Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST."— Presentation transcript:

1 1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN nicolas.rapin@cea.fr CEA LIST Laboratory of Model Driven Engineering for embedded systems F-91191 Gif-sur-Yvette, FRANCE. Tests and Proofs 2009

2 3 rd of July 2009 DTSI CEA-LIST Context and motivation Critical embedded systems => formal methods Spec (  ) Model ( M ) Model System (black box) Conforms to ? (TAP’07) Conforms to ? (TestCom’06) Conforms to ? refinement implementation design Several problems, one technique, Symbolic Execution (SE), one platform (AGATHA). shift from space complexity to time complexity (for verification). concise representation: for simulation, test purpose definition … M |= symb exec  ?

3 3 rd of July 2009 DTSI CEA-LIST Outline  Models: IOSTS formalism  Specifications: IOLTL logic  IOLTL tableau calculus  Symbolic Execution technique  Tableau calculus and SE (|= symb path )  Termination  Experiment, Conclusion, Futur works

4 3 rd of July 2009 DTSI CEA-LIST IOSTS Formalism T [rel_speed?v] {} T [  ] {b : = 1, v : = 0} (b = = 0) [  ] {} v > 1 [motor ! -1]{} v < -1 [motor ! 1]{} -1  v  1 [  ]{} q r p I T [  ] {b:=0} t4t4 t3t3 (I,v  0,b  1) (p,v  0,b  0) (q,v  -5,b  0)(r,v  -5,b  0) (p,v  -5,b  0) rel_speed ? -5 a run: motor ! 1 Data part: first order decidable theory Th (ex: Presburger Arithmetics) state variables: {v,b} Graph part : states, transitions label: Guard [I|O|  ] {Substitution} I: channel ? Variable O : channel ! Term Relative speed regulator (virtual trains for trucks)

5 3 rd of July 2009 DTSI CEA-LIST IOLTL BNF Grammar:  ::= atom | T |  |   1 |  1   2 | X  1 |  1 U  2 |  1 R  2 Atomic propositions: properties over states: (v > 0) properties over I/O: (c ! u, u > v+1) Satisfaction: M |= iosts  if for all r  Run(M), r |= run  Implicit Kripke structure : I p e1e1 e2e2 I,e 1 p,e 2 |= X  if |= 

6 3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus r |= run  means r(0) |= run  r(i) |= run  can be reduced to: r[i] |= state Now(  ) or r(i+1) |= run neXt(  ) where Now(  )  Atoms r[i] |= state Now(  ) means T |= /\ r[i]  /\ Now(  ) Goal: transform satisfaction relation |= run into an operational procedure. Idea : reduce it to a satisfaction relation on state |= state which can be reduced itself to Th |= f (the data theory Th is supposed to be decidable). Now neXt Now’ neXt’ 2 kind of inference rules  neXt neXt  r(i) r[i] r: (transformation) (transition)

7 3 rd of July 2009 DTSI CEA-LIST Tableau calculus: example F p (abbreviates: T U p) F p  p  X (F p) r(i) |= F p iff r[i] |= p or r(i+1) |= F p {F p},  {p},  {F p},  {},{F p} {F p},{} F1F1 F2F2 NSR (Next State Rule) p {},{F p} p p Prove p now … … or prove Fp in the next state. Build the next state. If p is not an atom: after F 1 rules dedicated to p main operator are applied and so on until Now set contains only atoms.

8 3 rd of July 2009 DTSI CEA-LIST Symbolic execution (I, T,{v  v 0, b  b 0 }) (p, T,{v  v 0, b  0 })  (q, T,{v  v 1, b  0 }) rel_speed?v 1 (r, T,{v  v 1, b  0 }) (r, T,{v  0, b  1 }) (p, v 1 < -1,{v  v 1, b  0 }) (p, v 1 > 1,{v  v 1, b  0 }) (p,-1  v 1  1,{v  v 1, b  0 }) Motor ! -1 Motor ! 1  Principle: symbols are used instead of values. Red symbolic path: contains the run of slide 4. Correct, complete. Intentional representation of all runs (concise and exact). M |= iosts  iff for all sp  SP(M) we have sp |= symb path 

9 3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus and symbolic execution (p, v i >1, v  v i ) {F (v < 5) }  E,  (p, vi>1, v  v i ) { (v < 5) }  E,  F1F1 E,E, Atom (p, v i >1, v  v i ) (p, (v i >1)  (v  vi)(v<5), v  v i ) { (v < 5) }  E,  (p, (1<v i <5), v  v i ) Atom Rule transfers atoms into path condition.

