Abstractions and Decision Procedures for Effective Software Model Checking

Similar documents
Model Checking: An Introduction

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Predicate Abstraction: A Tutorial

3-Valued Abstraction-Refinement

Software Verification with Abstraction-Based Methods

Counterexample-Guided Abstraction Refinement

Automata-Theoretic Model Checking of Reactive Systems

The State Explosion Problem

Model Checking. Boris Feigin March 9, University College London

Finite-State Model Checking

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Algorithmic verification

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

MODEL CHECKING. Arie Gurfinkel

Lecture 2: Symbolic Model Checking With SAT

Software Verification

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Chapter 4: Computation tree logic

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Computation Tree Logic

Automata-based Verification - III

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

State-Space Exploration. Stavros Tripakis University of California, Berkeley

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Formal Verification of Mobile Network Protocols

Information Flow Analysis via Path Condition Refinement

Alan Bundy. Automated Reasoning LTL Model Checking

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

A Brief Introduction to Model Checking

Overview. overview / 357

Automata-based Verification - III

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

T Reactive Systems: Temporal Logic LTL

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Computer-Aided Program Design

Sanjit A. Seshia EECS, UC Berkeley

CEGAR:Counterexample-Guided Abstraction Refinement

ESE601: Hybrid Systems. Introduction to verification

Model for reactive systems/software

IC3 and Beyond: Incremental, Inductive Verification

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Ranking Verification Counterexamples: An Invariant guided approach

Temporal Logic Model Checking

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Computer Aided Verification

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Computation Tree Logic

Timo Latvala. March 7, 2004

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Lecture Notes on Software Model Checking

The algorithmic analysis of hybrid system

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Revisiting Synthesis of GR(1) Specifications

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

SAT-Based Verification with IC3: Foundations and Demands

Topics in Verification AZADEH FARZAN FALL 2017

Safety and Liveness Properties

Monitoring Distributed Controllers

Timo Latvala. February 4, 2004

An Informal introduction to Formal Verification

Easy Parameterized Verification of Biphase Mark and 8N1 Protocols

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Static Program Analysis

Linear-time Temporal Logic

Integrating Induction, Deduction and Structure for Synthesis

arxiv: v1 [cs.lo] 29 May 2014

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Linear Temporal Logic and Büchi Automata

Revising UNITY Programs: Possibilities and Limitations 1

Linear-Time Logic. Hao Zheng

Model Checking with CTL. Presented by Jason Simas

Binary Decision Diagrams and Symbolic Model Checking

Chapter 6: Computation Tree Logic

The TLA + proof system

Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Lecture 2 Automata Theory

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Predicate Abstraction in Protocol Verification

Learning Abstractions for Model Checking

Principles of Sequential-Equivalence Verification

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Chapter 5: Linear Temporal Logic

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Teaching vs. Learning, and Course Wrap-Up

FAIRNESS FOR INFINITE STATE SYSTEMS

Transition Systems and Linear-Time Properties

Lecture 2 Automata Theory

A Short Introduction to Hoare Logic

Efficient Algorithm for Reachability Checking in Modeling

COEN6551: Formal Hardware Verification

Transcription:

Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture 1 1

Traditional Approaches Testing: Run the system on select inputs Simulation: Simulate a model of the system on select (often symbolic) inputs Code review and auditing 2

What are the Problems? not exhaustive (missed behaviors) not all are automated (manual reviews, manual testing) do not scale (large programs are hard to handle) no guarantee of results (no mathematical proofs) concurrency problems (non-determinism) 3

What is Formal Verification? Build a mathematical model of the system: what are possible behaviors? Write correctness requirement in a specification language: what are desirable behaviors? Analysis: (Automatically) check that model satisfies specification 4

What is Formal Verification (2)? Formal - Correctness claim is a precise mathematical statement Verification - Analysis either proves or disproves the correctness claim 5

Algorithmic Analysis by Model Checking Analysis is performed by an algorithm (tool) Analysis gives counterexamples for debugging Typically requires exhaustive search of state-space Limited by high computational complexity 6

