Static and Runtime Verification A Monte Carlo Approach - PowerPoint PPT Presentation

About This Presentation

Title:

Static and Runtime Verification A Monte Carlo Approach

Description:

Static and Runtime Verification A Monte Carlo Approach Radu Grosu State University of New York at Stony Brook grosu_at_cs.sunysb.edu – PowerPoint PPT presentation

Number of Views:163

Avg rating:3.0/5.0

Slides: 73

Provided by: robertp192

Learn more at: https://www3.cs.stonybrook.edu

Category:

more less

Transcript and Presenter's Notes

Title: Static and Runtime Verification A Monte Carlo Approach

1
Static and Runtime VerificationA Monte Carlo
Approach
Radu Grosu
State University of New York at Stony
Brook grosu_at_cs.sunysb.edu
2
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

3
Embedded Software Systems

Systems with ongoing interaction with
their environment.
Termination is rather an error than expected
behavior
Becoming an integral part of nearly every
engineered product.
- They control

4
Embedded Systems
5
Boeing 777 Super Computers with Wings

Has
gt 4M lines of code
gt 1K embedded processors
In order to
- control subsystems
- aid pilots in flight mngmnt.

A great challenge of software engineering

hard real-time deadlines,

mission and safety-critical,

complex and embedded within another complex
system,

interacts with humans in a sophisticated way.

6
Embedded Software Systems

Difficult to develop maintain
Concurrent and distributed (OS, ES, middleware),
Complicated by DS improving performance (locks,
RC,...),
Mostly written in C programming language.
Have to be high-confidence
Provide the critical infrastructure for all
applications,
Failures are very costly (business, reputation),
Have to protect against cyber-attacks.

7
Temporal Properties

Safety (something bad never happens)
Airborne planes are at least 1 mile apart
Nuclear reactor core never overheats
Gamma knife never exceeds prescribed dose

Liveness (something good eventually happens)
Core eventually reaches nominal temperature
Dishwasher tank is eventually full
Airbag inflates within 5ms of collision

8
Linear Temporal Logic

An LTL formula is made up of atomic propositions
p, boolean connectives ?, ?, ? and temporal
modalities X (neXt) and U (Until).
Safety nothing bad ever happens
E.g. G(? (pc1cs ? pc2cs)) where G is a
derived modality (Globally).
Liveness something good eventually happens
E.g. G( req ? F serviced ) where F is a
derived
modality (Finally).

9
LTL Semantics

Semantics given in terms of the inductively
defined entailment relation ? ? ?.
? is an infinite word (execution) over the power
set of the set of atomic propositions.
? is an LTL formula.

10
LTL Semantics
X p
p
p U q
p
p
q
p
p
p
F p
p
G p
p
p
p
p
p
p
11
What is High-Confidence?
Ability to guarantee that
?
system-software S satisfies LTL property f
12
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

13
Checking if

Statically (at compile time)
Abstract interpretation (sequential IS programs),
Model checking (concurrent FS programs),
Dynamically (at run time)
Runtime analysis (sequential program
optimization).
Basic Idea
Intelligently explore Ss state space in attempt
to
establish that S ? ?

14
Automata-Theoretic Approach

Büchi automaton NFA over ?-words with acceptance
condition - a final state must be visited ?-
often.
Every LTL formula ? can be translated to a Büchi
automaton B? such that L(?) L(B?).
State transition graph of S can also be viewed as
a Büchi automaton.

15
Automata-theoretic approach

Satisfaction reduced to language emptiness
S ? ? ? L(BS) ? L(B? ) ? L(BS) n
L(B? ) ?
? L(BS) n L(B?? ) ? ? L(BS ?
B?? ) ?

16
Büchi Automata

Finite automata over infinite words.

A
B
a
a
b
b
1
2
1
2
L(A) ab?
L(B) ?

Checking non-emptiness is equivalent to finding a
reachable accepting cycle (lasso).

17
Checking Non-Emptiness
Lassos Computation Tree (CT) of B
recurrence diameter
Explore all lassos in the CT DDFS,SCC time
efficient DFS memory efficient
18
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

19
Randomized Algorithms

Huge impact on CS (distributed) algorithms,
complexity theory, cryptography, etc.
Takes of next step algorithm may depend on random
choice (coin flip).
Benefits of randomization include simplicity,
efficiency, and symmetry breaking.

