Number of slides: 25

Symbolic Model Checking of Software
Nishant Sinha, with Edmund Clarke, Flavio Lerda, Michael Theobald
Carnegie Mellon University

Symbolic Model Checking of Software
• Goal:
  – Use a BDD-based symbolic model checker for the verification of concurrent software
• Motivation:
  – Very successful for large state spaces in hardware
• Challenges:
  – Generating the models (language -> SMV)
  – Adding partial-order reduction
  – Optimized BDD operations (e.g., generation and storage)
• This talk:
  – Focus on partial-order reduction

Outline
• Background
  – Modeling language
  – Partial-order reduction
  – Twophase algorithm
• New approach: ImProviso
  – Basic formulation
  – Extensions
  – Experimental results
• Related work
• Future work
• Conclusions

Background: Software Verification
• Concurrent software
  – Asynchronous execution, unlike hardware
  – Huge state space, e.g. large variable ranges
• Partial-order reduction (POR)
  – Attacks the state-space explosion problem
  – Very effective in explicit-state model checking
  – Symbolic model checking has yet to benefit

Background: Modeling Language
• Process-oriented modeling language
  – Each process maintains local variables
  – Each process has a program counter
• System
  – Concurrent processes
  – Global variables
  – Point-to-point channels
• Each process is specified as statements
  – Statements are formalized as transition functions
  – Multiple statements per pc value allowed, i.e. non-determinism
• Example: Promela

Background: Partial-Order Reduction
• Choose a representative set of paths
(Figure: the two independent assignments x=1 and y=2 from s0 form a diamond of states s0, s1, s0', s1'; both interleavings end in s1', so one representative path suffices.)

Background: Partial-Order Reduction
• Two kinds of state expansion
  – Full expansion: generate next states for all enabled transitions
  – Partial expansion: expand only a subset of the enabled transitions, postponing all others
• Challenges:
  – How to choose such a subset? (-> deterministic states)
  – How to avoid transitions being postponed indefinitely? (-> proviso)

Background: Deterministic States
• Which subset of enabled transitions to choose?
• Deterministic state for a process P:
  – Only one transition t of P is enabled at that state
  – t can be taken without affecting the property to be verified
• A state s is deterministic for a process P iff:
  – only one transition t of P is enabled in s
  – t commutes with transitions that can be executed by other processes
  – executing t does not disable transitions of other processes
  – executing a transition of another process cannot disable or enable any transition of P
• Partial expansions of deterministic states
  – Do not need to consider all interleavings

Background: Partial-Order Reduction
• Avoiding transitions being postponed indefinitely: proviso
(Figure: state graph S1..S4 with transitions t0..t5, in which a transition could be postponed around a cycle forever.)
• SPIN: in-stack proviso
  – A partial expansion must not generate a state that is on the DFS stack
  – Otherwise, a full expansion must be done

Combining POR with Symbolic Model Checking
• POR was developed for explicit-state model checking
  – DFS
  – Stack: used for the proviso check
• Whereas symbolic verification
  – Involves a BFS-like algorithm
  – No stack exists
  – Only the frontier is at hand

Twophase Partial-Order Algorithm
• Nalumasu, Gopalakrishnan [1997]
  – Modified proviso check
  – Alternating phases
• Phase 1: for each process in sequence, keep expanding while the process is in a deterministic state
• Phase 2: full expansion of the current state
• Proviso check:
  – Suits the symbolic case
(Figure (a), (b): two Twophase runs over states S1..S8, with each edge labelled by the process, P1 or P2, that takes the step.)

New Approach: ImProviso
• Implicit proviso check
  – Employs BDDs
• Motivation
  – Based on Twophase (explicit-state)
  – Observation: Twophase can be formulated in an implicit way
  – Crucial point: a more efficient proviso than previous techniques
• New contributions:
  – Defining the transition relation
  – Implicit formulation
  – Dropping the determinism
  – Additional fixpoint computation
• Automated and incorporated into NuSMV

ImProviso: Defining the Transition Relation
• Two transition relations:
  – TR1: all transitions from deterministic states (Phase 1)
  – TR2: the entire system (Phase 2)
• TR1 is further partitioned:
  – one transition relation for each process Pi
• Example:
  – Statement reads from a channel into a local variable
  – States in which the channel is not empty are deterministic
  – TR1 := channel is not empty => TR-stmt

ImProviso: Dropping the Determinism
• Twophase:
  – Only one transition may be enabled in Phase 1
  – Simplifies the Twophase implementation
  – Not necessary for correctness
• ImProviso allows non-determinism in Phase 1
  – Multiple enabled transitions in each process
  – Each enabled transition must fulfill the other conditions of a deterministic state
• BFS search, i.e. all enabled transitions are expanded at the same time

ImProviso: Illustration
  bool c=-1;
  chan a = [1] of {int};
  active proctype rec()  { int x=0; bool d; d=0; a?x; }
  active proctype send() { a!1; }
  active proctype p1()   { c=0; ... }
  active proctype p2()   { c=1; ... }
(Figure: state graph of the example; each edge is labelled with the statement taken (rec: d=0, rec: a?x, send: a!1, p1: c=0, p2: c=1) and with the phase, 1 or 2, in which it is expanded.)

ImProviso: Illustration
  bool c=-1;
  chan a = [1] of {int};
  active proctype rec()  { int x=0; bool d; d=0; a?x; }
  active proctype send() { a!1; }
  active proctype p1()   { c=0; ... }
  active proctype p2()   { c=1; ... }
(Figure: the same state graph, with the Phase 1 fixed point marked.)

ImProviso: Implicit Formulation
• Implicit formulation of the algorithm
  – conceptually simple but... not so easy to get right
• Reason: paths may have different lengths
  – BFS instead of DFS
• ImProviso: a 'tighter' over-approximation than previous symbolic methods
  – Problem: visited vs. in-stack
  – Cycles within Phase 1 only -> local check
  – Cycles larger than Phase 1 -> no issue (they pass through a Phase 2 full expansion)
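The following is an added illustration, not the authors' NuSMV code, of how the Twophase scheme above (Phase 1 per process, Phase 2 full expansion), the dropped determinism and the implicit cycle check can be written over sets of states. Python sets of tuples stand in for BDDs, so every operation is an image or fixpoint over a set, never a DFS stack. The two-process system, its statement lists and the bound LIMIT are constructed for this example; "local" statements (touching only the process's own pc and counter) play the role of the deterministic-state conditions on the earlier slide. The proviso treatment is this example's reading of "additional fixpoint computation": a greatest fixpoint picks out the states in a Phase 1 closure that can keep taking local steps forever, and those are handed to Phase 2 rather than left to postpone the other process indefinitely.

```python
"""Two-phase partial-order reduction computed over sets of states (symbolic style).

Added example, not the authors' code: sets of tuples stand in for BDDs, and the
cycle proviso is handled by a greatest fixpoint over the Phase 1 closure.  The toy
processes and the bound LIMIT are constructed for this illustration.
"""

LIMIT = 2                 # bound on the local counter (assumption, kept small)
INIT = (0, 0, 0, 0, 0)    # state = (c, pc0, n0, pc1, n1); c is the only global variable


def setl(s, pid, pc, n):
    """Return s with process pid's local state (pc, n) replaced."""
    t = list(s)
    t[1 + 2 * pid], t[2 + 2 * pid] = pc, n
    return tuple(t)


def statements(pid, restart=False):
    """Program of process pid as (guard, action, is_local) triples.

    A local statement reads and writes only this process's (pc, n): it commutes
    with every other process and cannot enable or disable anything elsewhere,
    which is exactly what the deterministic-state conditions ask for.
    """
    def L(s):
        return s[1 + 2 * pid], s[2 + 2 * pid]
    st = [
        # pc 0: count up to LIMIT locally, then move to pc 1
        (lambda s: L(s)[0] == 0 and L(s)[1] < LIMIT, lambda s: setl(s, pid, 0, L(s)[1] + 1), True),
        (lambda s: L(s) == (0, LIMIT), lambda s: setl(s, pid, 1, LIMIT), True),
        # pc 1: the single global statement, c = pid + 1
        (lambda s: L(s)[0] == 1, lambda s: (pid + 1,) + setl(s, pid, 2, L(s)[1])[1:], False),
        # pc 2: count down; "n = 0" is a second enabled local statement (non-determinism)
        (lambda s: L(s)[0] == 2 and L(s)[1] > 0, lambda s: setl(s, pid, 2, L(s)[1] - 1), True),
        (lambda s: L(s)[0] == 2 and L(s)[1] > 0, lambda s: setl(s, pid, 2, 0), True),
        (lambda s: L(s) == (2, 0), lambda s: setl(s, pid, 3, 0), True),
    ]
    if restart:  # optional local cycle at pc 0 (n -> 0), to exercise the proviso
        st.append((lambda s: L(s)[0] == 0 and L(s)[1] > 0, lambda s: setl(s, pid, 0, 0), True))
    return st


def enabled(st, s):
    return [(act, local) for guard, act, local in st if guard(s)]


def is_det(st, s):
    """s is deterministic for this process: some statement enabled, and all of them local."""
    en = enabled(st, s)
    return bool(en) and all(local for _, local in en)


def det_closure(st, frontier):
    """Phase 1 for one process: least fixpoint under its local (TR1) transitions."""
    X = set(frontier)
    while True:
        new = {act(s) for s in X if is_det(st, s) for act, _ in enabled(st, s)} - X
        if not new:
            return X
        X |= new


def looping(st, X):
    """Proviso: greatest fixpoint of the states in X with an infinite Phase 1 path inside X.

    These states lie on, or lead into, a Phase 1 only cycle, so they go to Phase 2
    instead of letting the other processes be postponed forever.
    """
    Y = {s for s in X if is_det(st, s)}
    while True:
        Y2 = {s for s in Y if any(act(s) in Y for act, _ in enabled(st, s))}
        if Y2 == Y:
            return Y
        Y = Y2


def img_full(procs, S):
    """Phase 2 (TR2): successors under every enabled statement of every process."""
    return {act(s) for s in S for st in procs for act, _ in enabled(st, s)}


def reach_twophase(procs, init):
    reached, frontier = set(), {init}
    while True:
        frontier -= reached
        if not frontier:
            return reached
        for st in procs:                               # Phase 1, one process at a time
            X = det_closure(st, frontier)
            reached |= X
            frontier = {s for s in X if not is_det(st, s)} | looping(st, X)
        frontier = img_full(procs, frontier)           # Phase 2, full expansion


def reach_full(procs, init):
    """Plain BFS over all interleavings, for comparison."""
    reached, frontier = set(), {init}
    while frontier:
        reached |= frontier
        frontier = img_full(procs, frontier) - reached
    return reached


def globals_seen(states):
    """The property of interest here: which values the global c can take."""
    return {s[0] for s in states}


if __name__ == "__main__":
    for r in (False, True):
        procs = [statements(0, restart=r), statements(1)]
        full, red = reach_full(procs, INIT), reach_twophase(procs, INIT)
        print(f"restart={r}: full {len(full)} states, two-phase {len(red)} states, "
              f"global values {sorted(globals_seen(red))} == {sorted(globals_seen(full))}")
```

Without the local cycle the reduced search visits 23 of the 80 reachable states and still sees every value of c; with the cycle enabled in process 0, the looping states are fully expanded, so the reduction shrinks but the result stays sound. Comparing `globals_seen` on both searches is the check to run whenever the local/global classification of a statement is changed: a misclassified global write is exactly the kind of error that makes a POR silently miss states.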

Related Work
• Two other approaches combine POR and symbolic model checking:
  – Kurshan et al.: preprocess the model
  – Alur et al.: BDD-based stack
(Figure: Alur et al. keep a BDD-based stack of earlier images (P1, P2, P1, ...); ImProviso works from the current image only.)

Implementation
• Pipeline: Promela specifications -> Promela2SMV translator -> add Phase 1 and Phase 2 information -> NuSMV + ImProviso
• Automated model checking framework
  – ImProviso implemented in NuSMV
• Current examples translated from Promela
• Considerable effort to compare with explicit-state model checkers
  – e.g., the atomic construct in SPIN

Comparison: NuSMV vs. NuSMV-ImProviso
• #states: significant reduction
• Time: significant reduction
• Memory: no reduction

Comparison: NuSMV-ImProviso, PV, and SPIN
• SPIN and PV are faster, if they can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches PV and SPIN on Best and Worst

Comparison: Leader Election Protocol
• Models of the same size in SMV and Promela
• Same reduction
• SPIN, PV faster until...

Leader with Non-deterministic Initial State

Future Work
• Reduce memory and run time
  – BDD blowup problem
  – BDD algorithms optimized for concurrent software
• Verification of both safety and liveness properties
  – Only safety now
• Flexible input languages
  – Only Promela now

Conclusions
• Novel partial-order reduction algorithm for symbolic model checking
  – Incorporated into NuSMV
• Illustrated its effectiveness with several benchmark examples
• Current focus is on tackling the large run-time and memory problems
• Symbolic Model Checking of Software, Software Model Checking Workshop, CAV'03