630 likes | 773 Vues
SOFTWARE VERIFICATION WORKSHOP. Informatics Institute, Middle East Technical University August 26-27, 2002. MODEL CHECKING. by. Hüsnü Yenigün Sabanci University. Outline :. Motivation Reachability Analysis for Bug Detection Safety and Liveness Properties
E N D
SOFTWARE VERIFICATION WORKSHOP Informatics Institute, Middle East Technical University August 26-27, 2002 MODEL CHECKING by Hüsnü Yenigün Sabanci University
Outline : • Motivation • Reachability Analysis for Bug Detection • Safety and Liveness Properties • LTL as a Specification Notation • Syntax and Semantics of LTL • LTL Model Checking • Büchi Automata • Automata Theoretic Approach • LTL Model Checking via Reachability Analysis • Conclusion
Don’t take our word for it... Gibbs, W. Wayt, “Software’s Chronic Crisis”, Scientific American, Sept. 1994. Studies have shown that for every six large scale software systems that are put into operation, two others are cancelled. The average software development project overshoots its schedule by half; larger projects generally do worse. And three quarters of all large systems are “operating failures” that either do not function as intended or are not used at all. Weiner, L. Ruth, “Why we should not depend upon software” Software products --even programs of modest size-- are among the most complex artifacts that humans produce, and software development projects are among our most complex undertakings. They soak up money and time, however many people we throw at them. The results are modestly reliable. Even after the most thorough and rigorous testing, some bugs still remain. We can never test all threads through the system with all possible inputs. Intel’s President, Andy Grove: After almost 35 years in the microprocessor business, I have come to the conclusion that no microprocessor is ever perfect; they just come closer to perfection with each stepping. In the life of a typical microprocessor, we go through half a dozen or more such steppings.
Some disasters Ariane 5 • A giant rocket of ESA (European Space Agency) • Successor of Ariane-4 • Took 10 years and $7 billion to develop • Launched on June 4, 1996 carrying $500 million worth of satellites • 37 seconds later, triggered a self-distruct mechanism... • It used some piece of code from Ariane-4 that calculates the speed • of the rocket. Unfortunately, Ariane-5 was faster than Ariane-4. • The speed calculated did not fit in to the registers which were • sufficient for the speed Ariane-4, and ... Patriot Missile Defense • February 9, 1991 (Gulf War) • An American Patriot Missile battery in Saudi Arabia failed to intercept • an incoming Iraqi Scud Missile • Scud struck at an American Army barrack and killed 28 soldiers • A report of the General Accounting Office, GAO/IMTEC-92-26, entitled • “Software Problem Led to System Failure in Saudi Arabia”
Some disasters Pentium Bug ... for more examples search the net • see e.g. • wwwzenger.informatik.tu-muenchen.de/persons/huckle/bugse.html
Cost of bug correction Unit System Analysis Design Programming Testing Testing Operation cost of error per correction # of errors detected # of errors introduced Time (not linear) [Liggsmeyer et al., 1998]
Distributed (or concurrent, or reactive) systems more than one modules (probably distributed geographically as well) reacting to and interacting with each other
Distributed (or concurrent, or reactive) systems more than one modules (probably distributed geographically as well) reacting to and interacting with each other
A simple concurrency bug prestate: x = 0 . . . . . . . . . poststate: x = 0 (or 1, or -1 ?) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B This is a trivial error and can be prevented by good practice (e.g. using semaphores), but less trivial concurrency errors are harder to prevent.
