Presentation is loading. Please wait.

Presentation is loading. Please wait.

in collaboration with University of Kent Clara Benac Earle SICS Mads Dam Lars-Åke Fredlund Dilian Gurov Gena Chugunov CWI Izak van Langevelde Wan Fokkink.

Published byGeorge Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "in collaboration with University of Kent Clara Benac Earle SICS Mads Dam Lars-Åke Fredlund Dilian Gurov Gena Chugunov CWI Izak van Langevelde Wan Fokkink."— Presentation transcript:

1

2 in collaboration with University of Kent Clara Benac Earle SICS Mads Dam Lars-Åke Fredlund Dilian Gurov Gena Chugunov CWI Izak van Langevelde Wan Fokkink Jaco van de Pol Stefan Blom Inria Rhône-alpes Hubert Garavel Radu Mateescu RWTH Aachen Thomas Noll Martin Leucker Jürgen Giesl LFCIA Juanjo Sánchez Penas in collaboration with University of Kent SICS CWI Inria Rhône-alpes RWTH Aachen LFCIA Formal verification of software Thomas Arts Ericsson Stockholm, Sweden

3 Why formal verification ? cut down on testing/maintenance cost Common Criteria (ISO 15408) prescribes it allow more complex products to be built For what purpose ? find bugs in design/software prove correctness

4 Where to apply ? Verify design Verify software Verify software implements design Verify design equivalence Verify program equivalence case-studies WAP Database lookup Resource locking leader election TCAP

5 Formal Verification of Design Make a formal design (specification language) Formalize properties Find a technique to verify that the formal property holds for the formal design

6 Formal Verification of Design (example) Design of resource locker locker B A C D client

7 locker client ok request A, B release idle critical idle request resources ok release idle request resources release available ? ok idle pending available? add pending idle ok rm pending Formal Verification of Design (example)

8 Client specification idle critical idle request resources ok release client_idle = send(request_recources). receive(ok). client_critical client_critical = send(release). client_idle init locker_idle || client_idle

9 idle request resources release available ? ok idle pending available? add pending idle ok rm pending locker_idle = receive(request_resources). (available. send(ok). locker_idle + not_available. add_pending. locker_idle ) + receive(release). locker_intermediate locker_intermediate = pending_available. send(ok). rm_pending. locker_intermediate + not_pending_available. locker_idle Locker specification

10 State space generation Clearly there are deadlock states in the state space They correspond to the situation where: - resource not available - resource available but no client waiting for it Both situations cannot occur in reality

11 2 clients and a locker Non-determinism gives possibility that both clients are waiting for the resource Note that both clients can get access to the same resource

12 Formal Verification of Design have to make formal design not enough detail for interesting properties no feeling for implementation (memory consumption, speed) implementation may divert from design

13 Formal Verification of Design More and more details are added to the design in order to check interesting properties. CLAIM: For Interesting properties one need to add details until the specification is executable, i.e. is a program.

14 Formal verification of a Program IDEA: Use code as formal design document + Libraries can be used as-is + Programming languages support debug facilities, testing possibilities, etc. + Designers do not need to learn a new language

15 Formal verification of a Program (example) idle critical idle request resources ok release -module(client). start(Locker) -> spawn(fun() -> loop(Locker) end). loop(Locker) -> Tag = ref(), Locker!{request,[a],self(),Tag}, receive {ok,Tag} -> critical(), Locker!{release,self()}, loop() end.

16 Formal verification of a Program (example) -module(locker). loop(Locks) -> receive {request,Rs,Client,Tag} -> case available(Locks,Rs) of true -> Client ! {ok,Tag}, loop(update(Locks)); false -> loop(add(Locks,Rs, {Client,Tag})) end; {release,Client} ->... idle request resources release available ? ok idle pending available? add pending idle ok rm pending

17 Formal verification of a Program IDEA: Use code as formal design document + Libraries can be used as-is + Programming languages support debug facilities, testing possibilities, etc. + Designers do not need to learn a new language design patterns - Too much detail no feeling for design - Risk of infinite state space theorem prover or abstraction

18 Formal verification of a Program (example) use the generic server design pattern to implement the locker init(Resources) -> {ok, built_locks(Resources)}. handle_call({request,Rs},Client,Locks) -> case available(Rs,Locks) of true -> {reply,ok,update(Locks)}; false -> {noreply,add(Locks,Rs,Client)} end;....

