1 / 25

Symbolic Model Checking of Software

Symbolic Model Checking of Software. Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University. Symbolic Model Checking of Software. Goal: Use BDD-based Symbolic Model Checker for the verification of concurrent software Motivation:

ray-petty
Download Presentation

Symbolic Model Checking of Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University

  2. Symbolic Model Checking of Software • Goal: • Use BDD-based Symbolic Model Checker for the verification of concurrent software • Motivation: • Very successful for large state spaces in hardware • Challenges: • Generating the models (language -> SMV) • Adding Partial-Order Reduction • Optimized BDD-operations (e.g., generation and storage) • This Talk: • Focus on Partial-Order Reduction

  3. Outline • Background • Modeling language • Partial-order reduction • Twophase algorithm • New Approach: ImProviso • Basic formulation • Extensions • Experimental results • Related Work • Future Work • Conclusions

  4. Background: Software Verification • Concurrent software • Asynchronous execution, unlike hardware • Huge state space, e.g. large variable ranges • Partial-order reduction (POR) • Attacks the state-space explosion problem • Very effective in explicit-state model checking • Symbolic Model Checking yet to benefit

  5. Background: Modeling Language • Process-oriented modeling language • Each process maintains local variables • Each process has a program counter • System • Concurrent processes • Global variables • Point-to-point channels • Each process is specified as statements • Statements are formalized as transition functions • Multiple statements per pc value allowed, i.e. non-determinism • Example: Promela

  6. Background: Partial-Order Reduction Choose a representative set of paths s0s0’ x = 1 y = 2 s0s1’ s1s0’ y = 2 x = 1 s1s1’

  7. Background: Partial-Order Reduction • Two kinds of state-expansion • Full Expansion generate next states for all enabled transitions • Partial Expansion expand only a subset of enabled transitions, postponing all others • Challenges: • How to choose such subset? (-> deterministic) • How to avoid transitions being postponed indefinitely? (-> proviso)

  8. Background: Deterministic States • Which subset of enabled transitions to choose? • Deterministic state for a process P: • Only one transition tof P enabled at that state • Can be taken without affecting property to be verified • Partial Expansions of deterministic states • Do not need to consider all interleavings A state s is deterministic for a process Piff: • only one transition t of P is enabled in s • t commutes with transitions that can be executed by otherprocesses • executing t does not disable transitions of other processes • executing a transition of another process cannot disable or enable any transition of P

  9. Background: Partial-Order Reduction S1 t0 S2 t5 t1 t2 t3 S3 t1 t4 t2 S4 t1 t2 • Avoiding transitions being postponed indefinitely: Proviso • SPIN: In-Stack Proviso • Partial Expansion should not generate a state in stack • Otherwise, must do Full Expansion

  10. Combining POR with Symbolic Model Checking • POR developed for explicit-state • DFS • Stack: for proviso check • Whereas symbolic verification • Involves a BFS-like algorithm • No stack exists • Only frontier at hand

  11. Twophase Partial-Order Algorithm S1 S5 P2 P2 S2 S6 P2 P1 P1 P1 S7 S3 P1 P1 S4 S8 (b) (a) • Nalumasu, Gopalakrishnan[1997] • Modified proviso check • Alternating phases • Phase 1: Do for each process in sequenceexpand if in deterministic state • Phase 2: Full expansion of the current state • Proviso check: Suits the symbolic case

  12. New Approach: ImProviso • Implicit Proviso check • Employs BDDs • Motivation • Based on Twophase (explicit-state) • Observation: can be formulated in an implicit way • Crucial point: more efficient proviso than previous techniques • New Contributions: • Defining the transition relation • Implicit formulation • Dropping the determinism • Additional fixpoint computation • Automated and incorporated into NuSMV

  13. ImProviso: Defining the Transition Relation • Two transition relations: • TR1:all transitions from deterministic states (Phase 1) • TR2:entire system (Phase 2) • TR1 is further partitioned: • one transition relation for each process Pi • Example: • Statement reads from a channel into a local variable • States in which the channel is not empty are deterministic • TR1 := channel is not empty => TR-stmt

  14. ImProviso: Dropping the Determinism • Twophase: • Only one transition in Phase 1 may be enabled • Simplifies Twophase implementation • Not necessary for correctness • ImProviso allows non-determinism in Phase 1 • Multiple enabled transitions in each process • Each enabled transition must fulfill other conditions of a deterministic state • BFS search, i.e. enabled transitions expanded at the same time

  15. ImProviso: Illustration rec: d=0 1 rec: a?x send: a!1 1 1 2 2 2 p2: c=1 p1: c=0 rec: a?x 1 2 2 1 rec: a?x rec: a?x p2: c=0 p1: c=1 bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0; ... } active proctype p2() { c=1; ... }

  16. ImProviso: Illustration rec: d=0 bool c=-1; chan a = [1] of {int}; active proctype rec() { int x=0; bool d; d=0; a?x; } active proctype send() { a!1; } active proctype p1() { c=0; ... } active proctype p2() { c=1; ... } 1 rec: a?x send: a!1 1 1 1 rec: a?x Phase1: Fixed Point 2 2 p1: c=0 p2: c=1

  17. ImProviso: Implicit Formulation • Implicit formulation of the algorithm • conceptually simple but… not so easy to get right • Reason: paths may have different lengths • BFS instead of DFS • ImProviso: ‘tighter’ over-approximation than previous symbolic methods • Problem: visited vs. in-stack • phase-1 only Cycles -> local check • Larger than phase-1 -> no issue!

  18. Related Work Stack P1 P1 P2 P1 Current Image ImProviso • Two other approaches combine PO and Symbolic Model Checking: • Kurshan et al.: Preprocess the model • Alur et al.: BDD-based Alur’s approach

  19. Implementation • Automated Model Checking framework • ImProviso implemented in NuSMV • Current examples translated from Promela • Considerable effort to compare with explicit state model checkers • e.g., atomic construct in Spin Add Phase 1 and Phase 2 information Promela Specifications Promela2SMV translator NuSMV + ImProviso

  20. Comparison: NuSMV vs. NuSMV-ImProviso • #states: significant reduction • Time: significant reduction • Memory: No reduction

  21. Comparison: NuSMV-ImProviso, PV, and SPIN • SPIN and PV faster, if they can handle example • NuSMV-ImProviso can handle more examples • NuSMV-ImProviso matches PV, SPIN on Best, Worst

  22. Comparison: Leader Election Protocol • Models of same size in SMV and Promela • Same reduction • SPIN, PV faster until…

  23. Leader with Non-deterministic Initial State

  24. Future Work • Reduce memory and run time • BDD blowup problem • BDD algorithms optimized for Concurrent Software • Verification of both safety and liveness properties • Only safety now • Flexible input languages • Only Promela now

  25. Conclusions • Novel Partial Order Reduction algorithm for Symbolic Model Checking • Incorporated into NuSMV • Illustrated the effectiveness with several benchmark examples • Current focus is on tackling large run-time and memory problems • Symbolic Model Checking of Software, Software Model Checking Workshop CAV’03

More Related