Static Program Transformations for Efficient Software Model Checking

Similar documents

Model Checking: An Introduction

Formal Verification and Linear-time Model Checking

Algorithmic Software Verification

The Model Checker SPIN

Testing LTL Formula Translation into Büchi Automata

Software safety - DEF-STAN 00-55

A Classification of Model Checking-based Verification Approaches for Software Models

Automated Theorem Proving - summary of lecture 1

Formal Verification by Model Checking

Model Checking of Software

Software Modeling and Verification

STATUS REPORT ON MAUDE-NPA TOOL

Regression Verification: Status Report

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Formal Verification of Software

Arithmetic Coding: Introduction

Firewall Verification and Redundancy Checking are Equivalent

Software Model Checking. Equivalence Hierarchy

Model Checking II Temporal Logic Model Checking

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Software Verification and Testing. Lecture Notes: Temporal Logics

InvGen: An Efficient Invariant Generator

Software Verification: Infinite-State Model Checking and Static Program

2 Temporal Logic Model Checking

T Reactive Systems: Introduction and Finite State Automata

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Software Engineering using Formal Methods

Model Checking based Software Verification

tutorial: hardware and software model checking

CHAPTER 7 GENERAL PROOF SYSTEMS

New Hash Function Construction for Textual and Geometric Data Retrieval

Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy

Development of dynamically evolving and self-adaptive software. 1. Background

Euler Paths and Euler Circuits

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Rigorous Software Development CSCI-GA

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

ML for the Working Programmer

ALGEBRA 2 CRA 2 REVIEW - Chapters 1-6 Answer Section

Satisfiability Checking

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

Chapter 6: Episode discovery process

Foundational Proof Certificates

Finding Liveness Errors with ACO

The ProB Animator and Model Checker for B

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Temporal Logics. Computation Tree Logic

LTL Model Checking with Logic Based Petri Nets

How Can Metaheuristics Help Software Engineers

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

Introduction to Software Verification

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

The finite field with 2 elements The simplest finite field is

Fundamentals of Software Engineering

CS510 Software Engineering

Verifying Specifications with Proof Scores in CafeOBJ

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Logic in general. Inference rules and theorem proving

Outline. NP-completeness. When is a problem easy? When is a problem hard? Today. Euler Circuits

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

arxiv: v1 [math.pr] 5 Dec 2011

Software Verification and System Assurance

Fixed-Point Logics and Computation

CS Master Level Courses and Areas COURSE DESCRIPTIONS. CSCI 521 Real-Time Systems. CSCI 522 High Performance Computing

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

MODEL CHECKING CONCURRENT AND REAL-TIME SYSTEMS: THE PAT APPROACH. LIU YANG (B.Sc. (Hons.), NUS)

CHAPTER 1 INTRODUCTION

Automated Formal Analysis of Internet Routing Systems

Unified Static and Runtime Verification of Object-Oriented Software

Factoring & Primality

Validated Templates for Specification of Complex LTL Formulas

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

Software Verification/Validation Methods and Tools... or Practical Formal Methods

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Automata-based Verification - I

A New Generic Digital Signature Algorithm

Summary Last Lecture. Automated Reasoning. Outline of the Lecture. Definition sequent calculus. Theorem (Normalisation and Strong Normalisation)

Bindings, mobility of bindings, and the -quantifier

INF5140: Specification and Verification of Parallel Systems

How To Prove The Dirichlet Unit Theorem

Transcription:

Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin

Dependable Systems Large and complex systems Software faults are major concern Dependability achieved by Testing Debugging Formal Verification August 24, 2004 S. Vasudevan and J. A. Abraham 2

Formal Verification: Model Checking Formal description of model Property specified in temporal logic (LTL, CTL etc) State space explosion for reasonably sized systems August 24, 2004 S. Vasudevan and J. A. Abraham 3

A Solution: Abstractions Model checking models need to be made smaller Smaller or reduced models must retain information Property being checked should yield same result Balancing solution: Abstractions August 24, 2004 S. Vasudevan and J. A. Abraham 4

