Temporal-Logic Constraints in Feature-Oriented Verification

Kathi Fisler (WPI), joint work with Shriram Krishnamurthi (Brown), Colin Blundell (Brown; now at UPenn) and Pascal Van Hentenryck (Brown).



  1. Temporal-Logic Constraints in Feature-Oriented Verification
     Kathi Fisler (WPI), joint work with Shriram Krishnamurthi (Brown), Colin Blundell (Brown; now at UPenn) and Pascal Van Hentenryck (Brown)

  2. An Email Product Line
     [Figure: several products assembled from the features Base, Encrypt, Decrypt, Sign and Auth]

  3. A Desired Product Property
     Signed emails can always be authenticated
     Decrypting mangles the signature
     [Figure: a product composed of Base, Encrypt, Decrypt, Sign, Auth]

  4. Mix-and-Match Systems
     The number of configurations is enormous…
     There is no single “program”!
     [Figure: several products mixing the features F1 to F4 and Sign in different orders]

  5. Model Checking Product Lines
     • Features unaware of other features and their requirements by design
     • Products often contain bugs as a result
       • the “feature interaction problem”
     • Modular reasoning essential to cope with design space (not product size)

  6. Modeling Features and Products
     Feature: points of entry (s0) and exit (s2)
     Product: a sequential composition of features
     [Figure: the Sign feature as a state machine with entry s0, a sign transition to s1, and exit s2, placed between Base and Auth in a product]

  7. Verification Problem (1)
     • Have a set of features and a property that should hold of all products
     • Verify property against each feature separately
     • Combine results to show property holds of product

  8. Try Model Checking
     Property: AG(encrypted → AF decrypt)
     Problems:
     • Sign feature has no knowledge of encrypted
     • Property must hold globally
       • but there is no temporal information at s2
     What value to return?
     [Figure: the Sign feature, states s0, s1, s2]

  9. Model Checking’s Limitation
     • Model checking designed to give a yes/no answer about a closed system
     • Features are inherently open systems

  10. Model Checking’s Limitation
     Two sources of openness:
     • values of (some) propositions
     • behavior along paths from exit
     Property: AG(encrypted → AF decrypt)
     [Figure: the Sign feature, states s0, s1, s2]

  11. Verification Problem (2)
     • Have a set of features and a property that should hold of all products
     • Derive constraint on each feature that is sufficient to preserve property
       • expensive verification should happen here
     • Check constraints when forming a product
       • this step should be lightweight

  12. Feature Constraints
     • Where does the value of encrypted come from?
       • from an earlier feature (enter at s0)
     • Where do the rest of the control paths come from?
       • from the subsequent features (exit at s2)
     Want a constraint parameterized on these values
     Property: AG(encrypted → AF decrypt)
     [Figure: the Sign feature, states s0, s1, s2]

  13. Constraint Contents
     If encrypted is true at s0, what is required at s2? AF decrypt
     What must hold at s2 regardless of encrypted? AG(encrypted → AF decrypt)
     Property: AG(encrypted → AF decrypt)
     [Figure: the Sign feature, states s0, s1, s2]

  14. The Computed Constraint
     [AG(encrypted → AF decrypt)]s2 ∧ (¬encrypted ∨ [AF decrypt]s2)
     for the property AG(encrypted → AF decrypt)
     A constraint parameterized over both data and control values
     [Figure: the Sign feature, states s0, s1, s2]

  15. Computing Constraints
     [AG(encrypted → AF decrypt)]s2 ∧ (¬encrypted ∨ [AF decrypt]s2)
     for the property AG(encrypted → AF decrypt)
     Modification of basic model checker:
     • Propositions: return name if value unknown
     • Terminal states: return annotated formula
     [Figure: the Sign feature, states s0, s1, s2]

  16. Discharging Constraints
     Constraint from Sign: [AG(encrypted → AF decrypt)]s2 ∧ (¬encrypted ∨ [AF decrypt]s2)
     encrypted: effectively propositional
     [AG(encrypted → AF decrypt)]s2, [AF decrypt]s2
     [Figure: the product Base, Encrypt, Decrypt, Sign, Auth, showing where encrypted and the two annotated formulas are discharged]
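The constraint computation of slides 12 to 15 and the discharge step of slide 16, as an added Python example that is not the authors' implementation: a symbolic CTL checker over one feature's transition graph that returns unknown data propositions by name and turns temporal subformulas reaching the exit state into annotated obligations [f]s2. The tuple formula syntax, the feature encoding, the helper names and the acyclicity of features are assumptions of this example.

```python
from functools import reduce
# Formulas: ("p",n) ("not",f) ("and",f,g) ("or",f,g) ("imp",f,g) ("AG",f) ("AF",f).
# Constraints also use ("at", state, f) for [f]state and n-ary ("and", (c1, c2, ...)).
def mk_not(a):
    return (not a) if a is True or a is False else ("not", a)
def mk_and(a, b):  # flattens and deduplicates conjuncts, absorbing True/False
    if a is False or b is False:
        return False
    conj = lambda x: list(x[1]) if isinstance(x, tuple) and x[0] == "and" else [x]
    cs = [c for c in conj(a) + conj(b) if c is not True]
    cs = [c for i, c in enumerate(cs) if c not in cs[:i]]
    return True if not cs else cs[0] if len(cs) == 1 else ("and", tuple(cs))
def mk_or(a, b):
    if a is True or b is True:
        return True
    return b if a is False else a if b is False or a == b else ("or", a, b)

def check(feat, s, f):
    """Symbolic truth value of CTL formula f at state s of one (acyclic) feature."""
    op = f[0]
    if op == "p":
        val = feat["labels"].get(s, {}).get(f[1])
        if f[1] in feat["data"]:   # data proposition: unknown unless this feature set it
            return ("p", f[1]) if val is None else val
        return bool(val)           # event proposition: true only where the state is labelled
    if op == "not":
        return mk_not(check(feat, s, f[1]))
    if op in ("and", "or", "imp"):
        a, b = check(feat, s, f[1]), check(feat, s, f[2])
        return mk_and(a, b) if op == "and" else mk_or(mk_not(a) if op == "imp" else a, b)
    if s in feat["exits"]:         # terminal state: the path continues in a later feature
        return ("at", s, f)
    nxt = reduce(lambda r, t: mk_and(r, check(feat, t, f)), feat["next"][s], True)  # AX f
    here = check(feat, s, f[1])
    return mk_and(here, nxt) if op == "AG" else mk_or(here, nxt)

def discharge(c, data):
    """Slide 16: substitute data values known from earlier features; [f]s terms remain."""
    if c is True or c is False or c[0] == "at":
        return c
    if c[0] == "p":
        return data.get(c[1], c)
    if c[0] == "not":
        return mk_not(discharge(c[1], data))
    if c[0] == "or":
        return mk_or(discharge(c[1], data), discharge(c[2], data))
    return reduce(lambda r, x: mk_and(r, discharge(x, data)), c[1], True)

# Constructed Sign feature (slides 6 to 14): s0 --sign--> s1 --> s2, with s2 the exit.
SIGN = {"next": {"s0": ["s1"], "s1": ["s2"], "s2": []}, "exits": {"s2"},
        "data": {"encrypted"}, "labels": {"s1": {"sign": True}}}
PROP = ("AG", ("imp", ("p", "encrypted"), ("AF", ("p", "decrypt"))))
```

Running `check(SIGN, "s0", PROP)` yields the conjunction of slide 14, and `discharge` with `encrypted` known to be true or false reduces it to the obligations of slide 16.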

  17. Verification Given Property P
     [Figure: features F1 to F5 each yield data D1 to D5 and per-feature constraint checks C1P to C5P; the composed check is C5(D1-5)]

  18. Undiscussed Details
     • Dataflow computation for data values
     • Propositional reasoning actually 3-valued
       • handles data values across different paths
     • Can use simpler reasoning about individual features in some cases

  19. Case Study
     • Conducted on an email suite that exhibits many property violations (previously discovered manually by Robert Hall [FITS00])
     • Tested 9 properties; detected all violations successfully (each one a feature interaction)
     • Detected violations without traversing features at composition time

  20. Limitations
     • Current algorithm cannot handle cyclic feature compositions (DAGs fine)
       • supports pipe-and-filter architecture
       • have other work (heavier checks) supporting cyclic compositions and liveness properties [Fisler/Krishnamurthi FSE2001, FSE2004]
     • Cycles within individual features cannot set data propositions used in properties

  21. Perspective
     A non-trivial class of systems needs
     • openness due to design considerations
     • sequential composition
     • looser forms of modular verification
     Traditional modular verification seems mismatched with these demands
     Our property-driven constraint generation targets these systems