10 3 rd of July 2009 DTSI CEA-LIST IOLTL tableau calculus and symbolic execution (p, v i >1, v  v i ) {F (v < 5) },  (p, vi>1, v  v i ) ,{F (v < 5)} F2F2 NSR (p, v i >1, v  v i ) ,{F (v < 5) } {F (v < 5) },  (q, v i >1, v  v i+1 ) rel_speed?v i+1 Context Rules build sequences of transitions linking contexts: we call them unfoldings (an unfolding is consistent if the path condition of its symbolic state component)

11 3 rd of July 2009 DTSI CEA-LIST Satisfaction problem with Until formulas v > 0 v > 1 Consider: F(v<0) and the kripke structure above. Rule F 2 applies forever (i.e. build an infinite consistent unfolding) although (v<0) is never satisfied ! C onsistency of an infinite unfolding is not a sufficient criteria for the satisfaction relation. The technique requires a third set of formulas which stores Until formulas (remember that F is an Until) never proved: initialized with all Until (Finally) sub-formulas. USet, {}, neXt USet  neXt, neXt, {} NSR (modified to take Uset into account) With above example: USet always contains F(x<0) ! Emptiness of the Uset provides a sufficient criterion.

12 3 rd of July 2009 DTSI CEA-LIST Lemma With Uset emptiness criterion (never infinitely non empty) |= run and |= symb path are equivalent (i.e. we can use |= symb path instead of |= run in the definition of |= iosts )

13 3 rd of July 2009 DTSI CEA-LIST Termination criterion 1: lassos detection Context with Uset =  Lemma: O 1  O 2   => There is a lasso (see red execution a.b) a b Moreover, if there exists, in the loop part of the unfolding, a context with Uset =  then: a.b* satisfies . O 1, O 2 are omega sets (see paper) with respect to symbols present in the prefix) O1O1 O2O2 prefix loop An unfolding:

14 3 rd of July 2009 DTSI CEA-LIST Termination criterion 2: “dead end” detection Uset   O 2  O 1   => unfoldings “after” S2 cannot prove more than those “after” S1 => cut on S2. O 1, O 2 (omega sets of S1 and S2 with respect to  ) S2 S1

15 3 rd of July 2009 DTSI CEA-LIST Theorems Theorem 1: If there exits an unfolding satisfying the lasso criterion and the Uset criterion then there exists a run r |= . Theorem 2: If all unfoldings satisfy the inclusion criterion but not the Uset criterion then there exists no run satisfying . (the two criteria are applied in a defined sequence)

16 3 rd of July 2009 DTSI CEA-LIST First experiment Diagnosability. A model is not diagnosable with respect to a fault if we can find two different runs, having the same observable traces, one being affected by the fault and not the other. The speed regulator IOSTS model of slide 4 contains a fault whose occurrence is characterized by the value of b). Diagnosability can be reduced to a model-checking problem: M  M |= iosts F G (b 1 = T  b 2 =  ) ? Answer about the speed captor failure: Not diagnosable when relative speed is maintained at 0.

17 3 rd of July 2009 DTSI CEA-LIST Conclusion  |= symb path can be used instead of |= run  Allows analysis of models with unbounded variables or huge domains  SE and tableau calculus combination provides an operational technique for |= symb  semi-decision verification algorithm (between test and proof)

18 3 rd of July 2009 DTSI CEA-LIST FUTUR WORKS  Improve verification algorithm with strategies (priorities over rules: F 1 > F 2 to check F G  )  Monte Carlo methods for large systems (adaptation of the MC2 PLTL checker approach)  What about FIFO channels ?  Use tableau calculus and SE to generate tests purposes (TestCom’06) from IOLTL properties (Test purpose refinement). Thank You !

Download ppt "1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Completeness and Expressiveness

Completeness and Expressiveness
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.

1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
74.757 Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.

Formal Logic Proof Methods Direct Proof / Natural Deduction Conditional Proof (Implication Introduction) Reductio ad Absurdum Resolution Refutation.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

Similar presentations

Ads by Google