Proving safety properties of software

The use of software is pervasive in areas as diverse as aerospace, automotive, chemical processes, civil infrastructure, energy, health-care, manufacturing, transportation, entertainment, and consumer appliances. Our safety, security, and economy are now closely linked to the reliability of software. This research is about a technique to prove event-based safety properties of program. A safety property is defined in terms of event traces. An event trace is associated with an execution path and it is the sequence of events that execute on the path. Each event is identified with a program statement or a block of statements. Particularly, this research has been focused on one type of problem that follows one type of safety property we call matching pair (MP) property. Memory leaks, asymmetric synchronization, and several other defects are examples of violation of the matching pair property. The property involves matching between two types of events on every execution path. We present a practical method to validate the MP property for large software. The method is designed to address the challenges resulting from the cross-cutting semantics and presence of invisible control flow. The method has two phases: the macro phrase and the micro phrase. The macro analysis phase incorporates important notions of signature and matching pair graph (MPG). Signatures enable a decomposition of the problem into small independent instances for validation, each identified by a unique signature. The MPG( X) defines for each signature X, a minimal set of functions to be analyzed for validating the instance. The micro analysis phase produces the event traces graph representing all the relevant execution paths through the functions belonging to a MPG(X). A fast and accurate analysis of large software is possible because the macro analysis can exactly identify the functions that need to be analyzed and the micro analysis further greatly reduces the amount of analysis required to cover all execution paths by creating event trace graph (ETG) from the control flow graph (CFG). We applied macro level analysis on eight versions of Linux kernels spanning for three years. We further calculated ETGs for all functions identified by macro analysis for three versions of Linux. With the combination of macro and micro analysis, we were able to prove the correctness of more than 90% of the synchronization instances in the Linux kernel. For each remaining case, we produced relevant ETGs for the further investigation by human experts.

[1]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[2]  Dawson R. Engler,et al.  Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.

[3]  David Gay,et al.  Effective static deadlock detection , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[4]  Eugen-Nicolae Volanschi A Portable Compiler-Integrated Approach to Permanent Checking , 2006, ASE.

[5]  Richard N. Taylor,et al.  Complexity of analyzing the synchronization structure of concurrent programs , 1983, Acta Informatica.

[6]  Claudio Demartini,et al.  A deadlock detection tool for concurrent Java programs , 1999, Softw. Pract. Exp..

[7]  David Lorge Parnas,et al.  Specification of Software Component Requirements Using the Trace Function Method , 2006, 2006 International Conference on Software Engineering Advances (ICSEA'06).

[8]  Thomas Ball,et al.  Testing, abstraction, theorem proving: better together! , 2006, ISSTA '06.

[9]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[10]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI '03.

[11]  Dawson R. Engler,et al.  ARCHER: using symbolic, path-sensitive analysis to detect memory access errors , 2003, ESEC/FSE-11.

[12]  Benjamin Livshits,et al.  Context-sensitive program analysis as database queries , 2005, PODS.

[13]  Alfred V. Aho,et al.  Do Crosscutting Concerns Cause Defects? , 2008, IEEE Transactions on Software Engineering.

[14]  Alexander Aiken,et al.  Context- and path-sensitive memory leak detection , 2005, ESEC/FSE-13.

[15]  David Gay,et al.  An effective dynamic analysis for detecting generalized deadlocks , 2010, FSE '10.

[16]  Zengo Furukawa,et al.  Coverage Based Testing for Concurrent Software , 2008, 2008 The 28th International Conference on Distributed Computing Systems Workshops.

[17]  Junfeng Yang,et al.  Using model checking to find serious file system errors , 2004, TOCS.

[18]  Joël Ouaknine,et al.  Concurrent software verification with states, events, and deadlocks , 2005, Formal Aspects of Computing.

[19]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[20]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1984, TOPL.

[21]  Cormac Flanagan,et al.  Predicate abstraction for software verification , 2002, POPL '02.

[22]  Mark Dowson,et al.  The Ariane 5 software failure , 1997, SOEN.

[23]  Sigmund Cherem,et al.  Practical memory leak detection using guarded value-flow analysis , 2007, PLDI '07.

[24]  Monica S. Lam,et al.  Static detection of leaks in polymorphic containers , 2006, ICSE '06.

[25]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[26]  Jong-Deok Choi,et al.  Interprocedural pointer alias analysis , 1999, TOPL.

[27]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[28]  Monica S. Lam,et al.  A practical flow-sensitive and context-sensitive C and C++ memory leak detector , 2003, PLDI '03.

[29]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[30]  Suraj C. Kothari,et al.  A 2-Phase Method for Validation of Matching Pair Property with Case Studies of Operating Systems , 2010, 2010 IEEE 21st International Symposium on Software Reliability Engineering.

[31]  Alan R. Hevner,et al.  Using function abstraction to understand program behavior , 1990, IEEE Software.

[32]  Suraj C. Kothari,et al.  Event Views and Graph Reductions for Understanding System Level C Code , 2006, 2006 22nd IEEE International Conference on Software Maintenance.