formal verification by model checking
play

Formal Verification by Model Checking Jonathan Aldrich Carnegie - PDF document

Oct 08, 2023 •101 likes •307 views

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

  1. Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking • AG (Start ⇒ AF Heat) • Theorem: Any CTL formula can be expressed in terms of ¬ , ∨ , EX , EU , and EG . – F p = true U p – A [x U y] = ¬ ( EG ¬ y ∨ E [ ¬ y U ¬ (x ∨ y)]) – AX p = ¬ EX ¬ p – AG p = ¬ EF ¬ p 2 1

  2. Subformula Labeling Case ¬ f • – Label each state not labeled with f f 1 ∨ f 2 • – Label each state which is labeled with either f 1 or f 2 EX f • – Label every state that has some successor labeled with f E [ f 1 U f 2 ] • – Label every state labeled with f 2 – Traverse backwards from labeled states; if the previous state is labeled with f 1 , label it with E [ f 1 U f 2 ] as well EG f 1 • – Find strongly connected components where f 1 holds – Traverse backwards from labeled states; if the previous state is labeled with f 1 , label it with EG f 1 as well 4 CTL Model Checking Example • Pressing Start will eventually result in heat ~ Start ~ Close ~ Heat AG (Start ⇒ AF Heat) ~ Error = ¬ E [ true U (Start ∧ EG ¬ Heat)] Start ~ Start ~ Start ~ Close Close Close ~ Heat Heat ~ Heat Error ~ Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error 5 2

  3. CTL Model Checking Example • The oven doesn’t heat up until the door is closed. ~ Start ~ Close ~ Heat ~ Error Start ~ Start ~ Start ~ Close Close Close ~ Heat Heat ~ Heat Error ~ Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error 6 Practice Writing Properties • If the door is locked, it will not open until someone unlocks it • If you press ctrl-C, you will get a command line prompt • The saw will not run unless the safety guard is engaged 10 3

  4. LTL Model Checking • Beyond the scope of this course • Canonical reference on Model Checking: – Edmund Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999. 12 Dataflow Analysis as Model Checking • Consider a lattice that is a tuple of sets: – Var � 2 Set – e.g. [ x � { <, = }, y � { > } ] where Set = { <, =, > } • Represent the CFG as a Kripke structure – Let N be the nodes in the CFG, with initial node N 0 – Let E be the edges in the CFG Consider the set of abstract stores L = 2 Var � � Set � � • – Choose one element of lattice set for each var e.g. [ x � <, y � > ] • • Strategy: instead of propagating around sets, see if each individual member of the lattice set can reach each node (may traverse each path multiple times) – This is exactly what Metal does! – Metal is essentially a model checker 13 4

  5. Propagating Elements Instead of Sets L U get_free_buffer if (…) L U L save_flags(flags) if (…) sh->bp = … U L U L cli() sti() bh->bs = … L U L return NULL restore_flags(flags) U return bh 14 Dataflow Analysis as Model Checking Let F = { l 1 � e l 2 | • n 1 � e n 2 ∈ E ∧ l 2 ∈ � DF ({ l 1 }, n 1 ) } [all others] – Represents flow functions L – There’s an edge from one lattice value to another, annotated with edge e from the sti(), program, iff when we apply the cli() restore_flags(flags) flow function for the source node of the program edge to the singleton set containing the U first lattice value, the second lattice value is one of the results [all others] – We will assume edges are annotated with the source node 15 5

  6. Dataflow Analysis as Model Checking • Consider synchronous product – Cross product of nodes • N p = N*L – Edges exist only when there is an edge in both source graphs with the same label • E p = { (n 1 ,l 1 ) � e (n 2 ,l 2 ) | n 1 � e n 2 ∈ E ∧ l 1 � e l 2 ∈ F } • Purpose: matches up edge from n 1 to n 2 (marked n 1 ) with edge representing flow function for n 1 (also marked n 1 ) • Data flow is reachability in product graph – Flow(n) = { l | EF (n,l) } 16 Dataflow Analysis as Model Checking ✔ cli() if (…) ✔ cli() if (…) ✔ sh->bp = … ✔ save_flags(flags) if (…) sh->bp = … ✔ ✔ ✔ save_flags(flags) if (…) sti() bh->bs = … ✔ ✔ sti() bh->bs = … get_free_buffer return NULL ✔ restore_flags(flags) ✔ get_free_buffer return NULL ✔ restore_flags(flags) return bh Which nodes are reachable? Locked For which (n,l) do we have EF (n,l)? ✔ Unlocked Labeling algorithm works backwards 17 return bh For this special case forwards is more efficient 6

  7. Abstraction • Data flow values – We abstracted program values to two states: locked and unlocked • Program – We represented the program directly as a CFG, without abstracting it – But really, we only care about 4 node types: • sti() • cli() • restore_flags(…) • anything else – Can we abstract the program to just these types of nodes? 18 Model Checking Abstract Graph cli() if (…) sh->bp = … save_flags(flags) if (…) sti() bh->bs = … get_free_buffer return NULL restore_flags(flags) return bh 19 7

