugh, Study notes of Computer Science

The C2bp tool is an automatic predicate abstractor for C code developed by Microsoft Research and UC Berkeley. The tool handles the complex constructs of C, such as pointers, recursion, and structs, and provides a modular abstraction of procedures. It operates on an intermediate representation of the code and uses a provably sound algorithm to produce a boolean program that preserves the temporal properties of the original program. The tool has been successfully applied to verify properties of device drivers and other software systems.

Uploaded on 02/13/2009

Automatic Predicate Abstraction of C Programs

Thomas Ball, Microsoft
Rupak Majumdar, UC Berkeley
Todd Millstein, U Washington
Sriram K. Rajamani, Microsoft

http://research.microsoft.com/slam/
Software Productivity Tools
    do {
        // get the write lock
        AcquireLock(&dev->lock);
        nPacketsOld = nPackets;
        request = dev->WriteListHeadVa;
        if (request && request->status) {
            dev->WriteListHeadVa = request->Next;
            ReleaseLock(&dev->lock);
            irp = request->irp;
            if (request->status > 0) {
                irp->IoStatus.Status = STATUS_SUCCESS;
                irp->IoStatus.Information = request->Status;
            } else {
                irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
                irp->IoStatus.Information = request->Status;
            }
            SmartDevFreeBlock(request);
            IoCompleteRequest(irp, IO_NO_INCREMENT);
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    ReleaseLock(&dev->lock);

Question: Is locking protocol respected?
Verifying Temporal Properties of Software

Boolean program B for the loop above, with b standing for the predicate nPackets == nPacketsOld:

    do {
        AcquireLock();
        b = true;
        if (*) {
            ReleaseLock();
            b = b ? false : *;
        }
    } while (!b);
    ReleaseLock();

Predicate Abstraction

Tool chain:
    C program P, predicates E = {e1,...,en}
        --> Predicate Abstraction (C2bp) --> Boolean program
        --> Model Checking (Bebop) [PASTE 2001, Spin 2000] --> yes / no
        no --> Predicate Discovery (Newton) --> new predicates added to E, and the cycle repeats

C2bp: Predicate Abstraction for C Programs

Given
  - P : a C program
  - E = {e1,...,en} : set of C boolean expressions over the variables in P
    (no side effects, no procedure calls)

Produce a boolean program B
  - same control-flow structure as P
  - only vars are 3-valued booleans {b1,...,bn}
  - properties true of B are true of P

Strengthening

S(e) is the best predicate over {e1,...,en} that implies e:
  - a minterm is a conjunction d1 ^ ... ^ dn, where di = ei or di = !ei
  - S(e) = disjunction of all minterms that imply e
  - use a decision procedure to check each implication

Abstracting Assignments

  - S(wp(s, ei)) is true before s implies predicate ei is true after s
  - S(!wp(s, ei)) is true before s implies predicate ei is false after s

    bi = S(wp(s, ei))  ? true  :
         S(!wp(s, ei)) ? false : *;

Assignment Example

Statement in P:           y = y+1;
Predicates in E:          {x==y}
Weakest Precondition:     wp(y=y+1, x==y) = x==y+1
Strengthenings:           S(x==y+1) = false
                          S(x!=y+1) = x==y
Abstraction of s in B:    b = b ? false : *;
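The strengthening and assignment abstraction above, worked as an added example in Python (not code from the C2bp tool or the slides). Predicates are functions over a program state, wp is computed semantically, and the implication checks use exhaustive evaluation over a small bounded domain of x and y as a stand-in for the theorem prover, which is an assumption of this example; the same code handles any number of predicates.

```python
from itertools import product
# Bounded state space (assumption of this example): enumeration over it stands in
# for the theorem prover C2bp calls, so the implication checks are sound only here.
VARS = ("x", "y")
STATES = [dict(zip(VARS, v)) for v in product(range(-3, 4), repeat=len(VARS))]

def minterm(preds, signs):
    """d1 ^ ... ^ dn with di = ei when signs[i] is True and di = !ei otherwise."""
    return lambda s: all(p(s) == sign for p, sign in zip(preds, signs))

def implies(ante, cons, states=STATES):
    """ante => cons, checked by enumeration (the stand-in decision procedure)."""
    return all(cons(s) for s in states if ante(s))

def strengthen(e, preds, states=STATES):
    """S(e): the minterms over E (as sign tuples) whose disjunction is the best predicate implying e."""
    return {signs for signs in product((True, False), repeat=len(preds))
            if implies(minterm(preds, signs), e, states)}

def wp(assign, e):
    """wp(s, e) for an assignment given as a state transformer: e[t/x], evaluated semantically."""
    return lambda s: e(assign(dict(s)))

def render(minterms, names):
    """Disjunction of minterms over the boolean variables of B ('false'/'true' when empty/full)."""
    if not minterms:
        return "false"
    if len(minterms) == 2 ** len(names):
        return "true"
    cubes = [" && ".join(n if sg else "!" + n for n, sg in zip(names, m)) for m in sorted(minterms)]
    return " || ".join(c if len(names) == 1 else f"({c})" for c in cubes)

def abstract_assignment(assign, preds, names, states=STATES):
    """Emit bi = S(wp(s,ei)) ? true : S(!wp(s,ei)) ? false : *; for every bi, dropping arms that are false."""
    lines = []
    for name, e in zip(names, preds):
        w = wp(assign, e)
        s_true = render(strengthen(w, preds, states), names)
        s_false = render(strengthen(lambda s: not w(s), preds, states), names)
        rhs = "*"
        if s_false != "false":
            rhs = f"{s_false} ? false : {rhs}"
        if s_true != "false":
            rhs = f"{s_true} ? true : {rhs}"
        lines.append(f"{name} = {rhs};")
    return lines
# The slide's example: s is y = y+1, E = {x==y}, tracked in B by the boolean b.
y_plus_1 = lambda s: {**s, "y": s["y"] + 1}
E = [lambda s: s["x"] == s["y"]]
print(abstract_assignment(y_plus_1, E, ["b"]))   # ['b = b ? false : *;']
```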

Handling Pointers

Statement in P:           *p = 3;
Predicates in E:          {x==5}
Weakest Precondition:     wp(*p=3, x==5) = x==5

What if *p and x alias?

Correct Weakest Precondition:
                          (p==&x && 3==5) || (p!=&x && x==5)

We use Das's pointer analysis [PLDI 2000] to prune disjuncts representing infeasible alias scenarios.
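The aliasing case above, as an added example (not the tool's code): a small AST for predicates, textbook substitution for wp, and a points-to set `may_alias` that stands in for the result of Das's pointer analysis (an assumed input, not computed here) to prune the infeasible alias disjuncts.

```python
# Predicates are small ASTs: ("==", a, b), ("!=", a, b), ("&&", ...), ("||", ...).
# Atoms are variable names (str), integer constants (int) or addresses "&x".

def subst(e, var, term):
    """e[term/var]: the textbook wp of the assignment var = term."""
    if isinstance(e, tuple):
        return (e[0],) + tuple(subst(a, var, term) for a in e[1:])
    return term if e == var else e

def free_vars(e):
    """Variables mentioned in e (addresses such as "&x" are not variables)."""
    if isinstance(e, tuple):
        return set().union(*(free_vars(a) for a in e[1:]))
    return {e} if isinstance(e, str) and not e.startswith("&") else set()

def wp_store(p, term, e, may_alias):
    """wp(*p = term, e): one disjunct per variable v of e that p may point to
    (p == &v && e[term/v]) plus the no-alias case (p != &v for all such v && e).
    may_alias[p] is the points-to set an alias analysis computed for p; variables
    outside it are infeasible alias scenarios, so their disjuncts are pruned."""
    targets = sorted(v for v in free_vars(e) if v in may_alias.get(p, ()))
    if not targets:                      # p cannot touch e: wp is e itself
        return e
    cases = [("&&", ("==", p, "&" + v), subst(e, v, term)) for v in targets]
    cases.append(("&&", *[("!=", p, "&" + v) for v in targets], e))
    return ("||", *cases)

def render(e):
    """Print an AST in C syntax, parenthesising conjunctions."""
    if not isinstance(e, tuple):
        return str(e)
    op, args = e[0], [render(a) for a in e[1:]]
    if op in ("==", "!="):
        return op.join(args)
    text = f" {op} ".join(args)
    return f"({text})" if op == "&&" else text

# The slide's example: statement *p = 3, predicate x==5.
X_IS_5 = ("==", "x", 5)
# Constructed alias facts: p may point to x (or z), so the alias case is kept.
print(render(wp_store("p", 3, X_IS_5, {"p": {"x", "z"}})))
# (p==&x && 3==5) || (p!=&x && x==5)
# If the analysis shows p can only point to z, the alias disjunct is pruned and
# wp collapses to the naive x==5 from the slide.
print(render(wp_store("p", 3, X_IS_5, {"p": {"z"}})))        # x==5
```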

Abstracting Conditionals

in P:
    if (expr) {...} else {...}

in B:
    if (*) { assume(W(expr)); ... }
    else   { assume(W(!expr)); ... }

weakening: W(expr) = !S(!expr)

Handling Procedures

  - each predicate in E is annotated as being either global or local to a particular procedure
  - procedures abstracted in two passes:
      - a signature is produced for each procedure in isolation
      - procedure calls are abstracted given the callees' signatures

Predicate-sensitive Alias Analysis

    prev = NULL; newl = NULL;
    while (curr) {
        next = curr->next;
        if (curr->val > v) {
            if (prev) prev->next = next;
            curr->next = newl;
        L:  newl = curr;
        } else
            prev = curr;
        curr = next;
    }

Predicates:
    prev == NULL
    curr == NULL
    prev->val > v
    curr->val > v

    (curr!=NULL) && ( prev==NULL || (prev->val <= v) && (curr->val > v) )
    implies (prev != curr) at label L