Symbolic Model Checking of Software - PowerPoint PPT Presentation

About This Presentation
Title:

Symbolic Model Checking of Software

Description:

Edmund Clarke, Flavio Lerda, Michael Theobald. Carnegie Mellon University ... Suits the symbolic case. New Approach: ImProviso. Implicit Proviso check. Employs BDDs ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 26
Provided by: SCS6
Learn more at: http://www.cs.cmu.edu
Category:

less

Transcript and Presenter's Notes

Title: Symbolic Model Checking of Software


1
Symbolic Model Checking of Software
  • Nishant Sinha
  • with
  • Edmund Clarke, Flavio Lerda, Michael Theobald
  • Carnegie Mellon University

2
Symbolic Model Checking of Software
  • Goal
  • Use BDD-based Symbolic Model Checker for the
    verification of concurrent software
  • Motivation
  • Very successful for large state spaces in
    hardware
  • Challenges
  • Generating the models (language -gt SMV)
  • Adding Partial-Order Reduction
  • Optimized BDD-operations (e.g., generation and
    storage)
  • This Talk
  • Focus on Partial-Order Reduction

3
Outline
  • Background
  • Modeling language
  • Partial-order reduction
  • Twophase algorithm
  • New Approach ImProviso
  • Basic formulation
  • Extensions
  • Experimental results
  • Related Work
  • Future Work
  • Conclusions

4
Background Software Verification
  • Concurrent software
  • Asynchronous execution, unlike hardware
  • Huge state space, e.g. large variable ranges
  • Partial-order reduction (POR)
  • Attacks the state-space explosion problem
  • Very effective in explicit-state model checking
  • Symbolic Model Checking yet to benefit

5
Background Modeling Language
  • Process-oriented modeling language
  • Each process maintains local variables
  • Each process has a program counter
  • System
  • Concurrent processes
  • Global variables
  • Point-to-point channels
  • Each process is specified as statements
  • Statements are formalized as transition functions
  • Multiple statements per pc value allowed, i.e.
    non-determinism
  • Example Promela

6
Background Partial-Order Reduction
Choose a representative set of paths
s0s0
x 1
y 2
s0s1
s1s0
y 2
x 1
s1s1
7
Background Partial-Order Reduction
  • Two kinds of state-expansion
  • Full Expansion
  • generate next states for all enabled
    transitions
  • Partial Expansion
  • expand only a subset of enabled transitions,
    postponing all others
  • Challenges
  • How to choose such subset? (-gt deterministic)
  • How to avoid transitions being postponed
    indefinitely? (-gt proviso)

8
Background Deterministic States
  • Which subset of enabled transitions to choose?
  • Deterministic state for a process P
  • Only one transition t of P enabled at that state
  • Can be taken without affecting property to be
    verified
  • Partial Expansions of deterministic states
  • Do not need to consider all interleavings
  • A state s is deterministic for a process P iff
  • only one transition t of P is enabled in s
  • t commutes with transitions that can be
    executed by other processes
  • executing t does not disable transitions of
    other processes
  • executing a transition of another process cannot
    disable or enable any transition of P

9
Background Partial-Order Reduction
  • Avoiding transitions being postponed
    indefinitely Proviso
  • SPIN In-Stack Proviso
  • Partial Expansion should not generate a state in
    stack
  • Otherwise, must do Full Expansion

10
Combining POR with Symbolic Model Checking
  • POR developed for explicit-state
  • DFS
  • Stack for proviso check
  • Whereas symbolic verification
  • Involves a BFS-like algorithm
  • No stack exists
  • Only frontier at hand

11
Twophase Partial-Order Algorithm
  • Nalumasu, Gopalakrishnan 1997
  • Modified proviso check
  • Alternating phases
  • Phase 1 Do for each process in sequence
    expand if in deterministic state
  • Phase 2 Full expansion of the current state
  • Proviso check

Suits the symbolic case
12
New Approach ImProviso
  • Implicit Proviso check
  • Employs BDDs
  • Motivation
  • Based on Twophase (explicit-state)
  • Observation can be formulated in an implicit way
  • Crucial point more efficient proviso than
    previous techniques
  • New Contributions
  • Defining the transition relation
  • Implicit formulation
  • Dropping the determinism
  • Additional fixpoint computation
  • Automated and incorporated into NuSMV

13
ImProviso Defining the Transition Relation
  • Two transition relations
  • TR1 all transitions from deterministic states
    (Phase 1)
  • TR2 entire system (Phase 2)
  • TR1 is further partitioned
  • one transition relation for each process Pi
  • Example
  • Statement reads from a channel into a local
    variable
  • States in which the channel is not empty are
    deterministic
  • TR1 channel is not empty gt TR-stmt

14
ImProviso Dropping the Determinism
  • Twophase
  • Only one transition in Phase 1 may be enabled
  • Simplifies Twophase implementation
  • Not necessary for correctness
  • ImProviso allows non-determinism in Phase 1
  • Multiple enabled transitions in each process
  • Each enabled transition must fulfill other
    conditions of a deterministic state
  • BFS search, i.e. enabled transitions expanded at
    the same time

15
ImProviso Pseudo-Code
16
ImProviso Illustration
bool c-1 chan a 1 of int active
proctype rec() int x0 bool
d d0 a?x active proctype send()
a!1 active proctype p1() c0 ... activ
e proctype p2() c1 ...
17
ImProviso Illustration
Phase1 Fixed Point
2
2
p1 c0
p2 c1
18
ImProviso Implicit Formulation
  • Implicit formulation of the algorithm
  • conceptually simple but not so easy to get right
  • Reason paths may have different lengths
  • BFS instead of DFS
  • ImProviso tighter over-approximation than
    previous symbolic methods
  • Problem visited vs. in-stack
  • phase-1 only Cycles -gt local check
  • Larger than phase-1 -gt no issue!

19
Related Work
  • Two other approaches combine PO and Symbolic
    Model Checking
  • Kurshan et al. Preprocess the model
  • Alur et al. BDD-based

Alurs approach
20
Implementation
Add Phase 1 and Phase 2 information
Promela2SMV translator
NuSMV ImProviso
Promela Specifications
  • Automated Model Checking framework
  • ImProviso implemented in NuSMV
  • Current examples translated from Promela
  • Considerable effort to compare with explicit
    state model checkers
  • e.g., atomic construct in Spin

21
Comparison NuSMV vs. NuSMV-ImProviso
  • states significant reduction
  • Time significant reduction
  • Memory No reduction

22
Comparison NuSMV-ImProviso, PV, and SPIN
  • SPIN and PV faster, if they can handle example
  • NuSMV-ImProviso can handle more examples
  • NuSMV-ImProviso matches PV, SPIN on Best, Worst

23
Comparison Leader Election Protocol
  • Models of same size in SMV and Promela
  • Same reduction
  • SPIN, PV faster until

24
Leader with Non-deterministic Initial State
25
Future Work
  • Reduce memory and run time
  • BDD blowup problem
  • BDD algorithms optimized for Concurrent Software
  • Verification of both safety and liveness
    properties
  • Only safety now
  • Flexible input languages
  • Only Promela now

26
Conclusions
  • Novel Partial Order Reduction algorithm for
    Symbolic Model Checking
  • Incorporated into NuSMV
  • Illustrated the effectiveness with several
    benchmark examples
  • Current focus is on tackling large run-time and
    memory problems
  • Symbolic Model Checking of Software, Software
    Model Checking Workshop CAV03
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Symbolic Model Checking of Software" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!