The mathematical approach 1- Generate a mathematical model of the distributed system D=(P1, P2, …, Pn) Theorem proving : extract axioms 1, 2, … , k Model Checking : deduce the system automaton A=A1A2 …An 2- Generate a mathematical model of the property p Theorem proving : describe the property as a formula () Model Checking : deduce the property automaton (a) 3- (mathematically) Show that the system D has the property p Theorem proving : prove (1 2 … k) Model Checking : show language inclusion L(A) L(a)
Reachability analysis Assumption: Initially x=0. Property: After A and B terminates, x=0. process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B A global state is (a,b,c) where - a is the current control point of A - b is the current control point of B - c is the value of the variable x Formally: for all reachable states (a,b,c) : ((a=A2) (b=B2)) (c=0) (A2,B1,1) x = x-1 x = x+1 A1 B1 x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1
Reachability analysis Structure of a global state : (CP A, CP B, x, r1, r2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B (A1,B1,0, 0, 0) fetch x to r1 (A1a,B1,0, 0, 0) fetch x to r2 (A1a,B1a,0, 0, 0) incr r1 A1 B1 (A1b,B1a,0, 1, 0) fetch x to r1 fetch x to r2 decr r2 A1a B1a (A1b,B1b,0, 1, -1) incr r1 decr r2 write r1 to x A1b B1b (A2,B1b,1, 1, -1) write r1 to x write r2 to x write r2 to x A2 B2 (A2,B2,-1, 1, -1)
Reachability analysis Structure of a global state : (CP A, CP B, x, r1, r2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B (A1,B1,0, 0, 0) fetch x to r1 (A1a,B1,0, 0, 0) fetch x to r2 (A1a,B1a,0, 0, 0) incr r1 A1 B1 (A1b,B1a,0, 1, 0) fetch x to r1 fetch x to r2 decr r2 A1a B1a (A1b,B1b,0, 1, -1) incr r1 decr r2 error write r1 to x A1b B1b (A2,B1b,1, 1, -1) write r1 to x write r2 to x write r2 to x A2 B2 (A2,B2,-1, 1, -1)
Reachability analysis can be performed using DFS S : the set of all states s0: the initial state SR: the set of reachable states next : S 2S (transition relation) SR =; // the set of reachable states is initially empty dfs ( s0 ); // start the search with the initial state s0 proc dfs ( s ) SR = SR { s }; // include the new state ınto the set of reachable states t next(s) do // for all the next states of the current state if t SRthen // if this next state has not been visited before dfs ( t ); // continue the search with this next state fi od endproc dfs
Safety vs. Liveness - Safety properties : something bad will never happen ( DEADLOCK) e.g. Never [ (a=A2) (b=B2) (c0) ] errors expose themselves in a state
Safety vs. Liveness - Safety properties : something bad will never happen ( DEADLOCK) e.g. Never [ (a=A2) (b=B2) (c0) ] errors expose themselves in a state - Liveness properties : something good will eventually happen (LIVELOCK) e.g. Eventually [ (a=A2) (b=B2) ] e.g. If [ RequestArrived ] Then Eventually [ RequestReplied ] errors expose themselves within an infinite loop
Safety vs. Liveness - Safety properties : something bad will never happen ( DEADLOCK) e.g. Never [ (a=A2) (b=B2) (c0) ] errors expose themselves in a state - Liveness properties : something good will eventually happen (LIVELOCK) e.g. Eventually [ (a=A2) (b=B2) ] e.g. If [ RequestArrived ] Then Eventually [ RequestReplied ] errors expose themselves within an infinite loop Reachability analysis can detect safety errors, but it doesn’t seem good for checking the correctness of liveness properties.
Linear (Time) Temporal Logic - LTL - Given a set of atomic propositions P = { p1, p2, … , pn } pi : (x = 5) pj : (y > 0) pk : (process A is at control point A2) Syntax of LTL: 1) For any p P, p is an LTL formula 2) If , 1 and 2 are LTL formulae, then so are a) b) 1 2 c) X (next time ) d) 1 U2 (1 until2)
Semantics of LTL Given an interpretation I: I: {0, 1, 2, …} P {true,false} I(k) : P {true,false} let Ii be the shifted version of I such that for all k, Ii (k) = I (k+i) Given on P in LTL, I|= (read as : “Imodels ”, or “Iis a model for ” meaning is true under the interpretation I) is defined as 1) If = p, then I|= iff I(0)(p) is true 2a) If = 1, then I|=iff not I|=1 2b) If = 1 2, then I|= iff I|=1I|=2 2c) If = X 1, then I|= iffI1 |=1 2d) If = 1 U2 , then I|= iff i such that Ii|=2 and 0 j < i, Ij|=1
Semantics of LTL (in other words) time (discrete)
Semantics of LTL (in other words) {p0,p5} {p0,p2} {p0,p1} {p1} {p0,p1,p2} I time (discrete) {p0,p4,p5} {p5} {p0,p3} {p0,p1} {}
Semantics of LTL (in other words) I 0 1 3 2 {… , p, ...}
Semantics of LTL (in other words) p • I2 |= p I 0 1 3 2 {… , p, ...}
