V erification de syst` emes avec compteurs et pointeurs Arnaud - - PowerPoint PPT Presentation

V´ erification de syst` emes avec compteurs et pointeurs

Arnaud Sangnier LSV, ENS Cachan, CNRS & EDF R&D 21 Novembre 2008

Th` ese CIFRE r´ ealis´ ee dans le cadre du projet RNTL AVERILES

1

Computer systems are everywhere

Introduction

2

Computer systems are everywhere

Introduction

2

Computer systems are everywhere

Introduction

2

Introduction

3

Objective of the thesis

Propose methods to verify automatically the correct behaviour of programs

Example of program

List reverse(List p) { List q,r; q =NULL; while (p!=NULL) { r=q; q=p; p=p->next; q->next=r; } return q; }

Characterictic

• f

the pro- grams :

• Manipulate dynamically

the memory heap Property to check :

• Absence of errors

Introduction

4

Formal methods

Use of mathematics to prove a desired property Different methods have been proposed :

• Automatic generation of tests
• Theorem proving
• Model checking

⇒ These methods are often complementary

Introduction

5

Formal methods

Use of mathematics to prove a desired property Different methods have been proposed :

• Automatic generation of tests
• Theorem proving
• Model checking

⇒ These methods are often complementary

Introduction

5

Principle of model checking

Does a system satisfy a specification ?

Introduction

6

Principle of model checking

Does a system satisfy a specification ? Model

Introduction

6

Principle of model checking

Does a system satisfy a specification ?

Φ

Model Formula

Introduction

6

Principle of model checking

Does a system satisfy a specification ?

| = Φ

? Model Formula model-checking algorithm

Introduction

6

Model checking issues

1 Define models to represent the systems

• Finite state systems / Infinite state systems

2 Define specification languages to express properties

• Temporal logics

3 Find algorithms and/or procedures of model-checking

⇒ Trade-off between efficiency and expressiveness

Introduction

7

Verification of programs with lists

• Active field of research
• Many methods using shape analysis

⇒ Find a method to refine shape analysis

[Bardin et al. 04]

• There is a strong connection between programs with lists

and counter machines

• Considering the length of the lists allows to refine shape

analysis In this thesis :

1 Study of counter machines 2 Establish a link between counter machines and programs

with lists

Introduction

8

Counter machines

Finite Automaton + Integer Variables q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 10 ≤ x1?

• An execution :

Introduction

9

Counter machines

Finite Automaton + Integer Variables q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 10 ≤ x1?

• An execution : (q1, 0)

Introduction

9

Counter machines

Finite Automaton + Integer Variables q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 10 ≤ x1?

• An execution :

(q1, 0) → (q2, 2)

Introduction

9

Counter machines

Finite Automaton + Integer Variables q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 10 ≤ x1?

• An execution :

(q1, 0) → (q2, 2) → (q1, 1) → (q2, 3) . . .

Introduction

9

Counter machines

Finite Automaton + Integer Variables q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 10 ≤ x1?

• An execution :

(q1, 0) → (q2, 2) → (q1, 1) → (q2, 3) . . .

• The reachability set :

Reach(S, (q1, 0)) = {q1} × N ∪{q2} × N \ {0, 1} ∪{q3} × N \ {0, . . . , 9}

Introduction

9

Verification of counter machines

Theorem [Minsky 67]

The reachability problem is undecidable for 2-counter machines

For some classes reachability is decidable

• Petri nets or VASS

[Kosaraju 82, Mayr 84]

• Reversal-bounded counter machines

[Ibarra 78]

• Flat and flattable counter machines

[Finkel & Leroux 02]

• How to represent the reachability set of a counter machine

⇒ With semi-linear sets / Presburger arithmetic

• FAST : A tool to compute semi-linear reachability set

[Leroux et al. 03]

Introduction

10

Outline

1

Introduction

2

Verification of counter machines Reversal-bounded counter machines Model-checking counter machines with freeze LTL

3

Verification of programs with lists

4

Conclusion

Introduction

11

Outline

1

Introduction

2

Verification of counter machines Reversal-bounded counter machines Model-checking counter machines with freeze LTL

3

Verification of programs with lists

4

Conclusion

Verification of counter machines

12

Motivation

Find classes of counter machines for which reachability problems are decidable

Verification of counter machines

13

Motivation

Find classes of counter machines for which reachability problems are decidable Even better: Find classes of counter machines for which the reachability set can be computed

Verification of counter machines

13

Ibarra-reversal-bounded counter machines

Definition [Ibarra78]

A counter machine (S, c0) is Ibarra-reversal-bounded iff there exists a k ∈ N s.t. in all the executions of S leaving from c0, each counter does at most k alternations between increasing and decreasing mode. q1 q2 x′

1 = x1 + 2

x′

1 = x1 − 1

q3 3 ≤ x1? Not Ibarra-reversal-bounded (with c0 = (q1, 0))

Verification of counter machines

14

Ibarra-reversal-bounded counter machines

Definition [Ibarra78]

A counter machine (S, c0) is Ibarra-reversal-bounded iff there exists a k ∈ N s.t. in all the executions of S leaving from c0, each counter does at most k alternations between increasing and decreasing mode. q1 x′

1 = x1 + 1

q3 3 ≤ x1? Ibarra-reversal-bounded (with c0 = (q1, 0))

Verification of counter machines

14

Counter machines with computable semi-linear reachability set

Bounded

Verification of counter machines

15

Counter machines with computable semi-linear reachability set

[Ibarra 78] Ibarra Reversal Bounded Bounded

Verification of counter machines

15

Counter machines with computable semi-linear reachability set

[Leroux & Sutre 05] Flattable (termination of FAST ) Ibarra Reversal Bounded Bounded

Verification of counter machines

15

A not Ibarra-reversal-bounded counter machine

q1 q2 x′ = x + 1 x′ = x − 1 S

• (S, (q1, 0)) is not Ibarra-reversal-bounded
• Reach(S, (q1, 0)) = {(q1, 0), (q2, 1)} is finite hence

semi-linear ⇒ Extend the notion of reversal-bounded

Verification of counter machines

16

Reversal-bounded counter machines

Definition [MFCS 08]

A counter machine (S, c0) is k-reversal-b-bounded iff each counter does at most k alternations over the bound b.

. . . . . .

b

Verification of counter machines

17

Reversal-bounded counter machines

Definition [MFCS 08]

A counter machine (S, c0) is k-reversal-b-bounded iff each counter does at most k alternations over the bound b.

. . . . . .

b Remarks :

• Ibarra-reversal-bounded counter machines are

reversal-0-bounded

• b-bounded counter machines are 0-reversal-b-bounded

Verification of counter machines

17

Counter machines with computable semi-linear reachability set

Ibarra Reversal Bounded Bounded

Verification of counter machines

18

Counter machines with computable semi-linear reachability set

[MFCS 08] Ibarra Reversal Bounded Bounded Reversal Bounded

Verification of counter machines

18

Counter machines with computable semi-linear reachability set

Flattable (termination of FAST ) Ibarra Reversal Bounded Bounded Reversal Bounded

Verification of counter machines

18

Can we decide if a counter machine is reversal-bounded ?

Undecidability [MFCS 08]

The following problems are undecidable for counter machines

• 1. Reversal-boundedness
• 2. k-reversal-boundedness (for a fixed k)
• 3. Reversal-b-boundedness (for a fixed b)

Verification of counter machines

19

Can we decide if a counter machine is reversal-bounded ?

Undecidability [MFCS 08]

The following problems are undecidable for counter machines

• 1. Reversal-boundedness
• 2. k-reversal-boundedness (for a fixed k)
• 3. Reversal-b-boundedness (for a fixed b)

Decidability [MFCS 08]

• 1. Verifying if a counter machine is k-reversal-b-bounded is

decidable

• 2. Verifying if a VASS is reversal-bounded is decidable

Verification of counter machines

19

Verifying counter machines using reversal-bounded counter machines

Require: S a counter machine; Require: (q0, v0) an initial configuration; Ensure: C a set of configurations;

1: C = {(q0, v0)}, k = 0, b = 0 2: while Post(S, C) ⊆ C do 3:

k = k + 1

4:

b = b + 1

5:

Choose an unfolding Sk,b of S which is k-reversal-b- bounded

6:

C = Reach(Sk,b, (q0, v0))

7: end while 8: return C

Verification of counter machines

20

Outline

1

Introduction

2

Verification of counter machines Reversal-bounded counter machines Model-checking counter machines with freeze LTL

3

Verification of programs with lists

4

Conclusion

Verification of counter machines

21

Motivation

Describe the temporal behavior of a counter machine How ?

Temporal logics

• linear time : LTL

[Pnueli 77]

• branching time : CTL

[Clarke & Emerson 82]

• CTL∗

[Emerson & Halpern 83] ⇒ Do not allow to speak about the values of the counter

Verification of counter machines

22

Motivation

Describe the temporal behavior of a counter machine How ?

Temporal logics

• linear time : LTL

[Pnueli 77]

• branching time : CTL

[Clarke & Emerson 82]

• CTL∗

[Emerson & Halpern 83] ⇒ Do not allow to speak about the values of the counter

Possible extensions

• FOCTL∗(Pr) : Presburger formulae as atomic propositions

[Demri et al. 06]

• Freeze LTL : logic for data words

[Demri & Lazi´ c & Nowak 05]

Verification of counter machines

22

Freeze LTL : LTL↓,Σ

Syntax

φ ::= q | ↑r | ¬φ | φ ∧ φ | φUφ | Xφ | ↓r φ

• Models:

q0 q2 q3 q2 q3 q2 1 2 3 4

• Register valuation v: (partial) map from N \ {0} to N.

Satisfaction relation

σ, i | =v q

def

⇔ σ(i) has location q σ, i | =v ↑r

def

⇔ σ(i) has counter value v(r) σ, i | =v Xφ

def

⇔ i + 1 < |σ| and σ, i + 1 | =v φ σ, i | =v ↓r φ

def

⇔ σ, i | =v[r→ni] φ

Verification of counter machines

23

Examples

• There is a suffix such that all counter values are different

FG(↓1 XG¬ ↑1) q0 q2 q3 q2 q3 q2 q2 · · · 1 3 2 4 5 · · ·

• Whenever location q is reached with current counter value

n and next current counter value m, if there is a later following occurrence of q, the two consecutive counter values are also n and m G(q ⇒↓1 X ↓2 XG(q ⇒↑1 ∧X ↑2)) q q′ q′ q q′′ q” q” · · · 5 6 1 5 6 8 9 · · ·

Verification of counter machines

24

Application to counter machines

Executions as data words

• Finite alphabet : control states
• Data : counter values

Restriction to one-counter machines (1CM) Remark 1: 1CM are simple operational models but freeze LTL can specify rich properties Remark 2: Numerous problems are decidable for 1CM

Verification of counter machines

25

Previous results

Theorem [Muller & Schupp 85, Serre 06]

The model-checking of propositional µ-calculus is decidable for

• ne-counter machines and it is in PSPACE.

Verification of counter machines

26

Previous results

Theorem [Muller & Schupp 85, Serre 06]

The model-checking of propositional µ-calculus is decidable for

• ne-counter machines and it is in PSPACE.

Theorem [Demri & Lazi´ c 06]

• The satisfiability problem for LTL↓,Σ with one register is

decidable over finite data words

• The satisfiability problem for LTL↓,Σ with two registers is

undecidable over finite and infinite data words

Verification of counter machines

26

(Existential) Model checking of LTL↓,Q

Inputs:

• a one-counter machine M
• a sentence φ of LTL↓,Q

Finitary model-checking

Is there a finite accepting run ρ of M such that ρ, 0 | = φ ?

Infinitary model-checking

Is there an infinite accepting run ρ of M such that ρ, 0 | = φ ?

Verification of counter machines

27

Variants

Studied restrictions

• With a fixed number of registers

Hypothesis on 1CM:

• Deterministic : From every location q :

q OR q q′ inc OR q q′ dec q′′ ifzero

• Non-deterministic

Verification of counter machines

28

Results for model-checking of LTL↓,Q

Theorem [FOSSACS 08]

Model-checking is PSPACE-complete for deterministic one- counter machines

Verification of counter machines

29

Results for model-checking of LTL↓,Q

Theorem [FOSSACS 08]

Model-checking is PSPACE-complete for deterministic one- counter machines

Theorem [FOSSACS 08]

Model-checking with one register is undecidable for non- deterministic one-counter machines

Verification of counter machines

29

Results for model-checking of LTL↓,Q

Theorem [FOSSACS 08]

Model-checking is PSPACE-complete for deterministic one- counter machines

Theorem [FOSSACS 08]

Model-checking with one register is undecidable for non- deterministic one-counter machines These results still hold if you do not allow the logic to speak about the control states

Verification of counter machines

29

Outline

1

Introduction

2

Verification of counter machines Reversal-bounded counter machines Model-checking counter machines with freeze LTL

3

Verification of programs with lists

4

Conclusion

Verification of programs with lists

30

Motivation

Checking safety properties on programs manipulating dynamically linked lists

Existing tools

• TVLA : tool based on abstraction of shape graphs

[Sagiv et al. 04]

• Space invaders : tool based on separation logic

[Calcagno et al. 08]

• Many other methods

Main issues of this work

• More precise (exact)
• Verify programs with lists and integer variables

Verification of programs with lists

31

Which properties ?

Properties

• Absence of memory violation
• Absence of memory leak
• Qualitative properties (shape analysis)
• Ex : The reverse function returns an acyclic list
• Quantitative properties
• Ex : The reverse function returns a list of the same size

as the input list

Quantitative properties can be used :

• To refine shape analysis
• To prove termination of programs

Verification of programs with lists

32

Pointer systems

Finite Automaton + Pointer Variables

void deleteAll(List p) { List q; while (p!=NULL) { q=p; p=p->next; free(q); } }

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q)

Verification of programs with lists

33

Encoding the heap as a graph

Execution of a pointer system

3 2 1 5 ¬p == null? q = p p == null? skip p = p.next free(q)

Verification of programs with lists

34

Encoding the heap as a graph

Execution of a pointer system

3 2 1 5 ¬p == null? q = p p == null? skip p = p.next free(q) 1, MG1 MG1 p null

Verification of programs with lists

34

Encoding the heap as a graph

Execution of a pointer system

3 2 1 5 ¬p == null? q = p p == null? skip p = p.next free(q) 1, MG1 2, MG2 MG2 p q null

Verification of programs with lists

34

Encoding the heap as a graph

Execution of a pointer system

3 2 1 5 ¬p == null? q = p p == null? skip p = p.next free(q) 1, MG1 2, MG2 3, MG3 MG3 q p null

Verification of programs with lists

34

Encoding the heap as a graph

Execution of a pointer system

3 2 1 5 ¬p == null? q = p p == null? skip p = p.next free(q) 1, MG1 2, MG2 3, MG3 1, MG4 MG4 p null

Verification of programs with lists

34

Undecidability results

A pointer system with 3 variables can simulate a 2 counter machine Consequence :

Theorem [Bardin et al. 04]

Absence of memory violation and of memory leak are undecid- able problems for pointer systems ⇒ Find a way to verify programs working over lists despite these undecidability results

Verification of programs with lists

35

Memory shapes : encoding graphs using counters

p q null Memory graph

Verification of programs with lists

36

Memory shapes : encoding graphs using counters

1 Compression of irrelevant nodes

p q null Memory graph

Verification of programs with lists

36

Memory shapes : encoding graphs using counters

1 Compression of irrelevant nodes

p q null Memory graph p q null Memory shape

Verification of programs with lists

36

Memory shapes : encoding graphs using counters

1 Compression of irrelevant nodes 2 Labeling with strictly positive counters

p q null Memory graph p q null x1 x2 Memory shape

v(x1) ≥ 1 v(x2) ≥ 1

Verification of programs with lists

36

Memory shapes : encoding graphs using counters

1 Compression of irrelevant nodes 2 Labeling with strictly positive counters

p q null Memory graph p q null x1 x2 Memory shape

v(x1) ≥ 1 v(x2) ≥ 1 v(x1) = 2 v(x2) = 1

Verification of programs with lists

36

Memory shapes : encoding graphs using counters

1 Compression of irrelevant nodes 2 Labeling with strictly positive counters

p q null Memory graph p q null x1 x2 Memory shape

v(x1) ≥ 1 v(x2) ≥ 1 v(x1) = 2 v(x2) = 1

• There is a finite number of memory shapes

[Bardin et al. 04]

Verification of programs with lists

36

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . G3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0 Verification of programs with lists

37

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . G3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0

p null x1

Verification of programs with lists

37

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . G3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0

p q null x1

Verification of programs with lists

37

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . G3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0

q null p x1

Verification of programs with lists

37

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . D3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0

q null p x2 x1

Verification of programs with lists

37

From pointer systems to counter machines

[Bouajjani et al. 06, AVIS 06]

• A control state of the counter machine =

a memory shape + a control state of the pointer system

3 2 1 4 ¬p == null? q = p p == null? skip p = p.next free(q) A1 B2 C3 . . . D3 Err x2 > 1? x1 = 1? x1 > 1? x′

2 = 1, x′ 1 = x1 − 1

x2 = 1? x′

2 = 0

null p x1

Verification of programs with lists

37

Verification of pointer systems

Theorem [AVIS 06]

The resulting counter machine is bisimilar to the pointer system Two steps analysis procedure :

1 Building of the counter machine 2 Reachability analysis on the counter machine

Remark : During the first step, absence of errors can already be detected

Verification of programs with lists

38

TOPICS

Translation Of Programs Into Counter Systems TOPICS is a tool which implements the previous translation (15 000 lines in Java)

Features of TOPICS

• Takes as input C programs with :
• Integer variables and pointer variables
• Finite size arrays
• Non-recursive function calls
• Produces a counter machine (FAST and ASPIC )
• Properties checked
• Absence of memory violation
• Absence of memory leak
• Absence of out of bound error

Verification of programs with lists

39

Results obtained with TOPICS

Case States of States of Results R´ esultats R´ esultats Study the pointer the counter after translation ASPIC FAST system system create 7 14 No SegF No MemL No MemL No Undef No OOBound insert 19 44 No SegF No MemL No Undef No OOBound reverse 8 19 No SegF No MemL No MemL No Undef No OOBound deleteAll 5 8 No SegF No MemL No MemL No Undef No OOBound merge 20 532 No OOBound No SegF No Undef No MemL mainReverse 14 45 No SegF No MemL No OOBound doubleFree 8 15 No OOBound No MemL No MemL No Undef SegF doubleFree 7 15 No OOBound No MemL No MemL even length lists No Undef No SegF

Verification of programs with lists

40

Outline

1

Introduction

2

Verification of counter machines Reversal-bounded counter machines Model-checking counter machines with freeze LTL

3

Verification of programs with lists

4

Conclusion

Conclusion

41

Contributions

1 Study of counter machines

[MFCS 08]

• Extension of the class of Ibarra-reversal-bounded counter

machines

• The new class still has a semi-linear reachability set

2 Model checking of counter machines

[FOSSACS 08]

• Model checking of freeze LTL over one-counter machines :
• with deterministic machines : PSPACE-complete
• with non-deterministic machines : undecidable

3 Verification of programs with lists

[AVIS 06, ILC 07]

• Translation towards counter machines
• Implementation of this translation

Conclusion

42

Perspectives

• Counter machines
• Implement a tool to compute the reachability set of

reversal-bounded counter machines

• Study model-checking of freeze LTL over reversal-bounded

counter machines

• Pointer systems
• Extend the proposed translation for programs working over

more general data structures

• Improve the tool TOPICS

More general perspectives

Develop others techniques to verify programs (use of abstrac- tions, consider other models,. . . )

Conclusion

43