20
Randomized Algorithms

Monte Carlo may produce incorrect result but
with bounded error probability.
Example Elections result prediction
Las Vegas always gives correct result but
running time is a random variable.
Example Randomized Quick Sort

21
Monte Carlo Approach
Lassos Computation tree (CT) of B
recurrence diameter

flip a k-sided coin
Explore N(?,?) independent lassos in the CT Error
margin ? and confidence ratio ?
22
Lassos Probability Space

Sample Space lassos in BS ? B??
Bernoulli random variable Z (coin flip)
Outcome 1 if randomly chosen lasso accepting
Outcome 0 otherwise
pZ ? pi Zi (expectation of an accepting
lasso)
where pi is lasso prob. (uniform random
walk)

23
Example Lassos Probability Space
24
Geometric Random Variable

Value of geometric RV X with parameter pz
No. of independent trials (lassos) until success
Probability mass function
p(N) PX N qzN-1 pz
Cumulative Distribution Function
F(N) PX ? N ?i ? Np(i) 1 - qzN

25
How Many Lassos?

Requiring 1 - qzN 1- d yields
N ln (d) / ln (1- pz)
Lower bound on number of trials N needed to
achieve success with confidence ratio d.

26
What If pz Unknown?

Requiring pz ? e yields
M ln (d) / ln (1- e) ? N ln (d) / ln
(1- pz)
and therefore PX ? M ? 1- d
Lower bound on number of trials M needed to
achieve success with
confidence ratio d and error margin e .

27
Statistical Hypothesis Testing

Null hypothesis H0 pz ? e
Inequality becomes P X ? M H0 ? 1- d
If no success after N trials, i.e., X gt M, then
reject H0
Type I error a P X gt M H0 lt d

28
Monte Carlo Verification (MV)
input B(S,Q,Q0,d,F), e, d N ln (d) / ln
(1- e) for (i 1 i ? N i) if (RL(B) 1)
return (1, error-trace) return (0, reject H0
with a Pr X gt N H0 lt d) RL(B) performs
a uniform random walk through B
storing states encountered in hash table to
obtain a random sample (lasso).
29
Correctness of MV

Theorem Given a Büchi automaton B, error margin
e, and confidence ratio d, if MV rejects H0,
then its type I error has probability
a P X gt M H0 lt d

30
Complexity of MV

Theorem Given a Büchi automaton B having
diameter D, error margin e, and confidence ratio
d, MV runs in time O(ND) and uses space O(D),
where N ln(d) / ln(1- e)

Cf. DDFS which runs in O(2Sf) time for B
BS ? B??
31
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

32
Model Checking ISOLA04, TACAS05

Implemented DDFS and MV in jMocha model checker
for synchronous systems specified using Reactive
Modules.
Performance and scalability of MV compares very
favorably to DDFS.

33
Dining Philosophers
34
DPh Symmetric Unfair Version
(Deadlock freedom)
35
DPh Symmetric Unfair Version
(Starvation freedom)
36
DPh Asymmetric Fair Version
(Deadlock freedom)
d 10-1 e 1.810-3 N 1278
37
DPh Asymmetric Fair Version
(Starvation freedom)
d 10-1 e 1.810-3 N 1278
38
Related Work

Random walk testing
Heimdahl et al Lurch debugger
Random walks to sample system state space
Mihail Papadimitriou (and others)
Monte Carlo Model Checking of Markov Chains
Herault et al LTL-RP, bonded MC, zero/one ET
Younes et al Time-Bounded CSL, sequential
analysis
Sen et al Time-Bounded CSL, zero/one ET
Probabilistic Model Checking of Markov Chains
ETMCC, PRISM, PIOAtool, and others.

39
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

40
Checking for High-Confidence (in-principle)
All Lassos Non-accepting
BA BS
LTL-P ?
BA BS ? B??
Instrumenter (Product)
Execution Engine
Accepting Lasso L
41
Checking for High-Confidence (in-practice)

Combine static runtime verification techniques
Abstract interpretation (sequential IS programs),
Model checking (concurrent FS programs),
Runtime analysis (sequential program
optimization).
Make scalability a priority
Open source compiler technology started to
mature,
Apply techniques to source code rather than
models,
Models can be obtained by abstraction-refinement
techniques,
Probabilistic techniques trade-of between
precision-effort.

42
GCC Compiler

Early stages a modest C compiler.
Translation source code translated directly to
RTL.
Optimization at low RTL level.
High level information lost calls, structures,
fields, etc.
Now days full blown, multi-language compiler
generating code for more than 30 architectures.
Input C, C, Objective-C, Fortran, Java and
Ada.
Tree-SSA added GENERIC, GIMPLE and SSA ILs.
Optimization at GENERIC, GIMPLE, SSA and RTL
levels.
Verification Tree-SSA API suitable for
verification, too.

