Compositional Verification of PLC Software using Horn Clauses and - - PowerPoint PPT Presentation

compositional verification of plc software using horn
SMART_READER_LITE
LIVE PREVIEW

Compositional Verification of PLC Software using Horn Clauses and - - PowerPoint PPT Presentation

Nov 05, 2022 550 likes •1.75k views

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri Bohlender | Stefan Kowalewski WODES 2018, June 1, 2018 Introduction CHC-based Verification Conclusion Outline Introduction CHC-based Verification

slide-1
SLIDE 1

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction

Dimitri Bohlender | Stefan Kowalewski WODES 2018, June 1, 2018

slide-2
SLIDE 2

Introduction CHC-based Verification Conclusion

Outline

Introduction CHC-based Verification

  • Constrained Horn Clauses
  • Modelling of PLC Software with CHCs
  • Mode-Space as Call Summary
  • Experiments

Conclusion

1 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-3
SLIDE 3

Introduction CHC-based Verification Conclusion

Outline

Introduction CHC-based Verification

  • Constrained Horn Clauses
  • Modelling of PLC Software with CHCs
  • Mode-Space as Call Summary
  • Experiments

Conclusion

1 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-4
SLIDE 4

Introduction CHC-based Verification Conclusion

Outline

Introduction CHC-based Verification

  • Constrained Horn Clauses
  • Modelling of PLC Software with CHCs
  • Mode-Space as Call Summary
  • Experiments

Conclusion

1 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-5
SLIDE 5

Introduction CHC-based Verification Conclusion Motivation

Programmable Logic Controllers (PLCs)

◮ PLCs are devices tailored to the domain of industrial

automation, e.g. for actuating valves of a tank

◮ Realise reactive systems, repeatedly executing the same task

Single Cycle PLC sensors actuators

2 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-6
SLIDE 6

Introduction CHC-based Verification Conclusion Motivation

Programmable Logic Controllers (PLCs)

◮ PLCs are devices tailored to the domain of industrial

automation, e.g. for actuating valves of a tank

◮ Realise reactive systems, repeatedly executing the same task

Single Cycle PLC Input Variables sensors actuators

2 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-7
SLIDE 7

Introduction CHC-based Verification Conclusion Motivation

Programmable Logic Controllers (PLCs)

◮ PLCs are devices tailored to the domain of industrial

automation, e.g. for actuating valves of a tank

◮ Realise reactive systems, repeatedly executing the same task

Single Cycle PLC Program (IEC 61131-3) Input Variables sensors actuators

2 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-8
SLIDE 8

Introduction CHC-based Verification Conclusion Motivation

Programmable Logic Controllers (PLCs)

◮ PLCs are devices tailored to the domain of industrial

automation, e.g. for actuating valves of a tank

◮ Realise reactive systems, repeatedly executing the same task

Single Cycle PLC Program (IEC 61131-3) Input Variables Output Variables sensors actuators

2 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-9
SLIDE 9

Introduction CHC-based Verification Conclusion Motivation

Programmable Logic Controllers (PLCs)

◮ PLCs are devices tailored to the domain of industrial

automation, e.g. for actuating valves of a tank

◮ Realise reactive systems, repeatedly executing the same task

Single Cycle PLC Program (IEC 61131-3) Input Variables Local Variables Output Variables sensors actuators

2 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-10
SLIDE 10

Introduction CHC-based Verification Conclusion Motivation

Running Example

◮ Implements delegation

  • f requests

◮ Input in forwarded on

rising edge for req

◮ ReqHandler h is polled

in every cycle

◮ Exhibits state-machine

semantics via DiagCode

✞ ☎

PROGRAM Main VAR_INPUT req:BOOL; in:WORD; END_VAR VAR m :BOOL; h :ReqHandler;END_VAR VAR_OUTPUT out:WORD; END_VAR // Forward data on rising edge IF (req AND NOT m) THEN h(data:=in, res=>out); ELSE h(res=>out); END_IF m:=req; END_PROGRAM FUNCTION_BLOCK ReqHandler VAR_INPUT data :WORD; END_VAR VAR DiagCode:WORD; END_VAR VAR_OUTPUT res :WORD; END_VAR // Body omitted ... END_FUNCTION_BLOCK

