Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Similar documents
Having a BLAST with SLAM

Having a BLAST with SLAM

Software Model Checking with Abstraction Refinement

Having a BLAST with SLAM

Having a BLAST with SLAM

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

CS 510/13. Predicate Abstraction

Formal Verification by Model Checking

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Software Model Checking. Xiangyu Zhang

More on Verification and Model Checking

Scalable Program Verification by Lazy Abstraction

Software Model Checking. From Programs to Kripke Structures

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Static Program Analysis

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Lecture 2: Symbolic Model Checking With SAT

Finite State Verification. CSCE Lecture 14-02/25/2016

Model Checking with Automata An Overview

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Predicate Abstraction Daniel Kroening 1

Sérgio Campos, Edmund Clarke

Formal Methods in Software Engineering. Lecture 07

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Finite State Verification. CSCE Lecture 21-03/28/2017

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

Action Language Verifier, Extended

Model checking Timber program. Paweł Pietrzak

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Model-Checking Concurrent Systems

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Tutorial on Model Checking Modelling and Verification in Computer Science

NuSMV Hands-on introduction

Model Checking. Dragana Cvijanovic

Model Checking with Abstract State Matching

Scenario Graphs Applied to Security (Summary Paper)

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

The Maude LTL Model Checker and Its Implementation

Abstract Interpretation

F-Soft: Software Verification Platform

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Model Checking: Back and Forth Between Hardware and Software

AN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION

CSC2108: Automated Verification Assignment 1 - Solutions

Binary Decision Diagrams and Symbolic Model Checking

Distributed Systems Programming (F21DS1) Formal Verification

Introduction to Axiomatic Semantics (1/2)

Symbolic Model Checking

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Symbolic and Concolic Execution of Programs

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction

A Simple Tutorial on NuSMV

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

T Reactive Systems: Kripke Structures and Automata

Ashish Sabharwal Computer Science and Engineering University of Washington, Box Seattle, Washington

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Introduction to Axiomatic Semantics (1/2)

Counterexample Guided Abstraction Refinement in Blast

Proving the Correctness of Distributed Algorithms using TLA

Verification Framework for Detecting Safety Violations in UML State chart Models of Reactive Systems C.M. Prashanth

Property Specifications

Syntax-directed model checking of sequential programs

Regression Verification - a practical way to verify programs

WHEN concurrent processes share a resource such as a file

Verifying IP-Core based System-On-Chip Designs

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Distributed Memory LTL Model Checking

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

The Spin Model Checker : Part I/II

Introduction to SMV. Arie Gurfinkel (SEI/CMU) based on material by Prof. Clarke and others Carnegie Mellon University

Formal Methods for Software Development

STATIC PROGRAM TRANSFORMATIONS FOR EFFICIENT SOFTWARE MODEL CHECKING

Formal Verification of Synchronization Issues in SpecC Description with Automatic Abstraction

CS/ECE 5780/6780: Embedded System Design

Lectures 20, 21: Axiomatic Semantics

Configurable Software Model Checking

Formal Specification and Verification

Model Checking VHDL with CV

NuSMV 2.2 Tutorial. Roberto Cavada, Alessandro Cimatti, Gavin Keighren, Emanuele Olivetti, Marco Pistore and Marco Roveri

Over-Approximating Boolean Programs with Unbounded Thread Creation

Program verification. Generalities about software Verification Model Checking. September 20, 2016

A Case Study for CTL Model Update

An Eclipse Plug-in for Model Checking

Cyber Physical System Verification with SAL

Specifying circuit properties in PSL

Outline. Introduction SDV Motivation Model vs Real Implementation SLIC SDVRP SLAM-2 Comparisons Conclusions

Introduction In Practice State Explosion Problem Infinity and Uncomputability Techniques References. Model Checking. Toryn Qwyllyn Klassen

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

Model checking pushdown systems

Verifying C & C++ with ESBMC

Behavior models and verification Lecture 6

Embedded Software Verification Challenges and Solutions. Static Program Analysis

Transcription:

