Edmund M. Clarke School of Computer Science Carnegie Mellon University Model Checking and the Verification of Computer Systems.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
SAT-based verification: underlying methods Mary Sheeran Chalmers University of Technology and Prover Technology AB.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Demonstration Of SPIN By Mitra Purandare
CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.
Software Engineering: Where are we? And where do we go from here? V Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
1 Model Checking Orna Grumberg Technion Haifa, Israel Taiwan, October 8, 2009.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking My 27 year quest to overcome the state explosion problem Edmund Clarke Computer Science Department Computer Science Department Carnegie.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
MCAI 2.0 Model Checking in Ten Minutes Edmund Clarke School of Computer Science Carnegie Mellon University.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
Grand Challenge Problem: Model Check Concurrent Software Edmund M. Clarke Department of Computer Science Carnegie Mellon University.
Lecture 1: Model Checking
50.530: Software Engineering
Using a Formal Specification and a Model Checker to Monitor and Guide Simulation Verifying the Multiprocessing Hardware of the Alpha Microprocessor.
7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
An Introduction to Formal Methods
Edmund M. Clarke School of Computer Science Carnegie Mellon University Lecture 2: Model Checking My 30 Year Quest to Conquer the State Explosion Problem.
1 Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation Orna Grumberg Technion Haifa, Israel Joint work with Rachel Tzoref.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.
Specifying circuit properties in PSL. Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet.
1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
Model Checking Overview Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA
Verification & Validation By: Amir Masoud Gharehbaghi
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Automated Formal Verification of PLC (Programmable Logic Controller) Programs
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,
On the Relation Between Simulation-based and SAT-based Diagnosis CMPE 58Q Giray Kömürcü Boğaziçi University.
Survey on the Formal Verification Dept. of Nuclear and Quantum Engineering NICIEL Myung Jun Song.
SAT for Software Model Checking Introduction to SAT-problem for newbie
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Basic concepts of Model Checking
SS 2017 Software Verification Bounded Model Checking, Outlook
Over-Approximating Boolean Programs with Unbounded Thread Creation
50.530: Software Engineering
Introduction to verification
Predicate Abstraction
Rich Model Toolkit – An Infrastructure for Reliable Computer Systems
Presentation transcript:

Edmund M. Clarke School of Computer Science Carnegie Mellon University Model Checking and the Verification of Computer Systems

2 Intel Pentium FDIV Bug  Try – / * = ? In ’94 Pentium, it doesn’t return 0, but 256.  Intel uses the SRT algorithm for floating point division. Five entries in the lookup table are missing.  Cost: $400 - $500 million  Xudong Zhao’s Thesis on Word Level Model Checking

3 Turing's Quote on Program Verification  “How can one check a routine in the sense of making sure that it is right?”  “The programmer should make a number of definite assertions which can be checked individually, and from which the correctness of the whole program easily follows.” Quote by A. M. Turing on 24 June 1949 at the inaugural conference of the EDSAC computer at the Mathematical Laboratory, Cambridge.

4 Temporal Logic Model Checking  Model checking is an automatic verification technique for finite state concurrent systems.  Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980’s.  The assertions written as formulas in propositional temporal logic. (Pnueli 77)  Verification procedure is algorithmic rather than deductive in nature.

5 Advantages of Model Checking  No proofs!!! (Algorithmic rather than Deductive)  Fast (compared to other rigorous methods such as theorem proving)  Diagnostic counterexamples  No problem with partial specifications  Logics can easily express many concurrency properties Second Edition on the way!

Model Checking NASA Missions Gerard Holzmann (JPL) The Spin Model Checker and Promela language. Applied to most missions launched in the last decade. 6 Mars Curiosity

Model Checking in Industry Many hardware companies use and develop model checkers: Intel, IBM, … Microsoft makes intensive use of software model checking. NEC: Varvel analyzed a total of about 40.5 M lines of code. Found more than a thousand bugs and bad coding patterns. 7

8 Main Disadvantage Curse of Dimensionality: Curse of Dimensionality: “In view of all that we have said in the foregoing sections, the many obstacles we appear to have surmounted, what casts the pall over our victory celebration? It is the curse of dimensionality, a malediction that has plagued the scientist from the earliest days.” Richard E. Bellman Adaptive Control Processes: A Guided Tour Princeton University Press, 1961

1 2 3 a b c | n states, m processes 1,a 2,a 1,b 2,b 3,a 1,c 3,b 2,c 3,c n m states Main Disadvantage (Cont.) 9

10 Curse of Dimensionality: The number of states in a system grows exponentially with its dimensionality (i.e. number of variables or bits or processes). This makes the system harder to reason about. Unavoidable in worst case, but steady progress over the past 30 years using clever algorithms, data structures, and engineering Main Disadvantage (Cont.)

11 Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now” X a “a is true in the neXt state” F a “a will be true in the Future” G a “a will be Globally true in the future” a U b “a will hold true Until b becomes true” LTL - Linear Time Logic (Pn 77) a

12 Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now” X a “a is true in the neXt state” F a “a will be true in the Future” G a “a will be Globally true in the future” a U b “a will hold true Until b becomes true” LTL - Linear Time Logic (Pn 77) a

13 Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now” X a “a is true in the neXt state” F a “a will be true in the Future” G a “a will be Globally true in the future” a U b “a will hold true Until b becomes true” LTL - Linear Time Logic (Pn 77) a

14 Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now” X a “a is true in the neXt state” F a “a will be true in the Future” G a “a will be Globally true in the future” a U b “a will hold true Until b becomes true” LTL - Linear Time Logic (Pn 77) aaaaa

15 Determines Patterns on Infinite Traces Atomic Propositions Boolean Operations Temporal operators a “a is true now” X a “a is true in the neXt state” F a “a will be true in the Future” G a “a will be Globally true in the future” a U b “a will hold true Until b becomes true” LTL - Linear Time Logic (Pn 77) aaaab

16 Model Checking Problem  Let M be a state-transition graph.  Let ƒ be an assertion or specification in temporal logic.  Find all states s of M such that M, s satisfies ƒ. LTL Model Checking Complexity: (Sistla, Clarke & Vardi, Wolper) singly exponential in size of specification linear in size of state-transition graph.

