Carnegie Mellon

# Formal Verification by Model Checking

Natasha Sharygina Carnegie Mellon University

> Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005

Carnegie Mellon

#### Outline

Lecture 1: Overview of Model Checking

Lecture 2: Complexity Reduction Techniques

Lecture 3: Software Model Checking

Lecture 4: State/Event-based software model checking

Lecture 5: Deadlock Detection and Component Substitutability

Lecture 6: Model Checking Practicum (Student Reports on the Lab exercises)

2

Carnegie Mellon

#### **Actual Goal**

- •Deadlock for concurrent blocking message-passing C programs
- •Tackle complexity using automated abstraction and compositional reasoning
- •Obtain precise answers using automated iterative abstraction refinement

3

Carnegie Mellon

#### For this talk

- •Focus on finite state machines
- Labeled transition systems (LTSs)
- •Parallel composition of state machines
- Synchronous communication
- Asynchronous execution
- Natural for modeling blocking message-passing C programs

4

 Carnegie Mellor

## Concurrency

- Components communicate by handshaking (synchronizing) over shared actions
- Else proceed independently (asynchronously)
- -Essentially CSP semantics
- –Composition of A<sub>1</sub> & A<sub>2</sub>  $\equiv$  A<sub>1</sub> || A<sub>2</sub>

6























Deadlock Detection: Insight

• Deadlock ⇔ a reachable state cannot perform any actions at all

• Deadlock depends on the set of actions that a reachable state cannot perform

• In order to preserve deadlock A must overapproximate not just what P can do but also what P refuses



 $Abstract\ Deadlock$ • M abstractly deadlocks iff there is a reachable state s such that AR(s) =  $\Sigma$ - Denote by ADLock(M)  $\neg\ ADLock([M_1] \parallel ... \parallel [M_n])$   $\Rightarrow$   $\neg\ DLock(M_1 \parallel ... \parallel M_n)$ 

















| Results |       |      |       |              |     |       |      |
|---------|-------|------|-------|--------------|-----|-------|------|
| Name    | Plain |      |       | IterDeadlock |     |       |      |
|         | St    | Т    | Mem   | St           | lt  | Т     | Men  |
| ABB     | *     | *    | 162   | 1973         | 861 | 1446  | 33.3 |
| SSL     | 25731 | 44   | 43.5  | 16           | 16  | 31.9  | 40.8 |
| μCD-3   | *     | *    | 58.6  | 4930         | 120 | 221.8 | 15   |
| μCN-6   | *     | *    | 219.3 | 71875        | 44  | 813   | 30.8 |
| DPN-6   | *     | *    | 203   | 62426        | 48  | 831   | 26.1 |
| DPD-10  | 38268 | 87.6 | 17.3  | 44493        | 51  | 755   | 18.4 |

Carnegie Mellon

Ongoing and Future Work

- Shared memory
- · Assume-Guarantee reasoning
- Industrial size examples
- Symbolic implementation
- Branching-time state/event logic (completed)

35

Carnegie Mellon

### Component Substitutability: Motivation

- Model checking is a highly time consuming, labor intensive effort
- For example, a system of 25 components (~20K LOC) and 100+ properties might take up to a month of verification effort
- It discourages practitioner use when system evolves
- Can model checking be used to automatically determine if previously established properties will hold for the evolved system without repeating each of the individual checks

Carnegie Mellon

#### What's The Problem

- Software evolution is inevitable in any real system:
  - Changing requirements
  - Bug fixes
  - Product changes (underlying platform, third-party,etc.)
  - Incremental verification during the design process

37

Carnegie Mellon

## Component Substitutability Check

- Component-based Software
  - Software modules shipped by separate developers
  - Undergo several updates/bug-fixes during their lifecycle
- · Component assembly verification
  - Necessary on upgrade of any component
  - High costs of complete global verification
- Idea:
  - Instead check locally for substitutability of new components

38

Carnegie Mello

## **Potential Contribution**

- · Verify upgraded components locally
- · Reuse previous verification results
- For example, for a system of 25 components (~20K LOC) and 100+ properties verification might take up to a month of verification effort
- If 3 components change, instead of repeating a month effort of reverifying 100+ properties, our technique will ensure the substitutability of all properties in one iteration of the substitutability check (- 1 day effort).

9







Substitutability Check

• Approach:

- Obtain finite state models of all components by abstraction

- Containment Check:

• Use under- and over- approximations (new)

- Compatibility Check:

• Use dynamic assume-guarantee reasoning (new)



Containment Check

• Goal: Check C ⊆ C' (Every behavior of C is an allowable behavior of C')

- All behaviors retained after upgrade

• Solution:

- Create abstraction (over-approximation) M: C ⊆ M

- Create abstraction (under-approximation) M': M' ⊆ C'

- Check for M ⊆ M'

C

Containment Check















Carnegie Mellon Implementation ComFoRT Framework Validated on an Industrial benchmark Inter-process Communication (IPC) ABB software
 4 main components – CriticalSection, IPCQueue, ReadMQ, WriteMQ • Evaluated on single and simultaneous upgrades WriteMQ and IPCQueue components Properties P<sub>1</sub>: Write after obtaining CS lock - P2: Correct protocol to write to IPCQueue



Carnegie Mellon

## Lab Assignment

- Spit into groups of 4-5 people
- Design, implementation and verification of the current surge protector

   In PROMELA/SPIN

  - In ComFoRT
- Comparative validation
- Presentations on March 31, 2005

# Lab Assignment (2)

- · Questions about ComFoRT
  - Natasha Sharygina: nys@sei.cmu.edu theory
  - Sagar Chaki: chaki@sei.cmu.edu tool support

56

Carnegie Mello

Carnegie Mellon

# Collaboration Opportunities

- Research and development projects on verification of software (ComFoRT project)
- As part of the PACC (Predictable Assembly from Certifiable Components) project at the SEI
- · Joint work with Prof. Ed Clarke

## Collaboration Opportunities

- · Independent studies
- . M.S. and Ph.D. Research (jointly with your current advisors)
- Internships

If interested contact me and we can discuss options

9