specification verification and synthesis using extended
play

Specification, Verification, and Synthesis using Extended State - PowerPoint PPT Presentation

Oct 28, 2022 •228 likes •567 views

Specification, Verification, and Synthesis using Extended State Machines with Callbacks Farhaan Fowze and Tuba Yavuz University of Florida MEMOCODE 2016, Kanpur, India Farhaan Fowze and Tuba Yavuz (UF) SMACK 1 / 33 Overview Problem 1 A

  1. Specification, Verification, and Synthesis using Extended State Machines with Callbacks Farhaan Fowze and Tuba Yavuz University of Florida MEMOCODE 2016, Kanpur, India Farhaan Fowze and Tuba Yavuz (UF) SMACK 1 / 33

  2. Overview Problem 1 A Study on Linux Device Drivers Example: Linux usbkbd driver Approach 2 Modeling: State Machines with Callbacks (SMACK) Formal Semantics Synchronization Synthesis Conclusion 3 Related Work Summary & Future Work Farhaan Fowze and Tuba Yavuz (UF) SMACK 2 / 33

  3. Software Reuse is Useful but .. Modern software is built with extensibility as a design goal Programming models with callback mechanism Linux kernel Android Framework Robotic Operating System + New software can be developed with less effort - Debugging becomes difficult as the control-flow becomes implicit Especially when coupled with concurrency! Farhaan Fowze and Tuba Yavuz (UF) SMACK 3 / 33

  4. A Study on Linux Device Driver Race Conditions 88 drivers from 44 device classes Developed by programmers from 45 different companies/organizations Patches incorporated into the Linux stable kernel source tree Race Condition Type Count a) Lack of locking 22 b) Inconsistent locking 18 c) Insufficient locking 9 d) Premature resource allocation/registration 14 e) Late resource deallocation/deregistration 4 f) Other 21 Total 88 Farhaan Fowze and Tuba Yavuz (UF) SMACK 4 / 33

  5. Running Example: USB keyboard driver (usbkbd) Receives keyboard events and passes to the input layer usb kbd irq processes keyboard events including LED related keys, e.g., CAPSLOCK, and sends LED commands to the device Sends control commands to turn on/off LEDs usb kbd led receives acknowledgement of performed LED commands Complication: Both usb kbd irq and usb kbd led may send LED commands to the device and need to synchronize Submission of LED commands in usb kbd irq is implicit due to a callback function! Farhaan Fowze and Tuba Yavuz (UF) SMACK 5 / 33

  6. Example for the Implicit Control-Flow - USB keyboard driver Static Call Graph Run-time Dependencies Farhaan Fowze and Tuba Yavuz (UF) SMACK 6 / 33

  7. Dealing with Concurrency at the Model Level Model the concurrent components of a software system making the programming model visible Verify the formal semantics of the model for correctness including race and deadlock freedom Synthesize correct concurrency Farhaan Fowze and Tuba Yavuz (UF) SMACK 7 / 33

  8. Overview Problem 1 Approach 2 Modeling: State Machines with Callbacks (SMACK) Formal Semantics Synchronization Synthesis Conclusion 3 Farhaan Fowze and Tuba Yavuz (UF) SMACK 8 / 33

  9. State Machines with Callbacks (SMACK) Extended state machine formalism Separation bw control locations and the states over extended variables Hierarchical state machines Modeling of callbacks as state machines Synchronous: Embedding an instance Models function calls Asynchronous: Instantiating an instance Models creation of a thread of execution Goal: To provide A modeling formalism that can express the dependencies among software components explicitly. An associated formal semantics to provide automated analysis for concurrency bugs Farhaan Fowze and Tuba Yavuz (UF) SMACK 9 / 33

  10. Modeling simplified usbkbd with SMACK Farhaan Fowze and Tuba Yavuz (UF) SMACK 10 / 33

  11. Modeling Layers in SMACK // Model for the driver module USBKBD uses InputLayer, SpinLock; sync {usb_kbd_probe(T), usb_kbd_disconnect, usb_kbd_open, usb_kbd_close, usb_kbd_event(T)}; async {usb_kbd_irq, usb_kbd_led}; ... end module // Model for the Input Layer of the kernel module InputLayer uses SpinLock; sync {input_event(T), input_register_device(T)}; ... end module Farhaan Fowze and Tuba Yavuz (UF) SMACK 11 / 33

  12. A SMACK Model for input event SM: input_event(dev: input_dev) T : {init->ih_generic, ih_generic->lr_exit}; where init =>dev.event_lock.acquire, lr_exit => dev.event_lock.release; end SM Farhaan Fowze and Tuba Yavuz (UF) SMACK 12 / 33