Model Checking #1

Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation Some Key Players: Model Checking: Ed Clarke, Ken McMillan, Amir Pnueli SLAM: Tom Ball, Sriram Rajamani BLAST: Ranjit Jhala, Rupak Majumdar, Tom Henzinger #2

Who are we again? We're going to find critical bugs in important bits of software using PL techniques! You will be enthusiastic about this and thus want to learn the gritty details #3

Take-Home Message Model checking is the exhaustive exploration of the state space of a system, typically to see if an error state is reachable It produces concrete counterexamples The state explosion problem refers to the large number of states in the model Temporal logic allows you to specify properties with concepts like eventually and always #4

Overarching Plan Model Checking (Today) Transition Systems (Models) Temporal Properties LTL and CTL (Explicit State) Model Checking Symbolic Model Checking Counterexample Guided Abstraction Refinement Safety Properties Predicate Abstraction Software Model Checking Counterexample Feasibility Abstraction Refinement ( c2bp ) ( bebop ) ( newton, hw 5 ) (weakest pre, thrm prvr) #5

Spoiler Space This stuff really works! Symbolic Model Checking is a massive success in the model-checking field I know people who think Ken McMillan walks on water in a ha-ha-ha only serious way SLAM took the PL world by storm Spawned multiple copycat projects Incorporated into Windows DDK as static driver verifier #6

Topic: (Generic) Model Checking There are complete courses in model checking; I will skim Model Checking by Edmund C Clarke, Orna Grumberg, and Doron A Peled, MIT press Symbolic Model Checking by Ken McMillan #7

Model Checking Model checking is an automated technique Model checking verifies transition systems Model checking verifies temporal properties Model checking can be also used for falsification by generating counter-examples Model Checker: A program that checks if a (transition) system satisfies a (temporal) property #8

Verification vs Falsification An automated verification tool can report that the system is verified (with a proof) or that the system was not verified (with???) When the system was not verified it would be helpful to explain why Model checkers can output an error counter-example: a concrete execution scenario that demonstrates the error Can view a model checker as a falsification tool The main goal is to find bugs OK, so what can we verify or falsify? #9

Temporal Properties Temporal Property: A property with time-related operators such as invariant or eventually Invariant(p): is true in a state if property p is true in every state on all execution paths starting at that state The Invariant operator has different names in different temporal logics: G, AG, ( globally or box or forall ) Eventually(p): is true in a state if property p is true at some state on every execution path starting from that state F, AF, } ( diamond or future or exists ) #10

An Example Concurrent Program A simple concurrent mutual exclusion program Two processes execute asynchronously There is a shared variable turn Two processes use the shared variable to ensure that they are not in the critical section at the same time Can be viewed as a fundamental program: any bigger concurrent one would include this one 10: while True do 11: wait(turn = 0); // critical section 12: work(); turn := 1; 13: end while; // concurrently with 20: while True do 21: wait(turn = 1); // critical section 22: work(); turn := 0; 23: end while #11

Reachable States of the Example Program 10,20 10,21 11,20 11,21 Next: formalize this intuition t=1 10,20 t=1 10,21 12,20 12,21 t=1 10,22 t=1 11,22 t=1 11,20 t=1 11,21 Each state is a valuation of all the variables: turn and the two program counters for two processes #12

Transition Systems In model checking the system being analyzed is represented as a labeled transition system T = (S, I, R, L) Also called a Kripke Structure S = Set of states I S = Set of initial states R S S = Transition relation L: S P(AP) = Labeling function // standard FSM // standard FSM // standard FSM // this is new! AP: Set of atomic propositions (eg, x=5 2AP) Atomic propositions capture basic properties For software, atomic props depend on variable values The labeling function labels each state with the set of propositions true in that state #13

What's in a Label? We must decide in advance which facts are important We can have x=5 or x=6 but not x Similarly for relations (eg, x<y, x<z ) #14

