LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...

LTL Software Model Checkingin CPAchecker

Thomas BunkLMU Munich, Germany

October 01, 2019

Thomas Bunk LMU Munich, Germany 1 / 20

LTL Software Model Checking [1]Program P LTL property ϕ

Transition System TS Büchi automaton A¬ϕ

Product automatonTS ⊗ A¬ϕ

Emptiness checkL(TS⊗A¬ϕ) ?= ∅

P � ϕ P 2 ϕτ is CEX

yes no

[1] M. Vardi, P. Wolper: An Automata-Theoretic Approach to Automatic Program Verification [LICS’86]Thomas Bunk LMU Munich, Germany 2 / 20

Büchi Automata in CPAchecker

1. Parsing of LTL properties

I Consider e.g.: [] (x -> F y U X "z > 0")

2. Transformation into Büchi automata using external Tools

3. Parsing and converting the result into automata from theCPAchecker-framework

1. Parsing of LTL propertiesI Consider e.g.: [] (x -> F y U X "z > 0")

Büchi Automata in CPAcheckerLTL properties already used in SV-Comp, e.g.:I Unreachability of Error Function:

CHECK( init(main()), LTL(G ! call(__VERIFIER_error())) )

I Termination:CHECK( init(main()), LTL(F end) )

Keep format for LTL software model checking, i.e.I CHECK ( init(<init_function>) , LTL(<property>) )

Example:I CHECK( init(main()), LTL([]("x>0" ==> <>("y==0"))) )

Execution with CPAchecker:I scripts/cpa.sh -ltl <path/program> -spec <path/specification>

LTL Software Model Checking [1]Program P LTL property ϕ

Transition System TS Büchi automaton A¬ϕ

Product automatonTS ⊗ A¬ϕ

Emptiness checkL(TS⊗A¬ϕ) ?= ∅

P � ϕ P 2 ϕτ is CEX

yes no

[1] M. Vardi, P. Wolper: An Automata-Theoretic Approach to Automatic Program Verification [LICS’86]Thomas Bunk LMU Munich, Germany 6 / 20

Example [1]

1 i n t x , y ;2 whi le ( t r u e ) {3 x := ∗ ;4 y := 1 ;5 whi le ( x > 0) {6 x−−;7 i f ( x <= 1) {8 y := 0 ;9 }

10 }11 }

Listing 1: Program P aspseudocode

x := ∗; y := 1

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of program P

[1] D. Dietsch, M. Heizmann, V. Langenfeld, and A. Podelski:Fairness modulo theory: A new approach to LTL software model checking. [CAV’15]

Combining the CFA and LT property

1 i n t x , y ;2 whi le ( t r u e ) {3 x := ∗ ;4 y := 1 ;5 whi le ( x > 0) {6 x−−;7 i f ( x <= 1) {8 y := 0 ;9 }

10 }11 }

Listing 2: Program P

x := ∗; y := 1

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of P

LTL property:ϕ = �(x > 0→ ♦(y = 0))

(x > 0) ∧ !(y == 0)

!(y == 0)

Figure: Büchi Automaton A¬ϕ

Büchi-programl0q0

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

CPAchecker: Architecture

SourceCode

ResultsParser &CFA Builder

CEGARAlgorithm

CPAAlgorithm

DCACPA

LocationCPA

CallstackCPA

PredicateCPA

Func.Pt.CPA

Local infeasibilityl0q0

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

Local infeasibilityl0q0

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

x <= 1; y:=0

!(y == 0)!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

!(x > 0)

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

Infeasibility of a finite prefixl0q0

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

x:=∗; y:=1

!(y == 0)

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

Trace abstraction [1]

Goal:I Generalize infeasible error tracesI Exclude classes of infeasible traces

[1] M. Heizmann, J. Hoenicke, and A. Podelski: Software model checking for people who love automata. [CAV’13]Thomas Bunk LMU Munich, Germany 13 / 20

Example for Trace Abstraction

Approach:

1. take trace τ1

2. consider trace asautomaton A1

3. analyze correctness of A1

4. generalize automaton A1

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Approach:

1. take trace τ1

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Approach:

1. take trace τ1

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Approach:

1. take trace τ1

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Trace Abstraction – Interpolant Based Approach

Approach:

1. take trace τ1

4. generalize automaton A1I add transitionsI merge locations

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Trace Abstraction for Infeasible Prefixes

x := ∗; y := 1

x−−

x <= 1; y := 0 !(x <= 1)

!(x > 0)

Figure: CFA of P

LTL property:ϕ = �(x > 0→ ♦(y = 0))

(x > 0) ∧ !(y == 0)

