Thomas Ball Sriram K. Rajamani

Thomas BallSriram K. Rajamani

http://research.microsoft.com/slam/

Bebop: A Path-sensitive Interprocedural Dataflow

Analysis Engine




What is Bebop?

Model checker for boolean programs

A generic dataflow engine

What are Boolean Programs?

C program with just boolean variables

Used to represent abstractions of C programs

Language for encoding dataflow problems

Agenda

SLAM and boolean programs

Bebop – internals

Current status and future plans

Checking API Usage

Application

C lib | DLL |

COM |…

API

Does an application follow the “proper usage” rules of an API?

State MachineFor Locking

Unlocked Locked Error

U

L

L

U

state {

int locked = 0;

}

Lock.call {

if (locked==1) abort;

else locked = 1;

}

UnLock.call {

if (locked==0) abort;

else locked = 0;

}

Demo

Goal:

Run the state machine through all paths in the program

Problem: Too many paths!

Solution: Data flow analysis

Problem : False alarms

Solution : Better abstraction

False alarmdo { //get the write lock

KeAcquireSpinLock( &devExt->writeListLock );

nPacketsOld = nPackets; request = devExt->WriteListHeadVa;

if(request && request->status){devExt->WriteListHeadVa = request->Next;

KeReleaseSpinLock(&devExt->writeListLock);

...nPackets++;

}} while (nPackets != nPacketsOld);


False alarmdo { //get the write lock


nPacketsOld = nPackets; request = devExt->WriteListHeadVa;



...nPackets++;

}} while (nPackets != nPacketsOld);


Abstractiondo { //get the write lock


nPacketsOld = nPackets; b := true; request = devExt->WriteListHeadVa;



...

nPackets++; b := b ? false : *; }

} while (nPackets != nPacketsOld);


Boolean variable b represents the condition (nPacketsOld == nPackets)

b

b

!bb

Abstractiondo { //get the write lock


nPacketsOld = nPackets; b := true; request = devExt->WriteListHeadVa;



...

nPackets++; b := b ? false : *; }

} while (nPackets != nPacketsOld);



b

b

!bb

Boolean programdo { //get the write lock

KeAcquireSpinLock();

b := true;

if(*){

KeReleaseSpinLock();...

b := b ? false : *; }

} while ( !b );

KeReleaseSpinLock();


b

b

!bb

C program

Boolean program

c2bp

bebop

Fail, p

Pass

newton

GOLF

SLIC

CFG + VFG

predicates

Error GUI

Spec.

predicates

Agenda

SLAM and boolean programs

Bebop – internals

Current status and future plans

Interprocedural dataflow analysis

[Sharir-Pnueli, 1981] “functional approach” (v) = maps facts from “entry” to facts at v inefficient algorithm

[Reps-Horwitz-Sagiv, POPL’95] construct “exploded supergraph”

product of CFG and dataflow facts efficient refinement of Sharir-Pnueli iterative addition of edges to graph

“path edges”: <entry,d1> -> <v,d2> “summary edges”: <call,d1> -> <return,d2>

decl g;void main()decl u,v; [1] u := !v;

[2] equal(u,v);

[3] if (g) then R: skip;

fi [4] return;

void equal(a, b)

[5] if (a = b) then [6] g := 1; else [7] g := 0; fi [8] return;

[1] [1] [1]

[2] [2]

u!=v

g=0

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

u=v

g=0

u!=v

g=1

u=v

g=1

Symbolic dataflow analysis

Do not construct explicit “exploded supergraph”

Represent “path edges” and “summary edges” implicitly (using BDDs)

[Ball, Rajamani, SPIN 2000]

Binary Decision Diagrams [Bryant]

Ordered decision tree for f = a b c d

0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0

d d d d d d d

c c c c

0 1

0 1 0 1

0 1 0 1 0 1 1

b b

a

d

OBDD reduction

a

b b

c c

d d

0 1

0

01

01

01

1

10

01

01

f = a b c d

Difficulty

Do not want to encode control flow graph with BDDs

Solution: No need to represent the CFG “source”

<entry,d1> -> <v,d2>

Partition path edges by their “target”! PE(v) = { <d1,d2> | <entry,d1> ->

<v,d2> } use a BDD to represent PE(v)


[2] equal(u,v);


fi [4] return;

[1] [1] [1]

[2] [2]

u!=v

g=0

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

u=v

g=0

u!=v

g=1

u=v

g=1

void equal(a, b)



[2] equal(u,v);


fi [4] return;

[1] [1] [1]

[2] [2]

u!=v

g=0

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

u=v

g=0

u!=v

g=1

u=v

g=1

void equal(a, b)



[2] equal(u,v);


fi [4] return;

[1] [1] [1]

[2] [2]

[5] [5]

[7]

[3]

[4]

[1]

[8]

[7]

g=g’& u=u’& v=v’

g=g’& v!=u’ & v=v’

g=g’ & a=a’ & b=b’ & a!=b

g’=0 & v’!=u’ & v=v’

g’=0 & v!=u’ & v=v’

g=g’& a=a’ & b=b’& a!=b

g’=0 & a=a’ & b=b’& a!=b

void equal(a, b)


Boolean Programs

A target language for encoding finite interprocedural program analyses

All the control-flow primitives of C, including procedures and recursion direct mapping of control-flow ease programming of DFA

Boolean variables represent finite sets of dataflow facts implicit three-valued logic via BDDs

void foo( int *p, int *q) if( p != NULL)

q = p; if( p != NULL)

*q = *p + 1;

void foo( bool bp, bool bq) if(bp)

bq = bp; if(bp)

skip

Nullness analysis

C programBoolean program

Performance

Complexity: O(E * 2O(N)

) E is the size of the CFG N is the max. number of variables in scope

Some execution times 300 line C driver in 9 seconds

37 predicates 1,100 line boolean program 300 boolean variables

7,000 line C driver in 8 seconds 22 predicates 16,000 line boolean program 400 boolean variables

Conclusions

Boolean programs – a generic model Abstractions in model checking

software Adding predicate sensitivity to dataflow

Bebop – a symbolic dataflow analyzer Explicit representation of CFG Implicit representation of path edges

and summary edges Generation of hierarchical error traces

In progress

Separate compilation Combine top-down and bottom-up

Precision/efficiency tradeoff Cartesian abstraction Partition the BDDs

don’t track all correlations large amount of work to draw upon

from symbolic model checking

Software Productivity ToolsMicrosoft Research


Documents

Thomas Ball Sriram K. Rajamani