SLAM2: Static driver verification with under 4% false alarms

In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms. In practice, CEGAR can still report false alarms because: (1) the underlying problem CEGAR is trying to solve is undecidable; (2) approximations introduced for optimization purposes may leave CEGAR unable to eliminate a false alarm; (3) CEGAR has no termination guarantee, so if it runs out of time or memory the last counterexample generated is reported even though it has been neither confirmed as a real error nor proven to be a false alarm. We report on advances in the SLAM analysis engine, which implements CEGAR for C programs using predicate abstraction, that greatly reduce the false alarm rate. SLAM is used by the Static Driver Verifier (SDV) tool. Compared to the first version of SLAM (SLAM1, shipped in SDV 1.6), the improved version (SLAM2, shipped in SDV 2.0) reduces the percentage of false alarms from 25.7% to under 4% for the WDM class of device drivers. For the KMDF class of device drivers, SLAM2 has under 0.05% false alarms. The variety and the volume of our experiments with SDV and SLAM2 significantly exceed those performed for other CEGAR-based model checkers. These results made it possible for SDV 2.0 to be applied as an automatic and required quality gate for Windows 7 device drivers.
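The CEGAR loop the abstract describes, as an added worked example that is not code from the SLAM or SDV projects. It runs Boolean predicate abstraction over a small driver-style lock/unlock program (constructed here), searches the abstraction for a path to an error location, checks the abstract counterexample by computing the weakest precondition of the path, and either reports a real bug, refines the predicate set and iterates, or, when its round budget is exhausted, returns 'unknown' with the last counterexample unresolved (point (3) in the abstract). The program, the initial predicate, the refinement heuristic, and the brute-force bounded-domain "decision procedure" are all assumptions of this example; the real engine uses an SMT solver (Z3) for the satisfiability and implication checks.

```python
"""Toy CEGAR loop with Boolean predicate abstraction, in the spirit of SLAM.
Added example, not SLAM/SDV code: program, initial predicate, refinement heuristic
and the bounded-domain "decision procedure" are constructed here (SLAM uses Z3)."""
import itertools
from collections import deque

# Expressions: ('var', name) | ('const', n) | ('gt'|'eq', a, b) | ('not', a)
def ev(e, env):
    if e[0] == 'var':   return env[e[1]]
    if e[0] == 'const': return e[1]
    if e[0] == 'not':   return not ev(e[1], env)
    a, b = ev(e[1], env), ev(e[2], env)
    return a > b if e[0] == 'gt' else a == b

def subst(e, var, by):  # e[by/var]: the weakest precondition of 'var := by' for e
    if e[0] == 'var':   return by if e[1] == var else e
    if e[0] == 'const': return e
    return (e[0],) + tuple(subst(x, var, by) for x in e[1:])
has_var = lambda e: e[0] == 'var' or any(has_var(x) for x in e[1:] if isinstance(x, tuple))

VARS, DOMAIN = ['x', 'y', 'locked'], range(-1, 3)  # ASSUMPTION: tiny domain stands in for SMT

def sat(*conj):  # brute-force satisfiability of a conjunction over DOMAIN (toy only)
    return any(all(ev(c, dict(zip(VARS, vals))) for c in conj)
               for vals in itertools.product(DOMAIN, repeat=len(VARS)))

def cube(preds, bits):  # abstract state = one literal per predicate (Boolean abstraction)
    return [p if b else ('not', p) for p, b in zip(preds, bits)]

V, C = (lambda n: ('var', n)), (lambda n: ('const', n))
HELD = ('eq', V('locked'), C(1))

def program(release_guard):
    """Driver-style CFG as edges (src, dst, kind, payload): acquire under x > 0, release
    under release_guard, with y := x first. ERR = release without acquire, or exit held."""
    X_POS = ('gt', V('x'), C(0))
    return [
        (0, 1, 'assign', ('locked', C(0))),
        (1, 2, 'assign', ('y', V('x'))),
        (2, 3, 'assume', X_POS), (2, 4, 'assume', ('not', X_POS)),
        (3, 4, 'assign', ('locked', C(1))),                                # acquire
        (4, 5, 'assume', release_guard), (4, 7, 'assume', ('not', release_guard)),
        (5, 6, 'assume', HELD), (5, 'ERR', 'assume', ('not', HELD)),
        (6, 7, 'assign', ('locked', C(0))),                                # release
        (7, 'ERR', 'assume', HELD), (7, 'EXIT', 'assume', ('not', HELD)),
    ]

def abstract_counterexample(prog, preds):
    """BFS over (pc, bits) states of the Boolean abstraction; returns the edge
    sequence of an abstract path to ERR, or None if ERR is unreachable."""
    allbits = list(itertools.product((True, False), repeat=len(preds)))
    paths = {(0, b): [] for b in allbits if sat(*cube(preds, b))}   # state -> path to it
    todo = deque(paths)
    while todo:
        pc, bits = state = todo.popleft()
        for src, dst, kind, payload in prog:
            if src != pc: continue
            if kind == 'assume':   # the state survives iff it is consistent with the guard
                succ = [bits] if sat(payload, *cube(preds, bits)) else []
            else:                  # every next cube consistent with wp(assignment, cube')
                succ = [nb for nb in allbits if sat(*cube(preds, bits),
                                                   *(subst(l, *payload) for l in cube(preds, nb)))]
            for nb in succ:
                if (dst, nb) in paths: continue
                paths[(dst, nb)] = paths[state] + [(src, dst, kind, payload)]
                if dst == 'ERR': return paths[(dst, nb)]
                todo.append((dst, nb))
    return None

def path_condition(path):  # weakest precondition of the path, backwards; satisfiable => real bug
    conds = []
    for _, _, kind, payload in reversed(path):
        conds = conds + [payload] if kind == 'assume' else [subst(c, *payload) for c in conds]
    return conds

def refine(preds, path):
    """Refinement heuristic (this example's assumption, cruder than SLAM's): add each
    branch condition of the spurious path and its wp through the preceding assignments."""
    new = list(preds)
    for i, (_, _, kind, payload) in enumerate(path):
        if kind == 'assume':
            cands = [payload[1] if payload[0] == 'not' else payload]
            for _, _, k, pl in reversed(path[:i]):
                if k == 'assign': cands.append(subst(cands[-1], *pl))
            for p in cands:
                if has_var(p) and p not in new: new.append(p)
    return new

def cegar(prog, preds=(HELD,), max_rounds=4):
    """('safe', preds) | ('bug', path) | ('unknown', path); 'unknown' is the abstract's
    point (3): budget exhausted, last counterexample reported though never shown spurious."""
    preds, path = list(preds), None
    for _ in range(max_rounds):
        path = abstract_counterexample(prog, preds)
        if path is None: return 'safe', preds
        if sat(*path_condition(path)): return 'bug', path
        preds = refine(preds, path)
    return 'unknown', path
```

With the release guard `y > 0` the first round, which tracks only `locked == 1`, reports a release-without-acquire path through `!(x > 0)` and `y > 0`; its path condition is unsatisfiable because `y := x`, so the predicates `x > 0` and `y > 0` are added and the second round proves the program safe. With the guard `y > 1` the refined abstraction finds the path where `x == 1` acquires and never releases, and the path condition is satisfiable, so it is reported as a real bug. Capping `max_rounds` at 1 on the safe program reproduces the abstract's third case: the only counterexample is spurious, but the budget is exhausted before that can be shown.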
