Formal Methods Group, ETH Zürich
June 2003
Armin Biere, Cyrille Artho, Malek Haroud, Viktor Schuppan
Computer Systems Institute, ETH Zürich, Switzerland
FMICS’03, Røros, Norway
Vision
Formal method tools are used like compilers, in the context of (formal)
1. verification.
2. synthesis.
3. analysis.
FMICS’03 – Røros – Norway – June 2003 Formal Methods Group – Computer Systems Institute – ETH Zürich
Overview
1. Model Checking, SAT, and QBF.
2. Translation of liveness into safety.
3. High-level data races.
4. Replaying of multi-threaded executions.
5. Equivalence checking of SDL vs C.
Model Checking
➤ BDD-based mu-calculus model checker mu-cke
  – Efficient implementation.
  – Input language with C++ syntax for specifying model and properties.
➤ Performance study of BDD-based model checking.
➤ Bounded Model Checking
  – Leverages the power of SAT solvers for model checking purposes.
  – Wide industrial acceptance.
SAT and QBF
➤ SAT (propositional satisfiability) solvers
  – Continuing increase in reasoning power.
  – Instances with millions of variables can often be handled.
  – Dedicated heuristics for bounded model checking are possible.
➤ Solvers for QBF (quantified boolean formulas), e.g., ∀x ∃y [(x ∨ y) ∧ (x ∨ y)]
  – Start to become practical ...
  – ... although more practical research is necessary (efficient implementations).
  – Potentially allow making bounded model checking complete.
➤ Applications of QBF and SAT in other domains (e.g., SW checking).
Translating Liveness into Safety: Finite State Systems
[Figure: a three-state system (states 1, 2, 3) with a liveness property is mapped to a system with a safety property over states 1’, 2’, 3’ and an additional ⊥ state]
If the number of states is finite:
1. A system with a liveness property can be transformed into a system with an equivalent safety property.
2. The transformed system can be model-checked efficiently.
Translating Liveness into Safety: Predicated Radius/Diameter
[Figure: paths through ¬p states leading to a p state, with predicated diameters d=3 and d=2]
Bounds stated at FMICS’02 require further restrictions:
➤ Search for counterexamples traverses paths where ¬p holds.
➤ Notion of predicated radius and diameter.
➤ Leads to a tight bound for bounded model checking of F p.
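As an added illustration (editor's example, not code from the slides or the group), the state-recording idea behind these two slides on a constructed toy system: F p is checked as plain reachability on a translated system that may copy one state, and the result is compared with a direct ¬p-cycle search on the original. The systems LOOPING and TERMINAL and the assumption that every state has a successor are constructed for this example.

```python
from collections import deque

# Constructed toy systems (assumptions for this example, not the slides' models).
# Every state has a successor; P is the set of states where the liveness target p holds.
LOOPING = {1: {2}, 2: {1, 3}, 3: {3}}   # the path 1,2,1,2,... never reaches p
TERMINAL = {1: {2}, 2: {3}, 3: {3}}     # every path reaches state 3, where p holds
P = {3}


def fp_violated_translated(trans, init, p):
    """Check F p on the translated system as a safety property.

    A translated state is (s, saved): the original state plus one optional copy
    of an earlier state, stored nondeterministically when a step leaves it.
    Only ¬p states are explored, so reaching a state equal to its own copy
    witnesses a cycle on which p never holds: a counterexample to F p found
    by ordinary reachability (BFS here).
    """
    start = [(s, None) for s in init if s not in p]
    seen, queue = set(start), deque(start)
    while queue:
        s, saved = queue.popleft()
        if saved is not None and s == saved:
            return True                       # bad state: ¬p loop closed
        for nxt in trans.get(s, ()):
            if nxt in p:
                continue                      # p reached: prefix is no counterexample
            options = [(nxt, saved)]
            if saved is None:
                options.append((nxt, s))      # guess that the loop starts at s
            for state in options:
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
    return False


def fp_violated_directly(trans, init, p):
    """Reference check on the original system: DFS for a cycle of ¬p states
    that is reachable through ¬p states (grey = on stack, black = done)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def dfs(s):
        colour[s] = GREY
        for nxt in trans.get(s, ()):
            if nxt in p:
                continue
            c = colour.get(nxt, WHITE)
            if c == GREY or (c == WHITE and dfs(nxt)):
                return True
        colour[s] = BLACK
        return False

    return any(colour.get(s, WHITE) == WHITE and dfs(s) for s in init if s not in p)
```

The translated search visits pairs of states, which is the price of turning the cycle condition into a reachability question; on LOOPING both functions report a violation, on TERMINAL neither does.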
JNuke: Our own Java Virtual Machine
Platform for static and dynamic analysis
[Figure: architecture with the components Bytecode, Loader, Instrumenter and VM]
➤ Java VM written in C.
➤ API for run-time analysis.
➤ Small state representation.
➤ Rollback (undo) operations.
➤ “Exhaustive” scheduling possible (Rivet).
➤ Instrumentation: reproducing counterexamples.
JNuke: High-level data race analysis
[Figure: Thread 1 and Thread 2 accessing the fields X, Y and Z under different groupings]
➤ Both accesses are protected by a common lock (Eraser).
➤ Different atomicity assumptions by the two threads.
➤ New source of potential errors, found by view consistency.
JNuke: Replay of Multi-Threaded Executions
[Figure: a .class file and a deterministic thread schedule (switches between T0, T1 and T2 before accesses to Class 1 and Class 2) go through the JNuke replay engine (static and dynamic checker) and jreplay, which produces a modified .class file executed on a VM or debugger]
➤ Enables replay of thread schedules independently of a specific VM. → Off-the-shelf debuggers.
➤ Schedule format not tailored to the JNuke VM. → Usable by other tools.
Equivalence Checking SDL vs C
SDL as modelling language in telecommunication applications (or, more generally, for embedded SW).
[Figure: an SDL model is synthesized into a C program; a manually generated, optimized C program is checked against it by equivalence checking]
Verification with equivalence checking: same motivation as in HW equivalence checking.
Establishing formal methods
Short-term: Scalability, light-weight process.
Long-term: Formal loop: formal methods on all levels.