43
GCC Compilation Process
44
GCC Compilation Process
API Plug-In
45
C Program and its GIMPLE IL
int main int a,b,c int T1,T2,T3,T4
a 5 b a 10 T1 foo(a,b)
T2 a T1 if (a gt T2) goto fi T3
b / a T4 b a c T2 T3
b b 1 fi bar(a,b,c)
int main() int a,b,c a 5 b a 10
c a foo(a,b) if (a gt c) c b/a
ba bar(a,b,c)
Gimplify
46
Associated GIMPLE CFG
47
MC Static Verification of ESS SOFTMC05, NGS06
48
Monte Carlo Algorithm

Input a set of CFGs.
Main function A specifically designated CFG.
Random walks in the Büchi automaton generated
on-the-fly.
Initial state of the main routine bookkeeping
information.
Next state choose process call GAM on its CFG.
Processes created by using the fork primitive.
Optimization GAM returns only upon context
switch.
Lassos detected by using a hierarchic hash
table.
Local variables removed upon return from a
procedure.

49
Program State
Shared Variables Valuation (channels semaphores)
List Of Process states
p1
p2
p3

Control State
Data State
CFG Name
Statement
50
Program State
Shared Variables Valuation (channels semaphores)
List Of Process states
p1
p2
p3

Control State
Data State
Heap
Global Variables Valuation
Frame Stack
f1
f2

Return Control State
Local Variables Valuation
51
GIMPLE Abstract Machine (GAM)

Interprets GIMPLE statements according to their
semantics. Interesting
Inter-procedural call(), return(). Manipulate
the frame stack.
Catches and interprets function calls to
various modeling and concurrency primitives
Modeling toss(), assert(). Nondeterminism and
checks.
Processes fork(), Manipulate the process
list.
Communication send(), recv(). Manipulate shared
vars. May involve a context switch.

52
Results TCAS
53
DPh Symmetric Fair Version
(Deadlock freedom)
54
Needham-Schroeder Protocol

Quite sophisticated C implementation.
However, of a sequential nature
Essentially executes only one round of a
reactive system

55
Related Work

Software model checkers for concurrent C/C
VeriSoft, Spin, Blast (Slam), Magic, C-Wolf.
Bogor?
Cooperative Bug Isolation Liblit, Naik Zheng
Compile-time instrumentation. Distribute
binaries/collect bugs.
Statistical analysis to isolate erroneous code
segments.
Random interpretation Gulvany Necula
Execute random paths and merge with random linear
operators.
Monte Carlo and abstract interpretation
Monniaux
Analyze programs with probabilistic and
nondeterministic input.

56
Talk Outline

Embedded Software Systems
Automata-Theoretic Verification
Monte Carlo Verification
Monte Carlo Model Checking
Static Verification of Software-Systems
Dynamic Verification Software-Systems

57
MC Runtime Verification of ESS MBT06, NGS06
SS S
Gimplify
GCC
CFG BS
CFG BS ? B??
Instrument
LTL-P ?
Verifier
58
Runtime Verification Challenges

Inserting instrumentation code
Verifying states and transitions
Reducing overheads

59
Inserting Instrumentation Code

struct inode my_inode
atomic_t my_atomic
my_atomic
my_inode-gti_count

if(instrument) log_event(ATOMIC_INC,
INODE, my_atomic)
atomic_inc(my_atomic)
60
Instrumentation Plug-Ins

Ref-Counts detects misuse of reference counts
Instruments inc(rc), dec(rc),
Checks st-inv (rc?0), tr-inv (rc'-rc1),
leak-inv (rcgt0 gt rc0),
Maintains a list of reference counts and their
container type.
Malloc detects allocation bugs at runtime
Instruments malloc() and free() function calls,
Checks sequences free()free(), free() and
malloc(),
Maintains a list of existing allocations.

61
Instrumentation Plug-Ins

Bounds checks for invalid memory access
Instruments malloc(), free() and f(a),
Checks accesses to non-allocated areas,
Maintains heap, stack and text allocations
Higher accuracy than ElectricFence-like libraries.

62
RC Runtime Verification

Lasso concept weakened (abstracted)
Execution where RC vary 0 ? ? 0
State may include FS caches, HW regs, etc
Lasso sampling used to reduce overhead
Check for acceptance (error)
Dynamically adjust sampling rate

63
Sampling Granularity
Sample
64
State and Transition Invariants
Change gt1
Change lt1
Value lt0
65
The Leak Invariant
Timeout
Timeout
66
Proof of Concept