Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball."— Presentation transcript:

1 Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball and Vladimir Levin Microsoft Corporation

2 Hardware/Software (HW/SW) Interfaces are Pervasive… Windows XP ◦ Over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004) Linux ◦ 70% of code for drivers that operate hardware (Chou, et al., 2001)

3 And Unreliable… In Windows ◦ Drivers cause 85% reported failures  (Swift, 2005) ◦ At least 52.6% of Windows crashes involve HW/SW interaction  (Sinha, 2005) In Linux ◦ Seven times more driver failures  (Chou, et al., 2001) Lots of issues cannot be gathered … ◦ e.g., device/driver I/O hangs

4 What we have done (FASE’10, CAV’10) Formal specification framework Specify hardware model for verifying software Unifying formal model Labeled Pushdown System (LPDS) as the software model Büchi automaton (BA) as the hardware model Büchi Pushdown System (BPDS): BA ˣ LPDS Reachability analysis algorithm For BPDS Static Partial Order Reduction Discovered12 bugs in 5 Windows drivers

5 Need more? Why? (system responsiveness) Software commands will always be acknowledged I/O will not hang How? Specify the properties Linear Temporal Logic (LTL) Model checking algorithm For checking liveness properties of BPDS Reduction algorithm Static Partial Order Reduction

6 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

7 Büchi Automaton (BA) A BA, ◦, the alphabet ◦, the finite set of states ◦, the set of state transitions ◦, the initial state ◦, the set of final states The alphabet is defined on the states of LPDS ◦ LPDS is the generator of inputs to BA WRITE_REGISTER_UCHAR(foo, 32)

8 Labeled Pushdown System (LPDS) An LPDS, ◦, the input alphabet ◦, finite set of global states ◦, finite stack alphabet ◦, initial configuration ◦ the set of transition rules is 

9 Labeling Functions

10 BPDS …

11 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

12 Model Checking Problem

13 Find a trace that ◦ Starts from the initial state ◦ Visits the final states infinitely often ◦ Satisfies the fairness requirement  Infinite many hardware transitions from and  Infinite many software transitions from

14 Model Checking Algorithm Detect the loops in that ◦ visit the final states ◦ contains at least one hardware transition ◦ contains at least one software transition ◦ Backward reachability analysis algorithm of Pushdown systems (Schwoon, 2002) Check if one of the loops is reachable from the initial state ◦ Reachability checking (FASE’2010, CAV’2010)

15 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

16 Static Partial Order Reduction Partial order reduction ◦ Exploit commutativity of concurrent transitions ◦ Usually applied during model checking Static – applied at compile time ◦ NO modification to model checker ◦ Can be applied with other techniques, e.g., co- simulation (Kuznetsov, 2010 ) ◦ May be less effective in reduction

17 State Graph LPDS self-loops BA self-loops BA and LPDS both transition

18 An Intuition of the Reduction LPDS self-loops BA self-loops BA and LPDS both transition

19 What to reduce? SensitiveSet ◦ when HW/SW interface events happen, e.g., HW interrupt, SW writes to HW register VisibleSet ◦ when the propositional variables of the LTL formula are affected LoopSet ◦ when this is the last HW (or SW) transition in a loop – fairness constraint

20 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

21 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware

22 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware

23 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware

24 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware

25 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware With reduction LTL formula: G (sw_reset -> (F reset_act))

26 void main() begin decl v0, v1, v2; v0, v1, v2 := 1,1,1; sw_reset: reset(); // wait for the reset to complete v1,v0 := status(); while(!v1|v0) do v1,v0 := status(); od // wait for the counter to increase v2,v1,v0 := rd_reg(); while(!v2) do v2,v1,v0 := rd_reg(); od // if the return value is valid if(v1|v0) then error: skip; fi exit: return; end // represent HW registers decl c0,c1,c2,r,s; __atomic void reset() begin reset_cmd: r := 1; end __atomic bool status() begin return s,r; end __atomic bool rd_reg() begin return c2,c1,c0; end // HW instrumentation function void HWInstr() begin while(*) do HWModel(); od end // Asynchronous HW model __atomic void HWModel() begin if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1; elseif(s) then inc_reg(); fi end __atomic void inc_reg() begin if(!c0) then c0 := 1; elseif(!c1) then c1,c0 := 1,0; elseif(!c2) then c2,c1,c0 := 1,0,0; fi end Software Hardware SensitiveSet VisibleSet LoopSet With reduction LTL formula: G (sw_reset -> (F reset_act))

27 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

28 Evaluation Designed a BPDS template To generate BPDS models with different complexities Verified eleven LTL formulae Observations 80% average reduction in time usage 35% average reduction in memory usage One spaceout without reduction The reduction is effective Since HW and SW transitions are mostly asynchronous 28

29 Where are we … Introduction Preliminaries Algorithms Model Checking Reduction Examples & Evaluation Conclusion

30 Conclusion We have presented A model checking algorithm for BPDS A static partial order reduction algorithm for BPDS Take away with you … The model checking algorithm can be implemented based on existing liveness verification engines of Pushdown Systems The reduction algorithm has a broader application, e.g., co- simulation Future work Realize the liveness checking on BPDS specified in C language Co-simulation that utilizes our reduction algorithm 30

31 References Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products. Available in: http://www.softwaretechnews.com (2004) http://www.softwaretechnews.com Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP. (2001) Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005) Sinha, A.: Windows driver quality signature. Available in: http://www.microsoft.com (2005)http://www.microsoft.com Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002) Li, J., Xie, F., Ball, T., Levin, V., and McGarvey, C.. An Automata-Theoretic Approach to Hardware/Software Co-verification. In Proc. of FASE. (2010) Li, J., Xie, F., Ball, T., and Levin, V.. Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In Proc. of CAV. (2010) Kuznetsov, V., Chipounov, V. and Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIXATC. (2010)

Download ppt "Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
purpose Search : automation methods for device driver development in IP-based embedded systems in order to achieve high reliability, productivity, reusability.

purpose Search : automation methods for device driver development in IP-based embedded systems in order to achieve high reliability, productivity, reusability.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

Similar presentations

Ads by Google