Model Checking of Software - PowerPoint PPT Presentation

Presentation Transcript

  1. Model Checking of Software Mooly Sagiv (Contributions from Orna Grumberg and Eran Yahav)

  2. What is model checking?

  3. What is software model checking? Inputs: a Program and a Property. The Model Checker answers Yes, or No together with an erroneous input.

  4. Example: mutual exclusion
      P0: while (1) do { wait(turn==0); CR0; turn = 1; }
      P1: while (1) do { wait(turn==1); CR1; turn = 0; }
      Property: mutual exclusion. Model checker: Yes.

  5. Example: no null dereferences
      typedef struct element { int value; struct element *next; } *Elements;
      void main() { Elements y; … search(7, y); }
      bool search(int value, Elements head) {
        Elements elem = head;
        while (head != NULL) {          /* tests head, not elem */
          if (elem->value == value) return TRUE;
          elem = elem->next;
        }
        return FALSE;
      }
      Property: no null dereferences. Model checker: NO. (Heap: head, y → 1 → 2 → 3 → NULL, elem walking the list. Because the loop tests head rather than elem, elem becomes NULL after the last element while head stays non-NULL, and elem->value dereferences NULL.)

  6. Specification Challenge • How does one specify what the application software is supposed to do? • Different correctness notions • Can be very difficult, or even impossible, for a real application • Software is constantly modified

  7. Toward Realistic Specification • Partial • Only addresses certain aspects • Can be wrong • Different formalisms • Executable • Declarative • First order logic • Temporal logic • Some mechanisms for modularity

  8. Model Checking Challenges It is not decidable even to check properties such as absence of NULL dereferences

  9. Coping with Undecidability (Classical Theorem Proving Approach) • Allow user interaction • Specify loop invariants • The model checker need not terminate on all programs • Manually write proofs of certain parts

  10. Coping with Undecidability (Classical MC Approach) • Extract a finite state machine that conservatively describes program behavior (the model) • Specify the property using a formula in propositional temporal logic • Automatically check that the model satisfies the formula • Refine the model when spurious counterexamples occur

  11. Classical MC Approach (diagram): Program → Front-End → Model; High-level specification → propositional temporal formula; Model + formula → Model Checker → Yes, or No together with an erroneous input.

  12. Front-End: from the program to a finite-state model
      l0: while (1) do { NC0: wait(turn==0); CR0: turn = 1; }
      l1: while (1) do { NC1: wait(turn==1); CR1: turn = 0; }
      Reachable states (pc0, pc1, turn): (l0,l1,0) (l0,l1,1) (NC0,l1,0) (l0,NC1,1) (l0,NC1,0) (NC0,l1,1) (CR0,l1,0) (l0,CR1,1) (NC0,NC1,0) (NC0,NC1,1) (CR0,NC1,0) (NC0,CR1,1)
      Mutual exclusion: AG ¬(pc0=CR0 ∧ pc1=CR1)

  13. Front-End: the same model and program as slide 12 (the twelve reachable states (pc0, pc1, turn) listed there), now checked for
      Accessibility: each process can reach its critical section, a property over the state predicates pc0=CR0 and pc1=CR1 (the temporal operators of the formula are missing in the transcript).

  14. Front-End: no null dereferences
      typedef struct element { int value; struct element *next; } *Elements;
      void main() { Elements y; … l1: search(7, y); }
      bool search(int value, Elements head) {
      l2:   Elements elem = head;
      l3:   while (head != NULL) {
      l4:     if (elem->value == value)
      l5:       return TRUE;
      l6:     elem = elem->next;
            }
      l7:   return FALSE;
      }
      Property: AG ((pc=l4 ∨ pc=l6) → elem ≠ NULL)
      Figure: the abstract states explored, each labelled by a program point (l3, l4, l5, l6, l7) and by whether elem (e) and head (h) are NULL.

  15. Coping with Undecidability (Abstract Interpretation) • Define the operational semantics of the program • Safety properties can be defined as a condition on program states • Liveness properties require trace semantics • The collecting semantics defines the set of states reachable at each program point • Abstract states conservatively represent many concrete states • Use an abstract interpretation algorithm to provide a sound solution • Only a finite number of abstract states is explored
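The following is an added example, not code from the slides: an abstract interpreter for null dereferences in the search() routine of slide 14, built the way slide 15 describes. The abstract domain (each pointer is null, non-null or maybe-null, plus one alias fact elem == head so that the first loop iteration is not a false alarm), the state encoding and the loop_var switch that selects which variable the while-loop tests are assumptions made here, not anything from the presentation.

```python
"""Abstract interpretation for null dereferences in search() of slide 14 (slide 15's approach).
Added example, not code from the slides. Assumptions made here: a three-valued abstract domain
for each pointer, plus one relational fact (elem == head) so that the first loop iteration is
not a false alarm; 'loop_var' selects which variable the while-loop tests."""

NULL, NONNULL, MAYBE = "null", "nonnull", "maybe-null"   # abstract pointer values

def may_null(v):
    return v in (NULL, MAYBE)

def may_nonnull(v):
    return v in (NONNULL, MAYBE)

def refine(e, h, alias, loop_var, value):
    """Narrow the tested variable (and its alias, if any) to 'value' after a branch on it."""
    if alias:
        return value, value
    return (e, value) if loop_var == "head" else (value, h)

def successors(state, loop_var):
    """Abstract transfer function for one program point.
    state = (pc, e, h, alias): abstract values of elem (e) and head (h), alias = (elem == head).
    Returns (successor states, states at which a NULL dereference may happen)."""
    pc, e, h, alias = state
    out, errors = [], []
    if pc == "l2":                                   # elem = head
        out.append(("l3", h, h, True))
    elif pc == "l3":                                 # while (<loop_var> != NULL)
        tested = h if loop_var == "head" else e
        if may_nonnull(tested):                      # enter the loop: tested variable is non-NULL
            out.append(("l4",) + refine(e, h, alias, loop_var, NONNULL) + (alias,))
        if may_null(tested):                         # leave the loop: tested variable is NULL
            out.append(("l7",) + refine(e, h, alias, loop_var, NULL) + (alias,))
    elif pc == "l4":                                 # if (elem->value == value): dereferences elem
        if may_null(e):
            errors.append(state)
        if may_nonnull(e):                           # continue only with the non-NULL case
            h2 = NONNULL if alias else h
            out += [("l5", NONNULL, h2, alias), ("l6", NONNULL, h2, alias)]
    elif pc == "l6":                                 # elem = elem->next: the next pointer is unknown
        out.append(("l3", MAYBE, h, False))
    # l5 and l7 are return statements: no successors
    return out, errors

def analyze(loop_var):
    """Explore the finite abstract state space from an arbitrary input list (head may be NULL).
    Returns (abstract states visited, states where a NULL dereference is possible)."""
    init = ("l2", MAYBE, MAYBE, False)
    seen, errors, work = set(), set(), [init]
    while work:
        s = work.pop()
        if s in seen:
            continue
        seen.add(s)
        succ, errs = successors(s, loop_var)
        errors.update(errs)
        work.extend(succ)
    return seen, errors

if __name__ == "__main__":
    for variant in ("head", "elem"):
        states, errors = analyze(variant)
        print(f"while ({variant} != NULL): {len(states)} abstract states, "
              f"possible NULL dereferences at {sorted(errors) or 'none'}")
```

With the slide's loop condition (loop_var="head") the analysis reports a possible NULL dereference at l4 in the second iteration, which is the real bug; with the corrected condition on elem it reports nothing. In both cases the exploration stops after about ten abstract states regardless of the list's length, which is the point of slide 15.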

  16. How to give a presentation • What to say and how to say it • Getting through the audience • Visual aids

  17. What to say and how to say it • Communicate the Key Ideas • Don’t get bogged down in Details • The best talks make you read the paper • Structure your talk • Use a Top-Down approach • Introduction • Body • [Technicalities] • The Conclusion Use Examples

  18. Introduction • Define the problem • Motivate the audience • Introduce terminology • Discuss earlier work • Emphasize the contributions • [Provide a road map] Use Examples

  19. The body • Abstract the major results • Explain the significance of the results • Explain the main techniques • Use enlightening examples • Demonstrations are welcome

  20. [Technicalities] • Expert only part • Show something really interesting beyond the paper/tool

  21. The Conclusion • Hindsight is clearer than Foresight • Give open problems/further work • Indicate that your talk is over

  22. Know your audience • Background

  23. Getting through the Audience • Use Repetitions • Remind, don’t assume • Don’t over-run • Maintain Eye Contact • Control your voice • Control your motion • Take care of your appearance

  24. Visual Aids • PowerPoint transparencies • Don’t overload transparencies • Don’t use too many transparencies • Use Overlays Properly • Use Color Effectively • Use Pictures and Tables • The blackboard can be used too

  25. Don’t overload transparencies (a deliberately overloaded example): The input of the program can be arbitrary. Let x be a prime number, i.e., all the numbers z < x do not divide x. Let y be the next prime number, i.e., etc. (Figure labels: arbitrary input; prime number x; the next prime y.)

  26. Use overlays (im)properly • Item 1 • Item 1.1 • Item 1.2 • Item 2 • Item 2.1 • Item 2.1.1

  27. Use colors properly • Item 1 • Item 2 • Item 3

  28. Model Checking, Abstractions and Reductions. Orna Grumberg, Computer Science Department, Technion, Haifa, Israel

  29. Program verification Given a program and a specification, does the program satisfy the specification? Not decidable! We restrict the problem to a decidable one: • Finite-state reactive systems • Propositional temporal logics

  30. Model Checking An efficient procedure that receives • Description of a finite-state system (model) • Property written as a formula of propositional temporal logic It returns yes, if the system has the property It returns no+counterexample, otherwise

  31. Finite state systems • hardware designs • communication protocols • high-level descriptions of non-finite-state systems

  32. Properties in temporal logic • mutual exclusion: always ¬(cs1 ∧ cs2) • non-starvation: always (request → eventually grant) • communication protocols: (¬get-message) until send-message

  33. Model of a system: Kripke structure / transition system. Figure: a graph of states, each labelled with a subset of the atomic propositions {a, b, c} (labels a,b; a; a; b,c; b; a,c; a,b; c).

  34. Model of systems • M = <S, I, R, L> • S: set of states • I ⊆ S: initial states • R ⊆ S × S: total transition relation • L: S → 2^AP: labeling function • AP: set of atomic propositions

  35. π = s0 s1 s2 ... is a path in M from s iff s = s0 and for every i ≥ 0: (si, si+1) ∈ R

  36. Propositional temporal logic, in Negation Normal Form. AP: a set of atomic propositions. Temporal operators: Gp, Fp, Xp, pUq. Path quantifiers: A (for all paths), E (there exists a path).

  37. Computation Tree Logic (CTL). CTL operator: path quantifier + temporal operator. Literals: p, ¬p for p ∈ AP. Boolean operators: f ∧ g, f ∨ g. Universal formulas: AX f, A(f U g), AG f, AF f. Existential formulas: EX f, E(f U g), EG f, EF f.

  38. Semantics for CTL
      • For p ∈ AP: s |= p iff p ∈ L(s); s |= ¬p iff p ∉ L(s)
      • s |= f ∧ g iff s |= f and s |= g
      • s |= f ∨ g iff s |= f or s |= g
      • s |= EX f iff ∃π = s0 s1 ... from s: s1 |= f
      • s |= E(f U g) iff ∃π = s0 s1 ... from s, ∃j ≥ 0 [ sj |= g and ∀i: 0 ≤ i < j [ si |= f ] ]
      • s |= EG f iff ∃π = s0 s1 ... from s, ∀i ≥ 0: si |= f

  39. Linear Temporal logic (LTL) Formulas are of the form Af, where f can include any nesting of temporal operators but no path quantifiers

  40. CTL* includes LTL and CTL and more. ACTL*, ACTL (and LTL): universal fragments of CTL*, CTL. ECTL*, ECTL: existential fragments of CTL*, CTL.

  41. Example formulas. CTL formulas: • mutual exclusion: AG ¬(cs1 ∧ cs2) • non-starvation: AG(request → AF grant) • “sanity” check: EF request. LTL formulas: • fairness: A(GF enabled → GF executed) • A(x=a ∧ y=b → XXXX z=a+b)

  42. Property types

  43. Property types (cont.) Combination of universal safety and existential liveness: “along every possible execution, in every state there is a possible continuation that will eventually reach a reset state”: AG EF reset

  44. Model Checking M |= f [Clarke, Emerson, Sistla 83] • The model checking algorithm works iteratively on subformulas of f, from simpler subformulas to more complex ones • When checking subformula g of f we assume that all subformulas of g have already been checked • For subformula g, the algorithm returns the set of states that satisfy g (Sg) • The algorithm has time complexity O(|M| · |f|)

  45. Model checking f = EF g. Given a model M = <S, I, R, L> and Sg, the set of states satisfying g in M:
      procedure CheckEF(Sg)
        Q := ∅; Q' := Sg;
        while Q ≠ Q' do
          Q := Q';
          Q' := Q ∪ { s | ∃s' [ R(s,s') ∧ Q(s') ] }
        end while
        Sf := Q; return(Sf)

  46. Example: f = EF g. Figure: a transition graph in which the states labelled g, and every state from which a g-state is reachable, are marked f.

  47. Model checking f = EG g. CheckEG gets M = <S, I, R, L> and Sg and returns Sf:
      procedure CheckEG(Sg)
        Q := S; Q' := Sg;
        while Q ≠ Q' do
          Q := Q';
          Q' := Q ∩ { s | ∃s' [ R(s,s') ∧ Q(s') ] }
        end while
        Sf := Q; return(Sf)

  48. Example: f = EG g. Figure: a transition graph marking the g-states from which some path stays in g-states forever.
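The following is an added example, not code from the slides: it runs CheckEF (slide 45) and CheckEG (slide 47) as explicit set-based fixpoint iterations over the Kripke structure M = <S, I, R, L> of slide 34, built from the mutual-exclusion program of slides 12 and 13, and checks the properties of slides 32 and 41. Assumptions made here: interleaving semantics with one process stepping at a time, both values of turn as initial states (slide 12 draws both), atomic propositions written as strings such as "pc0=CR", and a self-loop on any stuck state so that R stays total.

```python
"""Explicit-state CTL model checking of the mutual-exclusion protocol of slides 12 and 13.
Added example (not code from the slides): CheckEF / CheckEG of slides 45 and 47 as fixpoint
iterations over an explicit Kripke structure M = <S, I, R, L> (slide 34)."""

def step(pc, turn, me, other):
    """Successor (pc', turn') pairs for one process; empty list when it is blocked."""
    if pc == "l":                                  # l: while (1) do { ... }
        return [("NC", turn)]
    if pc == "NC":                                 # NC: wait(turn == me)
        return [("CR", turn)] if turn == me else []
    return [("l", other)]                          # CR: turn = other

def build_model():
    """Reachable states of P0 || P1 under interleaving. State = (pc0, pc1, turn).
    Returns (S, I, R, L) with R: state -> set of successor states."""
    I = {("l", "l", 0), ("l", "l", 1)}             # turn is an arbitrary input: both are initial
    S, R = set(), {}
    work = list(I)
    while work:
        s = work.pop()
        if s in S:
            continue
        S.add(s)
        pc0, pc1, turn = s
        succ = {(n, pc1, t) for n, t in step(pc0, turn, 0, 1)}
        succ |= {(pc0, n, t) for n, t in step(pc1, turn, 1, 0)}
        if not succ:                               # keep R total (slide 34): self-loop a stuck state
            succ = {s}
        R[s] = succ
        work.extend(succ)
    L = {s: {f"pc0={s[0]}", f"pc1={s[1]}", f"turn={s[2]}"} for s in S}
    return S, I, R, L

def pre(R, Q):
    """{ s | exists s' [ R(s,s') and Q(s') ] }: states with a successor in Q."""
    return {s for s, succ in R.items() if succ & Q}

def check_EF(S, R, Sg):
    """Slide 45: least fixpoint, EF g = g or EX EF g (backward reachability from Sg)."""
    Q, Qn = set(), set(Sg)
    while Q != Qn:
        Q, Qn = Qn, Qn | pre(R, Qn)
    return Q

def check_EG(S, R, Sg):
    """Slide 47: greatest fixpoint, EG g = g and EX EG g (prune g-states with no g-successor)."""
    Q, Qn = set(S), set(Sg)
    while Q != Qn:
        Q, Qn = Qn, Qn & pre(R, Qn)
    return Q

def sat(S, L, *props):
    """States whose label contains all the given atomic propositions."""
    return {s for s in S if all(p in L[s] for p in props)}

def holds(I, Sf):
    """M |= f iff every initial state satisfies f."""
    return I <= Sf

def mutual_exclusion():
    """AG not(pc0=CR and pc1=CR), computed as not EF(pc0=CR and pc1=CR)."""
    S, I, R, L = build_model()
    both_in_cr = sat(S, L, "pc0=CR", "pc1=CR")
    return holds(I, S - check_EF(S, R, both_in_cr))

def non_starvation(proc):
    """AG(pc=NC -> AF pc=CR) for one process, using AF g = not EG not g."""
    S, I, R, L = build_model()
    af_cr = S - check_EG(S, R, S - sat(S, L, f"pc{proc}=CR"))
    bad = sat(S, L, f"pc{proc}=NC") - af_cr        # waiting, but not guaranteed to enter CR
    return holds(I, S - check_EF(S, R, bad))

if __name__ == "__main__":
    S, I, R, L = build_model()
    print(len(S), "reachable states")             # 12, as drawn on slide 12
    print("mutual exclusion:", mutual_exclusion())
    print("non-starvation P0:", non_starvation(0), "P1:", non_starvation(1))
```

Both universal properties are decided through their existential duals, exactly as the algorithm on slide 44 does for the fragments it handles: AG g is ¬EF ¬g and AF g is ¬EG ¬g, so the two procedures on slides 45 and 47 suffice. Note that non-starvation holds here even without a fairness assumption, because the turn variable forces strict alternation: once the other process blocks in NC, the waiting process is the only one that can move.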

  49. Symbolic model checking [Burch, Clarke, McMillan, Dill 1990] If the model is given explicitly (e.g. by an adjacency matrix) then only systems with about ten Boolean variables (~1000 states) can be handled. Symbolic model checking uses Binary Decision Diagrams (BDDs) to represent the model and sets of states. It can handle systems with hundreds of Boolean variables.

  50. Binary decision diagrams (BDDs) [Bryant 86] • Data structure for representing Boolean functions • Often concise in memory • Canonical representation • Boolean operations on BDDs can be done in polynomial time in the BDD size
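The following is an added example, not code from the slides: a small reduced ordered BDD package in the style of Bryant's construction (slide 50) used to represent a set of states as a Boolean function, which is what symbolic model checking (slide 49) does instead of storing states explicitly. The Boolean encoding of the mutual-exclusion states of slide 12 (two bits per program counter, one bit for turn), the variable order and the twelve reachable states listed as data are assumptions made here, not material from the presentation.

```python
"""Reduced ordered BDDs (slide 50) representing a set of states as a Boolean function (slide 49).
Added example, not code from the slides. The encoding of the mutual-exclusion states of slide 12
is an assumption made here: pc0, pc1 use two bits each (l=00, NC=01, CR=10), turn one bit."""

_and, _or, _xor = (lambda x, y: x & y), (lambda x, y: x | y), (lambda x, y: x ^ y)

class BDD:
    """Terminals 0 and 1; internal nodes (var, low, high) under a fixed variable order.
    Hash-consing plus the low == high reduction make the representation canonical:
    equal Boolean functions always get the same node id."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}
        self.nodes = {0: None, 1: None}     # id -> (var, low, high)
        self.unique = {}                     # (var, low, high) -> id
        self.cache = {}                      # memo for apply: (op, a, b) -> id

    def mk(self, var, low, high):
        if low == high:                      # redundant test: drop the node
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def _rank(self, n):
        return self.rank[self.nodes[n][0]] if n > 1 else float("inf")

    def apply(self, op, a, b):
        """Bryant's apply; the cache keeps it polynomial in the operand sizes."""
        key = (op, a, b)
        if key not in self.cache:
            if a <= 1 and b <= 1:
                self.cache[key] = op(a, b)
            else:
                ra, rb = self._rank(a), self._rank(b)
                top = min(ra, rb)
                var = self.nodes[a][0] if ra == top else self.nodes[b][0]
                a0, a1 = self.nodes[a][1:] if ra == top else (a, a)
                b0, b1 = self.nodes[b][1:] if rb == top else (b, b)
                self.cache[key] = self.mk(var, self.apply(op, a0, b0), self.apply(op, a1, b1))
        return self.cache[key]

    def AND(self, a, b): return self.apply(_and, a, b)
    def OR(self, a, b): return self.apply(_or, a, b)
    def NOT(self, a): return self.apply(_xor, a, 1)

    def sat_count(self, root, nvars):
        """Number of satisfying assignments over nvars variables, i.e. the size of the encoded set."""
        memo = {}
        def count(n, rank):                  # assignments to variables with index >= rank
            if n <= 1:
                return n * 2 ** (nvars - rank)
            if (n, rank) not in memo:
                var, low, high = self.nodes[n]
                r = self.rank[var]           # variables rank..r-1 are unconstrained here
                memo[(n, rank)] = 2 ** (r - rank) * (count(low, r + 1) + count(high, r + 1))
            return memo[(n, rank)]
        return count(root, 0)

ORDER = ["pc0_1", "pc0_0", "pc1_1", "pc1_0", "turn"]
LOC_BITS = {"l": (0, 0), "NC": (0, 1), "CR": (1, 0)}
REACHABLE = [  # the 12 reachable states (pc0, pc1, turn) drawn on slide 12
    ("l", "l", 0), ("l", "l", 1), ("NC", "l", 0), ("l", "NC", 1), ("l", "NC", 0), ("NC", "l", 1),
    ("CR", "l", 0), ("l", "CR", 1), ("NC", "NC", 0), ("NC", "NC", 1), ("CR", "NC", 0), ("NC", "CR", 1)]

def encode_state(bdd, state):
    """Minterm (conjunction of literals) of one state."""
    pc0, pc1, turn = state
    bits = dict(zip(ORDER, (*LOC_BITS[pc0], *LOC_BITS[pc1], turn)))
    f = 1
    for v in ORDER:
        f = bdd.AND(f, bdd.var(v) if bits[v] else bdd.NOT(bdd.var(v)))
    return f

def encode_set(bdd, states):
    """Characteristic function of a set of states: disjunction of its minterms."""
    f = 0
    for s in states:
        f = bdd.OR(f, encode_state(bdd, s))
    return f

def in_cr(bdd, proc):
    return bdd.AND(bdd.var(f"pc{proc}_1"), bdd.NOT(bdd.var(f"pc{proc}_0")))

def mutual_exclusion_holds(bdd, reachable):
    """Reachable ∧ (pc0=CR ∧ pc1=CR) reduces to the constant-false BDD."""
    return bdd.AND(reachable, bdd.AND(in_cr(bdd, 0), in_cr(bdd, 1))) == 0

def de_morgan_same_node(bdd):
    """Canonicity: ¬(cs0 ∧ cs1) and ¬cs0 ∨ ¬cs1 are built differently but get one node id."""
    cs0, cs1 = in_cr(bdd, 0), in_cr(bdd, 1)
    return bdd.NOT(bdd.AND(cs0, cs1)) == bdd.OR(bdd.NOT(cs0), bdd.NOT(cs1))
```

Build the manager with BDD(ORDER), then encode_set(bdd, REACHABLE) gives one node id for the whole set; sat_count recovers 12 from it, mutual_exclusion_holds tests the safety property as a single AND on the function rather than by visiting states, and de_morgan_same_node shows the canonicity that makes equivalence checks a pointer comparison. Canonicity depends on the fixed variable order: the same function under a different ORDER is a different graph, which is why variable ordering dominates BDD size in practice.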