✝ ✆

3 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-11
SLIDE 11

Introduction CHC-based Verification Conclusion Motivation

Running Example

◮ Implements delegation

  • f requests

◮ Input in forwarded on

rising edge for req

◮ ReqHandler h is polled

in every cycle

◮ Exhibits state-machine

semantics via DiagCode

✞ ☎

PROGRAM Main VAR_INPUT req:BOOL; in:WORD; END_VAR VAR m :BOOL; h :ReqHandler;END_VAR VAR_OUTPUT out:WORD; END_VAR // Forward data on rising edge IF (req AND NOT m) THEN h(data:=in, res=>out); ELSE h(res=>out); END_IF m:=req; END_PROGRAM FUNCTION_BLOCK ReqHandler VAR_INPUT data :WORD; END_VAR VAR DiagCode:WORD; END_VAR VAR_OUTPUT res :WORD; END_VAR // Body omitted ... END_FUNCTION_BLOCK

✝ ✆

3 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-12
SLIDE 12

Introduction CHC-based Verification Conclusion Motivation

Running Example

◮ Implements delegation

  • f requests

◮ Input in forwarded on

rising edge for req

◮ ReqHandler h is polled

in every cycle

◮ Exhibits state-machine

semantics via DiagCode

✞ ☎

PROGRAM Main VAR_INPUT req:BOOL; in:WORD; END_VAR VAR m :BOOL; h :ReqHandler;END_VAR VAR_OUTPUT out:WORD; END_VAR // Forward data on rising edge IF (req AND NOT m) THEN h(data:=in, res=>out); ELSE h(res=>out); END_IF m:=req; END_PROGRAM FUNCTION_BLOCK ReqHandler VAR_INPUT data :WORD; END_VAR VAR DiagCode:WORD; END_VAR VAR_OUTPUT res :WORD; END_VAR // Body omitted ... END_FUNCTION_BLOCK

✝ ✆

3 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-13
SLIDE 13

Introduction CHC-based Verification Conclusion Motivation

Running Example

◮ Implements delegation

  • f requests

◮ Input in forwarded on

rising edge for req

◮ ReqHandler h is polled

in every cycle

◮ Exhibits state-machine

semantics via DiagCode

✞ ☎

PROGRAM Main VAR_INPUT req:BOOL; in:WORD; END_VAR VAR m :BOOL; h :ReqHandler;END_VAR VAR_OUTPUT out:WORD; END_VAR // Forward data on rising edge IF (req AND NOT m) THEN h(data:=in, res=>out); ELSE h(res=>out); END_IF m:=req; END_PROGRAM FUNCTION_BLOCK ReqHandler VAR_INPUT data :WORD; END_VAR VAR DiagCode:WORD; END_VAR VAR_OUTPUT res :WORD; END_VAR // Body omitted ... END_FUNCTION_BLOCK

✝ ✆

3 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-14
SLIDE 14

Introduction CHC-based Verification Conclusion Motivation

Mode Spaces in Model-Checking

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

Figure: Main CFA of example

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001

Figure: Mode space of ReqHandler

◮ Requests are processed in ≤ two execution cycles?

⇒ On request, “Processing” mode is reached in a single cycle

4 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-15
SLIDE 15

Introduction CHC-based Verification Conclusion Motivation

Mode Spaces in Model-Checking

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

Figure: Main CFA of example

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001

Figure: Mode space of ReqHandler

◮ Requests are processed in ≤ two execution cycles?

