
Build Your Own Model Checker in One Month

Build Your Own Model Checker in One Month. SUN, Jun, Assistant Professor@SUTD, Visiting Scientist@MIT; Jing Song Dong and Yang Liu, NUS. How to Deliver Correct Computer-based Systems? System requirements (functionality, performance, security, etc.) -> synthesizer -> system implementation.



Presentation Transcript

  1. Build Your Own Model Checker in One Month. SUN, Jun, Assistant Professor@SUTD, Visiting Scientist@MIT; Jing Song Dong and Yang Liu, NUS

  2. How to Deliver Correct Computer-based Systems?

  3. The synthesis problem: system requirements (functionality, performance, security, etc.) -> synthesizer -> system implementation

  4. The verification problem: system requirements (functionality, performance, security, etc.) vs. system implementation. Is it exception free?

  5. Model Checking • Model checking: check whether a model satisfies a property by exhaustive search. (Diagram: Model and Property are fed into the Model Checker, which reports a Counterexample!)

  6. Two Problems How to obtain a finite-state model? How to deal with state space explosion?

  7. One Simple Example • Number of States: 16! = 20922789888000

  8. Model Checking Works!

  9. How to Apply Model Checking • Applying existing model checkers • Good news: plenty of model checkers out there. • Bad news: using them might not be easy. • Extending existing model checkers • Developing one from scratch • Language parser, operational semantics encoding, model checking algorithms, state reduction techniques, visualization, …

  10. Process Analysis Toolkit http://www.patroot.com

  11. Some Facts about PAT • Over 1 million lines of C# code • The PAT team now has 10 PhD candidates, 2 research assistants, 5 postdocs, and 2 faculty members. • More than 1000 registered users from more than 200 organizations • Adopted for teaching formal methods and model checking (NUS, Monash, Auckland, York U. @ Canada) • Supporting 10 different languages

  12. More Than a Model Checker How to Deliver Correct Computer-based Systems?

  13. Build a Model Checker: Define Syntax, Define Semantics, Property Language, Visualize Trace, Develop MC Algorithms, Optimization

  14. Build a Model Checker with PAT: Define Syntax, Define Semantics

  15. Case Study 1: RTS@PAT • Real-time system modeling and verification is dominated by Timed Automata • High-level requirements are often stated in terms of deadline, timeout, etc. • Many real-time systems are hierarchical. How about we develop a model checker to verify Hierarchical Real-Time Systems supporting Timeout, Deadline, etc.?

  16. What Language Features? • Data/Data Operations • Invoke external C#/Java programs? • Control Flow • Hoare’s CSP? • Real-time • Delay, Timeout, Timed Interrupt, Deadline, etc. • Property • Reachability Analysis? • Linear Temporal Logic? • Refinement checking?

  17. Define Syntax • An RTS program is a tuple (Var, Proc, Assertions) • Var is a finite set of finite-domain variables; • Proc is a process which models control flow; • Assertions is a set of assertions.

  18. Variables • Constants: #define N 5; • Variables of type Bool, Integer, arrays of integers: var x: {0..10} = 5; var x[N]; • User-defined data types: var<Stack> stack;

  19. Processes

  20. Assertions

  21. A Modeling Example
      #define N 4;
      #define Idle -1;
      var x = Idle;
      var counter;
      P(i) = ifb (x == Idle) {
               ((update.i{x = i} -> Wait[4]) within[3]);
               if (x == i) { cs.i{counter++} -> exit.i{counter--; x = Idle} -> P(i) } else { P(i) }
             };
      FischersProtocol = ||| i:{0..N-1} @ P(i);
      #assert FischersProtocol reaches (counter > 1);
      #assert FischersProtocol |= [] (x == 1) -> <> cs.1;

  22. RTS@PAT • First version finished in 6 weeks! • Efficiency with Zone Abstraction • Efficiency with Digitalization

  23. How Does PAT Help?

  24. Start Building a Model Checker • Step 1: Build a parser, using Antlr. • Step 2: Define/encode the operational semantics. • Step 3 [optional]: Develop/implement specialized model checking algorithms.

  25. PAT Class Diagram

  26. Essential Classes • The Specification class, which contains everything in any given model: • A list of variables, with types, domains, initial values, etc. • A list of processes, with parameters, etc. • A list of assertions, with the initial process, etc. • A method to obtain the initial system configuration.

