Introduction to Computer-Aided Verification

Uploaded by harmony, 2024-01-03


Rajeev Alur, University of Pennsylvania. CAV Mentoring Workshop, July 2015.




Presentation Transcript

1. Introduction to Computer-Aided Verification
Rajeev Alur, University of Pennsylvania
CAV Mentoring Workshop, July 2015

2. Systems Software
Can Microsoft Windows version X be bug-free?
- Millions of lines of code
- The types of bugs that cause crashes are well known
- Enormous effort is spent on debugging/testing code
- Certifying third-party code (e.g. device drivers)

    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Do the lock operations, acquire and release, strictly alternate on every program execution?

3. Concurrency Libraries
Exploiting concurrency efficiently and correctly
Concurrent queue (Michael and Scott, 1996):

    dequeue(queue_t *queue, value_t *pvalue) {
        node_t *head;
        node_t *tail;
        node_t *next;
        while (true) {
            head = queue->head;
            tail = queue->tail;
            next = head->next;
            if (head == queue->head) {          /* snapshot still consistent? */
                if (head == tail) {
                    if (next == 0) return false; /* queue empty */
                    cas(&queue->tail, tail, next); /* help a lagging enqueue */
                } else {
                    *pvalue = next->value;
                    if (cas(&queue->head, head, next)) break;
                }
            }
        }
        delete_node(head);
        return true;
    }

Can the code deadlock?
Is the sequential semantics of a queue preserved? (Sequential consistency)

4. Security Checks for Java Applets
How to certify applications for data integrity / confidentiality?
By listening to messages, can one infer whether a particular entry is in the address book?
https://java.sun.com/javame/

EventSharingMidlet from J2ME:

    public Vector<String> phoneBook;
    public String number;
    public int selected;

    public void sendEvent() {
        phoneBook = getPhoneBook();
        selected = chooseReceiver();
        number = phoneBook.elementAt(selected);
        if ((number == null) || number.equals("")) {
            // output error
        } else {
            String message = inputMessage();
            sendMessage(number, message);
        }
    }

5. Certification of Safety-Critical Software
How to verify that a pacemaker meets all the correctness requirements published by the FDA?

6. In Search of the Holy Grail...
Correctness is formalized as a mathematical claim to be proved or falsified rigorously
- Always with respect to the given specification
Challenge: impossibility results for automated verifiers
- The verification problem is undecidable
- Even approximate versions are computationally intractable (model checking is PSPACE-hard)
[Diagram: a Verifier takes the software/model and a correctness specification as input and answers either yes, with a proof, or no, with a bug]

7. This Talk
- History of CAV (not comprehensive...)
- Some guidelines for choosing a research problem

8. 1970s: Proof Calculi for Program Correctness

    BubbleSort (A : array[1..n] of int) {
        B = A : array[1..n] of int;
        for (i=0; i<n; i++) {
            for (j=0; j<n-i; j++) {
                if (B[j] > B[j+1]) swap(B, j, j+1)
            }
        };
        return B;
    }

The same program annotated with loop invariants (Permute(A,B): B is a permutation of A; Sorted(B[n-i,n]): the suffix from position n-i is sorted):

    BubbleSort (A : array[1..n] of int) {
        B = A : array[1..n] of int;
        for (i=0; i<n; i++) {
            // invariant: Permute(A,B), Sorted(B[n-i,n]),
            //            B[k] <= B[k'] for 0<k<=n-i-1 and n-i<=k'<=n
            for (j=0; j<n-i; j++) {
                // invariant: Permute(A,B), Sorted(B[n-i,n]),
                //            B[k] <= B[k'] for 0<k<=n-i-1 and n-i<=k'<=n,
                //            B[k] <= B[j] for 0<k<j
                if (B[j] > B[j+1]) swap(B, j, j+1)
            }
        };
        return B;
    }

Key to the proof: finding suitable loop invariants
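The invariants above, made executable. This is an added example and not code from the slides: the slide's Permute, Sorted and ordering conditions are written as Python predicates over 0-based lists and checked at every loop head, so a candidate invariant that is false on some input fails on that input before anyone tries to prove it. The function names (`slide_outer_inv`, `invariant_survives`, `too_strong_inv`) and the random inputs are this example's own.

```python
"""Bubble sort with the slide's loop invariants turned into executable checks.

Added example, not from the slides. Lists are 0-based here, so the slide's
Sorted(B[n-i,n]) becomes b[n-i:], and "B[k] <= B[j] for k < j" says that b[j]
is the maximum of the prefix b[0..j] (the element currently being bubbled up).
"""
import random


class InvariantViolation(Exception):
    pass


def permute(a, b):
    """Permute(A, B): b is a rearrangement of a."""
    return sorted(a) == sorted(b)


def is_sorted(xs):
    return all(xs[k] <= xs[k + 1] for k in range(len(xs) - 1))


def slide_outer_inv(a, b, i):
    """Outer-loop invariant from the slide: Permute(A,B), Sorted(B[n-i,n]), and
    every element of the unsorted prefix is <= every element of the sorted suffix."""
    n = len(b)
    return (permute(a, b) and is_sorted(b[n - i:])
            and all(x <= y for x in b[:n - i] for y in b[n - i:]))


def slide_inner_inv(a, b, i, j):
    """Inner-loop invariant: the outer one, plus B[k] <= B[j] for all k < j."""
    return slide_outer_inv(a, b, i) and all(b[k] <= b[j] for k in range(j))


def bubble_sort(a, outer_inv=slide_outer_inv, inner_inv=slide_inner_inv):
    """BubbleSort from the slide; the invariants are checked at every loop head."""
    b = list(a)
    n = len(b)
    for i in range(n):
        if not outer_inv(a, b, i):
            raise InvariantViolation(f"outer invariant fails at i={i}, b={b}")
        for j in range(n - i - 1):
            if not inner_inv(a, b, i, j):
                raise InvariantViolation(f"inner invariant fails at i={i}, j={j}, b={b}")
            if b[j] > b[j + 1]:
                b[j], b[j + 1] = b[j + 1], b[j]
    return b


def random_inputs(count=200, seed=1):
    """Constructed test inputs: short lists with repeated values."""
    rng = random.Random(seed)
    return [[rng.randint(-5, 5) for _ in range(rng.randint(0, 8))] for _ in range(count)]


def invariant_survives(outer_inv, inputs):
    """True iff `outer_inv` holds at every outer-loop head on every input."""
    try:
        for a in inputs:
            bubble_sort(a, outer_inv=outer_inv)
    except InvariantViolation:
        return False
    return True


def too_strong_inv(a, b, i):
    """A tempting but wrong candidate: 'the unsorted prefix is already sorted'."""
    return is_sorted(b[:len(b) - i])
```

Running `invariant_survives(too_strong_inv, [[3, 1, 2]])` returns False on the very first outer iteration, while the slide's invariant survives every random input; surviving a test is of course not a proof, which is exactly the gap the deductive tools on the next slide close.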

9. Deductive Program Verification
- Powerful mathematical logic (e.g. first-order logic, higher-order logics) needed for formalization
- Great progress in decision procedures
- Finding the proof decomposition requires expertise, but modern tools support many built-in proof tactics
- Contemporary theorem provers and verifiers: Coq, PVS, ACL2, ESC/Java
In practice ...
- The user partially annotates the program with invariants, and the tool infers the remaining invariants needed to complete the proof
- Success story: CompCert, a fully verified optimizing compiler for a subset of C
- Current research: automatic synthesis of loop invariants

10. 1980s: Finite-state Protocol Analysis
- Automated analysis of finite-state protocols with respect to temporal logic specifications
- Network protocols, distributed algorithms
- Specs: Is there a deadlock? Does every request get an ack? Does a buffer overflow?
- Tools: SPIN, Murphi, CADP, ...

11. Battling State-space Explosion
- Analysis is basically a reachability problem in a HUGE graph
- The size of the graph grows exponentially in the number of bits required for the state encoding
- The graph is constructed only incrementally, on-the-fly
- Many techniques for exploiting structure: symmetry, data independence, hashing, partial order reduction, ...
- Great flexibility in modeling: scale down parameters (buffer size, number of network nodes, ...)
[Diagram: state graph with an initial state, transitions, and a set of bad states]

12. 1990s: Symbolic Model Checking
- Constraint-based analysis of Boolean systems
- Symbolic Boolean representations (propositional formulas, OBDDs) used to encode system dynamics
- Success in finding high-quality bugs in hardware applications (VHDL/Verilog code)
[Diagram: Gigamax cluster architecture (MP and UIC components on cluster buses, clusters joined by a global bus); cache states read-shared / read-owned / write-invalid / write-shared / ...]
Deadlock found in the Gigamax cache coherence protocol by the model checker SMV

13. Symbolic Reachability Problem
- Model variables X = {x1, ..., xn}; each variable is of finite type, say, boolean
- Initialization I(X): a formula over X, e.g. (x1 && ~x2)
- Update T(X, X'): how the new variables X' are related to the old variables X as a result of executing one step of the program; a disjunction of clauses obtained by compiling individual instructions, e.g. (x1 && x1' = x1 && x2' = ~x2 && x3' = x3)
- Target set F(X), e.g. (x2 && x3)
- Computational problem: can F be satisfied starting with I by repeatedly applying T?
- k-step reachability reduces to propositional satisfiability (SAT): Bounded Model Checking

    I(X0) && T(X0,X1) && T(X1,X2) && ... && T(Xk-1,Xk) && F(Xk)
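The reduction on this slide, carried out end to end. This is an added example and not code from the slides or from any real model checker: the slide's I, T and F over x1, x2, x3 are compiled to CNF with one copy of each variable per step, the unrolled formula is handed to a minimal DPLL solver (a teaching-sized stand-in for Chaff/MiniSat-class tools), and the bound k is increased until F becomes reachable. The class and function names (`Cnf`, `dpll`, `unroll`, `bmc`, `shortest_witness`) are this example's own.

```python
"""Bounded model checking of the slide's toy system with a tiny DPLL SAT solver.

Added example, not from the slides. Variables x1, x2, x3 are copied once per
step (x1_0, x1_1, ...); I, T and F become CNF clauses; the unrolled formula
I(X0) && T(X0,X1) && ... && T(X(k-1),Xk) && F(Xk) is solved by DPLL.
"""


class Cnf:
    """Clause database over positive integers; literal -v means 'not v'."""

    def __init__(self):
        self.clauses = []
        self.index = {}

    def var(self, name, step):
        """Propositional variable for model variable `name` at unrolling step `step`."""
        return self.index.setdefault((name, step), len(self.index) + 1)

    def add(self, *lits):
        self.clauses.append(list(lits))

    def equal(self, a, b):      # a <-> b, as two binary clauses
        self.add(-a, b)
        self.add(a, -b)

    def negation(self, a, b):   # a <-> not b
        self.add(a, b)
        self.add(-a, -b)


def dpll(clauses, assignment=None):
    """Return a satisfying assignment {var: bool}, or None if unsatisfiable."""
    assignment = dict(assignment or {})
    while True:
        unit = None
        remaining = []
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                      # clause already satisfied
            open_lits = [l for l in clause if abs(l) not in assignment]
            if not open_lits:
                return None                   # every literal false: conflict
            if len(open_lits) == 1:
                unit = open_lits[0]
            remaining.append(open_lits)
        clauses = remaining
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0      # unit propagation
    if not clauses:
        return assignment
    var = abs(clauses[0][0])                  # branch on the first open variable
    for value in (True, False):
        result = dpll(clauses, {**assignment, var: value})
        if result is not None:
            return result
    return None


def unroll(k):
    """Build I(X0) && T(X0,X1) && ... && T(X(k-1),Xk) && F(Xk) for the slide's example."""
    cnf = Cnf()
    x = cnf.var
    cnf.add(x("x1", 0))                       # I(X): x1 && ~x2 (x3 unconstrained)
    cnf.add(-x("x2", 0))
    for s in range(k):                        # T(X,X'): x1 && x1'=x1 && x2'=~x2 && x3'=x3
        cnf.add(x("x1", s))
        cnf.equal(x("x1", s + 1), x("x1", s))
        cnf.negation(x("x2", s + 1), x("x2", s))
        cnf.equal(x("x3", s + 1), x("x3", s))
    cnf.add(x("x2", k))                       # F(X): x2 && x3
    cnf.add(x("x3", k))
    return cnf


def bmc(k):
    """Witness trace (one {x1,x2,x3} dict per step) reaching F in exactly k steps, or None."""
    cnf = unroll(k)
    model = dpll(cnf.clauses)
    if model is None:
        return None
    return [{n: model.get(cnf.var(n, s), False) for n in ("x1", "x2", "x3")}
            for s in range(k + 1)]


def shortest_witness(max_k=8):
    """Increase the bound until F becomes reachable; returns (k, trace) or None."""
    for k in range(max_k + 1):
        trace = bmc(k)
        if trace is not None:
            return k, trace
    return None
```

`bmc(0)` is unsatisfiable because I forces ~x2 while F demands x2; at k = 1 the solver finds the witness x3 = 1 in the initial state, which unit propagation alone fixes. Note what BMC does not give you: an UNSAT answer at bound k only says F is unreachable within k steps, so a proof needs either a completeness threshold or an unbounded method (induction, interpolation).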

14. The Story of SAT
Propositional satisfiability: given a formula over Boolean variables, is there an assignment of 0/1's to the variables which makes the formula true?
- Canonical NP-complete problem (Cook 1971)
- Enormous progress in tools that can solve instances with thousands of variables and millions of clauses
- Extensions to richer classes of constraints (SMT solvers)
Timeline of solvers (approximate number of variables handled):
- 1952 Quine: 10 var
- 1960 DP: 10 var
- 1962 DLL: 10 var
- 1986 BDDs: 100 var
- 1988 SOCRATES: 3k var
- 1992 GSAT: 300 var
- 1994 Hannibal: 3k var
- 1996 Stålmarck: 1000 var
- 1996 GRASP: 1k var
- 1996 SATO: 1k var
- 2001 Chaff: 10k var
- 2002 Berkmin: 10k var

15. 2000s: Model Checking of C Code
- Phase 1: given a program P, build an abstract finite-state (Boolean) model A such that the set of behaviors of P is a subset of those of A (conservative abstraction)
- Phase 2: model check A with respect to the specification; this can prove P correct, reveal a bug in P, or show that A is too coarse
- Shown to be effective on Windows device drivers in the Microsoft Research project SLAM (follow-up: SDV)

    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Do the lock operations, acquire and release, strictly alternate on every program execution?

16. Software Model Checking
Tools for verifying source code combine many techniques:
- Program analysis techniques such as slicing, range analysis
- Abstraction
- Model checking
- Refinement from counterexamples (CEGAR)
New challenges for model checking (beyond finite-state reachability analysis):
- Recursion gives pushdown control
- Pointers, dynamic creation of objects, inheritance, ...
Active research area
- Abstraction-based tools: SLAM, BLAST, ...
- Direct state encoding: F-SOFT, CBMC, CheckFence, ...

17. SMT Success Story
SMT-LIB standardized interchange format (smt-lib.org)
- Problem classification + benchmark repositories: LIA, UFLIA, LRA, QF_LIA, ...
- Annual competition (smt-competition.org)
[Diagram: solvers Z3, Yices, CVC4, MathSAT5 used by client tools CBMC, SAGE, VCC, Spec#]

18. Since the 1990s: Cyber-Physical Systems
- Discrete software interacting with a continuously evolving physical system
- Need to model the physical world using differential equations / timing delays
- Models: timed automata, hybrid automata
- Symbolic reachability analysis over sets of real-valued variables
- Finite-state abstractions
- Beyond correctness: stability, timely response
- Fruitful collaboration between control theory and formal methods

19. Formal Methods for Cyber-Physical Systems
Tools for verifying timed/hybrid system models: UPPAAL, S-TaLiRo, KeYmaera, dReal, SpaceEx, ...
Applications:
- Medical devices (infusion pump, pacemaker)
- Autonomous driving (collision avoidance protocols)
Industrial technology transfer:
- Model-based design tools (e.g. hybrid automata as a Simulink domain)
- Simulink Design Verifier (model-based testing, static analysis)
- Industry research groups (Toyota, Ford, ...)

20. How to choose a research problem?
Common themes in CAV success stories:
- Phase 1: initial demonstration of a compelling match between the capability of a research prototype and a real-world need
- Phase 2: sustained research on improving scalability
But the path to the promised land is unclear ...

21. Incremental vs. Transformative
Symbolic model checking using binary decision diagrams (McMillan et al., 1990)
- Importance was immediately obvious and celebrated
- Critical for industrial adoption of hardware model checking
Chaff: engineering an efficient SAT solver (Malik et al., 2001)
- Low-level optimization exploiting cache performance
- Played a critical role in boosting the performance of SAT solvers
Don't keep searching for "big" ideas by dismissing research problems as incremental

22. Source: Existing Literature vs. Real-world Problems?
Hybrid automata (Alur, Henzinger et al., 1991)
- Started as a theoretical extension of timed automata
- Now with significant research and adoption in the CPS community
SAGE (Godefroid et al., CACM 2012)
- A response to a pressing industrial need for effective testing to discover security vulnerabilities
- Integration of many research ideas into a highly successful tool
Keep looking everywhere!

23. Theoretical Results vs. Prototype Tools
Nested depth-first search (CVWY, CAV 1990)
- Beautiful algorithm for on-the-fly detection of fair cycles
- Key ingredient of all explicit-state LTL model checkers
SLAM (Ball and Rajamani, 2001)
- Integration of predicate abstraction, symbolic model checking, and counterexample-guided abstraction refinement
- Prototype tool and evaluation essential to demonstrate utility
CAV offers many options for research: theoretical, practical, and theory in practice!

24. Advice 1: Be sure of the motivation
If you were to succeed in finding a good solution to the problem you are studying, what would be the consequence?
- Tool: who is a potential user?
- Algorithm: which tool can use it, and why should it?
- Method: which design/analysis task can be done better?
Be convinced of the answer yourself first, and worry about reviewers later

25. Advice 2: Know the related work
- Is your idea new?
- How does it fit into what people know and have tried earlier?
- Vast literature, but there is no way around this question
- Be an expert on work related to your thesis
Caution: this is not an excuse for inaction!

26. Advice 3: Don't live in a silo!
- Computer science is rapidly expanding in exciting directions
- Need to know at a high level what's happening around you
- Organization into conferences/sub-disciplines is artificial
- Other fields can be a source of new ideas, applications, solution techniques
- How can statistical machine learning help CAV?
- Can CAV techniques be applied to problems in systems biology?
Goal: become an expert in Formal Methods AND X