⇒ On request, “Processing” mode is reached in a single cycle

4 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-16
SLIDE 16

Introduction CHC-based Verification Conclusion Motivation

Mode Spaces in Model-Checking

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

Figure: Main CFA of example

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001

Figure: Mode space of ReqHandler

◮ Requests are processed in ≤ two execution cycles?

⇒ On request, “Processing” mode is reached in a single cycle

4 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-17
SLIDE 17

Introduction CHC-based Verification Conclusion Motivation

Mode Spaces in Model-Checking

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

Figure: Main CFA of example

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001

Figure: Mode space of ReqHandler

◮ Requests are processed in ≤ two execution cycles?

⇒ On request, “Processing” mode is reached in a single cycle

4 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-18
SLIDE 18

Introduction CHC-based Verification Conclusion Motivation

Mode Spaces in Model-Checking

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

Figure: Main CFA of example

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001

Figure: Mode space of ReqHandler

◮ Requests are processed in ≤ two execution cycles?

⇒ On request, “Processing” mode is reached in a single cycle

4 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-19
SLIDE 19

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-20
SLIDE 20

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-21
SLIDE 21

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-22
SLIDE 22

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-23
SLIDE 23

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-24
SLIDE 24

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-25
SLIDE 25

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-26
SLIDE 26

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-27
SLIDE 27

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-28
SLIDE 28

Introduction CHC-based Verification Conclusion Motivation

Requirements Towards Formalism & Model Checker

◮ Compositional reasoning

(no cloning or inlining)

Example

◮ Let f1:FB; f2:FB; ◮ Reason about FB(. . . ) ◮ Avoid f1(. . . ), f2(. . . ) and

instruction cloning

◮ Integrates with abstraction

  • f calls (call summaries)

Example

◮ Consider abs(x) = y ◮ Use summary

y ≥ 0

◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software

5 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-29
SLIDE 29

Introduction CHC-based Verification Conclusion Constrained Horn Clauses

Constrained Horn Clauses

◮ Special case of Satisfiability Modulo Theories (SMT)

Definition

Given sets of variables V, function symbols F, and predicates P, a Constrained Horn Clause (CHC) is a formula ∀V p1( X1) ∧ · · · ∧ pk( Xk) ∧ ϕ

  • body

→ h( X)

head

, k ≥ 0, where

Xi, X ⊆ V are possibly empty vectors of variables

◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of pi exists

6 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-30
SLIDE 30

Introduction CHC-based Verification Conclusion Constrained Horn Clauses

Constrained Horn Clauses

◮ Special case of Satisfiability Modulo Theories (SMT)

Definition

Given sets of variables V, function symbols F, and predicates P, a Constrained Horn Clause (CHC) is a formula ∀V p1( X1) ∧ · · · ∧ pk( Xk) ∧ ϕ

  • body

→ h( X)

head

, k ≥ 0, where

Xi, X ⊆ V are possibly empty vectors of variables

◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of pi exists

6 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-31
SLIDE 31

Introduction CHC-based Verification Conclusion Constrained Horn Clauses

Constrained Horn Clauses

◮ Special case of Satisfiability Modulo Theories (SMT)

Definition

Given sets of variables V, function symbols F, and predicates P, a Constrained Horn Clause (CHC) is a formula ∀V p1( X1) ∧ · · · ∧ pk( Xk) ∧ ϕ

  • body

→ h( X)

head

, k ≥ 0, where

Xi, X ⊆ V are possibly empty vectors of variables

◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of pi exists

6 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-32
SLIDE 32

Introduction CHC-based Verification Conclusion Constrained Horn Clauses

Constrained Horn Clauses

◮ Special case of Satisfiability Modulo Theories (SMT)

Definition

Given sets of variables V, function symbols F, and predicates P, a Constrained Horn Clause (CHC) is a formula ∀V p1( X1) ∧ · · · ∧ pk( Xk) ∧ ϕ

