State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel...

State-Event Software Verification for Branching-Time Specifications

Sagar Chaki, Ed Clarke,

Joel Ouaknine, Orna Grumberg

Natasha Sharygina, Tayssir Touili , Helmut Veith

Software Model-Checking

• Challenge in computer science

• Tools: SLAM, BLAST, MAGIC,…

• Counter-Example Guided Abstraction Refinement (CEGAR)

CEGAR

VerificationYes

System OKAbstraction

Model

CounterexampleValid?

P

Yes

No

Counterexample

AbstractionRefinement

No

SpuriousCounterexample

Property

Limitation of CEGAR applications

VerificationYes

System OK

Predicate Abstraction



YesNo

No

CounterexampleNo branching time properties

LTL formula

AbstractionModel

Property

P

VerificationYes

System OK




YesNo

No

Counterexample

LTL formula

AbstractionModel

Our Goal:Extension to branching-time properties

Branching-time formula

P

First Problem

• CEGAR cannot be applied to general branching-time logics

What are counterexamples?

property φS

φ universal

• LTL: universal logic• Describes events along a single path

G(Req→ F Ack)

• S ╞ φ iff all the paths of S ╞ φ

CEGAR natural for LTL

• ¬(S ╞ φ) iff exists one path p of S ¬( p╞ φ)

• p: Counterexample

Branching-time properties are not universal

• Existential operator:

AG(EF Restart)

CEGAR →

Define a universal Branching-time logic

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel



P

We need to:

• Define an expressive universal branching-time logic

• Define a model-checking algorithm for this logic

• Define suitable refinement techniques

State/event universal branching-time logic

• Industrial applications need state/event reasoning

• Bluetooth: when an action a is received in a q state, the next state has to be p

• Need to a state/event framework

The state/event universal logic SE-AΩ

• We view time operators as regular path patterns on the time line

,...,,, 1111 MMMM Fφ: 1* M

Xφ: 1M

Gφ:

φUψ:

1M

2*

1 MM


:),...,( 1 nO Regular expression over ),...,( 1 nMMP

431*

21 ,, MMMMMO

),,,( baO

ψφ φ φ φ

aa ba

φ

a

φ


),( 21 MMK(φ,a):

Lφ: )( 11111 MMMMM

K(φ,a): φ and a hold at all even time points

Lφ: no more than 4 time units between 2 occurrences of φ


APppp ;,

2121 ,

actions ofset a or formula :

:),...,(

i

1

nAO


• Labeled Kripke Structure: M=(S,AP,L,Σ,T)

p,q

0sp

1s

q,r

2s

a

bc


• Labeled Kripke Structure: M=(S,AP,L,Σ,T)

)( ,, and )( ,, sLppsMsLppsM

2121 , , , sMsM

actions ofset a or formula :

:),...,(,

i

1

nAOsM

We need to:

• Define an expressive universal branching-time logic

• Define a model-checking algorithm for this logic

• Define suitable refinement techniques

Model-checking algorithm for SE-AΩsM ,

pp,q

0sp1s

q,r

2s

a

bc

b

Model-checking algorithm for SE-AΩsM ,

21 p,q

0sp1s

q,r

2s

a

bc

b

Model-checking algorithm for SE-AΩ0, sM

),...,( 1 nAO

),,,( 431 cAO

p,q

0sp1s

q,r

2s

a

bc

, 31

, 43

1

, 31 MM

, 31 MM

,, 432 MMM

, 21 MM

, 31 MM

, 21 MM 1M

432 ,, MMM

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel


SE-AΩ

nPPP ...21

What is a counterexample formally?

0, sC

0, sM

MC

mplecounterexaa :C

CounterExample generation for SE-AΩ

21

or 21 Compute a counterexample either for


21

1Compute a counterexample for

2Compute a counterexample for


AG ¬p v AF ¬q

q

q

q

q

p

CounterExample generation for SE-AΩ0, sM

),...,( 1 nAO

),,,( 431 cAO

0s1s

2s

a

bc

b

, 31

, 43

1M

432 ,, MMM

0s1s

ab

1 CEX

3 CEX 4 CEX 4 CEX

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel


SE-AΩ

nPPP ...21

nAAA ...21

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel


SE-AΩ

nPPP ...21

nAAA ...21

?? ...

...

21

21

n

n

PPPC

AAAC

0s1s

2s

a

bc

b

0s1s

2s

a

c

C 2C

Projection

...21 nPPP

Weak simulation

a

a

p,qp,q

1M2M

Compositionality

...21 nPPPC

ni1 ; iiPC

Theorem:

iff

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel


SE-AΩ

nPPP ...21

nAAA ...21

Compositional refinement

P1 SpecP2 P3 P4

Abstraction

SpecA1 A2 A3 A4

11PC


P1 Spec

Abstraction

P2 P3 P4

SpecA1 A2 A3 A4

A1

Refinement

33PC


P1 Spec

Abstraction

P2 P3 P4

SpecA1 A2 A4

A1

Refinement

A3

A3

11PC


P1 Spec

Abstraction

P2 P3 P4

SpecA1 A2 A4

A1

Refinement

A3

A3

A1


P1 Spec

Abstraction

P2 P3 P4

SpecA1

A2

A4Refinement

A3

A3A2

A1

A1

No more counterexamples


P1 Spec

Abstraction

P2 P3 P4

SpecA1

A2

A4

Refinement

A3

A3A2

A1

A1

Real counterexamples

Action-guided Refinement

a b

ba

c

Abstraction

a

a,bb

c

a

a,bb

Counterexample

VerificationYes

System OK




YesNo

No

Counterexample

AbstractionModel



nPPP ...21

Case study: IPC

• IPC (InterProcess Communication) Protocol: organize communication in a multithreaded robot controller

• Bug discovery

• Protocol has been used for 7 years

• Bug undetected with earlier model-checking efforts using LTL

Conclusion

• Definition of an advanced branching-time state-event logic SE-AΩ

• Model-checking algorithm for SE-AΩ

• Compositional counterexample validation and refinement techniques for SE-AΩ

First application of compositional CEGAR to a branching-time specifications

Bug discovery in the IPC protocol

Questions?

State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel...

Documents

Transcript of State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel...