CEA LIST, 3rd of July 2009
Symbolic execution based model checking of open systems with unbounded variables
Nicolas [email protected]
CEA LIST, Laboratory of Model Driven Engineering for embedded systems
F-91191 Gif-sur-Yvette, FRANCE.
Tests and Proofs 2009
CEA-LIST, 3rd of July 2009, DTSI
Context and motivation
Critical embedded systems => formal methods
Diagram: Spec (φ), Model (M), Model and System (black box), linked by refinement, design and implementation steps; each link raises a "Conforms to ?" question, two of which were addressed in earlier work (TAP'07, TestCom'06).
Several problems, one technique, Symbolic Execution (SE), one platform (AGATHA).
• shift from space complexity to time complexity (for verification).
• concise representation: for simulation, test purpose definition …
M |=symb exec φ ?
Outline
Models: IOSTS formalism
Specifications: IOLTL logic
IOLTL tableau calculus
Symbolic Execution technique
Tableau calculus and SE (|=symb path)
Termination
Experiment, Conclusion, Future work
IOSTS Formalism
Graph part: states and transitions; a transition label is Guard [I | O | (no communication)] {Substitution}, with I: channel ? variable and O: channel ! term.
Data part: first order decidable theory Th (ex: Presburger Arithmetics); state variables: {v, b}.
Example: relative speed regulator (virtual trains for trucks), with states I, p, q, r and transition labels:
  T [rel_speed ? v] {}
  T [] {b := 0}
  T [] {b := 1, v := 0}
  (b == 0) [] {}
  v > 1 [motor ! -1] {}
  v < -1 [motor ! 1] {}
  -1 ≤ v ≤ 1 [] {}
A run:
  (I, v=0, b=1) → (p, v=0, b=0) → rel_speed ? -5 → (q, v=-5, b=0) → (r, v=-5, b=0) → motor ! 1 → (p, v=-5, b=0)
IOLTL
BNF grammar: φ ::= atom | T | ⊥ | ¬φ1 | φ1 ∧ φ2 | X φ1 | φ1 U φ2 | φ1 R φ2
Atomic propositions: properties over states, e.g. (v > 0); properties over I/O, e.g. (c ! u, u > v+1).
Satisfaction: M |=iosts φ if for all r ∈ Run(M), r |=run φ.
Implicit Kripke structure: its nodes pair an IOSTS state with an outgoing transition, e.g. (I, e1) and (p, e2); (I, e1) |= X φ if (p, e2) |= φ.
IOLTL tableau calculus
Goal: transform the satisfaction relation |=run into an operational procedure. Idea: reduce it to a satisfaction relation on states, |=state, which can itself be reduced to Th |= f (the data theory Th is supposed to be decidable).
r |=run φ means r(0) |=run φ.
r(i) |=run φ can be reduced to: r[i] |=state Now(φ) or r(i+1) |=run neXt(φ), where Now(φ) ⊆ Atoms.
r[i] |=state Now(φ) means Th |= ⋀ r[i] ∧ ⋀ Now(φ).
Two kinds of inference rules: transformation rules, which rewrite a pair (Now, neXt) into (Now', neXt') at the same position r[i] of the run, and transition rules, which step from r[i] to r(i+1) carrying neXt.
Tableau calculus: example
F p (abbreviates T U p). F p ≡ p ∨ X (F p), so r(i) |= F p iff r[i] |= p or r(i+1) |= F p.
Contexts are pairs (Now, neXt):
  F1: ({F p}, ∅) → ({p}, ∅)                      prove p now …
  F2: ({F p}, ∅) → (∅, {F p})                    … or prove F p in the next state.
  NSR (Next State Rule): (∅, {F p}) → ({F p}, ∅) in the next state: build the next state.
If p is not an atom, after F1 the rules dedicated to the main operator of p are applied, and so on until the Now set contains only atoms.
Symbolic execution
Principle: symbols are used instead of values. Symbolic states of the regulator are triples (control state, path condition, substitution):
  (I, T, {v ↦ v0, b ↦ b0})
  → (p, T, {v ↦ v0, b ↦ 0})
  → rel_speed ? v1 → (q, T, {v ↦ v1, b ↦ 0})
  → (r, T, {v ↦ v1, b ↦ 0})   or   (r, T, {v ↦ 0, b ↦ 1})
  → motor ! -1 → (p, v1 > 1, {v ↦ v1, b ↦ 0})
  → motor ! 1 → (p, v1 < -1, {v ↦ v1, b ↦ 0})
  → (p, -1 ≤ v1 ≤ 1, {v ↦ v1, b ↦ 0})
Red symbolic path: contains the run of slide 4.
Correct, complete. Intentional representation of all runs (concise and exact).
M |=iosts φ iff for all sp ∈ SP(M) we have sp |=symb path φ.
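The symbolic execution tree above, computed by code. This is an added example, not code from the slides or from the AGATHA platform: it encodes the regulator's transitions as read off slide 4 (the I → p edge with {b := 0} and the two q → r edges are an assumption reconstructed from the symbolic tree), binds each input to a fresh symbol v1, v2, …, and keeps the path condition as a conjunction of bounds on those symbols, decided by a small interval check in place of a real Presburger solver. Guards are evaluated before the input binding and the assignment, which is also an assumption about the label semantics.

```python
"""Symbolic execution of the relative speed regulator IOSTS (constructed example)."""
import operator
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple, Union

F = Fraction
Term = Union[Fraction, str]              # a number, or a symbol name such as "v1"
Bound = Tuple[str, str, Fraction]        # (variable, operator, number), e.g. ("v", ">", F(1))
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Interval:
    """Values a symbol may take; a path condition is one interval per constrained symbol."""
    lo: Optional[Fraction] = None
    lo_open: bool = False
    hi: Optional[Fraction] = None
    hi_open: bool = False

    def tighten(self, op: str, k: Fraction) -> "Interval":
        if op == "==":
            return self.tighten(">=", k).tighten("<=", k)
        lo, lo_open, hi, hi_open = self.lo, self.lo_open, self.hi, self.hi_open
        if op in (">", ">=") and (lo is None or k > lo or (k == lo and op == ">")):
            lo, lo_open = k, op == ">"
        if op in ("<", "<=") and (hi is None or k < hi or (k == hi and op == "<")):
            hi, hi_open = k, op == "<"
        return Interval(lo, lo_open, hi, hi_open)

    def empty(self) -> bool:
        if self.lo is None or self.hi is None:
            return False
        return self.lo > self.hi or (self.lo == self.hi and (self.lo_open or self.hi_open))

    def describe(self, sym: str) -> str:
        lo = f"{self.lo} {'<' if self.lo_open else '<='} " if self.lo is not None else ""
        hi = f" {'<' if self.hi_open else '<='} {self.hi}" if self.hi is not None else ""
        return f"{lo}{sym}{hi}"


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    guard: Tuple[Bound, ...] = ()                 # () stands for the guard T
    inp: Optional[Tuple[str, str]] = None         # (channel, variable): channel ? variable
    out: Optional[Tuple[str, Term]] = None        # (channel, term):     channel ! term
    subst: Tuple[Tuple[str, Term], ...] = ()      # parallel assignments variable := term


@dataclass
class SymState:
    control: str
    pc: Dict[str, Interval]       # path condition over the input symbols
    sigma: Dict[str, Term]        # substitution: state variable -> term

    def path_condition(self) -> str:
        return " and ".join(iv.describe(s) for s, iv in sorted(self.pc.items())) or "T"


def step(state: SymState, t: Transition, fresh: Callable[[], str]) -> Optional[Tuple[SymState, Optional[str]]]:
    """Fire t from a symbolic state; None if the guard is false or the path condition becomes unsatisfiable."""
    pc, sigma = dict(state.pc), dict(state.sigma)
    for var, op, k in t.guard:
        term = sigma[var]
        if isinstance(term, Fraction):            # concrete value: decide the guard right away
            if not OPS[op](term, k):
                return None
        else:                                     # symbolic value: add a bound to the path condition
            pc[term] = pc.get(term, Interval()).tighten(op, k)
            if pc[term].empty():
                return None
    label = None
    if t.inp:                                     # an input binds its variable to a fresh symbol
        sigma[t.inp[1]] = fresh()
        label = f"{t.inp[0]}?{sigma[t.inp[1]]}"
    if t.out:
        label = f"{t.out[0]}!{t.out[1]}"
    new_sigma = dict(sigma)
    for var, term in t.subst:                     # parallel assignment, right-hand sides read in sigma
        new_sigma[var] = sigma.get(term, term) if isinstance(term, str) else term
    return SymState(t.dst, pc, new_sigma), label


def unfold(transitions: List[Transition], init: SymState, depth: int) -> List[Tuple[SymState, List[str]]]:
    """All consistent symbolic paths of exactly `depth` transitions, with their I/O labels."""
    counter = 0

    def fresh() -> str:
        nonlocal counter
        counter += 1
        return f"v{counter}"

    frontier: List[Tuple[SymState, List[str]]] = [(init, [])]
    for _ in range(depth):
        nxt = []
        for state, trace in frontier:
            for t in transitions:
                if t.src == state.control and (result := step(state, t, fresh)) is not None:
                    new_state, label = result
                    nxt.append((new_state, trace + ([label] if label else [])))
        frontier = nxt
    return frontier


def satisfied_by(state: SymState, valuation: Dict[str, Fraction]) -> bool:
    """Does a concrete valuation of the input symbols satisfy the path condition?"""
    for sym, iv in state.pc.items():
        x = valuation[sym]
        if iv.lo is not None and (x < iv.lo or (x == iv.lo and iv.lo_open)):
            return False
        if iv.hi is not None and (x > iv.hi or (x == iv.hi and iv.hi_open)):
            return False
    return True


# Regulator transitions read off slide 4 (graph structure partly assumed, see the lead-in).
REGULATOR = [
    Transition("I", "p", subst=(("b", F(0)),)),                             # T [] {b := 0}
    Transition("p", "q", inp=("rel_speed", "v")),                            # T [rel_speed ? v] {}
    Transition("q", "r", guard=(("b", "==", F(0)),)),                       # (b == 0) [] {}
    Transition("q", "r", subst=(("b", F(1)), ("v", F(0)))),                 # T [] {b := 1, v := 0}  (sensor fault)
    Transition("r", "p", guard=(("v", ">", F(1)),), out=("motor", F(-1))),  # v > 1 [motor ! -1] {}
    Transition("r", "p", guard=(("v", "<", F(-1)),), out=("motor", F(1))),  # v < -1 [motor ! 1] {}
    Transition("r", "p", guard=(("v", ">=", F(-1)), ("v", "<=", F(1)))),    # -1 <= v <= 1 [] {}
]
INIT = SymState("I", {}, {"v": "v0", "b": "b0"})

if __name__ == "__main__":
    for state, trace in unfold(REGULATOR, INIT, 4):
        print(state.control, state.path_condition(), state.sigma, trace)
```

Four transitions deep, the unfolding ends in the three p states of the slide (path conditions 1 < v1, v1 < -1 and -1 ≤ v1 ≤ 1) plus the branch through the fault, whose path condition stays T because v ↦ 0 decides the guards concretely. The concrete run of slide 4 is an instance of the v1 < -1 path: satisfied_by confirms v1 = -5 meets its path condition and that the trace is rel_speed?v1 followed by motor!1.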
IOLTL tableau calculus and symbolic execution
A context is (symbolic state, Now, neXt). Example with φ = F (v < 5):
  ((p, vi > 1, v ↦ vi), {F (v < 5)}, ∅)
  → F1 → ((p, vi > 1, v ↦ vi), {(v < 5)}, ∅)
  → Atom → ((p, (vi > 1) ∧ (v = vi) ∧ (v < 5), v ↦ vi), ∅, ∅) = ((p, 1 < vi < 5, v ↦ vi), ∅, ∅)
Atom Rule transfers atoms into the path condition.
IOLTL tableau calculus and symbolic execution
  ((p, vi > 1, v ↦ vi), {F (v < 5)}, ∅)
  → F2 → ((p, vi > 1, v ↦ vi), ∅, {F (v < 5)})
  → NSR, rel_speed ? vi+1 → ((q, vi > 1, v ↦ vi+1), {F (v < 5)}, ∅)
Rules build sequences of transitions linking contexts: we call them unfoldings (an unfolding is consistent if the path condition of its symbolic state component).
Satisfaction problem with Until formulas
Diagram: Kripke structure with states labelled v > 0 and v > 1, i.e. an infinite run on which v stays positive.
Consider F (v < 0) and the Kripke structure above. Rule F2 applies forever (i.e. builds an infinite consistent unfolding) although (v < 0) is never satisfied! Consistency of an infinite unfolding is not a sufficient criterion for the satisfaction relation.
The technique requires a third set of formulas, Uset, which stores the Until formulas (remember that F is an Until) never proved; it is initialized with all Until (Finally) sub-formulas.
NSR (modified to take Uset into account), on contexts (Uset, Now, neXt):
  (Uset, ∅, neXt) → (Uset ∪ neXt, neXt, ∅)
With the above example, Uset always contains F (v < 0)!
Emptiness of the Uset provides a sufficient criterion.
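The F1 / F2 / NSR rules of the tableau example and the Uset bookkeeping of this slide, run on concrete lasso-shaped runs. This is an added example, not code from the slides: it replaces symbolic states by concrete ones (a finite prefix followed by a loop, so that revisiting a context is the lasso), keeps contexts as (Now, neXt, Uset) with Uset initialized to all F sub-formulas, drops F p from Uset when F1 commits to proving p, re-adds the F formulas deferred through neXt at each NSR step, and accepts a lasso only if some context in its loop part has an empty Uset. The formula encoding (nested tuples with "atom", "X", "F") and the atom predicates are constructed for the example.

```python
"""Tableau check of an LTL formula (atoms, X, F) on a lasso-shaped concrete run (constructed example)."""
from typing import Callable, Dict, FrozenSet, List, Tuple

State = Dict[str, int]
Formula = tuple   # ("atom", name) | ("X", f) | ("F", f); F f abbreviates T U f
Context = Tuple[int, FrozenSet[Formula], FrozenSet[Formula]]   # (position, neXt, Uset) at an NSR point


def until_subformulas(phi: Formula) -> FrozenSet[Formula]:
    """All F (Until) sub-formulas of phi: the initial content of Uset."""
    own = {phi} if phi[0] == "F" else set()
    return frozenset(own.union(*(until_subformulas(sub) for sub in phi[1:] if isinstance(sub, tuple))))


def satisfies(run: List[State], loop_start: int,
              atoms: Dict[str, Callable[[State], bool]], phi: Formula) -> bool:
    """Does the run run[0..loop_start-1] . (run[loop_start..])^omega satisfy phi?"""
    last = len(run) - 1

    def search(pos: int, now: FrozenSet[Formula], nxt: FrozenSet[Formula],
               uset: FrozenSet[Formula], path: List[Context]) -> bool:
        if now:                                   # transformation rules on the Now set
            f = min(now, key=repr)                # fixed order, so the search is deterministic
            rest = now - {f}
            if f[0] == "atom":                    # Atom rule: decide it on the current state
                return atoms[f[1]](run[pos]) and search(pos, rest, nxt, uset, path)
            if f[0] == "X":                       # X rule: the operand is due in the next state
                return search(pos, rest, nxt | {f[1]}, uset, path)
            # F1: prove the operand now; f stops being a pending Until formula
            if search(pos, rest | {f[1]}, nxt, uset - {f}, path):
                return True
            return search(pos, rest, nxt | {f}, uset, path)   # F2: postpone F to the next state
        key: Context = (pos, nxt, uset)
        if key in path:                           # lasso: the unfolding revisits a context
            loop_part = path[path.index(key):]
            return any(not u for _, _, u in loop_part)        # Uset criterion on the loop part
        pending = uset | {g for g in nxt if g[0] == "F"}      # NSR modified for Uset
        succ = pos + 1 if pos < last else loop_start
        return search(succ, nxt, frozenset(), pending, path + [key])

    return search(0, frozenset({phi}), frozenset(), until_subformulas(phi), [])


# Constructed runs: a positive run like the Kripke structure of the slide, and one that goes negative.
ATOMS = {"v<0": lambda s: s["v"] < 0}
POSITIVE_FOREVER = [{"v": 3}, {"v": 2}]   # (3 2)^omega, loop_start = 0
EVENTUALLY_NEGATIVE = [{"v": 3}, {"v": -2}]   # 3 (-2)^omega, loop_start = 1

if __name__ == "__main__":
    f_neg = ("F", ("atom", "v<0"))
    print("F(v<0) on (3 2)^w  :", satisfies(POSITIVE_FOREVER, 0, ATOMS, f_neg))
    print("F(v<0) on 3 (-2)^w :", satisfies(EVENTUALLY_NEGATIVE, 1, ATOMS, f_neg))
```

On the run where v stays positive, F2 is the only rule that survives at every position, so the search comes back to a context it has already seen with F (v < 0) still in Uset and answers false; on the run that reaches v = -2, F1 succeeds there, Uset becomes empty inside the loop, and the lasso is accepted.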
Lemma
With the Uset emptiness criterion (Uset never infinitely non-empty), |=run and |=symb path are equivalent (i.e. we can use |=symb path instead of |=run in the definition of |=iosts).
Termination criterion 1: lassos detection
Diagram: an unfolding made of a prefix a followed by a loop b, with O1 and O2 the omega sets of the contexts at the start and at the end of the loop, and a context with Uset = ∅ in the loop.
O1, O2 are omega sets (see paper) with respect to the symbols present in the prefix.
Lemma: O1 ⊆ O2 => there is a lasso (see the red execution a.b).
Moreover, if there exists, in the loop part of the unfolding, a context with Uset = ∅, then a.b* satisfies φ.
Termination criterion 2: "dead end" detection
Diagram: an unfolding in which context S1 precedes context S2 on the same branch, Uset being non-empty.
O1, O2 are the omega sets of S1 and S2 (see paper).
O2 ⊆ O1 => unfoldings "after" S2 cannot prove more than those "after" S1 => cut on S2.
Theorems
Theorem 1: If there exists an unfolding satisfying the lasso criterion and the Uset criterion, then there exists a run r |= φ.
Theorem 2: If all unfoldings satisfy the inclusion criterion but not the Uset criterion, then there exists no run satisfying φ.
(The two criteria are applied in a defined sequence.)
First experiment
Diagnosability. A model is not diagnosable with respect to a fault if we can find two different runs having the same observable traces, one being affected by the fault and not the other. The speed regulator IOSTS model of slide 4 contains a fault whose occurrence is characterized by the value of b.
Diagnosability can be reduced to a model-checking problem on the product of two copies of the model:
M × M |=iosts F G (b1 = T ∧ b2 = ⊥) ?
Answer about the speed sensor (captor) failure: not diagnosable when the relative speed is maintained at 0.
Conclusion
|=symb path can be used instead of |=run.
Allows analysis of models with unbounded variables or huge domains.
The combination of SE and tableau calculus provides an operational technique for |=symb.
Semi-decision verification algorithm (between test and proof).
FUTURE WORK
Improve the verification algorithm with strategies (priorities over rules: F1 > F2 to check F G φ).
Monte Carlo methods for large systems (adaptation of the MC2 PLTL checker approach).
What about FIFO channels?
Use tableau calculus and SE to generate test purposes (TestCom'06) from IOLTL properties (test purpose refinement).
Thank You!