  • body

→ h( X)

head

, k ≥ 0, where

Xi, X ⊆ V are possibly empty vectors of variables

◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of pi exists

6 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-33
SLIDE 33

Introduction CHC-based Verification Conclusion Constrained Horn Clauses

Constrained Horn Clauses

◮ Special case of Satisfiability Modulo Theories (SMT)

Definition

Given sets of variables V, function symbols F, and predicates P, a Constrained Horn Clause (CHC) is a formula ∀V p1( X1) ∧ · · · ∧ pk( Xk) ∧ ϕ

  • body

→ h( X)

head

, k ≥ 0, where

Xi, X ⊆ V are possibly empty vectors of variables

◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of pi exists

6 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-34
SLIDE 34

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Concept

For each block type A with signature VarTypes, add a predicate pA : Loc × VarTypes

  • source

× Loc × VarTypes

  • target

→ B

◮ Will define transitive reachability within A

⇒ Observable semantics of procedure captured by pA(lentry

const

, X, lexit

  • const

, X′)

◮ Solving CHC finding over-approximating summary of A

7 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-35
SLIDE 35

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Concept

For each block type A with signature VarTypes, add a predicate pA : Loc × VarTypes

  • source

× Loc × VarTypes

  • target

→ B

◮ Will define transitive reachability within A

⇒ Observable semantics of procedure captured by pA(lentry

const

, X, lexit

  • const

, X′)

◮ Solving CHC finding over-approximating summary of A

7 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-36
SLIDE 36

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Concept

For each block type A with signature VarTypes, add a predicate pA : Loc × VarTypes

  • source

× Loc × VarTypes

  • target

→ B

◮ Will define transitive reachability within A

⇒ Observable semantics of procedure captured by pA(lentry

const

, X, lexit

  • const

, X′)

◮ Solving CHC finding over-approximating summary of A

7 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-37
SLIDE 37

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Concept

For each block type A with signature VarTypes, add a predicate pA : Loc × VarTypes

  • source

× Loc × VarTypes

  • target

→ B

◮ Will define transitive reachability within A

⇒ Observable semantics of procedure captured by pA(lentry

const

, X, lexit

  • const

, X′)

◮ Solving CHC finding over-approximating summary of A

7 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-38
SLIDE 38

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-39
SLIDE 39

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-40
SLIDE 40

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-41
SLIDE 41

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-42
SLIDE 42

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-43
SLIDE 43

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Transition

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Transitive Reachability: pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

8 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-44
SLIDE 44

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-45
SLIDE 45

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-46
SLIDE 46

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-47
SLIDE 47

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-48
SLIDE 48

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-49
SLIDE 49

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Transitive Reachability (& call summary): pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

9 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-50
SLIDE 50

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Checking Safety Specifications

◮ Does safety property safe(

X) hold at the end of every cycle? ⇒ Yes, if adding pMain(0, X, 7, X′) → safe( X′) keeps CHCs satisfiable

◮ Violated, if unsatisfiable 1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-51
SLIDE 51

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Checking Safety Specifications

◮ Does safety property safe(

X) hold at the end of every cycle? ⇒ Yes, if adding pMain(0, X, 7, X′) → safe( X′) keeps CHCs satisfiable

◮ Violated, if unsatisfiable 1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-52
SLIDE 52

Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs

Checking Safety Specifications

◮ Does safety property safe(

X) hold at the end of every cycle? ⇒ Yes, if adding pMain(0, X, 7, X′) → safe( X′) keeps CHCs satisfiable

◮ Violated, if unsatisfiable 1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-53
SLIDE 53

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-54
SLIDE 54

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-55
SLIDE 55

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-56
SLIDE 56

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-57
SLIDE 57

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-58
SLIDE 58

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-59
SLIDE 59

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-60
SLIDE 60

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Approximating the Mode-Space

Idea:

◮ Procedure’s complexity needs to be low w.r.t. CHC-solving

⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure:

  • 1. Use global VSA to approximate all variables’ values
  • 2. For each function block type, e.g. ReqHandler