19 Formal verification of a Program Techniques: Theorem Proving expressive logic allows (co-)induction large manual effort Model Checking limited logic (e.g. CTL) little manual effort Ad Hoc solutions

20 State Space Generation Erlang modules our Tool We developed a tool to generate all possible traces for simple client- server applications

21 State Space Generation In Erlang we use a supervisor design pattern to handle fault-tolerance. If a process dies, it’s supervisor restarts it. supervisor locker gen_server client

22 State Space Generation We use supervisor design pattern to obtain initialization information for transition diagram supervisor locker gen_server client start the locker with 2 clients supervisor:start(locker_sup,init,[[[a,b],[b,c]]]). start verification with 2 clients etomcrl:start(locker_sup,init,[[[a,b],[b,c]]]). We build one state space per configuration

23 our Tool locker.erl client.erl locker_sup.erl client_sup.erl our Tool our Tool our Tool our Tool EtoE rest tool locker.erl client.erl init.erl instantiation State Space Generation

24 locker.erl client.erl locker_sup.erl client_sup.erl locker.erl client.erl init.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl

25 State Space Generation locker.erl client.erl locker_sup.erl client_sup.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl rest tool CWI tool instantiator locker.mCRL toMCRL locker.erl client.erl init.erl

26 State Space Generation locker.erl client.erl locker_sup.erl client_sup.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl CWI tool instantiator locker.mCRL toMCRL locker.erl client.erl init.erl CADP locker.aut

27 2 clients and a locker

28 Model Checking Software macro UNTIL (Act1,Act2) = [true*.(Act1).(not(Act2))*.(Act1)]false end_macro UNTIL('action_use(.*a.*)','action_free(.*a.*)') and UNTIL('action_use(.*b.*)','action_free(.*b.*)') and UNTIL('action_use(.*c.*)','action_free(.*c.*)')

29 Model Checking Software Non Starvation: [-*. request(1,[A])] mu X.( true /\ [not reply(1,ok)]X) /\ [-*. request(2,[A])] mu X.( true /\ [not reply(2,ok)]X) /\... [-*. request(1,[B])] mu X.( true /\ [not reply(1,ok)]X) /\.... request(2,[B]) request(1,[A]) reply(1,ok) reply(2,ok)

30 Model Checking Software Non Starvation: [-*. request(1,[A])] mu X.( true /\ [not reply(1,ok)]X) /\ [-*. request(2,[A])] mu X.( true /\ [not reply(2,ok)]X) /\... tau request(1,[A]) reply(1,ok) Non-starvation per group of resources. Hide all actions of which resources are not in closure of resources you are intersted in Safety reduction (trace equivalence)

31 Model Checking Software Abstraction may be needed to keep state space finite: Generic abstraction mechanism by providing abstraction functions over messages and server state This allows to obtain a design from a program! not yet implemented in combination with CWI tool

32 Results Automatic state space generation from rich class of Erlang programs Several case studies evaluated: model checking for software is possible more work to do: more design patterns property patterns in Erlang style add generic abstraction mechanism without design patterns or comments largest case-study is about 300 lines of code

33 Future how many configurations do we need to check? fault tolerance: - restarting processes compositionality: - N lockers exchanging information - lockers on top of leader election

Download ppt "in collaboration with University of Kent Clara Benac Earle SICS Mads Dam Lars-Åke Fredlund Dilian Gurov Gena Chugunov CWI Izak van Langevelde Wan Fokkink."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
Test process essentials Riitta Viitamäki, 14.4.2004

Test process essentials Riitta Viitamäki,
Model Driven Generative Programming Reza Azimi February 6, 2003 ECE1770: Trends in Middleware Systems.

Model Driven Generative Programming Reza Azimi February 6, 2003 ECE1770: Trends in Middleware Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Component-Level Design

Component-Level Design
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.

Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Course Summary. © Katz, 2007 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2007 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

Similar presentations

Ads by Google