CMU CS 15414 - lecture 06_MC
Slide 1: Lecture 1: Model Checking
Edmund Clarke, School of Computer Science, Carnegie Mellon University

Slide 2: Cost of Software Errors
June 2002. "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually, or about 0.6 percent of the gross domestic product... At the national level, over half of the costs are borne by software users and the remainder by software developers/vendors."
NIST Planning Report 02-3, The Economic Impacts of Inadequate Infrastructure for Software Testing

Slide 3: Cost of Software Errors (continued)
"The study also found that, although all errors cannot be removed, more than a third of these costs, or an estimated $22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier and more effective identification and removal of software defects."

Slide 4: Model Checking
• Developed independently by Clarke and Emerson and by Queille and Sifakis in the early 1980s.
• Properties are written in propositional temporal logic.
• Systems are modeled by finite state machines.
• The verification procedure is an exhaustive search of the state space of the design.
• Model checking complements testing/simulation.

Slide 5: Advantages of Model Checking
• No proofs!!!
• Fast (compared to other rigorous methods)
• Diagnostic counterexamples
• No problem with partial specifications / properties
• Logics can easily express many concurrency properties

Slide 6: Model of computation
A state-transition graph describes the system evolving over time. Microwave Oven Example: each state is labeled with the atomic propositions Start, Close, Heat and Error that hold in it (~ marks a proposition that is false there). The seven states of the figure are:
  ~Start ~Close ~Heat ~Error
   Start ~Close ~Heat  Error
  ~Start  Close ~Heat ~Error
  ~Start  Close  Heat ~Error
   Start  Close  Heat ~Error
   Start  Close ~Heat ~Error
   Start  Close ~Heat  Error
The transitions between them are drawn in the figure and are not reproduced in this text.

Slide 7: Temporal Logic
The oven doesn't heat up until the door is closed.
"Not heat_up holds until door_closed": (~heat_up) U door_closed

Slide 8: Basic Temporal Operators
• Fp - p holds sometime in the future.
• Gp - p holds globally in the future.
• Xp - p holds next time.
• pUq - p holds until q holds.
The symbol "p" is an atomic proposition, e.g. "heat_up" or "door_closed".

Slide 9: Model Checking Problem
Let M be a model, i.e., a state-transition graph.
Let f be the property in temporal logic.
Find all states s such that M has property f at state s.
Efficient Algorithms: CE81, CES83

Slide 10: The EMC System 1982/83
Preprocessor -> Model Checker (EMC). Inputs: a state transition graph (10^4 to 10^5 states) and the properties. Output: true, or counterexamples.

Slide 11: Model Checker Architecture
System Description and Formal Specification -> Model Checker -> Validation or Counterexample.
State Explosion Problem!!

Slide 12: The State Explosion Problem
System Description -> State Transition Graph.
Combinatorial explosion of system states renders explicit model construction infeasible.
Exponential growth of ...
  ... the global state space in the number of concurrent components.
  ... the number of memory states in the memory size.
The feasibility of model checking is inherently tied to handling state explosion.

Slide 13: Combating State Explosion
• Binary Decision Diagrams can be used to represent state transition systems more efficiently. Symbolic Model Checking 1992
• Semantic techniques for alleviating state explosion:
  – Partial Order Reduction.
  – Abstraction.
  – Compositional reasoning.
  – Symmetry.
  – Cone of influence reduction.
  – Semantic minimization.

Slide 14: Model Checking since 1981
1981  CTL Model Checking - Clarke / Emerson; Queille / Sifakis
1982  EMC: Explicit Model Checker - Clarke, Emerson, Sistla
1990  Symbolic Model Checking - Burch, Clarke, Dill, McMillan
1992  SMV: Symbolic Model Verifier - McMillan
1998  Bounded Model Checking using SAT - Biere, Clarke, Zhu
2000  Counterexample-guided Abstraction Refinement - Clarke, Grumberg, Jha, Lu, Veith
(The vertical axis of the figure shows the number of states handled, growing from 1 through 10^5 and 10^100 to 10^1000.)
1990s: Formal Hardware Verification in Industry: Intel, IBM, Motorola, etc.

Slide 15: Model Checking since 1981 (continued)
The same timeline, extended with the software model checkers CBMC and MAGIC.

Slide 16: Grand Challenge: Model Check Software!
What makes Software Model Checking different?

Slide 17: What Makes Software Model Checking Different?
• Large/unbounded base types: int, float, string
• User-defined types/classes
• Pointers/aliasing + unbounded numbers of heap-allocated cells
• Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading
• Concurrency + unbounded numbers of threads

Slide 18: What Makes Software Model Checking Different? (continued)
• Templates/generics/include files
• Interrupts/exceptions/callbacks
• Use of secondary storage: files, databases
• Absent source code for: libraries, system calls, mobile code
• Esoteric features: continuations, self-modifying code
• Size (e.g., MS Word = 1.4 MLOC)

Slide 19: Grand Challenge: Model Check Software!
Early attempts in the 1980s failed to scale.
2000s: renewed interest / demand:
  Java Pathfinder: NASA Ames
  SLAM: Microsoft
  Bandera: Kansas State
  BLAST: Berkeley
  ...
SLAM to be shipped to Windows device driver developers.
In general, these tools are unable to handle complex data structures and concurrency.

Slide 20: The MAGIC Tool: Counterexample-Guided Abstraction Refinement
Figure: many concrete memory states are mapped by the abstraction to a single abstract memory state.
Abstraction maps classes of similar memory states to single abstract memory states.
+ Model size drastically reduced.
- Invalid counterexamples possible.

The preview ends here. The remaining slides in the deck's outline are slide 21 (MAGIC, continued), slide 22 (CBMC: Embedded Systems Verification) and slide 23 (Case Study: Verification of MicroC/OS).
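The model, operators and model checking problem of slides 6 to 9 as one worked example. This is an added example, not code from the lecture: an explicit-state CTL model checker in the labelling style of CE81/CES83 (slide 9), run on the microwave oven of slide 6. The seven states and their labels are taken from slide 6; the transition relation is not in the extracted text, so the EDGES below are an assumption that follows the textbook version of this example. The tuple encoding of formulas and the names sat, pre, counterexample_AG and lasso_witness are this example's own. It also shows the "diagnostic counterexamples" of slide 5: a liveness property that fails, with the finite prefix and loop that refute it.

```python
# Added example (not from the lecture): explicit-state CTL model checking of the
# microwave oven from slide 6, in the labelling style of CE81/CES83 (slide 9).
# State labels are from slide 6. The transition relation is NOT in the extracted
# text; EDGES is an ASSUMPTION following the textbook version of this example.

STATES = {  # state -> atomic propositions that hold there (absent = false, i.e. "~")
    1: set(),                        # ~Start ~Close ~Heat ~Error
    2: {"Start", "Error"},           #  Start ~Close ~Heat  Error
    3: {"Close"},                    # ~Start  Close ~Heat ~Error
    4: {"Close", "Heat"},            # ~Start  Close  Heat ~Error
    5: {"Start", "Close", "Error"},  #  Start  Close ~Heat  Error
    6: {"Start", "Close"},           #  Start  Close ~Heat ~Error
    7: {"Start", "Close", "Heat"},   #  Start  Close  Heat ~Error
}
EDGES = {  # ASSUMED transitions; every state has a successor, as CTL semantics requires
    1: {2, 3},     # start oven with the door open (-> Error) / close door
    2: {5},        # close door
    3: {1, 6},     # open door / start oven
    4: {1, 3, 4},  # open door / done / keep cooking
    5: {2, 3},     # open door / reset
    6: {7},        # warm up
    7: {4},        # start cooking
}

def pre(target, edges):
    """EX target: states with at least one successor in target."""
    return {s for s, succ in edges.items() if succ & target}

def sat(f, states=STATES, edges=EDGES):
    """Set of states satisfying CTL formula f, written as nested tuples:
    ("true",), ("ap", name), ("not", f), ("and", f, g), ("or", f, g), ("implies", f, g),
    ("EX", f), ("EU", f, g), ("EG", f) are primitive; EF, AF, AG, AU are rewritten."""
    op = f[0]
    rec = lambda g: sat(g, states, edges)
    if op == "true":
        return set(states)
    if op == "ap":
        return {s for s in states if f[1] in states[s]}
    if op == "not":
        return set(states) - rec(f[1])
    if op == "and":
        return rec(f[1]) & rec(f[2])
    if op == "or":
        return rec(f[1]) | rec(f[2])
    if op == "implies":
        return rec(("or", ("not", f[1]), f[2]))
    if op == "EX":
        return pre(rec(f[1]), edges)
    if op == "EF":
        return rec(("EU", ("true",), f[1]))
    if op == "AF":
        return rec(("not", ("EG", ("not", f[1]))))
    if op == "AG":
        return rec(("not", ("EF", ("not", f[1]))))
    if op == "AU":  # A[p U q] == not( E[~q U (~p & ~q)] or EG ~q )
        p, q = f[1], f[2]
        return rec(("not", ("or", ("EU", ("not", q), ("and", ("not", p), ("not", q))),
                                   ("EG", ("not", q)))))
    if op == "EU":  # least fixpoint  Z = q | (p & EX Z)
        p, q = rec(f[1]), rec(f[2])
        z = set(q)
        while True:
            nz = z | (p & pre(z, edges))
            if nz == z:
                return z
            z = nz
    if op == "EG":  # greatest fixpoint  Z = p & EX Z
        p = rec(f[1])
        z = set(p)
        while True:
            nz = p & pre(z, edges)
            if nz == z:
                return z
            z = nz
    raise ValueError(f"unknown operator {op}")

def counterexample_AG(inner, init, states=STATES, edges=EDGES):
    """Diagnostic counterexample when AG inner fails at init: a shortest path (BFS)
    from init to a state violating inner, or None if AG inner holds at init."""
    bad = set(states) - sat(inner, states, edges)
    parent, queue = {init: None}, [init]
    for s in queue:
        if s in bad:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in sorted(edges[s]):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

def lasso_witness(s, inner, states=STATES, edges=EDGES):
    """Witness for EG inner at s: an infinite path that stays inside sat(EG inner),
    returned as (prefix, loop). Every state of that fixpoint has a successor in it."""
    good = sat(("EG", inner), states, edges)
    assert s in good, "EG inner does not hold at s"
    path = [s]
    while True:
        nxt = min(edges[path[-1]] & good)
        if nxt in path:
            i = path.index(nxt)
            return path[:i], path[i:]
        path.append(nxt)

HEAT, START, CLOSE = ("ap", "Heat"), ("ap", "Start"), ("ap", "Close")
# slide 7, read as a CTL property: on every path ~Heat holds until Close holds
NO_HEAT_UNTIL_CLOSED = ("AU", ("not", HEAT), CLOSE)
# a liveness property: whenever Start holds, heating eventually follows on every path
START_IMPLIES_HEAT = ("AG", ("implies", START, ("AF", HEAT)))

if __name__ == "__main__":
    print("A[~Heat U Close] holds in:", sorted(sat(NO_HEAT_UNTIL_CLOSED)))
    print("AG(Start -> AF Heat) holds in:", sorted(sat(START_IMPLIES_HEAT)))
    prefix = counterexample_AG(("implies", START, ("AF", HEAT)), 1)
    print("counterexample: prefix", prefix, "then loop", lasso_witness(prefix[-1], ("not", HEAT)))
```

Under the assumed transitions the slide 7 property holds in every state, while AG(Start -> AF Heat) holds nowhere: from state 1 the oven can be started with the door open (state 2) and then cycle between states 2 and 5 without ever heating, which is exactly the prefix-plus-loop counterexample the checker returns. The two fixpoint loops are the whole algorithm; everything from slide 13 onward is about making them scale when the graph can no longer be enumerated like this.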
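The abstraction of slide 20 and the counterexample-guided refinement entry of the slide 14 timeline, as an added example that is not MAGIC's own code. The locking program, the bound N that keeps the concrete state space finite, the predicate pool and every function name are constructed for illustration, in the spirit of the device-driver locking examples the SLAM/BLAST work used. Refinement is simplified: the abstract state where the counterexample breaks is split by a predicate chosen from a fixed pool because it separates the dead-end states from the states that really make the bad step, whereas a real tool derives that predicate from the spurious path itself.

```python
# Added example (not MAGIC's code): counterexample-guided abstraction refinement on a
# constructed locking program in the style of the SLAM/BLAST examples. The program,
# the bound N, the predicate pool and all function names are this example's own.
from itertools import product

N = 4                # constructed bound on the counter, so the concrete state space is finite
ERROR = "ERROR"      # reached by lock() while locked or unlock() while unlocked
INIT = (0, 0, 0, 0)  # concrete state = (pc, locked, old, new)

def step(s):
    """Concrete successors. The program, one state per pc:
    0: lock()   1: old = new   2: if (*) goto 3 else goto 5   3: unlock()
    4: new++    5: if new != old goto 0 else goto 6        6: unlock()   7: halt"""
    pc, locked, old, new = s
    if pc == 0: return [(1, 1, old, new)] if not locked else [ERROR]
    if pc == 1: return [(2, locked, new, new)]
    if pc == 2: return [(3, locked, old, new), (5, locked, old, new)]  # nondeterministic branch
    if pc == 3: return [(4, 0, old, new)] if locked else [ERROR]
    if pc == 4: return [(5, locked, old, (new + 1) % N)]
    if pc == 5: return [(0, locked, old, new)] if new != old else [(6, locked, old, new)]
    if pc == 6: return [(7, 0, old, new)] if locked else [ERROR]
    return [s]  # halted

ALL_STATES = list(product(range(8), (0, 1), range(N), range(N)))

# predicates over concrete states; a real tool derives these from the program text
def locked(s): return s[1] == 1
def counter_zero(s): return s[3] == 0          # decoy: never separates anything here
def counter_stable(s): return s[2] == s[3]     # old == new, the lost correlation
POOL = [locked, counter_zero, counter_stable]

def alpha(s, preds):
    """Abstraction of slide 20: keep the pc, replace the data by the predicate values."""
    return ERROR if s == ERROR else (s[0], tuple(bool(p(s)) for p in preds))

def abstract_graph(preds):
    """Existential abstraction: a -> b iff some concrete s -> t has alpha(s)=a, alpha(t)=b.
    Built over ALL concrete states, as a tool works from the program text rather than
    from a reachable set it cannot compute; that over-approximation admits spurious paths."""
    g = {}
    for s in ALL_STATES:
        g.setdefault(alpha(s, preds), set()).update(alpha(t, preds) for t in step(s))
    return g

def find_path(g, src, dst):
    """Shortest abstract path from src to dst (BFS), or None."""
    parent, queue = {src: None}, [src]
    for a in queue:
        if a == dst:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for b in sorted(g.get(a, ()), key=str):
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None

def simulate(path, preds, init):
    """Replay an abstract path on the concrete program. Returns (None, None) if it is a
    real path, else (i, dead_ends): the position whose concrete states cannot reach path[i+1]."""
    frontier = {init}
    for i in range(1, len(path)):
        nxt = {t for s in frontier for t in step(s) if alpha(t, preds) == path[i]}
        if not nxt:
            return i - 1, frontier
        frontier = nxt
    return None, None

def refine(path, i, dead_ends, preds, pool):
    """Split abstract state path[i]: pick a pool predicate separating the dead-end states
    from the 'bad' concrete states of path[i] that really do step into path[i+1]."""
    bad = [s for s in ALL_STATES if alpha(s, preds) == path[i]
           and any(alpha(t, preds) == path[i + 1] for t in step(s))]
    for p in pool:
        if p not in preds and {p(d) for d in dead_ends}.isdisjoint({p(b) for b in bad}):
            return p
    raise RuntimeError("no separating predicate in pool")

def cegar(pool, init=INIT):
    """Returns ("SAFE", preds, spurious_paths) or ("BUG", preds, [real_path])."""
    preds, log = [], []
    while True:
        path = find_path(abstract_graph(preds), alpha(init, preds), ERROR)
        if path is None:
            return "SAFE", preds, log
        i, dead = simulate(path, preds, init)
        if i is None:
            return "BUG", preds, [path]
        log.append((path, i))  # invalid counterexample, stuck at path[i]
        preds.append(refine(path, i, dead, preds, pool))

if __name__ == "__main__":
    verdict, preds, log = cegar(POOL)
    print(verdict, "with", [p.__name__ for p in preds], "after", len(log), "refinements")
    print(cegar(POOL, init=(0, 1, 0, 0))[0], "when the program starts with the lock held")
```

With no predicates the abstract model is just the control-flow graph and reports lock() failing at pc 0; replaying it concretely shows the lock is free, so `locked` is added. The second abstraction still reports an error, through pc 5 looping back to pc 0 with the lock held: that transition exists because some concrete state at pc 5 with old != new does it, but the only state the real program reaches there has old == new. Adding `counter_stable` splits that abstract state and the third abstraction is safe. Starting with the lock already held gives a counterexample that replays concretely, i.e. a real bug, which is the "true or counterexample" outcome of slides 10 and 11 rather than an invalid one.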