formal verification by model checking
play

Formal Verification by Model Checking Jonathan Aldrich Carnegie - PDF document

Oct 08, 2023 •101 likes •307 views

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

  1. Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking • AG (Start ⇒ AF Heat) • Theorem: Any CTL formula can be expressed in terms of ¬ , ∨ , EX , EU , and EG . – F p = true U p – A [x U y] = ¬ ( EG ¬ y ∨ E [ ¬ y U ¬ (x ∨ y)]) – AX p = ¬ EX ¬ p – AG p = ¬ EF ¬ p 2 1

  2. Subformula Labeling Case ¬ f • – Label each state not labeled with f f 1 ∨ f 2 • – Label each state which is labeled with either f 1 or f 2 EX f • – Label every state that has some successor labeled with f E [ f 1 U f 2 ] • – Label every state labeled with f 2 – Traverse backwards from labeled states; if the previous state is labeled with f 1 , label it with E [ f 1 U f 2 ] as well EG f 1 • – Find strongly connected components where f 1 holds – Traverse backwards from labeled states; if the previous state is labeled with f 1 , label it with EG f 1 as well 4 CTL Model Checking Example • Pressing Start will eventually result in heat ~ Start ~ Close ~ Heat AG (Start ⇒ AF Heat) ~ Error = ¬ E [ true U (Start ∧ EG ¬ Heat)] Start ~ Start ~ Start ~ Close Close Close ~ Heat Heat ~ Heat Error ~ Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error 5 2

  3. CTL Model Checking Example • The oven doesn’t heat up until the door is closed. ~ Start ~ Close ~ Heat ~ Error Start ~ Start ~ Start ~ Close Close Close ~ Heat Heat ~ Heat Error ~ Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error 6 Practice Writing Properties • If the door is locked, it will not open until someone unlocks it • If you press ctrl-C, you will get a command line prompt • The saw will not run unless the safety guard is engaged 10 3

  4. LTL Model Checking • Beyond the scope of this course • Canonical reference on Model Checking: – Edmund Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999. 12 Dataflow Analysis as Model Checking • Consider a lattice that is a tuple of sets: – Var � 2 Set – e.g. [ x � { <, = }, y � { > } ] where Set = { <, =, > } • Represent the CFG as a Kripke structure – Let N be the nodes in the CFG, with initial node N 0 – Let E be the edges in the CFG Consider the set of abstract stores L = 2 Var � � Set � � • – Choose one element of lattice set for each var e.g. [ x � <, y � > ] • • Strategy: instead of propagating around sets, see if each individual member of the lattice set can reach each node (may traverse each path multiple times) – This is exactly what Metal does! – Metal is essentially a model checker 13 4

  5. Propagating Elements Instead of Sets L U get_free_buffer if (…) L U L save_flags(flags) if (…) sh->bp = … U L U L cli() sti() bh->bs = … L U L return NULL restore_flags(flags) U return bh 14 Dataflow Analysis as Model Checking Let F = { l 1 � e l 2 | • n 1 � e n 2 ∈ E ∧ l 2 ∈ � DF ({ l 1 }, n 1 ) } [all others] – Represents flow functions L – There’s an edge from one lattice value to another, annotated with edge e from the sti(), program, iff when we apply the cli() restore_flags(flags) flow function for the source node of the program edge to the singleton set containing the U first lattice value, the second lattice value is one of the results [all others] – We will assume edges are annotated with the source node 15 5

  6. Dataflow Analysis as Model Checking • Consider synchronous product – Cross product of nodes • N p = N*L – Edges exist only when there is an edge in both source graphs with the same label • E p = { (n 1 ,l 1 ) � e (n 2 ,l 2 ) | n 1 � e n 2 ∈ E ∧ l 1 � e l 2 ∈ F } • Purpose: matches up edge from n 1 to n 2 (marked n 1 ) with edge representing flow function for n 1 (also marked n 1 ) • Data flow is reachability in product graph – Flow(n) = { l | EF (n,l) } 16 Dataflow Analysis as Model Checking ✔ cli() if (…) ✔ cli() if (…) ✔ sh->bp = … ✔ save_flags(flags) if (…) sh->bp = … ✔ ✔ ✔ save_flags(flags) if (…) sti() bh->bs = … ✔ ✔ sti() bh->bs = … get_free_buffer return NULL ✔ restore_flags(flags) ✔ get_free_buffer return NULL ✔ restore_flags(flags) return bh Which nodes are reachable? Locked For which (n,l) do we have EF (n,l)? ✔ Unlocked Labeling algorithm works backwards 17 return bh For this special case forwards is more efficient 6

