1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST Laboratory of Model Driven Engineering for embedded systems F Gif-sur-Yvette, FRANCE. Tests and Proofs 2009

3 rd of July 2009 DTSI CEA-LIST Context and motivation Critical embedded systems => formal methods Spec (  ) Model ( M ) Model System (black box) Conforms to ? (TAP’07) Conforms to ? (TestCom’06) Conforms to ? refinement implementation design Several problems, one technique, Symbolic Execution (SE), one platform (AGATHA). shift from space complexity to time complexity (for verification). concise representation: for simulation, test purpose definition … M |= symb exec  ?

3 rd of July 2009 DTSI CEA-LIST Outline  Models: IOSTS formalism  Specifications: IOLTL logic  IOLTL tableau calculus  Symbolic Execution technique  Tableau calculus and SE (|= symb path )  Termination  Experiment, Conclusion, Futur works

3 rd of July 2009 DTSI CEA-LIST IOSTS Formalism T [rel_speed?v] {} T [  ] {b : = 1, v : = 0} (b = = 0) [  ] {} v > 1 [motor ! -1]{} v < -1 [motor ! 1]{} -1  v  1 [  ]{} q r p I T [  ] {b:=0} t4t4 t3t3 (I,v  0,b  1) (p,v  0,b  0) (q,v  -5,b  0)(r,v  -5,b  0) (p,v  -5,b  0) rel_speed ? -5 a run: motor ! 1 Data part: first order decidable theory Th (ex: Presburger Arithmetics) state variables: {v,b} Graph part : states, transitions label: Guard [I|O|  ] {Substitution} I: channel ? Variable O : channel ! Term Relative speed regulator (virtual trains for trucks)

3 rd of July 2009 DTSI CEA-LIST IOLTL BNF Grammar:  ::= atom | T |  |   1 |  1   2 | X  1 |  1 U  2 |  1 R  2 Atomic propositions: properties over states: (v > 0) properties over I/O: (c ! u, u > v+1) Satisfaction: M |= iosts  if for all r  Run(M), r |= run  Implicit Kripke structure : I p e1e1 e2e2 I,e 1 p,e 2 |= X  if |= 

3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus r |= run  means r(0) |= run  r(i) |= run  can be reduced to: r[i] |= state Now(  ) or r(i+1) |= run neXt(  ) where Now(  )  Atoms r[i] |= state Now(  ) means T |= /\ r[i]  /\ Now(  ) Goal: transform satisfaction relation |= run into an operational procedure. Idea : reduce it to a satisfaction relation on state |= state which can be reduced itself to Th |= f (the data theory Th is supposed to be decidable). Now neXt Now’ neXt’ 2 kind of inference rules  neXt neXt  r(i) r[i] r: (transformation) (transition)

3 rd of July 2009 DTSI CEA-LIST Tableau calculus: example F p (abbreviates: T U p) F p  p  X (F p) r(i) |= F p iff r[i] |= p or r(i+1) |= F p {F p},  {p},  {F p},  {},{F p} {F p},{} F1F1 F2F2 NSR (Next State Rule) p {},{F p} p p Prove p now … … or prove Fp in the next state. Build the next state. If p is not an atom: after F 1 rules dedicated to p main operator are applied and so on until Now set contains only atoms.

3 rd of July 2009 DTSI CEA-LIST Symbolic execution (I, T,{v  v 0, b  b 0 }) (p, T,{v  v 0, b  0 })  (q, T,{v  v 1, b  0 }) rel_speed?v 1 (r, T,{v  v 1, b  0 }) (r, T,{v  0, b  1 }) (p, v 1 < -1,{v  v 1, b  0 }) (p, v 1 > 1,{v  v 1, b  0 }) (p,-1  v 1  1,{v  v 1, b  0 }) Motor ! -1 Motor ! 1  Principle: symbols are used instead of values. Red symbolic path: contains the run of slide 4. Correct, complete. Intentional representation of all runs (concise and exact). M |= iosts  iff for all sp  SP(M) we have sp |= symb path 

3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus and symbolic execution (p, v i >1, v  v i ) {F (v < 5) }  E,  (p, vi>1, v  v i ) { (v < 5) }  E,  F1F1 E,E, Atom (p, v i >1, v  v i ) (p, (v i >1)  (v  vi)(v<5), v  v i ) { (v < 5) }  E,  (p, (1<v i <5), v  v i ) Atom Rule transfers atoms into path condition.

