algorithmic software verification rajeev alur university of pennsylvania aro review, may 2005

Algorithmic Software Verification

Rajeev Alur

University of Pennsylvania

ARO Review, May 2005

Software Model Checking

Code Abstractor Model

Verifier Specification

Yes

Counter-example

Predicate abstraction

Finite-stateBoolean vars

On-the-fly explicit stateOr Symbolic fixpoint evaluation

LTL/CTL/Automata Regular!

Observables

Abstracting Modular Programs

main() { bool y; … x = P(y); … z = P(x); …}bool P(u: bool) {…return Q(u);}bool Q(w: bool) { if … else return P(~w)}

A2

A1

A3

A2

A2

A3

A3

A1Entry/Inputs

Exit/outputs

Box (function-calls)

Program Recursive State Machine (RSM)/ Pushdown automaton

Software Model Checking



Yes

Counter-example


Recursive State Machines

On-the-fly explicit state(see poster for VERA)

LTL/CTL/Automata Regular!

Observables

LTL

Linear-time Temporal Logic (LTL)

Q ::- p | not Q | Q or Q’ | Next Q | Always Q | Eventually Q | Q Until Q’

Interpreted over (infinite) sequences.Models of any LTL formula is a regular language.Useful for stating sequencing properties:

If req happens, then req holds until it is granted: Always ( req → (req Until grant) )

An exception is never raised: Always ( not Exception )

LTL is not expressive enough

LTL cannot express:

Classical Hoare-style pre/post conditions If p holds when procedure A is invoked, q holds upon

return Total correctness: every invocation of A terminates Integral part of emerging standard JML

Stack inspection properties For security/access control

If a setuuid bit is being set, process root must be in the call stack

Above requires matching of calls with returns, orfinding unmatched calls --- Context-free properties!

Context-free specifications

But model-checking context-free properties against context-free models is Undecidable.

However, the properties described are verifiable.

Existing work in security that handles some stack inspection properties [JMT99,JKS03]

Adding assert statements in the program (with additional local variables, if needed), and then checking regular properties (e.g. reachability) amounts to checking context-free properties

CARET

CARET: A temporal logic for Calls and Returns Expresses context-free properties

A

B

C

A

Global successor used by LTL

………….

CARET


A

B

C

D


………….

Local successor: Jump from calls to returns Otherwise global successor at the same level

CARET


A

B

C

A


………….


CARET


A

B

C

A


………….


Local path

CARET


A

B

C

A


………….


Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes

CARET


A

B

C

A


………….

Abstract successor: Jump from calls to returns Otherwise global successor at the same level

Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes

Caller path gives the stack content!

Expressing properties in Caret

Pre-post conditions If P holds when A is called, then Q must hold when

the call returns

Always ( (P and call-to-A) Local-Next Q )

A

PQ

Pre-post conditions are integral to specifications for JML (Java Modeling Language)


If A is called with low priority, then it cannot access the file Always ( call-to-A and low-priority

Local-Always ( not access-file ) )

Alowpriority

Ahighpriority access-file


Stack inspection properties

If variable x is accessed, then A must be on the call stack Always ( access-to-x

CallerPath-Eventually call-to-A )

access-to-x

A

Model checking CARET

Given: A (boolean) recursive state machine/ pushdown automaton M A CARET formula Q

Model-checking: Do all runs of M satisfy the specification Q?

CARET can be model-checked in time that is polynomial in M and exponential in Q.

|M|3 . 2O(|Q|)

Complexity same as that for LTL !

Model-checking CARET: intuition

Main Idea: The specification matches calls and returns of the program. Hence the push (pop) operations of the model and the

specifications synchronize Given M and formula Q,

Build a Buchi pushdown automaton that accepts words exhibited by M that satisfy (not Q) Check this pushdown automaton for emptiness Specification automaton also pushes onto the stack!

s, Q1

sPush s and Q1

Local-Next Q1 Pop s and Q1 ;

Check Q1

Can we generalize the idea?

