Model Checking: An Introduction



Similar documents
logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Introduction to Software Verification

Model Checking II Temporal Logic Model Checking

Formal Verification and Linear-time Model Checking

Algorithmic Software Verification

Formal Verification by Model Checking

Temporal Logics. Computation Tree Logic

Formal Verification of Software

The Course.

Software Model Checking: Theory and Practice

Model Checking of Software

Static Program Transformations for Efficient Software Model Checking

Automata-based Verification - I

Software Modeling and Verification

2 Temporal Logic Model Checking

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Testing LTL Formula Translation into Büchi Automata

Development of dynamically evolving and self-adaptive software. 1. Background

T Reactive Systems: Introduction and Finite State Automata

The Model Checker SPIN

Software Verification and Testing. Lecture Notes: Temporal Logics

Automated Theorem Proving - summary of lecture 1

Software Verification: Infinite-State Model Checking and Static Program

Software safety - DEF-STAN 00-55

tutorial: hardware and software model checking

LTL Model Checking with Logic Based Petri Nets

Model Checking based Software Verification

InvGen: An Efficient Invariant Generator

The software model checker BLAST

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

CISC422/853: Formal Methods

Specification and Analysis of Contracts Lecture 1 Introduction

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

A computational model for MapReduce job flow

From Workflow Design Patterns to Logical Specifications

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Slides based in part on previous lectures by Mahesh Vishwanathan, and by Gul Agha January 21,

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Formal Verification of Computer Systems - (INFO-F-412)

µz An Efficient Engine for Fixed points with Constraints

Combining Software and Hardware Verification Techniques

Software Engineering using Formal Methods

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

Program Analysis: Theory and Practice

Feature Specification and Automated Conflict Detection

MetaGame: An Animation Tool for Model-Checking Games

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Analysis of Boolean Programs

Fundamentals of Software Engineering

6.080/6.089 GITCS Feb 12, Lecture 3

Introducing Formal Methods. Software Engineering and Formal Methods

Verifying Real-Time Embedded Software by Means of Automated State-based Online Testing and the SPIN Model Checker Application to RTEdge Models

Introduction to Static Analysis for Assurance

A Classification of Model Checking-based Verification Approaches for Software Models

Rigorous Software Development CSCI-GA

Program Synthesis is a Game

The ProB Animator and Model Checker for B

Path Querying on Graph Databases

Goal-Driven Adaptable Software Architecture for UAVs

Fixed-Point Logics and Computation

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Foundational Proof Certificates

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

INF5140: Specification and Verification of Parallel Systems

Checking. E. M. Clarke O. Grumberg K. L. McMillan X. Zhao

Validated Templates for Specification of Complex LTL Formulas

CS Master Level Courses and Areas COURSE DESCRIPTIONS. CSCI 521 Real-Time Systems. CSCI 522 High Performance Computing

Model Checking LTL Properties over C Programs with Bounded Traces

A Propositional Dynamic Logic for CCS Programs

Bounded LTL Model Checking with Stable Models

Business Process Verification: The Application of Model Checking and Timed Automata

Monitoring Metric First-order Temporal Properties

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy

Transcription:

Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI 5535, Spring 2009 2 A Double Header Two lectures Model checking primer Software model checking SLAM and BLAST (tools) Some key players: Model checking Ed Clarke, Ken McMillan, Amir Pnueli SLAM Tom Ball, Sriram Rajamani BLAST Ranjit Jhala, Rupak Majumdar, Tom Henzinger Who are we again? We're going to find critical bugs in important bits of software using PL techniques! You ll be enthusiastic about this and thus want to learn the gritty details 3 4 Take-Home Message Model checking is the exhaustive exploration of the state space of a system, typically to see if an error state is reachable It produces concrete counterexamples The state explosion problem refers to the large number of states in the model Temporal logic allows you to specify properties with concepts like eventually and always 5 Overarching Plan Model Checking (today) Transition systems (ie, models) Temporal properties Temporal logics: LTL and CTL Explicit-state model checking Symbolic model checking Counterexample Guided Abstraction Refinement Safety properties Predicate abstraction c2bp Software model checking bebop Counterexample feasibility newton Abstraction refinement weakest pre, thrm prv 6 1

