Model Checking & Program Analysis
Markus Müller-Olm, Dortmund University

Overview
- Introduction
- Model Checking
- Flow Analysis
- Some Links between MC and FA
- Conclusion

Apology for not giving proper credit to other researchers' work in this tutorial!

MOVEP'02, Nantes, June 17-21, 2002
Purposes of Automatic Analysis
- Optimizing compilation
- Validation/Verification
  - Type checking
  - Functional correctness
  - Security properties
  - ...
- Debugging

Fundamental Limit
Rice's Theorem [Rice, 1953]: All interesting semantic questions about programs from a universal programming language are undecidable.
Example: Detection of Constants
Two programs that differ only in the last statement:

    read(new);        read(new);
    π;                π;
    write(new)        write(k)

write(new) can be replaced by write(k) for some constant k ⇔ π terminates. Hence: Constant Detection is undecidable.

Two Solutions
- Weaker formalisms: analyze abstract models of systems, e.g. automata, labelled transition systems, ... (Model checking)
- Approximate analyses: yield sound but, in general, incomplete results, e.g. detect some instead of all constants (Flow analysis, Abstract interpretation, Type checking)
Weaker Formalisms
Program --(approximate)--> Abstract model --(exact analyzer for the abstract model)--> Exact result

Example program:

    main() {
      x=17;
      if (x>63) { y=17; x=10; x=x+1; }
      else { x=42; while (y<99) { y=x+y; x=y+1; } y=11; }
      x=y+1;
      out(x);
    }
Model Checking
Inputs: a finite-state structure and a temporal logic formula, e.g. $G(\Phi \rightarrow F\,\Psi)$. Output of the model checker: OK, or an error trace.

What is a Model Checker?
An automatic procedure for deciding $M \models \varphi$, where
- $M$ is a model structure
- $\varphi$ is a (temporal-logic) formula
- $\models$ means satisfaction
Model Structures ($M \models \varphi$)
Three kinds, illustrated by a resource example with three states and the transitions acquire, start, release, end (figure):
- Kripke structure: states labelled with atomic propositions; the three states carry the labels own, use / ¬own, ¬use / own, ¬use
- Labeled Transition System: edges labelled acquire, start, release, end
- Kripke Transition System: both state labels (P, ¬P; Q, ¬Q) and edge labels (acquire, start, release, end)
Kripke Structures
$K = (S, R, I)$, where
- $S$: states
- $R \subseteq S \times S$: transition relation, total
- $I : S \to 2^{AP}$: interpretation
- $AP$: atomic propositions

Temporal Logics ($M \models \varphi$)
Temporal Logics
- Linear-Time Logics
  - formulas specify properties of program paths
  - a state satisfies a property if all paths starting in this state do
- Branching-Time Logic
  - can specify properties sensitive to branching
  - has (or can simulate) path quantifiers A and E

Branching vs. Linear-Time Logics
Two systems P and Q (figure): in P one coin transition leads to a state offering both coffee and tea; in Q two coin transitions lead to a state offering only coffee and a state offering only tea.
- LT logics cannot distinguish P and Q: P and Q have the same execution paths
- BT logics can: $P \models [coin]\langle tea\rangle true$ but $Q \not\models [coin]\langle tea\rangle true$
A Linear-Time Logic: PLTL
PLTL formulas: $\varphi ::= p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid X\varphi \mid \varphi_1\, U\, \varphi_2$

Abbreviations:
- $F\varphi = true\ U\ \varphi$
- $G\varphi = \neg F(\neg\varphi)$
- $\varphi\ WU\ \psi = \varphi\, U\, \psi \vee G\varphi$

Examples (resource structure with propositions own, use):
1. own the resource before using it: $\neg use\ U\ own$
2. release the resource in finite time: $G(own \Rightarrow F(\neg own))$

Linear-Time Modalities
- $X\varphi$: neXt
- $G\varphi$: Generally
- $F\varphi$: Finally
- $\varphi\, U\, \psi$: Until
- $\varphi\ WU\ \psi$: Weak Until ($\varphi\, U\, \psi$ or $G\varphi$)
Until (figure)
- Linear-time: the blue nodes satisfy $v \models \varphi\, U\, \psi$
- Branching-time: the blue nodes satisfy $v \models A(\varphi\, U\, \psi)$

Weak Until (figure)
- Linear-time: the blue nodes satisfy $v \models \varphi\ WU\ \psi$
- Branching-time: the blue nodes satisfy $v \models A(\varphi\ WU\ \psi)$
A Branching-Time Logic: CTL
State formulas: $\varphi ::= p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid E\psi \mid A\psi$
Path formulas: $\psi ::= X\varphi \mid \varphi_1\, U\, \varphi_2 \mid G\varphi \mid F\varphi$

Examples (resource structure with propositions own, use):
1. own the resource before using it: $A(\neg use\ U\ own)$
2. release the resource in finite time: $own \Rightarrow AF(\neg own)$

Duality
- Path quantifiers are duals:
  - $\neg A\varphi = E\neg\varphi$
  - $\neg E\varphi = A\neg\varphi$
- Until and weak until are almost duals (on paths):
  - $\neg(\varphi\, U\, \psi) = \neg\psi\ WU\ (\neg\varphi \wedge \neg\psi)$
  - $\neg(\varphi\ WU\ \psi) = \neg\psi\ U\ (\neg\varphi \wedge \neg\psi)$
Modal mu-Calculus
- a branching-time logic with local modalities ...
  - $\Box\varphi$: all successor states satisfy $\varphi$
  - $\Diamond\varphi$: some successor state satisfies $\varphi$
- ... and fixpoint formulae
  - $\mu X.\varphi(X)$: minimum fixpoint formula
  - $\nu X.\varphi(X)$: maximum fixpoint formula
- Fixpoint formulae can be nested
- Alternation: $\mu X.(\nu Y.\, X \wedge Y)$

Local Modalities for Labelled Edges (figure)
- $[a]\varphi$: all $a$-successors satisfy $\varphi$
- $\langle a\rangle\varphi$: some $a$-successor satisfies $\varphi$
Computing Fixpoint Formulae
- On finite structures, the meaning of fixpoint formulae can be computed by computing Kleene chains until stabilization:
  - $\mu$: $\bot,\ f(\bot),\ f(f(\bot)),\ f(f(f(\bot))),\ \ldots$
  - $\nu$: $\top,\ f(\top),\ f(f(\top)),\ f(f(f(\top))),\ \ldots$
  where $f$ is a function on state sets derived from the body of the fixpoint formula.

CTL and Modal mu-Calculus
- CTL formulae can inductively be transformed to modal mu-calculus formulae
- Global modalities can be expressed by fixpoint formulae, e.g.:
  - $A(\varphi\, U\, \psi) = \mu X.(\psi \vee (\varphi \wedge \Box X \wedge \Diamond true))$
  - $E(\varphi\, U\, \psi) = \mu X.(\psi \vee (\varphi \wedge \Diamond X))$
  - $A(\varphi\ WU\ \psi) = \nu X.(\psi \vee (\varphi \wedge \Box X))$
  - $E(\varphi\ WU\ \psi) = \nu X.(\psi \vee (\varphi \wedge (\Diamond X \vee \Box false)))$
Model Checking Approaches ($M \models \varphi$)

Global vs. Local Model Checking
- Global model checking problem
  - Given: finite model structure $M$, formula $\varphi$
  - Determine: $\{s \mid s \models \varphi\}$
- Local model checking problem
  - Given: finite model structure $M$, formula $\varphi$, and state $s$ in $M$
  - Determine whether $s \models \varphi$ or not
Model Checking Approaches
- Iterative model checking
- Automata-theoretic model checking
- Tableau-based model checking

Iterative Model Checking
- Good for global model-checking of branching-time logics
- Idea: compute the semantics of the formula on the given model by structural induction on the formula
  - Reduce modalities to their fixpoint definition
  - Compute the fixpoints by Kleene chains
  - Alternating fixpoints lead to backtracking (→ proceedings)
Iterative Model Checking of CTL
- Annotate each state $s$ with those subformulas $\psi$ of $\varphi$ with $s \models \psi$.
- Use structural induction on $\varphi$.
- Use backwards propagation to compute the modalities $A(\varphi\, U\, \psi)$ and $A(\varphi\ WU\ \psi)$.

Model Checking $A(\varphi\, U\, \psi)$ (figure)
1. Mark all nodes $v$ with $v \models \psi$.
2. Mark all unmarked nodes $w$ with $w \models \varphi$ and all successors marked.
3. Iterate 2. until stabilization.
Model Checking $A(\varphi\ WU\ \psi)$ (figure)
1. Mark all nodes $v$ with $v \models \varphi$ or $v \models \psi$.
2. Unmark all nodes $v$ with $v \not\models \psi$ and some unmarked successor.
3. Iterate 2. until stabilization.

Automata-theoretic MC
- Good for linear-time logics
- Idea: reduce model-checking to the non-emptiness problem of an automaton
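Returning to the iterative approach: the marking algorithms for $A(\varphi\, U\, \psi)$ and $A(\varphi\ WU\ \psi)$ above are exactly the Kleene chains of the $\mu$- and $\nu$-formulas from the "CTL and Modal mu-Calculus" slide. The following is an added example, not code from the tutorial; it runs both chains on a constructed version of the slides' resource structure (state names idle/held/using, the MODEL table and the helper functions are assumptions of this example, not the slides').

```python
# Added example (not code from the tutorial): iterative CTL model checking of
# A(phi U psi) and A(phi WU psi) on a finite Kripke structure, computed as the
# Kleene chains of the fixpoint formulas on the slides. MODEL is a constructed
# version of the slides' resource example (propositions own, use; the edge
# labels acquire/start/end/release are not needed for state formulas):
#   idle --acquire--> held --start--> using --end--> held --release--> idle
MODEL = {  # state -> (atomic propositions true there, successor states)
    "idle":  (frozenset(),               frozenset({"held"})),
    "held":  (frozenset({"own"}),        frozenset({"using", "idle"})),
    "using": (frozenset({"own", "use"}), frozenset({"held"})),
}
ALL = frozenset(MODEL)

def sat(p):
    """States satisfying the literal p; '!p' denotes the negated proposition."""
    neg, name = p.startswith("!"), p.lstrip("!")
    return frozenset(s for s, (labels, _) in MODEL.items() if (name in labels) != neg)

def box(x):
    """Modality []x: states all of whose successors lie in x."""
    return frozenset(s for s, (_, succ) in MODEL.items() if succ <= x)

def kleene(f, start):
    """Iterate f from start until stabilisation; terminates on a finite structure."""
    x = start
    while (nxt := f(x)) != x:
        x = nxt
    return x

def au(phi, psi):
    """A(phi U psi) = mu X. psi or (phi and []X and <>true): least fixpoint, so the
    chain starts at the empty set (marking, slide steps 1-3). <>true holds in
    every state because the transition relation is total, so it is dropped."""
    return kleene(lambda x: psi | (phi & box(x)), frozenset())

def awu(phi, psi):
    """A(phi WU psi) = nu X. psi or (phi and []X): greatest fixpoint, so the
    chain starts at the set of all states and unmarks (slide steps 1-3)."""
    return kleene(lambda x: psi | (phi & box(x)), ALL)

def af(psi): return au(ALL, psi)            # AF psi = A(true U psi)
def ag(phi): return awu(phi, frozenset())   # AG phi = A(phi WU false)
def release_in_finite_time():
    """AG(own => AF !own): the slides' 'release the resource in finite time'."""
    return ag((ALL - sat("own")) | af(sat("!own")))

if __name__ == "__main__":
    print("A(!use U own):     ", sorted(au(sat("!use"), sat("own"))))  # all three states
    print("AG(own => AF !own):", sorted(release_in_finite_time()))     # [] : held/using can loop forever
```

The first property holds in every state, while the liveness property fails everywhere: the constructed structure allows the cycle held → using → held forever, which the least fixpoint for AF never reaches.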
Automata-theoretic MC
- Construct a (Büchi-) automaton $A_\varphi$ from $\varphi$: $A_\varphi$ accepts the paths satisfying $\varphi$
- Construct a (Büchi-) automaton $A_M$ from $M$: $A_M$ accepts the paths exhibited by $M$
- $M \models \varphi$ iff $L(A_M) \subseteq L(A_\varphi)$ iff $L(A_M) \cap \overline{L(A_\varphi)} = \emptyset$ iff $L(A_M \times \overline{A_\varphi}) = \emptyset$
- Compute the automaton $A_M \times \overline{A_\varphi}$ (complementation & product construction)
- Decide $L(A_M \times \overline{A_\varphi}) = \emptyset$ by reachability analysis
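The reduction above, as an added example (not code from the tutorial): the product of $A_M$ with a Büchi automaton for $\neg\varphi$ is searched for an accepting state that is reachable and lies on a cycle, which is the reachability analysis the slide refers to. The model is again a constructed version of the slides' resource structure; the two automata, for $\neg G(own \Rightarrow F\neg own)$ and $\neg G(use \Rightarrow own)$, are hand-built assumptions of this example rather than the output of a formula-to-automaton construction.

```python
# Added example (not code from the tutorial): automata-theoretic model checking of
# M |= phi reduced to emptiness of the product A_M x A_notphi, decided by a
# reachability (lasso) search. MODEL is the constructed resource example from the
# slides (propositions own, use). The two Buchi automata for negated properties
# are hand-built here, not derived from the formulas by a tool.
from collections import deque

MODEL = {  # state -> (propositions true there, successor states); total relation
    "idle":  (frozenset(),               frozenset({"held"})),
    "held":  (frozenset({"own"}),        frozenset({"using", "idle"})),
    "using": (frozenset({"own", "use"}), frozenset({"held"})),
}
INIT = "idle"

# Each automaton reads the label of every state the path visits: (initial, accepting, delta).
def neg_release(q, lab):     # not G(own -> F !own)  ==  F(own and G own)
    if q == "q0":
        return {"q0", "q1"} if "own" in lab else {"q0"}
    return {"q1"} if "own" in lab else set()          # q1 (accepting): own forever
A_NOT_RELEASE = ("q0", {"q1"}, neg_release)

def neg_use_implies_own(q, lab):   # not G(use -> own)  ==  F(use and !own)
    if q == "q0" and "use" in lab and "own" not in lab:
        return {"q1"}
    return {q}                                          # self-loop otherwise
A_NOT_USE_IMPLIES_OWN = ("q0", {"q1"}, neg_use_implies_own)

def reachable(frontier, succ):
    """All states reachable from the given frontier (frontier itself included)."""
    seen, todo = set(frontier), deque(frontier)
    while todo:
        for n in succ(todo.popleft()):
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

def find_counterexample(automaton):
    """Return an accepting product state on a reachable cycle, or None if
    L(A_M x A_notphi) is empty, i.e. M |= phi."""
    q0, acc, delta = automaton
    def succ(ps):
        s, q = ps
        return {(t, r) for t in MODEL[s][1] for r in delta(q, MODEL[t][0])}
    init = {(INIT, q) for q in delta(q0, MODEL[INIT][0])}
    for ps in reachable(init, succ):
        if ps[1] in acc and ps in reachable(succ(ps), succ):   # accepting lasso
            return ps
    return None

def model_satisfies(automaton):
    return find_counterexample(automaton) is None
```

For the release property the search finds (held, q1) or (using, q1) on the held/using cycle, the same counterexample the branching-time computation exposes; for $G(use \Rightarrow own)$ the accepting state q1 is never reached and the product language is empty.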