
Apply Program Model Checking

Qian Ling, Oct. 28, 2004, Bell Labs Research China





Presentation Transcript


  1. Apply Program Model Checking
     Qian Ling, Oct. 28, 2004, Bell Labs Research China

  2. Agenda
     • Motivation
     • Program Model Checking
     • Program Model Checking Tools
       • The Spin Tool
       • The Verisoft Tool
       • The SLAM Tool
     • Use Spin tool to check TTS Server
     • Future Work

  3. Motivation
     • Testing of concurrent programs
       • VMS TTS Server Program
       • OS Adapter Project
         • POSIX thread impl. on VxWorks 5.4
     • Progress in Program Model Checking
       • New tech and tools developed

  4. Agenda (repeated; see slide 2)

  5. SW Quality Control Tech
     • Software Testing
       • Unit/integration/system test
       • Functional test, conformance test
       • Stress test
       • API test, etc.
     • Code Review
       • Peer review
       • Design review
     • Program Model Checking
       • Formal method
       • Software verification
     • Software Quality Assurance

  6. Software Testing “Sequential, Stand-alone”

  7. Code Review “Static”

  8. Facing Concurrent & Distributed Software
     “It is not too surprising that the behavior of even non-buggy distributed applications can easily defy our human reasoning skills.” (Gerard J. Holzmann)

  9. Facing Concurrent & Distributed Software, cont.
     Really hard issues:
     • Deadlock
     • Livelock, starvation
     • Underspecification
       • Unexpected reception of messages
     • Overspecification
       • Dead code
     • Violations of constraints
       • Buffer overruns
       • Array bounds violations
     • Assumptions about speed
       • Logical correctness vs. real-time performance

  10. What is Model Checking?
     • [Clarke & Emerson 1981] “Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.”
     • Model checking tools automatically verify whether M ⊨ φ holds, where M is a (finite-state) model of a system and the property φ is stated in some formal notation
     • Problem: state space explosion
     • SPIN is one of the most powerful model checkers

  11. Classic vs. Modern MC (Waterfall SW Lifecycle Process)

  12. Classic Model Checking

  13. Modern Model Checking
     • Abstraction: to fight the state space explosion
     • Focus on modern model checking

  14. Agenda (repeated; see slide 2)

  15. Tools for program model checking
     • SPIN
       • Gerard J. Holzmann (Bell Labs), 1991~
       • Proving the correctness of process interaction, asynchronous control
     • Verisoft
       • Patrice Godefroid (Bell Labs), 1996~
       • Runtime analyses for multi-process programs
     • SLAM
       • Thomas Ball (MS Research), 1999~
       • Static analyses for “API usage rules” in programs

  16. Tools for program model checking, cont.
     • Eraser
       • Stefan Savage (University of Washington) & DEC, 1997~
       • Dynamic detection of data races in lock-based multithreaded programs
     • FLAVERS
       • Matthew B. Dwyer, L. A. Clarke (Kansas State University / University of Massachusetts Amherst) & DoD, DAAH, NSF, IBM…, 1999~
       • Check if all executions adhere to the specification; data flow analysis, stack
     • SMV
       • CMU, 1992~
       • Symbolic model checker
     • …

  17. Tool Comparison
     • Modeling languages
     • Static analysis vs. dynamic
     • Explicit state space?
     • Scope of verification
       • Safety only
       • Acceptance cycles, etc.
     • Stages in development
       • Design phase
       • Code ready
       • Incremental development

  18. Agenda (repeated; see slide 2)

  19. The SPIN Model Checker
     • SPIN = Simple Promela Interpreter
     • A tool for analysing the logical consistency of concurrent systems, specifically of data communication protocols
     • Concurrent systems are described in the modelling language called Promela
     • State-of-the-art model checker

  20. Promela
     • Promela = Protocol/Process Meta Language
     • Allows for the dynamic creation of concurrent processes
     • Communication via message channels can be defined to be
       • synchronous (i.e. rendezvous), or
       • asynchronous (i.e. buffered)
     • Resembles the programming language C
     • Specification language to model finite-state systems

  21. Modern Model Checking with SPIN

  22. Foundation of SPIN
     • Based on the automata-theoretic model (Vardi & Wolper 83)
     • System model
       • Translate each process template to an automaton
       • State space = product of all automata
       • Global behavior modeled by an automaton
     • Specification
       • Correctness requirement as an LTL formula
       • Convert LTL to a Büchi automaton
     • Verification
       • Global automaton × Büchi automaton
       • (Accepted language = empty): not satisfied
       • (Accepted language ≠ empty): satisfied behaviors
       • SPIN formalizes the erroneous behaviors
         • Prove such behaviors are impossible
         • Provide detailed matched behaviors

  23. Algorithms of SPIN
     • Nested depth-first search (cycle detection)
       • 1st search: from the initial state, find accepting states
       • 2nd search (nested): from all accepting states
     • LTL to Büchi automaton
       • Normalize LTL formulas, recursive conversion
       • Make use of Promela condition statements
     • Partial order reduction
       • Represent classes of execution sequences with one single path, statically
     • Memory management
       • State compression (60%~80% reduction)
         • Separate local state (small) and global state
         • Global state uses an index to refer to local state
       • Bit-state hashing (improves problem coverage¹)
         • 2 bits are used to store a reachable state
         • 2 bits: F1(S1) = M[m1], F2(S2) = M[m2]
         • Collision problem
     ¹ Problem coverage = M / (N*S), where M = 2^m is the memory space in bytes, N = 2^n the true number of reachable states, and S = 2^s the bytes for each state

  24. Debug with SPIN
     • Correctness requirements:
       • Inline assertions: assert(…)
       • End-state label / deadlock: endxxx:
       • Progress-state label / livelock: progressxxx:
       • Acceptance-state label: acceptxxx:
       • LTL properties: make use of LTL specification
       • Never-claims: never {…}
     Commonly used
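The constructs on this slide, put together in one small Promela model. This is an added example, not code from the talk: two processes (named worker here, an invented name) take turns entering a critical section, and the model carries an inline assert(), an end-state label, a progress-state label and an ltl property that SPIN compiles into a never claim. The counter critical and the flag turn are likewise made up for the illustration.

```promela
/* Added example (not from the slides): two processes alternate on a
 * shared resource guarded by the flag `turn`. The model exercises the
 * correctness constructs listed on slide 24. All names are invented. */

byte critical = 0;   /* how many processes are in the critical section */
bit  turn = 0;       /* which process may enter next */

active [2] proctype worker() {
  byte me = _pid;    /* 0 or 1, since both instances are created at start */
  do
  :: (turn == me) ->
       critical++;
       assert(critical <= 1);   /* inline assertion: mutual exclusion */
       critical--;
progress_release:               /* any infinite run must pass here, else livelock */
       turn = 1 - me
  :: else ->
end_wait:                       /* blocking here is a legitimate end state */
       (turn == me)             /* wait until it is our turn again */
  od
}

/* Same invariant as the assert, stated as an LTL property; spin turns it
 * into a never claim (equivalent to: spin -f '!([] (critical <= 1))'). */
ltl mutex { [] (critical <= 1) }
```

Usage: `spin -a model.pml && gcc -o pan pan.c && ./pan -a` runs the exhaustive check of the ltl property and the assertion; `./pan -l` instead looks for non-progress cycles, i.e. infinite runs that never pass progress_release. If you delete the end_wait label, pan reports the blocked process as an invalid end state, which is how SPIN distinguishes an intended wait from a deadlock.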

  25. Extensions to SPIN (1)
     • dSpin = dynamic SPIN
       • R. Iosif & R. Sisto, Kansas State University, 1999~
     • Solves limitations in SPIN:
       • Object creation & deletion
       • Pointer and reference variables
       • Polymorphic function calls
     • Solutions
       • Memory management
         • Dynamic memory allocation
         • Reference mechanism
       • Functional management
         • Function declaration, call and reference
         • Local scoping

  26. Extensions to SPIN (2)
     • FeaVer/Modex = Model Extractor for C
       • Gerard J. Holzmann, Bell Labs, 1998~
     • Extracts a Promela model from ANSI C
     • 3 phases:
       • Parsing: C → full parse tree
       • Interpretation: tabled abstraction
       • Optimization
     • Applications:
       • Lucent PathStar™ Access Server

  27. Extensions to SPIN (3)
     • JPF1/JPF2 = Java PathFinder
       • Automated Software Engineering Group, NASA
     • JPF1, since 1998
       • A translator from Java 1.0 to Promela
       • Suitable for multi-threaded Java programs
       • Applications
         • Find deadlocks in a game server
         • Analyze Remote Agent
     • JPF2, since 2000
       • Works on Java byte code, 100% Java support
       • Garbage collection
       • Static analysis of dependencies for partial-order reduction
       • Contains runtime race-condition analysis by the “Eraser” algorithm
       • Uses Bandera to calculate slices

  28. Extensions to SPIN (4)
     • Bandera Toolset
       • Santos Laboratory, since 2000
       • Source code → FSM model checker, SPIN/SMV
       • Analyze:
         • Abstraction
         • Transformation
     • More than just a SPIN extension!

  29. Agenda (repeated; see slide 2)

  30. VeriSoft
     • A tool for systematically testing concurrent reactive software
     • Stateless search, for:
       • Deadlocks
       • Livelocks
       • Assertion violations
       • Divergence
     • Replay error scenarios
     • Applications:
       • 4ESS Heart-Beat Monitor debugging and unit testing
       • WaveStar 40G R4 integration and system testing
       • 7R/E PacketStar Gateway Solutions Feature Server unit testing
       • CDMA Call Processing Library testing

  31. Agenda (repeated; see slide 2)

  32. SLAM
     • Checks temporal safety properties in sequential C programs
     • Based on Boolean programs
     • Solutions:
       • Preparation:
         • Model the counterexample in SLIC
         • C → BP (C2BP)
       • Verification:
         • BEBOP: perform reachability analysis of the BP
         • NEWTON: refine the BP by discovering additional predicates
       • Error in BP → error in P
     • Applications
       • API in Windows XP device drivers

  33. Agenda (repeated; see slide 2)

  34. VMS TTS Server
     • Multi-threaded
       • 1 server thread
       • 1~10 TTS working threads
       • 1~10 IBM ViaVoice synthesis threads
     • Asynchronous message queue
       • server → working threads
     • Synchronized
       • synthesis threads ↔ working threads

  35. VMS TTS Server, cont.
     • A sequence diagram (figure)

  36. Purpose
     • Check safety properties
       • Potential deadlocks
       • Unexpected end states
       • Unreachable code
     • Check if it works for 10 ViaVoice instances
       • Currently we have only 1 instance
     • Check about the message loss

  37. Result in Simulation
     • No error found in the program (simulation)
     • 1 bug found in the Promela model
       • Deadlock in server thread
       • Forgot to add a lock when accessing globals in the abstraction
     • There is unreached code
       • Abstraction is not easy work
     • Program works for 10 threads
     • There is message loss
       • Under high stress
         • Every thread is fully loaded
       • Increase # of buffers → fewer losses
       • Increase # of instances → fewer losses
       • Decrease synthesis delay
     • As for performance
       • Simulation is not trustworthy

  38. Result in PAN

  39. Restrictions, Lessons
     • No timer in Promela
       • Use a loop to simulate a timer
     • Different behavior in simulation & PAN
     • Hard to locate an error
       • Too many messages
       • Generally, subtle errors occur after quite a long time
     • Platform-dependent APIs are hard to abstract
       • What is the size of the Win32 thread message queue?
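The structure of slides 34 to 39 as a Promela abstraction. This is an added example, not the TTS server model from the talk: one server process feeds N working processes over an asynchronous (buffered) channel, each working process hands its job to a synthesis process over a synchronous (rendezvous) channel, the synthesis delay is a counting loop standing in for a timer, and a request that arrives while the queue is full is counted as lost. The values of N, QLEN, DELAY and REQS, the channel and process names, and the counters are all assumptions made for the illustration.

```promela
/* Added example, not the original TTS server model: an abstraction of the
 * thread structure on slides 34-39. N, QLEN, DELAY and REQS are assumed
 * values, and every name below is invented for the illustration. */

#define N      2   /* working / synthesis thread pairs */
#define QLEN   2   /* message buffers between server and workers */
#define DELAY  3   /* loop iterations standing in for synthesis time */
#define REQS   6   /* requests the server issues before it stops */

mtype = { REQ, DONE, SYN, RESULT };

chan work     = [QLEN] of { mtype, byte };  /* asynchronous: server -> workers */
chan synth[N] = [0]    of { mtype, byte };  /* rendezvous: worker <-> synthesis */
chan back     = [REQS] of { mtype, byte };  /* completions back to the server */

byte sent = 0, lost = 0, served = 0;

/* Declared first, so its _pid is 0 (the worker/synthesis ids rely on it). */
active proctype server() {
  byte i = 0;
  do
  :: i < REQS ->
       if
       :: nfull(work) -> work!REQ(i); sent++
       :: full(work)  -> lost++            /* queue full: request is dropped */
       fi;
       i++
  :: else -> break
  od;
end_server:                                 /* idling here is a valid end state */
  do
  :: back?DONE(_) -> served++
  od
}

active [N] proctype worker() {
  byte id = _pid - 1;                       /* pids 1..N */
  byte job, r;
end_worker:
  do
  :: work?REQ(job) ->
       synth[id]!SYN(job);                  /* blocks until synthesis accepts */
       synth[id]?RESULT(r);                 /* blocks until the result is ready */
       assert(r == job);                    /* result must belong to this job */
       back!DONE(job)
  od
}

active [N] proctype synthesis() {
  byte id = _pid - 1 - N;                   /* pids N+1..2N */
  byte job, d;
end_synth:
  do
  :: synth[id]?SYN(job) ->
       d = 0;
       do                                   /* "timer": DELAY steps of work */
       :: d < DELAY -> d++
       :: else -> break
       od;
       synth[id]!RESULT(job)
  od
}

/* Holds only if no request is ever dropped; pan produces a trail otherwise. */
ltl no_loss { [] (lost == 0) }
```

Usage: `spin -a tts.pml && gcc -o pan pan.c && ./pan -a` explores every interleaving and reports a violation of no_loss, because the server can issue all REQS requests before any worker drains the queue; `spin -t -p tts.pml` replays the trail step by step. A random simulation with `spin -p tts.pml` may run many times without ever showing the loss, which is the simulation-versus-PAN difference the slides describe. Raising QLEN to REQS makes the property hold, matching the observation that more buffers mean fewer losses, and lowering DELAY shortens the window in which the queue can fill.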

  40. Agenda (repeated; see slide 2)

  41. Future Work
     • More applications
       • OS Adapter Project
       • POSIX thread
       • …
     • Tool enhancements
       • Locate bugs more easily?
       • Timer?
       • Automata → LTL?

  42. Reference Sites
     • SPIN: http://spinroot.com/spin/whatispin.html
     • Verisoft: http://cm.bell-labs.com/who/god/verisoft/
     • SLAM: http://research.microsoft.com/slam/

  43. Suggestions & Thanks!
