Formal Verification by Model Checking

Transcription

1 Formal Verifiation by Model Cheking Jonathan Aldrih Carnegie Mellon University Based on slides developed by Natasha Sharygina : Introdution to Software Engineering Fall Formal Verifiation by Model Cheking Domain: Continuously operating onurrent systems (e.g. operating systems, hardware ontrollers and network protools) Ongoing, reative semantis Non-terminating, infinite omputations Manifest non-determinism Instrument: Temporal logi [Pnueli 77] is a formalism for reasoning about behavior of reative systems 4 1

2 Temporal Logi Model Cheking [Clarke,Emerson 81][Queille,Sifakis 82] Systems are modeled by finite state mahines Properties are written in propositional temporal logi Verifiation proedure is an exhaustive searh of the state spae of the design Diagnosti ounterexamples 5 Temporal Logi Model Cheking Finite State Mahine Preproessor Property Model Cheker True or Counterexample 6 2

3 What is Model Cheking? Does model M satisfy a property P? (written M = P) What is M? What is P? What is satisfy? 7 What is M? States: valuations to all variables Initial states: subset of states a b Ars: transitions between states Atomi Propositions: e.g. x = 5, y = true b State Transition Graph or Kripke Model 8 3

4 What is M? M = S, S 0, R, L Kripke struture: S finite set of states S 0 S set of initial states R S S set of ars L : S 2 AP mapping from states to a set of atomi propositions 9 Model of Computation a b a b b b a b State Transition Graph Infinite Computation Tree Unwind State Graph to obtain Infinite Tree. A trae is an infinite sequene of states. 10 4

5 Semantis a b a b b b a b State Transition Graph Infinite Computation Tree The semantis of a FSM is a set of traes. Semantis of the omposition of FSMs is the intersetion of traes of individual FSMs. 11 What is P? Different kinds of temporal logis Syntax: Semantis: formula P? What are the formulas in the logi? What does it mean for model M to satisfy Formulas: - Atomi propositions: properties of states - Temporal Logi Speifiations: properties of traes. 12 5

6 Computation Tree Logis Examples: Safety (mutual exlusion): no two proesses an be at a ritial setion at the same time Liveness (absene of starvation): every request will be eventually granted Temporal logis differ aording to how they handle branhing in the underlying omputation tree. In a linear temporal logi (LTL), operators are provided for desribing system behavior along a single omputation path. In a branhing-time logi (CTL), the temporal operators quantify over the paths that are possible from a given state. 13 Computation Tree Logis Formulas are onstruted from path quantifiers and temporal operators: 1. Path Quantifiers: A for every path E there exists a path 2. Temporal Operator: Xα - α holds next time Fα - α holds sometime in the future Gα - α holds globally in the future α Uβ - α holds untilβholds 14 6

7 Formulas over States and Paths State formulas Desribe a property of a state in a model M If p AP, then p is a state formula If f and g are state formulas, then f, f g and f g are state formulas If f is a path formula, then E f and A f are state formulas Path formulas Desribe a property of an infinite path through a model M If f is a state formula, then f is also a path formula If f and g are path formulas, then f, f g, f g, X f, F f, G f, and f U g are path formulas 15 Notation A path π in M is an infinite sequene of states s 0, s 1, suh that for every i 0, (s i, s i+1 ) R π i denotes the suffix of π starting at s i If f is a state formula, M, s f means that f holds at state s in the Kripke struture M If f is a path formula, M,π fmeans that f holds along path π in the Kripke struture M 16 7

8 Semantis of Formulas M, s p p L(s) M, s f M, s f M, s f 1 f 2 M, s f 1 M, s f 2 M, s f 1 f 2 M, s f 1 M, s f 2 M, s E g 1 π=s M,π g 1 M, s A g 1 π=s M,π g 1 M,π f π=s M, s f M,π g M,π g M,π g 1 g 2 M,π g 1 M,π g 2 M,π g 1 g 2 M,π g 1 M,π g 2 M,π X g M,π 1 g M,π F g k 0 M,π k g M,π G g k 0 M,π k g M,π g 1 U g 2 k 0 M,π k g 2 0 j<k M,π j g 1 17 The Logi LTL Linear Time Logi (LTL) [Pnueli 77]: logi of temporal sequenes. Has form A f where f is a path formula whih has no path quantifiers (A or E) α: α holds in the urrent state α AXα: α holds in the next state α AFγ: γ holds eventually γ AGλ: λ holds from now on λ λ λ λ A(α U β): α holds until β holds α α β 18 8

