Download Slide - International Conference on Computer

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts
no text concepts found
Transcript 
Introduction to Computer-Aided Verification
Rajeev Alur
University of Pennsylvania
CAV Mentoring Workshop, July 2015
Systems Software
Can Microsoft Windows version X be
bug-free?
Millions of lines of code
Types of bugs that cause
crashes well-known
Enormous effort spent on
debugging/testing code
Certifying third-party code
(e.g. device drivers)
do{
KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){
request = request->Next;
KeReleaseSpinLock();
nPackets++;
}
}while(nPackets!=
nPacketsOld);
KeReleaseSpinLock();
Do lock operations, acquire and
release strictly alternate on every
program execution?
Concurrency Libraries
Exploiting concurrency efficiently and correctly
dequeue(queue_t *queue, value_t *pvalue)
{
node_t *head;
node_t *tail;
node_t *next;
}
while (true) {
head = queue->head;
tail = queue->tail;
next = head->next;
if (head == queue->head) {
if (head == tail) {
if (next == 0)
return false;
cas(&queue->tail, tail, next);
} else {
*pvalue = next->value;
if (cas(&queue->head, head, next))
break;
}
}
}
delete_node(head);
return true;
Concurrent Queue (MS’92)
Can the code deadlock?
Is sequential semantics of a queue
preserved? (Sequential consistency)
Security Checks for Java Applets
https://java.sun.com/javame/
public Vector<String> phoneBook;
public String number;
public int Selected;
public void sendEvent() {
phoneBook = getPhoneBook();
selected = chhoseReceiver();
number=phoneBook.elementAt(selected);
if ((number==null)|(number=“”)){
//output error
} else{
String message = inputMessage();
sendMessage(number, message);
}
}
How to certify applications for
data integrity / confidentiality ?
EventSharingMidlet from J2ME
By listening to messages, can
one infer whether a particular
entry is in the addressbook?
Certification of Safety-Critical Software
How to verify that a pacemaker meets all the correctness
requirements published by the FDA ?
In Search of the Holy Grail…
software/model
correctness
specification
yes/proof
Verifier
no/bug
 Correctness is formalized as a mathematical claim to be
proved or falsified rigorously
Always with respect to the given specification

Challenge: Impossibility results for automated verifier
Verification problem is undecidable
Even approximate versions are computationally intractable (model
checking is Pspace-hard)
This Talk
 History of CAV (not comprehensive…)
 Some guidelines for choosing a research problem
1970s: Proof calculi for program correctness
Key to proof:
BubbleSort (A : array[1..n] of int) {
B = A : array[1..n] of int;
Finding suitable
for (i=0; i<n; i++) {
loop invariants
Permute(A,B)
Sorted(B[n-i,n])
for 0<k<=n-i-1 and n-i<=k’<=n B[k]<=B[k’]
for (j=0; j<n-i; j++) {
Permute(A,B), Sorted(B[n-i,n],
for 0<k<=n-i-1 and n-i<=k’<=n B[k]<=B[k’]
for 0<k<j B[k] <= B[j]
if (B[j]>B[j+1]) swap(B,j,j+1)
}
};
return B;
}
Deductive Program Verification
 Powerful mathematical logic (e.g. first-order logic, Higherorder logics) needed for formalization
 Great progress in decision procedures
 Finding proof decomposition requires expertise, but modern tools
support many built-in proof tactics
 Contemporary theorem provers: Coq, PVS, ACL2, ESC-Java
 In practice …
 User partially annotates the program with invariants, and the tool
infers remaining invariants needed to complete the proof
 Success story: CompCert: Fully verified optimizing compiler for a
subset of C
 Current research: Automatic synthesis of loop invariants
1980s: Finite-state Protocol Analysis
Automated analysis of finite-state protocols with respect to
temporal logic specifications
 Network protocols, Distributed algorithms
Specs:
Is there a deadlock?
Does every req get ack?
Does a buffer overflow?