  13. A SMACK Model for usb kbd irq SM:(2) usb_kbd_irq() T: {init->kbd_event, kbd_event->submit_urb, submit_urb->exit}; [init->kbd_event] (guard: r new and r old); [kbd_event->submit_urb] (update: w new, r old); [submit_urb->exit] (update:@sync(usb_kbd_irq)); where kbd_event => InputLayer.input_event[usb_kbd_event/ih_generic]; end SM Farhaan Fowze and Tuba Yavuz (UF) SMACK 13 / 33

  14. State machines with generic and mapped states Mapping of states: kbd event �→ input event , init �→ acquire , lr exit �→ release . Binding generic states: ih generic �→ usb kbd event . Farhaan Fowze and Tuba Yavuz (UF) SMACK 14 / 33

  15. Flattened state machine for usb kbd irq Mapping of states: kbd event �→ input event , init �→ acquire , lr exit �→ release . Binding generic states: ih generic �→ usb kbd event . Farhaan Fowze and Tuba Yavuz (UF) SMACK 15 / 33

  16. Asynchronous Instantiation Farhaan Fowze and Tuba Yavuz (UF) SMACK 16 / 33

  17. Overview Problem 1 Approach 2 Modeling: State Machines with Callbacks (SMACK) Formal Semantics Synchronization Synthesis Conclusion 3 Farhaan Fowze and Tuba Yavuz (UF) SMACK 17 / 33

  18. Semantics of the Main Module INSTANTIATING THE MAIN MODULE � [ M ] � ≡ � [ SM S 1 ] || ... || [ SM S m ] || [ SM A 1 ] || ... || [ SM A n ] � where [ SM S i ]: Synchronous state machine One of the top synchronous state machines of the main module [ SM A j ]: Asynchronous state machine One of the state machines instantiated by at least one of the flattened top synchronous machines of the main module || : Asynchronous composition Farhaan Fowze and Tuba Yavuz (UF) SMACK 18 / 33

  19. Semantics of a Synchronous State Machine � [ SM S ] � ≡ ( S , I , R ) where S ≡ B ⌈ log ( |SM . S sm | ) ⌉ × SM . S e , I ≡ I e ∧ � pc SM = s , s ∈SM . I sm (1) � pc SM = s 1 ∧ pc ′ R ≡ SM = s 2 ∧ ( s 1 , s 2 ) ∈SM . R sm SM . G ′ e ( s 1 , s 2 ) ∧ SM . U e ( s 1 , s 2 ) ∧ IDENT IT Y ( Unchanged ) Synchronous state machines are represented concretely, i.e., a concrete control state variable per instance Transitions can be executed if the state machine is enabled, i.e., en SM S = true . #nable (SM) : en ′ SM = true , $isable (SM) : en ′ SM = false Farhaan Fowze and Tuba Yavuz (UF) SMACK 19 / 33

  20. Semantics of an Asynchronous State Machine � [ SM A ] � ≡ ( S , I , R ) where � c SM � c SM S ≡ ≥ 0 ∧ SM . S e , I ≡ = 0 ∧ SM . I e s s s ∈SM . S sm s ∈SM . S sm � R ≡ SM . G e ( s 1 , s 2 ) ∧ SM . U e ( s 1 , s 2 ) ( s 1 , s 2 ) ∈SM . S sm > 0 ∧ c SM ′ − 1 ∧ c SM ′ ∧ c SM = c SM = c SM + 1 s 1 s 1 s 1 s 2 s 2 (2) Asychronous state machines are abstracted using counting abstraction c SM keeps track of the number instances of state machine SM in s 1 state s 1 s ∈ SM . I sm c SM ′ s ∈ SM . I sm c SM @sync (SM) : � = � + 1 s s Farhaan Fowze and Tuba Yavuz (UF) SMACK 20 / 33

  21. Overview Problem 1 Approach 2 Modeling: State Machines with Callbacks (SMACK) Formal Semantics Synchronization Synthesis Conclusion 3 Farhaan Fowze and Tuba Yavuz (UF) SMACK 21 / 33

  22. Counter-example Guided Synchronization Synthesis Involves abstract operations alloc , init , and Type 1 Race: dealloc and relies on existence of #nable and $isable Type 2 Race: Otherwise, i.e., no #nable and $isable or among read/write or write/write operations Operations can be concrete, e.g., !CHANGE , or abstract, e.g., w leds Safety property for potential race conditions between s 1 of SM 1 and s 2 of SM 2 Both SM 1 and SM 2 are synchronous: invariant( ¬ ( pc SM 1 = s 1 ∧ pc SM 2 = s 2 ∧ g 1 ∧ g 2 )) , (3) If SM 1 is asynchronous: invariant( ¬ ( c SM 1 > 0 ∧ pc SM 2 = s 2 ∧ g 1 ∧ g 2 )) , (4) s 1 If SM 1 and SM 2 are the same asynchronous state machine: invariant( ¬ ( c SM 1 > 1 ∧ g 1 )) , (5) s 1 Farhaan Fowze and Tuba Yavuz (UF) SMACK 22 / 33

