Model Checking Büchi Pushdown Systems
Transcript of Model Checking Büchi Pushdown Systems
Model Checking Büchi Pushdown Systems
Presented by Rustan Leino
Juncao Li and Fei Xie, Dept. of Computer Science, Portland State University
Thomas Ball and Vladimir Levin, Microsoft Corporation
Hardware/Software (HW/SW) Interfaces are Pervasive…
Windows XP
◦ Over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004)
Linux
◦ 70% of the code is for drivers that operate hardware (Chou, et al., 2001)
And Unreliable…
In Windows
◦ Drivers cause 85% of reported failures (Swift, 2005)
◦ At least 52.6% of Windows crashes involve HW/SW interaction (Sinha, 2005)
In Linux
◦ Seven times more driver failures (Chou, et al., 2001)
Lots of issues cannot be gathered …
◦ e.g., device/driver I/O hangs
What we have done (FASE’10, CAV’10)
Formal specification framework
◦ Specify a hardware model for verifying software
Unifying formal model
◦ Labeled Pushdown System (LPDS) as the software model
◦ Büchi automaton (BA) as the hardware model
◦ Büchi Pushdown System (BPDS): BA × LPDS
Reachability analysis algorithm
◦ For BPDS
◦ Static Partial Order Reduction
Discovered 12 bugs in 5 Windows drivers
Need more?
Why? (system responsiveness)
◦ Software commands will always be acknowledged
◦ I/O will not hang
How?
◦ Specify the properties: Linear Temporal Logic (LTL)
◦ Model checking algorithm: for checking liveness properties of BPDS
◦ Reduction algorithm: Static Partial Order Reduction
Where are we …
Introduction
Preliminaries
Algorithms
◦ Model Checking
◦ Reduction
Examples & Evaluation
Conclusion
Büchi Automaton (BA)
A BA is a tuple B = (Σ, Q, δ, q0, F):
◦ Σ, the alphabet
◦ Q, the finite set of states
◦ δ, the set of state transitions
◦ q0 ∈ Q, the initial state
◦ F ⊆ Q, the set of final states
The alphabet is defined on the states of the LPDS
◦ The LPDS is the generator of inputs to the BA
◦ e.g., WRITE_REGISTER_UCHAR(foo, 32)
Labeled Pushdown System (LPDS)
An LPDS is a tuple P = (I, G, Γ, Δ, ⟨g0, ω0⟩):
◦ I, the input alphabet
◦ G, the finite set of global states
◦ Γ, the finite stack alphabet
◦ ⟨g0, ω0⟩ ∈ G × Γ*, the initial configuration
◦ Δ ⊆ (G × Γ) × I × (G × Γ*), the set of transition rules
Labeling Functions
BPDS …
Model Checking Problem
Find a trace that
◦ starts from the initial state
◦ visits the final states infinitely often
◦ satisfies the fairness requirement: infinitely many hardware transitions (from the BA) and infinitely many software transitions (from the LPDS)
Model Checking Algorithm
Detect the loops in the BPDS that
◦ visit the final states
◦ contain at least one hardware transition
◦ contain at least one software transition
◦ using the backward reachability analysis algorithm for pushdown systems (Schwoon, 2002)
Check if one of the loops is reachable from the initial state
◦ Reachability checking (FASE’2010, CAV’2010)
Static Partial Order Reduction
Partial order reduction
◦ Exploits the commutativity of concurrent transitions
◦ Usually applied during model checking
Static: applied at compile time
◦ NO modification to the model checker
◦ Can be combined with other techniques, e.g., co-simulation (Kuznetsov, 2010)
◦ May be less effective in reduction
State Graph (figure; legend: LPDS self-loops, BA self-loops, BA and LPDS both transition)
An Intuition of the Reduction (figure; same legend: LPDS self-loops, BA self-loops, BA and LPDS both transition)
What to reduce?
SensitiveSet
◦ when HW/SW interface events happen, e.g., a HW interrupt, SW writes to a HW register
VisibleSet
◦ when the propositional variables of the LTL formula are affected
LoopSet
◦ when this is the last HW (or SW) transition in a loop (fairness constraint)
Software:
  void main()
  begin
    decl v0, v1, v2;
    v0, v1, v2 := 1,1,1;
    sw_reset: reset();
    // wait for the reset to complete
    v1,v0 := status();
    while(!v1|v0) do v1,v0 := status(); od
    // wait for the counter to increase
    v2,v1,v0 := rd_reg();
    while(!v2) do v2,v1,v0 := rd_reg(); od
    // if the return value is valid
    if(v1|v0) then error: skip; fi
    exit: return;
  end

Hardware:
  // represent HW registers
  decl c0,c1,c2,r,s;
  __atomic void reset() begin reset_cmd: r := 1; end
  __atomic bool<2> status() begin return s,r; end
  __atomic bool<3> rd_reg() begin return c2,c1,c0; end
  // HW instrumentation function
  void HWInstr() begin while(*) do HWModel(); od end
  // Asynchronous HW model
  __atomic void HWModel()
  begin
    if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1;
    elseif(s) then inc_reg(); fi
  end
  __atomic void inc_reg()
  begin
    if(!c0) then c0 := 1;
    elseif(!c1) then c1,c0 := 1,0;
    elseif(!c2) then c2,c1,c0 := 1,0,0; fi
  end
With reduction
LTL formula: G (sw_reset -> (F reset_act))
Legend of the marked transitions: SensitiveSet, VisibleSet, LoopSet
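The model checking problem from the slides, worked on the example program above, as an added example that is not code from the slides or from the authors' tool: because main() has no recursion the stack is trivial, so the BPDS can be explored as a finite product with a hand-written Büchi monitor for the negated formula, and a reachable SCC that contains an accepting monitor state together with at least one HW edge and one SW edge is exactly a fair counterexample loop. Assumptions (mine, not the slides'): HW registers start at 0, main() stutters after error/exit, a plain SCC search stands in for the pushdown backward reachability algorithm, and all function names (sw_steps, hw_step, monitor, property_holds) are hypothetical.

```python
def sw_steps(st):                                  # main() as SW transitions: (next_state, labels)
    pc, v0, v1, v2, c0, c1, c2, r, s = st          # pc numbers the statements of main()
    if pc == 0:                                    # sw_reset: reset() sets r := 1
        yield (1, v0, v1, v2, c0, c1, c2, 1, s), {"sw_reset"}
    elif pc == 1 or (pc == 2 and (not v1 or v0)):  # v1,v0 := status()   (loop while(!v1|v0))
        yield (2, r, s, v2, c0, c1, c2, r, s), set()
    elif pc == 2 or (pc == 4 and not v2):          # v2,v1,v0 := rd_reg() (loop while(!v2))
        yield (4, c0, c1, c2, c0, c1, c2, r, s), set()
    elif pc == 4:                                  # if(v1|v0) then error: (pc 6) else exit: (pc 7)
        yield (6 if v1 or v0 else 7, v0, v1, v2, c0, c1, c2, r, s), set()
    else:                                          # error/exit: assumed to stutter forever
        yield st, set()

def hw_step(st):                                   # one atomic HWModel() transition
    sw, (c0, c1, c2, r, s) = st[:4], st[4:]
    if r:                                          # reset_act: clear the counter, raise s
        return sw + (0, 0, 0, 0, 1), {"reset_act"}
    if s and not (c0 and c1 and c2):               # inc_reg(): saturating 3-bit counter
        c0, c1, c2 = (1, c1, c2) if not c0 else (0, 1, c2) if not c1 else (0, 0, 1)
    return sw + (c0, c1, c2, r, s), set()

def monitor(q, labels):                            # Büchi monitor for the negated property
    if q == 0:                                     # F(sw_reset & G !reset_act); state 1 accepts
        yield 0
    if (q == 0 and "sw_reset" in labels) or (q == 1 and "reset_act" not in labels):
        yield 1

def property_holds(fair=True):                     # True iff no (fair) accepting loop is reachable
    init = ((0, 1, 1, 1, 0, 0, 0, 0, 0), 0)        # assumption: HW registers start at 0
    edges, todo, seen = {}, [init], {init}
    while todo:                                    # reachable product of BPDS and monitor
        node = todo.pop(); st, q = node
        moves = [(n, l, "SW") for n, l in sw_steps(st)] + [hw_step(st) + ("HW",)]
        edges[node] = [((n, q2), k) for n, l, k in moves for q2 in monitor(q, l)]
        for w, _ in edges[node]:
            if w not in seen: seen.add(w); todo.append(w)
    idx, low, stack, bad = {}, {}, [], []
    def tarjan(v):                                 # Tarjan SCC; inspect each SCC when closed
        idx[v] = low[v] = len(idx); stack.append(v)
        for w, _ in edges[v]:
            if w not in idx: tarjan(w); low[v] = min(low[v], low[w])
            elif w in stack: low[v] = min(low[v], idx[w])
        if low[v] == idx[v]:
            i = stack.index(v); comp = set(stack[i:]); del stack[i:]
            kinds = {k for u in comp for w, k in edges[u] if w in comp}
            if kinds and (not fair or kinds == {"HW", "SW"}) and any(q for _, q in comp):
                bad.append(comp)                   # accepting loop with the required fairness
    tarjan(init)
    return not bad
```

With the fairness requirement the property holds (every loop after sw_reset that contains a HW transition performs reset_act); without it, the software's status() spin loop alone is an accepting loop and the check fails.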
Evaluation
Designed a BPDS template
◦ To generate BPDS models with different complexities
Verified eleven LTL formulae
Observations
◦ 80% average reduction in time usage
◦ 35% average reduction in memory usage
◦ One spaceout without reduction
The reduction is effective, since HW and SW transitions are mostly asynchronous
Conclusion
We have presented
◦ A model checking algorithm for BPDS
◦ A static partial order reduction algorithm for BPDS
Take away with you …
◦ The model checking algorithm can be implemented on top of existing liveness verification engines for pushdown systems
◦ The reduction algorithm has broader applications, e.g., co-simulation
Future work
◦ Realize the liveness checking on BPDS specified in the C language
◦ Co-simulation that utilizes our reduction algorithm
References
Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products. Available at: http://www.softwaretechnews.com (2004)
Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP (2001)
Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005)
Sinha, A.: Windows driver quality signature. Available at: http://www.microsoft.com (2005)
Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002)
Li, J., Xie, F., Ball, T., Levin, V., McGarvey, C.: An Automata-Theoretic Approach to Hardware/Software Co-verification. In: Proc. of FASE (2010)
Li, J., Xie, F., Ball, T., Levin, V.: Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In: Proc. of CAV (2010)
Kuznetsov, V., Chipounov, V., Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIX ATC (2010)