2.1 For each computed mode-value, e.g. {0, 0x8000, 0xC001}

  • Keep global VSA values but fix mode, e.g. set DiagCode=0
  • Compute block’s single-cycle VSA
  • Interpret resulting mode-values as targets, e.g. {0, 0x8000}

11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-61
SLIDE 61

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-62
SLIDE 62

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-63
SLIDE 63

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-64
SLIDE 64

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-65
SLIDE 65

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-66
SLIDE 66

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-67
SLIDE 67

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-68
SLIDE 68

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-69
SLIDE 69

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-70
SLIDE 70

Introduction CHC-based Verification Conclusion Mode-Space as Call Summary

Mode-Space as Call Summary

◮ Mode-space constrains possible transitions

⇒ Yields call summary SReqHandler( Xh, X′

h):

(h.DiagCode = 0 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0x8000) ∧ (h.DiagCode = 0x8000 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001) ∧ (h.DiagCode = 0xC001 → h.DiagCode′ = 0 ∨ h.DiagCode′ = 0xC001)

◮ Add to encoding of each call of ReqHandler

“Idle” DiagCode =0x0000 “Processing” DiagCode =0x8000 “Error” DiagCode =0xC001 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-71
SLIDE 71

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-72
SLIDE 72

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-73
SLIDE 73

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-74
SLIDE 74

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-75
SLIDE 75

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-76
SLIDE 76

Introduction CHC-based Verification Conclusion Experiments

Benchmarks

◮ Two groups of PLC programs from PLCopen Safety library

  • elementary modules implementing safety concepts (23 specs)
  • user examples composed of elementary ones (17 specs)

◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR)

13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-77
SLIDE 77

Introduction CHC-based Verification Conclusion Experiments

Results

100 101 102 103 100 101 102 103 PDR PDR + Mode Abstraction

Figure: Time [s] spent on verification of each task

14 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-78
SLIDE 78

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-79
SLIDE 79

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-80
SLIDE 80

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-81
SLIDE 81

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-82
SLIDE 82

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-83
SLIDE 83

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-84
SLIDE 84

Introduction CHC-based Verification Conclusion Concluding Remarks

Summary

◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable

  • compositional characterisation and reasoning
  • uniform characterisation of program, spec & abstraction

◮ Experiments suggest that

  • mode-abstraction may help significantly
  • overall, mode-abstraction overhead is negligble

15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-85
SLIDE 85

Appendix References Related Work

Related Tools & Techniques

Mode-Abstraction:

◮ Predicate abstraction [GS97] ◮ Abstract-domain selection based on variable usage [Ape+13]

Recent years:

◮ Decoupling Language Details from Verifier Implementations ◮ Modular structure & off-the-shelf components

Intermediate Verification Language:

◮ BOOGIE [Lei08]

  • used by SMACK [RE14]
  • checked by CORRAL [LQL12]

◮ Constrained Horn Clauses (CHCs) [Bjø+15]

  • used by SEAHORN [Gur+15]
  • checked by SPACER [KGC14] or Z3 [MB08]

16 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-86
SLIDE 86

Appendix References Typical Logic Control Applications

PLCopen Safety Application

SF_Equivalent

Activate S_ChannelA S_ChannelB S_DiscrepancyTime Ready S_EquivalentOut Error DiagCode

SF_EmergencyStop

Activate S_EStopIn S_StartReset S_AutoReset Reset Ready S_EStopOut Error DiagCode

SF_ESPE

Activate S_ESPE_In S_StartReset S_AutoReset Reset Ready S_ESPE_Out Error DiagCode