9 The Logi CTL In a branhing-time logi (CTL), the temporal operators quantify over the paths that are possible from a given state (s 0 ). Requires eah temporal operator (X, F, G, and U) to be preeded by a path quantifier (A or E). M, s 0 AG M, s 0 AF M, s 0 EF M, s 0 EG 19 Typial CTL Formulas EF (ed Ready): it is possible to get to a state where ed holds but Ready does not hold. AG (Req AF Ak): whenever Request ours, it will be eventually Aknowledged. AG (DevieEnabled): DevieEnabled always holds on every omputation path. AG (EF Restart): from any state it is possible to get to the Restart state. 20 9

10 Announements Please your Stak.java file to Marwan for Assignment 8 part 4 This will help with the grading 21 Trivia AG(EF p) annot be expressed in LTL Reset property: from every state it is possible to get to p But there might be paths where you never get to p Different from A(GF p) Along eah possible path, for eah state in the path, there is a future state where p holds Counterexample: ababab b a p 22 10

11 Trivia A(FG p) annot be expressed in CTL Along all paths, one eventually reahes a point where p always holds from then on But at some points in some paths where p always holds, there might be a diverging path where p does not hold Different from AF(AG p) Along eah possible path there exists a state suh that p always holds from then on Counterexample: the path that stays in s 0 s 0 p s 1 s 2 b p 23 LTL Conventions Often leave the initial A impliit G is sometimes written F is sometimes written 24 11

12 Linear vs. branhing-time logis some advantages of LTL LTL properties are preserved under abstration : i.e., if M approximates a more omplex model M, by introduing more paths, then M ψ M ψ ounterexamples for LTL are simpler: onsisting of single exeutions (rather than trees). The automata-theoreti approah to LTL model heking is simpler (no tree automata involved). anedotally, it seems most properties people are interested in are linear-time properties. some advantages of BT logis BT allows expression of some useful properties like reset. CTL, a limited fragment of the more omplete BT logi CTL*, an be model heked in time linear in the formula size (as well as in the transition system). But formulas are usually far smaller than system models, so this isn t as important as it may first seem. Some BT logis, like µ-alulus and CTL, are well-suited for the kind of fixed-point omputation sheme used in symboli model heking. 25 CTL Model Cheking Theorem: Any CTL formula an be expressed in terms of,, EX, EU, and EG. F p = true U p A[x U y] = (EG y E[ y U (x y)]) AX p = EX p AG p = EF p Model heking: determine whih states of M satisfy f Algorithm Consider all subformulas of f, in order of depth of nesting Initially, label eah state with the atomi subformulas that are true in that state For eah formula, use information about the states where the immediate subformulas are true to label states with the new formula 26 12

13 Subformula Labeling Case f Label eah state not labeled with f f 1 f 2 Label eah state whih is labeled with either f 1 or f 2 EX f Label every state that has some suessor labeled with f E[f 1 U f 2 ] Label every state labeled with f 2 Traverse bakwards from labeled states; if the previous state is labeled with f 1, label it with E[f 1 U f 2 ] as well EG f 1 Find strongly onneted omponents where f 1 holds Traverse bakwards from labeled states; if the previous state is labeled with f 1, label it with EG f 1 as well 27 CTL Model Cheking Example Pressing will eventually result in heat ~ ~ ~ Error ~ ~ Heat Error Heat 28 13

14 CTL Model Cheking Example Pressing will eventually result in heat AG( AF Heat) = E[true U ( EG Heat)] ~ ~ ~ Error ~ ~ Heat Error Heat 29 CTL Model Cheking Example The oven doesn t heat up until the door is losed. ~ ~ ~ Error ~ ~ Heat Error Heat 30 14

15 CTL Model Cheking Example The oven doesn t heat up until the door is losed. A[( Heat) U ] = EG E[ U (Heat )] ~ ~ ~ Error ~ ~ Heat Error Heat 31 LTL Model Cheking Beyond the sope of this ourse Canonial referene on Model Cheking: Edmund Clarke, Orna Grumberg, and Doron A. Peled. Model Cheking. MIT Press,

16 SPIN: The Promela Language PROess MEta LAnguage Asynhronous omposition of independent proesses Communiation using hannels and global variables Non-deterministi hoies and interleavings 33 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; protype proess(int id) { beginning: nonritial: state[id] = NONCRITICAL; if :: goto nonritial; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; ritial: state[id] = CRITICAL; if :: goto ritial; :: true; fi; goto beginning;} init { run proess(0); run proess(1); } NC T C 34 16

17 Enabled Statements A statement needs to be enabled for the proess to be sheduled. bool a, b; protype p1() { a = true; a & b; a = false; } protype p2() { b = false; a & b; b = true; } These statements are enabled only if both a and b are true. In this ase b is always false and therefore there is a deadlok. init { a = false; b = false; run p1(); run p2(); } 42 Other onstruts Do loops do :: ount = ount + 1; :: ount = ount - 1; :: (ount == 0) -> break od 43 17

