Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Embedded Systems

Published byRuby Lindsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking Embedded Systems"— Presentation transcript:

1 Model Checking Embedded Systems
IAS Seminar Model Checking Embedded Systems Lucas Cordeiro

2 Career Summary BSc in Electrical Engineering, MSc/PhD in Computer Science algorithms, software engineering, formal verification, and embedded systems 39 reviewed publications, including 6 journal papers and 33 workshop/conference contributions distinguished paper awards at SAC'08 and ICSE'11, and two bronze medals at TACAS’12 and TACAS’13 developer of XMPM, STB225, and ESBMC tools research collaborations with Southampton and Stellenbosh research funding from Samsung, Nokia, and Royal Society research team leader (one PhD, four MSc, and two BSc students) acting as course leader of Electrical Engineering

3 Embedded systems are ubiquitous but their verification becomes more difficult.
embedded system is part of a well-specified larger system (intelligent product) automobiles airplanes communication systems consumer electronics medical systems

4 Embedded systems are ubiquitous but their verification becomes more difficult.
embedded system is part of a well-specified larger system (intelligent product) automobiles airplanes communication systems consumer electronics medical systems provide a number of distinctive characteristics usually implemented in DSP, FPGA and C (mass production) functionality determined by software in read-only memory multi-core processors with scalable shared memory limited amount of energy

5 Verification Challenges
verification methodologies for embedded systems verification of embedded systems raises additional challenges handle concurrent software meet time and energy constraints legacy designs (usually written in low-level languages) improve coverage and reduce verification time Specification assert Embedded Software data Generate test vectors with constraints Microprocessor model (x>0) [1..7]

6 Bounded Model Checking (BMC)
Basic Idea: check negation of given property up to given depth transition system M unrolled k times for programs: loops, arrays, … translated into verification condition  such that  satisfiable iff  has counterexample of max. depth k has been applied successfully to verify (embedded) software property ¬0 ¬1 ¬2 ¬k-1 ¬k . . . transition system M0 M1 M2 Mk-1 Mk bound counterexample trace

7 BMC of Multi-threaded Software
concurrency bugs are tricky to reproduce because they usually occur under specific thread interleavings most common errors: 67% related to atomicity and order violations, 30% related to deadlock [Lu et al.’08] b1 a1 a2 b2 a1 context switch Thread T1 a1 a2 Thread T2 b1 b2 number of executions: O(ns) a2 b1 concurrency bugs are shallow [Qadeer&Rehof’05] a2 b2 b1 hypothesis: SAT/SMT solvers produce unsatisfiable cores that allow removing possible undesired models of the system b2 b2 a2

8 Standard Libraries of C++
BMC of SystemC/C++ SystemC consists of a set of C++ classes that simulates concurrent processes using plain C++ object-oriented design and template classes the standard C++ library complicates the VCs unnecessarily hypothesis: abstract representation of the standard C++ libraries to conservatively approximate their semantics template <class _Tp, class _Alloc>void vector<_Tp, _Alloc>::_M_fill_insert(iterator __position, size_type __n, const _Tp& __x){ if (__n != 0) { if (size_type(_M_end_of_storage - _M_finish) >= __n) { _Tp __x_copy = __x; const size_type __elems_after = _M_finish - __position; iterator __old_finish = _M_finish; if (__elems_after > __n) { uninitialized_copy(_M_finish - __n, _M_finish, _M_finish); _M_finish += __n; copy_backward(__position, __old_finish - __n, __old_finish); fill(__position, __position + __n, __x_copy); Standard Libraries of C++ g++ compiler executable file C++ Programs Operational Model ESBMC++ verification result

9 BMC of Discrete-Time Systems
discrete-time systems consist of a mathematical operator that maps one signal into another signal fixed-point implementation leads to errors due to the finite word-length hypothesis: discrete-time systems realization has a rigid structure simplify the models according to the property to be verified MAX = 2k-1 – 2-l MIN = -2k-1 T [.] X(n) Y(n) = T[x(n)] limit cycle overflow wrap around time constraint 𝑙 𝑡𝑖𝑚𝑖𝑛𝑔 ⟺ (𝑁×𝑇)≤𝐷 𝑦 𝑛 =− 𝑘=1 𝑁 𝑎 𝑘 y n−k + 𝑘=0 𝑀 𝑏 𝑘 x n−k

10 Software BMC using ESBMC
program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unfolded up to given bounds loop iterations context switches unfolded program optimized to reduce blow-up constant propagation forward substitutions int main() { int a[2], i, x; if (x==0) a[i]=0; else a[i+2]=1; assert(a[i+1]==1); } crucial

11 Software BMC using ESBMC
program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unfolded up to given bounds loop iterations context switches unfolded program optimized to reduce blow-up constant propagation forward substitutions front-end converts unrolled and optimized program into SSA int main() { int a[2], i, x; if (x==0) a[i]=0; else a[i+2]=1; assert(a[i+1]==1); } g1 = x1 == 0 a1 = a0 WITH [i0:=0] a2 = a0 a3 = a2 WITH [2+i0:=1] a4 = g1 ? a1 : a3 t1 = a4 [1+i0] == 1 crucial