AND AND SF_SafeStop1

Activate S_StopIn AxisID MonitoringTime Reset Ready S_Stopped Error DiagCode

Single Cycle

InputDevice1_active S1_S_EStopIn_1 S1_S_EStopIn_2 T#10ms Error_Equiv1 Diag_Equiv1 FALSE FALSE S0_Reset S_EStopOut Error_EStop1 Diag_EStop1 InputDevice2_active S2_S_ESPE_In FALSE FALSE S0_Reset Error_ESPE1 Diag_ESPE1 S_EStopOut AxisID_1 T#100ms S3_Drive_Reset S_Stopped Error_SafeStop1 Diag_SafeStop1

17 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-87
SLIDE 87

Appendix References Typical Logic Control Applications

Typical Block Specification

Idle DiagCode=0 1 Init DiagCode=0x8001 1 2 3 Wait for NC DiagCode=0x8014 1 2 3 Error 1/2 DiagCode=0xC001 | DiagCode=0xC002 1 Wait for NO DiagCode=0x8004 1 2 3 Safety Output Enabled DiagCode=0x8000 1 2 Error 3 DiagCode=0xC003 1 From Active Wait DiagCode=0x8005 1 2 !Activate Activate S_ChannelNC & S_ChannelNO !S_ChannelNO & !S_ChannelNC S _ C h a n n e l N C & ! S _ C h a n n e l N O DiscrepancyTime elapsed !S_ChannelNC !S_ChannelNO !S_ChannelNC & S_ChannelNO DiscrepancyTime elapsed S_ChannelNO S_ChannelNC !S_ChannelNC | S_ChannelNO ! S _ C h a n n e l N C & S _ C h a n n e l N O D i s c r e p a n c y T i m e e l a p s e d !S_ChannelNC & S_ChannelNO !S_ChannelNC & S_ChannelNO Ready=FALSE Ready=TRUE S_AntivalentOut=FALSE S_AntivalentOut=TRUE

18 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-88
SLIDE 88

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-89
SLIDE 89

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-90
SLIDE 90

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-91
SLIDE 91

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-92
SLIDE 92

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-93
SLIDE 93

Appendix References Encoding Details

Intuition for Logical Characterisation

◮ Reason about program semantics by leveraging Satisfiability

Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables x > y + 1 = x > y + 1 Statement Formula over pre- & post variables instances x := y + 1 =

  • x′ = y + 1
  • y′ = y
  • Procedure Predicate over pre- & post variables instances
  • abs(x, x′)
  • =
  • x ≥ 0 → x′ = x
  • x < 0 → x′ = −x
  • Unclear Characterisation of procedures with loops

19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-94
SLIDE 94

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-95
SLIDE 95

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-96
SLIDE 96

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-97
SLIDE 97

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-98
SLIDE 98

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-99
SLIDE 99

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-100
SLIDE 100

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-101
SLIDE 101

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-102
SLIDE 102

Appendix References Encoding Details

Encoding the Running Example

Variables instances:

X = (req, in, m, h.data, h.DiagCode, h.res, out)

X′ =

  • req′, in′, m′, h.data′, h.DiagCode′, h.res′, out′

Reachability facts & rules:

◮ Initial configuration reachable

init( X) → pMain(0, X, 0, X)

◮ Transitive reachability

pMain(l, X, 1, X′) ∧ h.data′′ = in′ ∧ id(X′ \

  • h.data′

) → pMain(l, X, 2, X′′)

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-103
SLIDE 103

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-104
SLIDE 104

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-105
SLIDE 105

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-106
SLIDE 106

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-107
SLIDE 107

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-108
SLIDE 108

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-109
SLIDE 109

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-110
SLIDE 110

Appendix References Encoding Details

Encoding a Call

Variables instances:

  • X = (req, in, m, h.data, h.DiagCode, h.res
  • Xh

, out) Reachability rules:

◮ Entry configuration reachable

pMain(l, X, 2, X′) → pReqHandler(0, X′

h, 0,

X′

h) ◮ Transitive reachability (& call summary)

pMain(l, X, 2, X′) ∧ pReqHandler(0, X′

h, 42,

X′′

h) ∧ id(

X′ \ X′

h)