Spoiler This stuff really works! Symbolic model checking is a massive success in the model-checking field SLAM took the PL world by storm Spawned multiple copycat projects Launched Microsoft s Static Driver Verifier (released in the Windows DDK) 7 Model Checking There are complete courses in model checking (see ECEN 5139, Prof Somenzi) Model Checking by Edmund M Clarke, Orna Grumberg, and Doron A Peled Symbolic Model Checking by Ken McMillan We will skim Keywords Model checking is an automated technique Model checking verifies transition systems Model checking verifies temporal properties Model checking falsifies by generating counterexamples Verification vs Falsification What is verification? What is falsification? A model checker is a program that checks if a (transition) system satisfies a (temporal) property 9 10 Verification vs Falsification An automated verification tool can report that the system is verified (with a proof); or that the system was not verified When the system was not verified, it would be helpful to explain why Model checkers can output an error counterexample: a concrete execution scenario that demonstrates the error Can view a model checker as a falsification tool The main goal is to find bugs So what can we verify or falsify? 11 Temporal Properties Temporal Property A property with time-related operators such as invariant or eventually Invariant(p) is true in a state if property p is true in every state on all execution paths starting at that state G, AG, ( globally or box or forall ) Eventually(p) is true in a state if property p is true at some state on every execution path starting from that state F, AF, ( future or diamond or exists ) 12 2

An Example Concurrent Program A simple concurrent mutual exclusion program Two processes execute asynchronously There is a shared variable turn Two processes use the shared variable to ensure that they are not in the critical section at the same time Can be viewed as a fundamental program: any bigger concurrent one would include this one 10: while (true) { 11: wait(turn == 0); // critical section 12: work(); turn = 1; 13: // concurrently with 20: while (true) { 21: wait(turn == 1); // critical section 22: work(); turn = 0; 23: 13 Reachable States of the Example Program 12,21 12,20 10,22 11,22 Next: formalize this intuition Each state is a valuation of all the variables: turn and the two program counters for two processes #14 Analyzed System is a Transition System Labeled transition system T = (S, I, R, L) Also called a Kripke Structure S = Set of states // standard FSM I S = Set of initial states // standard FSM R S S = Transition relation // standard FSM L: S 2 AP = Labeling function // this is new! AP: Set of atomic propositions (eg, x=5 AP) Atomic propositions capture basic properties For software, atomic props depend on variable values The labeling function labels each state with the set of propositions true in that state 15 Example Properties of the Program In all the reachable states (configurations) of the system, the two processes are never in the critical section at the same time pc1=12, pc2=22 are atomic properties for being in the critical section Eventually the first process enters the critical section 16 Example Properties of the Program Temporal Logics For what? For expressing properties In all the reachable states (configurations) of the system, the two processes are never in the critical section at the same time pc1=12, pc2=22 are atomic properties for being in the critical section Invariant( (pc1=12 pc2=22)) Eventually the first process enters the critical section Eventually(pc1=12) 17 There are four basic temporal operators: X p Next p, in the next state G p Globally p, in every state, p is an invariant F p Future p, p will hold in a future state, eventually p U q p Until q, assertion p will hold until q holds Precise meaning of these temporal operators are defined on execution paths 18 3