LTL Regular Languages

CARET ?

Must be asuperset of CARET

Must be model-checkableagainst pushdown

models

Generalizing the idea

Structured words: Partitioned alphabet:

Σ = Spush Spop Sinternal

Consider finite words over Σ

A visibly pushdown automaton over Σ is a pushdown automaton that pushes a symbol onto the stack on a letter in Spush

pops the stack on a letter in Spop

cannot change the stack on a letter in Sinternal

Note: Stack size at any time is determined by the input wordbut not the stack content

A language is a VPL over a partitioned alphabet Σ, if there is a visibly pushdown automata that accepts it (acceptance by final state)

CARET is contained in VPLModel-checking:

CARET Q VPL LQ

Pushdown model M VPL LM

M satisfies Q iff LM LQ = (Emptiness of pushdown automata is decidable)

Visibly pushdown languages (VPL)

VPL is closed under boolean operations: union, intersection and complement

VPL

VPLs are also determinizable (Consequence: Runtime monitors for CARET/VPL can be built)

We have also extended this class to languages of infinite words.

Regular Lang

DCFL

CFL

VPL

VPL

Regular

CFL

DCFL

VPL

L

PSPACE

Emptiness Inclusion

Yes Yes Yes NLOG

Yes No No

No

UndecPTIME

No Yes PTIME Undec

Yes Yes Yes PTIME Exptime

VPL: Connection to tree languages

Let w = i5 c1 i1 c2 i4 i3 i3 r3 c1 i1 r1 r5 i5 i3

i5

c1

r5i1

c2

i4

i3

i3

i5

i3r3

Stack trees

r1

c1

i1

VPL: Connection to tree languages

Tree-language characterization:

Let L be a set of strings and let ST(L) be the set of stack trees that correspond to L.

Then L is a VPL iff ST(L) is a regular tree language

VPL is robust

Visibly pushdownlanguages

Regular stack-trees

Monadic second order logic with a matching predicate

Context-free Grammar Subset (generalizes Knuth’s Parantheses Languages)

ω-VPL - extension to infinite words

A Büchi VPA: VPA over infinite strings A word is accepted if along a run, the set QF is seen infinitely

often

ω-VPL – class of languages accepted by Büchi VPAs

ω-VPL is closed under all boolean operations Characterization using regular trees and MSO characterization hold.

However, ω-VPLs are not determinizable!

Let L be the set of all words such that the stack is “repeatedly bounded”

i.e. n. the stack depth is n infinitely often.

L is an ω-VPL but there is no deterministic Muller VPA for it.

“Regular-like” properties continue..

Congruences and minimization (Myhill-Nerode Theorem) cornerstone of theory of regular languages

Given a language L, for well-matched words u and v, define u ~L v iff for all words x and y, xuy in L iff xvy in L

Theorem: A language L of well-matched words is a VPL iff the congruence ~L is of finite index

Minimization No unique minimal deterministic VPA in general, but… Minimization of RSMs (i.e. procedural boolean programs)

possible. Partitioning into k procedures/modules is adequate to get canonicity!

Conclusions

Exposing calls and returns leads to an interesting subclass of context-free languages

VPLs seem robust and adequate to model software analysis problems

Publications: TACAS’04, STOC’04, TACAS’05, ICALP’05

Coauthors: S. Chaudhuri, K. Etessami, V. Kumar, P. Madhusudan, M. Viswanathan

Active area of current research DTDs, XML, and query languages Branching-time logics, Fixpoint calculus, and visibly

pushdown tree automata

New Foundations for Software Model Checking



Yes

Counter-example


Recursive State machines+

Boolean vars

On-the-fly explicit stateOr Symbolic fixpoint evaluation

Caret/VPAs/VPVPLs

ObservableCalls/rets

algorithmic software verification rajeev alur university of pennsylvania aro review, may 2005

Documents

local successor

contextfree models

abstract successor

matching of calls

regular properties

exception ltl

ltl formula

orfinding unmatched