∧ SReqHandler( X′

h,

X′′

h)

→ pMain(l, X, 3, X′′)

2 . . . 3 . . . ReqHandler( h.data, h.DiagCode, h.res )

21 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-111
SLIDE 111

Appendix References Encoding Details

Implementation Details

◮ Possible cycle-edge encoding

pMain(l, X, 7, X′) ∧ id( X \ Xin) → pMain(l, X, 0, X′′)

◮ Allow summaries for main

block by modelling it like a call

◮ Reduce number of locations

via Large Block Encoding

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

22 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-112
SLIDE 112

Appendix References Encoding Details

Implementation Details

◮ Possible cycle-edge encoding

pMain(l, X, 7, X′) ∧ id( X \ Xin) → pMain(l, X, 0, X′′)

◮ Allow summaries for main

block by modelling it like a call

◮ Reduce number of locations

via Large Block Encoding

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

22 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-113
SLIDE 113

Appendix References Encoding Details

Implementation Details

◮ Possible cycle-edge encoding

pMain(l, X, 7, X′) ∧ id( X \ Xin) → pMain(l, X, 0, X′′)

◮ Allow summaries for main

block by modelling it like a call

◮ Reduce number of locations

via Large Block Encoding

1 2 3 4 5 6 7 req && !m h.data:=in ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

!(req && !m) ReqHandler( h.data, h.DiagCode, h.res )

  • ut:=h.res

m:=req

22 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-114
SLIDE 114

Appendix References Bibliography

References I

[Ape+13] Sven Apel et al. “Domain Types: Abstract-Domain Selection Based on Variable Usage”. In: Hardware and Software: Verification and Testing - 9th International Haifa Verification Conference, HVC 2013, Haifa, Israel, November 5-7, 2013, Proceedings. 2013,

  • pp. 262–278.

[Bjø+15] Nikolaj Bjørner et al. “Horn Clause Solvers for Program Verification”. In: Fields of Logic and Computation II - Essays Dedicated to Yuri Gurevich on the Occasion of His 75th Birthday. 2015, pp. 24–51.

23 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-115
SLIDE 115

Appendix References Bibliography

References II

[GS97] Susanne Graf and Hassen Saïdi. “Construction of Abstract State Graphs with PVS”. In: Computer Aided Verification, 9th International Conference, CAV ’97, Haifa, Israel, June 22-25, 1997, Proceedings. 1997,

  • pp. 72–83.

[Gur+15] Arie Gurfinkel et al. “The SeaHorn Verification Framework”. In: Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I. 2015,

  • pp. 343–361.

24 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-116
SLIDE 116

Appendix References Bibliography

References III

[KGC14] Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. “SMT-Based Model Checking for Recursive Programs”. In: Computer Aided Verification - 26th International Conference, CAV 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings. 2014, pp. 17–34. [Lei08] Rustan Leino. “This is Boogie 2”. In: Microsoft Research, 2008. [LQL12] Akash Lal, Shaz Qadeer, and Shuvendu Lahiri. “Corral: A Solver for Reachability Modulo Theories”. In: Computer-Aided Verification (CAV). 2012.

25 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-117
SLIDE 117

Appendix References Bibliography

References IV

[MB08] Leonardo Mendonça de Moura and Nikolaj Bjørner. “Z3: An Efficient SMT Solver”. In: Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008.

  • Proceedings. 2008, pp. 337–340.

26 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski
slide-118
SLIDE 118

Appendix References Bibliography

References V

[RE14] Zvonimir Rakamari´ c and Michael Emmi. “SMACK: Decoupling Source Language Details from Verifier Implementations”. In: Proceedings of the 26th International Conference on Computer Aided Verification (CAV). Ed. by Armin Biere and Roderick Bloem. Vol. 8559. Lecture Notes in Computer Science. Springer, 2014, pp. 106–113.

27 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction

  • D. Bohlender | S. Kowalewski