  8. Model Checking Abstract Graph cli() ANY cli() ANY ANY ANY ANY ANY sti() ANY ANY ANY sti() ANY ANY ANY restore_flags(flags) ANY restore_flags(flags) ANY Which nodes are reachable? Locked For which (n,l) do we have EF (n,l)? Unlocked 20 ANY Duality of Dataflow Analysis and Model Checking • We’ve seen how dataflow analysis can be phrased as a model checking problem – Applies to all analyses that are tuples of sets • A more complex (and inefficient) construction still works if your lattice cannot be phrased as a tuple of sets – Benefit: can take advantage of model checking techniques • Symbolic representations (beyond scope of course) • Counterexample-guided abstraction refinement (CEGAR—next lecture) – Cost: explores each path for each set element • Unless you’re using a symbolic representation or need CEGAR, dataflow analysis will be more efficient • The converse is possible in some cases – Probably impossible for general LTL formulas • I have not actually seen impossibility results, but the model checking algorithm involves nested depth-first search which does not match dataflow analysis well 21 8

  9. SPIN: The Promela Language • PROcess MEta LAnguage • Asynchronous composition of independent processes • Communication using channels and global variables • Non-deterministic choices and interleavings 22 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: NC noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; T trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 23 9

  10. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 24 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 25 10

  11. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 26 An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 27 11

  12. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: NC noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; T trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 28 Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } 29 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 , Raluca Lefticaru 1 , Ignacio Prez-Hurtado 2 , Mario J. Prez-Jimnez 2 , Cristina Tudose 1 1 University of Pitesti 2 University of Sevilla

578 views • 23 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

706 views • 56 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal verification? Does so&amp;ware correctly implement a specifica3on? Does so&amp;ware have desired proper3es (safety, liveness, other)? Is a par3cular

1.25k views • 47 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of Denmark (DTU) Overview Background Many problems within formal verification can be reduced to solving parity games Model checking (Stirling,

794 views • 64 slides
Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Introduction Modeling Specification Algorithms Conclusions Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods: Motivation examples of what can go

986 views • 74 slides
Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Alpine Verification Meeting 2013, FBK, Trento, Italy. Optimization Techniques For Craig Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal Methods Group, Politecnico di Torino, Torino, Italy. Before

880 views • 40 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Probabilistic Model Checking Formal verification and analysis of systems that exhibit probabilistic

821 views • 40 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

672 views • 66 slides
Control theory Bert Kappen ML 273 The sensori-motor problem Brain is a sensori-motor machine:

Control theory Bert Kappen ML 273 The sensori-motor problem Brain is a sensori-motor machine:

Control theory Bert Kappen ML 273 The sensori-motor problem Brain is a sensori-motor machine: perception action perception causes action, action causes perception much of this is learned Bert Kappen ML 274 The sensori-motor

937 views • 75 slides
Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

15-251: Great Theoretical Ideas in Computer Science Fall 2016 Lecture 1.5 August 31, 2016 Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to Succeed in This Class No specific topic covered

857 views • 61 slides
ELEC 5260/6260/6266 Embedded Computing Systems Spring 2019 Victor P . Nelson Text:

ELEC 5260/6260/6266 Embedded Computing Systems Spring 2019 Victor P . Nelson Text:

ELEC 5260/6260/6266 Embedded Computing Systems Spring 2019 Victor P . Nelson Text: Computers as Components, 4 th Edition Prof. Marilyn Wolf (Georgia Tech) Course Web Page: http: / / www.eng.auburn.edu/ ~ nelsovp/ courses/

506 views • 19 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 1.1 Ponnurangam

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 1.1 Ponnurangam

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 1.1 Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished &amp; TEDx Speaker Linkedin/in/ponguru/ fb/ponnurangam.kumaraguru, @ponguru What do

704 views • 13 slides
Lecture 6: GUI Basics (Ch 12) Adapted by Fangzhen Lin for COMP3021 from Y. Danial Liang s

Lecture 6: GUI Basics (Ch 12) Adapted by Fangzhen Lin for COMP3021 from Y. Danial Liang s

Lecture 6: GUI Basics (Ch 12) Adapted by Fangzhen Lin for COMP3021 from Y. Danial Liang s PowerPoints for Introduction to Java Programming, Comprehensive Version, 9/E, Pearson, 2013. 1 Motivations The design of the API for Java GUI

751 views • 60 slides
XFEL X-Ray Free-Electron Laser Industrialization process for XFEL Power couplers

XFEL X-Ray Free-Electron Laser Industrialization process for XFEL Power couplers

XFEL X-Ray Free-Electron Laser Industrialization process for XFEL Power couplers Industrialization process for XFEL Power couplers and Volume manufacturing and Volume manufacturing TTC meeting at Fermi lab, April 2007 TTC meeting at Fermi

458 views • 22 slides
CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Announcement/Reminders

CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Announcement/Reminders

CS 171: Introduction to Computer Science II Algorithm Analysis Li Xiong Announcement/Reminders Hw3 due Friday Quiz 2 on October 17, Wednesday (after Spring break, based on class poll) Linked List, Algorithm Analysis Road Map

349 views • 30 slides
Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer Museum the Vintage Computer Festival the Computer History Museum and a special group of Apple 76ers Want to cook up an industry? Its easy! Just

398 views • 17 slides

More recommend