Properties of the Program Example: In all the reachable states (configurations) of the system, the two processes are never in the critical section at the same time Equivalently, we can say that Invariant( (pc1=12 pc2=22)) Also: Eventually the first process enters the critical section Eventually(pc1=12) pc1=12, pc2=22 are atomic properties #15

Temporal Logics There are four basic temporal operators: X p = Next p, p holds in the next state G p = Globally p, p holds in every state, p is an invariant F p = Future p, p will hold in a future state, p holds eventually p U q = p Until q, assertion p will hold until q holds Precise meaning of these temporal operators are defined on execution paths #16

Execution Paths A path in a transition system is an infinite sequence of states (s0, s1, s2, ), such that 8i 0 (si, si+1) R A path (s0, s1, s2, ) is an execution path if s0 I Given a path x = (s0, s1, s2, ) xi denotes the ith state si xi denotes the ith suffix (si, si+1, si+2, ) In some temporal logics one can quantify the paths starting from a state using path quantifiers A : for all paths E : there exists a path #17

Being Judgmental We write x²p the path x makes the predicate p true x is a path in a transition system p is a temporal logic predicate Example: A x x ² G ( (pc1=12 pc2=22)) #18

Linear Time Logic (LTL) LTL properties are constructed from atomic propositions in AP; logical operators,, ; and temporal operators X, G, F, U The semantics of LTL properties is defined on paths: Given a path x: x²p iff L(x0, p) // atomic prop x²xp iff x1 ² p // next x²fp iff 9i 0 xi ² p // future x²gp iff 8i 0 xi ² p // globally x²puq iff 9i 0 xi ² q and 8j<i xj ² p // until#19

Satisfying Linear Time Logic Given a transition system T = (S, I, R, L) and an LTL property p, T satisfies p if all paths starting from all initial states I satisfy p Example LTL formulas: Invariant( (pc1=12 pc2=22)): G( (pc1=12 pc2=22)) Eventually(pc1=12): F(pc1=12) #20

Computation Tree Logic (CTL) In CTL temporal properties use path quantifiers A : for all paths E : there exists a path The semantics of CTL properties is defined on states: Given a path x s ²p iff L(s, p) s0 ² EX p iff 9 a path (s0, s1, s2, ) s1 ² p s0 ² AX p iff 8 paths (s0, s1, s2, ) s1 ² p s0 ² EG p iff 9 a path (s0, s1, s2, ) 8i 0 si ² p s ² AG p iff 8 paths (s, s, s, ) 8i 0 s ² p #21

Linear vs Branching Time LTL is a linear time logic When determining if a path satisfies an LTL formula we are only concerned with a single path CTL is a branching time logic When determining if a state satisfies a CTL formula we are concerned with multiple paths In CTL the computation is not viewed as a single path but as a computation tree which contains all the paths The computation tree is obtained by unrolling the transition relation The expressive powers of CTL and LTL are incomparable (LTL µ CTL*, CTL µ CTL*) Basic temporal properties can be expressed in both logics Not in this lecture, sorry! (Take a class on Modal Logics) #22

Remember the Example 10,20 10,21 t=1 10,20 11,20 11,21 t=1 10,21 12,20 12,21 t=1 10,22 t=1 11,22 t=1 11,20 t=1 11,21 This is a labeled transition system #23

One path starting at state (turn=0,pc1=10,pc2=20) 10,20 Linear vs Branching Time Linear Time View Branching Time View 10,20 A computation tree starting at state (turn=0,pc1=10,pc2=20) 10,21 10,21 10,21 11,21 11,21 12,21 t=1 10,21 11,20 10,21 11,21 11,21 12,20 12,21 t=1 10,20 #24

