State-Event Software Verification for Branching-Time Specifications
Sagar Chaki, Ed Clarke,
Joel Ouaknine, Orna Grumberg
Natasha Sharygina, Tayssir Touili, Helmut Veith
Software Model-Checking
• Challenge in computer science
• Tools: SLAM, BLAST, MAGIC,…
• Counter-Example Guided Abstraction Refinement (CEGAR)
CEGAR
[Figure: the CEGAR loop. Inputs: program P and Property. Abstraction builds an abstract Model; Verification answers Yes (System OK) or produces a Counterexample; "Counterexample Valid?" answers Yes (real Counterexample) or No (Spurious Counterexample), in which case Abstraction Refinement feeds back into Abstraction.]
Limitation of CEGAR applications
[Figure: the same CEGAR loop with Predicate Abstraction as the abstraction step and an LTL formula as the property. Limitation: no branching-time properties.]
Our Goal: Extension to branching-time properties
[Figure: the CEGAR loop with Predicate Abstraction, now taking a branching-time formula as the property of program P.]
First Problem
• CEGAR cannot be applied to general branching-time logics
What are counterexamples?
S ⊨ φ, with φ universal
• LTL: universal logic
• Describes events along a single path
G(Req → F Ack)
• S ⊨ φ iff all the paths of S ⊨ φ
CEGAR natural for LTL
• ¬(S ⊨ φ) iff there exists a path p of S with ¬(p ⊨ φ)
• p: Counterexample
Branching-time properties are not universal
• Existential operator:
AG(EF Restart)
CEGAR → Define a universal branching-time logic
We need to:
• Define an expressive universal branching-time logic
• Define a model-checking algorithm for this logic
• Define suitable refinement techniques
State/event universal branching-time logic
• Industrial applications need state/event reasoning
• Bluetooth: when an action a is received in a state q, the next state has to be p
• Need for a state/event framework
The state/event universal logic SE-AΩ
• We view time operators as regular path patterns on the time line
  Fφ: (…)* M1
  Xφ: (…) M1
  Gφ: M1, M1, M1, M1, …
  φUψ: M1* M2
The state/event universal logic SE-AΩ
• O(φ1, …, φn): a regular expression over P(M1, …, Mn)
• Example: a pattern O over M1, M2, M3, M4, instantiated as O(φ, a, ψ, b) and matched along a time line of states φ, φ, φ, φ, ψ with actions a, a, b, a
The state/event universal logic SE-AΩ
• K(φ,a): a pattern over M1, M2 expressing that φ and a hold at all even time points
• Lφ: a pattern over M1 expressing that no more than 4 time units pass between two occurrences of φ
The state/event universal logic SE-AΩ
• Syntax of SE-AΩ formulas:
  p, ¬p with p ∈ AP
  φ1 ∧ φ2, φ1 ∨ φ2
  A O(α1, …, αn), where each αi is a formula or a set of actions
The state/event universal logic SE-AΩ
• Labeled Kripke Structure: M=(S,AP,L,Σ,T)
[Figure: an LKS with states s0 labelled {p}, s1 labelled {p,q}, s2 labelled {q,r}, and transitions labelled a, b, c.]
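As an added example (not code from the talk), the LKS M = (S, AP, L, Σ, T) of this slide is encoded in Python and a Bluetooth-style state/event requirement from the earlier slide ("when action a is taken in a q-state, the next state must be a p-state") is checked on every path from s0; the transitions and the concrete rule are constructed here, and a violation is reported as a single path, which is exactly what a counterexample to a universal property is.

```python
from collections import deque

# Labeled Kripke Structure M = (S, AP, L, Sigma, T) as on the slide. The state
# labels follow the figure (s0: p, s1: p,q, s2: q,r); the exact transitions are
# constructed for this example, not taken from the talk.
S = {"s0", "s1", "s2"}
AP = {"p", "q", "r"}
L = {"s0": {"p"}, "s1": {"p", "q"}, "s2": {"q", "r"}}
SIGMA = {"a", "b", "c"}
T = {("s0", "a", "s1"), ("s1", "b", "s2"), ("s2", "c", "s1"), ("s2", "a", "s2")}
LKS = (S, AP, L, SIGMA, T)

def check_state_event_rule(lks, init, pre, action, post):
    """Universal state/event requirement, in the style of the Bluetooth rule:
    'whenever `action` is taken from a state satisfying all of `pre`, the next
    state satisfies all of `post`', checked on every path from `init`.
    Returns None if the rule holds, otherwise a counterexample path
    [s0, a0, s1, a1, ..., sk] whose last transition violates the rule."""
    _, _, labels, _, trans = lks
    parent = {init: None}              # BFS tree: state -> (predecessor, action)
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for src, act, dst in sorted(trans):   # sorted for deterministic output
            if src != s:
                continue
            if act == action and pre <= labels[s] and not post <= labels[dst]:
                # A universal property is refuted by one path (as for LTL)
                return rebuild_path(parent, s) + [act, dst]
            if dst not in parent:
                parent[dst] = (s, act)
                queue.append(dst)
    return None

def rebuild_path(parent, s):
    """Follow BFS parents back to the initial state, interleaving actions."""
    path = [s]
    while parent[s] is not None:
        s, act = parent[s]
        path = [s, act] + path
    return path

if __name__ == "__main__":
    # 'a' taken in a q-state must lead to a p-state: violated at s2 -a-> s2
    print(check_state_event_rule(LKS, "s0", {"q"}, "a", {"p"}))
    # 'a' taken in a p-state must lead to a q-state: holds on all paths
    print(check_state_event_rule(LKS, "s0", {"p"}, "a", {"q"}))
```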
The state/event universal logic SE-AΩ
• Labeled Kripke Structure: M=(S,AP,L,Σ,T)
• Semantics (M, s ⊨ φ):
  M, s ⊨ p iff p ∈ L(s), and M, s ⊨ ¬p iff p ∉ L(s)
  M, s ⊨ φ1 ∧ φ2 and M, s ⊨ φ1 ∨ φ2 as usual
  M, s ⊨ A O(α1, …, αn), where each αi is a formula or a set of actions, iff every path from s matches the pattern O
We need to:
• Define an expressive universal branching-time logic
• Define a model-checking algorithm for this logic
• Define suitable refinement techniques
Model-checking algorithm for SE-AΩ: M, s ⊨ φ
[Figure sequence: the algorithm illustrated on the LKS above (s0: p, s1: p,q, s2: q,r; transitions a, b, c, b), evaluating the sub-formulas φ1, φ2 state by state.]
Model-checking algorithm for SE-AΩ: M, s0 ⊨ A O(α1, …, αn)
[Figure: example A O(α1, α3, α4, c) on the LKS (s0: p, s1: p,q, s2: q,r; transitions a, b, c). Each state is annotated with the set of markers Mi that hold there ({M1, M3}, {M3, M4}, {M2, M3, M4}, {M1, M2}, {M1}, …), and the paths from s0 are matched against the pattern O.]
Our Goal: Extension to branching-time properties
[Figure: the CEGAR loop with Predicate Abstraction, with an SE-AΩ formula as the property and the system given as components P1 … Pn.]
What is a counterexample formally?
• Given M, s0 ⊭ φ, a counterexample is a structure C with C, s0 ⊭ φ that is related to M by the simulation relation shown on the slide
CounterExample generation for SE-AΩ
• φ1 ∧ φ2: compute a counterexample either for φ1 or for φ2
• φ1 ∨ φ2: compute a counterexample for φ1 and a counterexample for φ2
• Example: AG ¬p ∨ AF ¬q
[Figure: the counterexample combines a path on which q holds at every state (refuting AF ¬q) with a reachable state where p holds (refuting AG ¬p).]
CounterExample generation for SE-AΩ: M, s0 ⊨ A O(α1, …, αn)
[Figure: for A O(α1, α3, α4, c) on the LKS (s0, s1, s2; transitions a, b, c), the counterexample is assembled from the marker sets at each state ({M1, M3}, {M3, M4}, {M1}, {M2, M3, M4}) and from the sub-counterexamples CEX 1, CEX 3, CEX 4, CEX 4 along the path s0 -a-> s1 -b-> ….]
Our Goal: Extension to branching-time properties
[Figure: the CEGAR loop with an SE-AΩ specification, components P1 … Pn and their abstractions A1 … An.]
Our Goal: Extension to branching-time properties
[Figure: the same CEGAR loop. Counterexample validation asks whether C, found on the abstraction A1 … An, is also a counterexample for the concrete components P1 … Pn.]
Projection
[Figure: the counterexample C (states s0, s1, s2; transitions a, b, c, b) and its projection C2 onto one component (states s0, s1, s2; transitions a, c).]
Weak simulation
[Figure: two structures M1 and M2, states labelled p,q, transitions labelled a; M2 weakly simulates M1.]
Compositionality
Theorem: C is a valid counterexample for the composed system P1 … Pn iff, for each 1 ≤ i ≤ n, the projection Ci is a valid counterexample for Pi.
Compositional refinement
[Figure sequence: components P1, P2, P3, P4 with specification Spec are abstracted to A1, A2, A3, A4. A counterexample found on the abstraction is projected onto the components and validated per component (C1 against P1, C3 against P3). When a projection is spurious, only the corresponding abstraction is refined (here A3, then A1, then A2) and the loop repeats, until either no more counterexamples are found or a real counterexample is confirmed on all components.]
Action-guided Refinement
[Figure: a concrete system with transitions a, b, c; its abstraction, in which one abstract state carries both actions a,b; and the counterexample that singles out that state for refinement.]
Case study: IPC
• IPC (InterProcess Communication) Protocol: organize communication in a multithreaded robot controller
• Bug discovery
• Protocol has been used for 7 years
• Bug undetected with earlier model-checking efforts using LTL
Conclusion
• Definition of an advanced branching-time state-event logic SE-AΩ
• Model-checking algorithm for SE-AΩ
• Compositional counterexample validation and refinement techniques for SE-AΩ
• First application of compositional CEGAR to branching-time specifications
• Bug discovery in the IPC protocol
Questions?