Execution Paths A path in a transition system is an infinite sequence of states (s 0, s 1, s 2, ), such that i 0 (s i, s i+1 ) R A path (s 0,s 1,s 2,) is an execution path if s 0 I Given a path x = (s 0, s 1, s 2, ) x i denotes the i th state: s i x i denotes the i th suffix: (s i, s i+1, s i+2, ) In some temporal logics one can quantify paths starting from a state using path quantifiers A : for all paths E : there exists a path Paths and Predicates We write x p the path x makes the predicate p true x is a path in a transition system p is a temporal logic predicate Example: A x x G ( (pc1=12 pc2=22)) 19 20 Linear Time Logic (LTL) LTL properties are constructed from atomic propositions in AP; logical operators,, ; and temporal operators X, G, F, U The semantics of LTL is defined on paths: Given a path x: x p iff L(x 0, p) atomic prop x X p iff x 1 p next x F p iff x G p iff x p U q iff 21 Linear Time Logic (LTL) LTL properties are constructed from atomic propositions in AP; logical operators,, ; and temporal operators X, G, F, U The semantics of LTL is defined on paths: Given a path x: x p iff L(x 0, p) atomic prop x X p iff x 1 p next x F p iff i 0 x i p future x G p iff i 0 x i p globally x p U q iff i 0 x i q and j<i x j p until 22 Satisfying Linear Time Logic Given a transition system T = (S, I, R, L) and an LTL property p, T satisfies p if all paths starting from all initial states I satisfy p 23 Computation Tree Logic (CTL) In CTL temporal properties use path quantifiers: A : for all paths, E : there exists a path The semantics of CTL is defined on states: Given a state s s p iff L(s, p) s 0 EX p iff a path (s 0, s 1, s 2, ) s 1 p s 0 AX p iff paths (s 0, s 1, s 2, ) s 1 p s 0 EG p iff a path (s 0, s 1, s 2, ) i 0 s i p s 0 AG p iff paths (s 0, s 1, s 2, ) i 0 s i p 24 4

Linear vs Branching Time Recall the Example LTL is a linear time logic When determining if a path satisfies an LTL formula we are only concerned with a single path CTL is a branching time logic When determining if a state satisfies a CTL formula we are concerned with multiple paths In CTL the computation is instead viewed as a computation tree which contains all the paths The computation tree is obtained by unrolling the transition relation The expressive powers of CTL and LTL are incomparable (LTL CTL*, CTL CTL*) Basic temporal properties can be expressed in both logics Not in this lecture, sorry! (Take a class on Modal Logics) 25 12,21 12,20 10,22 11,22 This is a labeled transition system 26 Linear vs Branching Time LTL Satisfiability Examples Linear Time View Branching Time View 12,20 On this path: Holds Does Not Hold 12,21 One path starting at state (turn=0,pc1=10,pc2=20) A computation tree starting at state (turn=0,pc1=10,pc2=20) 12,21 27 28 LTL Satisfiability Examples LTL Satisfiability Examples On this path: Holds Does Not Hold On this path: F, G,, X, X (X p) holds, X (X (X p)) does not hold On this path: F, G,, X, X (X p) holds, X (X (X p))) holds 29 30 5

CTL Satisfiability Examples s At state s: Holds Does Not Hold s CTL Satisfiability Examples At state s: Holds Does Not Hold 31 32 CTL Satisfiability Examples s s s At state s: EF p, EX (EX p), AF ( p), AF p, AG p, AG ( p), EX p, EG p, At state s: EF p, AF p, EX (EX p), EX p, EG p, AG p, AG ( p), AF ( p) does not hold At state s: EF p, AF p, AG p, EG p, Ex p, AX p, EG ( p), EF ( p), does not hold #33 Model Checking Complexity Given a transition system T = (S, I, R, L) and a CTL formula f One can check if a state of the transition system satisfies the formula f in O( f ( S + R )) time Multiple depth first searches (one for each temporal operator) = explicit-state model checking Given a transition system T = (S, I, R, L) and an LTL formula f One can check if the transition system satisfies the formula f in O(2 f ( S + R )) time 35 State Space Explosion The complexity of model checking increases linearly with respect to the size of the transition system ( S + R ) However, the size of the transition system ( S + R ) is exponential in the number of variables and number of concurrent processes This exponential increase in the state space is called the state space explosion Dealing with it is one of the major challenges in model checking research 36 6

