Automatic Fault Localization for BIP

Similar documents
COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Alan Bundy. Automated Reasoning LTL Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Verifying Properties of Parallel Programs: An Axiomatic Approach

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

The State Explosion Problem

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Revising Distributed UNITY Programs is NP-Complete

Proof Calculus for Partial Correctness

Program verification. 18 October 2017

Deductive Verification

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

Static Program Analysis using Abstract Interpretation

Probabilistic Guarded Commands Mechanized in HOL

Constraint Solving for Program Verification: Theory and Practice by Example

Vinter: A Vampire-Based Tool for Interpolation

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Hoare Logic: Reasoning About Imperative Programs

Program Analysis Part I : Sequential Programs

Lecture Notes on Software Model Checking

Predicate Abstraction: A Tutorial

The algorithmic analysis of hybrid system

Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Proofs of Correctness: Introduction to Axiomatic Verification

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Reasoning About Imperative Programs. COS 441 Slides 10b

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Constraint Solving for Program Verification: Theory and Practice by Example

A Short Introduction to Hoare Logic

Automata-Theoretic Model Checking of Reactive Systems

Model Checking: An Introduction

What You Must Remember When Processing Data Words

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Inductive Data Flow Graphs

IC3 and Beyond: Incremental, Inductive Verification

Hoare Logic and Model Checking

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

FMCAD 2013 Parameter Synthesis with IC3

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Revising UNITY Programs: Possibilities and Limitations 1

Ranking Verification Counterexamples: An Invariant guided approach

Hoare Logic: Reasoning About Imperative Programs

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

FAIRNESS FOR INFINITE STATE SYSTEMS

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Complexity and algorithms for monomial and clausal predicate abstraction

Software Verification with Abstraction-Based Methods

From High-Level Component-Based Models to Distributed Implementations

A new Abstraction-Refinement based Verifier for Modular Linear Hybrid Automata and its Implementation

Interpolant-based Transition Relation Approximation

Hoare Calculus and Predicate Transformers

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Relative Completeness of Abstraction Refinement for Software Model Checking

IMITATOR: A Tool for Synthesizing Constraints on Timing Bounds of Timed Automata

Model Checking. Boris Feigin March 9, University College London

Revising Distributed UNITY Programs is NP-Complete

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Static Program Analysis

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Soundness and Completeness of Axiomatic Semantics

Binary Decision Diagrams and Symbolic Model Checking

Software Verification

Program verification using Hoare Logic¹

Dictionary-Less Defect Diagnosis as Surrogate Single Stuck-At Faults

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Applications of Craig Interpolants in Model Checking

CSE 331 Winter 2018 Homework 1

Simple Bivalency Proofs of the Lower Bounds in Synchronous Consensus Problems

Safety and Liveness Properties

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Programming Languages and Compilers (CS 421)

Towards a Mechanised Denotational Semantics for Modelica

Symbolic Computation and Theorem Proving in Program Analysis

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

ESE601: Hybrid Systems. Introduction to verification

CSE 331 Winter 2018 Reasoning About Code I

On Boolean Encodings of Transition Relation for Parallel Compositions of Transition Systems

Latency Analysis for Sequential Circuits

Verifying Randomized Distributed Algorithms with PRISM

Formal Specification and Verification. Specifications

Programming Languages

Software Engineering

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

SAT-Based Verification with IC3: Foundations and Demands

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Introduction to Axiomatic Semantics

Refinement of Trace Abstraction

An Informal introduction to Formal Verification

A Lower Bound of 2 n Conditional Jumps for Boolean Satisfiability on A Random Access Machine

Transcription:

