Model Checking Büchi Pushdown Systems

Presentation Transcript


  1. Model Checking Büchi Pushdown Systems
     Presented by Rustan Leino
     Juncao Li and Fei Xie, Dept. of Computer Science, Portland State University
     Thomas Ball and Vladimir Levin, Microsoft Corporation

  2. Hardware/Software (HW/SW) Interfaces are Pervasive…
     • Windows XP
       • Over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004)
     • Linux
       • 70% of code for drivers that operate hardware (Chou, et al., 2001)

  3. And Unreliable…
     • In Windows
       • Drivers cause 85% of reported failures (Swift, 2005)
       • At least 52.6% of Windows crashes involve HW/SW interaction (Sinha, 2005)
     • In Linux
       • Seven times more driver failures (Chou, et al., 2001)
     • Lots of issues cannot be gathered …
       • e.g., device/driver I/O hangs

  4. What we have done (FASE’10, CAV’10)
     • Formal specification framework
       • Specify hardware model for verifying software
     • Unifying formal model
       • Labeled Pushdown System (LPDS) as the software model
       • Büchi automaton (BA) as the hardware model
       • Büchi Pushdown System (BPDS): BA × LPDS
     • Reachability analysis algorithm
       • For BPDS
     • Static Partial Order Reduction
     • Discovered 12 bugs in 5 Windows drivers

  5. Need more?
     • Why? (system responsiveness)
       • Software commands will always be acknowledged
       • I/O will not hang
     • How?
       • Specify the properties
         • Linear Temporal Logic (LTL)
       • Model checking algorithm
         • For checking liveness properties of BPDS
       • Reduction algorithm
         • Static Partial Order Reduction

  6. Where are we …
     • Introduction
     • Preliminaries
     • Algorithms
       • Model Checking
       • Reduction
     • Examples & Evaluation
     • Conclusion

  7. Büchi Automaton (BA)
     • A BA,
       • , the alphabet
       • , the finite set of states
       • , the set of state transitions
       • , the initial state
       • , the set of final states
     • The alphabet is defined on the states of LPDS
       • LPDS is the generator of inputs to BA
     Figure label: WRITE_REGISTER_UCHAR(foo, 32)

  8. Labeled Pushdown System (LPDS)
     • An LPDS,
       • , the input alphabet
       • , finite set of global states
       • , finite stack alphabet
       • , initial configuration
     • the set of transition rules is

  9. Labeling Functions

  10. BPDS …

  12. Model Checking Problem

  13. Model Checking Problem
     • Find a trace that
       • Starts from the initial state
       • Visits the final states infinitely often
       • Satisfies the fairness requirement
         • Infinitely many hardware transitions from and
         • Infinitely many software transitions from

  14. Model Checking Algorithm
     • Detect the loops in that
       • visit the final states
       • contain at least one hardware transition
       • contain at least one software transition
       • Backward reachability analysis algorithm of Pushdown systems (Schwoon, 2002)
     • Check if one of the loops is reachable from the initial state
       • Reachability checking (FASE’2010, CAV’2010)

  16. Static Partial Order Reduction
     • Partial order reduction
       • Exploit commutativity of concurrent transitions
       • Usually applied during model checking
     • Static – applied at compile time
       • NO modification to model checker
       • Can be applied with other techniques, e.g., co-simulation (Kuznetsov, 2010)
       • May be less effective in reduction

  17. State Graph
     Figure legend: LPDS self-loops; BA self-loops; BA and LPDS both transition

  18. An Intuition of the Reduction
     Figure legend: LPDS self-loops; BA self-loops; BA and LPDS both transition

  19. What to reduce?
     • SensitiveSet
       • when HW/SW interface events happen, e.g., HW interrupt, SW writes to HW register
     • VisibleSet
       • when the propositional variables of the LTL formula are affected
     • LoopSet
       • when this is the last HW (or SW) transition in a loop – fairness constraint

  21. Hardware / Software example

     Hardware:

       // represent HW registers
       decl c0,c1,c2,r,s;

       __atomic void reset()
       begin
         reset_cmd: r := 1;
       end

       __atomic bool<2> status()
       begin
         return s,r;
       end

       __atomic bool<3> rd_reg()
       begin
         return c2,c1,c0;
       end

       // HW instrumentation function
       void HWInstr()
       begin
         while(*) do HWModel(); od
       end

       // Asynchronous HW model
       __atomic void HWModel()
       begin
         if(r) then
           reset_act: c2,c1,c0,r,s := 0,0,0,0,1;
         elseif(s) then
           inc_reg();
         fi
       end

       __atomic void inc_reg()
       begin
         if(!c0) then c0 := 1;
         elseif(!c1) then c1,c0 := 1,0;
         elseif(!c2) then c2,c1,c0 := 1,0,0;
         fi
       end

     Software:

       void main()
       begin
         decl v0, v1, v2;
         v0, v1, v2 := 1,1,1;
         sw_reset: reset();
         // wait for the reset to complete
         v1,v0 := status();
         while(!v1|v0) do v1,v0 := status(); od
         // wait for the counter to increase
         v2,v1,v0 := rd_reg();
         while(!v2) do v2,v1,v0 := rd_reg(); od
         // if the return value is valid
         if(v1|v0) then error: skip; fi
         exit: return;
       end

  25. With reduction. LTL formula: G (sw_reset -> (F reset_act))

  26. With reduction. LTL formula: G (sw_reset -> (F reset_act)). Transitions of the example are classified into SensitiveSet, VisibleSet and LoopSet.
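As an added illustration (not the authors' code or tool), the following Python explores the product of the slide-21 hardware model, main() and the automaton for the negated formula of slide 25 explicitly, and applies the loop test of slide 14: a reachable strongly connected component that visits an accepting state and contains both a hardware and a software transition. It assumes a finite state graph (main() is non-recursive, so the pushdown stack is dropped) and models error and exit as terminal software locations; check(fair=False) drops the fairness requirement of slide 13 to show what it rules out.

```python
def hw_step(hw):                           # one HWModel() step -> (hw', label)
    c0, c1, c2, r, s = hw
    if r: return (0, 0, 0, 0, 1), "reset_act"      # reset_act: acknowledge the reset
    if s:                                          # inc_reg(): 3-bit counter, saturates at 111
        if not c0:   c0 = 1
        elif not c1: c1, c0 = 1, 0
        elif not c2: c2, c1, c0 = 1, 0, 0
    return (c0, c1, c2, r, s), None

def sw_step(pc, v, hw):                    # one main() statement -> (pc', v', hw', label)
    v0, v1, v2 = v
    c0, c1, c2, r, s = hw
    if pc == "reset":  return "status", v, (c0, c1, c2, 1, s), "sw_reset"
    if pc == "status": return "wait_s", (r, s, v2), hw, None      # v1,v0 := status()
    if pc == "wait_s": return ("status" if not v1 or v0 else "rd"), v, hw, None
    if pc == "rd":     return "wait_c", (c0, c1, c2), hw, None    # v2,v1,v0 := rd_reg()
    if pc == "wait_c": return ("rd" if not v2 else "check"), v, hw, None
    if pc == "check":  return ("error" if v1 or v0 else "exit"), v, hw, None
    return None                            # error/exit modelled as terminal (assumption)

def next_q(q, label):                      # BA for the negation F(sw_reset & G !reset_act)
    if q == 0: return [0, 1] if label == "sw_reset" else [0]
    return [] if label == "reset_act" else [1]     # q1: accepting and absorbing

def successors(node):                      # edges of the product: (kind, next_node)
    pc, v, hw, q = node
    nhw, lab = hw_step(hw)
    out = [("HW", (pc, v, nhw, nq)) for nq in next_q(q, lab)]
    sw = sw_step(pc, v, hw)
    if sw: out += [("SW", (sw[0], sw[1], sw[2], nq)) for nq in next_q(q, sw[3])]
    return out

def check(fair=True):                      # node of a violating loop, or None
    idx, low, stack, comp = {}, {}, [], {}  # Tarjan SCC over the reachable product
    def dfs(u):
        idx[u] = low[u] = len(idx); stack.append(u)
        for _, w in successors(u):
            if w not in idx: dfs(w); low[u] = min(low[u], low[w])
            elif w not in comp: low[u] = min(low[u], idx[w])   # w is still on the stack
        if low[u] == idx[u]:                                   # u roots an SCC: pop it
            w = None
            while w != u: w = stack.pop(); comp[w] = u
    dfs(("reset", (1, 1, 1), (0, 0, 0, 0, 0), 0))  # v0,v1,v2 := 1,1,1; HW registers 0
    for root in set(comp.values()):
        # kinds of transitions on edges staying inside the SCC (empty => not a loop)
        ks = {k for u in comp if comp[u] == root for k, w in successors(u) if comp[w] == root}
        if ks and root[3] == 1 and (not fair or ks == {"HW", "SW"}): return root
    return None
```

check() returns None, so the reset is always acknowledged when both sides are scheduled infinitely often; check(fair=False) returns a node of the status() polling loop, the run in which the hardware never executes, which only the fairness requirement excludes.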

  28. Evaluation
     • Designed a BPDS template
       • To generate BPDS models with different complexities
     • Verified eleven LTL formulae
     • Observations
       • 80% average reduction in time usage
       • 35% average reduction in memory usage
       • One space-out without reduction
     • The reduction is effective
       • Since HW and SW transitions are mostly asynchronous

  30. Conclusion
     • We have presented
       • A model checking algorithm for BPDS
       • A static partial order reduction algorithm for BPDS
     • Take away with you …
       • The model checking algorithm can be implemented based on existing liveness verification engines of Pushdown Systems
       • The reduction algorithm has a broader application, e.g., co-simulation
     • Future work
       • Realize the liveness checking on BPDS specified in C language
       • Co-simulation that utilizes our reduction algorithm

  31. References
     Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products. Available at: http://www.softwaretechnews.com (2004)
     Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP (2001)
     Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005)
     Sinha, A.: Windows driver quality signature. Available at: http://www.microsoft.com (2005)
     Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002)
     Li, J., Xie, F., Ball, T., Levin, V., McGarvey, C.: An Automata-Theoretic Approach to Hardware/Software Co-verification. In: Proc. of FASE (2010)
     Li, J., Xie, F., Ball, T., Levin, V.: Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In: Proc. of CAV (2010)
     Kuznetsov, V., Chipounov, V., Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIX ATC (2010)