1 / 20

Integrating Model Checking and Procedural Languages (FI03)

This article discusses the integration of model checking and procedural languages in software development, focusing on the benefits and challenges. It also explores the use of model-based tools like MATLAB for NASA projects and introduces upcoming advancements in model-based development.

dlazaro
Download Presentation

Integrating Model Checking and Procedural Languages (FI03)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating Model Checking and Procedural Languages (FI03) Tim Menzies West Virginia Universitytim@menzies.us David Owen West Virginia University drobo75@hotmail.com

  2. Model-based tools (MATLAB) for NASA projects STEREO= “solar terrestrial relations observatory”  studies 3D structure of coronal mass ejections GLAST= “gamma ray large area space telescope”  studies high-energy objects

  3. Coming soon to softwarenear you: model-baseddevelopment Rhapsody from I-Logix Rose Real-Time from Rational Esterel Simulink/ Stateflow Stanley/ Livingston But checking these is hard No longer testing procedural software Test “properties”, not “structure” Issues: Hard when nondeterministic Checking properties on all pathways= HARD (NP-hard; i.e. O(2N) When complete search is too slow Will stochastic search do?

  4. Analysis Testing Visualization Prototyping Specification Model Code Model-Based Development

  5. Why model-based development? Source: Esterel Technologies - 37.5 % - 25 % - 75 % - 50 %

  6. Bandera, JPF: Auto-extract from JAVA Autonoma compiler Dwyer’s temporal logic patterns Random sampling of possible states Costs: write, run, rewrite • Write • System model • Mathematical abstraction of program • Properties model • Temporal logic description of key requirements • Negate, search for counter-examples • PhD-level mathematical expertise • Run • Explore all pathways • Exponential time • Rewrite • Theory too big • Use some abstraction to shrink theory transitions to P-states occur at most 2 times between Q and R: []((Q & <>R) -> ((!P & !R) U (R | ((P & !R) U (R | ((!P & !R) U (R | ((P & !R) U (R | (!P U R))))))))))

  7. Random vs complete search Animation by Bart Selman

  8. Source: IJCAI-01 tutorial Gomes, Hogg, Walsh, Zhang

  9. OR-Nodes White NAYO NO-EdgesDotted LURCH: random search of nondeterministic FSM as NAYOs NAYO graph = <V+,E+> V= and | or; E= yes | no for (each FSM f) for (each state) make an OR-node; draw NO-edges to all other states in f ; for (each transition) make an AND-node a; draw YES-edges: from current (state) to a, from inputs to a, from a to outputs, and from a to next (state); FSM B2

  10. LURCH and “C” enum { UNDEF, X, O } turn = X; int x_turn() { if (t != X) return FALSE; t = UNDEF; return TRUE; } int o_turn() { if (t != O) return FALSE; t = UNDEF; return TRUE; } %% s1_1-blank; (x_turn()); {t = O;}; s1_1-X; s1_1-blank; (o_turn()); {t = X;}; s1_1-O; s1_2-X; s1_2-blank; (x_turn()); {t = O;}; s1_2-X; s1_2-blank; (o_turn()); {t = X;}; s1_2-O; s2_1-blank; (x_turn()); {t = O;}; s2_1-X; s2_1-blank; (o_turn()); {t = X;}; s2_1-O; s2_2-O; s2_2-blank; (x_turn()); {t = O;}; s2_2-X; s2_2-blank; (o_turn()); {t = X;}; s2_2-O; no-win; s1_1-X,s1_2-X; -; win; no-win; s2_1-X,s2_2-X; -; win; no-win; s1_1-X,s2_1-X; -; win; no-win; s1_2-X,s2_2-X; -; win; no-win; s1_1-X,s2_2-X; -; win; no-win; s1_2-X,s2_1-X; -; win; no-win; s1_1-O,s1_2-O; -; win; no-win; s2_1-O,s2_2-O; -; win; no-win; s1_1-O,s2_1-O; -; win; no-win; s1_2-O,s2_2-O; -; win; no-win; s1_1-O,s2_2-O; -; win; no-win; s1_2-O,s2_1-O; -; win;