Program Transformation Based Abstractions Abstractions on Kripke structures Cone of Influence (COI), Symmetry, Partial Order, etc. State transition graphs for even small programs can be very large to build Abstractions on Program Text Scale well with program size High economic interest Static Program Transformations August 24, 2004 S. Vasudevan and J. A. Abraham 5

Types of Abstractions Sound Property holds in abstraction implies property holds in the original program Complete Algorithm always finds an abstract program if it exists Exact Property holds in the abstraction iff property holds in the main program August 24, 2004 S. Vasudevan and J. A. Abraham 6

Abstraction Landscape High Property Dependence Medium Property Dependence Low Property Dependence Slicing Counterexample Guided Refinement techniques Data Abstractions Abstract Interpretation High Automation Medium Automation Low Automation August 24, 2004 S. Vasudevan and J. A. Abraham 7

Data Abstractions Abstract data information Typically manual abstractions Infinite behavior of system abstracted Each variable replaced by abstract domain variable Each operation replaced by abstract domain operation Data independent Systems Data values do not affect computation Datapath entirely abstracted August 24, 2004 S. Vasudevan and J. A. Abraham 8

Data Abstractions: Examples Arithmetic operations Congruence modulo an integer k replaced by k mod m High orders of magnitude Logarithmic values instead of actual data value Bitwise logical operations Large bit vector to single bit value Parity generator Cumbersome enumeration of data values Symbolic values of data August 24, 2004 S. Vasudevan and J. A. Abraham 9

Abstract Interpretation Abstraction function mapping concrete domain values to abstract domain values Over-approximation of program behavior Every execution corresponds to abstract execution Abstract semantics constructed once, manually August 24, 2004 S. Vasudevan and J. A. Abraham 10

Abstract Interpretation: Examples Sign abstraction Replace integers by their sign Each integer K replaced by one of {> 0, < 0, =0} Interval Abstraction Approximates integers by maximal and minimal values Counter variable i replaced by lower and upper limits of loop Relational Abstraction Retain relationship between sets of data values Set of integers replaced by their convex hull August 24, 2004 S. Vasudevan and J. A. Abraham 11

Counterexample Guided Refinement Approximation on set of states Initial state to bad path Successive refinement of approximation Forward or backward passes Process repeated until fixpoint is reached Empty resulting set of states implies property proved Otherwise, counterexample is found Counterexample can be spurious because of over-approximations Heuristics used to determine spuriousness of counterexamples August 24, 2004 S. Vasudevan and J. A. Abraham 12

Counterexample Guided Refinement Predicate Abstraction Predicates related to property being verified (User defined) Theorem provers compute the abstract program Spurious counterexamples determined by symbolic algorithms Some techniques use error traces to identify relevant predicates August 24, 2004 S. Vasudevan and J. A. Abraham 13

Counterexample Guided Refinement Lazy Abstraction More efficient algorithm Abstraction is done on-the-fly Minimal information necessary to validate a property is maintained Abstract state where counterexample fails is pivot state Refinement is done only from the pivot state on August 24, 2004 S. Vasudevan and J. A. Abraham 14

Program Slicing Program transformation involving statement deletion Relevant statements determined according to slicing criterion Slice construction is completely automatic Correctness is property specific Loss of generality Abstractions are sound and complete August 24, 2004 S. Vasudevan and J. A. Abraham 15

Specialized Slicing Techniques Static slicing produces large slices Has been used for verification Semantically equivalent to COI reductions Slicing criterion can be enhanced to produce other types of slices Amorphous Slicing Conditioned Slicing August 24, 2004 S. Vasudevan and J. A. Abraham 16

Our Contribution: Specialized Slicing for Verification Amorphous Slicing Static slicing preserves syntax of program Amorphous Slicing does not follow syntax preservation Semantic property of the slice is retained Uses rewriting rules for program transformation August 24, 2004 S. Vasudevan and J. A. Abraham 17

