
Extraction of Verification Models via Guided Abstraction


Presentation Transcript


  1. Extraction of Verification Models via Guided Abstraction
     Benjamin Gorry [1] (beng@macs.hw.ac.uk)
     Dependable Systems Group, School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh
     [1] Sponsored by an ICASE Studentship from the EPSRC and QinetiQ

  2. Background
     • Model Checking – not enough?
     • SPIN
     • FeaVer
     • Example
     • Applications
     • Other Tools
     • Conclusions
     • Questions?

  3. Model Checking – not enough?
     • Problems…
       • Insufficient abstractions
         • Too fine
         • Too coarse
         • Wrong items
       • State space explosion
       • Personal style
       • Harry Potter syndrome
     • Are there any solutions to this?

  4. Model Checking – not enough?
     • If model checking contains so many potential pitfalls, why stick with it?
     • Powerful (simulation/verification)
     • Cost (financially and temporally)
     • Testing / theorem proving
     • Relatively new discipline
     • Growing community
     • Can be used in conjunction with other more established techniques

  5. SPIN
     • We all know about SPIN
     • Version from 2nd January 2004
     • Embedded ANSI-C code
     • Changes in algorithms
     • Verification of ‘actual system code’
     • Provide facilities for post-hoc verification
     • Provision for new ‘guided abstraction’ tool…

  6. FeaVer
     • Feature Verification
     • Developed at Bell Labs by Gerard Holzmann and Margaret Smith
     • Unrecognisable code?
     • c_code{ … } & c_expr{ … }
     • Concurrency?
     • Test harness allows Promela test programs to be constructed
     • Statements written in ANSI-C can be mapped to acceptable Promela statements
     • Models verified for correctness using SPIN

  7. FeaVer
     • How it works…
     [Diagram, labels only: Mapping Table, ANSI-C Code, modex, Promela Model, Test Harness. modex takes the ANSI-C code together with the mapping table and the test harness and produces the Promela model.]

  8. Example - code
     • Alternating bit protocol

       typedef struct Msg {
           short seq;      /* sequence number */
           char *cont;     /* message contents */
       } Msg;

       void
       abp_sender(Msg in)
       {   Msg out;
           if (in.seq == out.seq)
           {
               get_data(out.cont);      /* get new data to send */
               out.seq = 1 - out.seq;   /* flip sequence number */
           }
           send(out);                   /* send message */
       }

  9. Example - code

       int expect = 0;

       void
       abp_receiver(Msg in)
       {   Msg out;
           out.seq = in.seq;            /* or use expect? */
           out.cont = (char *) 0;
           send(out);                   /* always acknowledge */
           if (in.seq == expect)
           {
               put_data(in.cont);       /* accept data recvd */
               expect = 1 - expect;     /* flip sequence number */
           }
       }

  10. Example – test harness

       %F abp2.c
       %X -L abp_sender -n abp_sender
       %X -L abp_receiver -n abp_receiver
       %L Import _all_ _all_
       %%
       %L abp_sender
       get_data(... hide
       send(out) c_code { Pabp_sender->s = Pabp_sender->out.seq; }; qr!s
       %%
       %L abp_receiver
       put_data(... hide
       send(out) c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s
       %%
       %D
       typedef struct Msg { short seq; char *cont; } Msg;
       %%
       %P
       chan qs = [0] of { bit };
       chan qr = [0] of { bit };

  11. Example – test harness

       active proctype abp_sender()
       {   bit s;
           do
           :: qs?s;
              c_code { Pabp_sender->in.seq = Pabp_sender->s; };
              #include "_modex_abp_sender.spn"
           od
       }
       active proctype abp_receiver()
       {   bit s;
           if  /* start sender */
           :: qs!1
           :: qs!0
           fi;
           do
           :: qr?s;
              c_code { Pabp_receiver->in.seq = Pabp_receiver->s; };
              #include "_modex_abp_receiver.spn"
           od
       }
       %%

  12. What is generated?

       int expect = 0;
       int __w64;
       int __builtin_va_list;
       c_state "Msg out" "Local abp_receiver"
       c_state "Msg in" "Local abp_receiver"
       c_state "Msg out" "Local abp_sender"
       c_state "Msg in" "Local abp_sender"
       c_decl {
           typedef struct Msg { short seq; char *cont; } Msg;
       }
       chan qs = [0] of { bit };
       chan qr = [0] of { bit };

       active proctype abp_sender()
       {   bit s;
           do
           :: qs?s;
              c_code { Pabp_sender->in.seq = Pabp_sender->s; };
              if
              :: c_expr { (Pabp_sender->in.seq==Pabp_sender->out.seq) };
                 c_code { Pabp_sender->out.seq=(1-Pabp_sender->out.seq); };
              :: else;
              fi;
              c_code { Pabp_sender->s = Pabp_sender->out.seq; };
              qr!s;
              ;
           od
       }

  13. What is generated?

       active proctype abp_receiver()
       {   bit s;
           if
           :: qs!1
           :: qs!0
           fi;
           do
           :: qr?s;
              c_code { Pabp_receiver->in.seq = Pabp_receiver->s; };
              c_code { Pabp_receiver->out.seq=Pabp_receiver->in.seq; };
              c_code { Pabp_receiver->out.cont=(char *)0; };
              c_code { Pabp_receiver->s = Pabp_receiver->out.seq; };
              qs!s;
              if
              :: c_expr { (Pabp_receiver->in.seq==now.expect) };
                 c_code { now.expect=(1-now.expect); };
              :: else;
              fi;
              ;
           od
       }
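To make the mapping step of slides 6 and 10 to 12 concrete, here is a toy re-implementation of the lookup-table idea, added as an illustration and not modex's own code: it applies the `%L abp_sender` table from the harness above to the C statements of abp_sender and emits Promela close to what slide 12 shows. The pre-split statement list, the rule that a pattern ending in `(...` matches any call with that prefix, and the `Pabp_sender->` prefixing of process-local names are simplifying assumptions; real modex parses the C source and also maps globals such as `expect` to `now.expect`.

```python
import re

# %L abp_sender section copied from the test harness on the slides.
HARNESS_LOOKUP = """\
get_data(... hide
send(out) c_code { Pabp_sender->s = Pabp_sender->out.seq; }; qr!s
"""
# Body of abp_sender as a statement list; a real extractor parses the C
# source, this example assumes that split has already been done.
SENDER_BODY = [
    ("if", "in.seq == out.seq"),
    ("stmt", "get_data(out.cont)"),
    ("stmt", "out.seq = 1 - out.seq"),
    ("endif", None),
    ("stmt", "send(out)"),
]
LOCALS = ("in", "out", "s")   # process-local variables of abp_sender

def parse_lookup(text):
    """Split each '<pattern> <mapping>' line; patterns contain no spaces."""
    return [tuple(line.split(None, 1)) for line in text.splitlines() if line.strip()]

def qualify(expr, proc):
    """Prefix process-local names with the P<proc>-> state pointer."""
    return re.sub(r"\b(%s)\b" % "|".join(LOCALS), r"P%s->\1" % proc, expr)

def map_statement(stmt, table, proc="abp_sender"):
    """Look the statement up; 'hide' drops it, no match wraps it in c_code."""
    stmt = stmt.strip().rstrip(";")
    for pattern, mapping in table:
        # A pattern ending in "(..." matches any call with that prefix.
        hit = stmt.startswith(pattern[:-3]) if pattern.endswith("(...") else stmt == pattern
        if hit:
            return None if mapping == "hide" else mapping
    return "c_code { %s; };" % qualify(stmt, proc)

def extract(body, table, proc="abp_sender"):
    """Emit Promela lines; a C if becomes if :: c_expr ... :: else fi."""
    lines = []
    for kind, text in body:
        if kind == "if":
            lines += ["if", ":: c_expr { (%s) };" % qualify(text, proc)]
        elif kind == "endif":
            lines += [":: else;", "fi;"]
        else:
            mapped = map_statement(text, table, proc)
            if mapped is not None:
                lines.append(mapped)
    return lines
```

Running `extract(SENDER_BODY, parse_lookup(HARNESS_LOOKUP))` yields the if/c_expr/c_code/else/fi block followed by the `qr!s` mapping, matching the abp_sender body of slide 12 up to whitespace.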

  14. From generated model…
     • Sorry – wanted to provide a decent example
     • We can view the relationships between ANSI-C, the FeaVer test harness, and Promela (the gap is not large)
     • We have a Promela model ready for verification
       • Assertions
       • LTL
     • We have a re-usable test harness (long term savings in cost)
     • We have removed many of the problems discussed earlier

  15. Applications
     • FeaVer used at Bell Labs between 1998 and 2000 to exhaustively verify the call-processing software of Lucent's PathStar access server
     • Telephone call processing code for one of Lucent's switches, the PathStar access server, was checked against a database of formally specified logical correctness requirements using standard model checking techniques (using SPIN)

  16. Other Tools
     • Bandera used on NASA Pathfinder project (recipient of NASA's 2003 TGIR Award for Engineering Innovation) – Java code
     • SLAM project from Microsoft Research (C programs)
     • Canvas project – component verification from IBM and the University of Tel-Aviv

  17. Conclusions
     • A new technique
     • A lot of responsibility removed from the modeller
     • Savings both financially and temporally
     • A new generation of tools to shape a new generation of modellers?
     • Watch this space!