LTL Satisfiability Examples p does not hold p holds On this path: F p holds, G p does not hold, p does not hold, X p does not hold, X (X p) holds, X (X (X p)) does not hold On this path: F p holds, G p holds, p holds, X p holds, X (X p) holds, X (X (X p))) holds #25

p does not hold p holds CTL Examples s s s At state s: EF p, EX (EX p), AF ( p), p holds At state s: EF p, AF p, EX (EX p), EX p, EG p, p holds At state s: EF p, AF p, AG p, EG p, Ex p, AX p, p holds AF p, AG p, AG ( p), EX p, EG p, p does not hold AG p, AG ( p), AF ( p) does not hold EG ( p), EF ( p), does not hold #26

Q: General (468 / 842) This country's automobile stickers use the abbreviation CH (Confederatio Helvetica) The 1957 Max Miedinger typeface Helvetica is also named for this country

Q: Computer Science This American computer scientist won the Turing Award for granular database locking and two-tier transaction commit semantics He was reported missing while sailing in 2007

Model Checking Complexity Given a transition system T = (S, I, R, L) and a CTL formula f One can check if a state of the transition system satisfies the temporal logic formula f in O( f ( S + R )) time Given a transition system T = (S, I, R, L) and an LTL formula f One can check if the transition system satisfies the temporal logic formula f in O(2 f ( S + R )) time Model checking procedures can generate counterexamples without increasing the complexity of verification (= for free ) #29

Which is slower? #30

State Space Explosion The complexity of model checking increases linearly with respect to the size of the transition system ( S + R ) However, the size of the transition system ( S + R ) is exponential in the number of variables and number of concurrent processes This exponential increase in the state space is called the state space explosion Dealing with it is one of the major challenges in model checking research #31

Explicit-State Model Checking One can show the complexity results using depth first search algorithms The transition system is a directed graph CTL model checking is multiple depth first searches (one for each temporal operator) LTL model checking is one nested depth first search (ie, two interleaved depth-firstsearches) Such algorithms are called explicit-state model checking algorithms (details on next slides) #32

Temporal Properties Fixpoints States that satisfy AG(p) are all the states which are not in EF( p) (= the states that can reach p) Compute EF( p) as the fixpoint of Func: 2S 2S This is called the Given Z µ S, Func(Z) = p reach-in-one-step(z) or Func(Z) = p EX(Z) inverse image of Z Actually, EF( p) is the least-fixpoint of Func smallest set Z such that Z = Func(Z) to compute the least fixpoint, start the iteration from Z=, and apply the Func until you reach a fixpoint This can be computed (unlike most other fixpoints) #33

Pictoral Backward Fixpoint Inverse Image of p = EX( p) Initial states initial states that violate AG(p) = initial states that satisfy EF( p) p states that can reach p = EF( p) = states that violate AG(p) This fixpoint computation can be used for: verification of EF( p) or falsification of AG(p) and a similar forward fixpoint handles the other cases #34

Symbolic Model Checking Symbolic Model Checking represent state sets and the transition relation as Boolean logic formulas Fixpoint computations manipulate sets of states rather than individual states Recall: we needed to compute EX(Z), but Z µ S Forward and backward fixpoints can be computed by iteratively manipulating these formulas Forward, inverse image: Existential variable elimination Conjunction (intersection), disjunction (union) and negation (set difference), and equivalence check Use an efficient data structure for manipulation of Boolean logic formulas Binary Decision Diagrams (BDDs) #35

Binary Decision Diagrams (BDDs) Efficient representation for boolean functions (a set can be viewed as a function, hw0) Disjunction, conjunction complexity: at most quadratic Negation complexity: constant Equivalence checking complexity: constant or linear Image computation complexity: can be exponential #36

Symbolic Model Checking Using BDDs SMV (Symbolic Model Verifier) was the first CTL model checker to use a BDD representation It has been successfully used in verification of hardware specifications, software specifications, protocols, etc SMV verifies finite state systems It supports both synchronous and asynchronous composition It can handle boolean and enumerated variables It can handle bounded integer variables using a binary encoding of the integer variables It is not very efficient in handling integer variables although this can be fixed #37

