Formal Verification by Model Checking

Similar documents
Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

Model checking Timber program. Paweł Pietrzak

Formal Verification by Model Checking

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Tool demonstration: Spin

Design of Internet Protocols:

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Sérgio Campos, Edmund Clarke

Lecture 3 SPIN and Promela

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Design and Analysis of Distributed Interacting Systems

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Patrick Trentin Formal Methods Lab Class, March 03, 2017

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

The Design of a Distributed Model Checking Algorithm for Spin

The Spin Model Checker : Part I/II

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

More on Verification and Model Checking

CS477 Formal Software Development Methods / 32

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

The SPIN Model Checker

THE MODEL CHECKER SPIN

Software Engineering using Formal Methods

CS477 Formal Software Development Methods / 39

Computer Aided Verification 2015 The SPIN model checker

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Formal Specification and Verification

SPIN, PETERSON AND BAKERY LOCKS

Model-Checking Concurrent Systems

Software Model Checking. From Programs to Kripke Structures

SPIN: Introduction and Examples

Formal Verification of Process Communications in Operational Flight Program for a Small-Scale Unmanned Helicopter

Software Engineering using Formal Methods

Network Protocol Design and Evaluation

Model Checking with Automata An Overview

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

The ComFoRT Reasoning Framework

Network Protocol Design and Evaluation

Introduction to Model Checking

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Applications of Formal Verification

Spin: Overview of PROMELA

Applications of Formal Verification

Model Checking with Abstract State Matching

Applications of Formal Verification

Introduction to Software Verification

The Spin Model Checker : Part I. Moonzoo Kim KAIST

Automated Reasoning. Model Checking with SPIN (II)

Distributed Systems Programming (F21DS1) Formal Verification

The SPIN Model Checker

LTL Reasoning: How It Works

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

Introduction In Practice State Explosion Problem Infinity and Uncomputability Techniques References. Model Checking. Toryn Qwyllyn Klassen

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

INF5140: Specification and Verification of Parallel Systems

Proving Dekker with SPIN and PROMELA

Source Code Formal Verification. Riccardo Sisto, Politecnico di Torino

Formal Specification and Verification

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

A Tutorial on Model Checker SPIN

T Reactive Systems: Kripke Structures and Automata

Lecture 2: Symbolic Model Checking With SAT

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

WHEN concurrent processes share a resource such as a file

Having a BLAST with SLAM

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Spin: Overview of PROMELA

Verifying IP-Core based System-On-Chip Designs

Automatic Verification of Finite State Concurrent Systems

Formal Methods for Software Development

Logic Model Checking

CSE 153 Design of Operating Systems

Software Model Checking. Xiangyu Zhang

Logic Model Checking

MP 6 Modeling in Promela and SPIN

Model-Driven Verifying Compilation of Synchronous Distributed Applications

G52CON: Concepts of Concurrency

Despite some help from modeling tools such as UML, the problem of ensuring the quality of. 1 of :30 AM

Using Spin to Help Teach Concurrent Programming

Symmetric Multiprocessors: Synchronization and Sequential Consistency

Building Graphical Promela Models using UPPAAL GUI

CS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Counterexample Guided Abstraction Refinement in Blast

T Parallel and Distributed Systems (4 ECTS)

Towards Promela verification using VerICS

Software Model Checking with Abstraction Refinement

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION

Model Checking. Dragana Cvijanovic

Syntax-directed model checking of sequential programs

Transcription:

Formal Verication by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artacts Spring 2006 1 CTL Model Checking Theorem: Any CTL formula can be expressed in terms of,, EX, EU, and EG. F p = true U p A[x U y] = (EG y E[ y U (x y)]) AX p = EX p AG p = EF p AG(Start AF Heat) 2 1

Subformula Labeling Case f Label each state not labeled with f f 1 f 2 Label each state which is labeled with either f 1 or f 2 EX f Label every state that has some successor labeled with f E[f 1 U f 2 ] Label every state labeled with f 2 Traverse backwards from labeled states; the previous state is labeled with f 1, label it with E[f 1 U f 2 ] as well EG f 1 Find strongly connected components where f 1 holds Traverse backwards from labeled states; the previous state is labeled with f 1, label it with EG f 1 as well 4 CTL Model Checking Example Pressing Start will eventually result in heat AG(Start AF Heat) = E[true U (Start EG Heat)] ~ Start ~ Close ~ Heat ~ Error Start ~ Close ~ Heat Error ~ Start Close ~ Heat ~ Error ~ Start Close Heat ~ Error Start Close ~ Heat Error Start Close ~ Heat ~ Error Start Close Heat ~ Error 5 2