!(y == 0)

Figure: Büchi Automaton A¬ϕ

x:=∗; y:=1 ∧!(y == 0) ∧ (x > 0)

!(x > 0) ∧ !(y == 0)

Figure: Trace automaton A1

Buechi Program after Refinementl0q0p0

l1q0p0

l2q0p1

l3q0p0

l0q1perr

l1q1p1

l2q1p1

l3q1p0

x:=∗; y:=1

!(x > 0)

!(x <= 1)

x <= 1; y:=0

x−−

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

Buechi Program after Refinementl0q0p0

l0q0perr⊥

l1q0p0

l1q0p1x > 0

l2q0p1 x > 0

l3q0p0>

l0q1perr ⊥

l1q1p1 x > 0

l2q1p1 x > 0

l3q1p0 >

!(x <= 1)

!(x > 0)

x:=∗; y:=1

!(x > 0)

x <= 1; y:=0

x−−

!(x > 0)

!(y == 0)

x > 0!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

ω-Infeasibilityl0q0p0

l0q0perr

l1q0p0

l1q0p1

l2q0p1

l3q0p0

l0q1perr

l1q1p1

l2q1p1

l3q1p0

!(x <= 1)

!(x > 0)

x:=∗; y:=1

!(x > 0)

x <= 1; y:=0

x−−

!(x > 0)

!(y == 0)

!(x <= 1)

!(y == 0)

x−−

!(y == 0)

x:=∗; y:=1

!(y == 0) ∧ (x > 0)

x > 0!(y == 0) ∧ (x > 0)

x−−

!(y == 0) ∧ (x > 0)

!(x <= 1)

!(y == 0) ∧ (x > 0)

LTL Software Model CheckingProgram P LTL property ϕ

Control-flow automaton CFA Büchi automaton A¬ϕ

Büchi ProgramB:=CFA⊗A¬ϕ

τ exists ?

τ = τ1τω2

τ1τ2 ∈ L(B)

τ1τ2 feasible ?

τ terminating ?

P � ϕno

P 2 ϕτ is CEX

yesnoB:=B ∪ refineF (τ)

yesyesB:=B ∪ refineω(τ)

Outlook

I Implement Trace Abstraction algorithm for terminationarguments[1]

I Make use of Adjustable Block Encoding (ABE)

[1] M. Heizmann, J. Hoenicke, and A. Podelski: Termination analysis by learning terminating programs. [CAV’14]Thomas Bunk LMU Munich, Germany 19 / 20

Thank you for your attention!

LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...

Documents

Transcript of LTL Software Model Checking in CPAchecker · 2021. 1. 21. · Spec Parser & Results CFA Builder...

J/Ψ event selection algorithm - status

Solving Models with Heterogeneous Agents - KS algorithm

ΔRLE: Lossless data compression algorithm using delta ...

Alpha Algorithm: Limitations - courses.edsa-project.eu

Algorithm Complexity & Big-O Notation: From the Basics

Lecture 3 Symmetric encryption, IND-CPA, CTR, CBC

FlowMap based ALgorithm

CSCI 2100B Data Structures 1 Algorithm Analysis

Solving Double Digest Problem by Genetic Algorithm

EMD Algorithm

The exponential average algorithm with α

Enhancing the Quantum Linear Systems Algorithm using ...

CPA 2008 en El Comments En

6. Max-product algorithm - University Of Illinoisswoh.web.engr.illinois.edu/courses/IE598/handout/maxprod.pdf · 6. Max-product algorithm MAP elimination algorithm Max-product algorithm

CPA 2004: Mario Schweigler: Adding Mobility to KRoC.net 1 Adding Mobility to Networked Channel-Types Mario Schweigler Computing Laboratory, University.

Fm Spas120c en Dca

EM algorithm and applications Lecture #9

Supplementary Figure.1 NF- κ B p65 / β- actin protein ** ID8HM-1 1 2 3 ** * * * β-actin ID8 HM-1 +CPA(0.7uM)non-treat+CPA(7uM)+CPA(70uM) NF-κB p65 β-actin.

NACE - CPA - CPA - ΣΥΜΒΟΥΛΟΙ ΕΠΙΧΕΙΡΗΣΕΩΝ nace nace - cpa - cpa-,,,,, · ·,

Metropolis-Hasting Algorithm - University of Pennsylvania

Supplementary Figure.1 NF- κ B p65 / β- actin protein ID8HM-1 1 2 3 * * * β-actin ID8 HM-1 +CPA(0.7uM)non-treat+CPA(7uM)+CPA(70uM) NF-κB p65 β-actin.