Automatic Fault Localization for BIP Wang Qiang 1, Lei Yan 2, Simon Bliudze 1, and Mao Xiaoguang 3,4 1 École Polytechnique Fédérale de Lausanne, Switzerland 2 Logistical Engineering University of PLA, China 3 College of Computer, National University of Defense Technology, China 4 Laboratory of Science and Technology on Integrated Logistics Support, National University of Defense Technology, China Abstract. This paper presents a novel idea of automatic fault localization by exploiting counterexamples generated by a model checker. The key insight is that, if a candidate statement is faulty, it is possible to modify (i.e. correct) this statement so that the counterexample is eliminated. We have implemented the proposed fault localization algorithm for component-based systems modelled in the BIP (Behaviour, Interaction and Priority) language, and conducted the first experimental evaluation on a set of benchmarks with injected faults, showing that our approach is promising and capable of quickly and precisely localizing faults. 1 Introduction The rigorous system design process in BIP starts with the high-level modelling of application software. The final system implementation is then derived from the high-level system model by a series of property preserving model transformations, taking into account the architectural features of execution platform. Thus, correctness of the system implementation with respect to essential safety properties follows from the correctness of high-level system models, which can be guaranteed by applying verification techniques [2, 12]. When a counterexample is found, showing that the system model violates the required properties, designers manually investigate it in order to fix the model. However, the counterexample generated by a model checker can be large, requiring considerable effort to localize the fault. It is thus desirable to provide a method for automatic localization of faults to streamline the rigorous system design process. Existing fault localization techniques [10] are mostly statistical. They are generally referred to as Spectrum-based Fault Localization (SFL) [11]. In order to identify suspicious locations, they require a considerable number of test cases, including both passed and failed ones. When only a few tests are available, these techniques become imprecise. In [1], the authors exploit the difference between counterexamples and successful traces to localize faults in the program. The faults are those transitions that do not appear in the correct traces. In [7], the authors propose to instrument the program with additional diagnosis variables and perform model checking on this modified program. The valuation of diagnosis variables indicates the location of a fault, when a counterexample is found. In [8], the authors propose a reduction of the fault localization problem to This work was partially funded by National Natural Science Foundation of China (61379054).

the maximum Boolean satisfiability problem extracted from the counterexample trace. The solution of the satisfiability problem provides a set of locations that are potentially responsible for the fault. In this paper, we focus on component-based systems modelled in BIP. In contrast with the work cited above, our approach does not require neither test inputs, nor instrumentation of the model. Instead, it exploits the counterexample generated by a model checker. It reports the exact location, where the fault could be corrected instead of a set of suspicious locations. The key insight of our approach stems from the observation that a statement in the counterexample is faulty if it is possible to modify (i.e. correct) this statement so that the counterexample is eliminated. Given a counterexample that is an execution trace that violates the desired property we first assume that this counterexample is spurious, meaning that its postcondition is false. 5 Our algorithm then proceeds by propagating this postcondition backwards, computing the weakest preconditions of the statements that form the execution trace, until it reaches a statement that interferes with the propagated postcondition. We mark this statement as a candidate fault location. In the second phase, the algorithm symbolically executes the counterexample trace from the initial state to the candidate faulty statement, which results in a symbolic state. This symbolic state, together with the candidate faulty statement and the propagated postcondition form a Hoare triple. We say that the candidate faulty statement is a fault if this statement can be modified to make the Hoare triple valid. Since the postcondition of the resulting trace is false, the counterexample is eliminated. We remark that BIP is an expressive intermediate modelling language for component-based software. Industrial languages, used, for instance, for the design of Programmable Logic Controller software [5], can be encoded into BIP. This opens the possibility of applying our fault localisation approach to real-life industrial programs. 2 The BIP language The BIP framework advocates strong separation of computation and coordination concerns. To this end, the BIP language provides a modelling formalism based on three layers: Behaviour, Interaction and Priority. Behaviour is characterised by a set of atomic components, modelled by automata extended with linear arithmetic. Transitions are labelled by ports, used for synchronization and data transfer with other components. Coordination is specified by interaction and priority models. An interaction model is a set of interactions, representing guarded strong synchronizations of transitions of atomic components. An interaction is a triple, consisting of a sets of ports to be synchronized, a Boolean guard and an assignment statement updating the variables of the participating components. When several interactions are enabled simultaneously, priority can be used to reduce non-determinism and decide which interaction will be executed. We refer to [2, 4] for the formal presentation of the BIP framework and operational semantics. Example 1. We model in BIP the ticket mutual exclusion algorithm [9] with two processes. A graphical representation is shown in Fig. 1. Each process gets a ticket from 5 We assume the readers to be familiar with the notions of Hoare triple and weakest precondition. 2

