• No results found

SLAM Motivation & Example

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SLAM Motivation & Example"

Copied!
21
0
0

Loading.... (view fulltext now)

Download now ( 21 Page )

Full text

(1)

SLAM

Motivation & Example

Verification & Testing

Roderick Bloem

(2)

This week: SLAM

Automatically verify properties of drivers

Part of MS Windows Driver Kit (called the Static

Driver Verifier)

Key: automatic abstraction

Based on: Ball & Rajamani, Automatically Validating

Temporal Safety Properties of Interfaces, SPIN

Workshop on Software Model Checking, 2001

(3)

Why Drivers?

Drivers are…

…critical

– Run in kernel space, wreak havoc

…not under MS control

– Developed by hardware companies (limited understanding of Windows)

– Cannot: verify correctness, impose coding standards, educate

designers,

…simple

– Small code base

– Important properties: locking protocol, …

(4)

The Approach

C Program Abstract Abstract

Program Boolean Model Checker Counterexample Analyze counterexample on original program True counterexam ple? NO YES

BUG

Predicates

(initially empty) Correct?

NO

YES

C Program

(5)

The Approach

Construct abstraction of program.

Abstraction adds behavior

Abstraction may have counterexample that is

impossible on real program

Make abstraction more precise until

The abstraction contains no counterexamples

We find a real bug

We use predicate abstraction

(6)

Approach

First set of predicates is empty

Abstraction engine uses predicates to construct Boolean Program

– First approximation has only data flow, no variables

Run model checker for Boolean programs

– No counterexample? C program is correct! Stop.

Analyze counterexample

– If it is real, we have found a real bug. Stop

– If not, add predicates to make abstraction more precise. Start from 2.

(7)

Boolean Programs

• Functions with parameters, recursion

• Global and local Variables

• No mallocs and frees

• Only Boolean (one-bit) variables; no integers

• Nondeterminism: *

• assert , assume

Theory: Boolean programs are pushdown automata

– Checking Boolean programs is not hard (algorithm next

week)

(8)

Some Syntax

a ? b : c

meaning: if a then b else c.

Example: b = c ? 2 : 3

• assert(e)

• meaning: dump core unless e is true

• assume(e)

• meaning: executions with e false are irrelevant.

• *

• meaning: function that evaluates to 0 or 1

nondeterministically

– example: if(*) b = 1; else b=2; evaluates to b=1

or b=2, but never to b=3.

– * is a function, not a value (After b = *, b equals 0 or 1,

b cannot equal *)

(9)

Choose

SLAM papers use choose function:

choose(f, g) is the same as

f ? true : (g? false: *);

i.e.,

• If f is true then true,

• if g is true then false,

• if neither are true then nondeterministic

• Both are true should be impossible

(10)

Example: Specification

int isLocked = 0;

void lock(){

assert(!isLocked);

isLocked = true;

}

void release(){

assert(isLocked);

isLocked = false;

}

(11)

5 req = devExt->WLHV;

6 if(req && req-> status){

7 devExt->WLHV = req->next; 8 release(); 9 irp = req->irp; 10 if(req->status > 0){ 11 irp->IoS.status = SUCCESS; 12 irp->IoS.Info = req->Stat; 13 } else { 14 irp->IoS.status = FAIL; 15 irp->IoS.Info = req->Stat; 16 } 17 smartDevFreeBlock(req); 18 IoCompleteRequest(irp); 19 nPackets++;

(12)

Counterexample

3. lock(); 4. skip; 5. skip; 6. { 7. skip; 8. release(); 9. skip; 10. { 11. skip; 12. skip; 13. } 14. 15. 16. 17. skip; 18. skip; 19. skip; 20. } 21. } 22. release();

(13)

5 req = devExt->WLHV;

6 if(req && req-> status){

7 devExt->WLHV = req->next; 8 release(); 9 irp = req->irp; 10 if(req->status > 0){ 11 irp->IoS.status = SUCCESS; 12 irp->IoS.Info = req->Stat; 13 } else { 14 irp->IoS.status = FAIL; 15 irp->IoS.Info = req->Stat; 16 } 17 smartDevFreeBlock(req); 18 IoCompleteRequest(irp); 19 nPackets++;

(14)

5 req = devExt->WLHV; req = devExt->WLHV;