17 Trivial Example ~ Start ~ Close ~ Heat ~ Error Start ~ Close ~ Heat Error ~ Start Close ~ Heat ~ Error ~ Start Close Heat ~ Error Start Close Heat ~ Error Start Close ~ Heat ~ Error Start Close ~ Heat Error Microwave Oven State-transition graph describes system evolving over time.

18 Temporal Logic and Model Checking heat updoor is closed  The oven doesn’t heat up until the door is closed.  “Notheat_upuntildoor_closed”  “Not heat_up holds until door_closed” ~heat_upU door_closed  (~ heat_up) U door_closed

19  Symbolic Model Checking Burch, Clarke, McMillan, Dill, and Hwang 90; Ken McMillan’s thesis 92.   The Partial Order Reduction Valmari 90 Godefroid 90 Peled 94 Gerard Holzmann’s SPIN Four Big Breakthroughs in Model Checking!

20  Symbolic Model Checking Burch, Clarke, McMillan, Dill, and Hwang 90; Ken McMillan’s thesis states.   The Partial Order Reduction Valmari 90 Godefroid 90 Peled 94 Gerard Holzmann’s SPIN Four Big Breakthroughs in Model Checking!

21  Symbolic Model Checking Burch, Clarke, McMillan, Dill, and Hwang 90; Ken McMillan’s thesis states...   The Partial Order Reduction Valmari 90 Godefroid 90 Peled 94 Gerard Holzmann’s SPIN Four Big Breakthroughs in Model Checking!

22  Symbolic Model Checking Burch, Clarke, McMillan, Dill, and Hwang 90; Ken McMillan’s thesis states...   The Partial Order Reduction Valmari 90 Godefroid 90 Peled 94 Gerard Holzmann’s SPIN Four Big Breakthroughs in Model Checking!

23  Bounded Model Checking  Biere, Cimatti, Clarke, Zhu 99  Using Fast SAT solvers  Can handle thousands of state elements Can the given property fail in k-steps? I(V 0 ) Λ T(V 0,V 1 ) Λ … Λ T(V k-1,V k ) Λ ( ¬ P(V 0 ) V … V ¬ P(V k )) k-steps Property fails in some step Initial state BMC in practice: Circuit with 9510 latches, 9499 inputs BMC formula has 4 x 10 6 variables, 1.2 x 10 7 clauses Shortest bug of length 37 found in 69 seconds Four Big Breakthroughs in Model Checking (Cont.)

24 Four Big Breakthroughs in Model Checking (Cont.)  Localization Reduction  Bob Kurshan 1994   Counterexample Guided Abstraction Refinement (CEGAR)  Clarke, Grumberg, Jha, Lu, Veith 2000  Used in most software model checkers

25 CEGAR C ounter E xample- G uided A bstraction R efinement Circuit or Program InitialAbstraction Simulator No error or bug found Propertyholds Simulationsucessful Bug found Abstraction refinement Refinement Model CheckerVerification Spurious counterexample Counterexample Abstract Model

26 Future Challenge Is it possible to model check software? According to Wired News on Nov 10, 2005: “When Bill Gates announced that the technology was under development at the 2002 Windows Engineering Conference, he called it the Holy Grail of computer science”

27 Software Example: Device Driver Code Also according to Wired News : “Microsoft has developed a tool called Static Device Verifier or SDV, that uses ‘Model Checking’ to analyze the source code for Windows drivers and see if the code that the programmer wrote matches a mathematical model of what a Windows device driver should do. If the driver doesn’t match the model, the SDV warns that the driver might contain a bug.” Ball and Rajamani, Microsoft

Model Checking Cyber-Physical Systems Significant breakthrough in unifying logical reasoning and numerical methods [Gao et al. LICS’12, IJCAR’12, PhD Thesis, CADE’13, FMCAD’13] Delta-Reachability: theory and tools for performing model checking & parameter synthesis on nonlinear cyber-physical systems. 28 Sicun Gao and Soonho Kong

Example: Cardiac Cells Model [Radu et al. CAV 2011] Model Checking Results: – Nonlinear ODEs with sigmoids: – Solved logic formulas with hundreds of such ODEs. [Gao et al FMCAD 13] – Counterexamples indicate when cardiac cells lose excitability. Confirmed by experimental data. 29

Example: The Kepler Conjecture The Flyspeck project led by by Thomas Hales aims for a complete formal proof of the Kepler Conjecture. [Hales 2005] 30 The full proof has one last piece unfinished: proving correctness of a thousand nonlinear real constraints. Very Difficult: Huge combinations of polynomials and trigonometric functions. We solved over 95% of the Flyspeck benchmarks. Automated generation of proofs is in progress. (showing 4% of a typical formula)

31 Future Challenge: Can We Debug This Circuit? Kurt W. Kohn, Molecular Biology of the Cell 1999

The End Questions? Papers and Programs: OBDD Based Model Checker: nuSMV Hybrid System Model Checker: dReal ( Computational Modeling and Analysis for Complex Systems: CMACS ( 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.