Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University

Symbolic Model Checking of Software Goal: –Use BDD-based Symbolic Model Checker for the verification of concurrent software Motivation: – Very successful for large state spaces in hardware Challenges: –Generating the models (language -> SMV) –Adding Partial-Order Reduction –Optimized BDD-operations (e.g., generation and storage) This Talk: –Focus on Partial-Order Reduction

Outline Background –Modeling language –Partial-order reduction –Twophase algorithm New Approach: ImProviso –Basic formulation –Extensions –Experimental results Related Work Future Work Conclusions

Background: Software Verification Concurrent software –Asynchronous execution, unlike hardware –Huge state space, e.g. large variable ranges Partial-order reduction (POR) –Attacks the state-space explosion problem –Very effective in explicit-state model checking –Symbolic Model Checking yet to benefit

Background: Modeling Language Process-oriented modeling language –Each process maintains local variables –Each process has a program counter System –Concurrent processes –Global variables –Point-to-point channels Each process is specified as statements –Statements are formalized as transition functions –Multiple statements per pc value allowed, i.e. non-determinism Example: Promela

Background: Partial-Order Reduction s0s0’ s0s1’ s1s0’ s1s1’ x = 1 y = 2 Choose a representative set of paths

Background: Partial-Order Reduction Two kinds of state-expansion –Full Expansion generate next states for all enabled transitions –Partial Expansion expand only a subset of enabled transitions, postponing all others Challenges: –How to choose such subset? (-> deterministic) –How to avoid transitions being postponed indefinitely? (-> proviso)

Background: Deterministic States Which subset of enabled transitions to choose? Deterministic state for a process P: –Only one transition t of P enabled at that state –Can be taken without affecting property to be verified Partial Expansions of deterministic states –Do not need to consider all interleavings A state s is deterministic for a process P iff:  only one transition t of P is enabled in s  t commutes with transitions that can be executed by other processes  executing t does not disable transitions of other processes  executing a transition of another process cannot disable or enable any transition of P A state s is deterministic for a process P iff:  only one transition t of P is enabled in s  t commutes with transitions that can be executed by other processes  executing t does not disable transitions of other processes  executing a transition of another process cannot disable or enable any transition of P

Background: Partial-Order Reduction Avoiding transitions being postponed indefinitely: Proviso SPIN: In-Stack Proviso –Partial Expansion should not generate a state in stack –Otherwise, must do Full Expansion S1S1 S2S2 S3S3 S4S4 t1t1 t1t1 t1t1 t2t2 t2t2 t2t2 t0t0 t3t3 t4t4 t5t5

Combining POR with Symbolic Model Checking POR developed for explicit-state –DFS –Stack: for proviso check Whereas symbolic verification –Involves a BFS-like algorithm –No stack exists –Only frontier at hand

Twophase Partial-Order Algorithm Nalumasu, Gopalakrishnan [1997] –Modified proviso check –Alternating phases Phase 1: Do for each process in sequence expand if in deterministic state Phase 2: Full expansion of the current state Proviso check: S1S1 S2S2 S3S3 S4S4 P1P1 P1P1 P1P1 P2P2 (a) S5S5 S6S6 S7S7 S8S8 P1P1 P1P1 P2P2 P2P2 (b) Suits the symbolic case

New Approach: ImProviso Implicit Proviso check –Employs BDDs Motivation –Based on Twophase (explicit-state) –Observation: can be formulated in an implicit way –Crucial point: more efficient proviso than previous techniques New Contributions: –Defining the transition relation –Implicit formulation –Dropping the determinism –Additional fixpoint computation Automated and incorporated into NuSMV

ImProviso: Defining the Transition Relation Two transition relations: –TR1: all transitions from deterministic states (Phase 1) –TR2: entire system (Phase 2) TR1 is further partitioned: – one transition relation for each process P i Example: –Statement reads from a channel into a local variable –States in which the channel is not empty are deterministic –TR1 := channel is not empty => TR-stmt

ImProviso: Dropping the Determinism Twophase: –Only one transition in Phase 1 may be enabled –Simplifies Twophase implementation –Not necessary for correctness ImProviso allows non-determinism in Phase 1 –Multiple enabled transitions in each process –Each enabled transition must fulfill other conditions of a deterministic state BFS search, i.e. enabled transitions expanded at the same time

ImProviso: Pseudo-Code

ImProviso: Illustration rec: d=0 1 send: a!1 1 rec: a?x 1 p1: c=1 2 p2: c=0 2 p1: c=0 2 p2: c=1 2 rec: a?x bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0;... } active proctype p2() { c=1;... }

ImProviso: Illustration bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0;... } active proctype p2() { c=1;... } Phase1: Fixed Point p1: c=0 2 p2: c=1 2 rec: d=0 1 send: a!1 1 rec: a?x 1 1

ImProviso: Implicit Formulation Implicit formulation of the algorithm –conceptually simple but… not so easy to get right Reason: paths may have different lengths –BFS instead of DFS ImProviso: ‘tighter’ over-approximation than previous symbolic methods –Problem: visited vs. in-stack phase-1 only Cycles -> local check Larger than phase-1 -> no issue!

Related Work Two other approaches combine PO and Symbolic Model Checking: –Kurshan et al.: Preprocess the model –Alur et al.: BDD-based Alur’s approach Stack P1P1 P1P1 P2P2 P1P1 Current Image ImProviso

Implementation Automated Model Checking framework –ImProviso implemented in NuSMV Current examples translated from Promela Considerable effort to compare with explicit state model checkers –e.g., atomic construct in Spin Promela2SMV translator NuSMV + ImProviso Promela Specifications Add Phase 1 and Phase 2 information

Comparison: NuSMV vs. NuSMV-ImProviso #states: significant reduction Time: significant reduction Memory: No reduction

Comparison: NuSMV-ImProviso, PV, and SPIN SPIN and PV faster, if they can handle example NuSMV-ImProviso can handle more examples NuSMV-ImProviso matches PV, SPIN on Best, Worst

Comparison: Leader Election Protocol Models of same size in SMV and Promela Same reduction SPIN, PV faster until…

Leader with Non-deterministic Initial State

Future Work Reduce memory and run time –BDD blowup problem –BDD algorithms optimized for Concurrent Software Verification of both safety and liveness properties –Only safety now Flexible input languages –Only Promela now

Conclusions Novel Partial Order Reduction algorithm for Symbolic Model Checking –Incorporated into NuSMV Illustrated the effectiveness with several benchmark examples Current focus is on tackling large run-time and memory problems Symbolic Model Checking of Software, Software Model Checking Workshop CAV’03