Where s the Beef To produce the explicit counter-example, use the onion-ring method A counter-example is a valid execution path For each Image Ring (= set of states), find a state and link it with the concrete transition relation R Since each Ring is reached in one step from previous ring (eg, Ring#3 = EX(Ring#4)) this works Each state z comes with L(z) so you know what is true at each point (= what the values of variables are) Initial 1 states 3 4 p 2 #38

Building Up To: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim #39

Key Terms CEGAR = Counterexample guided abstraction refinement A successful software modelchecking approach Sometimes called Iterative Abstraction Refinement SLAM = The first CEGAR project/tool Developed at MSR Lazy Abstraction = A CEGAR optimization used in the BLAST tool from Berkeley See also CPAChecker Other terms: c2bp, bebop, newton, npackets++, MAGIC, flying boxes, etc #40

So what is Counterexample Guided Abstraction Refinement? Theorem Proving? Dataflow Analysis? Model Checking? #41

Verification by Theorem Proving Example Example (( )) {{ 1: 1: do{ do{ lock(); lock(); old old == new; new; qq == q->next; q->next; 2: if 2: if (q (q!=!= NULL){ NULL){ 3: q->data 3: q->data == new; new; unlock(); unlock(); new new ++; ++; }} 4: 4: }} while(new while(new!=!= old); old); 5: 5: unlock unlock (); (); return; return; }} 1 Loop Invariants 2 Logical formula 3 Check Validity Invariant: lock Æ new = old Ç : lock Æ new old #42

Verification by Theorem Proving Example Example (( )) {{ 1: 1: do{ do{ lock(); lock(); old old == new; new; qq == q->next; q->next; 2: if 2: if (q (q!=!= NULL){ NULL){ 3: q->data 3: q->data == new; new; unlock(); unlock(); new new ++; ++; }} 4: 4: }} while(new while(new!=!= old); old); 5: 5: unlock unlock (); (); return; return; }} 1 Loop Invariants 2 Logical formula 3 Check Validity - Loop Invariants - Multithreaded Programs + Behaviors encoded in logic + Decision Procedures [ESC, PCC] Precise - #43

Verification by Program Analysis Example Example (( )) {{ 1: 1: do{ do{ lock(); lock(); old old == new; new; qq == q->next; q->next; 2: if 2: if (q (q!=!= NULL){ NULL){ 3: q->data 3: q->data == new; new; unlock(); unlock(); new new ++; ++; }} 4: 4: }} while(new while(new!=!= old); old); 5: 5: unlock unlock (); (); return; return; }} 1 Dataflow Facts 2 Constraint System 3 Solve constraints - Imprecision due to fixed facts + Abstraction + Type/Flow Analyses Scalable [CQUAL, ESP, MC] #44

Verification by Model Checking Example Example (( )) {{ 1: 1: do{ do{ lock(); lock(); old old == new; new; qq == q->next; q->next; 2: if 2: if (q (q!=!= NULL){ NULL){ 3: q->data 3: q->data == new; new; unlock(); unlock(); new new ++; ++; }} 4: 4: }} while(new while(new!=!= old); old); 5: 5: unlock unlock (); (); return; return; }} 1 (Finite State) Program 2 State Transition Graph 3 Reachability - Pgm! Finite state model - State explosion + State Exploration + Counterexamples Precise [SPIN, SMV, Bandera, JPF ] #45

One Ring To Rule Them All? #46

Combining Strengths Theorem Proving Program Analysis - Need loop invariants (will find automatically) + Behaviors encoded in logic (used to refine abstraction) + Theorem provers (used to compute successors, refine abstraction) - Imprecise (will be precise) + Abstraction (will shrink the state space we must explore) SLAM Model Checking - Finite-state model, state explosion (will find small good model) + State Space Exploration (used to get a path sensitive analysis) + Counterexamples (used to find relevant facts, refine abstraction) #47

Homework Read Lazy Abstraction Optionally read TAR #48

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback