Published by Cooper Bruley. Modified over 9 years ago.
Slide 1: Temporal-Logic Constraints in Feature-Oriented Verification
Kathi Fisler (WPI), joint work with Shriram Krishnamurthi (Brown), Colin Blundell (Brown; now at UPenn) and Pascal Van Hentenryck (Brown)
Slide 2: An Email Product Line
[Diagram: products assembled from the features Base, Encrypt, Decrypt, Sign and Auth; shown are Base-Encrypt-Decrypt-Sign-Auth (twice) and Base-Sign-Auth]
Slide 3: A Desired Product Property
Signed emails can always be authenticated.
[Diagram: product Base, Encrypt, Decrypt, Sign, Auth] Decrypting mangles the signature.
Slide 4: Mix-and-Match Systems
[Diagram: many feature orderings, such as F1 F2 F4 Sign, F2 F4, F1 F4, F3 F2, F1 F3 F4 Sign F2]
There is no single “program”! The number of configurations is enormous…
Slide 5: Model Checking Product Lines
- Features are unaware of other features and their requirements, by design
- Products often contain bugs as a result: the “feature interaction problem”
- Modular reasoning is essential to cope with the design space (not product size)
Slide 6: Modeling Features and Products
Feature: points of entry (s0) and exit (s2). [Diagram: s0 --sign--> s1 --> s2, labelled Sign]
Product: a sequential composition of features. [Diagram: Base, Sign, Auth]
Slide 7: Verification Problem (1)
- Have a set of features and a property that should hold of all products
- Verify the property against each feature separately
- Combine the results to show the property holds of the product
Slide 8: Try Model Checking
Problems:
- The Sign feature has no knowledge of encrypted
- The property must hold globally
  – but there is no temporal information at s2
- What value to return?
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
Slide 9: Model Checking’s Limitation
- Model checking is designed to give a yes/no answer about a closed system
- Features are inherently open systems
Slide 10: Model Checking’s Limitation
Two sources of openness:
- values of (some) propositions
- behavior along paths from the exit
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
Slide 11: Verification Problem (2)
- Have a set of features and a property that should hold of all products
- Derive a constraint on each feature that is sufficient to preserve the property
  – expensive verification should happen here
- Check the constraints when forming a product
  – this step should be lightweight
Slide 12: Feature Constraints
- Where does the value of encrypted come from?
  – from an earlier feature (enter at s0)
- Where do the rest of the control paths come from?
  – from the subsequent features (exit at s2)
- Want a constraint parameterized on these values
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
Slide 13: Constraint Contents
- If encrypted is true at s0, what is required at s2? AF decrypt
- What must hold at s2 regardless of encrypted? AG(encrypted → AF decrypt)
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
Slide 14: The Computed Constraint
[AG(encrypted → AF decrypt)]s2
¬encrypted ∨ [AF decrypt]s2
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
The constraint is parameterized over both data and control values.
Slide 15: Computing Constraints
[AG(encrypted → AF decrypt)]s2
¬encrypted ∨ [AF decrypt]s2
[Diagram: s0 --sign--> s1 --> s2; property AG(encrypted → AF decrypt)]
Modification of the basic model checker:
- Propositions: return the name if the value is unknown
- Terminal states: return the annotated formula
Slide 16: Discharging Constraints
[Diagram: Sign’s constraint placed in the product Base, Encrypt, Decrypt, Sign, Auth]
[AG(encrypted → AF decrypt)]s2
¬encrypted ∨ [AF decrypt]s2
encrypted
[AG(encrypted → AF decrypt)]s2, [AF decrypt]s2
Effectively propositional.
Slide 17: Verification Given Property P
[Diagram: features F1 … F5, each with its own constraint C1P … C5P and dataflow D1 … D5; the constraints are discharged along the composition, e.g. D1 ∘ D2 …, C5(D1–5) …]
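The constraint computation of slides 12 to 16 and the per-feature discharge of slide 17, as an added worked example (constructed for this page, not the authors' implementation): a small CTL checker over open feature automata that returns a proposition's name when its value is unknown and an annotated obligation [f]s2 when a temporal formula reaches the exit state, followed by a composition step that resolves those constraints by substitution and hands each exit obligation to the next feature, without re-traversing any feature. The email features, their chain-shaped state machines, the split between flowing data propositions (`DATA`) and local actions, and all proposition names are assumptions made here.

```python
"""Constraint-generating model check of open features (constructed example,
not the authors' implementation).  A feature is an open state machine with
entry 's0' and one exit state.  Checking a CTL property against it yields a
constraint rather than yes/no: an unknown proposition comes back as its name,
and a formula reaching the exit comes back annotated with the exit state."""

DATA = {'encrypted'}  # data propositions flow across features; any other
                      # proposition is an action, false unless taken there

def atom(p): return ('atom', p)
def imp(f, g): return ('or', ('not', f), g)
def AF(f): return ('AF', f)
def AG(f): return ('AG', f)

# Connectives over True/False and symbolic terms: n-ary, flattened, deduplicated.
def conn(op, unit, *xs):
    zero, terms = not unit, set()
    for x in xs:
        if x is zero: return zero
        if x is not unit: terms |= (set(x[1]) if x[0] == op else {x})
    return unit if not terms else terms.pop() if len(terms) == 1 else (op, frozenset(terms))
def and_(*xs): return conn('and', True, *xs)
def or_(*xs): return conn('or', False, *xs)
def not_(a): return (not a) if isinstance(a, bool) else a[1] if a[0] == 'not' else ('not', a)

class Feature:
    def __init__(self, name, succ, exit_state, effects):
        self.name, self.succ, self.exit, self.effects = name, succ, exit_state, effects
        states = set(succ) | {t for ts in succ.values() for t in ts}
        self.pred = {s: [q for q in succ if s in succ[q]] for s in states}
        self.memo = {}

    def val(self, s, p):
        """Dataflow value of p at s (acyclic features): True, False or ('in', p)."""
        if p in self.effects.get(s, {}): return self.effects[s][p]
        if p not in DATA: return False             # an action not taken at s
        if s == 's0': return ('in', p)             # unknown value: return the name
        vals = {self.val(q, p) for q in self.pred[s]}
        if len(vals) != 1: raise NotImplementedError('paths disagree: needs 3-valued reasoning')
        return vals.pop()

    def check(self, f, s):
        """Constraint under which CTL formula f holds at state s of this feature."""
        if (f, s) not in self.memo: self.memo[(f, s)] = self._check(f, s)
        return self.memo[(f, s)]

    def _check(self, f, s):
        op = f[0]
        if op == 'atom': return self.val(s, f[1])
        if op == 'not': return not_(self.check(f[1], s))
        if op in ('and', 'or'):
            return (and_ if op == 'and' else or_)(self.check(f[1], s), self.check(f[2], s))
        if s == self.exit: return ('hold', f, s)  # terminal state: annotated formula
        here = self.check(f[1], s)
        rest = and_(*(self.check(f, t) for t in self.succ.get(s, [])))
        if op == 'AG': return and_(here, rest)
        return here if not self.succ.get(s) else or_(here, rest)  # AF

def verify_product(features, prop, env=None):
    """Check prop on features[0]; ...; features[-1].  Each feature's constraint is
    generated once; composition only substitutes data values and hands every
    exit obligation [f]exit to the feature that follows (a sink after the last)."""
    env = env or {p: False for p in DATA}
    def resolve(c, i, env):
        if isinstance(c, bool): return c
        op = c[0]
        if op == 'in': return env[c[1]]
        if op == 'not': return not resolve(c[1], i, env)
        if op in ('and', 'or'):
            return (all if op == 'and' else any)(resolve(t, i, env) for t in c[1])
        feat = features[i]                         # c is ('hold', f, exit)
        out = {p: resolve(feat.val(feat.exit, p), i, env) for p in env}
        nxt = features[i + 1] if i + 1 < len(features) else Feature('end', {}, None, {'s0': out})
        return resolve(nxt.check(c[1], 's0'), i + 1, out)
    return resolve(features[0].check(prop, 's0'), 0, env)

def show(x):
    """Render a formula or constraint in the slides' notation."""
    if isinstance(x, bool): return str(x)
    op = x[0]
    if op in ('atom', 'in'): return x[1]
    if op == 'not': return '¬' + show(x[1])
    if op == 'hold': return '[' + show(x[1]) + ']' + x[2]
    if op in ('and', 'or'):
        args = sorted(map(show, x[1])) if isinstance(x[1], frozenset) else list(map(show, x[1:]))
        return '(' + (' ∧ ' if op == 'and' else ' ∨ ').join(args) + ')'
    return op + ' ' + show(x[1])

# Constructed email features, each a pipe stage from s0 to s2 (assumed shapes).
CHAIN = {'s0': ['s1'], 's1': ['s2']}
BASE = Feature('Base', CHAIN, 's2', {})
ENCRYPT = Feature('Encrypt', CHAIN, 's2', {'s1': {'encrypted': True}})
DECRYPT = Feature('Decrypt', CHAIN, 's2', {'s1': {'decrypt': True, 'encrypted': False}})
SIGN = Feature('Sign', {'s0': ['s1', 's2'], 's1': ['s2']}, 's2', {'s1': {'sign': True}})  # signing may be skipped
PROP = AG(imp(atom('encrypted'), AF(atom('decrypt'))))

if __name__ == '__main__':
    print('Sign alone yields the constraint', show(SIGN.check(PROP, 's0')))
    for product in ([BASE, SIGN], [BASE, ENCRYPT, SIGN, DECRYPT], [BASE, ENCRYPT, SIGN]):
        print(' -> '.join(f.name for f in product), verify_product(product, PROP))
```

Run stand-alone, the Sign feature produces exactly the two obligations of slide 14, [AG(encrypted → AF decrypt)]s2 and ¬encrypted ∨ [AF decrypt]s2, with encrypted left symbolic because Sign never assigns it. Discharging then needs no traversal of Sign: Base-Sign passes because encrypted is false on entry, Base-Encrypt-Sign-Decrypt passes because Decrypt settles the [AF decrypt]s2 obligation, and Base-Encrypt-Sign fails because the obligation reaches the end of the product undischarged, which is the feature-interaction the slides describe.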
Slide 18: Undiscussed Details
- Dataflow computation for data values
- Propositional reasoning is actually 3-valued
  – handles data values across different paths
- Can use simpler reasoning about individual features in some cases
Slide 19: Case Study
- Conducted on an email suite that exhibits many property violations (previously discovered manually by Robert Hall [FITS 00])
- Tested 9 properties; detected all violations successfully (each one a feature interaction)
- Detected violations without traversing features at composition time
Slide 20: Limitations
- Current algorithm cannot handle cyclic feature compositions (DAGs are fine)
  – supports pipe-and-filter architecture
  – have other work (heavier checks) supporting cyclic compositions and liveness properties [Fisler/Krishnamurthi FSE 2001, FSE 2004]
- Cycles within individual features cannot set data propositions used in properties
Slide 21: Perspective
- A non-trivial class of systems needs openness due to design considerations
  – sequential composition
  – looser forms of modular verification
- Traditional modular verification seems mismatched with these demands
- Our property-driven constraint generation targets these systems