170 likes | 314 Views
Extraction of Verification Models via Guided Abstraction. Benjamin Gorry 1 ( beng@macs.hw.ac.uk ) Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh. 1 Sponsored by an ICASE Studentship from the EPSRC and QinetiQ. Background.
E N D
Extraction of Verification Models via Guided Abstraction Benjamin Gorry1 (beng@macs.hw.ac.uk) Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh 1 Sponsored by an ICASE Studentship from the EPSRC and QinetiQ
Background • Model Checking – not enough? • SPIN • FeaVer • Example • Applications • Other Tools • Conclusions • Questions?
Model Checking – not enough? • Problems… • Insufficient abstractions • Too fine • Too coarse • Wrong items • State space explosion • Personal style • Harry Potter syndrome • Are there any solutions to this?
Model Checking – not enough? • If model checking contains so many potential pitfalls why stick with it? • Powerful (simulation/verification) • Cost (financially and temporally) • Testing / theorem proving • Relatively new discipline • Growing community • Can be used in conjunction with other more established techniques
SPIN • We all know about SPIN • Version from 2nd January 2004 • Embedded ANSI-C code • Changes in algorithms • Verification of ‘actual system code’ • Provide facilities for post-hoc verification • Provision for new ‘guided abstraction’ tool…
Feaver • Feature Verification • Developed at Bell Labs by Gerard Holzmann and Margaret Smith • Unrecognisable code? • c_code{ … } & c_expr{ …. } • Concurrency? • Test harness allows Promela test programs to be constructed • Statements written in ANSI-C can be mapped to acceptable Promela statements • Models verified for correctness using SPIN
FeaVer • How it works… Mapping Table ANSI-C Code modex Promela Model Test Harness
Example - code • Alternating bit protocol • typedef struct Msg { • short seq; /* sequence number */ • char *cont; /* message contents */ • } Msg; • void • abp_sender(Msg in) • { Msg out; • if (in.seq == out.seq) • { • get_data(out.cont); /* get new data to send */ • out.seq = 1 - out.seq; /* flip sequence number */ • } • send(out); /* send message */ • }
Example - code • int expect = 0; • void • abp_receiver(Msg in) • { Msg out; • out.seq = in.seq; /* or use expect? */ • out.cont = (char *) 0; • send(out); /* always acknowledge */ • if (in.seq == expect) • { • put_data(in.cont); /* accept data recvd */ • expect = 1 - expect; /* flip sequence number */ • } • }
Example – test harness %F abp2.c %X -L abp_sender -n abp_sender %X -L abp_receiver -n abp_receiver %L Import _all_ _all_ %% %L abp_sender get_data(... hide send(out) c_code { Pabp_sender->s = Pabp_sender->out.seq; }; qr!s %% %L abp_receiver put_data(... hide send(out) c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s %% %D typedef struct Msg { short seq; char *cont; } Msg; %% %P chan qs = [0] of { bit }; chan qr = [0] of { bit };
Example – test harness active proctype abp_sender() { bit s; do :: qs?s; c_code { Pabp_sender->in.seq = Pabp_sender->s; }; #include "_modex_abp_sender.spn" od } active proctype abp_receiver() { bit s; if /* start sender */ :: qs!1 :: qs!0 fi; do :: qr?s; c_code { Pabp_receiver->in.seq = Pabp_receiver->s; }; #include "_modex_abp_receiver.spn" od } %%
What is generated? int expect = 0; int __w64; int __builtin_va_list; c_state "Msg out" "Local abp_receiver" c_state "Msg in" "Local abp_receiver" c_state "Msg out" "Local abp_sender" c_state "Msg in" "Local abp_sender" c_decl { typedef struct Msg { short seq; char *cont; } Msg; } chan qs = [0] of { bit }; chan qr = [0] of { bit }; active proctype abp_sender() { bit s; do :: qs?s; c_code { Pabp_sender->in.seq = Pabp_sender->s; }; if :: c_expr { (Pabp_sender->in.seq==Pabp_sender->out.seq) }; c_code { Pabp_sender->out.seq=(1-Pabp_sender->out.seq); }; :: else; fi; c_code { Pabp_sender->s = Pabp_sender->out.seq; }; qr!s; ; od }
What is generated? active proctype abp_receiver() { bit s; if :: qs!1 :: qs!0 fi; do :: qr?s; c_code { Pabp_receiver->in.seq = Pabp_receiver->s; }; c_code { Pabp_receiver->out.seq=Pabp_receiver->in.seq; }; c_code { Pabp_receiver->out.cont=(char *)0; }; c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s; if :: c_expr { (Pabp_receiver->in.seq==now.expect) }; c_code { now.expect=(1-now.expect); }; :: else; fi; ; od }
From generated model… • Sorry – wanted to provide a decent example • We can view the relationships between ANSI-C, the FeaVer test harness, and Promela (the gap is not large) • We have a Promela model ready for verification • Assertions • LTL • We have a re-usable test harness (long term savings in cost) • We have removed many of the problems discussed earlier
Applications • FeaVer used at Bell Labs between 1998 and 2000 to exhaustively verify the call-processing software of Lucent's PathStar access server • Telephone call processing code for one of Lucent's switches, the PathStar access server, was checked against a database of formally specified logical correctness requirements using standard model checking techniques (using SPIN)
Other Tools • Bandera used on NASA Pathfinder project (recipient of NASA's 2003 TGIR Award for Engineering Innovation) – Java code • SLAM project from Microsoft Research (C programs) • Canvas project – component verification from IBM and the University of Tel-Aviv
Conclusions • A new technique • A lot of responsibility removed from the modeller • Savings both financially and temporally • A new generation of tools to shape a new generation of modellers? • Watch this space!