Tools:
SPIN, Murphi, CADP …
Battling State-space Explosion
Analysis is basically a reachability
problem in a HUGE graph
 Size of graph grows exponentially as
the number of bits required for state
encoding
 Graph is constructed only
incrementally, on-the-fly
 Many techniques for exploiting
structure: symmetry, data
independence, hashing, partial order
reduction …
 Great flexibility in modeling: Scale
down parameters (buffer size, number
of network nodes…)
Bad states
State
Transition
1990s: Symbolic Model Checking
Constraint-based analysis of Boolean systems
 Symbolic Boolean representations (propositional formulas, OBDDs)
used to encode system dynamics
 Success in finding high-quality bugs in hardware applications
(VHDL/Verilog code)
Global bus
UIC
UIC
M
UIC
P
M
P
Deadlock found in
cache coherency
protocol Gigamax by
model checker SMV
Cluster bus
Read-shared/read-owned/write-invalid/write-shared/…
Symbolic Reachability Problem
Model variables X ={x1, … xn}
Each var is of finite type, say, boolean
Initialization: I(X): a formula over X e.g. (x1 && ~x2)
Update: T(X,X’)
How new vars X’ are related to old vars X as a result of executing one step
of the program: Disjunction of clauses obtained by compiling individual
instructions e.g. (x1 && x1’ = x1 && x2’ = ~x2 && x3’ = x3)
Target set: F(X) e.g. (x2 && x3)
Computational problem:
Can F be satisfied starting with I by repeatedly applying T ?
K-step reachability reduces to propositional satisfiability (SAT):
Bounded Model Checking
I(X0) && T(X0,X1) && T(X1,X2) && --- && T(Xk-1,Xk) && F(Xk)
The Story of SAT
Propositional Satisfiability: Given a formula over Boolean variables, is
there an assignment of 0/1’s to vars which makes the formula true
 Canonical NP-hard problem (Cook 1973)
 Enormous progress in tools that can solve instances with
thousands of variables and millions of clauses
 Extensions to richer classes of constraints (SMT solvers)
1960
DP
10 var
1952
Quine
 10 var
1988
SOCRATES
 3k var
1962
DLL
 10 var
1986
BDDs
 100 var
1994
Hannibal
 3k var
1992
GSAT
 300 var
1996
GRASP
1k var
1996
Stålmarck
 1000 var
1996
SATO
1k var
2002
Berkmin
10k var
2001
Chaff
10k var
2000s: Model Checking of C code
Phase 1: Given a program P, build an
abstract finite-state (Boolean)
model A such that set of
behaviors of P is a subset of those
of A (conservative abstraction)
Phase 2: Model check A wrt
specification: this can prove P to
be correct, or reveal a bug in P, or
suggest inadequacy of A
Shown to be effective on
Windows device drivers in
Microsoft Research project
SLAM (follow-up: SDV)
do{
KeAcquireSpinLock();
nPacketsOld = nPackets;
if(request){
request = request->Next;
KeReleaseSpinLock();
nPackets++;
}
}while(nPackets!=
nPacketsOld);
KeReleaseSpinLock();
Do lock operations, acquire and
release, strictly alternate on every
program execution?
Software Model Checking
 Tools for verifying source code combine many techniques
 Program analysis techniques such as slicing, range analysis
 Abstraction
 Model checking
 Refinement from counter-examples (CEGAR)
 New challenges for model checking (beyond finite-state
reachability analysis)
 Recursion gives pushdown control
 Pointers, dynamic creation of objects, inheritence….
 Active research area
 Abstraction-based tools: SLAM, BLAST,…
 Direct state encoding: F-SOFT, CBMC, CheckFence…
SMT Success Story
CBMC
SAGE
VCC
Spec#
SMT-LIB Standardized Interchange Format (smt-lib.org)
Problem classification + Benchmark repositories
LIA, LIA_UF, LRA, QF_LIA, …
+ Annual Competition (smt-competition.org)
Z3
Yices
CVC4
MathSAT5
Since 1990s: Cyber-Physical Systems
Discrete software interacting with a
continuously evolving physical system






Need to model physical world using
differential equations/timing delays
Models: Timed automata, Hybrid
automata
Symbolic reachability analysis over sets
of real-valued variables
Finite-state abstractions
Beyond correctness: Stability, Timely
response
Fruitful collaboration between control
theory and formal methods
Formal Methods for Cyber-Physical Systems
 Tools for verifying timed/hybrid systems models
Uppaal, Taliro, Keymaera, dReal, Space-Ex …
 Applications
 Medical devices (infusion pump, pacemaker)
 Autonomous driving (collision avoidance protocols)
 Industrial technology transfer
 Model-based design tools (e.g. Hybrid automata as Simulink domain)
 Simulink Design Verifier (model-based testing, static analysis)
 Industry research groups (Toyota, Ford…)
How to choose a research problem ?
