Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science.

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Partial Order Reduction: Main Idea

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Satisfiability Modulo Theories (An introduction)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Concurrency: introduction1 ©Magee/Kramer 2 nd Edition Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

CS 61B Data Structures and Programming Methodology July 31, 2008 David Sun.

Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.

Leveraging Assertion Based Verification by using Magellan Michal Cayzer.

Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Banker’s Algorithm Implementation in CPN Tools Michal Žarnay Department of Transportation Networks University of Žilina, Slovakia.

Component-Level Design

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

CSE 830: Design and Theory of Algorithms

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

1 An Open Boundary Safety-of- Territory Solver for the Game of Go Author: Xiaozhen Niu, Martin Mueller Dept of Computing Science University of Alberta.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.

Reporter: PCLee. Assertions in silicon help post-silicon debug by providing observability of internal properties within a system which are.

A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University.

Event Driven Programming

The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.

Institute e-Austria in Timisoara 1 Author: prep. eng. Calin Jebelean Verification of Communication Protocols using SDL ( )

CS6133 Software Specification and Verification

Joseph Cordina 1/11 The Use of Model-Checking for the Verification of Concurrent Algorithms Joseph Cordina Department of C.S.&A.I.

Major objective of this course is: Design and analysis of modern algorithms Different variants Accuracy Efficiency Comparing efficiencies Motivation thinking.

1 MVD 2010 University of Iowa New York University Comparing Proof Systems for Linear Real Arithmetic Using LFSC Andrew Reynolds September 17, 2010.

Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.

ABSTRACT The real world is concurrent. Several things may happen at the same time. Computer systems must increasingly contend with concurrent applications.

An Ontological Framework for Web Service Processes By Claus Pahl and Ronan Barrett.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.

CJAdviser: SMT-based Debugging Support for ContextJ* Shizuka Uchio(Kyushu University, Japan) Naoyasu Ubayashi(Kyushu University, Japan) Yasutaka Kamei(Kyushu.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.

CSCI1600: Embedded and Real Time Software Lecture 11: Modeling IV: Concurrency Steven Reiss, Fall 2015.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

R-Verify: Deep Checking of Embedded Code James Ezick † Donald Nguyen † Richard Lethin † Rick Pancoast* (†) Reservoir Labs (*) Lockheed Martin The Eleventh.

Random Logic l Forum.NET l State Machine Mechanism Forum.NET 1 st Meeting ● December 27, 2005.

Lecture #1: Introduction to Algorithms and Problem Solving Dr. Hmood Al-Dossari King Saud University Department of Computer Science 6 February 2012.

On Concurrency Idioms and their Effect on Program Analysis Weizmann Institute of Science Guy Katz and David Harel.

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2)

The Structuring of Systems Using Upcalls By David D. Clark Presented by Samuel Moffatt.

Principles of Programming & Software Engineering

SS 2017 Software Verification Bounded Model Checking, Outlook

Operating systems Deadlocks.

Lazy Proofs for DPLL(T)-Based SMT Solvers

Piecewise Linear Neural Network Verification

David Harel, Robby Lampert, Assaf Marron, Gera Weiss

Objective of This Course

Operating systems Deadlocks.

Predicate Abstraction

Presentation transcript:

Theory-Aided Model Checking of Concurrent Transition Systems Guy Katz, Clark Barrett, David Harel New York University Weizmann Institute of Science

Compositional Verification A divide and conquer verification approach No need to explore all composite states 2

The Difficulties Automation 1.Partition the system into modules 2.Choose “good” module properties 3.Prove module properties 4.Prove global property A very difficult problem! 3

Our Approach 4 Trade generality for effectiveness ◦ Do well on specific classes of programs We present a fully automatic, compositional approach ◦ Handle concurrent programs written in the RWB model ◦ Based on SMT solving

Transition Systems An SMT-Driven Process 5 SMT Solver SMT Solver Arithmetic Arrays SAT (unsafe) or UNSAT (safe) Transition Systems

