linear programming for software verification
DESCRIPTION
Linear Programming for Software Verification. Model Checking Group Talk. Linear Programming for Software Verification. Dellacherie et al LPV Technology patent #97 15217 [ France Telecom, the CNRS, and the University of Caen ]. Problem Definition. - PowerPoint PPT PresentationTRANSCRIPT
Linear Programming for Software Verification
Model Checking Group Talk
Linear Programming for Software Verification
Dellacherie et al
LPV Technology patent #97 15217 [ France Telecom, the CNRS, and the University of Caen ]
Problem Definition
• Given a software S and a property P, determine whether a path of S satisfies P.– If yes, show the path– If not, generate a proof of its non-existence.
System Model and Approach
• System ModelSystem Model: A system of automatons synchronized by a set of messages
• ApproachApproach: A system of linear equations is derived from the model whereof the unknowns are related to – the status of the automatons, – the occurrence of transitions in the automatons, and – the production of synchronization messages between
automatons. • These unknowns have in principle a value of 0 or 1, and• Each of these unknowns concerns an operating step
among T successive steps.• The property to be verified is defined using additional
linear constraints.
Synchronized Automata - IA small example of
synchronized automata• Each automata has a single token
that can move from state to state using
the transitions.
• Transitions carry (possibly multiple)
synchronization messages.
• An automaton can go (i.e. move its token) from a state to another if and only
if
there exists a transition between those two states and
all the synchronization messages present on that transition can be
emitted.
Synchronized Automata - II
• A message can be emitted if and
only if all automata that know the
message (i.e. that have at least one
transition carrying this message)
can use simultaneously a
transition carrying this message.
• For example, automaton A can go from state Ae1 to state Ae2 if and only if
both synchronization messages m1 and m2 can be emitted.
•This is possible if, for example, automata B and C are (i.e. have their token) respectively in states Be1 and Ce1 .
•In this situation, the three automata will arrive in state Ae2 , Be2 and Ce2
respectively
Definition: System of Automata
• A system of automata S is composed of N sub-systems Sn (1 · n · N) called automata, and of a set M = { mj
,,1 · k · |M| } containing the messages mj of S.
• Every automaton Sn is described by
– 1. the set En = { ein ; 1 · i · |En| } of its states;
– 2. the set An = { ajn; 1 · j · |An| } of its transitions;
– 3. the set of messages Mn ½ M carried by An.
Definition: Synchronization Rule
• Let us call configuration a mapping C which associates to every automaton Sn a unique state en 2 Sn called the activated state of Sn, and let us call syn a subset s of M. We then define the sync rule as follows:
• The synchronization s has the automata system S changed from configuration C to configuration C’ if and only if 8 Sn 2 S,
• 1. if s Å Mn = ; then C’ (Sn) = C (Sn)– If s does not share a message with Sn, then the
token on Sn does not move.
• 2. if s Å Mn and 9 ajn = ( ej1
n, ej2n 2 An, such
that Mjn = s Å Mn, then ej1
n = C (Sn) and ej2n = C’
(Sn)– If s does share a message with S_n, then the transition labeled with
a subset of s are enabled.
Definition: Synchronized Automata
• A system of synchronized automata is a system of automata endowed with the (previously discussed) synchronization rule.
• Accessibility Properties: The kind of requests we will check on a system of synchronized automata corresponds to the classical set of accessibility (or reachability) properties.
Definition: Path Satisfiability
• An accessibility property P = (C; C’) on S has a path satisfying P if and only if there exists a path in N steps going from the initial conguration C0 to a conguration C’n such that 8 Sn 2 S,
• if En Å C , then C0 (Sn) 2 C
• if En Å C’ , then C’n (Sn) 2 C’
Flow-Synchronized Automata
• Message-flow: A message-flow is a function fm which associates to every message m of S a real quantity fm(m) 2 [0, 1].
• Transition-flow: A transition-flow is a function fa which associates to every transition aj
n of S a real quantity fa(aj
n) 2 [0, 1].
• State-flow: A state-flow is a function fe which associates to every state ei
n of S a real quantity fe(ei
n) 2 [0, 1].
Flow-Synchronization Rules - I
• Amn is the set of transitions of automata Sn
carrying message m: – Am
n = { ajn 2 An / m 2 Mj
n }
• Ei+n is the set of transitions of Sn having ei
n as starting state: – Ei+
n = { ajn 2 An / 9 e, aj
n = (ein, e) }
• Ei−n is the set of transitions of Sn having ei
n as arriving state: – Ei−
n = { ajn 2 An / 9 e; aj
n = (e, ein) }.
Flow-Synchronization Rules - II
• Conservation of tokens in state-flow of automata:
8 Sn, ein 2 Sn
fC(ein) = 1
– i.e. the quantity of token on each automaton is equal to 1
• Relation between Transition Flow and Message Flow for valid synchronization:8 m 2 M, 8 Sn,
Amn ) fs(m) = aj
n 2 Amn fa (aj
n) – i.e. for all automata that know m, the quantity of m
emitted is equal to the flow going through the transitions carrying m.
Flow Synchronization Rules - III
• 1. ajn 2 Ei+
n fa(ajn) · fC(ei
n)
– (i.e. the flow leaving ein is not greater than the
quantity of token which is on ein),
• 2. ajn 2 E(i-)
N fa(ajn) · fC’ (ei
n)
– (i.e. the flow arriving on ein is not greater than the
total amount of token which is on ein),
• 3. fC(ein)− aj
n 2 Ei+n fa(aj
n) = fC’ (ein) − aj
n 2 Ei−n fa(aj
n)
– (i.e. the new quantity of token on ein is the
previous quantity plus the flow arriving on ein and
less the flow leaving ein).
Flow Synchronization Automata
• A system of flow-synchronized automata is a system of automata endowed with the flow-synchronization rule.
• Furthermore, let fC and fC’ be two flow-configurations of S. The change from fC to fC’ by flow-synchronization fs defines a flow-step (fC, fs, fC’) for S.
• A succession of flow-steps (fC0, fs0,
fC’0 ), …, (fCn−1,
fsn−1, fC’n
) such that fC’i = fCi+1
defines a flow-path for S.
Storied Automata• Let S be a system of automata. We consider S
on T + 1 time steps as follow: for each automaton Sn 2 S we associate – To every value t 2 { 0; … ; T} and every state ei
n, a state ei
n(t);– To every value t 2 { 1; … ; T} and every transition aj
n = (ej1
n ; ej2n ), a transition ajn(t) = (ej1
n (t − 1), ej2n (t));
– To to every value t 2 {1; … ; T} and every message mk 2 Maj
n, a message mk(t) 2 Maj
n(t);
– To every value t 2 {1; … ; T} and every state ein, an -
transition in(t) = (ei
n(t − 1), ein(t)).
• The system thus constructed from S is called the storied system of automata ST of S on T time steps.
System of Equations: L(ST,P)
• Flow equations: 8 Sn 2 S; 8 t 2 {1; … ; T}, 8 ein 2 Sn,
we have – ei
n(t − 1) = j1 2 Ei+
n aj1n (t) + i
n(t)
– ein(t) = j2 2 Ei−
n aj2n (t) + i
n(t)
• Synchronization equations: 8 Sn 2 S; forall t 2 {1, … ,T}; 8 m 2 Mn, we have – m(t) = j3 2 Am
n aj3n (t)
• Property equations: 8 Sn 2 S, we have ein 2 Am
n
ein(0)=1
– If C Å En then ein 2 C Å En
ein (0) = 1
– If C’ Å En then ein 2 C’ Å En
ein (T) = 1
Key Result
• The solving of L(ST ;P) gives either a flow-path or a proof of the inexistence of any path of length N on a model of T stories.– If we find a flow path, it may be spurious.– If we find a proof of the inexistence of any
path, we are done.
Examples Analyzed - I
• Telephone System: The systems is made of more than 800 automata and uses more than 2500 different synchronization messages. The state space is more than 10104040 wide.
• The property checked was to know whether phone#2 ring while nobody ever called it ?
Examples Analyzed - II
• An Access Control System: On this last instance the resulting system is made of 230 automata and uses more than 2800 different synchronization messages. The state space is more than 10105252 wide
• The property checked was:– Can card#1, who entered building#1, enter
building#2 without first getting out of building#1 ?
Examples Analyzed - III
• Bus Arbiter: Systems with up to 1200 cells were analyzed. The state space is then at least 1010500500 wide, and the computation took around one hourone hour.
• The property checked was to know whether a client could access the bus at the same time as client#1.
Deeper Insights
• There is a PhD thesis in German which perhaps contain the details:– [Del99b] S. Dellacherie. Vrication logicielle
base sur la programmation linaire. PhD thesis, Universit de Caen, 1999. To appear.
– [Dev99] S. Devulder. Un modle de preuve de logiciels fond sur la programmationlinaire. PhD thesis, Universit de Caen, 1999. To appear.
US Patent October 15, 2002 Dellacherie; Samuel (Caen, FR), Broult; Christophe (Briouze, FR),
Devulder; Samuel (Saint-Contest, FR), Lambert; Jean-Luc (Amfreville, FR) • Farkas Lemma: Let A be a matrix and x
and b be vectors. Then the system
A x = b for some x ¸ 0
has no solution iff the system
ATy ¸ 0 and bTy < 0
has a solution, where x is a vector.
Fang, S.-C. and Puthenpura, S. Linear Optimization and Extensions: Theory and Algorithms. Englewood Cliffs, NJ: Prentice-Hall, p. 60, 1993.