3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus and symbolic execution (p, v i >1, v  v i ) {F (v < 5) },  (p, vi>1, v  v i ) ,{F (v < 5)} F2F2 NSR (p, v i >1, v  v i ) ,{F (v < 5) } {F (v < 5) },  (q, v i >1, v  v i+1 ) rel_speed?v i+1 Context Rules build sequences of transitions linking contexts: we call them unfoldings (an unfolding is consistent if the path condition of its symbolic state component)

3 rd of July 2009 DTSI CEA-LIST Satisfaction problem with Until formulas v > 0 v > 1 Consider: F(v<0) and the kripke structure above. Rule F 2 applies forever (i.e. build an infinite consistent unfolding) although (v<0) is never satisfied ! C onsistency of an infinite unfolding is not a sufficient criteria for the satisfaction relation. The technique requires a third set of formulas which stores Until formulas (remember that F is an Until) never proved: initialized with all Until (Finally) sub-formulas. USet, {}, neXt USet  neXt, neXt, {} NSR (modified to take Uset into account) With above example: USet always contains F(x<0) ! Emptiness of the Uset provides a sufficient criterion.

3 rd of July 2009 DTSI CEA-LIST Lemma With Uset emptiness criterion (never infinitely non empty) |= run and |= symb path are equivalent (i.e. we can use |= symb path instead of |= run in the definition of |= iosts )

3 rd of July 2009 DTSI CEA-LIST Termination criterion 1: lassos detection Context with Uset =  Lemma: O 1  O 2   => There is a lasso (see red execution a.b) a b Moreover, if there exists, in the loop part of the unfolding, a context with Uset =  then: a.b* satisfies . O 1, O 2 are omega sets (see paper) with respect to symbols present in the prefix) O1O1 O2O2 prefix loop An unfolding:

3 rd of July 2009 DTSI CEA-LIST Termination criterion 2: “dead end” detection Uset   O 2  O 1   => unfoldings “after” S2 cannot prove more than those “after” S1 => cut on S2. O 1, O 2 (omega sets of S1 and S2 with respect to  ) S2 S1

3 rd of July 2009 DTSI CEA-LIST Theorems Theorem 1: If there exits an unfolding satisfying the lasso criterion and the Uset criterion then there exists a run r |= . Theorem 2: If all unfoldings satisfy the inclusion criterion but not the Uset criterion then there exists no run satisfying . (the two criteria are applied in a defined sequence)

3 rd of July 2009 DTSI CEA-LIST First experiment Diagnosability. A model is not diagnosable with respect to a fault if we can find two different runs, having the same observable traces, one being affected by the fault and not the other. The speed regulator IOSTS model of slide 4 contains a fault whose occurrence is characterized by the value of b). Diagnosability can be reduced to a model-checking problem: M  M |= iosts F G (b 1 = T  b 2 =  ) ? Answer about the speed captor failure: Not diagnosable when relative speed is maintained at 0.

3 rd of July 2009 DTSI CEA-LIST Conclusion  |= symb path can be used instead of |= run  Allows analysis of models with unbounded variables or huge domains  SE and tableau calculus combination provides an operational technique for |= symb  semi-decision verification algorithm (between test and proof)

3 rd of July 2009 DTSI CEA-LIST FUTUR WORKS  Improve verification algorithm with strategies (priorities over rules: F 1 > F 2 to check F G  )  Monte Carlo methods for large systems (adaptation of the MC2 PLTL checker approach)  What about FIFO channels ?  Use tableau calculus and SE to generate tests purposes (TestCom’06) from IOLTL properties (Test purpose refinement). Thank You !