Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball.

Model Checking Büchi Pushdown Systems
Presented by Rustan Leino
Juncao Li and Fei Xie, Dept. of Computer Science, Portland State University
Thomas Ball and Vladimir Levin, Microsoft Corporation

Hardware/Software (HW/SW) Interfaces are Pervasive…
Windows XP
◦ over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004)
Linux
◦ 70% of the code is drivers that operate hardware (Chou et al., 2001)

And Unreliable…
In Windows
◦ drivers cause 85% of reported failures (Swift, 2005)
◦ at least 52.6% of Windows crashes involve HW/SW interaction (Sinha, 2005)
In Linux
◦ seven times more driver failures (Chou et al., 2001)
Many issues are never captured by crash reporting at all
◦ e.g., device/driver I/O hangs

What we have done (FASE'10, CAV'10)
Formal specification framework
◦ specify a hardware model for verifying software
Unifying formal model
◦ Labeled Pushdown System (LPDS) as the software model
◦ Büchi automaton (BA) as the hardware model
◦ Büchi Pushdown System (BPDS): BA × LPDS
Reachability analysis algorithm for BPDS
◦ static partial order reduction
Discovered 12 bugs in 5 Windows drivers

Need more?
Why? Liveness matters for system responsiveness
◦ software commands will always be acknowledged
◦ I/O will not hang
How?
◦ specify the properties in Linear Temporal Logic (LTL)
◦ a model checking algorithm for checking liveness properties of BPDS
◦ a reduction algorithm: static partial order reduction

Where are we …
Introduction
Preliminaries
Algorithms
◦ Model Checking
◦ Reduction
Examples & Evaluation
Conclusion

Büchi Automaton (BA)
A BA consists of
◦ the alphabet
◦ the finite set of states
◦ the set of state transitions
◦ the initial state
◦ the set of final states
The alphabet is defined on the states of the LPDS
◦ the LPDS is the generator of inputs to the BA, e.g., WRITE_REGISTER_UCHAR(foo, 32)

Labeled Pushdown System (LPDS)
An LPDS consists of
◦ the input alphabet
◦ the finite set of global states
◦ the finite stack alphabet
◦ the initial configuration
◦ the set of transition rules

Labeling Functions

BPDS …

Model Checking Problem

Find a trace that
◦ starts from the initial state
◦ visits the final states infinitely often
◦ satisfies the fairness requirement: infinitely many hardware transitions and infinitely many software transitions

Model Checking Algorithm
Detect the loops that
◦ visit the final states
◦ contain at least one hardware transition
◦ contain at least one software transition
◦ using the backward reachability analysis algorithm for pushdown systems (Schwoon, 2002)
Check whether one of these loops is reachable from the initial state
◦ reachability checking (FASE'2010, CAV'2010)

Static Partial Order Reduction
Partial order reduction
◦ exploits the commutativity of concurrent transitions
◦ usually applied during model checking
Static: applied at compile time
◦ no modification to the model checker
◦ can be combined with other techniques, e.g., co-simulation (Kuznetsov, 2010)
◦ may be less effective in reduction

State Graph (figure; legend: LPDS self-loops, BA self-loops, BA and LPDS both transition)

An Intuition of the Reduction (figure; same legend: LPDS self-loops, BA self-loops, BA and LPDS both transition)

What to reduce?
SensitiveSet
◦ transitions where HW/SW interface events happen, e.g., a HW interrupt, a SW write to a HW register
VisibleSet
◦ transitions that affect the propositional variables of the LTL formula
LoopSet
◦ the last HW (or SW) transition in a loop, needed for the fairness constraint

Example (Software column / Hardware column)

Software:

    void main()
    begin
      decl v0, v1, v2;
      v0, v1, v2 := 1,1,1;
      sw_reset: reset();
      // wait for the reset to complete
      v1,v0 := status();
      while(!v1|v0) do
        v1,v0 := status();
      od
      // wait for the counter to increase
      v2,v1,v0 := rd_reg();
      while(!v2) do
        v2,v1,v0 := rd_reg();
      od
      // if the return value is valid
      if(v1|v0) then
        error: skip;
      fi
      exit: return;
    end

Hardware:

    // represent HW registers
    decl c0,c1,c2,r,s;

    __atomic void reset()
    begin
      reset_cmd: r := 1;
    end

    __atomic bool status()
    begin
      return s,r;
    end

    __atomic bool rd_reg()
    begin
      return c2,c1,c0;
    end

    // HW instrumentation function
    void HWInstr()
    begin
      while(*) do
        HWModel();
      od
    end

    // Asynchronous HW model
    __atomic void HWModel()
    begin
      if(r) then
        reset_act: c2,c1,c0,r,s := 0,0,0,0,1;
      elseif(s) then
        inc_reg();
      fi
    end

    __atomic void inc_reg()
    begin
      if(!c0) then
        c0 := 1;
      elseif(!c1) then
        c1,c0 := 1,0;
      elseif(!c2) then
        c2,c1,c0 := 1,0,0;
      fi
    end

With reduction (same program as above)
LTL formula: G (sw_reset -> (F reset_act))
The slide animation highlights, on the same program, which transitions belong to the SensitiveSet, the VisibleSet and the LoopSet.
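Added example, not code from the slides or from the paper: the counter device and its polling driver above, encoded as an explicit finite-state system and checked for G (sw_reset -> (F reset_act)) in the way the Model Checking Problem and Model Checking Algorithm slides describe, by looking for a reachable loop that visits an accepting state and, under the fairness requirement, contains both a hardware and a software transition. Assumptions of mine: main() has no recursion, so the LPDS stack is dropped and the software side becomes a finite control-flow graph (the real algorithm keeps the stack and uses Schwoon's backward reachability on the pushdown system); the hardware registers c2,c1,c0,r,s start at zero (the slide leaves them uninitialised); the automaton for the negated property, F (sw_reset & G !reset_act), is written by hand and reads transition labels rather than LPDS states; loop detection is Tarjan's SCC algorithm on the product graph rather than the paper's procedure.

```python
# Added example (not from the slides or the paper). Assumptions: main() has no
# recursion, so the LPDS stack is dropped; HW registers start at zero; the
# property automaton reads transition labels; fairness = infinitely many HW
# and SW transitions.
from collections import defaultdict
import sys

sys.setrecursionlimit(20000)

HW_INIT = (0, 0, 0, 0, 0)           # (c2, c1, c0, r, s); all-zero is assumed
SW_INIT = ("sw_reset", (1, 1, 1))   # location, (v2, v1, v0) := 1,1,1

def hw_step(regs):
    """One atomic HWModel() step; returns (label, new_regs)."""
    c2, c1, c0, r, s = regs
    if r:
        return "reset_act", (0, 0, 0, 0, 1)
    if s and (c2, c1, c0) != (1, 1, 1):      # inc_reg(): saturating 3-bit counter
        n = (c2 << 2 | c1 << 1 | c0) + 1
        return "inc", (n >> 2 & 1, n >> 1 & 1, n & 1, r, s)
    return "idle", regs                      # nothing to do: BA self-loop

def sw_step(loc, vs, regs):
    """One statement of main(); returns (label, new_loc, new_vs, new_regs)."""
    v2, v1, v0 = vs
    c2, c1, c0, r, s = regs
    if loc == "sw_reset":                    # reset(): r := 1
        return "sw_reset", "poll_status", vs, (c2, c1, c0, 1, s)
    if loc == "poll_status":                 # v1,v0 := status()
        return "sw", "chk_status", (v2, s, r), regs
    if loc == "chk_status":                  # while(!v1|v0)
        return "sw", ("poll_status" if (not v1) or v0 else "poll_reg"), vs, regs
    if loc == "poll_reg":                    # v2,v1,v0 := rd_reg()
        return "sw", "chk_reg", (c2, c1, c0), regs
    if loc == "chk_reg":                     # while(!v2)
        return "sw", ("poll_reg" if not v2 else "chk_valid"), vs, regs
    if loc == "chk_valid":                   # if(v1|v0) then error
        return "sw", ("error" if v1 or v0 else "exit"), vs, regs
    return "sw", loc, vs, regs               # error / exit: LPDS self-loop

def ba_step(q, label):
    """Automaton for the negated property F(sw_reset & G !reset_act).
    q=0 waits for sw_reset; q=1 (accepting) has no successor on reset_act."""
    if q == 0:
        return [0, 1] if label == "sw_reset" else [0]
    return [] if label == "reset_act" else [1]

def build_product():
    """Explicit product graph; each edge records who moved ('hw' or 'sw')."""
    init = (SW_INIT[0], SW_INIT[1], HW_INIT, 0)
    succ, seen, work = defaultdict(list), {init}, [init]
    while work:
        st = work.pop()
        loc, vs, regs, q = st
        hw_lbl, hw_regs = hw_step(regs)
        sw_lbl, sw_loc, sw_vs, sw_regs = sw_step(loc, vs, regs)
        for kind, lbl, rest in (("hw", hw_lbl, (loc, vs, hw_regs)),
                                ("sw", sw_lbl, (sw_loc, sw_vs, sw_regs))):
            for q2 in ba_step(q, lbl):
                nxt = rest + (q2,)
                succ[st].append((kind, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return init, succ

def sccs(init, succ):
    """Tarjan's strongly connected components over the reachable graph."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for _, w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:               # v is the root of a component
            comp = set()
            while v not in comp:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
            comps.append(comp)
    visit(init)
    return comps

def find_counterexample(fair=True):
    """Return a reachable SCC that is an accepting cycle (contains a q=1 state
    and, when fair=True, both a HW and a SW edge), or None if the property holds."""
    init, succ = build_product()
    for comp in sccs(init, succ):
        kinds = {k for v in comp for k, w in succ[v] if w in comp}
        if not kinds or not any(q == 1 for (_, _, _, q) in comp):
            continue                         # no cycle, or not accepting
        if fair and kinds != {"hw", "sw"}:
            continue                         # violates the fairness requirement
        return comp
    return None

if __name__ == "__main__":
    for fair in (True, False):
        print(f"fairness {'on' if fair else 'off'}:",
              "holds" if find_counterexample(fair) is None else "violated")
```

With fairness on there is no counterexample: once reset() has set r := 1, the next hardware step is necessarily reset_act. With fairness off the search returns the software-only loop around while(!v1|v0), which polls status() forever while the hardware never moves; that is the kind of loop the fairness requirement, and the LoopSet in the reduction, exist to handle.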

Evaluation
Designed a BPDS template to generate BPDS models of different complexities
Verified eleven LTL formulae
Observations
◦ 80% average reduction in time usage
◦ 35% average reduction in memory usage
◦ one space-out without reduction
The reduction is effective because HW and SW transitions are mostly asynchronous

Conclusion
We have presented
◦ a model checking algorithm for BPDS
◦ a static partial order reduction algorithm for BPDS
Take away with you …
◦ the model checking algorithm can be implemented on top of existing liveness verification engines for pushdown systems
◦ the reduction algorithm has broader application, e.g., co-simulation
Future work
◦ realize the liveness checking on BPDS specified in the C language
◦ co-simulation that utilizes our reduction algorithm

References
Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products (2004).
Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP (2001).
Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005).
Sinha, A.: Windows driver quality signature (2005).
Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002).
Li, J., Xie, F., Ball, T., Levin, V., McGarvey, C.: An Automata-Theoretic Approach to Hardware/Software Co-verification. In: Proc. of FASE (2010).
Li, J., Xie, F., Ball, T., Levin, V.: Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In: Proc. of CAV (2010).
Kuznetsov, V., Chipounov, V., Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIX ATC (2010).