CTL Model Checking Example The oven doesn t heat up until the door is closed. ~ Start ~ Close ~ Heat ~ Error Start ~ Close ~ Heat Error ~ Start Close ~ Heat ~ Error ~ Start Close Heat ~ Error Start Close ~ Heat Error Start Close ~ Heat ~ Error Start Close Heat ~ Error 6 Practice Writing Properties If the door is locked, it will not open until someone unlocks it If you press ctrl-c, you will get a command line prompt The saw will not run unless the safety guard is engaged 10 3

LTL Model Checking Beyond the scope of this course Canonical reference on Model Checking: Edmund Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999. 12 Dataflow Analysis as Model Checking Consider a lattice that is a tuple of sets: Var 2 Set e.g. [ x <, =, y > ] where Set = <, =, > Represent the CFG as a Kripke structure Let N be the nodes in the CFG, with initial node N 0 Let E be the edges in the CFG Consider the set of abstract stores L = 2 Var Set Choose one element of lattice set for each var e.g. [ x <, y > ] Strategy: instead of propagating around sets, see each individual member of the lattice set can reach each node (may traverse each path multiple times) This is exactly what Metal does! Metal is essentially a model checker 13 4

Propagating Elements Instead of Sets U get_free_buffer L ( ) U save_flags(flags) L ( ) L sh->bp = U cli() L sti() U L bh->bs = L return NULL U L restore_flags(flags) U return bh 14 Dataflow Analysis as Model Checking Let F = l 1 e l 2 n 1 e n 2 E l 2 ƒ DF ( l 1, n 1 ) Represents flow functions There s an edge from one lattice value to another, annotated with edge e from the program, f when we apply the flow function for the source node of the program edge to the singleton set containing the first lattice value, the second lattice value is one of the results We will assume edges are annotated with the source node sti(), restore_flags(flags) [all others] L U [all others] cli() 15 5

Dataflow Analysis as Model Checking Consider synchronous product Cross product of nodes N p = N*L Edges exist only when there is an edge in both source graphs with the same label E p = (n 1,l 1 ) e (n 2,l 2 ) n 1 e n 2 E l 1 e l 2 F Purpose: matches up edge from n 1 to n 2 (marked n 1 ) with edge representing flow function for n 1 (also marked n 1 ) Data flow is reachability in product graph Flow(n) = l EF (n,l) 16 Dataflow Analysis as Model Checking cli() ( ) cli() save_flags(flags) save_flags(flags) ( ) ( ) ( ) sti() sh->bp = sh->bp = bh->bs = get_free_buffer get_free_buffer return NULL return NULL sti() bh->bs = restore_flags(flags) restore_flags(flags) Locked Unlocked Which nodes are reachable? For which (n,l) do we have EF (n,l)? Labeling algorithm works backwards For this special case forwards is more efficient return bh return 17bh 6

Abstraction Data flow values We abstracted program values to two states: locked and unlocked Program We represented the program directly as a CFG, without abstracting it But really, we only care about 4 node types: sti() cli() restore_flags( ) anything else Can we abstract the program to just these types of nodes? 18 Model Checking Abstract Graph cli() ( ) sh->bp = save_flags(flags) ( ) sti() bh->bs = get_free_buffer return NULL restore_flags(flags) return bh 19 7

Model Checking Abstract Graph cli() cli() sti() sti() restore_flags(flags) restore_flags(flags) Locked Unlocked Which nodes are reachable? For which (n,l) do we have EF (n,l)? 20 Duality of Dataflow Analysis and Model Checking We ve seen how dataflow analysis can be phrased as a model checking problem Applies to all analyses that are tuples of sets A more complex (and inefficient) construction still works your lattice cannot be phrased as a tuple of sets Benefit: can take advantage of model checking techniques Symbolic representations (beyond scope of course) Counterexample-guided abstraction refinement (CEGAR next lecture) Cost: explores each path for each set element Unless you re using a symbolic representation or need CEGAR, dataflow analysis will be more efficient The converse is possible in some cases Probably impossible for general LTL formulas I have not actually seen impossibility results, but the model checking algorithm involves nested depth-first search which does not match dataflow analysis well 21 8

SPIN: The Promela Language PROcess MEta LAnguage Asynchronous composition of independent processes Communication using channels and global variables Non-deterministic choices and interleavings 22 An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); NC T C 23 9