  23. Type 1 Race bw usb kbd probe and usb kbd irq Farhaan Fowze and Tuba Yavuz (UF) SMACK 23 / 33

  24. Fixing Type 1 Races The fix involves moving the alloc , init ( dealloc ) operation before (after) the enabling (disabling) action of the state machine that performs the read/write The challenge is to identify the right level in the hierarchy of state machines the alloc , init , or dealloc operation should be moved to Farhaan Fowze and Tuba Yavuz (UF) SMACK 24 / 33

  25. Establishing happens-before via #enable Farhaan Fowze and Tuba Yavuz (UF) SMACK 25 / 33

  26. Type 2 Race bw different instantiations of usb kbd led Farhaan Fowze and Tuba Yavuz (UF) SMACK 26 / 33

  27. Fixing Type 2 Races The fix involves enclosing the racy transition with acquire and release operations of a lock model Creates equivalence classes of variables based on data-flow and control-flow dependency Two variables belong to the same equivalence class if they appear in the guard or update of the same transition. Each equivalence class is associated with at most one lock The algorithm checks if there is a candidate lock that can be used The lock held closest to the race location is considered as a candidate Introduces a new lock if there is no candidate or the candidate does not satisfy the minimum context priority requirement Farhaan Fowze and Tuba Yavuz (UF) SMACK 27 / 33

  28. Establishing happens-before via locking Farhaan Fowze and Tuba Yavuz (UF) SMACK 28 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Syntax-Guided Synthesis Rajeev Alur University of Pennsylvania 1 Program Verification Program

Syntax-Guided Synthesis Rajeev Alur University of Pennsylvania 1 Program Verification Program

Syntax-Guided Synthesis Rajeev Alur University of Pennsylvania 1 Program Verification Program P Specification S Verifier Proof of correctness or Witness of a bug 2 Classical Program Synthesis Specification S High Level WHAT

1.28k views • 59 slides
Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning Sanjit A. Seshia EECS Department UC Berkeley Joint work with Susmit Jha (UTC) Dagstuhl Seminar Verified SW Working Group August 2014 July

661 views • 28 slides
The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph

The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph

The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph Kiniry Department of Computer Science University College Dublin ESC/Java2 ESC/Java2 is an extended static checker based upon DEC/Compaq SRC

278 views • 27 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Formal specification Specification for program/system Specification for

443 views • 21 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
The Siren Song of Temporal Synthesis Moshe Y. Vardi Rice University Verification Model Checking

The Siren Song of Temporal Synthesis Moshe Y. Vardi Rice University Verification Model Checking

The Siren Song of Temporal Synthesis Moshe Y. Vardi Rice University Verification Model Checking : Given : Program P , Specification . Task : Check that P satisfies Success : Algorithmic methods : temporal specifications and

414 views • 39 slides
Formal Specification and Verification of Avionics Software Claus Wonnemann June 7th, 2006 Claus

Formal Specification and Verification of Avionics Software Claus Wonnemann June 7th, 2006 Claus

Introduction Specification of the Java Flight Manager Runtime Assertion Checking and Verification Conclusions Formal Specification and Verification of Avionics Software Claus Wonnemann June 7th, 2006 Claus Wonnemann Formal Specification and

708 views • 54 slides
Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli

Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli

Lecture 1: Overview of System Synthesis A. Pnueli Lectures Outline Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli Fair Discrete Systems and their Computations. Model Checking Invariance and

309 views • 19 slides
Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1 Program Verification and Constraints Reasoning about program

422 views • 28 slides
Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification Project February 26, 2020 Welcome HMOs, MCOs, IRIS FEAs Sandata team (EVV vendor) Wisconsin Department of Health Services team

941 views • 47 slides
Verification and Synthesis of Security Chains Stephan Merz joint work with N. Schnepf, R.

Verification and Synthesis of Security Chains Stephan Merz joint work with N. Schnepf, R.

