Slide 1

Slide 1 text

Abstraction-based model checking for real-time software-intensive system models
Dóra Cziborová
Alpine Verification Meeting 2024

Slide 3

Slide 3 text

Model checking

[Diagram of the model checking workflow: System, Requirement, Formalized requirement, Formal model, Model checker, ✓ / ✗, Reachability]

Slide 4

Slide 4 text

Model checking – system models

• Focus: real-time software-intensive systems
• State-based representation, e.g. statecharts

[Diagram of the model checking workflow: System, Requirement, Formalized requirement, Formal model, Model checker, ✓ / ✗, Reachability]

Slide 5

Slide 5 text

Model checking – formal models

• Intermediate formalisms:
  • High-level language constructs
  • More expressive than low-level formal models
  • Easier mapping from system models
• The XSTS formalism – eXtended Symbolic Transition System

[Diagram of the model checking workflow: System, Requirement, Formalized requirement, Formal model, Model checker, ✓ / ✗, Reachability]

Slide 6

Slide 6 text

Model checking – abstraction

• # of data variables
• Continuous time
  (both lead to state space explosion)
• Abstraction
• State space: abstract reachability graph (ARG)

[Diagram of the model checking workflow: System, Requirement, Formalized requirement, Formal model, Model checker, ✓ / ✗, Reachability]

Slide 7

Slide 7 text

Steps to verify timed software-intensive models

I. An intermediate formalism is required
  • Existing formalism: timed automata
  • Extending the XSTS formalism by timing
II. Supporting the verification of timed XSTS models
  • Usual challenges of timed verification
  • Challenges specific to the timed XSTS formalism

Slide 8

Slide 8 text

The XSTS formalism

[Figure: simple statechart model with an Environment component; its XSTS representation is shown below]

    type State : {Q}
    ctrl var state : State = Q
    var x : integer = 0
    var y : integer = 0
    trans {
        if (state == Q) {
            choice { havoc x; } or { y := x + 1; }
        }
    }

Slide 15

Slide 15 text

XSTS language constructs

• Assumption:                    assume y > x;
• Assignment:                    y := x + 1;
• Non-deterministic assignment:  havoc x;
• Conditional operation:         if (x > 0) { ... } else { ... }
• Non-deterministic operation:   choice { ... } or { ... } or { ... }
• Counting loop:                 for i from 0 to x do { ... }

Slide 19

Slide 19 text

The TXSTS formalism – Timed XSTS

• XSTS extended by clock variables and clock operations
  • Clock set / reset:     c := 0;  c := 500;
  • Clock constraints:     assume c1 - c2 > 0;  if (c > 500 || …) …
  • Increment all clocks:  __delay;

Slide 29

Slide 29 text

Verification approaches for TXSTS models

[Diagram: Engineering model → (mapping to intermediate formalism) → High-level formal model: TXSTS; from there two paths:
  1) Time → data transformation → High-level formal model: XSTS → Abstraction algorithms (abstract data domain) → Result of verification
  2) Modified combined verification algorithm (abstract data domain, abstract time domain) → Result of verification;
  Result of verification → Mapping]

Slide 32

Slide 32 text

1st approach: transformation of TXSTS to XSTS

• Clocks to rational variables
• Clock operations to data operations
• Existing algorithms can be used without modification
• Efficient time abstraction techniques cannot be used

    Clock variable        Data variable
    c1 := 0;              c1 := 0;
    __delay;              havoc _d; assume _d >= 0;
                          c1 := c1 + _d; c2 := c2 + _d;

Advance of time: _d is nondeterministic and nonnegative
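The time → data transformation of this slide, as an added Python example that is not part of the talk's tooling: a small rewriter that turns TXSTS clock operations into XSTS data operations. The `clock` type keyword in declarations, the `rational` type name and the placement of the `_d` declaration are assumptions (the slide only says clocks become rational variables), and the input fragment is constructed.

```python
import re

# Constructed TXSTS fragment in the syntax used on the slides. The `clock`
# type keyword is an assumption; the slides only show the clock operations.
TXSTS_SRC = """\
var x : integer = 0
var c1 : clock = 0
var c2 : clock = 0
trans {
    c1 := 0;
    __delay;
    assume c1 - c2 > 0;
}"""

CLOCK_DECL = re.compile(r"^(\s*)var\s+(\w+)\s*:\s*clock\b(.*)$")


def transform(src, delay_var="_d"):
    """Time -> data transformation: clocks become rational variables and
    `__delay` becomes a nondeterministic, nonnegative advance applied to
    every clock at once. Clock sets/resets and clock constraints are already
    plain data operations over rationals, so they are copied unchanged."""
    clocks = [m.group(2) for m in map(CLOCK_DECL.match, src.splitlines()) if m]
    out = []
    for line in src.splitlines():
        m = CLOCK_DECL.match(line)
        if m:
            indent, name, rest = m.groups()
            out.append(f"{indent}var {name} : rational{rest}")
            continue
        if line.strip() == "__delay;":
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}havoc {delay_var};")          # any advance ...
            out.append(f"{indent}assume {delay_var} >= 0;")    # ... but nonnegative
            out.extend(f"{indent}{c} := {c} + {delay_var};" for c in clocks)
            continue
        out.append(line)
    # The helper variable is declared once before the transition block
    # (assumed placement; the slide does not show the declaration).
    first_trans = next(i for i, ln in enumerate(out) if ln.startswith("trans"))
    out.insert(first_trans, f"var {delay_var} : rational = 0")
    return "\n".join(out)


def is_plain_xsts(src):
    """After the transformation no clock-specific construct may remain."""
    return "__delay" not in src and not re.search(r":\s*clock\b", src)
```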

Slide 35

Slide 35 text

2nd approach: verification of TXSTS models

• Existing abstraction-based techniques: lazy abstraction, CEGAR
• Building on combined abstraction – lazy abstraction for timing, CEGAR for data

Slide 38

Slide 38 text

2nd approach: verification of TXSTS models

• Existing abstraction-based techniques: lazy abstraction, CEGAR
• Building on combined abstraction – lazy abstraction for timing, CEGAR for data

Existing algorithms presume that the results of operations can be computed individually for timing and data.

• A problematic example, with data variable x and clock variable c:
    if ((x == 0 && c > 500) || (x == 1 && c < 400)) { ... }
• Solution: control flow splitting

Slide 42

Slide 42 text

Control flow splitting

Transformation: introducing new Boolean variables, and constraints on these variables

[Diagram: Operation → Transformed operation + Constraints over Bool vars → All-SAT problem → Variable assignments (each satisfying assignment is one control flow) → Set of final operations; independent timing and data, so existing methods can be used for verification]

Slide 46

Slide 46 text

Example – operation transformation

Boolean vars + constraints: satisfying assignment ⇔ control flow

Original operation (clock: c, data: x):
    if (x == 0 && c < 5) { x := x + 1; } else { c := 0; }

Transformed operation:
    if (b1) { assume x == 0 && c < 5; x := x + 1; }
    if (b2) { assume !(x == 0) || !(c < 5); c := 0; }

Constraints:
• b1 xor b2

Slide 52

Slide 52 text

Example – operation transformation

Boolean vars + constraints: satisfying assignment ⇔ control flow

Original operation (clock: c, data: x):
    if (x == 0 && c < 5) { x := x + 1; } else { c := 0; }

Transformed operation, first step:
    if (b1) { assume x == 0 && c < 5; x := x + 1; }
    if (b2) { assume !(x == 0) || !(c < 5); c := 0; }

Splitting the mixed assumptions:
    assume x == 0 && c < 5;        →  assume x == 0; assume c < 5;
    assume !(x == 0) || !(c < 5);  →  choice { assume !(x == 0); } or { assume !(c < 5); }
                                   →  if (b3) { assume !(x == 0); } if (b4) { assume !(c < 5); }

Constraints:
• b1 xor b2
• b2 ⇒ (¬b3 ∧ b4) ∨ (b3 ∧ ¬b4)
• ¬b2 ⇒ ¬b3
• ¬b2 ⇒ ¬b4

Slide 53

Slide 53 text

Example – operation transformation

Boolean vars + constraints: satisfying assignment ⇔ control flow

Original operation (clock: c, data: x):
    if (x == 0 && c < 5) { x := x + 1; } else { c := 0; }

Final transformed operation:
    if (b1) {
        assume x == 0;
        assume c < 5;
        x := x + 1;
    }
    if (b2) {
        if (b3) { assume !(x == 0); }
        if (b4) { assume !(c < 5); }
        c := 0;
    }

Constraints:
• b1 xor b2
• b2 ⇒ (¬b3 ∧ b4) ∨ (b3 ∧ ¬b4)
• ¬b2 ⇒ ¬b3
• ¬b2 ⇒ ¬b4

Slide 56

Slide 56 text

Example – control flow with an SMT solver

Boolean vars + constraints: satisfying assignment ⇔ control flow

Original operation (clock: c, data: x):
    if (x == 0 && c < 5) { x := x + 1; } else { c := 0; }

Transformed operation, annotated with one satisfying assignment from the solver (b1 = false, b2 = true, b3 = true, b4 = false):
    if (b1) {                          ← b1 = false
        assume x == 0;
        assume c < 5;
        x := x + 1;
    }
    if (b2) {                          ← b2 = true
        if (b3) { assume !(x == 0); }  ← b3 = true
        if (b4) { assume !(c < 5); }   ← b4 = false
        c := 0;
    }

Constraints:
• b1 xor b2
• b2 ⇒ (¬b3 ∧ b4) ∨ (b3 ∧ ¬b4)
• ¬b2 ⇒ ¬b3
• ¬b2 ⇒ ¬b4

Final operation for this assignment:
    assume !(x == 0); c := 0;

All final operations obtained from the satisfying assignments:
    assume !(x == 0); c := 0;
    assume !(c < 5); c := 0;
    assume x == 0; assume c < 5; x := x + 1;
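Control flow splitting as described on the slides from "Control flow splitting" to this one, as an added Python example (not Theta's code): the Boolean constraints of the transformed operation, an All-SAT enumeration over them, and the final operation obtained for each satisfying assignment. Brute-force enumeration stands in for the SMT solver, the construction is generalised from the 4-variable slide to a guard with any number of conjuncts, and the domain tags on the atoms are an assumption used only to check separability.

```python
from itertools import product

# Constructed from the slides' example: the guard is a conjunction of atoms,
# each tagged with the domain it refers to, so separability can be checked.
GUARD = [("data", "x == 0"), ("clock", "c < 5")]
THEN_BRANCH = [("data", "x := x + 1;")]
ELSE_BRANCH = [("clock", "c := 0;")]


def satisfies(b_then, b_else, negs):
    """Constraints over the fresh Booleans, generalised from the slide:
    b_then xor b_else; b_else => exactly one negated atom (b3, b4 on the
    slide); not b_else => no negated atom at all."""
    if b_then == b_else:
        return False
    return sum(negs) == (1 if b_else else 0)


def all_sat(n_atoms):
    """Every satisfying assignment; brute force stands in for the solver."""
    return [(b_then, b_else, tuple(negs))
            for b_then, b_else, *negs in product([False, True], repeat=2 + n_atoms)
            if satisfies(b_then, b_else, negs)]


def final_operation(model):
    """Instantiate the transformed operation under one assignment, i.e. follow
    one control flow: an `if (b)` whose b is false contributes nothing."""
    b_then, _, negs = model
    if b_then:
        return [(d, f"assume {a};") for d, a in GUARD] + THEN_BRANCH
    kept = [(d, f"assume !({a});") for (d, a), neg in zip(GUARD, negs) if neg]
    return kept + ELSE_BRANCH


def split_operations():
    """The set of final operations that replaces the original conditional."""
    return [final_operation(m) for m in all_sat(len(GUARD))]


def partition(op):
    """Clock part and data part of a final operation. After splitting, every
    statement refers to a single domain, so the two parts can be handled by
    the time abstraction and the data abstraction independently."""
    return ([s for d, s in op if d == "clock"], [s for d, s in op if d == "data"])
```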

Slide 57

Slide 57 text

Preliminary evaluation of the approaches

• Implemented in the Theta open source verification framework
• Two TXSTS models from Gamma engineering models:
  – Example model demonstrating the capabilities of Gamma: crossroad
  – Industrial case study: model of a safety-critical railway protocol
• 30 reachability properties, analyzed in two ways:
  – Reachability of a given state
  – Timed reachability: reachability of a given state under a given time limit

Slide 58

Slide 58 text

Preliminary evaluation of the approaches

• 3 CPU cores, time limit of 20 minutes, memory limit of 15 GB
• Best configurations of both approaches compared: number of verified properties, with mean CPU time
• Reachability: same success rate, time → data transformation is faster
• Timed reachability: control flow splitting is more successful

Verified properties with a time limit of 20 minutes (mean CPU time after the count):

    Approach                                           Reachability            Timed reachability
    Time → data transformation                         30/30 (100%), 7.48 s    12/30 (40%), 2.26 s
    Combined abstraction with control flow splitting   30/30 (100%), 11.09 s   18/30 (60%), 40.99 s

Slide 59

Slide 59 text

Summary

[Diagram: High-level formal model: TXSTS; two paths to the Result of verification:
  1) Time → data transformation → Existing abstraction algorithms (no time abstraction)
  2) Control flow splitting → Modified combined verification algorithm]