6 if(req && req-> status){ if(req && req-> status){

7 devExt->WLHV = req->next; devExt->WLHV = req->next;

8 release(); release();

9 irp = req->irp; irp = req->irp;

10 if(req->status > 0){ asssume(req->status > 0){

11 irp->IoS.status = SUCCESS; irp->IoS.status = SUCCESS;

12 irp->IoS.Info = req->Stat; irp->IoS.Info = req->Stat;

13 } else { } else {

14 irp->IoS.status = FAIL; irp->IoS.status = FAIL;

15 irp->IoS.Info = req->Stat; irp->IoS.Info = req->Stat;

16 } }

17 smartDevFreeBlock(req); smartDevFreeBlock(req);

18 IoCompleteRequest(irp); IoCompleteRequest(irp);

(15)

5 req = devExt->WLHV;

6 if(req && req-> status){

7 devExt->WLHV = req->next; 8 release(); 9 irp = req->irp; 10 asssume(req->status > 0){ 11 irp->IoS.status = SUCCESS; 12 irp->IoS.Info = req->Stat; 13 } else { 14 irp->IoS.status = FAIL; 15 irp->IoS.Info = req->Stat; 16 } 17 smartDevFreeBlock(req); 18 IoCompleteRequest(irp); 19 nPackets++;

(16)
(17)

Counterexample Infeasible?

(18)

5 req = devExt->WLHV;

6 if(req && req-> status){

7 devExt->WLHV = req->next; 8 release(); 9 irp = req->irp; 10 if(req->status > 0){ 11 irp->IoS.status = SUCCESS; 12 irp->IoS.Info = req->Stat; 13 } else { 14 irp->IoS.status = FAIL; 15 irp->IoS.Info = req->Stat; 16 } 17 smartDevFreeBlock(req); 18 IoCompleteRequest(irp); 19 nPackets++;

(19)

2.

do{

3.

lock();

4.

b = true;

5.

skip;

6.

if(*){

7.

skip;

8.

release();

9.

skip;

10.

if(*){

11.

skip;

12.

skip;

13.

} else {

14.

skip;

15.

skip;

16.

}

17.

skip;

18.

skip;

19.

b = b ? false: *;

20.

}// if

21.

} while(!b);

(20)

Second Boolean Program

(21)

The Approach

C Program Abstract Abstract

Program Boolean Model Checker Counterexample Analyze counterexample on original program True counterexam ple? NO YES

BUG

Predicates

(initially empty) Correct?

NO

YES

C Program

References

Download now ( PDF - 21 Page - 489.45 KB )

Related documents

Alternative to Comprehensive Ecosystem Services Markets: The Contribution of Forest-Related Programs in New Zealand

Figure 1: Conceptual framework for the study (Henkens et al., 2007) Impact on ecosystem (structure & processes) Ecosystem goods & services or ES (provisioning,

Risk-aware Path and Motion Planning for a Tethered Aerial Visual Assistant in Unstructured or Confined Environments

The intellectual merit of the proposed work has three facets: a reasoning framework for robot motion risk including a formal risk definition and an explicit risk representation

GUIDE 6: Can we claim on?

contents in exchange. If the purchaser of the hamper decides to pay over the market value for the hamper, ‘for the good of the cause.’ The excess amount paid over-and above

London Metropolitan Archives. Information Leaflet Number 66. Imprisoned debtors

Records of the prisons in the City of London and Southwark where most debtors were confined, the Fleet, the Marshalsea, and King’s (or Queen’s) Bench are held by The National

From smart to deep: Robust activity recognition on smartwatches using deep learning

Motivated by the untapped potential of mobile deep learning combined with increased embedded systems resources, we report here on a systematic study of the benefits to smartwatch-

Configuring POS. POS on the ML-Series Card. ML-Series SONET and SDH Circuit Sizes CHAPTER

For step-by-step instructions on configuring an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide..

Trust on the Web: A model for online discussions

Proofs can be a direct set of statements but may also include provenance information (information about how the proof was generated). Trust can then be established,

BotTorrent: Misusing BitTorrent to Launch DDoS Attacks

The easiest way to launch such an attack would be to pub- lish a torrent file that contains the IP address(es) of a victim as the main tracker or as a list of trackers.. However,