 Common Themes in CAV Success Stories
 Phase 1: Initial demonstration of a compelling match between the
capability of a research prototype and real-world need
 Phase 2: Sustained research on improving scalability
 But the path to the promised land is unclear …
Incremental vs. Transformative
 Symbolic model checking using binary decision diagrams
(McMillan et al, 1990)
 Importance was immediately obvious and celebrated
 Critical for industrial adoption of hardware model checking
 Chaff: Engineering an efficient SAT solver (Malik etal,2001)
 Low-level optimization exploiting cache perforamce
 Played critical role in boosting performance of SAT solvers
 Don’t keep searching for “big” ideas by dismissing research
problems as incremental
Source: Existing Literature vs. Real-world Problems?
 Hybrid automata (Alur, Henzinger et al, 1991)
 Started as a theoretical extension of timed automata
 Now with significant research and adoption in CPS community
 SAGE (Godefroid et al, CACM 2012)
 A response to pressing industrial need for effective testing for
discovering security vulnerabilities
 Integration of many research ideas into a highly successful tool
 Keep looking everywhere!
Theoretical Results vs. Prototype Tools
 Nested depth-first search (CVWY, CAV 1990)
 Beautiful algorithm for on-the-fly detection of fair cycles
 Key ingredient of all explicit-state LTL model checkers
 SLAM (Ball and Rajamani, 2001)
 Integration of predicate abstraction, symbolic model checking, and
counter-example guided abstraction refinement
 Prototype tool and evaluation essential to demonstrate utility
 CAV offers many options for research: theoretical,
practical, and theory in practice!
Advice 1: Be sure of the motivation
 If you were to succeed in finding a good solution to the
problem you are studying, what would be the consequence?
 Tool: who is a potential user?
 Algorithm: which tool can use and why should it use?
 Method: which design/analysis task can be done better?
 Be convinced of the answer yourself first, and worry about
reviewers later
Advice 2: Know the related work
 Is your idea new?
 How does it fit into what people know and have tried earlier?
 Vast literature, but there is no way around this question
 Be an expert on work related to your thesis
 Caution: this is not an excuse for inaction!
Advice 3: Don’t live in a silo!
 Computer science is rapidly expanding in exciting directions
 Need to know at a high level what’s happening around you
 Organization into conferences/sub-disciplines is artificial
 Other fields can be a source of new ideas, applications,
solution techniques
 How can statistical machine learning help CAV?
 Can CAV techniques be applied to problems in system biology?
 Goal: Become an expert in Formal Methods AND X
Related documents
HOMEWORK 6 Exercise 1. (a) Let X be a Bernoulli random variable
HOMEWORK 6 Exercise 1. (a) Let X be a Bernoulli random variable
An Empirical Analysis in Risk Management: Comparison of Portfolio Value at Risk with Different Approaches
An Empirical Analysis in Risk Management: Comparison of Portfolio Value at Risk with Different Approaches
Probability 2 - REQUIREMENTS FOR TEST. 1. P.g.f.: (a) Know p.g.f.
Probability 2 - REQUIREMENTS FOR TEST. 1. P.g.f.: (a) Know p.g.f.
A probability argument that lays the foundation for the Monte Carlo
A probability argument that lays the foundation for the Monte Carlo
Lecture 23 - Stony Brook AMS
Lecture 23 - Stony Brook AMS
NYU_class7
NYU_class7
Malaria parasites use antigenic variation to avoid immune clearance
Malaria parasites use antigenic variation to avoid immune clearance
Proof of the Law of Large Numbers in the Case of Finite Variance
Proof of the Law of Large Numbers in the Case of Finite Variance
here - Herald Sun
here - Herald Sun
Activity Time Uncertainty
Activity Time Uncertainty