
- Number of slides: 25

Symbolic Model Checking of Software
Nishant Sinha
with Edmund Clarke, Flavio Lerda, Michael Theobald
Carnegie Mellon University

Symbolic Model Checking of Software
• Goal:
  – Use a BDD-based symbolic model checker for the verification of concurrent software
• Motivation:
  – Very successful for large state spaces in hardware
• Challenges:
  – Generating the models (language -> SMV)
  – Adding partial-order reduction
  – Optimized BDD operations (e.g., generation and storage)
• This talk:
  – Focus on partial-order reduction

Outline
• Background
  – Modeling language
  – Partial-order reduction
  – Twophase algorithm
• New approach: ImProviso
  – Basic formulation
  – Extensions
  – Experimental results
• Related Work
• Future Work
• Conclusions

Background: Software Verification
• Concurrent software
  – Asynchronous execution, unlike hardware
  – Huge state space, e.g., large variable ranges
• Partial-order reduction (POR)
  – Attacks the state-space explosion problem
  – Very effective in explicit-state model checking
  – Symbolic model checking has yet to benefit from it

Background: Modeling Language
• Process-oriented modeling language
  – Each process maintains local variables
  – Each process has a program counter
• System
  – Concurrent processes
  – Global variables
  – Point-to-point channels
• Each process is specified as statements
  – Statements are formalized as transition functions
  – Multiple statements per pc value are allowed, i.e., non-determinism
• Example: Promela

Background: Partial-Order Reduction
• Choose a representative set of paths
[Diagram: from s0 the independent assignments x=1 and y=2 form a diamond through s1 and s0' to s1'; both interleavings reach s1', so one representative path suffices]

Background: Partial-Order Reduction
• Two kinds of state expansion
  – Full expansion: generate next states for all enabled transitions
  – Partial expansion: expand only a subset of the enabled transitions, postponing all others
• Challenges:
  – How to choose such a subset? (-> deterministic states)
  – How to avoid transitions being postponed indefinitely? (-> proviso)

Background: Deterministic States
• Which subset of enabled transitions to choose?
• Deterministic state for a process P:
  – Only one transition t of P is enabled at that state
  – t can be taken without affecting the property to be verified
• A state s is deterministic for a process P iff:
  – only one transition t of P is enabled in s
  – t commutes with the transitions that can be executed by other processes
  – executing t does not disable transitions of other processes
  – executing a transition of another process cannot disable or enable any transition of P
• Partial expansions of deterministic states
  – Do not need to consider all interleavings

Background: Partial-Order Reduction
• Avoiding transitions being postponed indefinitely: the proviso
[Diagram: states S1–S4 connected by transitions t0–t5, with a cycle along which a postponed transition would never be expanded]
• SPIN: in-stack proviso
  – A partial expansion must not generate a state that is currently on the DFS stack
  – Otherwise, a full expansion must be done

Combining POR with Symbolic Model Checking
• POR was developed for explicit-state model checking
  – DFS
  – Stack: used for the proviso check
• Symbolic verification, in contrast
  – Uses a BFS-like algorithm
  – No stack exists
  – Only the current frontier is at hand

Twophase Partial-Order Algorithm
• Nalumasu, Gopalakrishnan [1997]
  – Modified proviso check
  – Alternating phases
• Phase 1: for each process in sequence, expand its transition as long as the process is in a deterministic state
• Phase 2: full expansion of the current state
• Proviso check:
[Diagrams (a), (b): chains of P1 and P2 Phase-1 moves through states S1–S8, showing where the proviso check is applied]
• Suits the symbolic case

New Approach: ImProviso
• Implicit proviso check
  – Employs BDDs
• Motivation
  – Based on Twophase (explicit-state)
  – Observation: Twophase can be formulated in an implicit way
  – Crucial point: a more efficient proviso than previous techniques
• New contributions:
  – Defining the transition relation
  – Implicit formulation
  – Dropping the determinism
  – Additional fixpoint computation
• Automated and incorporated into NuSMV

ImProviso: Defining the Transition Relation
• Two transition relations:
  – TR1: all transitions from deterministic states (Phase 1)
  – TR2: the entire system (Phase 2)
• TR1 is further partitioned:
  – one transition relation for each process Pi
• Example:
  – Statement reads from a channel into a local variable
  – States in which the channel is not empty are deterministic
  – TR1 := (channel is not empty) => TR-stmt

ImProviso: Dropping the Determinism
• Twophase:
  – In Phase 1 a process may have only one enabled transition
  – Simplifies the Twophase implementation
  – Not necessary for correctness
• ImProviso allows non-determinism in Phase 1
  – Multiple enabled transitions per process
  – Each enabled transition must still fulfill the other conditions of a deterministic state
• BFS search, i.e., all enabled transitions are expanded at the same time
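The Twophase procedure of the previous slides, with the Phase 1 non-determinism that ImProviso allows, restated as an explicit-state Python program. This is an added example written for this page, not the NuSMV implementation or the authors' code. Everything in it is constructed for illustration: the model (n processes that each count a local variable up to k, nondeterministically keep or reset it, then add it to a shared global g), the deterministic-state test (a sufficient syntactic condition: every enabled statement of the process touches only its own local state, which implies the four conditions on the deterministic-states slide), and the proviso (Twophase's explicit-state rule that a Phase 1 step reaching an already visited state forces a full expansion of the current state, rather than ImProviso's implicit BDD check). Processes are visited in index order in Phase 1, as the Twophase slide describes. The point to observe is that the reduced exploration visits a strict subset of the full state space while reaching exactly the same values of the visible global variable g.

```python
from collections import deque
from typing import Callable, NamedTuple

# A state is (pcs, locs, g): one program counter and one local variable per
# process, plus a single shared global counter g. Assumed layout for this example.
State = tuple[tuple[int, ...], tuple[int, ...], int]


class Stmt(NamedTuple):
    local: bool                                    # reads/writes only loc and pc
    guard: Callable[[int, int], bool]              # (loc, g) -> enabled?
    effect: Callable[[int, int], tuple[int, int]]  # (loc, g) -> (loc', g')
    target: int                                    # pc after the statement


Program = dict[int, list[Stmt]]   # pc -> statements at that pc (>1 = non-determinism)


def enabled(progs: list[Program], s: State, pid: int) -> list[Stmt]:
    pcs, locs, g = s
    return [st for st in progs[pid].get(pcs[pid], []) if st.guard(locs[pid], g)]


def fire(s: State, pid: int, st: Stmt) -> State:
    pcs, locs, g = s
    loc2, g2 = st.effect(locs[pid], g)
    return (pcs[:pid] + (st.target,) + pcs[pid + 1:],
            locs[:pid] + (loc2,) + locs[pid + 1:], g2)


def phase1_ready(progs: list[Program], s: State, pid: int) -> list[Stmt]:
    """Deterministic-state test (sufficient condition, an assumption of this
    example): every enabled statement of pid is local, so it commutes with,
    cannot disable, and cannot be enabled or disabled by other processes' moves.
    Returns the statements Phase 1 may expand; empty means 'not deterministic'."""
    en = enabled(progs, s, pid)
    return en if en and all(st.local for st in en) else []


def explore_full(progs: list[Program], init: State) -> set[State]:
    """Plain BFS over all interleavings (no partial-order reduction)."""
    seen, q = {init}, deque([init])
    while q:
        s = q.popleft()
        for pid in range(len(progs)):
            for st in enabled(progs, s, pid):
                t = fire(s, pid, st)
                if t not in seen:
                    seen.add(t)
                    q.append(t)
    return seen


def explore_twophase(progs: list[Program], init: State) -> set[State]:
    """Twophase-style POR. Phase 1 advances each process in turn through its
    ready (local) statements only; Phase 2 fully expands the states where
    Phase 1 got stuck. Proviso: if a Phase 1 step would reach an already
    visited state, the current state is fully expanded instead, so every
    Phase 1 chain ends in a full expansion and no postponed transition is
    ignored forever."""
    seen, q = {init}, deque([init])
    while q:
        frontier = {q.popleft()}
        for pid in range(len(progs)):                    # Phase 1, process by process
            stuck = set()
            while frontier:
                s = frontier.pop()
                succ = [fire(s, pid, st) for st in phase1_ready(progs, s, pid)]
                if not succ or any(t in seen for t in succ):
                    stuck.add(s)                         # not deterministic, or proviso fired
                    continue
                seen.update(succ)                        # non-deterministic Phase 1: all successors
                frontier.update(succ)
            frontier = stuck
        for s in frontier:                               # Phase 2: full expansion
            for pid in range(len(progs)):
                for st in enabled(progs, s, pid):
                    t = fire(s, pid, st)
                    if t not in seen:
                        seen.add(t)
                        q.append(t)
    return seen


def reachable_g(states: set[State]) -> set[int]:
    """Projection onto the visible global variable, the only thing a safety
    property in this example is allowed to mention."""
    return {g for _, _, g in states}


def make_model(n: int, k: int) -> tuple[list[Program], State]:
    """Constructed model: each process counts loc up to k locally, then either
    keeps or resets loc (a local non-deterministic choice), then adds loc to g."""
    prog: Program = {
        0: [Stmt(True, lambda loc, g: loc < k, lambda loc, g: (loc + 1, g), 0),
            Stmt(True, lambda loc, g: loc == k, lambda loc, g: (loc, g), 1),
            Stmt(True, lambda loc, g: loc == k, lambda loc, g: (0, g), 1)],
        1: [Stmt(False, lambda loc, g: True, lambda loc, g: (loc, g + loc), 2)],
    }
    return [prog] * n, ((0,) * n, (0,) * n, 0)


if __name__ == "__main__":
    progs, init = make_model(3, 3)
    full, reduced = explore_full(progs, init), explore_twophase(progs, init)
    print(len(full), len(reduced), reachable_g(full) == reachable_g(reduced))
```

With three processes and k = 3 the full exploration visits 512 states and the reduced one 92; both report the reachable g values {0, 3, 6, 9}. The reduction comes entirely from the local counting loops: only the eight orderings of the three global updates are still interleaved.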

ImProviso: Illustration
• Promela model:

    bool c = -1;
    chan a = [1] of { int };

    active proctype rec() {
      int x = 0;
      bool d;
      d = 0;
      a ? x;
    }

    active proctype send() {
      a ! 1;
    }

    active proctype p1() {
      c = 0;
      ...
    }

    active proctype p2() {
      c = 1;
      ...
    }

[Diagram: state graph of this model with transitions rec: d=0, send: a!1, rec: a?x, p1: c=0 and p2: c=1; edge labels 1 and 2 mark the phase in which ImProviso takes each transition]

ImProviso: Illustration
• Same Promela model as on the previous slide
• Phase 1: fixed point
[Diagram: the state graph after Phase 1 has reached its fixed point, with the same transition labels; edge labels 1 and 2 mark the phase in which each transition is taken]

ImProviso: Implicit Formulation
• Implicit formulation of the algorithm
  – Conceptually simple but... not so easy to get right
• Reason: paths may have different lengths
  – BFS instead of DFS
• ImProviso: a 'tighter' over-approximation than previous symbolic methods
  – Problem: the exact proviso needs the in-stack states, but a symbolic search only has the visited states
  – Cycles consisting only of Phase-1 transitions -> a local check suffices
  – Cycles larger than Phase 1 pass through a full expansion -> no issue!

Related Work
• Two other approaches combine POR and symbolic model checking:
  – Kurshan et al.: preprocess the model
  – Alur et al.: BDD-based stack
[Diagram: Alur's approach keeps a BDD-based stack of P1/P2 images, whereas ImProviso works on the current image only]

Implementation
Promela specifications -> Promela-to-SMV translator -> add Phase 1 and Phase 2 information -> NuSMV + ImProviso
• Automated model checking framework
  – ImProviso implemented in NuSMV
• Current examples translated from Promela
• Considerable effort to compare with explicit-state model checkers
  – e.g., the atomic construct in SPIN

Comparison: NuSMV vs. NuSMV-ImProviso
• Number of states: significant reduction
• Time: significant reduction
• Memory: no reduction

Comparison: NuSMV-ImProviso, PV, and SPIN
• SPIN and PV are faster, when they can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches PV and SPIN on Best and Worst

Comparison: Leader Election Protocol
• Models of the same size in SMV and Promela
• Same reduction
• SPIN, PV faster until...

Leader with Non-deterministic Initial State

Future Work
• Reduce memory and run time
  – BDD blowup problem
  – BDD algorithms optimized for concurrent software
• Verification of both safety and liveness properties
  – Only safety now
• Flexible input languages
  – Only Promela now

Conclusions
• Novel partial-order reduction algorithm for symbolic model checking
  – Incorporated into NuSMV
• Illustrated its effectiveness with several benchmark examples
• Current focus is on tackling the large run-time and memory problems
• Symbolic Model Checking of Software, Software Model Checking Workshop, CAV'03