12 Software BMC using ESBMC
program modelled as state transition system state: program counter and program variables derived from control-flow graph checked safety properties give extra nodes program unfolded up to given bounds loop iterations context switches unfolded program optimized to reduce blow-up constant propagation forward substitutions front-end converts unrolled and optimized program into SSA extraction of constraints C and properties P specific to selected SMT solver, uses theories satisfiability check of C ∧ ¬P int main() { int a[2], i, x; if (x==0) a[i]=0; else a[i+2]=1; assert(a[i+1]==1); } crucial

13 Context-Bounded Model Checking in ESBMC
Idea: iteratively generate all possible interleavings and call the BMC procedure on each interleaving ... combines symbolic model checking: on each individual interleaving explicit state model checking: explore all interleavings bound the number of context switches allowed among threads

14 Lazy Exploration of the Reachability Tree
0 : tmain,0, val1=0, val2=0, m1=0, m2=0,… active thread, context bound initial state global and local variables 1: ttwoStage,1, val1=0, val2=0, m1=1, m2=0,… syntax-directed expansion rules CS1 CS2 execution paths

15 Lazy Exploration of the Reachability Tree
0 : tmain,0, val1=0, val2=0, m1=0, m2=0,… active thread, context bound initial state global and local variables 1: ttwoStage,1, val1=0, val2=0, m1=1, m2=0,… syntax-directed expansion rules CS1 2: ttwoStage,2, val1=1, val2=0, m1=1, m2=0,… interleaving completed, so call single-threaded BMC CS2 execution paths

16 Lazy Exploration of the Reachability Tree
0 : tmain,0, val1=0, val2=0, m1=0, m2=0,… active thread, context bound initial state global and local variables 1: ttwoStage,1, val1=0, val2=0, m1=1, m2=0,… backtrack to last unexpanded node and continue CS1 2: ttwoStage,2, val1=1, val2=0, m1=1, m2=0,… 3: treader,2, val1=0, val2=0, m1=1, m2=0,… CS2 execution paths blocked execution paths (eliminated)

17 Lazy Exploration of the Reachability Tree
0 : tmain,0, val1=0, val2=0, m1=0, m2=0,… active thread, context bound initial state global and local variables 1: ttwoStage,1, val1=0, val2=0, m1=1, m2=0,… backtrack to last unexpanded node and continue CS1 2: ttwoStage,2, val1=1, val2=0, m1=1, m2=0,… 3: treader,2, val1=0, val2=0, m1=1, m2=0,… symbolic execution can statically determine that path is blocked (encoded in instrumented mutex-op) CS2 execution paths blocked execution paths (eliminated)

18 Lazy Exploration of the Reachability Tree
0 : tmain,0, val1=0, val2=0, m1=0, m2=0,… active thread, context bound initial state global and local variables 1: ttwoStage,1, val1=0, val2=0, m1=1, m2=0,… 4: treader,1, val1=0, val2=0, m1=1, m2=0,… CS1 2: ttwoStage,2, val1=1, val2=0, m1=1, m2=0,… 3: treader,2, val1=0, val2=0, m1=1, m2=0,… 5: ttwoStage,2, val1=0, val2=0, m1=1, m2=0,… 6: treader,2, val1=0, val2=0, m1=1, m2=0,… CS2 execution paths blocked execution paths (eliminated)

19 Achievements proposed first SMT-based context-BMC for full C
verifies single- and multi-threaded software (ASE’09, distinguished paper award at ICSE’11, TSE’12) discrete-time systems (SBrT’13) and C++ (ECBS’13) combines plain BMC with k-induction (TACAS’13, SBESC’13) found undiscovered bugs related to arithmetic overflow, buffer overflow, and invalid pointer in standard benchmarks confirmed by the benchmark’s creators (NOKIA, NEC, NXP) most prominent BMC tool (two bronze medals in the overall ranking at TACAS’12 and TACAS’13) users of our ESBMC model checker Airbus, Fraunhofer-Institut (Germany), LIAFA laboratory (France), University of Tokyo (Japan), Nokia Institute of Technology (Brazil)

20 Joint Work with IAS manual localization and correction takes significant time debugging consists of failure detection, fault localization, and fault correction apply automated fault localization to embedded software c = a + b; d = a ∗ b; if (a % 2 == 0) { int e; a = e; }

21 Fault Localization: Running Example

22 Future Work verify SystemC within the context of C++
operational model to allow functional verification analyze the proof of unsatisfiability to remove behaviour that is not relevant to check a given property design and verify discrete-time systems fault localization extend the range of properties prove the correctness and timeliness of systems via mathematical induction heap-manipulating programs Integrate methods to localize faults in industrial automation systems

Download ppt "Model Checking Embedded Systems"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
Constraint Systems used in Worst-Case Execution Time Analysis Andreas Ermedahl Dept. of Information Technology Uppsala University.

Constraint Systems used in Worst-Case Execution Time Analysis Andreas Ermedahl Dept. of Information Technology Uppsala University.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
CS 355 – Programming Languages

CS 355 – Programming Languages
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Similar presentations

Ads by Google