  27. Essential Classes: Configuration • A configuration is a global state which encapsulates every varying aspect of a model. • A configuration of an RTS module is a pair (V, P) where V is a valuation function which gives the values of the variables and P is the current process expression. • The configuration class has one essential method to be implemented:
      public Configuration[] MakeOneMove(Configuration source) { … }

  28. RTS: MakeOneMove • Given one configuration (V, P), what are the next configurations that are reachable via one transition? • If P is Stop, return an empty list. • If P is Skip, return configuration (V, Stop); the event that has been performed is the special termination event √. • If P is e{x:=1} -> Q, return configuration (V', Q) such that V' is equivalent to V except that x is set to 1 in V'. • …

  29. Operational Semantics: Choice
      (V, P) –e-> (V', P')
      ------------------------
      (V, P | Q) –e-> (V', P')

      (V, Q) –e-> (V', Q')
      ------------------------
      (V, P | Q) –e-> (V', Q')
      This translates exactly into MakeOneMove().

  30. System Exploration: get the initial configuration from the Specification class, then apply MakeOneMove repeatedly (MakeOneMove -> MakeOneMove -> MakeOneMove -> …).

  31. Infinite Configurations • What if the number of configurations is infinite? • Wait[1] -0.1-> Wait[0.9] -0.01-> Wait[0.89] -0.001-> Wait[0.889] -0.0001-> … • Abstraction: infinitely many configurations are partitioned into finitely many groups, referred to as abstract configurations. • Correctness: there is a counterexample if and only if there is a counterexample in the abstract state space.

  32. Digitalization for RTS • Theorem: It is correct to always make time transitions of duration 1 (with respect to untimed properties). • Example: • Wait[3] -1-> Wait[2] -1-> Wait[1] -1-> Wait[0] • (Wait[3]) timeout[2] (P) -1-> (Wait[2]) timeout[1] (P) -1-> (Wait[1]) timeout[0] (P) -τ-> P

  33. Timeout Implementation
      public override List<Configuration> GetEventTransitions(Configuration current)
      {
          // Event transitions of the first process; once the timeout value reaches 0 they become urgent
          List<Configuration> toReturn = FirstProcess.GetEventTransitions(current);
          foreach (Configuration config in toReturn)
          {
              if (value == 0) { config.IsUrgent = true; }
          }
          // When the timeout has expired, a tau transition moves to the second process
          if (value == 0)
          {
              toReturn.Add(new Configuration(SecondProcess, TAU, eStep.GlobalEnv, false, true));
          }
          return toReturn;
      }

      public override Configuration GetTimeTransitions(Configuration current)
      {
          // No time may pass once the timeout has expired
          if (value == 0) { return null; }
          Configuration toReturn = FirstProcess.GetTimeTransitions(current);
          if (toReturn == null) { return null; }
          // One unit of time elapses: the first process advances and the remaining timeout decreases by 1
          toReturn.Process = new TimeOutProcess(toReturn.Process, SecondProcess, value - 1);
          return toReturn;
      }

  34. RTS@PAT • First version finished in 6 weeks! • Efficiency with Zone Abstraction • Efficiency with Digitalization

  35. RTS + Probability • Real-world systems may have data structures, real-time, probability, hierarchical control flow, etc. • We propose PRTS = RTS + probabilistic choice:
      FlipCoin = Wait[1]; pcase { [0.5]: head -> FlipCoin [0.5]: tail -> FlipCoin };
      • The semantic model is Markov Decision Processes (MDP).

  36. PAT’s Model Checking Library • LTL to BA or DRA translation • Zone abstraction library • BDD encoding library …

  37. Case Study 2: Fairness Fairness matters in verifying liveness!

  38. Fairness is Well-Studied

  39. Fairness in PAT • A variety of fairness notions are supported in PAT with just one method!

  40. Fairness: Efficiency

  41. Conclusion • Developing a model checker in PAT is really easy. • Implement a language parser (two weeks) • Encode operational semantics (two weeks) • Fight against state-space explosion (indefinitely long) • A unified framework helps to maintain and compare the great variety of existing model checking algorithms.

  42. Ongoing PAT-based Projects: NesC Model Checker, Orc Model Checker, Event Grammar Model Checker, Partial Order Reduction, Symmetry Detection/Reduction, BDD Library, MTBDD Library

  43. Conclusion • PAT is available at http://www.patroot.com • PAT source code is available upon email request. Multiple Postdoc Positions Available in NUS or SUTD