State-Event Software Verification for Branching-Time Specifications Sagar Chaki, Ed Clarke, Joel...
Posted 19-Dec-2015
Page 1
State-Event Software Verification for Branching-Time Specifications
Sagar Chaki, Ed Clarke, Joel Ouaknine, Orna Grumberg, Natasha Sharygina, Tayssir Touili, Helmut Veith
Page 2
Software Model-Checking
• Challenge in computer science
• Tools: SLAM, BLAST, MAGIC,…
• Counter-Example Guided Abstraction Refinement (CEGAR)
Page 3
CEGAR
Diagram of the CEGAR loop: the system P and the Property go through Abstraction to produce an abstract Model; Verification of the model either answers Yes (System OK) or yields a Counterexample; "Counterexample Valid?" answers Yes (a real Counterexample is reported) or No (Spurious Counterexample), in which case Abstraction Refinement produces a new model and the loop repeats.
Page 4
Limitation of CEGAR applications
Same CEGAR loop diagram, with Predicate Abstraction as the abstraction step and an LTL formula as the property; annotation on the property: no branching-time properties.
Page 5
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram, with the LTL formula replaced by a branching-time formula as the property.
Page 6
First Problem
• CEGAR cannot be applied to general branching-time logics
Page 7
What are counterexamples?
System S, property φ
φ universal
Page 8
• LTL: universal logic
• Describes events along a single path
G(Req → F Ack)
• S ⊨ φ iff all the paths of S ⊨ φ
CEGAR natural for LTL
• ¬(S ⊨ φ) iff there exists one path p of S with ¬(p ⊨ φ)
• p: Counterexample
Page 9
Branching-time properties are not universal
• Existential operator:
AG(EF Restart)
CEGAR → define a universal branching-time logic
Page 10
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram (Predicate Abstraction, Abstraction Refinement) with a branching-time formula as the property.
Page 11
We need to:
• Define an expressive universal branching-time logic
• Define a model-checking algorithm for this logic
• Define suitable refinement techniques
Page 12
State/event universal branching-time logic
• Industrial applications need state/event reasoning
• Bluetooth: when an action a is received in a q-state, the next state has to be p
• Need a state/event framework
Page 13
The state/event universal logic SE-AΩ
• We view time operators as regular path patterns on the time line
Diagram: Fφ, Xφ, Gφ and φUψ drawn as regular path patterns over the symbols M1, M2 (the patterns themselves are not recoverable from the transcript).
Page 14
The state/event universal logic SE-AΩ
O(φ1,...,φn): O is a regular expression over (M1,...,Mn)
Example: O = M1* M2 M3 M4, instantiated with the formulas φ, ψ and the actions a, b; the diagram matches the pattern against a path whose states satisfy φ and whose transitions carry a and b.
Page 15
The state/event universal logic SE-AΩ
K(φ,a): pattern over M1, M2; φ and a hold at all even time points
Lφ: pattern over M1; no more than 4 time units between 2 occurrences of φ
Page 16
The state/event universal logic SE-AΩ
p, ¬p with p ∈ AP
φ1 ∧ φ2, φ1 ∨ φ2
A O(φ1,...,φn), where each φi is a formula or a set of actions
Page 17
The state/event universal logic SE-AΩ
• Labeled Kripke Structure: M=(S,AP,L,Σ,T)
Example LKS (diagram): states s0 labelled {p}, s1 labelled {p,q}, s2 labelled {q,r}; transitions labelled with the actions a, b, c.
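As an added illustration (not code from the slides or from the authors' tool), here is a small Python check of the Bluetooth-style state/event property from page 12 ("when action a is received in a q-state, the next state has to be p") over a labeled Kripke structure shaped like page 17's M=(S,AP,L,Σ,T). The state labels follow the slide; the transitions are constructed here because the diagram's edges are not recoverable, and the property is encoded as a hypothetical monitor that reads a path alternately as state labels and actions, so the check is universal over all paths and a violation comes back as a concrete counterexample path.

```python
from collections import deque

# Constructed example LKS in the style of page 17: M = (S, AP, L, Sigma, T).
# States carry atomic propositions (L), transitions carry actions (Sigma).
LKS = {
    "S": ["s0", "s1", "s2"],
    "L": {"s0": {"p"}, "s1": {"p", "q"}, "s2": {"q", "r"}},
    "Sigma": {"a", "b", "c"},
    "T": [("s0", "a", "s1"), ("s1", "b", "s2"), ("s2", "c", "s0"), ("s2", "a", "s2")],
}

ACCEPT = "bad"  # monitor state meaning "a violation has been observed"

def bluetooth_monitor(m, kind, sym):
    """Hypothetical monitor for violations of 'an action a received in a
    q-state must lead to a p-state'.  The path is fed alternately as state
    labels (kind == 'state') and actions (kind == 'action')."""
    if m == ACCEPT:
        return ACCEPT
    if kind == "state":
        if m == "armed" and "p" not in sym:   # a was taken from a q-state; target lacks p
            return ACCEPT
        return "in_q" if "q" in sym else "idle"
    # kind == "action": only an 'a' leaving a q-state arms the monitor
    if m == "in_q" and sym == "a":
        return "armed"
    return "idle"

def check_universal(lks, s0, monitor, start="idle"):
    """Breadth-first product of the LKS with the monitor.  Returns None when no
    path from s0 drives the monitor to ACCEPT (the property holds on all paths),
    otherwise the shortest violating path as [s0, a1, s1, ..., sk]."""
    succ = {}
    for src, act, dst in lks["T"]:
        succ.setdefault(src, []).append((act, dst))
    m0 = monitor(start, "state", lks["L"][s0])
    if m0 == ACCEPT:
        return [s0]
    seen = {(s0, m0)}
    queue = deque([(s0, m0, [s0])])
    while queue:
        s, m, path = queue.popleft()
        for act, dst in succ.get(s, []):
            m1 = monitor(monitor(m, "action", act), "state", lks["L"][dst])
            if m1 == ACCEPT:
                return path + [act, dst]
            if (dst, m1) not in seen:        # product state already explored
                seen.add((dst, m1))
                queue.append((dst, m1, path + [act, dst]))
    return None

if __name__ == "__main__":
    # On the constructed LKS the a-loop on s2 (a q-state without p) violates the property.
    print(check_universal(LKS, "s0", bluetooth_monitor))
```

Redirecting the a-transition of s2 to s1 (a p-state) makes the check return None, i.e. the property then holds on every path.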
Page 18
The state/event universal logic SE-AΩ
• Labeled Kripke Structure: M=(S,AP,L,Σ,T)
M, s ⊨ p iff p ∈ L(s), and M, s ⊨ ¬p iff p ∉ L(s)
M, s ⊨ φ1 ∧ φ2, M, s ⊨ φ1 ∨ φ2
φi: a formula or a set of actions
M, s ⊨ A O(φ1,...,φn): given on the slide as a path diagram that is not recoverable from the transcript
Page 19
We need to:
• Define an expressive universal branching-time logic
• Define a model-checking algorithm for this logic
• Define suitable refinement techniques
Pages 20-23
Model-checking algorithm for SE-AΩ
Four diagram slides showing the check M, s ⊨ φ step by step on the example LKS (states s0 {p}, s1 {p,q}, s2 {q,r}; transitions labelled a, b, c); the step-by-step annotations are not recoverable from the transcript.
Page 24
Model-checking algorithm for SE-AΩ
M, s0 ⊨ A O(φ1,...,φn), shown on an instance whose arguments are φ1, φ3, φ4 and the action c; the example LKS (s0 {p}, s1 {p,q}, s2 {q,r}; actions a, b, c) is annotated at each state with the sets of pattern symbols (subsets of M1, M2, M3, M4) that can be matched there.
Page 25
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram, now with an SE-AΩ formula as the property and the system given as the parallel composition P1 ∥ P2 ∥ ... ∥ Pn.
Page 26
What is a counterexample formally?
C, s0 ⊭ φ
M, s0 ⊭ φ
C ≼ M (C is weakly simulated by M, as on the Weak simulation slide)
C: a counterexample
Page 27
Counterexample generation for SE-AΩ
φ1 ∧ φ2: compute a counterexample either for φ1 or for φ2
Page 28
Counterexample generation for SE-AΩ
φ1 ∨ φ2: compute a counterexample for φ1 and compute a counterexample for φ2
Page 29
Counterexample generation for SE-AΩ
AG ¬p ∨ AF ¬q
Diagram: a tree-shaped counterexample with a branch of states labelled q and a state labelled p.
Page 30
Counterexample generation for SE-AΩ
M, s0 ⊨ A O(φ1,...,φn) on the example LKS (states s0, s1, s2; actions a, b, c), annotated with pattern symbols M1, M2, M3, M4 and with the counterexample fragments CEX 1, CEX 3 and CEX 4 extracted over the states s0, s1 and the actions a, b.
Page 31
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram with an SE-AΩ formula as the property, the system P1 ∥ P2 ∥ ... ∥ Pn and its abstraction A1 ∥ A2 ∥ ... ∥ An.
Page 32
Same diagram, with the open question: the counterexample C relates to A1 ∥ A2 ∥ ... ∥ An; does it relate to P1 ∥ P2 ∥ ... ∥ Pn?
Page 33
Projection
Diagram: a counterexample C for P1 ∥ P2 ∥ ... ∥ Pn (states s0, s1, s2; actions a, b, c) is projected onto the components, giving C1 and C2 (the second keeping only the actions a and c).
Page 34
Weak simulation
Diagram: two structures M1 and M2 with states labelled p,q and transitions labelled a, illustrating that M1 is weakly simulated by M2.
Page 35
Compositionality
C = C1 ∥ C2 ∥ ... ∥ Cn
Ci ≼ Pi for 1 ≤ i ≤ n
Theorem: C ≼ P1 ∥ P2 ∥ ... ∥ Pn iff Ci ≼ Pi for all 1 ≤ i ≤ n
Page 36
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram with an SE-AΩ formula, the system P1 ∥ P2 ∥ ... ∥ Pn and its abstraction A1 ∥ A2 ∥ ... ∥ An.
Pages 37-42
Compositional refinement
Diagram sequence over six slides: the system P1 ∥ P2 ∥ P3 ∥ P4 is checked against Spec through its Abstraction A1 ∥ A2 ∥ A3 ∥ A4. Each counterexample found on the abstraction is projected onto the components and validated component-wise (C1 ≼ P1 on page 37, C3 ≼ P3 on page 38, C1 ≼ P1 again on page 39); every failed validation triggers Refinement of the corresponding abstract component (A1, then A3, then A1 again, then A2). The loop ends either with "No more counterexamples" (page 41) or with "Real counterexamples" (page 42).
Page 43
Action-guided Refinement
Diagram: a concrete structure with transitions labelled a, b, c; its Abstraction, in which merged states produce transitions labelled a, b and a,b; and the Counterexample found on the abstraction.
Page 44
Our Goal: Extension to branching-time properties
Same CEGAR loop diagram with a branching-time formula as the property and the system P1 ∥ P2 ∥ ... ∥ Pn.
Page 45
Case study: IPC
• IPC (InterProcess Communication) Protocol: organize communication in a multithreaded robot controller
• Bug discovery
• Protocol has been used for 7 years
• Bug undetected with earlier model-checking efforts using LTL
Page 46
Conclusion
• Definition of an advanced branching-time state-event logic SE-AΩ
• Model-checking algorithm for SE-AΩ
• Compositional counterexample validation and refinement techniques for SE-AΩ
First application of compositional CEGAR to branching-time specifications
Bug discovery in the IPC protocol
Page 47
Questions?