Automatically validating temporal safety properties of interfaces
We present a process for validating temporal safety properties of software that uses a well-defined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The process is realized in the SLAM toolkit, which consists of a model checker, a predicate abstraction tool and a predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found that the process converges on a set of predicates powerful enough to validate properties in just a few iterations.
Keywords: Model Checking, Theorem Prover, Boolean Variable, Safety Property, Abstract Interpretation
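The loop the abstract describes (state a property, abstract the program with respect to a set of predicates, model check the abstraction, test the counterexample, discover new predicates, repeat) is shown below as an added illustration in Python. It is not SLAM's code and not from the paper: the driver loop, the finite data domain (counters as ints mod 3), the replacement of theorem-prover calls by brute-force enumeration, and the refinement heuristic (harvesting branch conditions on the spurious path rather than SLAM's weakest-precondition analysis) are all assumptions constructed for the example. The lock discipline is the property automaton `lock_step`; `DRIVER` is a correct loop whose first abstraction yields a spurious counterexample, and `BUGGY` is a variant with a real double acquire.

```python
"""Toy counterexample-guided abstraction refinement (CEGAR) for a lock-discipline property.
Illustration only, not SLAM's code: theorem-prover queries are replaced by enumeration over
a small finite domain, and predicate discovery harvests the branch conditions on the spurious
path instead of SLAM's weakest-precondition analysis."""
from collections import deque
from itertools import product

# Constructed finite domain: the two counters are ints mod 3, request is a flag.
DOMAIN = {"nPackets": (0, 1, 2), "old": (0, 1, 2), "request": (0, 1)}
ALL_STATES = [dict(zip(DOMAIN, vals)) for vals in product(*DOMAIN.values())]

# Instruction forms: ("acquire",) ("release",) ("skip",) ("halt",) ("assign", var, fn)
# ("havoc", var) ("branch", name, cond, pc_if_true, pc_if_false).  DRIVER is a constructed
# model of the driver loop behind the locking example; BUGGY drops the release in the body.
DRIVER = [
    ("acquire",),                                                        # 0
    ("assign", "old", lambda s: s["nPackets"]),                          # 1  old = nPackets
    ("havoc", "request"),                                                # 2  request = next
    ("branch", "request", lambda s: s["request"] != 0, 4, 6),            # 3  if (request)
    ("release",),                                                        # 4
    ("assign", "nPackets", lambda s: (s["nPackets"] + 1) % 3),           # 5  nPackets++
    ("branch", "nPackets!=old", lambda s: s["nPackets"] != s["old"], 0, 7),  # 6  loop test
    ("release",),                                                        # 7
    ("halt",),                                                           # 8
]
BUGGY = list(DRIVER)
BUGGY[4] = ("skip",)

def step(prog, pc, s):
    """Concrete successors (pc', state') of one instruction; havoc is nondeterministic."""
    ins = prog[pc]
    if ins[0] == "halt":
        return []
    if ins[0] == "assign":
        return [(pc + 1, {**s, ins[1]: ins[2](s)})]
    if ins[0] == "havoc":
        return [(pc + 1, {**s, ins[1]: v}) for v in DOMAIN[ins[1]]]
    if ins[0] == "branch":
        return [(ins[3] if ins[2](s) else ins[4], s)]
    return [(pc + 1, s)]            # acquire, release, skip leave the data state alone

def lock_step(ins, held):
    """Property automaton: acquire and release must alternate. Returns (held', error)."""
    if ins[0] == "acquire":
        return True, held           # acquiring a held lock is the error
    if ins[0] == "release":
        return False, not held      # releasing a free lock is the error
    return held, False

def abstract(s, preds):
    return tuple(bool(p(s)) for _, p in preds)

def model_check(prog, preds):
    """Reachability over (pc, abstract state, lock held); each abstract transition is computed
    by enumerating the concrete states it covers. Returns an error path (pcs) or None."""
    start = {(0, abstract(s, preds), False) for s in ALL_STATES}
    parent = {n: None for n in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        pc, a, held = node
        held2, err = lock_step(prog[pc], held)
        if err:
            path = []
            while node is not None:
                path.append(node[0])
                node = parent[node]
            return path[::-1]
        for s in (c for c in ALL_STATES if abstract(c, preds) == a):
            for pc2, s2 in step(prog, pc, s):
                nxt = (pc2, abstract(s2, preds), held2)
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
    return None

def feasible(prog, path):
    """Does some concrete run follow exactly this pc sequence? (stands in for the prover check)"""
    states = list(ALL_STATES)
    for pc, pc2 in zip(path, path[1:]):
        states = [s2 for s in states for p, s2 in step(prog, pc, s) if p == pc2]
    return bool(states)

def verify(prog, max_iters=5):
    """Abstract, check, refine until the property is validated or a real counterexample appears."""
    preds = []
    for it in range(1, max_iters + 1):
        path = model_check(prog, preds)
        if path is None:
            return ("verified", [n for n, _ in preds], it)
        if feasible(prog, path):
            return ("bug", path, it)
        before = len(preds)
        for pc in path:             # refinement: start tracking the branch conditions the path used
            ins = prog[pc]
            if ins[0] == "branch" and ins[1] not in [n for n, _ in preds]:
                preds.append((ins[1], ins[2]))
        if len(preds) == before:
            return ("unknown", path, it)
    return ("unknown", None, max_iters)
```

`verify(DRIVER)` first finds the spurious path that goes around the loop without taking the `if` (which needs `nPackets != old` right after `old = nPackets`), adds that condition as a predicate, and validates the property on the second iteration; `verify(BUGGY)` reports a concretely feasible path with the second acquire, so the counterexample is a real bug rather than an abstraction artifact.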