18 Other onstruts Do loops Communiation over hannels protype sender(han out) { int x; if ::x=0; ::x=1; fi } out! x; 44 Other onstruts Do loops Communiation over hannels Assertions protype reeiver(han in) { int value; in? value; assert(value == 0 value == 1) } 45 18

19 Other onstruts Do loops Communiation over hannels Assertions Atomi Steps int value; protype inrement() { atomi { x = value; x = x + 1; value = x; } } 46 Mutual Exlusion Peterson s solution to the mutual exlusion problem flag 0 =1 turn=1 flag 0 =0 flag 1!= 0 && turn!= 0 flag 1 == 0 turn == 0 Critial Setion 47 19

20 bool turn; bool flag[2]; protype mutex0() { again: } flag[0] = 1; turn = 1; Mutual Exlusion in SPIN (flag[1] == 0 turn == 0); /* ritial setion */ flag[0] = 0; goto again; flag 1!= 0 && turn!= 0 flag 1 == 0 turn == 0 guard: Cannot go past this point until the ondition is true flag 0 =1 turn=1 flag 0 =0 Critial Setion 48 Mutual Exlusion in SPIN bool turn, flag[2]; Ative proess: automatially reates instanes of proesses ative [2] protype user() { assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; assert: Cheks that there are only at most two instanes with identifiers 0 and 1 (flag[1 - _pid] == 0 turn == _pid); /* ritial setion */ _pid: Identifier of the proess } flag[_pid] = 0; goto again; 49 20

21 Mutual Exlusion in SPIN bool turn, flag[2]; byte nrit; ative [2] protype user() { assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); nrit: Counts the number of Proess in the ritial setion } nrit++; assert(nrit == 1); /* ritial setion */ nrit--; flag[_pid] = 0; goto again; assert: Cheks that there are always at most one proess in the ritial setion 50 Mutual Exlusion in SPIN bool turn, flag[2]; bool ritial[2]; LTL Properties: ative [2] protype user() { assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); ritial[_pid] = 1; /* ritial setion */ ritial[_pid] = 0; flag[_pid] = 0; goto again; } The proesses are never both in the ritial setion AG(!(ritial[0] && ritial[1])) [](!(ritial[0] && ritial[1])) No matter what happens, a proess will eventually get to a ritial setion [] <> (ritial[0] ritial[1]) If proess 0 is in the ritial setion, proess 1 will get to be there next [] (ritial[0] -> ritial[0] U (!ritial[0] U ritial[1])) 51 21

22 Mutual Exlusion in SPIN bool turn, flag[2]; bool ritial[2]; LTL Properties: ative [2] protype user() { assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); ritial[_pid] = 1; /* ritial setion */ ritial[_pid] = 0; []!(ritial[0] && ritial[1]) [] <> (ritial[0]) [] <> (ritial[1]) [] (ritial[0] -> (ritial[0] U (!ritial[0] && ((!ritial[0] &&!ritial[1]) U ritial[1])))) } flag[_pid] = 0; goto again; * aveat: an t use array indexes in SPIN LTL properties Have to dupliate ode 52 State Spae Explosion Problem: Size of the state graph an be exponential in size of the program (both in the number of the program variables and the number of program omponents) M = M 1 M n If eah M i has just 2 loal states, potentially 2 n global states Researh Diretions: State spae redution 53 22

23 Model Cheking Performane Model Chekers today an routinely handle systems with between 100 and 300 state variables. Systems with reahable states have been heked. By using appropriate abstration tehniques, systems with an essentially unlimited number of states an be heked. 54 Notable Examples IEEE Salable Coherent Interfae In 1992 Dill s group at Stanford used Murphi to find several errors, ranging from uninitialized variables to subtle logial errors IEEE Futurebus In 1992 Clarke s group at CMU found previously undeteted design errors PowerSale multiproessor (proessor, memory ontroller, and bus arbiter) was verified by Verimag researhers using CAESAR toolbox Luent teleom. protools were verified by FormalChek errors leading to lost transitions were identified PowerPC 620 Miroproessor was verified by Motorola s Verdit model heker

24 The Grand Challenge: Model Chek Software Extrat finite state mahines from programs written in onventional programming languages Use a finite state programming language: exeutable design speifiations (Stateharts, xuml, et.). Unroll the state mahine obtained from the exeutable of the program. 56 The Grand Challenge: Model Chek Software Use a ombination of the state spae redution tehniques to avoid generating too many states. Verisoft (Bell Labs) FormalChek/xUML (UT Austin, Bell Labs) ComFoRT (CMU/SEI) Use stati analysis to extrat a finite state skeleton from a program. Model hek the result. Bandera Kansas State Java PathFinder NASA Ames SLAM/Bebop - Mirosoft 57 24