Build Your Own Model Checker in One Month
SUN, Jun, Assistant Professor @ SUTD, Visiting Scientist @ MIT
Jing Song Dong and Yang Liu, NUS
How to Deliver Correct Computer-based Systems?
The synthesis problem
System requirements: functionality, performance, security, etc. -> synthesizer -> System implementation
The verification problem
System requirements: functionality, performance, security, etc.
System implementation
Is it exception free?
Model checking: check whether a model satisfies a property by exhaustive searching.
Model Checking
Model + Property -> Model Checker -> Counterexample!
Two Problems
How to obtain a finite-state model?
How to deal with state space explosion?
One Simple Example
Number of States: 16! = 20922789888000
Model Checking Works!
Applying existing model checkers
◦ Good news: plenty of model checkers out there.
◦ Bad news: using them might not be easy.
Extending existing model checkers
Developing one from scratch
◦ Language parser, operational semantics encoding, model checking algorithms, state reduction techniques, visualization, …
How to Apply Model Checking
Process Analysis Toolkit, http://www.patroot.com
Over 1 million lines of C# code. The PAT team now has 10 PhD candidates, 2 research assistants, 5 postdocs, and 2 faculty members.
More than 1000 registered users from more than 200 organizations
Adopted for teaching formal methods and model checking (NUS, Monash, Auckland, York U. @ Canada)
Supporting 10 different languages
Some Facts about PAT
How to Deliver Correct Computer-based Systems?
More Than a Model Checker
Build a Model Checker
Define Syntax
Define Semantics
Property Language
Develop MC Algorithms
Optimization
Visualize Trace
Build a Model Checker with PAT
Define Syntax
Define Semantics
Real-time system modeling and verification is dominated by Timed Automata
High-level requirements are often stated in terms of deadline, timeout, etc.
Many real-time systems are hierarchical.
Case Study 1: RTS@PAT
How about we develop a model checker to verify Hierarchical Real-Time Systems supporting Timeout, Deadline, etc.?
Data/Data Operations
◦ Invoke external C#/Java programs?
Control Flow
◦ Hoare's CSP?
Real-time
◦ Delay, Timeout, Timed Interrupt, Deadline, etc.
Property
◦ Reachability Analysis?
◦ Linear Temporal Logic?
◦ Refinement checking?
What Language Features?
An RTS program is a tuple (Var, Proc, Assertions)
◦ Var is a finite set of finite-domain variables;
◦ Proc is a process which models control flow;
◦ Assertions is a set of assertions.
Define Syntax
Constants
  #define N 5;
Variables of type Bool, Integer, Arrays of integers
  var x: {0..10} = 5;
  var x[N];
User-defined data types
  var<Stack> stack;
Variables
Processes
Process Expression      Remarks
Stop                    Do nothing
Skip                    Termination, like Return
e{x:=1} -> P            Event prefixing
P | Q                   Choice
P; Q                    Sequential Composition
P || Q                  Parallel Composition
Wait[d]                 Delay for d time units
P timeout[d] Q          Timeout
P deadline[d]           P must terminate within d time units
P within[d]             P must act within d time units
P interrupt[d]          Timed interrupt
Assertions
Assertion                    Remarks
#assert P deadlockfree;      P is deadlock-free.
#assert P reaches goal;      P reaches a state where goal is true.
#assert P |= []<> goal;      P always eventually satisfies goal.
#assert P refines Q;         P trace-refines Q.
#assert P refines<F> Q;      P refines Q in stable failures semantics.
#assert P refines<FD> Q;     P refines Q in failures/divergences semantics.
#define N 4;
#define Idle -1;
var x = Idle;
var counter;

P(i) = ifb(x == Idle) {
         ((update.i{x = i} -> Wait[4]) within[3]);
         if (x == i) {
           cs.i{counter++} -> exit.i{counter--; x = Idle} -> P(i)
         } else {
           P(i)
         }
       };
FischersProtocol = ||| i:{0..N-1} @ P(i);

#assert FischersProtocol reaches (counter > 1);
#assert FischersProtocol |= [] (x == 1) -> <> cs.1;
A Modeling Example
First version finished in 6 weeks!

Efficiency with Zone Abstraction
Model        #Visited States   Time (s)
Fischer * 5  37K               0.4
Fischer * 6  293K              4.7
Fischer * 7  2,639K            56.2

Efficiency with Digitalization
Model        #Visited States   Time (s)
Fischer * 5  54K               0.2
Fischer * 6  362K              1.2
Fischer * 7  2,437K            8.1
How PAT Helps?
Step 1: Build a parser, using Antlr.
Step 2: Define/encode the operational semantics.
Step 3 [optional]: Develop/implement specialized model checking algorithms.
Starting Building a Model Checker
PAT Class Diagram
The Specification class contains everything in any given model.
◦ A list of variables, with types, domains, initial values, etc.
◦ A list of processes, with parameters, etc.
◦ A list of assertions, with the initial process, etc.
◦ A method to obtain the initial system configuration.
Essential Classes
A configuration is a global state which encapsulates every varying aspect of a model.
◦ A configuration of an RTS module is a pair (V, P), where V is a valuation function which gives the values of the variables and P is the current process expression.
◦ The configuration class has one essential method to be implemented:
  public Configuration[] MakeOneMove(Configuration source) { … }
Essential Classes: Configuration
Given one configuration (V, P), what are the next configurations reachable via one transition?
◦ If P is Stop, return an empty list.
◦ If P is Skip, return configuration (V, Stop); the event that has been performed is the special termination event √.
◦ If P is e{x:=1} -> Q, return configuration (V', Q) such that V' is equivalent to V except that x is set to 1 in V'.
◦ …
RTS: MakeOneMove
    (V, P) -e-> (V', P')
  ---------------------------
  (V, P | Q) -e-> (V', P')

    (V, Q) -e-> (V', Q')
  ---------------------------
  (V, P | Q) -e-> (V', Q')
This translates exactly into MakeOneMove().
Operational Semantics: Choice
System Exploration
Get Initial Configuration from Specification Class
MakeOneMove
MakeOneMove
MakeOneMove
What if the number of configurations is infinite?
◦ Wait[1] -0.1-> Wait[0.9] -0.01-> Wait[0.89] -0.001-> Wait[0.889] -0.0001-> …
Abstraction
◦ Infinitely many configurations are partitioned into finitely many groups, referred to as abstract configurations.
◦ Correctness: There is a counterexample if and only if there is a counterexample in the abstract state space.
Infinite Configurations
Theorem: It is correct to always make time transitions of duration 1 (with respect to untimed properties).
Example:
◦ Wait[3] -1-> Wait[2] -1-> Wait[1] -1-> Wait[0]
◦ (Wait[3]) timeout[2] (P) -1-> (Wait[2]) timeout[1] (P) -1-> (Wait[1]) timeout[0] (P) -τ-> P
Digitalization for RTS
public override List<Configuration> GetEventTransitions(Configuration current) {
    // Event transitions of the first process P; once the timeout has
    // expired (value == 0) they become urgent and the tau move to the
    // second process Q is enabled in addition.
    List<Configuration> toReturn = FirstProcess.GetEventTransitions(current);
    foreach (Configuration config in toReturn) {
        if (value == 0) { config.IsUrgent = true; }
    }
    if (value == 0) {
        toReturn.Add(new Configuration(SecondProcess, TAU, eStep.GlobalEnv, false, true));
    }
    return toReturn;
}

public override Configuration GetTimeTransitions(Configuration current) {
    // No time may pass once the timeout has expired; otherwise let one
    // unit pass in P and decrement the remaining timeout value.
    if (value == 0) { return null; }
    Configuration toReturn = FirstProcess.GetTimeTransitions(current);
    if (toReturn == null) { return null; }
    toReturn.Process = new TimeOutProcess(toReturn.Process, SecondProcess, value - 1);
    return toReturn;
}
Timeout Implementation
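To show how the pieces described on the preceding slides fit together (configurations (V, P) and MakeOneMove, the inference rules for choice, digitalised time transitions of duration 1, and the timeout behaviour of the C# above), here is an added example in Python. It is not PAT's code; the tuple encoding of processes, the variable names, the sample "Sender" model and the `TERMINATED` marker (the slides write the target of Skip as Stop) are all assumptions of this example. It covers only Stop, Skip, prefixing, choice, sequential composition, Wait and timeout, and checks the `reaches` and `deadlockfree` assertions by exhaustive breadth-first exploration.

```python
"""Tiny explicit-state checker for a fragment of the slides' RTS language
(Stop, Skip, e -> P, P | Q, P; Q, Wait[d], P timeout[d] Q) under the
digitalised semantics: every time transition has duration 1."""
from collections import deque

# Processes are nested tuples (an assumed representation): ('stop',), ('skip',),
# ('prefix', event, update_or_None, P), ('choice', P, Q), ('seq', P, Q),
# ('wait', d), ('timeout', P, d, Q), ('name', N). A valuation V is a sorted
# tuple of (variable, value) pairs, so a configuration (V, P) is hashable.
STOP, TERMINATED = ('stop',), ('terminated',)
TAU, TICK, TERM = 'tau', 'tick', 'termination'
DEFS = {}  # named (possibly recursive) process definitions

def set_var(v, name, value):
    return tuple(sorted(dict(v, **{name: value}).items()))

def get_var(v, name):
    return dict(v)[name]

def event_moves(v, p):
    """MakeOneMove for events: every (event, V', P') one transition away."""
    kind = p[0]
    if kind in ('stop', 'terminated'):
        return []
    if kind == 'skip':  # slides use Stop as target; a distinct marker lets
        return [(TERM, v, TERMINATED)]  # the deadlock check tell termination apart
    if kind == 'prefix':
        _, e, update, q = p
        return [(e, update(v) if update else v, q)]
    if kind == 'choice':  # the two inference rules for P | Q
        return event_moves(v, p[1]) + event_moves(v, p[2])
    if kind == 'seq':  # termination of P becomes a tau step into Q
        return [(TAU, v2, p[2]) if e == TERM else (e, v2, ('seq', p2, p[2]))
                for e, v2, p2 in event_moves(v, p[1])]
    if kind == 'wait':  # Wait[0] behaves like Skip
        return [(TERM, v, TERMINATED)] if p[1] == 0 else []
    if kind == 'timeout':  # an event of P resolves the timeout; at d == 0 the
        _, p1, d, q = p  # tau move to Q is enabled, as in GetEventTransitions
        return event_moves(v, p1) + ([(TAU, v, q)] if d == 0 else [])
    return event_moves(v, DEFS[p[1]])  # 'name': unfold the definition

def time_move(v, p):
    """MakeOneMove for one time unit: P after a tick, or None if time cannot pass."""
    kind = p[0]
    if kind in ('stop', 'skip', 'prefix', 'terminated'):
        return p  # idling while waiting for the environment
    if kind == 'wait':
        return ('wait', p[1] - 1) if p[1] > 0 else p
    if kind == 'choice':
        a, b = time_move(v, p[1]), time_move(v, p[2])
        return None if a is None or b is None else ('choice', a, b)
    if kind == 'seq':  # the internal tau into Q is urgent
        a = None if any(e == TERM for e, _, _ in event_moves(v, p[1])) else time_move(v, p[1])
        return None if a is None else ('seq', a, p[2])
    if kind == 'timeout':  # mirrors GetTimeTransitions: no time once expired
        _, p1, d, q = p
        a = None if d == 0 else time_move(v, p1)
        return None if a is None else ('timeout', a, d - 1, q)
    a = time_move(v, DEFS[p[1]])  # 'name': keep the name when merely idling
    return p if a == DEFS[p[1]] else a

def explore(v0, p0, limit=10000):
    """System exploration by BFS; returns {state: [(label, successor), ...]}."""
    graph, queue = {}, deque([(v0, p0)])
    while queue:
        v, p = s = queue.popleft()
        if s in graph:
            continue
        pt = time_move(v, p)
        graph[s] = [(e, (v2, p2)) for e, v2, p2 in event_moves(v, p)] + \
                   ([(TICK, (v, pt))] if pt is not None else [])
        queue.extend(t for _, t in graph[s] if t not in graph)
        if len(graph) > limit:  # state-space explosion, made visible
            raise RuntimeError('more than %d configurations' % limit)
    return graph

def reaches(graph, goal):  # #assert P reaches goal (goal is a predicate on V)
    return any(goal(v) for v, _ in graph)

def deadlock_free(graph):  # #assert P deadlockfree
    def stuck(v, p):  # no event possible and letting time pass changes nothing
        if p == TERMINATED or event_moves(v, p):
            return False
        pt = time_move(v, p)
        return pt is None or pt == p
    return not any(stuck(v, p) for v, p in graph)

# Constructed sample model: a sender waits at most 2 time units for an ack,
# otherwise records the loss; the counter is capped to keep the model finite.
def inc_capped(name, cap):
    return lambda v: set_var(v, name, min(get_var(v, name) + 1, cap))

DEFS['Sender'] = ('prefix', 'send', None,
                  ('timeout', ('prefix', 'ack', None, ('name', 'Sender')), 2,
                   ('prefix', 'lost', inc_capped('lost', 3), ('name', 'Sender'))))

def check_sender():
    g = explore((('lost', 0),), ('name', 'Sender'))
    return {'states': len(g),
            'reaches_lost_2': reaches(g, lambda v: get_var(v, 'lost') >= 2),
            'deadlock_free': deadlock_free(g)}

def digitalised_timeout_trace():
    p = ('timeout', ('wait', 3), 2, ('prefix', 'p', None, STOP))  # (Wait[3]) timeout[2] P
    p1 = time_move((), p)
    p2 = time_move((), p1)
    return p1, p2, [q for e, _, q in event_moves((), p2) if e == TAU]
```

`digitalised_timeout_trace()` reproduces the slide's trace: two unit time transitions turn `(Wait[3]) timeout[2] P` into `(Wait[1]) timeout[0] P`, after which only the τ move to P is offered and no further time may pass. `check_sender()` explores the sample model (20 configurations), confirms that two losses are reachable and that the model is deadlock-free; the `limit` in `explore` is the point where a real checker would bring in the zone abstraction, BDD encoding or partial-order reduction mentioned later in the talk.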
Real-world systems may have data structures, real-time, probability, hierarchical control flow, etc.
We propose PRTS = RTS + probabilistic choice
  FlipCoin = Wait[1]; pcase { [0.5]: head -> FlipCoin
                              [0.5]: tail -> FlipCoin };
The semantic model is Markov Decision Processes (MDP).
RTS + Probability
LTL to BA or DRA translation
Zone abstraction library
BDD encoding library
…
PAT’s Model Checking Library
Semantics   Property                       Method
LTS         Deadlock-free or Reachability  Explicit state DFS and BFS, BDD-based
LTS         State/Event-LTL                Explicit state automata-based, BDD-based
MDP         Deadlock-free or Reachability  Explicit state
MDP         State/Event-LTL                Explicit state
LTS         Refinement checking            Explicit state
MDP         Refinement checking            Explicit state
Fairness matters in verifying liveness!
Case Study 2: Fairness
Fairness is Well-Studied
A variety of fairness supported in PAT with simply one method!
Fairness in PAT
Fairness: Efficiency
Developing a model checker in PAT is really easy.
◦ Implement a language parser (two weeks)
◦ Encode operational semantics (two weeks)
◦ Fight against state-space explosion (indefinitely long)
A unified framework helps to maintain and compare the great variety of existing model checking algorithms.
Conclusion
Ongoing PAT-based Projects
NesC Model Checker
Orc Model Checker
Event Grammar Model Checker
Partial Order Reduction
Symmetry Detection/Reduction
BDD Library
MTBDD Library
PAT is available at http://www.patroot.com
PAT source code is available upon email request.
Conclusion
Multiple Postdoc Positions Available in NUS or SUTD