
Symbolic execution based model checking of open systems with unbounded variables

Tests and Proofs 2009. Nicolas Rapin (nicolas.rapin@cea.fr), CEA LIST, Laboratory of Model Driven Engineering for embedded systems, F-91191 Gif-sur-Yvette, France.



Presentation Transcript


  1. Tests and Proofs 2009. Symbolic execution based model checking of open systems with unbounded variables. Nicolas RAPIN, nicolas.rapin@cea.fr, CEA LIST, Laboratory of Model Driven Engineering for embedded systems, F-91191 Gif-sur-Yvette, FRANCE.

  2. Spec () design Conforms to ? Model (M) refinement Conforms to ? (TAP’07) Model implementation Conforms to ? (TestCom’06) System (black box) Critical embedded systems => formal methods Context and motivation M |=symb exec ? • Several problems, one technique, Symbolic Execution (SE), one platform (AGATHA). • shift from space complexity to time complexity (for verification). • concise representation: for simulation, test purpose definition … CEA-LIST

  3. Outline
  • Models: IOSTS formalism
  • Specifications: IOLTL logic
  • IOLTL tableau calculus
  • Symbolic Execution technique
  • Tableau calculus and SE (|=symb path)
  • Termination
  • Experiment, conclusion, future work

  4. IOSTS formalism
  • Data part: first order decidable theory Th (ex: Presburger arithmetic); state variables: {v, b}
  • Graph part: states, transitions; label: Guard [I|O|] {Substitution}; I: channel ? variable; O: channel ! term
  Example: relative speed regulator (virtual trains for trucks), states I, p, q, r, transitions t3, t4 (figure). Transition labels: T [] {b := 1, v := 0}; T [] {b := 0}; T [rel_speed ? v] {}; (b == 0) [] {}; v > 1 [motor ! -1] {}; v < -1 [motor ! 1] {}; -1 ≤ v ≤ 1 [] {}.
  A run (figure, states and labels as extracted): (p, v↦-5, b↦0), rel_speed ? -5, motor ! 1, (q, v↦-5, b↦0), (r, v↦-5, b↦0), (p, v↦0, b↦0), (I, v↦0, b↦1).

  5. IOLTL
  • BNF grammar: ::= atom | T |  |  1 | 1  2 | X 1 | 1 U 2 | 1 R 2
  • Atomic propositions: properties over states, e.g. (v > 0); properties over I/O, e.g. (c ! u, u > v+1)
  • Satisfaction: M |=iosts if for all r ∈ Run(M), r |=run
  • Implicit Kripke structure (figure: states I and p, edges e1 and e2; |= X is evaluated on the successor)

  6. IOLTL tableau calculus
  Goal: transform the satisfaction relation |=run into an operational procedure. Idea: reduce it to a satisfaction relation on states, |=state, which can itself be reduced to Th |= f (the data theory Th is supposed to be decidable).
  r |=run means r(0) |=run. r(i) |=run can be reduced to: r[i] |=state Now() or r(i+1) |=run neXt(), where Now() ⊆ Atoms.
  r[i] |=state Now() means T |= /\ r[i] ∧ /\ Now().
  Two kinds of inference rules: transformation rules (Now, neXt → Now’, neXt’) and transition rules (r(i) → r(i+1)).

  7. Tableau calculus: example
  F p (abbreviates T U p). F p ≡ p ∨ X(F p): r(i) |= F p iff r[i] |= p or r(i+1) |= F p.
  From Now = {F p}: rule F1 gives Now = {p} (prove p now); rule F2 gives Now = {}, neXt = {F p} (or prove F p in the next state).
  If p is not an atom: after F1, the rules dedicated to the main operator of p are applied, and so on until the Now set contains only atoms.
  NSR (Next State Rule): from ({}, {F p}) build the next state ({F p}, {}).

  8. Symbolic execution
  Principle: symbols are used instead of values. Correct, complete. Intentional representation of all runs (concise and exact).
  M |=iosts iff for all sp ∈ SP(M) we have sp |=symb path.
  Symbolic path of the regulator (figure; the red symbolic path contains the run of slide 4): (I, T, {v↦v0, b↦b0}) → (p, T, {v↦v0, b↦0}), then rel_speed?v1 → (q, T, {v↦v1, b↦0}); further contexts: (r, T, {v↦v1, b↦0}), (r, T, {v↦0, b↦1}), and via motor ! -1 and motor ! 1 respectively (p, v1 > 1, {v↦v1, b↦0}), (p, v1 < -1, {v↦v1, b↦0}), and (p, -1 ≤ v1 ≤ 1, {v↦v1, b↦0}).

  9. IOLTL tableau calculus and symbolic execution
  (p, vi > 1, v↦vi) {F (v < 5)}, {}
  F1 → (p, vi > 1, v↦vi) {(v < 5)}, {}
  Atom → (p, (vi > 1) ∧ (v↦vi) ∧ (v < 5), v↦vi), i.e. (p, 1 < vi < 5, v↦vi)
  The Atom rule transfers atoms into the path condition.

  10. IOLTL tableau calculus and symbolic execution
  (p, vi > 1, v↦vi) {F (v < 5)}, {}
  F2 → (p, vi > 1, v↦vi) {}, {F (v < 5)}
  NSR, rel_speed?vi+1 → (q, vi > 1, v↦vi+1) {F (v < 5)}, {}
  Context rules build sequences of transitions linking contexts: we call them unfoldings (an unfolding is consistent if the path condition of its symbolic state component).

  11. Satisfaction problem with Until formulas
  Consider F(v < 0) and the Kripke structure above (figure: a state with path condition v > 1 and a loop guarded by v > 0). Rule F2 applies forever (i.e. builds an infinite consistent unfolding) although (v < 0) is never satisfied! Consistency of an infinite unfolding is not a sufficient criterion for the satisfaction relation.
  The technique requires a third set of formulas which stores the Until formulas (remember that F is an Until) never proved: initialized with all Until (Finally) sub-formulas. With the above example: USet always contains F(x < 0)!
  NSR (modified to take USet into account): USet, {}, neXt → USet ∩ neXt, neXt, {}.
  Emptiness of the USet provides a sufficient criterion.
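The F1/F2, Atom and modified NSR rules of slides 9 to 11, as an added worked example that is not part of the original presentation or of the AGATHA platform. It assumes a constructed simplification of the data theory Th (path conditions and atoms are strict intervals over one symbol vi) and reads the modified NSR as Uset := Uset ∩ neXt; the names Context, rule_f1, rule_f2, nsr and check_finally are invented here.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple

# Constructed simplification of the theory Th: path conditions and atoms over v are
# strict open intervals (lo, hi) on one symbol vi, None = unbounded; v < 5 -> (None, 5).
Interval = Tuple[Optional[float], Optional[float]]
Formula = Tuple  # ('atom', Interval) or ('F', ('atom', Interval))

@dataclass(frozen=True)
class Context:             # symbolic state plus the three tableau sets
    state: str
    pc: Interval           # path condition on vi
    now: FrozenSet[Formula]
    nxt: FrozenSet[Formula]
    uset: FrozenSet[Formula]   # Until (Finally) formulas not yet proved

def conj(pc: Interval, atom: Interval) -> Interval:
    lo = max((x for x in (pc[0], atom[0]) if x is not None), default=None)
    hi = min((x for x in (pc[1], atom[1]) if x is not None), default=None)
    return (lo, hi)

def consistent(pc: Interval) -> bool:
    return pc[0] is None or pc[1] is None or pc[0] < pc[1]

def rule_f1(ctx: Context, f: Formula) -> Optional[Context]:
    """F1 then Atom rule: push p's atom into the path condition; None if inconsistent."""
    pc = conj(ctx.pc, f[1][1])
    return replace(ctx, pc=pc, now=ctx.now - {f}, uset=ctx.uset - {f}) if consistent(pc) else None

def rule_f2(ctx: Context, f: Formula) -> Context:
    """F2: defer F p to the next state; it stays in Uset as still unproved."""
    return replace(ctx, now=ctx.now - {f}, nxt=ctx.nxt | {f})

def nsr(ctx: Context, target: str, guard: Interval) -> Optional[Context]:
    """Next State Rule along one transition: Now := neXt, neXt := {}, and
    Uset := Uset ∩ neXt (our reading of the modified NSR on slide 11)."""
    pc = conj(ctx.pc, guard)
    return Context(target, pc, ctx.nxt, frozenset(), ctx.uset & ctx.nxt) if consistent(pc) else None

def check_finally(ctx: Context, f: Formula, loop_guard: Interval) -> str:
    """Unfold F p along a self-loop: a consistent F1 branch proves it; a repeated
    context whose Uset is still non-empty is a lasso on which F p is never proved."""
    seen = set()
    while ctx is not None and ctx not in seen:
        seen.add(ctx)
        if rule_f1(ctx, f) is not None:
            return 'proved'
        ctx = nsr(rule_f2(ctx, f), ctx.state, loop_guard)
    return 'dead end' if ctx is None else 'lasso, unproved'
```

With path condition vi > 1, F(v < 5) is proved by one F1 step (path condition 1 < vi < 5), while F(v < 0) on the v > 0 loop of slide 11 comes back to the same context with Uset non-empty.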

  12. Lemma
  With the USet emptiness criterion (never infinitely non-empty), |=run and |=symb path are equivalent (i.e. we can use |=symb path instead of |=run in the definition of |=iosts).

  13. Termination criterion 1: lasso detection
  An unfolding (figure): a prefix a followed by a loop b, with a context with USet = ∅ in the loop. O1, O2 are omega sets (see paper) with respect to the symbols present in the prefix.
  Lemma: O1 ∩ O2 ≠ ∅ => there is a lasso (see the red execution a.b). Moreover, if there exists, in the loop part of the unfolding, a context with USet = ∅, then a.b* satisfies .

  14. Termination criterion 2: “dead end” detection
  Two contexts S1 and S2 with USet ≠ ∅ (figure); O1, O2 are the omega sets of S1 and S2 with respect to .
  O2 ⊆ O1 => unfoldings “after” S2 cannot prove more than those “after” S1 => cut on S2.

  15. Theorems
  Theorem 1: If there exists an unfolding satisfying the lasso criterion and the USet criterion, then there exists a run r |= .
  Theorem 2: If all unfoldings satisfy the inclusion criterion but not the USet criterion, then there exists no run satisfying .
  (The two criteria are applied in a defined sequence.)

  16. First experiment: diagnosability
  A model is not diagnosable with respect to a fault if we can find two different runs, having the same observable traces, one being affected by the fault and not the other. The speed regulator IOSTS model of slide 4 contains a fault whose occurrence is characterized by the value of b.
  Diagnosability can be reduced to a model-checking problem on the product of M with itself: M  M |=iosts F G (b1 = T  b2 = ) ?
  Answer about the speed sensor failure: not diagnosable when the relative speed is maintained at 0.

  17. Conclusion
  • |=symb path can be used instead of |=run
  • Allows analysis of models with unbounded variables or huge domains
  • The SE and tableau calculus combination provides an operational technique for |=symb
  • Semi-decision verification algorithm (between test and proof)

  18. Future work
  • Improve the verification algorithm with strategies (priorities over rules: F1 > F2 to check F G )
  • Monte Carlo methods for large systems (adaptation of the MC2 PLTL checker approach)
  • What about FIFO channels?
  • Use tableau calculus and SE to generate test purposes (TestCom’06) from IOLTL properties (test purpose refinement)
  Thank you!