Algorithm: Temporal Properties = Fixpoints States that satisfy AG(p) are all the states which are not in EF( p) (= the states that can reach p) Pictorial Backward Fixed Point Inverse Image of p = EX( p) Compute EF( p) as the fixed point of Func: 2 S 2 S Given Z S, Func(Z) = p reach-in-one-step(z) or Func(Z) = p EX(Z) Actually, EF( p) is the least-fixed point of Func smallest set Z such that Z = Func(Z) to compute the least fixed point, start the iteration from Z=, and apply the Func until you reach a fixed point This can be computed (unlike most other fixed points) 37 Initial states initial states that violate AG(p) = initial states that satisfy EF( p) p states that can reach p = EF( p) = states that violate AG(p) This fixed point computation can be used for: verification of EF( p) or falsification of AG(p) and similar fixed points handle the other cases 38 Symbolic Model Checking Symbolic model checking represent state sets and the transition relation as Boolean logic formulas Fixed point computations manipulate sets of states rather than individual states Recall: we needed to compute EX(Z), but Z S Fixed points can be computed by iteratively manipulating these formulas Use an efficient data structure for manipulation of Boolean logic formulas Binary Decision Diagrams (BDDs) SMV (Symbolic Model Verifier) was the first CTL model checker to use BDDs 39 Binary Decision Diagrams (BDDs) Efficient representation for boolean functions (a set can be viewed as a function) Disjunction, conjunction complexity: at most quadratic Negation complexity: constant Equivalence checking complexity: constant or linear Image computation complexity: can be exponential 40 Key Terms Building Up To Software Model Checking via Counterexample Guided Abstraction Refinement There are easily dozens of papers We will skim Counterexample guided abstraction refinement (CEGAR) A successful software model-checking approach Sometimes called Iterative Abstraction Refinement SLAM = The first CEGAR project/tool Developed at MSR Lazy Abstraction = CEGAR optimization Used in the BLAST tool from Berkeley 42 7

What is Counterexample Guided Abstraction Refinement (CEGAR)? Verification by Model Checking? Theorem Proving? Dataflow Analysis or Program Analysis? Verification un 4: while(new!= old); Is this program correct? What does correct mean? How do we determine if a program is correct? 43 44 Verification by Model Checking Verification by Theorem Proving un 4: while(new!= old); 1 (Finite State) Program 2 State Transition Graph 3 Reachability - Program Finite state model - State explosion + State exploration + Counterexamples Precise [SPIN,SMV,Bandera,JPF] 45 un 4: while(new!= old); 1 Loop Invariants 2 Logical Formulas 3 Check Validity Invariant: lock Æ new = old Ç lock Æ new old 46 Verification by Theorem Proving Verification by Program Analysis un 4: while(new!= old); 1 Loop Invariants 2 Logical Formulas 3 Check Validity - Loop invariants - Multithreaded programs + Behaviors encoded in logic + Decision procedures Precise [ESC, PCC] 47 un 4: while(new!= old); 1 Dataflow Facts 2 Constraint System 3 Solve Constraints - Imprecision: fixed facts + Abstraction + Type/Flow analyses Scalable [Cqual, ESP] 48 8

Combining Strengths Theorem Proving - Need loop invariants (will find automatically) + Behaviors encoded in logic (used to refine abstraction) + Theorem provers (used to compute successors, refine abstraction) SLAM Model Checking Program Analysis - Imprecise (will be precise) + Abstraction (will shrink the state space we must explore) For Next Time Read Lazy Abstraction for the main ideas, ok to skim Sec 7 - Finite-state model, state explosion (will find small good model) + State space exploration (used to get a path sensitive analysis) + Counterexamples (used to find relevant facts, refine abstraction) 49 50 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information