Verification and Synthesis of Security Chains Stephan Merz joint work with N. Schnepf, R. Badonnel, A. Lahmadi Inria & LORIA, Nancy, France IFIP Working Group 2.2 Vienna, September 2019 Stephan Merz Verification and Synthesis of Security

863 views • 22 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
specification free monitoring CS 119 can we avoid writing specs? specification and programming

specification free monitoring CS 119 can we avoid writing specs? specification and programming

specification free monitoring CS 119 can we avoid writing specs? specification and programming specification runtime verification program input output 2 properties can be hard to write To quote quite excellent NASA software engineer

987 views • 65 slides
Automatic Synthesis of Code Using Genetic Programming Doron A. Peled Bar Ilan University,

Automatic Synthesis of Code Using Genetic Programming Doron A. Peled Bar Ilan University,

Automatic Synthesis of Code Using Genetic Programming Doron A. Peled Bar Ilan University, Israel 1 Why not synthesize the software directly from specification? Specification System Specification Model checking/ Revision testing

694 views • 51 slides
Project Overview TRS High Level Architecture Specification Language and Synthesis ISA

Project Overview TRS High Level Architecture Specification Language and Synthesis ISA

MIT9904-04 Malleable Architectures for Adaptive Computing Arvind, Rudolph and Devadas Project Overview TRS High Level Architecture Specification Language and Synthesis ISA Cache Malleable Architectures Specification

165 views • 3 slides
Update to the 2020 Unified Transportation Program Texas Transportation Commission 2020 Unified

Update to the 2020 Unified Transportation Program Texas Transportation Commission 2020 Unified

Update to the 2020 Unified Transportation Program Texas Transportation Commission 2020 Unified Transportation Program April 30, 2020 April 30, 2020 Unified Transportation Program Purpose Despite its importance to TxDOT as a planning and

257 views • 14 slides
Management Liability Corporate Compliance, Executive Liability and D&O Insurance in Germany

Management Liability Corporate Compliance, Executive Liability and D&O Insurance in Germany

Management Liability Corporate Compliance, Executive Liability and D&O Insurance in Germany November 14, 2018 Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown

425 views • 21 slides
Guaranteed Energy Savings Project (GESP) 1 I N F O R M A T I O N A L P R E S E N T A T I O N S

Guaranteed Energy Savings Project (GESP) 1 I N F O R M A T I O N A L P R E S E N T A T I O N S

Guaranteed Energy Savings Project (GESP) 1 I N F O R M A T I O N A L P R E S E N T A T I O N S C O T T T E S S E N V I R O N M E N T A L S U S T A I N A B I L I T Y M A N A G E R Purpose 2 GESP is a facilities improvement mechanism

179 views • 17 slides
Community Project Presentation TEDx-Style Talk Student(s) name (s): School number: Supervisor:

Community Project Presentation TEDx-Style Talk Student(s) name (s): School number: Supervisor:

Community Project Presentation TEDx-Style Talk Student(s) name (s): School number: Supervisor: Type of service: Proposal for action: Word count and Time Allowance: Contents page Investigating Page Planning Page Taking action Page Reflecting

415 views • 13 slides
Understanding Your Federal Loan Repayment Plan Options COMPARING REPAYMENT OPTIONS BY SARAH QIN

Understanding Your Federal Loan Repayment Plan Options COMPARING REPAYMENT OPTIONS BY SARAH QIN

Understanding Your Federal Loan Repayment Plan Options COMPARING REPAYMENT OPTIONS BY SARAH QIN AND DENNIS MURPHY Agenda Questions to ask yourself Introductory notes Standard Repayment Extended (Fixed) Repayment Graduated Repayment

500 views • 37 slides
Strategic Plan for Tourism 2016-2021 Final Presentation Prepared for November 2016 Contents

Strategic Plan for Tourism 2016-2021 Final Presentation Prepared for November 2016 Contents

Prince Edward Island Strategic Plan for Tourism 2016-2021 Final Presentation Prepared for November 2016 Contents Moving from Good to Great Situation Analysis Vision, Principles & Strategic Objectives Strategic Recommendations

555 views • 32 slides
Calgary Transit Greening the Fleet Russell Davies Manager, Transit Fleet 1 June 13, 2016 |

Calgary Transit Greening the Fleet Russell Davies Manager, Transit Fleet 1 June 13, 2016 |

Calgary Transit Greening the Fleet Russell Davies Manager, Transit Fleet 1 June 13, 2016 | Presentation V05 Calgary Transit Provide over 600,000 trips a day on Bus and Light Rail Fleet 222 Light Rail Vehicles 40 Buses 750 60

414 views • 14 slides
Floyd County, Georgia Auditors Discussion & Analysis Financial & Compliance Audit

Floyd County, Georgia Auditors Discussion & Analysis Financial & Compliance Audit

Floyd County, Georgia Auditors Discussion & Analysis Financial & Compliance Audit Summary December 31, 2017 Presented by: Floyd County, Georgia Auditors Discussion & Analysis (AD&A) December 31, 2017 PURPOSE OF THE AUDITORS

483 views • 46 slides

More recommend