Software Model Checking for Embedded Systems

PIs: Matthew Dwyer (1), John Hatcliff (1), and George Avrunin (2)
Post-docs: Steven Seigel (2), Radu Iosif (1)
Students: Robby (1), Roby Joehanes (1), Yu Chen (1)
(1) Kansas State University, (2) University of Massachusetts
The Dream

```java
void add(Object o) {
    buffer[head] = o;
    head = (head+1)%size;
}

Object take() {
    // …
    tail = (tail+1)%size;
    return buffer[tail];
}
```

The checker takes the program together with its requirements (Property 1: …, Property 2: …, …) and answers either OK or an error trace.

Model Checking

A model checker takes a finite-state model and a temporal logic formula and decides whether the model satisfies the formula. It answers either OK or an error trace, given as a line listing (Line 5: …, 12: …, 15: …, 21: …, 25: …, 27: …, 41: …, 47: …).

Why use Model Checking?

- Automatically checks, e.g.,
  - invariants, safety and liveness properties,
  - absence of deadlock and livelock,
  - complex event-sequencing properties, such as "Between the key being inserted and the key being removed, the ignition can be activated at most twice."
- In contrast to testing, it gives complete coverage by exhaustively exploring all paths in the system.
- It has been used for years with good success in hardware and protocol design.

This suggests that model checking can complement existing software quality assurance techniques.

What makes model-checking software difficult?

The checker takes a finite-state model and a temporal logic formula and returns OK or an error trace (Line 5: …, 12: …, 15: …, 21: …). Problems using existing checkers:

- Model construction
- Property specification
- State explosion
- Output interpretation
Model Construction Problem

Between the program (the add()/take() code above) and the model description a model checker accepts lies a gap. It is a semantic gap: programming languages have methods, inheritance, dynamic creation, exceptions, etc., whereas model description languages have automata.

Property Specification Problem

It is difficult to formalize a requirement in temporal logic. "Between the key being inserted and the key being removed, the ignition can be activated at most twice." …is rendered in LTL as:

```
[]((key.In /\ <>key.Rem) -> ((!activate /\ !key.Rem) U (key.Rem \/ ((activate /\ !key.Rem) U (key.Rem \/ (!activate U key.Rem))))))
```

State Explosion Problem

- Cost is exponential in the number of components: N bits x1, …, xN give 2^N states.
- Moore's law and algorithm advances can help (Holzmann: 7 days in 1980 became 7 seconds in 2000).
- Explosive growth of software limits scalability.
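As an added illustration (not code from the slides or from Bandera), here is a minimal explicit-state checker in Python that exhaustively explores every interleaving of a producer calling add() and a consumer calling take() on the buffer from the earlier slides, and reports the shortest error trace as a list of source statements. The `count` variable, the invariant `0 <= count <= size`, and the guards that stand in for the waits the slides elide with "…" are modelling assumptions; running it with and without those guards shows both the error trace a checker produces and how the state count grows with the buffer size.

```python
from collections import deque

def make_threads(guarded, size):
    """Producer/consumer as cyclic lists of (source label, guard, action) steps.
    A step runs only while its guard holds, modelling the wait() the slides
    elide with '...'; guarded=False drops that wait (modelling assumption)."""
    producer = [
        ("add: buffer[head] = o", lambda s: not guarded or s["count"] < size,
         lambda s: s.update(count=s["count"] + 1)),
        ("add: head = (head+1)%size", lambda s: True,
         lambda s: s.update(head=(s["head"] + 1) % size)),
    ]
    consumer = [
        ("take: tail = (tail+1)%size", lambda s: not guarded or s["count"] > 0,
         lambda s: s.update(tail=(s["tail"] + 1) % size)),
        ("take: return buffer[tail]", lambda s: True,
         lambda s: s.update(count=s["count"] - 1)),
    ]
    return [producer, consumer]

def check(guarded, size):
    """BFS over every interleaving. State = (head, tail, count, pc_producer,
    pc_consumer); count = items written but not yet taken, so 0 <= count <= size
    means no slot is overwritten or read empty. Returns (trace or None, #states)."""
    threads = make_threads(guarded, size)
    init = (0, size - 1, 0, 0, 0)
    parent = {init: None}  # state -> (predecessor, label) for trace recovery
    queue = deque([init])
    while queue:
        state = queue.popleft()
        head, tail, count, *pcs = state
        for t, thread in enumerate(threads):
            label, guard, action = thread[pcs[t]]
            s = {"head": head, "tail": tail, "count": count}
            if not guard(s):
                continue  # this thread is blocked in this state
            action(s)
            pcs2 = pcs[:t] + [(pcs[t] + 1) % len(thread)] + pcs[t + 1:]
            nxt = (s["head"], s["tail"], s["count"], *pcs2)
            if nxt not in parent:
                parent[nxt] = (state, label)
                if not 0 <= s["count"] <= size:  # invariant broken: rebuild trace
                    steps, cur = [], nxt
                    while parent[cur] is not None:
                        cur, lbl = parent[cur]
                        steps.append(lbl)
                    return steps[::-1], len(parent)
                queue.append(nxt)
    return None, len(parent)
```

Without guards the checker finds, after visiting only a handful of states, a two-step trace in which take() reads a slot nothing was ever written to; with guards no trace is found, and the number of states visited grows from 20 for a 2-slot buffer to 72 for a 4-slot one.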

Output Interpretation Problem

The model checker's error trace (Line 5: …, 12: …, 15: …, 21: …, 25: …, 27: …, 41: …, 47: …) refers to the model description, not to the program's add()/take() source, and a gap separates the two.

- A raw error trace may be thousands of steps long.
- The line listing must be mapped onto the model description.
- Mapping to source is made difficult by
  - the semantic gap and clever encodings of complex features,
  - multiple optimizations and transformations.

Bandera: An open tool set for model-checking Java source code

Its components: a graphical user interface; the Bandera Specification Language for writing properties; transformation and abstraction tools that turn Java source (such as the add()/take() code above) into checker inputs; the model checkers themselves; and error trace mapping, which relates the checker outputs back to the source.
Addressing the Model Construction Problem

Model extraction: compiling Java source to model checker inputs. Static analyses, abstract interpretation, slicing, and optimizations feed a model compiler that emits the model description.

- Numerous analyses, optimizations, two intermediate languages, multiple back-ends.
- Slicing, abstract interpretation.

Addressing the Property Specification Problem

A Java-based language for defining sequences of program observations as instances of field-tested specification patterns. Instead of the LTL formula

```
[]((key.In /\ <>key.Rem) -> ((!activate /\ !key.Rem) U (key.Rem \/ ((activate /\ !key.Rem) U (key.Rem \/ (!activate U key.Rem))))))
```

the pattern system expresses the requirement as a 2-bounded existence:

```
forall[v:Vehicle]. between {key.In(v)} and {key.Rem(v)} {activate(v)} exists at most {2} times;
```
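As an added example (not from the slides or from Bandera), the monitor below checks the 2-bounded existence pattern above over an event trace of one vehicle, reading key.In, activate and key.Rem as events and counting activate events within each scope. It mirrors the `<>key.Rem` in the LTL antecedent: a scope opened by key.In that is never closed by key.Rem imposes no obligation. The sample traces are constructed.

```python
def bounded_existence(trace, q, r, p, bound):
    """Check 'between q and r, p exists at most `bound` times' over a list of
    events. Returns (start, end, count) for every violating scope. A scope
    opens at each q event and closes at the next r event; a scope that never
    closes is not checked, matching the <>R conjunct of the pattern's LTL."""
    violations = []
    for start, event in enumerate(trace):
        if event != q:
            continue
        count = 0
        for end in range(start + 1, len(trace)):
            if trace[end] == r:  # scope closed: now the bound applies
                if count > bound:
                    violations.append((start, end, count))
                break
            if trace[end] == p:
                count += 1
    return violations

# Constructed sample traces for one vehicle (not taken from the slides).
OK_TRACE = ["key.In", "activate", "activate", "key.Rem", "key.In", "key.Rem"]
BAD_TRACE = ["key.In", "activate", "activate", "activate", "key.Rem"]
OPEN_TRACE = ["key.In", "activate", "activate", "activate"]  # key never removed

def check_vehicle(trace):
    """The slide's requirement: between key.In and key.Rem, activate at most twice."""
    return bounded_existence(trace, "key.In", "key.Rem", "activate", 2)
```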
Addressing the State Explosion Problem

Generate models customized for the property! The model compiler takes the Java source together with the property and emits a model description tailored to it.

- Result: multiple models, even as many as one per property.
- Aggressive customization via slicing and abstract interpretation.
Addressing the Output Interpretation Problem

The model compiler is paired with a simulator, so the model checker's error trace is mapped back through the intermediate representations and the model description to the Java source. Like a debugger:

- error traces are mapped back to source (Line 5: …, 12: …, 15: …, 21: …),
- error traces can be run forwards and backwards,
- program state can be queried,
- locks, wait sets, and blocked sets are displayed.

Goals for HCES project …

- Extend model extraction technologies, e.g.,
  - exploit both code and design artifacts,
  - automate generation of environments,
  - automate program abstraction.
- Extend property-specification formalisms, e.g.,
  - code- and design-based formalisms,
  - mixed state- and event-based formalisms,
  - multiple inter-operating formalisms.
- Add time to models, environments, specifications, and abstractions.

Goals for HCES project (continued)

- Integrate software model checking tools, e.g.,
  - develop methodological support for applying tools.
- Conduct systematic evaluation of tools:
  - apply tools to embedded systems code contributed by industrial/government partners,
  - develop suites of realistic multi-threaded Java programs for tool evaluation that might serve as community-wide challenge/demonstration problems.