State-Event Software Verification for Branching-Time Specifications (transcript of a PowerPoint presentation)

1
State-Event Software Verification for
Branching-Time Specifications
  • Sagar Chaki, Ed Clarke, Joel Ouaknine, Orna Grumberg, Natasha Sharygina, Tayssir Touili, Helmut Veith

2
Software Model-Checking
  • A challenge in computer science
  • Tools: SLAM, BLAST, MAGIC, ...
  • Counter-Example Guided Abstraction Refinement (CEGAR)

3
CEGAR
(figure: the CEGAR loop. Model → Abstraction → Verification; answer Yes: system OK; answer No: a counterexample is produced and checked, "Counterexample valid?"; if it is not valid, the abstraction is refined and verification is repeated)
4
Limitation of CEGAR applications
(figure: the CEGAR loop of slide 3 instantiated with an LTL formula and predicate abstraction: Verification, "Counterexample valid?", Abstraction refinement. Limitation: no branching-time properties)
5
Our Goal: Extension to branching-time properties
(figure: the same CEGAR loop with the LTL formula replaced by a branching-time formula; predicate abstraction, "Counterexample valid?" and abstraction refinement are kept)
6
First Problem
  • CEGAR cannot be applied to general
    branching-time logics

7
What are counterexamples?
(figure: a system S and a property f, with f universal)
8
CEGAR natural for LTL
  • LTL is a universal logic
  • Describes events along a single path
  • G(Req → F Ack)
  • S ⊨ f iff all the paths of S satisfy f
  • S ⊭ f iff there exists one path p of S with p ⊭ f
  • p is the counterexample

9
Branching-time properties are not universal
  • Existential operator
  • AG(EF Restart)

CEGAR ⇒ define a universal branching-time logic
10
Our Goal: Extension to branching-time properties
(figure: the CEGAR loop with a branching-time formula, predicate abstraction, "Counterexample valid?" and abstraction refinement)
11
We need to
  • Define an expressive universal branching-time
    logic
  • Define a model-checking algorithm for this logic
  • Define suitable refinement techniques

12
State/event universal branching-time logic
  • Industrial applications need state/event reasoning
  • Bluetooth example: when an action a is received in a q state, the next state has to be p
  • Need a state/event framework

13
The state/event universal logic SE-AO
  • We view temporal operators as regular path patterns on the time line
  • F f, X f, G f, f U g
  • Examples of further operators: K(f,a): f and a hold at all even time points; L f: no more than 4 time units between two occurrences of f
(figures on slides 13-16: the path patterns of these operators)
17
The state/event universal logic SE-AO
  • Labeled Kripke Structure M = (S, AP, L, Σ, T): S a set of states, AP a set of atomic propositions, L : S → 2^AP the state labelling, Σ the alphabet of actions (events), T ⊆ S × Σ × S the labelled transition relation
19
We need to
  • Define an expressive universal branching-time
    logic
  • Define a model-checking algorithm for this logic
  • Define suitable refinement techniques

20
Model-checking algorithm for SE-AO
(figures on slides 20-24: the algorithm stepping through an example labeled Kripke structure with states labelled {p,q}, {p} and {q,r} and actions a, b, c)
25
Our Goal: Extension to branching-time properties
(figure: the CEGAR loop with an SE-AO formula, predicate abstraction, "Counterexample valid?" and abstraction refinement)
26
What is a counterexample formally?
27
CounterExample generation for SE-AO
Compute a counterexample either for
28
CounterExample generation for SE-AO
Compute a counterexample for
Compute a counterexample for
29
CounterExample generation for SE-AO
AG p ∨ AF q
(figure: a counterexample for AG p ∨ AF q, drawn as a tree with a branch for each disjunct)
30
CounterExample generation for SE-AO
(figure: a counterexample labelled with the actions a and b)
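The following Python example (added here; it is not the authors' MAGIC implementation) puts slides 17-30 together: a labeled Kripke structure as a plain tuple, fixpoint model checking for the universal operators AG, AF and [a] (so the state/event pattern of slide 12 can be written as AG(¬q ∨ [a] p)), and counterexample generation that returns a finite tree: a path for AG, a lasso or deadlocking path for AF, one step for [a], and one branch per disjunct for a disjunction such as AG p ∨ AF q. The model, its transitions and the formula AG p ∨ AF r are constructed for illustration; the regular path pattern operators of slides 13-16 (K, L, ...) are not implemented.

```python
"""Toy model checker for universal state/event properties over a labeled Kripke
structure (LKS), with counterexample generation.  Added example, not the talk's code."""

# An LKS is a tuple (states, init, label, trans): label maps a state to a
# frozenset of atomic propositions, trans maps a state to [(action, next), ...].
def succ(trans, s, act=None):
    return {t for a, t in trans.get(s, ()) if act is None or a == act}

def sat(lks, f):
    """States of lks satisfying f.  Formulas: ('ap', p), ('nap', p) (negation only on
    atoms keeps the logic universal), ('and', f, g), ('or', f, g), ('box', a, f)
    (every a-successor satisfies f), ('AG', f), ('AF', f)."""
    states, _, label, trans = lks
    op = f[0]
    if op in ('ap', 'nap'):
        return {s for s in states if (f[1] in label[s]) == (op == 'ap')}
    if op == 'and':
        return sat(lks, f[1]) & sat(lks, f[2])
    if op == 'or':
        return sat(lks, f[1]) | sat(lks, f[2])
    if op == 'box':
        sub = sat(lks, f[2])
        return {s for s in states if succ(trans, s, f[1]) <= sub}
    if op == 'AG':                    # greatest fixpoint: f[1] on every reachable state
        sub, z = sat(lks, f[1]), set(states)
        while True:
            nz = {s for s in z if s in sub and succ(trans, s) <= z}
            if nz == z:
                return z
            z = nz
    if op == 'AF':                    # least fixpoint: every maximal path reaches f[1]
        sub, z = sat(lks, f[1]), set()
        while True:
            nz = z | sub | {s for s in states if succ(trans, s) and succ(trans, s) <= z}
            if nz == z:
                return z
            z = nz
    raise ValueError(f'unknown operator {op}')

def holds(lks, f):
    return lks[1] <= sat(lks, f)      # lks |= f iff every initial state satisfies f

def shortest_path(trans, s, target):
    """Shortest [(state, action, state), ...] from s into target ([] if s is in it)."""
    prev, queue = {s: None}, [s]
    for cur in queue:                 # BFS; the list grows while we iterate over it
        if cur in target:
            path = []
            while prev[cur]:
                p, a = prev[cur]
                path.append((p, a, cur))
                cur = p
            return path[::-1]
        for a, t in trans.get(cur, ()):
            if t not in prev:
                prev[t] = (cur, a)
                queue.append(t)
    return None

def counterexample(lks, f, s):
    """Witness that s violates f (precondition: s not in sat(lks, f)): a path for AG,
    a lasso or deadlocked path for AF, one step for [a], both branches for 'or'."""
    states, _, _, trans = lks
    op = f[0]
    if op in ('ap', 'nap'):
        return {'state': s, 'violates': f}
    if op == 'and':                   # one failing conjunct suffices
        return counterexample(lks, f[1] if s not in sat(lks, f[1]) else f[2], s)
    if op == 'or':                    # both disjuncts fail, so both witnesses are needed
        return {'state': s, 'violates': f,
                'branches': [counterexample(lks, g, s) for g in f[1:]]}
    if op == 'box':
        t = min(succ(trans, s, f[1]) - sat(lks, f[2]))
        return {'state': s, 'violates': f, 'path': [(s, f[1], t)],
                'then': [counterexample(lks, f[2], t)]}
    if op == 'AG':
        path = shortest_path(trans, s, states - sat(lks, f[1]))
        t = path[-1][2] if path else s
        return {'state': s, 'violates': f, 'path': path,
                'then': [counterexample(lks, f[1], t)]}
    if op == 'AF':                    # keep moving to successors that can still avoid f[1]
        avoid = states - sat(lks, f)
        path, cur, seen, loop = [], s, {s: 0}, None
        while True:
            nxt = sorted((a, t) for a, t in trans.get(cur, ()) if t in avoid)
            if not nxt:               # deadlock: a finite maximal path never seeing f[1]
                break
            a, t = nxt[0]
            path.append((cur, a, t))
            if t in seen:             # lasso: the path loops back to position seen[t]
                loop = seen[t]
                break
            seen[t] = len(path)
            cur = t
        visited = list(dict.fromkeys([s] + [t for _, _, t in path]))
        return {'state': s, 'violates': f, 'path': path, 'loop': loop,
                'then': [counterexample(lks, f[1], x) for x in visited]}
    raise ValueError(f'unknown operator {op}')

# Constructed LKS shaped like the talk's figure (states {p,q}, {p}, {q,r}; actions
# a, b, c); the transitions are assumed for this example, not taken from the slides.
M = ({'s0', 's1', 's2'}, {'s0'},
     {'s0': frozenset('pq'), 's1': frozenset('p'), 's2': frozenset('qr')},
     {'s0': [('a', 's1')], 's1': [('b', 's1'), ('c', 's2')], 's2': [('b', 's0')]})
# Slide 12's pattern: when action a is received in a q state, the next state must be p.
BLUETOOTH = ('AG', ('or', ('nap', 'q'), ('box', 'a', ('ap', 'p'))))
# AG p \/ AF r fails at s0: a path to a non-p state and an r-avoiding lasso both exist.
AG_P_OR_AF_R = ('or', ('AG', ('ap', 'p')), ('AF', ('ap', 'r')))

if __name__ == '__main__':
    print(holds(M, BLUETOOTH), holds(M, AG_P_OR_AF_R))      # True False
    print(counterexample(M, AG_P_OR_AF_R, 's0'))
```

The counterexample for the disjunction carries two branches from s0: the AG branch is the path s0 -a-> s1 -c-> s2 ending in a state without p, the AF branch is the lasso s0 -a-> s1 -b-> s1 on which r never holds; this is the tree shape slide 29 draws for AG p ∨ AF q.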
31
Our Goal: Extension to branching-time properties
(figure, repeated on slides 31 and 32: the CEGAR loop with an SE-AO formula, predicate abstraction, "Counterexample valid?" and abstraction refinement)
33
Projection
(figure: projection of a model onto the actions a and c)
34
Weak simulation
(figure: states labelled {p,q} related by a weak simulation, matching transitions on action a)
35
Compositionality
Theorem: an equivalence ("... iff ..."); its two sides appear only in the slide figure
36
Our GoalExtension to branching-time properties
SE-AO
Verification
Predicate Abstraction
Counterexample Valid?
Abstraction Refinement
37
Compositional refinement
(figures on slides 37-42: the system is the composition of components P1, P2, P3, P4 checked against Spec; each component is abstracted separately to A1, A2, A3, A4 and the composition of the abstractions is checked against Spec; a counterexample triggers refinement of the component abstractions it involves (A1, then A3, ...), repeated until either "No more counterexamples?" is answered yes or the remaining counterexamples are "Real counterexamples?")
43
Action-guided Refinement
(figure: a counterexample and the abstraction, with abstract states and transitions labelled by the actions a, b, c they carry)
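An added Python example (not the authors' code) for slides 33-43: projection hides the actions outside a formula's alphabet, a weak-simulation check relates a concrete LKS to its existential abstraction, and a small CEGAR loop replays an abstract counterexample on the concrete model and, when the replay gets stuck, splits the abstract state whose reachable concrete states cannot perform the required action. The session-handler model, its initial partition and the "split by enabled action" rule are assumptions made for this example, not transcriptions of the slides; the per-component refinement of slides 37-42 is not modelled, the loop runs on a single component.

```python
"""Existential abstraction of a labeled Kripke structure, weak simulation after
projection, and an action-guided CEGAR loop.  Added example, not the talk's code."""

TAU = 'tau'      # invisible action that projection substitutes for hidden actions
# An LKS is a tuple (states, init, label, trans): label maps a state to a
# frozenset of atomic propositions, trans maps a state to [(action, next), ...].
# Abstract states are blocks of concrete states, written as sorted tuples.

def project(lks, alphabet):
    """Hide every action outside the formula's alphabet by renaming it to tau."""
    states, init, label, trans = lks
    return states, init, label, {s: [(a if a in alphabet else TAU, t) for a, t in ts]
                                 for s, ts in trans.items()}

def tau_closure(trans, xs):
    seen, stack = set(xs), list(xs)
    while stack:
        for a, t in trans.get(stack.pop(), ()):
            if a == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def weak_succ(trans, s, act):
    """States reachable from s by tau* act tau* (just tau* when act is tau)."""
    pre = tau_closure(trans, {s})
    if act == TAU:
        return pre
    return tau_closure(trans, {t for x in pre for a, t in trans.get(x, ()) if a == act})

def simulated(con, abs_):
    """True iff con is weakly simulated by abs_: compute the greatest relation R on
    label-equal state pairs in which every concrete step is matched by an abstract
    weak step, then require each concrete initial state to be related to an abstract one."""
    cs, ci, cl, ct = con
    as_, ai, al, at = abs_
    R = {(c, a) for c in cs for a in as_ if cl[c] == al[a]}
    changed = True
    while changed:
        changed = False
        for c, a in list(R):
            if any(not any((c2, a2) in R for a2 in weak_succ(at, a, x))
                   for x, c2 in ct.get(c, ())):
                R.discard((c, a))
                changed = True
    return all(any((c, a) in R for a in ai) for c in ci)

def abstract(con, blocks):
    """Existential abstraction over a label-respecting partition: block B has an a-edge
    to B' iff some c in B has c -a-> c' with c' in B'.  By construction con is weakly
    simulated by the result, so universal properties proved on it hold on con, while
    a counterexample found on it may be spurious."""
    cs, ci, cl, ct = con
    block_of = {c: b for b in blocks for c in b}
    label = {}
    for b in blocks:
        (label[b],) = {cl[c] for c in b}        # raises if a block mixes labels
    trans = {b: sorted({(a, block_of[t]) for c in b for a, t in ct.get(c, ())})
             for b in blocks}
    return set(blocks), {block_of[c] for c in ci}, label, trans

def path_to(lks, pred):
    """Some [(state, action, state), ...] from an initial state to a state whose
    label satisfies pred, or None (depth-first search)."""
    states, init, label, trans = lks
    stack, seen = [(s, []) for s in sorted(init)], set()
    while stack:
        s, path = stack.pop()
        if pred(label[s]):
            return path
        if s not in seen:
            seen.add(s)
            stack.extend((t, path + [(s, a, t)]) for a, t in trans.get(s, ()))
    return None

def cegar(con, blocks, bad, rounds=10):
    """Check AG not-bad by CEGAR: abstract, search the abstraction for a path to a
    bad-labelled block, replay it on the concrete model; when the concrete states
    reached so far cannot perform the next action into the next block, split that
    block by 'enables this action into that block' (action-guided) and repeat."""
    ct = con[3]
    for n in range(1, rounds + 1):
        cex = path_to(abstract(con, blocks), lambda labs: bad in labs)
        if cex is None:
            return 'safe', blocks, n
        if not cex:                      # an initial block is already bad
            return 'real', cex, n
        frontier = set(con[1]) & set(cex[0][0])   # concrete states matching the prefix
        for b, a, b2 in cex:
            nxt = {t for c in frontier for x, t in ct.get(c, ()) if x == a and t in b2}
            if not nxt:                  # spurious step: refine block b
                enabling = tuple(sorted(c for c in b if any(x == a and t in b2
                                                             for x, t in ct.get(c, ()))))
                rest = tuple(sorted(c for c in b if c not in enabling))
                blocks = [k for k in blocks if k != b] + [enabling, rest]
                break
            frontier = nxt
        else:
            return 'real', cex, n
    return 'undecided', blocks, rounds

# Constructed concrete model (not from the slides): a session handler in which c1,
# c3 and the error state c4 are unreachable, so AG not-err holds; the initial
# partition by label ({c0,c1}, {c2,c3}, {c4}) merges c3 with c2 and c1 with c0.
CON = ({'c0', 'c1', 'c2', 'c3', 'c4'}, {'c0'},
       {'c0': frozenset({'idle'}), 'c1': frozenset({'idle'}), 'c2': frozenset({'busy'}),
        'c3': frozenset({'busy'}), 'c4': frozenset({'err'})},
       {'c0': [('open', 'c2')], 'c2': [('close', 'c0')],
        'c1': [('open', 'c3')], 'c3': [('kill', 'c4')]})
INITIAL_BLOCKS = [('c0', 'c1'), ('c2', 'c3'), ('c4',)]

if __name__ == '__main__':
    print(cegar(CON, INITIAL_BLOCKS, 'err'))    # status 'safe' in round 3
```

Two refinements are needed: the first abstraction reports idle -open-> busy -kill-> err, but the only concrete state reached after open is c2, which has no kill edge, so {c2,c3} is split on "enables kill into {c4}"; the second abstraction reports idle -open-> {c3} -kill-> err, which fails at the first step because c0 opens into c2, so {c0,c1} is split on "enables open into {c3}". After that no bad block is reachable and the property is proved on an abstraction that the concrete model is still weakly simulated by.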
44
Our GoalExtension to branching-time properties
Branching-time formula
Verification
Predicate Abstraction
Counterexample Valid?
Abstraction Refinement
45
Case study: IPC
  • IPC (InterProcess Communication) protocol: organizes communication in a multithreaded robot controller
  • Bug discovery
  • The protocol has been used for 7 years
  • The bug went undetected in earlier model-checking efforts using LTL

46
Conclusion
  • Definition of an advanced branching-time state/event logic SE-AO
  • Model-checking algorithm for SE-AO
  • Compositional counterexample validation and refinement techniques for SE-AO

First application of compositional CEGAR to branching-time specifications
Bug discovery in the IPC protocol
47
  • Questions?