the controller by taking its corresponding request transition (e.g. request1 in the leftmost component in Fig. 1), and stores it in its buffer variable (e.g. buffer1). When the ticket held by the process is equal to the number to be served (represented by the guards [ticketn = next], with N = 1, 2, on the interactions in Fig. 1), the process can enter the critical location (i.e. S3) by taking the enter transition. The controller keeps track of the latest ticket it issues in the number variable and the next ticket to be served in the next variable. These variables are increased by one when a process requests a ticket or leaves the critical location, respectively. The mutual exclusion property requires that the two processes never be in the critical locations simultaneously. buffer1:=number buffer2:=number request1(buffer1) leave1 leave request(number) request2(buffer2) leave2 S1 request1 ticket1:=buffer1 request number++ S1 request2 ticket2:=buffer2 leave1 S2 S1 enter leave2 S2 enter1 S3 enter1(ticket1) leave next++ enter(next) enter2 S3 enter2(ticket2) process1 [ticket1=next] controller [ticket2=next] Fig. 1. Ticket mutual exclusion algorithm in BIP process2 For the sake of conciseness, in Section 3, we will denote the request ports of the controller and the two process components r, r 1 and r 2, respectively. Similarly, we will use e, e 1, e 2 for the enter ports; t 1, b 1, t 2, b 2 for the variables of the two process components; n and x for the number and next variables of the controller component. 3 Overview of the algorithm We inject a fault in the model presented in Example 1 by modifying the assignment of transition r 2 to be t 2 := b 2 1. The mutual exclusion property is then violated by the sequence of interactions γ 1, γ 2, γ 3, γ 4, where γ 1 = ({r, r 1 }, true, b 1 := n), γ 2 = ({r, r 2 }, true, b 2 := n), γ 3 = ({e, e 1 }, t 1 = x, skip), γ 4 = ({e, e 2 }, t 2 = x, skip). We first build a sequential execution of this counterexample by serializing the statements associated with interactions and their participating transitions: cex = b 1 := n; t 1 := b 1 ; n := n+1; b 2 := n; t 2 := b 2 1; n := n+1; assume(t 1 = x t 2 = x). Our first observation is that if a statement is faulty, it is possible to modify it so that the counterexample is eliminated. However, this can also be the case for a correct statement: e.g. replacing n := n + 1 in the transition r of the controller component by n := n eliminates the above counterexample. To avoid this, we use the following characterisation of faults. We say that a statement s interferes with a predicate ϕ if the Hoare triple {ϕ}s{ϕ} is invalid. Given a counterexample cex, we call a statement s faulty, if 1) it interferes with the predicate ϕ obtained by backward propagation of false along cex through the computation of weakest preconditions and 2) it is possible to 3

