CEA LIST, 3rd of July 2009
Symbolic execution based model checking of open systems with unbounded variables
Nicolas [email protected]
CEA LIST, Laboratory of Model Driven Engineering for embedded systems
F-91191 Gif-sur-Yvette, FRANCE.
Tests and Proofs 2009
CEA-LIST 3rd of July 2009 DTSI
Context and motivation
Critical embedded systems => formal methods
[Figure: specification, model (M) and system (black box) linked by design, refinement and implementation; each link carries a "Conforms to ?" question (TAP'07, TestCom'06, and this talk's M |=symb exec ?).]
Several problems, one technique, Symbolic Execution (SE), one platform (AGATHA):
• shift from space complexity to time complexity (for verification).
• concise representation: for simulation, test purpose definition …
Outline
Models: IOSTS formalism
Specifications: IOLTL logic
IOLTL tableau calculus
Symbolic Execution technique
Tableau calculus and SE (|=symb path)
Termination
Experiment, Conclusion, Future work
IOSTS Formalism
Relative speed regulator (virtual trains for trucks)
[Figure: IOSTS of the regulator with control states I, p, q, r. Transition labels as read from the figure:]
T [rel_speed ? v] {}
T [] {b := 1, v := 0}
(b == 0) [] {}
v > 1 [motor ! -1] {}
v < -1 [motor ! 1] {}
-1 ≤ v ≤ 1 [] {}
T [] {b := 0}
A run: (I, v=0, b=1), (p, v=0, b=0), (q, v=-5, b=0) after rel_speed ? -5, (r, v=-5, b=0), (p, v=-5, b=0) after motor ! 1
Data part: first order decidable theory Th (e.g. Presburger arithmetic); state variables: {v, b}
Graph part: states, transitions. Label: Guard [I | O | empty] {Substitution}, with I: channel ? variable and O: channel ! term
IOLTL
BNF grammar: φ ::= atom | T | ¬φ1 | φ1 ∧ φ2 | X φ1 | φ1 U φ2 | φ1 R φ2
Atomic propositions:
- properties over states: (v > 0)
- properties over I/O: (c ! u, u > v+1)
Satisfaction: M |=iosts φ iff for all r ∈ Run(M), r |=run φ
[Figure: implicit Kripke structure. A run I --e1--> p --e2--> … is read as the sequence of Kripke states (I, e1), (p, e2), …; a Kripke state satisfies X φ if the next one satisfies φ.]
IOLTL tableau calculus
r |=run φ means r(0) |=run φ
r(i) |=run φ can be reduced to: r[i] |=state Now(φ) or r(i+1) |=run neXt(φ), where Now(φ) ⊆ Atoms
r[i] |=state Now(φ) means Th |= /\ r[i] /\ Now(φ)
Goal: transform the satisfaction relation |=run into an operational procedure. Idea: reduce it to a satisfaction relation on states, |=state, which can itself be reduced to Th |= f (the data theory Th is assumed to be decidable).
Two kinds of inference rules:
[Figure: a transformation rule rewrites the pair (Now, neXt) into (Now', neXt') at the same position r(i); a transition rule moves from the neXt set at r(i) to the next position, r[i] being the state at which the Now set is checked.]
Tableau calculus: example
F p (abbreviates T U p); F p ≡ p ∨ X (F p); r(i) |= F p iff r[i] |= p or r(i+1) |= F p
[Figure: tableau for the pair (Now, neXt) = ({F p}, {}). Rule F1 gives ({p}, {}): prove p now. Rule F2 gives ({}, {F p}): prove F p in the next state. NSR (Next State Rule) then builds the next state, where the pair becomes ({F p}, {}) again.]
Prove p now … or prove F p in the next state. Build the next state.
If p is not an atom: after F1, rules dedicated to p's main operator are applied, and so on until the Now set contains only atoms.
Symbolic execution
Principle: symbols are used instead of values.
[Figure: symbolic execution tree of the regulator, as symbolic states (control state, path condition, substitution):
(I, T, {v := v0, b := b0})
(p, T, {v := v0, b := 0})
(q, T, {v := v1, b := 0}) after rel_speed ? v1
(r, T, {v := v1, b := 0}) and (r, T, {v := 0, b := 1})
(p, v1 < -1, {v := v1, b := 0}) after motor ! 1
(p, v1 > 1, {v := v1, b := 0}) after motor ! -1
(p, -1 ≤ v1 ≤ 1, {v := v1, b := 0})]
Red symbolic path: contains the run of slide 4.
Correct, complete. Intentional representation of all runs (concise and exact).
M |=iosts φ iff for all sp ∈ SP(M) we have sp |=symb path φ
IOLTL tableau calculus and symbolic execution
[Figure: Atom rule. Context: symbolic state (p, vi > 1, v := vi) with the formula set {F (v < 5)}. Rule F1 yields the Now set {(v < 5)}; the Atom rule then moves the atom into the path condition: (p, (vi > 1) ∧ (v = vi) ∧ (v < 5), v := vi), i.e. (p, 1 < vi < 5, v := vi).]
Atom Rule transfers atoms into the path condition.
IOLTL tableau calculus and symbolic execution
[Figure: rule F2 then NSR. From the context (p, vi > 1, v := vi) with {F (v < 5)}, rule F2 moves F (v < 5) into the neXt set; NSR then fires the transition rel_speed ? vi+1 and builds the next context (q, vi > 1, v := vi+1) with {F (v < 5)} to prove.]
Rules build sequences of transitions linking contexts: we call them unfoldings
(an unfolding is consistent if the path condition of its symbolic state component)
Satisfaction problem with Until formulas
[Figure: Kripke structure with two states, labelled v > 0 and v > 1.]
Consider F(v<0) and the Kripke structure above. Rule F2 applies forever (i.e. builds an infinite consistent unfolding) although (v<0) is never satisfied! Consistency of an infinite unfolding is not a sufficient criterion for the satisfaction relation.
The technique requires a third set of formulas which stores the Until formulas (remember that F is an Until) never proved: it is initialized with all Until (Finally) sub-formulas.
[Figure: NSR modified to take USet into account: from a context (USet, {}, neXt) it builds the next context, whose USet is computed from the previous USet and the neXt set and whose Now set is the previous neXt set.]
With the above example: USet always contains F(v<0)!
Emptiness of the USet provides a sufficient criterion.
Lemma
With the USet emptiness criterion (USet never infinitely non-empty), |=run and |=symb path are equivalent (i.e. we can use |=symb path instead of |=run in the definition of |=iosts).
Termination criterion 1: lasso detection
[Figure: an unfolding split into a prefix and a loop, with omega sets O1 and O2 at two of its contexts, the red execution a.b, and a context with an empty USet.]
Lemma: O1 O2 => there is a lasso (see the red execution a.b).
Moreover, if there exists, in the loop part of the unfolding, a context with an empty USet, then a.b* satisfies φ.
(O1, O2 are omega sets (see paper) with respect to the symbols present in the prefix.)
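As an added illustration (not code from the talk or from the AGATHA platform), here are the tableau rules of the F p example, the USet criterion of the Until slide and the lasso detection above, written for a finite Kripke structure: the data-theory check r[i] |=state Now is replaced by atom-label membership, and the USet handling (intersection with the neXt set in NSR, restart when empty) is an assumption about the modified NSR rather than the rule as printed. The Kripke structure is constructed after the Until slide (states v > 0 and v > 1 alternating).

```python
# Added example, not code from the talk or AGATHA. Explicit-state IOLTL tableau
# (Now / neXt / USet) with lasso detection over a finite Kripke structure; the
# USet update in NSR is an assumption. Formulas are nested tuples:
# ('T',) | ('atom', a) | ('X', f) | ('and', f, g) | ('U', f, g)
def F(f):
    return ('U', ('T',), f)          # F f abbreviates T U f

def expand(fs):
    """Transformation rules: split a formula list into branches
    (Now atoms, neXt formulas, Until formulas discharged now)."""
    if not fs:
        return [(frozenset(), frozenset(), frozenset())]
    f, rest = fs[0], fs[1:]
    if f[0] == 'T':
        return expand(rest)
    if f[0] == 'and':
        return expand([f[1], f[2]] + rest)
    if f[0] == 'atom':
        return [(now | {f}, nxt, pr) for now, nxt, pr in expand(rest)]
    if f[0] == 'X':
        return [(now, nxt | {f[1]}, pr) for now, nxt, pr in expand(rest)]
    # f U g: prove g now (rule F1) or prove f now and f U g next (rule F2)
    return ([(now, nxt, pr | {f}) for now, nxt, pr in expand([f[2]] + rest)]
            + [(now, nxt | {f}, pr) for now, nxt, pr in expand([f[1]] + rest)])

def untils(fs):
    return frozenset(f for f in fs if f[0] == 'U')

def satisfiable(kripke, init, phi):
    """True iff some run of kripke from init satisfies phi.
    kripke: state -> (set of atoms true there, list of successor states).
    A context is (state, pending formulas, USet); a lasso is accepted only if
    some context of its loop has an empty USet (the USet criterion)."""
    def search(ctx, stack):
        state, pending, uset = ctx
        if ctx in stack:                               # lasso detected
            return any(not u for _, _, u in stack[stack.index(ctx):])
        live = uset or untils(pending)                 # empty USet: restart it
        for now, nxt, proved in expand(list(pending)):
            if not all(a[1] in kripke[state][0] for a in now):
                continue                               # Now atoms must hold here
            nu = (live - proved) & untils(nxt)         # modified NSR (assumed)
            if any(search((s, nxt, nu), stack + [ctx]) for s in kripke[state][1]):
                return True
        return False
    return search((init, frozenset([phi]), untils([phi])), [])

# Constructed Kripke structure: v > 0 and v > 1 alternate forever, so F(v < 0)
# unfolds consistently forever but its USet never empties.
REGULATOR = {'s0': ({'v>0'}, ['s1']), 's1': ({'v>1'}, ['s0'])}
```

`satisfiable(REGULATOR, 's0', F(('atom', 'v<0')))` is rejected because every lasso keeps F(v<0) in USet, while `F(('atom', 'v>1'))` is accepted once the Until is discharged in s1 and the loop closes on contexts with an empty USet.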
Termination criterion 2: "dead end" detection
[Figure: two contexts S1 and S2 of an unfolding, with their omega sets O1 and O2 and their USet.]
O2 O1 => unfoldings "after" S2 cannot prove more than those "after" S1 => cut on S2.
(O1, O2: omega sets of S1 and S2 with respect to )
Theorems
Theorem 1: If there exists an unfolding satisfying the lasso criterion and the USet criterion, then there exists a run r |= φ.
Theorem 2: If all unfoldings satisfy the inclusion criterion but not the USet criterion, then there exists no run satisfying φ.
(The two criteria are applied in a defined sequence.)
First experiment
Diagnosability. A model is not diagnosable with respect to a fault if we can find two different runs having the same observable traces, one affected by the fault and the other not. The speed regulator IOSTS model of slide 4 contains a fault whose occurrence is characterized by the value of b.
Diagnosability can be reduced to a model-checking problem:
M M |=iosts F G (b1 = T b2 = ) ?
Answer about the speed captor failure:
Not diagnosable when relative speed is maintained at 0.
Conclusion
|=symb path can be used instead of |=run
Allows analysis of models with unbounded variables or huge domains
SE and tableau calculus combination provides an operational technique for |=symb
semi-decision verification algorithm (between test and proof)
Future work
Improve the verification algorithm with strategies (priorities over rules: F1 > F2 to check F G φ)
Monte Carlo methods for large systems (adaptation of the MC2 PLTL checker approach)
What about FIFO channels?
Use tableau calculus and SE to generate test purposes (TestCom'06) from IOLTL properties (test purpose refinement).
Thank You !