Software Model Checking for Embedded Systems

PIs: Matthew Dwyer (1), John Hatcliff (1), and George Avrunin (2)
Post-docs: Steven Seigel (2), Radu Iosif (1)
Students: Robby (1), Roby Joehanes (1), Yu Chen (1)
(1) Kansas State University, (2) University of Massachusetts

The Dream

Program:
  void add(Object o) { buffer[head] = o; head = (head+1)%size; }
  Object take() { … tail=(tail+1)%size; return buffer[tail]; }
Requirements: Property 1: …, Property 2: …, …
Checker: answers OK, or produces an error trace

Model Checking

Inputs: a finite-state model and a temporal logic formula
Model Checker output: OK, or an error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …)

Why use Model Checking?

- In contrast to testing, it gives complete coverage by exhaustively exploring all paths in the system.
- It has been used for years with good success in hardware and protocol design.
- It automatically checks, e.g.:
  – invariants, safety and liveness properties
  – absence of deadlock and livelock
  – complex event sequencing properties, such as "Between the key being inserted and the key being removed, the ignition can be activated at most twice."
This suggests that model checking can complement existing software quality assurance techniques.
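As an added illustration of the exhaustive exploration described above (example code written for this transcript, not from the Bandera project): a small explicit-state checker for the add()/take() buffer sketched on the earlier slide. It assumes size = 2, treats each method call as one atomic step of a producer or consumer thread, and adds a ghost variable count that is not in the slide's code.

```python
"""Explicit-state model checking of the bounded-buffer sketch (constructed example)."""
from collections import deque

SIZE = 2  # assumed value of the slide's 'size'

def successors(state, guarded):
    """Enabled transitions from an abstract state (head, tail, count).
    count is a ghost variable (not in the slide's code): the number of unconsumed
    elements. guarded=False runs add()/take() exactly as written on the slide;
    guarded=True makes them block when the buffer is full or empty."""
    head, tail, count = state
    if not guarded or count < SIZE:
        # add: buffer[head] = o; head = (head+1)%size
        yield "producer: add()", ((head + 1) % SIZE, tail, count + 1)
    if not guarded or count > 0:
        # take: tail = (tail+1)%size; return buffer[tail]
        yield "consumer: take()", (head, (tail + 1) % SIZE, count - 1)

def invariant(state):
    """Safety property: never overwrite unconsumed data, never read an empty slot."""
    return 0 <= state[2] <= SIZE

def model_check(guarded, initial=(0, 0, 0)):
    """Breadth-first exploration of every interleaving of producer and consumer.
    Returns (None, explored) when the invariant holds in all reachable states,
    otherwise (error_trace, explored) with the shortest transition sequence that
    reaches a violating state, i.e. the model checker's error trace."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []  # walk parent links back to the initial state
            while parent[state] is not None:
                state, label = parent[state]
                trace.append(label)
            return list(reversed(trace)), len(parent)
        for label, nxt in successors(state, guarded):
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return None, len(parent)

if __name__ == "__main__":
    for guarded in (False, True):
        trace, explored = model_check(guarded)
        verdict = "OK" if trace is None else "Error trace: " + " -> ".join(trace)
        print(f"guarded={guarded}: {verdict} ({explored} states explored)")
```

The unguarded version reports the one-step error trace "consumer: take()" (a read from an empty buffer); the guarded version explores all six reachable states and answers OK.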

What makes model-checking software difficult?

Problems using existing checkers:
– Model construction: getting from the program to a finite-state model
– Property specification: writing the temporal logic formula
– State explosion: inside the model checker
– Output interpretation: making sense of the error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …)

Model Construction Problem

Semantic gap between the program and the model description that the model checker accepts:
  Program:
    void add(Object o) { buffer[head] = o; head = (head+1)%size; }
    Object take() { … tail=(tail+1)%size; return buffer[tail]; }
  Programming languages: methods, inheritance, dynamic creation, exceptions, etc.
  Model description languages: automata


Property Specification Problem

It is difficult to formalize a requirement in temporal logic. The requirement

  "Between the key being inserted and the key being removed, the ignition can be activated at most twice."

…is rendered in LTL as...

  []((keyIn /\ <>keyRem) -> ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ (!activate U keyRem))))))))))


State Explosion Problem

- Moore's law and algorithm advances can help
  – Holzmann: 7 days (1980) ==> 7 seconds (2000)
- Explosive growth of software limits scalability
  – N bits x1, …, xN give 2^N states
  – Cost is exponential in the number of components


Output Interpretation Problem

- Raw error trace may be 1000's of steps long (Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …)
- Must map the line listing onto the model description, and across the gap back to the program:
    void add(Object o) { buffer[head] = o; head = (head+1)%size; }
    Object take() { … tail=(tail+1)%size; return buffer[tail]; }
- Mapping to source is made difficult by
  – the semantic gap and clever encodings of complex features
  – multiple optimizations and transformations

Bandera: An open tool set for model-checking Java source code

- Checker inputs: Java source (void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; }) and the Bandera Specification Language
- Transformation and abstraction tools
- Model checkers
- Checker outputs: error trace mapping
- Graphical user interface

Addressing the Model Construction Problem

Model extraction: compiling Java source to model checker inputs
- Numerous analyses, optimizations, two intermediate languages, multiple back-ends
- Slicing, abstract interpretation
- Stages: static analyses, abstract interpretation, slicing, optimizations, and a model compiler that produces the model description from the Java source (void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; })

Addressing the Property Specification Problem

A Java-based language for defining sequences of program observations as instances of field-tested specification patterns.

Using the pattern system (2-bounded existence):

  forall[v: Vehicle].
    between {keyIn(v)} and {keyRem(v)}
      {activate(v)} exists at most {2} times;

which corresponds to the LTL formula

  []((keyIn /\ <>keyRem) -> ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ (!activate U keyRem))))))))))
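Added example (written for this transcript, not Bandera code) serving both the Property Specification Problem slide and the pattern above: a generator that expands the bounded-existence pattern into the nested-until LTL for any bound k (k = 2 reproduces the slide's formula), plus an event-based check of the same requirement on a finite trace. The names keyIn, keyRem and activate are the slide's; the trace checker assumes the events of a single vehicle, and the traces are constructed.

```python
"""Bounded-existence pattern: LTL expansion and finite-trace check (constructed example)."""

def bounded_existence_ltl(p, q, s, k):
    """Expand 'between p and q, s exists at most k times' into LTL.
    Mirrors the nesting on the slide: k alternating (!s) / (s) phases, each
    cut short by q, followed by a final (!s U q). k=2 gives the slide's formula."""
    inner = f"(!{s} U {q})"
    for _ in range(k):
        inner = f"(({s} /\\ !{q}) U ({q} \\/ {inner}))"
        inner = f"((!{s} /\\ !{q}) U ({q} \\/ {inner}))"
    return f"[](({p} /\\ <>{q}) -> {inner})"

def balanced(formula):
    """Sanity check for generated formulas: every '(' is closed, in order."""
    depth = 0
    for ch in formula:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def holds_on_trace(events, p, q, s, k):
    """Event-based check of the same pattern on a finite trace: inside every
    segment opened by p and closed by the next q, s occurs at most k times.
    A segment never closed by q imposes no obligation (the LTL needs <>q)."""
    inside, seen = False, 0
    for e in events:
        if e == p and not inside:
            inside, seen = True, 0
        elif e == q and inside:
            if seen > k:
                return False
            inside = False
        elif e == s and inside:
            seen += 1
    return True

if __name__ == "__main__":
    print(bounded_existence_ltl("keyIn", "keyRem", "activate", 2))
    ok = ["keyIn", "activate", "activate", "keyRem"]              # constructed traces
    bad = ["keyIn", "activate", "activate", "activate", "keyRem"]
    print(holds_on_trace(ok, "keyIn", "keyRem", "activate", 2))   # True
    print(holds_on_trace(bad, "keyIn", "keyRem", "activate", 2))  # False
```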

Addressing the State Explosion Problem

- Aggressive customization via slicing, abstract interpretation, static analysis
- Generate models customized for the property: Java source (void add(Object o) { buffer[head] = o; head = (head+1)%size; } …) plus the property go into the model compiler, which emits the model descriptions
- Result: multiple models --- even as many as one per property

Addressing the Output Interpretation Problem

- Like a debugger: error traces mapped back to source
- Run error traces forwards and backwards
- Program state can be queried
- Locks, wait sets, blocked sets displayed
- Tool chain: Java source (void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; }) -> model compiler (intermediate representations) -> model description -> model checker -> error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …); the model description plus a simulator replay the trace

Goals for HCES project …

- Extend model extraction technologies, e.g.,
  – exploit both code and design artifacts
  – automate generation of environments
  – automate program abstraction
- Extend property-specification formalisms, e.g.,
  – code and design-based formalisms
  – mixed state and event-based formalisms
  – multiple inter-operating formalisms
- Add time to models, environments, specifications, and abstractions

Goals for HCES project …

- Integrate software model checking tools, e.g.,
  – develop methodological support for applying tools
- Conduct systematic evaluation of tools
  – apply tools to embedded systems code contributed by industrial/government partners
  – develop suites of realistic multi-threaded Java programs for tool evaluation that might serve as community-wide challenge/demonstration problems