Transcript of Software Verification, spring 2008: Assuring software quality by model checking
Slide 1
Assuring Software Quality by Model Checking
Natasha Sharygina
University of Lugano and Carnegie Mellon University
Acknowledgment: Prof. Ed Clarke, Carnegie Mellon University
Slide 2
USS Yorktown
F/A-22
Embedded bugs?
Embedded software
Slide 3
French Guiana, June 4, 1996: a $600 million software failure (Ariane 5)
Slide 4
Mars, December 3, 1999: crashed due to an uninitialized variable (Mars Polar Lander)
Slide 5
Cost of Software Errors
June 2002
“Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually, or about 0.6 percent of the gross domestic product…
At the national level, over half of the costs are borne by software users and the remainder by software developers/vendors.”
NIST Planning Report 02-3, The Economic Impacts of Inadequate Infrastructure for Software Testing
Slide 6
Cost of Software Errors
“The study also found that, although all errors cannot be removed, more than a third of these costs, or an estimated $22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier and more effective identification and removal of software defects.”
Slide 7
Model Checking
• Developed independently by Clarke and Emerson and by Queille and Sifakis in the early 1980s.
• Properties are written in propositional temporal logic.
• Systems are modeled by finite state machines.
• Verification procedure is an exhaustive search of the state space of the design.
• Model checking complements testing/simulation.
Slide 8
Advantages of Model Checking
• No proofs!!!
• Fast (compared to other rigorous methods)
• Diagnostic counterexamples
• No problem with partial specifications / properties
• Logics can easily express many concurrency properties
Slide 9
Model of computation
A state-transition graph describes the system evolving over time.
Microwave Oven Example
Each state is labelled with the atomic propositions that hold in it (Start, Close, Heat, Error; ~ marks a proposition that is false). The seven states of the oven model:
~Start ~Close ~Heat ~Error
Start ~Close ~Heat Error
~Start Close ~Heat ~Error
~Start Close Heat ~Error
Start Close Heat ~Error
Start Close ~Heat ~Error
Start Close ~Heat Error
The transitions between these states are drawn in the slide's figure.
Slide 10
Temporal Logic
The oven doesn’t heat up until the door is closed.
Not heat_up holds until door_closed
(~ heat_up) U door_closed
Slide 11
Basic Temporal Operators
• Fp - p holds sometime in the future.
• Gp - p holds globally in the future.
• Xp - p holds next time.
• pUq - p holds until q holds.
The symbol “p” is an atomic proposition, e.g. “heat_up” or “door_closed”.
Slide 12
Model Checking Problem
Let M be a model, i.e., a state-transition graph.
Let f be the property in temporal logic.
Find all states s such that M has property f at state s.
Efficient Algorithms: CE81, CES83
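As an added example (not code from the slides), the following Python program implements the state-labelling algorithm behind slides 9 to 12 on the microwave oven: the states carry the labels shown on slide 9, each temporal operator is computed as a fixpoint over the state-transition graph, so the model checking problem "find all states s at which f holds" is answered with a set of states, and a property that fails is reported with a diagnostic counterexample. Two things are assumptions rather than content of the slides: the transition relation `EDGES` (the figure's edges are not in the text; the one used here matches the usual textbook oven model) and the concrete properties checked, which are constructed for illustration. The "until" property of slide 10 is checked in its universal form A[~Heat U Close].

```python
"""Explicit-state CTL model checking of the microwave oven (added example, not
from the slides). State labels are those of slide 9; the transition relation
EDGES is an ASSUMPTION chosen to match the textbook oven model, since the
figure's edges are not in the text."""
from collections import deque

LABELS = {                           # atomic propositions true in each state
    1: set(),                        # ~Start ~Close ~Heat ~Error
    2: {"Start", "Error"},           #  Start ~Close ~Heat  Error
    3: {"Close"},                    # ~Start  Close ~Heat ~Error
    4: {"Close", "Heat"},            # ~Start  Close  Heat ~Error
    5: {"Start", "Close", "Error"},  #  Start  Close ~Heat  Error
    6: {"Start", "Close"},           #  Start  Close ~Heat ~Error
    7: {"Start", "Close", "Heat"},   #  Start  Close  Heat ~Error
}
# ASSUMED transitions; total (every state has a successor) as CTL semantics requires.
EDGES = {1: {2, 3}, 2: {5}, 3: {1, 6}, 4: {1, 3, 4}, 5: {2, 3}, 6: {7}, 7: {4}}
ALL = frozenset(LABELS)

# Every sat_* function returns the set of states at which the formula holds
# (the model checking problem of slide 12), computed bottom-up over subformulas.
def sat_ap(p):  return {s for s, labels in LABELS.items() if p in labels}
def sat_not(S): return set(ALL) - S
def sat_ex(S):  return {s for s in ALL if EDGES[s] & S}   # EX: some successor in S
def sat_ax(S):  return {s for s in ALL if EDGES[s] <= S}  # AX: all successors in S

def lfp(step, start):
    """Least fixpoint of a monotone set transformer, iterated up from `start`."""
    Z = set(start)
    while (nxt := step(Z)) != Z:
        Z = nxt
    return Z

def sat_eu(P, Q): return lfp(lambda Z: Z | (P & sat_ex(Z)), Q)   # E[P U Q]
def sat_au(P, Q): return lfp(lambda Z: Z | (P & sat_ax(Z)), Q)   # A[P U Q]
def sat_ef(Q):    return sat_eu(set(ALL), Q)                      # EF Q
def sat_af(Q):    return sat_au(set(ALL), Q)                      # AF Q
def sat_ag(P):    return sat_not(sat_ef(sat_not(P)))              # AG P

def sat_eg(P):
    """EG P: greatest fixpoint of Z = P ∩ EX Z, iterated down from P."""
    Z = set(P)
    while (nxt := P & sat_ex(Z)) != Z:
        Z = nxt
    return Z

def witness_ef(start, Q):
    """Shortest path (BFS) from `start` to a state in Q, or None."""
    parent, queue = {start: None}, deque([start])
    while queue:
        s = queue.popleft()
        if s in Q:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in sorted(EDGES[s]):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

def witness_eg(start, P):
    """A lasso on which P holds forever: a path whose last state repeats an earlier one."""
    core = sat_eg(P)              # every state in core has a successor inside core
    assert start in core
    path, seen, s = [], set(), start
    while s not in seen:
        seen.add(s)
        path.append(s)
        s = min(EDGES[s] & core)  # deterministic choice among valid successors
    return path + [s]

# Slide 10: "the oven doesn't heat up until the door is closed", as A[~Heat U Close].
def check_no_heat_until_closed():
    return sat_au(sat_not(sat_ap("Heat")), sat_ap("Close"))

# A constructed property that FAILS: AG(Start -> AF Heat), "once started, it eventually heats".
def counterexample_start_implies_heat(init=1):
    """Diagnostic counterexample: a prefix from `init` to a state where Start holds,
    followed by a lasso on which Heat never holds. None if the property holds."""
    no_heat = sat_not(sat_ap("Heat"))
    bad = sat_ap("Start") & sat_eg(no_heat)   # states violating Start -> AF Heat
    prefix = witness_ef(init, bad)
    if prefix is None:
        return None
    return prefix, witness_eg(prefix[-1], no_heat)

if __name__ == "__main__":
    print("A[~Heat U Close] holds in:", sorted(check_no_heat_until_closed()))
    print("AG(Start -> AF Heat) holds in:",
          sorted(sat_ag(sat_not(sat_ap("Start")) | sat_af(sat_ap("Heat")))))
    print("counterexample (prefix, lasso):", counterexample_start_implies_heat())
```

The failing property is reported the way a model checker reports it: a finite prefix (1 → 2) followed by a loop (2 → 5 → 2) on which Heat never holds. Under the assumed transitions that loop is pressing Start with the door open and then closing and reopening the door forever, which is the kind of concurrency-free liveness defect that testing rarely reaches because every individual step looks legitimate.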
Slide 13
The EMC System 1982/83
Inputs: a state transition graph (10^4 to 10^5 states) and properties.
Flow: preprocessor → model checker (EMC).
Output: true, or counterexamples.
Slide 14
Model Checker Architecture
Inputs: system description and formal specification.
The model checker returns validation or a counterexample.
State Explosion Problem!!
Slide 15
The State Explosion Problem
System description → state transition graph
Combinatorial explosion of system states renders explicit model construction infeasible.
Exponential growth of …
… the global state space in the number of concurrent components.
… the memory states in the memory size.
Feasibility of model checking is inherently tied to handling state explosion.
Slide 16
Combating State Explosion
• Binary Decision Diagrams can be used to represent state transition systems more efficiently (Symbolic Model Checking, 1992).
• Semantic techniques for alleviating state explosion:
– Partial Order Reduction.
– Abstraction.
– Compositional reasoning.
– Symmetry.
– Cone of influence reduction.
– Semantic minimization.
Slide 17
Model Checking since 1981
1981 Clarke / Emerson: CTL Model Checking; Queille / Sifakis
1982 EMC: Explicit Model Checker (Clarke, Emerson, Sistla)
1990 Symbolic Model Checking (Burch, Clarke, Dill, McMillan)
1992 SMV: Symbolic Model Verifier (McMillan)
1998 Bounded Model Checking using SAT (Biere, Clarke, Zhu)
2000 Counterexample-guided Abstraction Refinement (Clarke, Grumberg, Jha, Lu, Veith)
State-space sizes marked on the slide's timeline: 10^5, 10^100, 10^1000 states.
1990s: Formal Hardware Verification in Industry: Intel, IBM, Motorola, etc.
Slide 18
The Cube Puzzle
Slide 19
Glacier Gorge
Slide 20
Further Up
Slide 21
Skies Above Us
Galaxies in the (observable) universe: 2.5 × 10^11
Stars in the Milky Way: 4 × 10^11
Stars in the universe: 10^23
A small sequential circuit may have more than 10^100 states
Slide 22
Model Checking since 1981 (continued)
2002 SAT-based Software Model Checking (Kroening, Sharygina, Yorav, Clarke)
Tools: CBMC, MAGIC, SATABS
Slide 23
Grand Challenge: Model Check Software!
What makes Software Model Checking different?
Slide 24
What Makes Software Model Checking Different ?
• Large/unbounded base types: int, float, string
• User-defined types/classes
• Pointers/aliasing + unbounded numbers of heap-allocated cells
• Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading
• Concurrency + unbounded numbers of threads
Slide 25
What Makes Software Model Checking Different ?
• Templates/generics/include files
• Interrupts/exceptions/callbacks
• Use of secondary storage: files, databases
• Absent source code for: libraries, system calls, mobile code
• Esoteric features: continuations, self-modifying code
• Size (e.g., MS Word = 1.4 MLOC)
Slide 26
Grand Challenge: Model Check Software!
Early attempts in the 1980s failed to scale.
2000s: renewed interest / demand:
Java Pathfinder: NASA Ames
SLAM: Microsoft
Bandera: Kansas State
BLAST: Berkeley
…
SLAM is shipped to Windows device driver developers.
In general, these tools are unable to handle complex data structures and concurrency.
Slide 27
SATABS Tool: Counterexample-Guided Abstraction Refinement
Figure: many concrete memory states are mapped to one abstract memory state.
Abstraction maps classes of similar memory states to single abstract memory states.
+ Model size drastically reduced.
- Invalid counterexamples possible.
Slide 28
Existential Abstraction
Given an abstraction function α : S → Sα, the concrete states of M are grouped and mapped into abstract states of Mα; the abstract model has a transition between two abstract states whenever some concrete state in the first has a transition to some concrete state in the second.
Preservation Theorem? If Mα satisfies a property with only universal path quantifiers (e.g. an ACTL formula), then so does M. The converse fails: a counterexample found on Mα need not correspond to any behaviour of M, which is why invalid (spurious) counterexamples are possible.
Slide 29
Automatic Abstraction
M (original model) → Mα (initial abstraction) → model checking, which yields validation ("Correct!") or a counterexample.
If the counterexample is spurious, refine the abstraction and repeat.
Slide 30
CEGAR: CounterExample-Guided Abstraction Refinement
C program → initial abstraction → abstract model
Model checker (verification): property holds → no error; otherwise a counterexample.
Simulator: replay the counterexample on the C program. Simulation successful → bug found. Spurious counterexample → abstraction refinement → refined abstract model → back to the model checker.
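As an added example (not code from the slides, and not the SATABS tool's own code), the following Python program runs the loop of slides 27 to 30 on a small constructed transition system: build the existential abstraction of slide 28 for a partition of the concrete states, search the abstract model for a path to a bad block, replay that path on the concrete system, and, when the replay gets stuck (a spurious counterexample), split the failing block into its dead-end states and the rest, then repeat. The concrete system `EDGES`, the initial partition `INITIAL_PARTITION` and the safety property AG ¬bad are all constructed here for illustration; the refinement rule is the dead-end/bad split of the CEGAR paper named on the timeline.

```python
"""CEGAR on a constructed concrete transition system (added example, not code
from the slides or from SATABS). States, transitions, the initial partition
and the property are constructed for illustration."""
from collections import deque

# Constructed concrete system: 8 states; the property is AG not(bad).
INIT = {0}
EDGES = {0: {1}, 1: {2}, 2: {0}, 3: {4}, 4: {5}, 5: {3}, 6: {7}, 7: {6}}
BAD = {5}
# Constructed initial partition: blocks of "similar" states (slide 27).
INITIAL_PARTITION = [{0, 3}, {1, 4}, {2, 5}, {6, 7}]

def post(states):
    """Concrete successors of a set of states."""
    return {t for s in states for t in EDGES[s]}

def abstract(partition, bad):
    """Existential abstraction: block P -> block Q iff some s in P steps to some t in Q."""
    blocks = [frozenset(b) for b in partition]
    block_of = {s: b for b in blocks for s in b}
    edges = {b: set() for b in blocks}
    for s, ts in EDGES.items():
        for t in ts:
            edges[block_of[s]].add(block_of[t])
    init = {block_of[s] for s in INIT}
    bad_blocks = {b for b in blocks if b & bad}
    return init, edges, bad_blocks

def abstract_counterexample(init, edges, bad_blocks):
    """Model check AG not(bad) on the abstract model: shortest path (BFS) from an
    initial block to a bad block, or None when the abstract property holds."""
    parent = {b: None for b in init}
    queue = deque(sorted(init, key=min))
    while queue:
        b = queue.popleft()
        if b in bad_blocks:
            path = []
            while b is not None:
                path.append(b)
                b = parent[b]
            return path[::-1]
        for c in sorted(edges[b], key=min):
            if c not in parent:
                parent[c] = b
                queue.append(c)
    return None

def simulate(path, bad):
    """Replay an abstract path on the concrete system (the 'simulator' box).
    ("real", sets): a concrete bad state is reached along the path.
    ("spurious", i, dead_end): the concrete states reached inside path[i] cannot
    continue the abstract path (or are not bad at its last block)."""
    sets = [INIT & path[0]]
    for i in range(1, len(path)):
        nxt = post(sets[-1]) & path[i]
        if not nxt:
            return "spurious", i - 1, sets[-1]
        sets.append(nxt)
    if sets[-1] & bad:
        return "real", sets
    return "spurious", len(path) - 1, sets[-1]

def refine(partition, block, dead_end):
    """Split `block` into its dead-end states and the rest."""
    rest = block - dead_end
    # The abstract edge out of `block` exists only because some non-dead-end
    # state in it has the required concrete successor, so `rest` is non-empty.
    assert rest
    return [b for b in partition if b != block] + [frozenset(dead_end), frozenset(rest)]

def cegar(partition, bad=BAD, max_iter=20):
    """CEGAR loop. Returns ("holds", final_partition, refinements) or
    ("bug", concrete_sets_along_the_counterexample, refinements)."""
    partition = [frozenset(b) for b in partition]
    for refinements in range(max_iter):
        init, edges, bad_blocks = abstract(partition, bad)
        path = abstract_counterexample(init, edges, bad_blocks)
        if path is None:
            return "holds", partition, refinements
        verdict = simulate(path, bad)
        if verdict[0] == "real":
            return "bug", verdict[1], refinements
        _, i, dead_end = verdict
        partition = refine(partition, path[i], dead_end)
    raise RuntimeError("abstraction refinement did not converge")

if __name__ == "__main__":
    print(cegar(INITIAL_PARTITION))           # property holds after 3 refinements
    print(cegar(INITIAL_PARTITION, bad={2}))  # real bug reached along 0 -> 1 -> 2
```

Run stand-alone, the first call needs three refinements: the coarse blocks {2, 5}, {1, 4} and {0, 3} each produce an abstract path that the concrete system cannot follow, and each is split exactly where the replay died. Refinement only touches blocks on the failing path, so the unreachable block {6, 7} is never split, which is the point of the technique: the final abstract model is as fine as the property needs and no finer.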