Provided by: csC76
Learn more at: http://www.cs.cmu.edu

1
A Framework for Verifying Concurrent C Programs
  • Sagar Chaki
  • Thesis Defense Talk

2
Motivation
[Diagram: Requirements → Specification → Specification Validation; Code → Code Validation]
3
Related Work
  • Model Checking
    • Symbolic model checking (SMV, MURPHI, MOCHA)
    • Partial order reduction (SPIN, COSPAN)
  • Compositional reasoning
    • Assume-guarantee
  • Abstraction
    • Abstract interpretation, existential abstraction
  • Message-passing systems
    • CCS, π-Calculus
    • Simulation, bisimulation

4
Iterative Refinement
[Diagram: iterative refinement loop; labels: Counterexample, Counterexample Valid?, No]
5
Related Work
  • Iterative Refinement (Kurshan)
    • Hardware
      • Yuan Lu's Ph.D. thesis
    • SLAM (device drivers)
    • BLAST (lazy abstraction, thread modular safety)
  • Concurrent Software
    • SPIN, Behave!, ZING
      • Own modeling language
      • No iterative refinement
      • Safety properties

6
Contributions
  • Compositional Iterative Refinement (IR)
    • concurrent message-passing programs
    • simulation conformance
  • Combining predicate abstraction with existential abstraction
  • Predicate Minimization
  • Compositional IR for Liveness properties
  • Compositional IR for Deadlock detection

7
Basic Concepts
  • Var : set of variables
  • Expr : expressions over Var
  • Store : set of stores, each mapping
    • Var → Addresses
    • Addresses → Values
  • AP : set of atomic propositions
  • Conc : AP → Expr

8
Extended FSM
  • Transitions labeled with guarded commands
  • Guards are expressions
  • Commands are actions or assignments

[Figure: example EFSM over a variable x; each transition is labelled guard ⇒ command, with guards on x (including true) and commands that are either an action or an assignment to x]
9
Control Flow Graph
[Figure: control flow graph of a component with statements over x and y and a call to a library routine lib()]
10
Control Flow Graph
[Figure: the control flow graph with the inlined EFSM of lib(); states 1 and 2 connected by the guarded-command transitions of the EFSM]
11
Labeled Kripke Structure
  • M = (Q, I, Σ, T, AP, L)
  • Q : non-empty set of states
  • I ∈ Q : initial state
  • Σ : set of actions (alphabet)
  • T ⊆ Q × Σ × Q : transition relation
  • AP : set of atomic propositions (a subset of the global AP)
  • L : Q → 2^AP : propositional labeling

[Figure: example LKS with AP = {p, q, r, s}; states labelled {p}, {r}, {p, r}, {p, q}; transitions carry actions from Σ]
12
Concurrent C Program
  • Set of components P = ⟨C1, …, Cn⟩
  • Each Ci is a single C procedure
    • Possibly calling library routines
    • Library routines are specified via EFSMs
  • Semantics of Ci is an LKS
    • Depends on the library specifications

13
Context for Pi
  • Context = (Init, EFSM, τ, Σ, AP)
  • Init : an initial condition
  • EFSM : Lib → EFSM
    • Specification EFSMs for all libraries
  • τ : an internal action
  • AP : set of atomic propositions (a subset of the global AP)
  • Σ : alphabet

14
Concrete Semantics of C
  • Context = (Init, EFSM, τ, Σ, AP)
  • SCFG : states of the CFG
  • ICFG : initial state of the CFG
  • MC = (Q, I, Σ ∪ {τ}, T, AP, L)
  • Q = SCFG × Store
  • I = {(s, σ) | s = ICFG and σ ⊨ Init}
  • L(s, σ) = {p | σ ⊨ Conc(p)}

15
Transitions of P
  • (s, σ) --τ--> (s′, σ′)
    • s is an assignment:
      • s′ = next(s) and σ′ = σ(s)
    • s is a branch with condition c:
      • s′ = then(s) and σ ⊨ c
      • s′ = else(s) and σ ⊨ ¬c

16
Transitions of P
  • (s, σ) --α--> (s′, σ′)
    • α ∈ Σ
    • s is an inlined EFSM state
    • s′ = next(s)
    • s → s′ in the EFSM with guard g and action α
    • σ ⊨ g

17
Concrete Semantics
[Figure: concrete semantics of the CFG of slide 10 with the inlined EFSM (states 1 and 2); the atomic proposition p is defined on the value of x]
18
Predicate Abstraction
  • Pred ⊆ Expr
    • Set of expressions (predicates) associated with each state of the CFG
  • Pred ⊇ {Conc(p) | p ∈ AP}
    • The predicate corresponding to every atomic proposition must be associated with each state of the CFG
  • In practice each CFG state has a different set of associated predicates

19
Valuation Two Views
  • Valuation : a minterm over Pred
  • Set of all valuations : 2^Pred
  • Pred = {x = 0, y = 0}
  • Expression ⟺ Subset of Pred:
    • x ≠ 0 ∧ y ≠ 0 ⟺ {}
    • x = 0 ∧ y ≠ 0 ⟺ {x = 0}
    • x ≠ 0 ∧ y = 0 ⟺ {y = 0}
    • x = 0 ∧ y = 0 ⟺ {x = 0, y = 0}
20
Compatibility
  • Given expressions e1 and e2
  • e1 and e2 are compatible iff e1 ∧ e2 is satisfiable
    • ∃ σ ∈ Store : σ ⊨ e1 ∧ σ ⊨ e2
  • Each valuation v is an expression
  • Compatibility of v with an expression e, and of v with another valuation v′, is defined as above

21
Abstract Semantics of C
  • Context = (Init, EFSM, τ, Σ, AP, Pred)
  • SCFG : states of the CFG
  • ICFG : initial state of the CFG
  • M̂C = (Q, I, Σ ∪ {τ}, T, AP, L)
  • Q = SCFG × 2^Pred
  • I = {(s, v) | s = ICFG and v compatible with Init}
  • L(s, v) = {p | Conc(p) ∈ v}

22
Transitions of P
  • (s, v) --τ--> (s′, v′)
    • s is an assignment:
      • s′ = next(s) and v compatible with WP(v′, s), the weakest precondition of v′ with respect to s
    • s is a branch with condition c:
      • s′ = then(s) and v compatible with c ∧ v′
      • s′ = else(s) and v compatible with ¬c ∧ v′

23
Transitions of P
  • (s, v) --α--> (s′, v′)
    • α ∈ Σ
    • s is an inlined EFSM state
    • s′ = next(s)
    • s → s′ in the EFSM with guard g and action α
    • v compatible with g ∧ v′

24
Abstract Semantics
[Figure: abstract semantics of the CFG of slide 10 with the inlined EFSM (states 1 and 2), abstracted with the single predicate p defined on x]
25
Simulation
  • M1 = (Q1, I1, Σ, T1, AP, L1)
  • M2 = (Q2, I2, Σ, T2, AP, L2)
  • R ⊆ Q1 × Q2 is a simulation relation if s1 R s2 ⇒
    • L1(s1) = L2(s2)
    • ∀ (s1, α, s1′) ∈ T1 ∃ s2′ : (s2, α, s2′) ∈ T2 ∧ s1′ R s2′
  • M1 ≼ M2 iff
    • ∃ simulation relation R ⊆ Q1 × Q2 : ∀ s1 ∈ I1 ∃ s2 ∈ I2 : s1 R s2

26
Satisfaction
  • σ(e) : evaluation of e under σ
  • σ ⊨ e iff σ(e) ≠ 0
  • σ(stmt) : new store after executing statement stmt in store σ

27
MC ≼ M̂C
  • σ(e) : evaluation of e under σ
  • σ ⊨ e iff σ(e) ≠ 0
  • Define the relation R ⊆ QC × Q̂C
    • (s, m) R (s, v) ⟺ m ⊨ v
  • R is a simulation relation
  • ∀ s ∈ IC ∃ ŝ ∈ ÎC : s R ŝ

28
Parallel Composition
  • M1 = (Q1, I1, Σ1, T1, AP1, L1)
  • M2 = (Q2, I2, Σ2, T2, AP2, L2)
  • M1 ∥ M2 = (Q1 × Q2, I1 × I2, Σ1 ∪ Σ2, T, AP1 ∪ AP2, L)
  • L(s1, s2) = L1(s1) ∪ L2(s2)
  • ((s1, s2), α, (s1′, s2′)) ∈ T iff for i ∈ {1, 2}:
    • α ∈ Σi ∧ (si, α, si′) ∈ Ti, or
    • α ∉ Σi ∧ si′ = si
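The simulation relation of slide 25 and the parallel composition of slide 28, as an added Python example that is not code from the thesis or its tool: it builds a constructed client and server LKS, composes them, and runs the conformance check of slide 31 against two constructed specifications, one satisfied and one violated. The components, specifications, action names and atomic propositions are all assumptions made up for the example.

```python
# Added example (not from the thesis or its tool): labelled Kripke structures with
# action-labelled transitions and propositional state labels, their parallel
# composition M1 || M2 (slide 28) and a greatest-fixpoint check of M1 <= M2 (slide 25).
from itertools import product

class LKS:
    def __init__(self, states, init, alphabet, trans, labels):
        self.Q, self.I, self.Sigma = set(states), set(init), set(alphabet)
        self.T, self.L = set(trans), dict(labels)  # T: (s, a, s'), L: s -> set of AP

def compose(m1, m2):
    """M1 || M2: shared actions synchronise, private actions let the other side idle."""
    trans = set()
    for (s1, s2), a in product(product(m1.Q, m2.Q), m1.Sigma | m2.Sigma):
        succ1 = {t for s, b, t in m1.T if s == s1 and b == a} if a in m1.Sigma else {s1}
        succ2 = {t for s, b, t in m2.T if s == s2 and b == a} if a in m2.Sigma else {s2}
        trans |= {((s1, s2), a, (t1, t2)) for t1 in succ1 for t2 in succ2}
    labels = {(s1, s2): m1.L[s1] | m2.L[s2] for s1 in m1.Q for s2 in m2.Q}
    return LKS(product(m1.Q, m2.Q), product(m1.I, m2.I), m1.Sigma | m2.Sigma, trans, labels)

def simulates(m1, m2):
    """True iff M1 <= M2: start from all label-equal pairs, drop every pair whose M1
    move M2 cannot match inside the relation; the fixpoint is the greatest simulation."""
    R = {(s1, s2) for s1 in m1.Q for s2 in m2.Q if m1.L[s1] == m2.L[s2]}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(R):
            for s, a, t1 in m1.T:
                if s == s1 and not any((s2, a, t2) in m2.T and (t1, t2) in R for t2 in m2.Q):
                    R.discard((s1, s2)); changed = True; break
    return all(any((i1, i2) in R for i2 in m2.I) for i1 in m1.I)

# Constructed components: a client issuing req and awaiting ack, a server that may
# log while busy, and a specification of the allowed behaviour (req, log*, ack).
CLIENT = LKS("ab", "a", {"req", "ack"}, {("a", "req", "b"), ("b", "ack", "a")},
             {"a": {"idle"}, "b": {"waiting"}})
SERVER = LKS("xy", "x", {"req", "ack", "log"},
             {("x", "req", "y"), ("y", "log", "y"), ("y", "ack", "x")},
             {"x": set(), "y": {"busy"}})
SPEC_LABELS = {"0": {"idle"}, "1": {"waiting", "busy"}}
SPEC = LKS("01", "0", {"req", "ack", "log"},
           {("0", "req", "1"), ("1", "log", "1"), ("1", "ack", "0")}, SPEC_LABELS)
# A stricter constructed spec that forbids logging while busy; the program violates it.
STRICT = LKS("01", "0", {"req", "ack", "log"}, {("0", "req", "1"), ("1", "ack", "0")}, SPEC_LABELS)

def check(spec):
    """The conformance check of slide 31: does CLIENT || SERVER simulate-conform to spec?"""
    return simulates(compose(CLIENT, SERVER), spec)  # check(SPEC) -> True, check(STRICT) -> False
```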

29
Program Semantics
  • P = ⟨C1, C2⟩
  • MP = MC1 ∥ MC2
  • M̂P = M̂C1 ∥ M̂C2
  • Abstraction is done modularly

[Figure: MC1 ≼ M̂C1 and MC2 ≼ M̂C2, hence MP ≼ M̂P]
30
Program Semantics
  • P = C1 ∥ C2
  • P̂ = Ĉ1 ∥ Ĉ2

[Figure: C1 ≼ Ĉ1 and C2 ≼ Ĉ2, hence P ≼ P̂]
31
Verification
  • Specification is an LKS Spec
  • Given P and Spec, check if P ≼ Spec
  • Construct P̂
  • Check if P̂ ≼ Spec
  • P ≼ P̂ ∧ P̂ ≼ Spec ⇒ P ≼ Spec
  • Otherwise

32
Counterexample
  • ¬(P̂ ≼ Spec) ⇒
    • ∃ CE : CE ≼ P̂ ∧ ¬(CE ≼ Spec)
  • CE has a tree structure
  • See Chapter 5 for the procedure to check P̂ ≼ Spec and construct CE if necessary

33
Counterexample Validation
  • Check if CE ≼ P
  • ¬(CE ≼ Spec) ∧ CE ≼ P ⇒ ¬(P ≼ Spec)
    • the counterexample is real
  • P = C1 ∥ C2

34
Problems
  • CE ≼ C1 ∥ C2

[Diagram: Infinite States → Symbolic Representation; Statespace Explosion → Compositional Reasoning]
35
LKS Projection
[Figure: the LKS M of slide 11 with AP = {p, q, r, s}; states labelled {p}, {r}, {p, r}, {p, q}; transitions carry actions from Σ]
36
LKS Projection
[Figure: the projection M ↾ (Σ′, AP′) of M: transitions whose action lies outside Σ ∩ Σ′ become τ, and each state label is intersected with AP ∩ AP′, so only p and r remain]
37
Weak Simulation
  • M1 = (Q1, I1, Σ ∪ {τ}, T1, AP, L1)
  • M2 = (Q2, I2, Σ, T2, AP, L2)
  • R ⊆ Q1 × Q2 is a weak simulation relation if s1 R s2 ⇒
    • L1(s1) = L2(s2)
    • ∀ (s1, α, s1′) ∈ T1 with α ∈ Σ ∃ s2′ : (s2, α, s2′) ∈ T2 ∧ s1′ R s2′
    • ∀ (s1, τ, s1′) ∈ T1 : s1′ R s2
  • M1 ≾ M2 iff
    • ∃ weak simulation relation R ⊆ Q1 × Q2 : ∀ s1 ∈ I1 ∃ s2 ∈ I2 : s1 R s2

38
Compositional Validation
  • CE ≼ C1 ∥ C2
    ⟺
    CE ↾ C1 ≾ C1 ∧ CE ↾ C2 ≾ C2
39
Compositional Validation
  • CE ≼ C1 ∥ C2
    ⟺
    CE ↾1 ≾ C1 ∧ CE ↾2 ≾ C2 (writing CE ↾i for the projection of CE onto the alphabet and propositions of Ci)
40
Symbolic Representation
  • MC = (Q, I, Σ, T, AP, L)
  • There exists a class ℛ ⊆ 2^Q
    • Each r ∈ ℛ has a finite representation
    • Q ∈ ℛ
    • ℛ is closed under intersection and pre-image
    • Given r ∈ ℛ, can check if r

41
CE ↾1 ≾ C1
[Figure, animated over slides 41–43: symbolic computation of CE ↾1 ≾ C1; the counterexample tree (edges labelled τ, β, γ) is matched against C1 by propagating sets of states Q of C1, their images b(Q) and d(Q), the intersection Q ∩ d(Q), and a pre-image operator applied to these sets; CE ↾ C1 is shown alongside]
44
Abstraction Refinement
  • Check if CE ≼ P
  • CE ≼ P ⇒ the counterexample is real
  • Update the set Pred such that for the new P̂ we have ¬(CE ≼ P̂)
    • Chapter 6
  • Minimize the number of predicates to be added
    • Chapter 7

45
Case Study SSL Handshake
  • Verify that OpenSSL correctly implements the SSL handshake
  • Server and client code
    • Each about 2500 LOC
    • 400 LOC after abstracting away library routine calls
  • Analyzed client and server separately and together

46
SSL Results
NAME      | LINES OF CODE | NO. OF ITER | AVG. MODEL SIZE | AVG. MODEL TIME (SEC) | SPEC SIZE (ST/TR) | AVG. HORN VAR NUM | AVG. HORN CLAUSE NUM | VERIF TIME | TOTAL TIME (SEC) | MEMORY (MB)
SERVER    | 2483 | 64  | 8984  | 40.2 | 32 / 67 | 287472 | 352150  | 1636  | 8639  | 743
CLIENT    | 2484 | 71  | 6747  | 28.7 | 29 / 60 | 195635 | 238296  | 1217  | 7437  | 185
SRVR-CLNT | 4967 | 175 | 77474 | 3.3  | 6 / 5   | 387375 | 1386980 | 13786 | 21134 | 1105
48
Thoughts
  • Predicate abstraction alone is inadequate for concurrent systems
    • States from different control locations are always kept distinct
    • They might be merged
  • How do we combine other kinds of abstractions with predicate abstraction?

49
Iterative Refinement
[Diagram: iterative refinement loop; labels: Counterexample Valid?, No]
50
IR Model Checking
[Diagram: the iterative refinement loop, model-checking view; labels: Counterexample Valid?, No]
51
Verification IR
[Diagram: the iterative refinement loop, verification view; labels: Counterexample Valid?, No]
52
Existential Abstraction
  • M = (Q, I, Σ, T, AP, L)
  • Equivalence R ⊆ Q × Q
  • Compatible with the propositional labeling:
    • s R s′ ⇒ L(s) = L(s′)
  • [s] : equivalence class of s
  • R induces a quotient LKS MR

53
Quotient LKS
  • M = (Q, I, Σ, T, AP, L), R ⊆ Q × Q
  • MR = (QR, IR, Σ, TR, AP, LR)
  • QR = {[s] | s ∈ Q}
  • IR = {[s] | s ∈ I}
  • ([s], α, [s′]) ∈ TR ⟺ (s, α, s′) ∈ T for some representatives s, s′
  • LR([s]) = L(s)
  • R compatible with L ⇒ LR is well-defined

54
Example
Theorem: M ≼ MR
Proof: {(s, [s]) | s ∈ Q} is a simulation relation.
[Figure: an LKS M with states 1–7, labels p and q and actions a–e, next to its quotient MR]
55
Verification
  • Given P = C1 ∥ C2 and Spec
  • Use equivalence relations R1 and R2
  • Initially R1 and R2 are maximal
  • Construct P_R1R2 = C1_R1 ∥ C2_R2
  • P ≼ P_R1R2
  • Check if P_R1R2 ≼ Spec
  • P ≼ P_R1R2 ∧ P_R1R2 ≼ Spec ⇒ P ≼ Spec
  • Otherwise

56
Counterexample Validation
  • ¬(P_R1R2 ≼ Spec) ⇒
    • ∃ CE : CE ≼ P_R1R2 ∧ ¬(CE ≼ Spec)
  • CE has a tree structure
  • Check if CE ≼ P = C1 ∥ C2
    • Same as CE ↾1 ≾ C1 ∧ CE ↾2 ≾ C2
  • ¬(CE ≼ Spec) ∧ CE ≼ P ⇒ ¬(P ≼ Spec)

57
Refinement
  • Suppose ¬(CE ↾1 ≾ C1)
  • We know CE ≼ P_R1R2 = C1_R1 ∥ C2_R2
  • Hence CE ↾1 ≾ C1_R1
  • By transitivity ¬(C1_R1 ≾ C1)
  • Can split some equivalence class of R1

58
Splitting R1
[Figure: a counterexample state with β and γ successors weakly simulated (≾) by an equivalence class of C1_R1 that must be split; CE ↾1 and C1_R1 shown side by side]
59
Splitting R1
  • Repeated splitting ⇒ C1_R1 converges to the bisimulation quotient of C1

[Figure: the equivalence class split into two classes distinguished by their β and γ transitions; CE ↾1 and C1_R1 shown side by side]
60
Two Level IR
[Diagram, animated over slides 60–65: components C1, C2, C3, C4 and Spec; predicate abstraction yields the abstract components, existential abstraction yields A1, A2, A3, A4, and A1 ∥ A2 ∥ A3 ∥ A4 ≼ Spec is checked; existential refinement then refines the Ai, the animation highlighting A1, A3 and A2 in turn and finally C2]
67
Results
Test Name | One Level S1 | One Level M1 | One Level T1 | Two Level S2 | Two Level M2 | Two Level T2 | Gain T1/T2 | Gain M1/M2
SSL-1  | 157266 | 1023 | 886  | 15840 | 122 | 1081 | 0.82 | 8.39
SSL-2  | 201940 | 1070 | 1645 | 6072  | 64  | 500  | 3.29 | 16.72
SSL-3  | 203728 | 1003 | 1069 | 20172 | 130 | 1805 | 0.59 | 7.72
SSL-4  | 201940 | 640  | 1184 | 7808  | 69  | 482  | 2.46 | 9.28
SSL-5  | 184060 | 780  | 1355 | 6240  | 64  | 407  | 3.33 | 12.19
SSL-6  | 158898 | 426  | 695  | 2310  | 56  | 219  | 3.17 | 7.61
SSL-7  | 103566 | 250  | 447  | 7743  | 74  | 472  | 0.95 | 3.38
SSL-8  | 161580 | 945  | 1071 | 4617  | 64  | 387  | 2.77 | 14.77
SSL-9  | 214989 | 1475 | 1515 | 13800 | 106 | 716  | 2.12 | 13.92
SSL-10 | 118353 | 663  | 628  | 3024  | 60  | 402  | 1.56 | 11.05
SSL-11 | 204708 | 1131 | 794  | 8820  | 79  | 446  | 1.78 | 14.32
SSL-12 | 121170 | 373  | 303  | 2079  | 56  | 204  | 1.49 | 6.66
SSL-13 | 152796 | 361  | 579  | 3780  | 60  | 349  | 1.66 | 6.02
69
Summary
  • Compositional IR for concurrent programs
    • Message-passing communication
    • Simulation conformance
  • Combine predicate abstraction and existential abstraction in a two-level compositional IR algorithm
  • Experimental validation

70
Thank you!
  • Edmund Clarke
    • Exemplary advisor
  • Alex Groce, Somesh Jha, Helmut Veith
    • The original magicians
  • Tom Ball, Sriram Rajamani, Jakob Rehof
    • Superb summer job mentors
  • Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav
    • Awesome guides
  • Randal Bryant, David Garlan
    • Excellent thesis committee members

71
Questions?