Build Your Own Model Checker in One Month

Build Your Own Model Checker in One Month

SUN, JunAssistant Professor@SUTD, Visiting Scientist@MIT

Jing Song Dong and Yang Liu, NUS

How to Deliver Correct Computer-based Systems?

The synthesis problem

System requirements: functionality, performance, security, etc.

System implementation

synthesizer

The verification problem

System requirements: functionality, performance, security, etc.

System implementation

Is it exception

free?

Model checking: check whether a model satisfies a property by exhaustive searching.

Model Checking

Model

Model Checker

PropertyCounterexample!

Two Problems

How to obtain a finite-state model?

How to deal with state space explosion?

One Simple Example

Number of States: 16! = 20922789888000

8

Model Checking Works!

Applying existing model checkers ◦ Good news: plenty model checkers out there.◦ Bad news: using them might not be easy.

Extending existing model checkers

Developing one from scratch◦ Language parser, operational semantics encoding,model checking algorithms, state reduction techniques, visualization, …

How to Apply Model Checking

Process Analysis Toolkithttp://www.patroot.com

Over 1 million lines of C# codes The PAT team has now 10 PhD candidates, 2

research assistant, 5 postdoc, and 2 faculties.

More than 1000 registered users from more than 200 organizations

Adopted for teaching formal methods and model checking (NUS, Monash, Auckland, York U.@Canada)

Supporting 10 different languages

Some Facts about PAT

How to Deliver Correct Computer-based Systems?

More Than a Model Checker

Build a Model Checker

Define Syntax Define

Semantics

VisualizeTrace

Optimization

Develop MC Algorithms

PropertyLanguage

Build a Model Checker with PAT

Define Syntax Define

Semantics

Real-time system modeling and verification is dominated by Timed Automata

High-level requirements are often stated in terms of deadline, timeout, etc.

Many real-time systems are hierarchical.

Case Study 1: RTS@PAT

How about we develop a model checker to verify Hierarchical Real-Time Systems supporting Timeout, Deadline, etc.?

Data/Data Operations◦ Invoke external C#/Java programs?

Control Flow◦ Hoare’s CSP?

Real-time◦ Delay, Timeout, Timed Interrupt, Deadline, etc.

Property◦ Reachability Analysis?◦ Linear Temporal Logic?◦ Refinement checking?

What Language Features?

A RTS program is a tuple (Var, Proc, Assertions) ◦ Var is a finite set of finite-domain variables; ◦ Proc is a process which models control flow.◦ Assertions is a set of assertions.

Define Syntax

Constants#define N 5;

Variables of Type Bool, Integer, Arrays of integers

var x: {0..10} = 5;var x[N];

User-defined data typesvar<Stack> stack;

Variables

ProcessesProcess Expression

Remarks

Stop Do nothingSkip Termination, like Returne{x:=1} -> P Event prefixingP | Q ChoiceP; Q Sequential CompositionP || Q Parallel CompositionWait[d] Delay for d time unitsP timeout[d] Q TimeoutP deadline[d] P must terminate with d time

unitsP within[d] P must act within d time unitsP interrupt[d] Timed interrupt

Assertions

Assertion Remarks#assert P deadlockfree; P is deadlock-free.#assert P reaches goal; P reaches a state where goal is

true.#assert P |= []<> goal; P always eventually satisfies goal;#assert P refines Q; P trace-refines Q;#assert P refines<F> Q; P refines Q in stable failures

semantics.#assert P refines<FD> Q; P refines Q in failures/divergences

semantics.

#define N 4; #define Idle -1;var x = Idle; var counter;

P(i) = ifb(x == Idle) { ((update.i{x = i} -> Wait[4]) within[3]); if (x == i) { cs.i{counter++} -> exit.i{counter--; x=Idle} -> P(i) } else { P(i)

} }; FischersProtocol = ||| i:{0..N-1}@P(i);

#assert FischersProtocol reaches (counter > 1);#assert FischersProtocol |= [] (x==1) -> <> cs.1;

A Modeling Example

First version finished in 6 weeks! Efficiency with Zone Abstraction

Efficiency with Digitalization

RTS@PAT

Model #Visited States

Time (s)

Fischer * 5 37K 0.4Fischer * 6 293K 4.7Fischer * 7 2,639K 56.2

Model #Visited States

Time (s)

Fischer * 5 54K 0.2Fischer * 6 362K 1.2Fischer * 7 2,437K 8.1

How PAT Helps?

Step 1: Build a parser – using Antlr. Step 2: Define/encoding operational

semantics. Step 3 [optional]: Develop/implement

specialized model checking algorithms.

Starting Building a Model Checker

PAT Class Diagram

The Specification class which contains everything in any given model.◦ A list of variables, with types, domains, initial

values, etc.◦ A list of processes, with parameters, etc.◦ A list of assertions, with the initial process, etc.◦ A method to obtain the initial system

configuration.