A Theory of Transition Systems 6 Decision procedure: state space traversal Look for known patterns in the input ◦ Generate lemmas for other theory solvers Lemmas allow other theories to aid in the verification ◦ Prune the search space ◦ Can significantly reduce verification time

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 7

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 8

Request / Wait / Block (RWB) RWB programs have events and threads Threads synchronize and declare 1.Requested events 2.Waited-for events 3.Blocked events Trigger an event that is requested and not blocked Inform threads that requested / waited-for the event 9

B-s Block Wait Request Threads The Execution Cycle 10

Toy Example 11 Trace:

Why RWB? RWB idioms are common ◦ Publish / Subscribe systems ◦ Supervisory control ◦ Live Sequence Charts (LSCs) ◦ Behavioral Programming The strict synchronization mechanism facilitates reasoning about individual threads Makes finding module properties easier 12

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 13

The Transition System (TS) Solver Input: ◦ Formulas describing RWB threads ◦ An assertion that the program is unsafe  A deadlock state is reachable  Safety reducible to deadlock freedom Output: ◦ SAT if the property is violated (+ counter-example) ◦ UNSAT if the property holds 14

Basic Decision Procedure 15 S TART D ECIDE U NSAT SAT Theory-valid lemmas:

Pattern Matching During state space traversal, TS looks for thread patterns ◦ Structural properties of threads ◦ Checked on each thread separately (compositionally) When a pattern applies, lemmas are generated ◦ From the languages of other theory solvers ◦ The SMT core handles the interfaces Other solvers can then curtail the search space 16

Pattern Matching: Example 17

Looped Threads 18

Generating Lemmas 19

Generating Lemmas (cnt’d)

Matchers implemented as C++ classes Take the input transition systems, answer yes/no ◦ If pattern holds, invoked every time a new state is visited ◦ Get to generate lemmas Internally, very flexible ◦ Compute strongly connected components ◦ Check when events are always blocked / never requested ◦ Threads are small, so this is cheap Restriction: don’t construct the composite state graph! Implementing Pattern Matchers

The technique is useful only when a pattern applies Can a few stored patterns apply to many programs? ◦ Examples in next sections Adding patterns is amortized over future applications Portfolio approach: quickly recognize that no pattern matches Limitations

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 23

Shared Arrays in RWB 24 Locally, threads can use any construct ◦ Arrays, lists, etc Inter-thread shared arrays – only through RWB

Example: A Shared Bit 25

Leveraging Shared Arrays 26 Recognize shared arrays in the input threads ◦ Extract arity, read / write events, initial value, etc ◦ Sometimes it is used unintentionally Check if violations occur only in certain configurations ◦ Sometimes certain configurations are the violation During state traversal, generate lemmas when a shared memory cell becomes fixed ◦ Write events always blocked / never requested The array theory solver can then curtail the search

Example: Tic Tac Toe 27 Goal: complete a row, column or diagonal If no mistakes are made, game always ends in a draw XX O X X O X X OO X X OOX X OX OOX XX OX OOX XX OX OOX

Implementing Tic Tac Toe 28

Verifying Tic Tac Toe 29

Example 30

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 31

Periodic Programs 32

Periodic Programs in RWB A task that needs to be scheduled requests an event Priorities expressed by blocking less urgent tasks Pattern matcher checks this on individual threads Then generates arithmetic lemmas about time instances when a violation can occur

Example 34 TS Theory Arithmetic Theory UNSAT, property holds

Agenda RWB Transition Systems A Theory of Transition Systems Programs with Shared Arrays Periodic Programs Experimental Results 35

Experimental Results 36

Experimental Results (cnt’d) 37

Conclusion 38 Automatic compositional verification of RWB programs Added a theory of transition systems to CVC4 Traverse state space and look for patterns ◦ When a pattern is found, generate lemmas ◦ Other theories can then curtail the search space Examples: ◦ Programs with shared arrays ◦ Periodic programs

Future Work 39 Support additional models beyond RWB Add more patterns Improve the portfolio approach

Questions 40 Thank You!