Example of Amorphous Slicing begin i = start; while (i <= (start + num)) { result = K + f(i); sum = sum + result; i = i + 1; } end LTL Property: G sum > K Slicing Criterion: (end, {sum, K}) August 24, 2004 S. Vasudevan and J. A. Abraham 18

Example of Amorphous Slicing Amorphous Slice: begin sum = sum + K + f(start); sum = sum + K + f(start + num); end Program Transformation rules applied Induction variable elimination Dependent assignment removal Amorphous Slice takes a fraction of the time as the real slice on SPIN August 24, 2004 S. Vasudevan and J. A. Abraham 19

Amorphous Slicing for Verification Similar to term rewriting Used by theorem provers for deductive verification What is different? Theorem provers try to prove entirely by rewriting We propose a hybrid approach Rewriting only part of the program, based on slicing criterion Model checking the sliced program August 24, 2004 S. Vasudevan and J. A. Abraham 20

Conditioned Slicing Theoretical bridge between static and dynamic slicing Conditioned Slices specify initial state in criterion Constructed with respect to set of possible inputs Characterized by first order predicate formula Yields much smaller slices than static slices August 24, 2004 S. Vasudevan and J. A. Abraham 21

Conditioned Slicing for Verification Safety properties specified as: Antecedent => Consequent For these properties, antecedent can be used to specify the initial states of interest We do not need states where antecedent is not true Static slices preserves all possible executions August 24, 2004 S. Vasudevan and J. A. Abraham 22

Conditioned Slicing for Verification Abstractions created by conditioned slicing of antecedents in formula Antecedent Conditioned Slices Exact abstractions Automatic construction of slices August 24, 2004 S. Vasudevan and J. A. Abraham 23

Example Program begin 1: read(n); 2: A = 1; 3: if (N < 0) { 4: B = f(a); 5: C = g(a); } else 6: if (N > 0) { 7: B = f (A); 8: C = g (A); } else { 9: B = f (A); 10: C = g (A); } 11: print(b); 12: print(c); end August 24, 2004 S. Vasudevan and J. A. Abraham 24

Static Slice of Program begin 1: read(n); 2: A = 1; 3: if (N < 0) { 4: B = f(a); 5: C = g(a); Slicing criterion: } else <(N<0), 11, B> 6: if (N > 0) { 7: B = f (A); 8: C = g (A); } else { 9: B = f (A); 10: C = g (A); } 11: print(b); 12: print(c); end August 24, 2004 S. Vasudevan and J. A. Abraham 25

Conditioned Slice of Program begin 1: read(n); 2: A = 1; 3: if (N < 0) { Slicing criterion: 4: B = f(a); 5: C = g(a); } else <(N<0), 11, B> 6: if (N > 0) { 7: B = f (A); 8: C = g (A); } else { 9: B = f (A); 10: C = g (A); } 11: print(b); 12: print(c); end August 24, 2004 S. Vasudevan and J. A. Abraham 26

Preliminary Experimental Results Group Address Registration Protocol (GARP) and X.509 authentication protocol SPIN model checker Memory limit of 512 MB given Max search depth of 2 20 steps All properties were in the form Antecedent => Consequent August 24, 2004 S. Vasudevan and J. A. Abraham 27

Preliminary Experimental Results Property Unsliced* Conditioned Sliced Property Proved P1 91.65 1.72 Yes P2 145.78 8.44 Yes P3 145.36 8.41 Yes P4 154.96 1.95 Yes P5 117.81 10.23 Yes *Static slicing in SPIN was enabled August 24, 2004 S. Vasudevan and J. A. Abraham 28

Conclusions Abstraction techniques are evaluated by Degree of automation vs. Manual effort Property dependence vs. Generic nature Exact vs. Over-approximation Software reliability is the grand challenge of the next decade Abstractions are the powerful candidate solutions to this challenge Need integration of all abstraction techniques into an optimal framework August 24, 2004 S. Vasudevan and J. A. Abraham 29