Essential Classes

A configuration is a global state which encapsulates every varying aspects of a model. ◦ A configuration of a RTS module is a pair (V, P)

where V is a valuation function which gives the values of the variables and P is the current process expression.

◦ The configuration class has one essential method to be implemented.

public Configuration[] MakeOneMove(Configuration source) { … }

Essential Classes: Configuration

Given one configuration (V, P), what are the next configurations that can be reachabile via one transition?◦ If P is Stop, return an empty list.◦ If P is Skip, return configuration (V, Stop) – the

event that has been performed is the special termination event √.

◦ If P is e{x:=1} -> Q, return configuration (V’, Q) such that V’ is equivalent to V except that x is set to 1 in V’.

◦ …

RTS: MakeOneMove

(V, P) –e-> (V’, P’)---------------(V, P | Q) –e-> (V’, P’)

(V, Q) –e-> (V’, Q’)---------------(V, P | Q) –e-> (V’, Q’)

This translates exactly into MakeOneMove().

Operational Semantics: Choice

System Exploration

Get Initial Configuration from Specification Class

MakeOneMove

MakeOneMove

MakeOneMove

What if the number of configurations are infinite?◦ Wait[1] -0.1-> Wait[0.9] -0.01->◦ Wait[0.89] -0.001-> Wait[0.889] -0.0001 -> …

Abstraction◦ Infinitely many configurations are partitioned into

finitely many groups, referred as abstract configurations.

◦ Correctness: There is a counterexample if and only if there is a counterexample in the abstract state space.

Infinite Configurations

Theorem: It is correct to always make time transitions of duration 1 (with respect to untimed properties).

Example:◦ Wait[3]

-1-> Wait[2] -1-> Wait[1] -1-> Wait[0]

◦ (Wait[3]) timeout[2] (P) -1-> (Wait[2]) timeout[1] (P)-1-> (Wait[1]) timeout[0] (P)-τ-> P

Digitalization for RTS

public override List<Configuration> GetEventTransitions(Configuration current) {List<Configuration> toReturn = FirstProcess.GetEventTransitions(current);foreach (Configuration config in toReturn) {

if (value == 0) { config.IsUrgent = true; }}if (value == 0) {

toReturn.Add(new Configuration(SecondProcess, TAU, eStep.GlobalEnv, false, true);}

}

public override Configuration GetTimeTransitions(Configuration current) {if (value == 0) {return null;}Configuration toReturn = FirstProcess.GetTimeTransitions(current);if (toReturn == null) {return null;}toReturn.Process = new TimeOutProcess(toReturn.Process, SecondProcess, d - 1);return toReturn;

}

Timeout Implementation

First version finished in 6 weeks! Efficiency with Zone Abstraction

Efficiency with Digitalization

RTS@PAT

Model #Visited States

Time (s)

Fischer * 5 37K 0.4Fischer * 6 293K 4.7Fischer * 7 2,639K 56.2

Model #Visited States

Time (s)

Fischer * 5 54K 0.2Fischer * 6 362K 1.2Fischer * 7 2,437K 8.1

Real-world systems may have data structures, real-time, probability, hierarchical control flow, etc.

We propose PRTS = RTS + probabilistic choiceFlipCoin = Wait[1]; pcase {[0.5]: head -> FlipCoin[0.5]: tail -> FlipCoin}; The semantic model is Markov Decision

Processes (MDP).

RTS + Probability

LTL to BA or DRA translation Zone abstraction library BDD encoding library …

PAT’s Model Checking Library

Semantics Property MethodLTS Deadlock-free or

ReachabilityExplicit state DFS and BFS,BDD-based

LTS State/Event-LTL Explicit State Automata-based, BDD-based

MDP Deadlock-free or Reachability

Explicit state

MDP State/Event-LTL Explicit StateLTS Refinement checking Explicit StateMDP Refinement checking Explicit State

Fairness matters in verifying liveness!

Case Study 2: Fairness

Fairness is Well-Studied

A variety of fairness supported in PAT with simply one method!

Fairness in PAT

Fairness: Efficiency

Developing a model checker in PAT is really easy. ◦ Implement a language parser (two weeks)◦ Encode operational semantics (two weeks)◦ Fight against state-space explosion (indefinitely

long) A unified framework helps to maintain and

compare the great variety of existing model checking algorithms.

Conclusion

Ongoing PAT-based Projects

NesC Model Checker Orc Model CheckerEvent Grammar

Model Checker

Partial Order Reduction

Symmtry Detection/Reduction

BDD LibraryMTBDD Library

PAT is available at http://www.patroot.com PAT source code is available upon email

request.

Conclusion

Multiple Postdoc Postions Available in NUS or SUTD