Presentation is loading. Please wait.

Presentation is loading. Please wait.

Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.

Similar presentations


Presentation on theme: "Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now."— Presentation transcript:

1 Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now at UPenn) Pascal Van Hentenryck (Brown)

2 An Product Line BaseEncryptDecryptSignAuthBaseEncryptDecryptSignAuthBaseSignAuth

3 A Desired Product Property Signed s can always be authenticated BaseEncryptDecryptSignAuth Decrypting mangles the signature

4 Mix-and-Match Systems F1F2F4Sign F2F4F1F4F3F2F1F3F4SignF2 There is no single “program”! The number of configurations is enormous…

5 Model Checking Product Lines Features unaware of other features and their requirements by design Products often contain bugs as a result –“feature interaction problem” Modular reasoning essential to cope with design space (not product size)

6 Modeling Features and Products Points of entry (s0) and exit (s2) sign s1 s0s2 SignBaseSignAuth Product: a sequential composition of features Feature:

7 Verification Problem (1) Have a set of features and a property that should hold of all products Verify property against each feature separately Combine results to show property holds of product

8 Try Model Checking Problems: Sign feature has no knowledge of encrypted Property must hold globally –but there is no temporal information at s2 What value to return? sign s1 s0s2 AG(encrypted  AF decrypt)

9 Model Checking’s Limitation Model checking designed to give a yes/no answer about a closed system Features are inherently open systems

10 Model Checking’s Limitation Two sources of openness: values of (some) propositions behavior along paths from exit sign s1 s0s2 AG(encrypted  AF decrypt)

11 Verification Problem (2) Have a set of features and a property that should hold of all products Derive constraint on each feature that is sufficient to preserve property –expensive verification should happen here Check constraints when form product –this step should be lightweight

12 Feature Constraints Where does value of encrypted come from? –from an earlier feature (enter at s0) Where do rest of control paths come from? –from the subsequent features (exit at s2) Want a constraint parameterized on these values sign s1 s0s2 AG(encrypted  AF decrypt)

13 Constraint Contents If encrypted is true at s0, what is required at s2? AF decrypt What must hold at s2 regardless of encrypted? AG(encrypted  AF decrypt) sign s1 s0s2 AG(encrypted  AF decrypt)

14 The Computed Constraint [AG(encrypted  AF decrypt)] s2   encrypted v [AF decrypt] s2 sign s1 s0s2 AG(encrypted  AF decrypt) constraint parameterized over both data and control values

15 Computing Constraints [AG(encrypted  AF decrypt)] s2   encrypted v [AF decrypt] s2 sign s1 s0s2 AG(encrypted  AF decrypt) Modification of basic model checker: Propositions: return name if value unknown Terminal states: return annotated formula

16 Discharging Constraints SignBaseEncryptDecryptAuth [AG(encrypted  AF decrypt)] s2   encrypted v [AF decrypt] s2 encrypted [AG(encrypted  AF decrypt)] s2, [AF decrypt] s2 effectively propositional

17 Verification Given Property P F3F1F2F4F5 C 3P C 1P C 2P C 4P C 5P D3D3 D1D1 D2D2 D4D4 D5D5 D1D1 D 1 o D 2 …… C 5 (D 1-5 ) …… …

18 Undiscussed Details Dataflow computation for data values Propositional reasoning actually 3-valued –handles data values across different paths Can use simpler reasoning about individual features in some cases

19 Case Study Conducted on an suite that exhibits many property violations (previously discovered manually by Robert Hall [ FITS 00 ]) Tested 9 properties; detected all violations successfully (each one a feature interaction) Detected violations without traversing features at composition time

20 Limitations Current algorithm cannot handle cyclic feature compositions ( DAG s fine) –supports pipe-and-filter architecture –have other work (heavier checks) supporting cyclic compositions and liveness properties [Fisler/Krishnamurthi FSE2001, FSE2004] Cycles within individual features cannot set data propositions used in properties

21 Perspective A non-trivial class of systems needs openness due to design considerations sequential composition looser forms of modular verification Traditional modular verification seems mismatched with these demands Our property-driven constraint generation targets these systems


Download ppt "Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now."

Similar presentations


Ads by Google