  11. NAYO search = NP-hard A solution—a DAG ofYES-edges connectingonly compatible (no NO-edges) nodes—can beverified in polynomial time. NAYO Search ∈ NP This NAYO represents the SAT query 3SAT ≤P NAYO Search

  12. Machines with local states Machines= variables with N possible assignments Global state: an assignment to all variables “Global state path”: list of global states path[i] “earlier” than path[j] i < j. 2 ignore 1 frontier Since NP-hard, try stochastic • “Thrash” • Explore transitions in random order • “Frontier”: • Reachable local states that contradict local states found earlier • Asychronous mode: “next” when |fronter|=1 • Synchronous model: “next” when no new local states found • Inputs to path[i] are • FIRST: frontier [i -1] • THEN :reached[i -1] • minus local states that contradict frontier

  13. “Looping” and “Saturation” • Inter- iteration: • global state hashes in any iteration • accumulates over many iterations • Used to detect “saturation” • LURCH stops on “saturation” • stop if less than X% new global states seen in this iteration • lurch –p 0.05 • LURCH “iterates” • One iteration= one global state path • Default # of iterations: 500 • lurch –I 500 • Internally: • each global state hashed to a 32-bit int • Intra- iteration: • keeps hashes found in this iteration • cleared after each iteration • “Collision”: • same global state reached again • checked against inter-iteration memory • “Loop”: • Too many collisions • max collisions default = 10 • lurch –c 10

  14. Ram (MB) spin smv lurch super trace % errors spin smv lurch Tic-tac-toe board size: 2..15 Some LURCHresults spin lurch dining philosophers spin lurch nqueens n=: 4..14

  15. NuSMV Lurch (5 runs) Mats HeimdahlUMN Jimin GaUMN • Flight Guidance System: • RSML-e model from Rockwell Collins Inc. • Pitch and Roll commands, complex mode logic • Convert to LURCH,SMV • Find errors in using historical records that SMV would detect • Compare SMV, LURCH memory (MB) Runtime (secs) • Usually, finds what SMV finds • Often, much faster • Often, uses less memory • Sometimes, (8/40) random search failed • Further work: tunings; larger sample size

  16. Use straight symbolic model checking for rigorous verification for all cases. Ricky Butler NASA Langley Charles Pecheur RIACS,ARC When not to LURCH • When 100% assurance is essential • When other, more complete methods, work • But if the choice is LURCH vs “nothing at all” • Considering LURCH-ing

  17. Linking LURCH to procedures (method #1: spiderweb) • Tiny formal model for the interfaces • Large procedural systems (in “C”) • Execution= traversal FSMs • Call “C” functions as transition side-effects • Advantage: • Usability: most NASA programmers code in “C” (or ADA)

  18. Hyrbid Model (e.g. MATLAB) Lurch Model Numeric part (e.g. Simulkink) C Code Part Discrete part (e.g. Stateflow) Finite-State Machine Part Linking LURCH to procedures (method #2: MATLAB) enum { UNDEF, X, O } turn = X; int x_turn() { if (t != X) return FALSE; t = UNDEF; return TRUE;} int o_turn() { if (t != O) return FALSE; t = UNDEF; return TRUE;} %% s1_1-blank; (x_turn()); {t = O;}; s1_1-X; s1_1-blank; (o_turn()); {t = X;}; s1_1-O; s1_2-X; s1_2-blank; (x_turn()); {t = O;}; s1_2-X; s1_2-blank; (o_turn()); {t = X;}; s1_2-O; s2_1-blank; (x_turn()); {t = O;}; s2_1-X; s2_1-blank; (o_turn()); {t = X;}; s2_1-O; s2_2-O; s2_2-blank; (x_turn()); {t = O;}; s2_2-X; s2_2-blank; (o_turn()); {t = X;}; s2_2-O;

  19. Property (Java) bytecode Counter Example MC JVM DFS search Commercial JVM Yes Program (Java) bytecode Linking LURCH to procedures (method #3: JPF) • NASA’s engineering for complex systems • JAVA pathfinder • Runtime monitoring of JAVA • Or C++ translated to JAVA (automatically) • Used for (e.g.) test case generation or detection of livelocks Is LURCH a better search strategy than depth first search? C++

  20. Questions? Comments?

More Related