Semantics of LTL (in other words) Xp p • I2 |= p • I1 |= Xp I 0 1 3 2 {… , p, ...}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...} I 0 1 3 2 {p1} {p1} {p1} {p2}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...} • I3 |= p2 p2 I 0 1 3 2 {p1} {p1} {p1} {p2}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...} p1U p2 • I3 |= p2 • I2 |= p1 • I2 |= X p2 • I2 |= p1U p2 Xp2 p1 p2 I 0 1 3 2 {p1} {p1} {p1} {p2}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...} p1U p2 p1U p2 • I3 |= p2 • I2 |= p1 • I2 |= X p2 • I2 |= p1U p2 • I1 |= p1 • I1 |= X(p1U p2) • I1 |= p1U p2 X(p1U p2 ) Xp2 p1 p1 p2 I 0 1 3 2 {p1} {p1} {p1} {p2}
Semantics of LTL (in other words) XXp Xp p • I2 |= p • I1 |= Xp • I |= X(Xp) I 0 1 3 2 {… , p, ...} p1U p2 p1U p2 p1U p2 • I3 |= p2 • I2 |= p1 • I2 |= X p2 • I2 |= p1U p2 • I1 |= p1 • I1 |= X(p1U p2) • I1 |= p1U p2 • I |= X(p1U p2) • I |= p1 • I |= p1U p2 X(p1U p2 ) X(p1U p2 ) Xp2 p1 p1 p1 p2 I 0 1 3 2 {p1} {p1} {p1} {p2}
More temporal operators - E (eventually ) Ep p E = true U - G (globally ) Gp p p p p p p p p ... G = E
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) (A2,B1,1) x = x-1 x = x+1 A1 B1 x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3} {p1}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3} {p1} {p1,p2,p3}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3} ??? {p1} {p1,p2,p3}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3} ... {p1} {p1,p2,p3} {p1,p2,p3} {p1,p2,p3}
LTL Model Checking p1 (A is at A2) p2 (B is at B2) process A begin x = x + 1 end endprocess A process B begin x = x - 1 end endprocess B p3 (x=0) E(p1 p2 p3) {p1} (A2,B1,1) x = x-1 x = x+1 A1 B1 {p3} {p1,p2,p3} x = x+1 x = x-1 (A1,B1,0) (A2,B2,0) A2 B2 x = x-1 (A1,B2,-1) x = x+1 {p2} {p3} ... {p1} {p1,p2,p3} {p1,p2,p3} I’ I’’ ... {p3} {p2} {p1,p2,p3} {p1,p2,p3}
LTL Model Checking - Note that both I’ |=and I’’ |=.
LTL Model Checking - Note that both I’ |=and I’’ |=. • In general, given an LTL formula , and a concurrent system D, • D has the LTL property iff • for all interpretations I generated by D, I |= .
LTL Model Checking - Note that both I’ |=and I’’ |=. • In general, given an LTL formula , and a concurrent system D, • D has the LTL property iff • for all interpretations I generated by D, I |= . Problems : - How to compute all the interpretations? - How to check if an interpretation satisfies ?
Automata Theoretic Approach to LTL Model Checking A Büchi automaton is B=(, S, s0, R, F) where - is a finite alphabet - S is a finite set of states - s0 S is the initial state - R S S is the transition relation - F S is the set of accepting states A run of B is an infinite and alternating sequence of states and letters of the form = s0 a0 s1 a1 s2 a2 s3 … where i 0 : (si, ai , si+1 ) R (it respects the transition relation) Given = s0 a0 s1 a1 s2 a2 s3 …, let us define | = a0 a1 a2 … |S= s0 s1 s2 … An infinite string is accepted by B iff a run of B such that - |= - s F which appears infinitely in |S L(B) = {| is accepted by B }
Synchronous product of Büchi Automata - Given two Büchi automata over the same alphabet B1=(, S1, s01, R1, F1) B2=(, S2, s02, R2, F2) the synchronous product B1B2 is another Büchi automaton B=(, S, s0, R, F) where S = S1S2 s0 = (s01, s02) F = F1F2 : ((s1,s2), , (s3,s4)) R iff (s1, , s3) R1(s2, , s4) R2 - Given two Büchi automata B1 and B2 over the same alphabet, L(B1B2) = L(B1) L(B2)
The Büchi Automaton for an LTL formula - Recall : Given an LTL formula on a set of atomic propositions P, an interpretation I for is I : {0, 1, 2, …} P {true,false} - I imposes an infinite sequence of subsets of P : IP = i0 i1 i2 … where ij 2P and for an atomic proposition p P, p ij iff I(j)(p)=true. i1={p0,p2} i3={} …... I …... i0={p0,p1} i2={p1,p3} i4={p5} • - L() = {IP (2P) | I|=} • the string representations of those interpretations that satisfy • Given an LTL formula on a set of propositions P, there exists a • Büchi automatonB = (2P, S, s0, R, F) such that L(B) = L()
The Büchi Automaton for our example LTL formula p1 (A is at A2) p2 (B is at B2) p3 (x=0) E(p1 p2 p3) =E(p1 p2 p3) B {} {p1} {p2} {p3} {p1,p2} {p1,p3} {p2,p3} {p1,p2,p3} {} {p1} {p2} {p3} {p1,p2} {p1,p3} {p2,p3} {p1,p2,p3} s0 s1
The Büchi Automaton for our concurrent system {p1} (A2,B1,1) x = x-1 x = x+1 {p3} {p1,p2,p3} (A1,B1,0) (A2,B2,0) x = x-1 (A1,B2,-1) x = x+1 {p2}
The Büchi Automaton for our concurrent system {p1} (A2,B1,1) x = x-1 x = x+1 {p3} {p1,p2,p3} (A1,B1,0) (A2,B2,0) x = x-1 (A1,B2,-1) x = x+1 {p2}