Temporal Logic Model Checking [Clarke,Emerson 81][Queille,Sifakis 82] M = P implementation (system model) specification (sy stem property) satisfies, implements, refines (satisfaction relation) 7

Temporal Logic Model Checking more detailed M = P more abstract implementation (system model) specification (sy stem property) satisfies, implements, refines, confirms, (satisfaction relation) 8

Temporal Logic Model Checking M = P system model system specification satisfaction relation 9

Decisions when choosing a system model: n variable-based vs. event-based n interleaving vs. true concurrency n synchronous vs. asynchronous interaction n clocked vs. speed-independent progress n etc. 10

Characteristics of system models which favor model checking over other verification techniques: n ongoing input/output behavior (not: single input, single result) n concurrency (not: single control flow) n control intensive (not: lots of data manipulation) 11

Decisions when choosing a system model: While the choice of system model is important for ease of modeling in a given situation, the only thing that is important for model checking is that the system model can be translated into some form of state-transition graph. 12

Finite State Machine (FSM) Specify state-transition behavior Transitions depict observable behavior unlock ERROR lock lock unlock Acceptable sequences of acquiring and releasing a lock 13

High-level View Linux Kernel (C) Conformance Check Spec (FSM) 14

High-level View Model Checking Linux Kernel (C) By Construction Finite State Model (FSM) Spec (FSM) 15

Low-level View State-transition graph S set of states I set of initial states AP set of atomic observation R S S transition relation L: S 2 AP observation (labeling) function 16

s 1 a a,b b s 2 s 3 Run: s 1 s 3 s 1 s 3 s 1 state sequence Trace: a b a b a observation sequence 17

Model of Computation a b b c a b c b c c a b c c State Transition Graph Infinite Computation Tree Unwind State Graph to obtain Infinite Tree. 18 A trace is an infinite sequence of state observations

Semantics a b b c a b c b c c a b c c State Transition Graph Infinite Computation Tree The semantics of a FSM is a set of traces 19

Where is the model? Need to extract automatically Easier to construct from hardware Fundamental challenge for software Linux Kernel ~1000,000 LOC Recursion and data structures Pointers and Dynamic memory Processes and threads Finite State Model 20

Mutual-exclusion protocol loop out: x1 := 1; last := 1 req: await x2 = 0 or last = 2 in: x1 := 0 end loop. loop out: x2 := 1; last := 2 req: await x1 = 0 or last = 1 in: x2 := 0 end loop. P1 P2 21

oo001 ro101 or012 io101 rr112 ir112 pc1: {o,r,i} pc2: {o,r,i} x1: {0,1} x2: {0,1} last: {1,2} 3 3 2 2 2 = 72 states 22

State space blow up The translation from a system description to a state-transition graph usually involves an exponential blow-up!!! e.g., n boolean variables 2 n states This is called the state-explosion problem. 23

Temporal Logic Model Checking M = P system model system specification satisfaction relation 24

Decisions when choosing system properties: n operational vs. declarative: automata vs. logic n may vs. must: branching vs. linear time n prohibiting bad vs. desiring good behavior: safety vs. liveness 25

System Properties/Specifications - Atomic propositions: properties of states - (Linear) Temporal Logic Specifications: properties of traces. 26

Specification (Property) Examples: Safety (mutual exclusion): no two processes can be at the critical section at the same time Liveness (absence of starvation): every request will be eventually granted Linear Time Logic (LTL) [Pnueli 77]: logic of temporal sequences. next (α): α holds in the next state α eventually(γ): γ holds eventually γ always(λ): λ holds from now on λ λ λ λ α until β: α holds until β holds α α β 27

Kinematics Criteria Compliance Dynamics v EEF W Forces Torques Inertia Performance Operational Software Components Resource Allocation Real-Time Control Components To Simulation Operator Priority Setting Actuator Control 28

Examples of the Robot Control Properties Configuration Validity Check: If an instance of EndEffector is in the FollowingDesiredTrajectory state, then the instance of the corresponding Arm class is in the Valid state Always((ee_reference=1) ->(arm_status=1) Control Termination: Eventually the robot control terminates Eventually(abort_var=1) 29