  7. Abstraction • Data flow values – We abstracted program values to two states: locked and unlocked • Program – We represented the program directly as a CFG, without abstracting it – But really, we only care about 4 node types: • sti() • cli() • restore_flags(…) • anything else – Can we abstract the program to just these types of nodes? 18 Model Checking Abstract Graph cli() if (…) sh->bp = … save_flags(flags) if (…) sti() bh->bs = … get_free_buffer return NULL restore_flags(flags) return bh 19 7

  8. Model Checking Abstract Graph cli() ANY cli() ANY ANY ANY ANY ANY sti() ANY ANY ANY sti() ANY ANY ANY restore_flags(flags) ANY restore_flags(flags) ANY Which nodes are reachable? Locked For which (n,l) do we have EF (n,l)? Unlocked 20 ANY Duality of Dataflow Analysis and Model Checking • We’ve seen how dataflow analysis can be phrased as a model checking problem – Applies to all analyses that are tuples of sets • A more complex (and inefficient) construction still works if your lattice cannot be phrased as a tuple of sets – Benefit: can take advantage of model checking techniques • Symbolic representations (beyond scope of course) • Counterexample-guided abstraction refinement (CEGAR—next lecture) – Cost: explores each path for each set element • Unless you’re using a symbolic representation or need CEGAR, dataflow analysis will be more efficient • The converse is possible in some cases – Probably impossible for general LTL formulas • I have not actually seen impossibility results, but the model checking algorithm involves nested depth-first search which does not match dataflow analysis well 21 8

  9. SPIN: The Promela Language • PROcess MEta LAnguage • Asynchronous composition of independent processes • Communication using channels and global variables • Non-deterministic choices and interleavings 22 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: NC noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; T trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 23 9

  10. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 24 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 25 10

  11. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 26 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 27 11

  12. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: NC noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; T trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 28 Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } 29 12

Recommend

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 , Raluca Lefticaru 1 , Ignacio Prez-Hurtado 2 , Mario J. Prez-Jimnez 2 , Cristina Tudose 1 1 University of Pitesti 2 University of Sevilla

578 views • 23 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal verification? Does so&amp;ware correctly implement a specifica3on? Does so&amp;ware have desired proper3es (safety, liveness, other)? Is a par3cular

1.25k views • 47 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of Denmark (DTU) Overview Background Many problems within formal verification can be reduced to solving parity games Model checking (Stirling,

794 views • 64 slides
Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Introduction Modeling Specification Algorithms Conclusions Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods: Motivation examples of what can go

986 views • 74 slides
Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Alpine Verification Meeting 2013, FBK, Trento, Italy. Optimization Techniques For Craig Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal Methods Group, Politecnico di Torino, Torino, Italy. Before

880 views • 40 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Probabilistic Model Checking Formal verification and analysis of systems that exhibit probabilistic

821 views • 40 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

672 views • 66 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

638 views • 45 slides
Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development

Software Verification with BLAST Daniele Sgandurra Introduction Software Verification with BLAST Model Checking Blast Motivation Rigorous Sofware Development via Model Checking Lazy Abstraction Reachability Tree Seminar Complete

970 views • 95 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

Fachgebiet RechnerSysteme Technische Universitt Verification Technology Darmstadt 3. Satisfiability Checking Computer Systems Lab 1 3. Satisfiability Checking 3 3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification

278 views • 11 slides
Bayesian Statistical Model Checking with Application to Stateflow/Simulink Verification Paolo

Bayesian Statistical Model Checking with Application to Stateflow/Simulink Verification Paolo

Bayesian Statistical Model Checking with Application to Stateflow/Simulink Verification Paolo Zuliani Andr Platzer Edmund M. Clarke Computer Science Department Carnegie Mellon University Problem Verification of Stochastic Systems

752 views • 39 slides
Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo

Higher-Order Model Checking and Program Verification Naoki Kobayashi University of Tokyo Whats This Talk About? Introduction to higher-order model checking (model checking of higher- order recursion schemes) and its applications to

641 views • 40 slides
COMP4600 Advanced algorithms: Algorithms for verification (3 lectures) Andreas Bauer NICTA

COMP4600 Advanced algorithms: Algorithms for verification (3 lectures) Andreas Bauer NICTA

Introduction LTL model checking CTL model checking Binary decision diagrams Symbolic model checking COMP4600 Advanced algorithms: Algorithms for verification (3 lectures) Andreas Bauer NICTA Software Systems Research Group &amp; The

1.77k views • 160 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides

More recommend