Model Checking Büchi Pushdown Systems Presented by Rustan Leino Juncao Li and Fei Xie Dept. of Computer Science, Portland State University Thomas Ball and Vladimir Levin Microsoft Corporation
Hardware/Software (HW/SW) Interfaces are Pervasive… • Windows XP • Over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004) • Linux • 70% of code for drivers that operate hardware (Chou, et al., 2001)
And Unreliable… • In Windows • Drivers cause 85% reported failures • (Swift, 2005) • At least 52.6% of Windows crashes involve HW/SW interaction • (Sinha, 2005) • In Linux • Seven times more driver failures • (Chou, et al., 2001) • Lots of issues cannot be gathered … • e.g., device/driver I/O hangs
What we have done (FASE’10, CAV’10) • Formal specification framework • Specify a hardware model for verifying software • Unifying formal model • Labeled Pushdown System (LPDS) as the software model • Büchi automaton (BA) as the hardware model • Büchi Pushdown System (BPDS): BA × LPDS • Reachability analysis algorithm • For BPDS • Static Partial Order Reduction • Discovered 12 bugs in 5 Windows drivers
Need more? • Why? (system responsiveness) • Software commands will always be acknowledged • I/O will not hang • How? • Specify the properties • Linear Temporal Logic (LTL) • Model checking algorithm • For checking liveness properties of BPDS • Reduction algorithm • Static Partial Order Reduction
Where are we … • Introduction • Preliminaries • Algorithms • Model Checking • Reduction • Examples & Evaluation • Conclusion
Büchi Automaton (BA) • A BA is a 5-tuple consisting of • the alphabet • the finite set of states • the set of state transitions • the initial state • the set of final (accepting) states • The alphabet is defined on the states of the LPDS • The LPDS is the generator of inputs to the BA, e.g., a driver call such as WRITE_REGISTER_UCHAR(foo, 32)
Labeled Pushdown System (LPDS) • An LPDS is a tuple consisting of • the input alphabet • the finite set of global states • the finite stack alphabet • the initial configuration • the set of transition rules
Model Checking Problem • Find a trace that • starts from the initial state • visits the final states infinitely often • satisfies the fairness requirement: infinitely many hardware transitions (from the BA) and infinitely many software transitions (from the LPDS)
Model Checking Algorithm • Detect the loops in the BPDS that • visit the final states • contain at least one hardware transition • contain at least one software transition • Backward reachability analysis algorithm of pushdown systems (Schwoon, 2002) • Check if one of the loops is reachable from the initial state • Reachability checking (FASE 2010, CAV 2010)
Static Partial Order Reduction • Partial order reduction • Exploits commutativity of concurrent transitions • Usually applied during model checking • Static: applied at compile time • No modification to the model checker • Can be combined with other techniques, e.g., co-simulation (Kuznetsov, 2010) • May be less effective in reduction
State Graph (figure) • Legend: LPDS self-loops; BA self-loops; transitions where the BA and the LPDS both move
An Intuition of the Reduction (figure, same legend) • Independent LPDS-only and BA-only transitions form commuting diamonds, so only one interleaving order needs to be explored
What to reduce? • SensitiveSet • when HW/SW interface events happen, e.g., HW interrupt, SW writes to HW register • VisibleSet • when the propositional variables of the LTL formula are affected • LoopSet • when this is the last HW (or SW) transition in a loop – fairness constraint
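The model checking problem and algorithm above, and the three reduction sets, worked as an added Python example. This is written for this page and is not the authors' tool or code. Because main() in the slide example has no recursion, the software side is encoded as a finite control-flow machine and the product is explored explicitly instead of with the pushdown saturation of Schwoon (2002); the hardware side is HWModel() from the example, always enabled as in HWInstr(). Assumptions not in the slides: all hardware registers start at 0; the program-counter names (init, poll_status, poll_reg, check) are ours; the Büchi automaton encodes the negation of G (sw_reset -> (F reset_act)), i.e. F (sw_reset & G !reset_act), and reads the labels of the transition just taken. A fair counterexample is a reachable strongly connected component that contains an accepting state, a hardware transition and a software transition; dropping the fairness check shows why the fairness requirement is part of the problem statement (the software spins in its status() loop while the hardware is starved). The reduce flag commits software steps that lie outside SensitiveSet, VisibleSet and LoopSet without interleaving a hardware step, which is the static partial order reduction intuition in miniature.

```python
HW_INIT = (0, 0, 0, 0, 0)   # registers (c0, c1, c2, r, s); assumption: all start at 0

def hw_step(hw):
    """One HWModel() call -> (new_hw, labels); always enabled, like HWInstr's while(*)."""
    c0, c1, c2, r, s = hw
    if r:                                        # reset_act
        return (0, 0, 0, 0, 1), {"reset_act"}
    if s:                                        # inc_reg(): saturating 3-bit counter
        n = min(c0 + 2 * c1 + 4 * c2 + 1, 7)
        return (n & 1, (n >> 1) & 1, n >> 2, r, s), set()
    return hw, set()                             # idle hardware step

SW_INIT = ("init", 1, 1, 1)  # main() as (pc, v0, v1, v2); pc names are ours

def sw_step(sw, hw):
    """One step of main() -> (new_sw, new_hw, labels, local); local=True means the step
    is in none of SensitiveSet (HW register access), VisibleSet (LTL atom), LoopSet."""
    pc, v0, v1, v2 = sw
    c0, c1, c2, r, s = hw
    if pc == "init":                             # v0,v1,v2 := 1,1,1
        return ("sw_reset", 1, 1, 1), hw, set(), True
    if pc == "sw_reset":                         # reset(): reset_cmd: r := 1
        return ("poll_status", v0, v1, v2), (c0, c1, c2, 1, s), {"sw_reset"}, False
    if pc == "poll_status":                      # v1,v0 := status(); while(!v1|v0)
        return ("poll_status" if not s or r else "poll_reg", r, s, v2), hw, set(), False
    if pc == "poll_reg":                         # v2,v1,v0 := rd_reg(); while(!v2)
        return ("poll_reg" if not c2 else "check", c0, c1, c2), hw, set(), False
    if pc == "check":                            # if (v1|v0) then error else exit
        return ("error" if v1 or v0 else "exit", v0, v1, v2), hw, set(), True
    return sw, hw, set(), False                  # error/exit: stutter forever

def ba_step(q, labels):
    """Buchi automaton for F(sw_reset & G !reset_act), read on transition labels; q1 accepts."""
    if q == "q0":
        return {"q0", "q1"} if "sw_reset" in labels else {"q0"}
    return set() if "reset_act" in labels else {"q1"}

def build_product(reduce=False):
    """Reachable product {state: [(succ, "HW"|"SW")]}; reduce=True skips the HW
    interleaving at local SW steps (the static partial order reduction idea)."""
    init = (HW_INIT, SW_INIT, "q0")
    edges, todo = {}, [init]
    while todo:
        st = todo.pop()
        if st in edges:
            continue
        hw, sw, q = st
        nsw, nhw, lab, local = sw_step(sw, hw)
        out = [((nhw, nsw, nq), "SW") for nq in ba_step(q, lab)]
        if not (reduce and local):
            nhw, lab = hw_step(hw)
            out += [((nhw, sw, nq), "HW") for nq in ba_step(q, lab)]
        edges[st] = out
        todo += [s for s, _ in out]
    return init, edges

def sccs(edges):
    """Iterative Tarjan: the strongly connected components as sets of states."""
    idx, low, on, stk, work, out = {}, {}, set(), [], [], []
    def visit(w):                                # number w, push it on both stacks
        idx[w] = low[w] = len(idx)
        stk.append(w)
        on.add(w)
        work.append((w, iter(edges[w])))
    for root in edges:
        if root not in idx:
            visit(root)
        while work:
            v, it = work[-1]
            for w, _ in it:
                if w not in idx:
                    visit(w)
                    break
                if w in on:
                    low[v] = min(low[v], idx[w])
            else:                                # every successor of v is finished
                work.pop()
                if work:
                    low[work[-1][0]] = min(low[work[-1][0]], low[v])
                if low[v] == idx[v]:             # v is the root of a component
                    comp = set()
                    while v not in comp:
                        w = stk.pop()
                        on.discard(w)
                        comp.add(w)
                    out.append(comp)
    return out

def find_fair_counterexample(require_fairness=True, reduce=False):
    """Reachable SCC holding an accepting loop with >= 1 HW and >= 1 SW transition, or None."""
    _, edges = build_product(reduce)
    for comp in sccs(edges):
        kinds = {k for s in comp for t, k in edges[s] if t in comp}
        if not kinds or all(q != "q1" for _, _, q in comp):
            continue                             # no cycle at all, or not accepting
        if require_fairness and kinds != {"HW", "SW"}:
            continue                             # starves HW or SW: not a fair trace
        return comp
    return None
```

Calling find_fair_counterexample() returns None, so the liveness property holds on this model: once sw_reset has set r, the next hardware transition is reset_act, and fairness guarantees that transition happens. find_fair_counterexample(require_fairness=False) instead returns the software-only component in which main() polls status() forever, which is exactly the spurious "I/O hang" a check without fairness would report. len(build_product(reduce=True)[1]) is smaller than len(build_product()[1]) while both verdicts are unchanged, because the local steps (the initial assignment and the final check) never need a hardware interleaving. The error label is reachable in the product too, which is the safety bug that the earlier reachability work targets.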
Example: hardware model (left column of the slide) and software (right column)

  // represent HW registers
  decl c0, c1, c2, r, s;

  __atomic void reset()
  begin
    reset_cmd: r := 1;
  end

  __atomic bool<2> status()
  begin
    return s, r;
  end

  __atomic bool<3> rd_reg()
  begin
    return c2, c1, c0;
  end

  // HW instrumentation function
  void HWInstr()
  begin
    while (*) do HWModel(); od
  end

  // Asynchronous HW model
  __atomic void HWModel()
  begin
    if (r) then
      reset_act: c2, c1, c0, r, s := 0, 0, 0, 0, 1;
    elseif (s) then
      inc_reg();
    fi
  end

  __atomic void inc_reg()
  begin
    if (!c0) then c0 := 1;
    elseif (!c1) then c1, c0 := 1, 0;
    elseif (!c2) then c2, c1, c0 := 1, 0, 0;
    fi
  end

  void main()
  begin
    decl v0, v1, v2;
    v0, v1, v2 := 1, 1, 1;
    sw_reset: reset();
    // wait for the reset to complete
    v1, v0 := status();
    while (!v1 | v0) do v1, v0 := status(); od
    // wait for the counter to increase
    v2, v1, v0 := rd_reg();
    while (!v2) do v2, v1, v0 := rd_reg(); od
    // if the return value is valid
    if (v1 | v0) then error: skip; fi
    exit: return;
  end

LTL formula checked: G (sw_reset -> (F reset_act)), i.e., every software reset command is eventually acted on by the hardware. With reduction, the slide build-up highlights which transitions belong to SensitiveSet (HW register accesses such as reset(), status(), rd_reg()), VisibleSet (the labels sw_reset and reset_act used in the formula) and LoopSet (the last HW or SW transition of each loop).
Evaluation • Designed a BPDS template • to generate BPDS models of different complexities • Verified eleven LTL formulae • Observations • 80% average reduction in time usage • 35% average reduction in memory usage • One space-out (memory exhaustion) without reduction • The reduction is effective • since HW and SW transitions are mostly asynchronous
Conclusion • We have presented • A model checking algorithm for BPDS • A static partial order reduction algorithm for BPDS • Take away with you … • The model checking algorithm can be implemented based on existing liveness verification engines of Pushdown Systems • The reduction algorithm has a broader application, e.g., co-simulation • Future work • Realize the liveness checking on BPDS specified in C language • Co-simulation that utilizes our reduction algorithm
References
Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products. Available at: http://www.softwaretechnews.com (2004)
Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP (2001)
Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005)
Sinha, A.: Windows driver quality signature. Available at: http://www.microsoft.com (2005)
Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002)
Li, J., Xie, F., Ball, T., Levin, V., McGarvey, C.: An Automata-Theoretic Approach to Hardware/Software Co-verification. In: Proc. of FASE (2010)
Li, J., Xie, F., Ball, T., Levin, V.: Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In: Proc. of CAV (2010)
Kuznetsov, V., Chipounov, V., Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIX ATC (2010)