eliminate cex by modifying s. We explain the idea by applying our algorithm to the counterexample above. We start by computing the weakest precondition of false for the assume statement: wp(false, assume(t 1 = x t 2 = x)) = (t 1 x t 2 x). According to our fault model for BIP (Section 4), an assume statement cannot be a fault candidate. Therefore, we proceed to the statement n := n + 1, which is a fault candidate. Since wp(t 1 x t 2 x, n := n + 1) = (t 1 x t 2 x), n := n + 1 does not interfere with the predicate (t 1 x t 2 x). Hence it is not faulty and we proceed to the next statement. Since wp(t 1 x t 2 x, t 2 := b 2 1) = (t 1 x b 2 1 x) is not implied by t 1 x t 2 x, we conclude that t 2 := b 2 1 interferes with this latter predicate. To check if this statement is the fault, we replace it by t 2 := v, where v is a fresh variable, and compute its precondition by symbolically executing the fragment preceding t 2 := b 2 1, (i.e. b 1 := n; t 1 := b 1 ; n := n + 1; b 2 := n ), which results in b 1 = 1 t 1 = 1 n = 2 x = 1 b 2 = 2 t 2 = 0. We now have to check whether there exists a valuation of v that makes the Hoare triple {b 1 = 1 t 1 = 1 n = 2 x = 1 b 2 = 2 t 2 = 0} t 2 := v {t 1 x t 2 x} valid, which would ensure the elimination of the counterexample cex. This is, indeed, the case, since the implication b 1 = 1 t 1 = 1 n = 2 x = 1 b 2 = 2 t 2 = 0 wp(t 1 x t 2 x, t 2 := v) is satisfiable. Thus we conclude that the statement t 2 := b 2 1 associated with the transition r 2 is the fault responsible for the counterexample cex. 4 Fault localization algorithm for BIP Since the synchronization aspect of interaction models is memoryless and can be synthesized from high-level properties [3], it is reasonable to assume that coordination is correct and focus on the faults in the assignment statements. We assume that there is at most one fault, which can occur in the right-hand side of an assignment, and we do not consider missing-code faults. Although these assumptions are quite strong, they are satisfied by a considerable number of realistic models. In fact, our fault model is quite similar to the faulty expression model widely used for fault localization in C programs [7], where the control flow of the program is assumed to be correct, but the expressions may be wrong. Our algorithm (Algorithm 1) utilizes a model checker or a symbolic executor as a subroutine to detect a counterexample (line 1). When a counterexample is generated, a sequential execution trace tr is constructed (line 5). Then for each statement s in tr, we compute the weakest precondition pre of s with respect to post, initially set to false (lines 6, 8, 17, 19). If s is suspicious (i.e. it is admitted by our fault model) and interferes with its postcondition (line 9), we check whether it is possible to modify it to eliminate cex. To this end, we compute s = Modify(s) (line 10), which replaces the right-hand side of s by a fresh variable. We symbolically execute the counterexample until s (lines 11 12). Notice that the same statement may appear in the prefix due to the presence of a loop. Finally, we check whether the symbolic state st implies the weakest precondition pre of s (lines 13 14). If the implication is satisfiable, there exists a replacement s of s that eliminates cex and s is the fault (line 16). Otherwise, we propagate the postcondition backwards and proceed to the next statement. 4

Algorithm 1 Automatic fault localization algorithm Input: A BIP model B with the encoding of safety property Output: Either no counterexample is found or potential fault is suggested 1: cex CounterexampleDetection(B) 2: if cex is Null then 3: return No counterexamples found 4: else 5: tr SequentialExecution(cex) 6: post false 7: for each s in tr do 8: pre WeakestPrecondition(post, s) 9: if s is suspicious and post pre is invalid then 10: s Modify(s) 11: prefix PrefixExecution(tr, s) 12: st SymbolicExecute(prefix, s) 13: pre WeakestPrecondition(post, s ) 14: if st pre is satisfiable then 15: return s is the fault location 16: else 17: post pre 18: else 19: post pre 5 Experimental evaluation We have implemented the proposed algorithm based on an existing model checker [2], and adopted several benchmarks from the same work for the experimental evaluation. We also used industrial benchmarks [5] and the TCAS test suite [6], which is widely used by the fault localization community. Faults are injected into all benchmarks by modifying some assignments in the transitions of atomic components. Due to the space limitation, we refer the reader to our website 6 for further detail. All the experiments have been performed on a 64-bit Linux PC with a 2.8 Ghz Intel i7-2640m CPU, with a memory limit of 4Gb and a time limit of 300 seconds. The results are listed in Table 1, which shows that our algorithm has quickly and precisely localized the faults in all considered benchmarks. The second column of Table 1 shows the number of lines of the BIP model; the third shows the exact location (i.e. line number) of the fault in the program; in the forth, indicates that our algorithm has localized the fault successfully; the fifth shows the time of performing fault localization, which remains stable with the size of the benchmarks. This can be explained by the fact that our algorithm uses counterexamples, rather than the models themselves. The last column shows the total time of detecting and localizing the fault. 6 Conclusion Fault localization techniques based on formal methods are attracting attention. In this short paper, we have presented a novel automatic fault-localization algorithm for sin- 6 http://risd.epfl.ch/fault-localisation 5