What is satisfy? M satisfies S if all the reachable states satisfy P Different Algorithms to check if M = P. - Explicit State Space Exploration For example: Invariant checking Algorithm. 1. Start at the initial states and explore the states of M using DFS or BFS. 2. In any state, if P is violated then print an error trace. 3. If all reachable states have been visited then say yes. 30

State Space Explosion Problem: Size of the state graph can be exponential in size of the program (both in the number of the program variables and the number of program components) M = M 1 M n If each M i has just 2 local states, potentially 2 n global states Research Directions: State space reduction 31

Abstractions They are one of the most useful ways to fight the state explosion problem They should preserve properties of interest: properties that hold for the abstract model should hold for the concrete model Abstractions should be constructed directly from the program 32

Abstractions Why do we need to abstract? To reduce a number of states To represent (in a sound manner) infinite state systems as finite state systems

Why we need to abstract? To reduce a number of states To represent (in a sound manner) infinite state systems as finite state systems How do we abstract? Abstractions By removing irrelevant to verification details

Data Abstraction Given a program P with variables x 1,...x n, each over domain D, the concrete model of P is defined over states (d 1,...,d n ) D... D Choosing Abstract domain A Abstraction mapping (surjection) h: D A we get an abstract model over abstract states (a 1,...,a n ) A... A 35

Example Given a program P with variable x over the integers Abstraction 1: A 1 = { a, a 0, a + } a + if d>0 h 1 (d) = a 0 if d=0 a if d<0 Abstraction 2: A 2 = { a even, a odd } h 2 (d) = if even( d ) then a even else a odd 36

Existential Abstraction A h h h M < A M 37

Existential Abstraction 1 [1] a b a b 2 3 [2,3] c d e f c d e f 4 5 6 7 [4,5] [6,7] M A 38

Existential Abstraction Every trace of M is a trace of A A over-approximates what M can do (Preserves safety properties!): A satisfies φ M satisfies φ Some traces of A may not be traces of M May yield spurious counterexamples - < a, e > Eliminated via abstraction refinement Splitting some clusters in smaller ones Refinement can be automated 39

Original Abstraction 1 [1] a b a b 2 3 [2,3] c d e f c d e f 4 5 6 7 [4,5] [6,7] M A 40

Refined Abstraction 1 [1] a b a b 2 3 [2] [3] c d e f c d e f 4 5 6 7 [4,5] [6,7] M A 41

How to define an abstract model Given M (model) and ϕ (spec), choose S h - a set of abstract states AP a set of atomic propositions that label concrete and abstract states h : S S h - a mapping from S on S h that satisfies: h(s) = h(t) only if L(s)=L(t)

Abstraction Depending on h and the size of M, M h (i.e., I h, R h ) can be built using: BDDs or SAT solver or Theorem prover

Predicate Abstraction [Graf/Saïdi 97] Idea: Only keep track of predicates on data Abstraction function: 44

Predicate Abstraction

Predicate Abstraction Labeling of concrete states: L(s) = { P i s = P i }

Abstract Model Abstract states are defined over Boolean variables { B 1,...,B k }:

Example Program over natural variables x, y AP = { P1, P2, P3 }, where P1 = x 1, P2 = x>y, P3 = y=2 AP = { x 1, x>y, y=2 } For state s, where s(x)=s(y)=0: L(s) = { P1 } For state t, where t(x)=1, t(y)=2: L(t) = { P1,P3 }

Example

Computing abstract transition relation (the same example)

Abstract transition relation

Concrete States: Example Predicates: Abstract transitions?

How to get abstract transitions? Typically done in a conservative manner Existential abstraction:

Predicate Abstraction ü ü Abstract Transitions: ü Property: Property holds. Ok.

Predicate Abstraction ü ü Abstract Transitions: Property: û This trace is spurious!

Predicate Abstraction New Predicates: ü

CEGAR Counter Example Guided Abstraction Refinement

CEGAR approach

CEGAR M α Spurious Initial Abstraction Spurious counterexample Refinement Refinement Validation or Counterexample Correct! M Original Model

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback