
Symbolic Model Checking of Software

Nishant Sinha, with Edmund Clarke, Flavio Lerda, Michael Theobald

Carnegie Mellon University

Symbolic Model Checking of Software

• Goal:
  – Use a BDD-based Symbolic Model Checker for the verification of concurrent software
• Motivation:
  – Very successful for large state spaces in hardware
• Challenges:
  – Generating the models (language -> SMV)
  – Adding Partial-Order Reduction
  – Optimized BDD operations (e.g., generation and storage)
• This Talk:
  – Focus on Partial-Order Reduction

Outline

• Background
  – Modeling language
  – Partial-order reduction
  – Twophase algorithm
• New Approach: ImProviso
  – Basic formulation
  – Extensions
  – Experimental results
• Related Work
• Future Work
• Conclusions

Background: Software Verification

• Concurrent software
  – Asynchronous execution, unlike hardware
  – Huge state space, e.g. large variable ranges
• Partial-order reduction (POR)
  – Attacks the state-space explosion problem
  – Very effective in explicit-state model checking
  – Symbolic model checking has yet to benefit from it

Background: Modeling Language

• Process-oriented modeling language
  – Each process maintains local variables
  – Each process has a program counter
• System
  – Concurrent processes
  – Global variables
  – Point-to-point channels
• Each process is specified as statements
  – Statements are formalized as transition functions
  – Multiple statements per pc value allowed, i.e. non-determinism
• Example: Promela

Background: Partial-Order Reduction

[Figure: the two independent transitions x = 1 and y = 2 form a diamond over the joint states (s0,s0'), (s1,s0'), (s0,s1') and (s1,s1'); either interleaving ends in (s1,s1')]

Choose a representative set of paths

Background: Partial-Order Reduction

• Two kinds of state expansion
  – Full Expansion: generate next states for all enabled transitions
  – Partial Expansion: expand only a subset of the enabled transitions, postponing all others
• Challenges:
  – How to choose such a subset? (-> deterministic)
  – How to avoid transitions being postponed indefinitely? (-> proviso)

Background: Deterministic States

• Which subset of enabled transitions to choose?
• Deterministic state for a process P:
  – Only one transition t of P is enabled at that state
  – t can be taken without affecting the property to be verified
• Partial Expansions of deterministic states
  – Do not need to consider all interleavings

A state s is deterministic for a process P iff:
  – only one transition t of P is enabled in s
  – t commutes with transitions that can be executed by other processes
  – executing t does not disable transitions of other processes
  – executing a transition of another process cannot disable or enable any transition of P

Background: Partial-Order Reduction

• Avoiding transitions being postponed indefinitely: Proviso
• SPIN: In-Stack Proviso
  – Partial Expansion should not generate a state in the stack
  – Otherwise, must do Full Expansion

[Figure: states S1–S4 on the search stack with transitions t0–t5, illustrating the in-stack proviso]

Combining POR with Symbolic Model Checking

• POR was developed for explicit-state model checking
  – DFS
  – Stack: used for the proviso check
• Whereas symbolic verification
  – Involves a BFS-like algorithm
  – No stack exists
  – Only the frontier is at hand

Twophase Partial-Order Algorithm

• Nalumasu, Gopalakrishnan [1997]
  – Modified proviso check
  – Alternating phases
• Phase 1: for each process in sequence, expand it while it is in a deterministic state
• Phase 2: Full expansion of the current state
• Proviso check:

[Figure: (a) states S1–S4 reached by Phase 1 steps of P1, P1, P1 followed by P2; (b) states S5–S8 reached by P1, P1, P2, P2]

Suits the symbolic case

New Approach: ImProviso

• Implicit Proviso check
  – Employs BDDs
• Motivation
  – Based on Twophase (explicit-state)
  – Observation: can be formulated in an implicit way
  – Crucial point: more efficient proviso than previous techniques
• New Contributions:
  – Defining the transition relation
  – Implicit formulation
  – Dropping the determinism
  – Additional fixpoint computation
• Automated and incorporated into NuSMV

ImProviso: Defining the Transition Relation

• Two transition relations:
  – TR1: all transitions from deterministic states (Phase 1)
  – TR2: entire system (Phase 2)
• TR1 is further partitioned:
  – one transition relation for each process Pi
• Example:
  – Statement reads from a channel into a local variable
  – States in which the channel is not empty are deterministic
  – TR1 := channel is not empty => TR-stmt

ImProviso: Dropping the Determinism

• Twophase:
  – Only one transition may be enabled in Phase 1
  – Simplifies the Twophase implementation
  – Not necessary for correctness
• ImProviso allows non-determinism in Phase 1
  – Multiple enabled transitions in each process
  – Each enabled transition must fulfill the other conditions of a deterministic state
• BFS search, i.e. all enabled transitions are expanded at the same time

ImProviso: Illustration

[Figure: state graph of the model below; transitions labelled 1 (rec: d=0, send: a!1, rec: a?x) are taken in Phase 1, transitions labelled 2 (p1: c=0, p2: c=1 and their interleavings) in Phase 2]

bool c=-1;
chan a = [1] of {int};

active proctype rec() {
    int x=0;
    bool d;
    d=0;
    a?x;
}

active proctype send() {
    a!1;
}

active proctype p1() {
    c=0;
    ...
}

active proctype p2() {
    c=1;
    ...
}

ImProviso: Illustration

[Figure: Phase 1 fixed point on the same model; rec: d=0, send: a!1 and rec: a?x (labelled 1) are taken in Phase 1, while p1: c=0 and p2: c=1 (labelled 2) are left to Phase 2]
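The Twophase scheme above, run on this slide's Promela model, as an added Python example that is not part of the talk or of NuSMV: an explicit-state stand-in for the BDD-based algorithm, where Phase 1 advances each process to a fixed point along transitions classified as deterministic and Phase 2 fully expands the result, with a successor already seen inside Phase 1 forced into Phase 2 in place of the in-stack proviso. Assumptions of the example: the determinism test is simplified to "local statements and non-blocking point-to-point channel operations are deterministic, writes to the shared global c are not", p1/p2's elided `...` statements are dropped, and the state layout and the functions `steps`, `phase1` and `reachable` are this example's own.

```python
from collections import namedtuple
# Slide's Promela model as an explicit state; a is the one-slot channel (assumption: p1/p2's '...' dropped).
S = namedtuple("S", "rec send p1 p2 x d c a")
INIT = S(0, 0, 0, 0, 0, 0, -1, ())
PROCS = ("rec", "send", "p1", "p2")

def steps(s, p):
    """Enabled statements of process p in state s, as (kind, successor) pairs."""
    pc = getattr(s, p)
    if p == "rec" and pc == 0:
        return [("local", s._replace(rec=1, d=0))]             # d=0: touches rec's locals only
    if p == "rec" and pc == 1 and s.a:                          # a?x: blocks while a is empty
        return [("chan", s._replace(rec=2, x=s.a[0], a=s.a[1:]))]
    if p == "send" and pc == 0 and len(s.a) < 1:                # a!1: blocks while a is full
        return [("chan", s._replace(send=1, a=s.a + (1,)))]
    if p == "p1" and pc == 0:
        return [("global", s._replace(p1=1, c=0))]              # c=0 conflicts with p2's write
    if p == "p2" and pc == 0:
        return [("global", s._replace(p2=1, c=1))]              # c=1 conflicts with p1's write
    return []

def phase1(frontier):
    """Phase 1 (TR1): advance states along deterministic transitions, process by process, to a
    fixed point. A successor already seen in this phase (a cycle) is forced into Phase 2: the proviso."""
    cur, seen, forced, changed = set(frontier), set(frontier), set(), True
    while changed:
        changed = False
        for p in PROCS:
            nxt = set()
            for s in cur:
                # Simplified determinism test (assumption): only writes to the shared global c conflict.
                det = {t for kind, t in steps(s, p) if kind != "global"}
                if det and s not in forced:
                    forced |= det & seen
                    seen |= det
                    nxt |= det
                    changed = True
                else:
                    nxt.add(s)
            cur = nxt
    return cur, seen

def reachable(reduced):
    """Frontier BFS (the symbolic algorithm's shape): full expansion, or Phase 1 then Phase 2 (TR2)."""
    reached, frontier = set(), {INIT}
    while frontier:
        terminal, seen = phase1(frontier) if reduced else (frontier, frontier)
        reached |= seen
        frontier = {t for s in terminal for p in PROCS for _, t in steps(s, p)} - reached
    return reached
```

`reachable(False)` visits all 25 interleaving states of the model; `reachable(True)` visits 8, the single Phase 1 path rec: d=0, send: a!1, rec: a?x followed by the p1/p2 interleavings expanded in Phase 2.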

ImProviso: Implicit Formulation

• Implicit formulation of the algorithm
  – conceptually simple but… not so easy to get right
• Reason: paths may have different lengths
  – BFS instead of DFS
• ImProviso: ‘tighter’ over-approximation than previous symbolic methods
  – Problem: visited vs. in-stack
  – Cycles within Phase 1 only -> local check
  – Cycles larger than Phase 1 -> no issue!

Related Work

• Two other approaches combine PO and Symbolic Model Checking:
  – Kurshan et al.: Preprocess the model
  – Alur et al.: BDD-based

[Figure: Alur's approach keeps a stack of images (labelled P1, P1, P2, P1); ImProviso works on the current image]

Implementation

• Automated Model Checking framework
  – ImProviso implemented in NuSMV
• Current examples translated from Promela
• Considerable effort to compare with explicit-state model checkers
  – e.g., the atomic construct in Spin

[Figure: Promela specifications -> Promela2SMV translator (adds Phase 1 and Phase 2 information) -> NuSMV + ImProviso]

Comparison: NuSMV vs. NuSMV-ImProviso

| Example | NuSMV #states | NuSMV time | NuSMV memory | NuSMV-ImProviso #states | NuSMV-ImProviso time | NuSMV-ImProviso memory |
|---|---|---|---|---|---|---|
| Migratory Protocol (2) | 4864210 | 3217.69s | 63.6 MB | 155040 | 108.63s | 56.3 MB |
| Stable Marriage (2) | 1270 | 0.87s | 6.2 MB | 710 | 0.84s | 7.3 MB |
| Stable Marriage (3) | 3107 | 4.26s | 10.3 MB | 1275 | 2.72s | 10.4 MB |
| Stable Marriage (5) | 71495 | 112.25s | 24.7 MB | 10351 | 31.56s | 30.0 MB |
| Best (7) | 2187 | 0.08s | 0.7 MB | 15 | 0.06s | 0.7 MB |
| Best (20) | 3486780000 | 0.56s | 5.7 MB | 41 | 0.34s | 5.7 MB |
| Worst (3) | 27 | 0.04s | 0.3 MB | 15 | 0.04s | 0.3 MB |
| Worst (20) | 3486780000 | 0.46s | 5.0 MB | 2097150 | 0.36s | 5.0 MB |
| Worst (100) | N/A¹ | | | 2.54E+30 | 14.34s | 14.6 MB |

• #states: significant reduction
• Time: significant reduction
• Memory: no reduction

Comparison: NuSMV-ImProviso, PV, and SPIN

| Example | NuSMV-ImProviso #states | time | memory | PV #states | time | memory | SPIN #states | time | memory |
|---|---|---|---|---|---|---|---|---|---|
| Migratory Protocol (2) | 155040 | 108.63s | 56.3 MB | 86246 | 1.00s | 4.3 MB | 435456 | 2.34s | 42.8 MB |
| Stable Marriage (2) | 710 | 0.84s | 7.3 MB | 595 | <0.01s | 2.2 MB | 568 | <0.01s | 1.5 MB |
| Stable Marriage (3) | 1275 | 2.72s | 10.4 MB | 1135 | <0.01s | 2.2 MB | 945 | <0.01s | 1.5 MB |
| Stable Marriage (5) | 10351 | 31.56s | 30.0 MB | 9063 | 0.14s | 2.6 MB | 8421 | 0.03s | 2.1 MB |
| Best (7) | 15 | 0.06s | 0.7 MB | 15 | <0.01s | 2.2 MB | 2187 | 0.03s | 1.5 MB |
| Best (20) | 41 | 0.34s | 5.7 MB | 41 | <0.01s | 2.2 MB | N/A¹ | | |
| Worst (3) | 15 | 0.04s | 0.3 MB | 27 | <0.01s | 2.1 MB | 15 | <0.01s | 1.5 MB |
| Worst (20) | 2097150 | 0.36s | 5.0 MB | 2097150* | 15.03s* | 110.6 MB* | N/A¹* | | |
| Worst (100) | 2.54E+30 | 14.34s | 14.6 MB | N/A¹ | | | N/A¹ | | |

* The transcript does not preserve which of PV and SPIN produced the Worst (20) result 2097150 / 15.03s / 110.6 MB; the other tool is N/A¹.

• SPIN and PV are faster, if they can handle the example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches PV, SPIN on Best, Worst

Comparison: Leader Election Protocol

Non-PO:

| # | NuSMV #states | time | memory | PV #states | time | memory | SPIN #states | time | memory |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 70 | 0.11s | 1.1 MB | 70 | <0.01s | 2.1 MB | 70 | <0.01s | 1.5 MB |
| 3 | 488 | 0.57s | 4.6 MB | 488 | 0.03s | 2.2 MB | 488 | <0.01s | 1.5 MB |
| 4 | 3576 | 6.77s | 10.6 MB | 3576 | 0.38s | 2.5 MB | 3576 | 0.10s | 2.3 MB |
| 8 | N/A¹ | | | N/A¹ | | | N/A¹ | | |

PO:

| # | NuSMV-ImProviso #states | time | memory | PV #states | time | memory | SPIN #states | time | memory |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 48 | 0.10s | 1.0 MB | 48 | 0.04s | 2.1 MB | 48 | 0.02s | 1.5 MB |
| 3 | 209 | 0.31s | 3.0 MB | 209 | <0.01s | 2.2 MB | 209 | <0.01s | 1.5 MB |
| 4 | 922 | 1.77s | 10.4 MB | 922 | 0.04s | 2.2 MB | 922 | <0.01s | 1.7 MB |
| 8 | 306903 | 3553.86s | 381.8 MB | 306903 | 28.62s | 60.4 MB | 306903 | 11.82s | 232.8 MB |

• Models of the same size in SMV and Promela
• Same reduction
• SPIN, PV faster until…

Leader with Non-deterministic Initial State

Non-PO:

| # | NuSMV #states | time | memory | PV #states | time | memory | SPIN #states | time | memory |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 187 | 0.17s | 3.0 MB | 187 | <0.01s | 2.1 MB | 187 | <0.01s | 1.5 MB |
| 3 | 5602 | 5.61s | 12.5 MB | 5602 | 0.32s | 2.6 MB | 5602 | 0.07s | 2.4 MB |
| 4 | 473173 | 650.25s | 62.9 MB | 473173 | 46.62s | 49.1 MB | 473173 | 13.58s | 119.7 MB |
| 5 | N/A¹ | | | N/A¹ | | | N/A¹ | | |

PO:

| # | NuSMV-ImProviso #states | time | memory | PV #states | time | memory | SPIN #states | time | memory |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 119 | 0.17s | 3.3 MB | 139 | <0.01s | 2.1 MB | 119 | <0.01s | 1.5 MB |
| 3 | 2566 | 2.14s | 11.7 MB | 3298 | 0.12s | 2.4 MB | 2566 | 0.07s | 1.9 MB |
| 4 | 135173 | 133.69s | 37.6 MB | 167173 | 6.99s | 18.9 MB | 135173 | 1.81s | 34.3 MB |
| 5 | 7699370 | 11635.00s | 829.2 MB | N/A¹ | | | N/A¹ | | |

Future Work

• Reduce memory and run time
  – BDD blowup problem
  – BDD algorithms optimized for concurrent software
• Verification of both safety and liveness properties
  – Only safety now
• Flexible input languages
  – Only Promela now

Conclusions

• Novel Partial Order Reduction algorithm for Symbolic Model Checking
  – Incorporated into NuSMV
• Illustrated the effectiveness with several benchmark examples
• Current focus is on tackling the large run-time and memory problems

• Symbolic Model Checking of Software, Software Model Checking Workshop, CAV’03