An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); 24 An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); 25 10

An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); 26 An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); 27 11

An Example mtype = NONCRITICAL, TRYING, CRITICAL ; show mtype state[2]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning; init run process(0); run process(1); NC T C 28 Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() a = true; a & b; a = false; proctype p2() b = false; a & b; b = true; init a = false; b = false; run p1(); run p2(); 29 12

Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; These statements are enabled proctype p1() only both a and b are true. a = true; a & b; a = false; proctype p2() b = false; a & b; b = true; init a = false; b = false; run p1(); run p2(); 30 Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() a = true; a & b; a = false; proctype p2() b = false; a & b; b = true; These statements are enabled only both a and b are true. In this case b is always false and therefore there is a deadlock. init a = false; b = false; run p1(); run p2(); 31 13

Other constructs Do loops do :: count = count + 1; :: count = count - 1; :: (count == 0) -> break od 32 Other constructs Do loops Communication over channels proctype sender(chan out) int x; ::x=0; ::x=1; fi out! x; 33 14

Other constructs Do loops Communication over channels Assertions proctype receiver(chan in) int value; in? value; assert(value == 0 value == 1) 34 Other constructs Do loops Communication over channels Assertions Atomic Steps int value; proctype increment() atomic x = value; x = x + 1; value = x; 35 15

Mutual Exclusion Peterson s solution to the mutual exclusion problem flag 0 =1 turn=1 flag 0 =0 flag 1!= 0 && turn!= 0 flag 1 == 0 turn == 0 Critical Section 36 bool turn; bool flag[2]; proctype mutex0() again: flag[0] = 1; turn = 1; Mutual Exclusion in SPIN (flag[1] == 0 turn == 0); /* critical section */ flag[0] = 0; goto again; flag 1!= 0 && turn!= 0 flag 1 == 0 turn == 0 guard: Cannot go past this point until the condition is true flag 0 =1 turn=1 flag 0 =0 Critical Section 37 16

Mutual Exclusion in SPIN bool turn, flag[2]; Active process: automatically creates instances of processes active [2] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; assert: Checks that there are only at most two instances with identiers 0 and 1 (flag[1 - _pid] == 0 turn == _pid); /* critical section */ _pid: Identier of the process flag[_pid] = 0; goto again; 38 Mutual Exclusion in SPIN bool turn, flag[2]; byte ncrit; active [2] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); ncrit: Counts the number of Process in the critical section ncrit++; assert(ncrit == 1); /* critical section */ ncrit--; flag[_pid] = 0; goto again; assert: Checks that there are always at most one process in the critical section 39 17

Mutual Exclusion in SPIN bool turn, flag[2]; bool critical[2]; LTL Properties: active [2] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; The processes are never both in the critical section No matter what happens, a process will eventually get to a critical section If process 0 is in the critical section, process 1 will get to be there next 40 State Space Explosion Problem: Size of the state graph can be exponential in size of the program (both in the number of the program variables and the number of program components) M = M 1 M n If each M i has just 2 local states, potentially 2 n global states Research Directions: State space reduction 42 18

Model Checking Performance Model Checkers today can routinely handle systems with between 100 and 300 state variables. Systems with 10 120 reachable states have been checked. By using appropriate abstraction techniques, systems with an essentially unlimited number of states can be checked. 43 Notable Examples IEEE Scalable Coherent Interface In 1992 Dill s group at Stanford used Murphi to find several errors, ranging from uninitialized variables to subtle logical errors IEEE Futurebus In 1992 Clarke s group at CMU found previously undetected design errors PowerScale multiprocessor (processor, memory controller, and bus arbiter) was veried by Verimag researchers using CAESAR toolbox Lucent telecom. protocols were veried by FormalCheck errors leading to lost transitions were identied PowerPC 620 Microprocessor was veried by Motorola s Verdict model checker. 44 19

The Grand Challenge: Model Check Software Extract finite state machines from programs written in conventional programming languages Use a finite state programming language: executable design specications (Statecharts, xuml, etc.). Unroll the state machine obtained from the executable of the program. 45 The Grand Challenge: Model Check Software Use a combination of the state space reduction techniques to avoid generating too many states. Verisoft (Bell Labs) FormalCheck/xUML (UT Austin, Bell Labs) ComFoRT (CMU/SEI) Use static analysis to extract a finite state skeleton from a program. Model check the result. Bandera Kansas State Java PathFinder NASA Ames SLAM/Bebop - Microsoft 46 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback