Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Published byVictoria Hubbard Modified over 8 years ago

Similar presentations

Presentation on theme: "Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University."— Presentation transcript:

1 Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University

2 Symbolic Model Checking of Software Goal: –Use BDD-based Symbolic Model Checker for the verification of concurrent software Motivation: – Very successful for large state spaces in hardware Challenges: –Generating the models (language -> SMV) –Adding Partial-Order Reduction –Optimized BDD-operations (e.g., generation and storage) This Talk: –Focus on Partial-Order Reduction

3 Outline Background –Modeling language –Partial-order reduction –Twophase algorithm New Approach: ImProviso –Basic formulation –Extensions –Experimental results Related Work Future Work Conclusions

4 Background: Software Verification Concurrent software –Asynchronous execution, unlike hardware –Huge state space, e.g. large variable ranges Partial-order reduction (POR) –Attacks the state-space explosion problem –Very effective in explicit-state model checking –Symbolic Model Checking yet to benefit

5 Background: Modeling Language Process-oriented modeling language –Each process maintains local variables –Each process has a program counter System –Concurrent processes –Global variables –Point-to-point channels Each process is specified as statements –Statements are formalized as transition functions –Multiple statements per pc value allowed, i.e. non-determinism Example: Promela

6 Background: Partial-Order Reduction s0s0’ s0s1’ s1s0’ s1s1’ x = 1 y = 2 Choose a representative set of paths

7 Background: Partial-Order Reduction Two kinds of state-expansion –Full Expansion generate next states for all enabled transitions –Partial Expansion expand only a subset of enabled transitions, postponing all others Challenges: –How to choose such subset? (-> deterministic) –How to avoid transitions being postponed indefinitely? (-> proviso)

8 Background: Deterministic States Which subset of enabled transitions to choose? Deterministic state for a process P: –Only one transition t of P enabled at that state –Can be taken without affecting property to be verified Partial Expansions of deterministic states –Do not need to consider all interleavings A state s is deterministic for a process P iff:  only one transition t of P is enabled in s  t commutes with transitions that can be executed by other processes  executing t does not disable transitions of other processes  executing a transition of another process cannot disable or enable any transition of P A state s is deterministic for a process P iff:  only one transition t of P is enabled in s  t commutes with transitions that can be executed by other processes  executing t does not disable transitions of other processes  executing a transition of another process cannot disable or enable any transition of P

9 Background: Partial-Order Reduction Avoiding transitions being postponed indefinitely: Proviso SPIN: In-Stack Proviso –Partial Expansion should not generate a state in stack –Otherwise, must do Full Expansion S1S1 S2S2 S3S3 S4S4 t1t1 t1t1 t1t1 t2t2 t2t2 t2t2 t0t0 t3t3 t4t4 t5t5

10 Combining POR with Symbolic Model Checking POR developed for explicit-state –DFS –Stack: for proviso check Whereas symbolic verification –Involves a BFS-like algorithm –No stack exists –Only frontier at hand

11 Twophase Partial-Order Algorithm Nalumasu, Gopalakrishnan [1997] –Modified proviso check –Alternating phases Phase 1: Do for each process in sequence expand if in deterministic state Phase 2: Full expansion of the current state Proviso check: S1S1 S2S2 S3S3 S4S4 P1P1 P1P1 P1P1 P2P2 (a) S5S5 S6S6 S7S7 S8S8 P1P1 P1P1 P2P2 P2P2 (b) Suits the symbolic case

12 New Approach: ImProviso Implicit Proviso check –Employs BDDs Motivation –Based on Twophase (explicit-state) –Observation: can be formulated in an implicit way –Crucial point: more efficient proviso than previous techniques New Contributions: –Defining the transition relation –Implicit formulation –Dropping the determinism –Additional fixpoint computation Automated and incorporated into NuSMV

13 ImProviso: Defining the Transition Relation Two transition relations: –TR1: all transitions from deterministic states (Phase 1) –TR2: entire system (Phase 2) TR1 is further partitioned: – one transition relation for each process P i Example: –Statement reads from a channel into a local variable –States in which the channel is not empty are deterministic –TR1 := channel is not empty => TR-stmt

14 ImProviso: Dropping the Determinism Twophase: –Only one transition in Phase 1 may be enabled –Simplifies Twophase implementation –Not necessary for correctness ImProviso allows non-determinism in Phase 1 –Multiple enabled transitions in each process –Each enabled transition must fulfill other conditions of a deterministic state BFS search, i.e. enabled transitions expanded at the same time

15 ImProviso: Pseudo-Code

16 ImProviso: Illustration rec: d=0 1 send: a!1 1 rec: a?x 1 p1: c=1 2 p2: c=0 2 p1: c=0 2 p2: c=1 2 rec: a?x 2 1 1 bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0;... } active proctype p2() { c=1;... }

17 ImProviso: Illustration bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0;... } active proctype p2() { c=1;... } Phase1: Fixed Point p1: c=0 2 p2: c=1 2 rec: d=0 1 send: a!1 1 rec: a?x 1 1

18 ImProviso: Implicit Formulation Implicit formulation of the algorithm –conceptually simple but… not so easy to get right Reason: paths may have different lengths –BFS instead of DFS ImProviso: ‘tighter’ over-approximation than previous symbolic methods –Problem: visited vs. in-stack phase-1 only Cycles -> local check Larger than phase-1 -> no issue!

19 Related Work Two other approaches combine PO and Symbolic Model Checking: –Kurshan et al.: Preprocess the model –Alur et al.: BDD-based Alur’s approach Stack P1P1 P1P1 P2P2 P1P1 Current Image ImProviso

20 Implementation Automated Model Checking framework –ImProviso implemented in NuSMV Current examples translated from Promela Considerable effort to compare with explicit state model checkers –e.g., atomic construct in Spin Promela2SMV translator NuSMV + ImProviso Promela Specifications Add Phase 1 and Phase 2 information

21 Comparison: NuSMV vs. NuSMV-ImProviso #states: significant reduction Time: significant reduction Memory: No reduction

22 Comparison: NuSMV-ImProviso, PV, and SPIN SPIN and PV faster, if they can handle example NuSMV-ImProviso can handle more examples NuSMV-ImProviso matches PV, SPIN on Best, Worst

23 Comparison: Leader Election Protocol Models of same size in SMV and Promela Same reduction SPIN, PV faster until…

24 Leader with Non-deterministic Initial State

25 Future Work Reduce memory and run time –BDD blowup problem –BDD algorithms optimized for Concurrent Software Verification of both safety and liveness properties –Only safety now Flexible input languages –Only Promela now

26 Conclusions Novel Partial Order Reduction algorithm for Symbolic Model Checking –Incorporated into NuSMV Illustrated the effectiveness with several benchmark examples Current focus is on tackling large run-time and memory problems Symbolic Model Checking of Software, Software Model Checking Workshop CAV’03

Download ppt "Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University."

Similar presentations

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Openflow App Testing Chao SHI, Stephen Duraski. Motivation Network is still a complex stuff ! o Distributed mechanism o Complex protocol o Large state.

Openflow App Testing Chao SHI, Stephen Duraski. Motivation Network is still a complex stuff ! o Distributed mechanism o Complex protocol o Large state.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.

Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.
Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Weizmann Institute Deciding equality formulas by small domain instantiations O. Shtrichman The Weizmann Institute Joint work with A.Pnueli, Y.Rodeh, M.Siegel.

Similar presentations

Ads by Google