Table 1. Experimental results Benchmark LOC Fault Location Result FaultLoc Time (s) Total Time (s) atm transaction system 90 L57 0.004 0.036 ticket algorithm 89 L54 0.008 0.024 gate control system 80 L51 0.004 0.244 bakery algorithm 77 L41 0.004 0.048 plc code1 162 L98 0.004 0.040 plc code2 76 L46 0.004 0.016 plc code3 133 L96 0.008 1.144 simple c code 68 L32 0.004 0.020 tcas 197 L140 0.008 0.700 gle assignment faults in BIP models. Our first experimental evaluation shows that the algorithm is promising: under some admittedly strong, but realistic assumptions, it is capable of quickly and precisely localizing faults. In the future work, we are planning to explore the possibilities of relaxing these assumptions, perform further experimental evaluation, and investigate the possibilities of automatically repairing the detected faults. References 1. Ball, T., Naik, M., Rajamani, S.K.: From symptom to cause: Localizing errors in counterexample traces. In: POPL (2003) 2. Bliudze, S., Cimatti, A., Jaber, M., Mover, S., Roveri, M., Saab, W., Wang, Q.: Formal verification of infinite-state BIP models. In: ATVA (2015), to appear 3. Bliudze, S., Sifakis, J.: Synthesizing glue operators from glue constraints for the construction of component-based systems. In: Apel, S., Jackson, E. (eds.) Software Composition. LNCS, vol. 6708, pp. 51 67. Springer Berlin / Heidelberg (2011) 4. Bliudze, S., Sifakis, J., Bozga, M.D., Jaber, M.: Architecture internalisation in BIP. In: Proceedings of the 17th International ACM Sigsoft Symposium on Component-based Software Engineering. pp. 169 178. CBSE 14, ACM, New York, NY, USA (2014) 5. Darvas, D., Fernández Adiego, B., Vörös, A., Bartha, T., Blanco Viñuela, E., González Suárez, V.M.: Formal verification of complex properties on plc programs. In: Formal Techniques for Distributed Objects, Components and Systems (2014) 6. Do, H., Elbaum, S., Rothermel, G.: Supporting controlled experimentation with testing techniques: An infrastructure and its potential impact. Empirical Software Engineering (2005) 7. Griesmayer, A., Staber, S., Bloem, R.: Automated fault localization for c programs. Electron. Notes Theor. Comput. Sci. (2007) 8. Jose, M., Majumdar, R.: Cause clue clauses: Error localization using maximum satisfiability. In: PLDI (2011) 9. Lynch, N.A.: Distributed Algorithms (1996) 10. Mao, X., Lei, Y., Dai, Z., Qi, Y., Wang, C.: Slice-based statistical fault localization. Journal of Systems and Software (2014) 11. Naish, L., Lee, H., Ramamohanarao, K.: A model for spectra-based software diagnosis. ACM Transactions on Software Engineering and Methodology (2011) 12. Sifakis, J.: Rigorous system design. Foundations and Trends in Electronic Design Automation (2013) 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback