Posted 24-Feb-2016 (transcript of a PowerPoint presentation)

Model Checking Büchi Pushdown Systems

Presented by Rustan Leino

Juncao Li and Fei Xie, Dept. of Computer Science, Portland State University
Thomas Ball and Vladimir Levin, Microsoft Corporation

Hardware/Software (HW/SW) Interfaces are Pervasive…

Windows XP
◦ Over 35,000 drivers (over 100,000 versions) for different devices (Murphy and Garzia, 2004)

Linux
◦ 70% of the code is for drivers that operate hardware (Chou, et al., 2001)

And Unreliable…

In Windows
◦ Drivers cause 85% of reported failures (Swift, 2005)
◦ At least 52.6% of Windows crashes involve HW/SW interaction (Sinha, 2005)

In Linux
◦ Seven times more driver failures (Chou, et al., 2001)

Many issues are never captured by such statistics …
◦ e.g., device/driver I/O hangs

What we have done (FASE’10, CAV’10)

◦ Formal specification framework: specify a hardware model for verifying software
◦ Unifying formal model: Labeled Pushdown System (LPDS) as the software model, Büchi automaton (BA) as the hardware model, Büchi Pushdown System (BPDS): BA × LPDS
◦ Reachability analysis algorithm for BPDS, with static partial order reduction
◦ Discovered 12 bugs in 5 Windows drivers

Need more?

Why? (system responsiveness)
◦ Software commands will always be acknowledged
◦ I/O will not hang

How?
◦ Specify the properties in Linear Temporal Logic (LTL)
◦ Model checking algorithm for checking liveness properties of BPDS
◦ Reduction algorithm: static partial order reduction

Where are we …
◦ Introduction
◦ Preliminaries
◦ Algorithms: Model Checking, Reduction
◦ Examples & Evaluation
◦ Conclusion

Büchi Automaton (BA)

A BA is a tuple B = (Σ, Q, δ, q0, F), where (Σ and δ are the conventional names; only Q, q0 and F survived extraction of the slide)
◦ Σ, the alphabet
◦ Q, the finite set of states
◦ δ, the set of state transitions
◦ q0, the initial state
◦ F, the set of final states

The alphabet is defined on the states of the LPDS
◦ the LPDS is the generator of inputs to the BA
◦ example input from the slide's figure: WRITE_REGISTER_UCHAR(foo, 32)

Labeled Pushdown System (LPDS)

An LPDS is a tuple P = (I, G, Γ, Δ, ⟨g0, ω0⟩), where (Γ, Δ and ω0 are the conventional names; only I, G and g0 survived extraction of the slide)
◦ I, the input alphabet
◦ G, finite set of global states
◦ Γ, finite stack alphabet
◦ ⟨g0, ω0⟩, initial configuration
◦ Δ ⊆ (G × Γ) × I × (G × Γ*), the set of transition rules

Labeling Functions (slide figure)

BPDS … (slide figure)


Model Checking Problem

Find a trace that
◦ starts from the initial state
◦ visits the final states infinitely often
◦ satisfies the fairness requirement: infinitely many hardware transitions (from the BA) and infinitely many software transitions (from the LPDS)

Model Checking Algorithm

Detect the loops in the BPDS that
◦ visit the final states
◦ contain at least one hardware transition
◦ contain at least one software transition
using the backward reachability analysis algorithm of pushdown systems (Schwoon, 2002)

Check if one of the loops is reachable from the initial state
◦ reachability checking (FASE’2010, CAV’2010)


Static Partial Order Reduction

Partial order reduction
◦ Exploits commutativity of concurrent transitions
◦ Usually applied during model checking

Static – applied at compile time
◦ NO modification to the model checker
◦ Can be applied with other techniques, e.g., co-simulation (Kuznetsov, 2010)
◦ May be less effective in reduction

State Graph (slide figure): LPDS self-loops, BA self-loops, BA and LPDS both transition

An Intuition of the Reduction (slide figure): LPDS self-loops, BA self-loops, BA and LPDS both transition

What to reduce?

SensitiveSet
◦ when HW/SW interface events happen, e.g., HW interrupt, SW writes to HW register

VisibleSet
◦ when the propositional variables of the LTL formula are affected

LoopSet
◦ when this is the last HW (or SW) transition in a loop – fairness constraint


Example (Software / Hardware model)

Software:

void main()
begin
  decl v0, v1, v2;
  v0, v1, v2 := 1,1,1;
  sw_reset: reset();
  // wait for the reset to complete
  v1,v0 := status();
  while(!v1|v0) do v1,v0 := status(); od
  // wait for the counter to increase
  v2,v1,v0 := rd_reg();
  while(!v2) do v2,v1,v0 := rd_reg(); od
  // if the return value is valid
  if(v1|v0) then error: skip; fi
  exit: return;
end

Hardware:

// represent HW registers
decl c0,c1,c2,r,s;
__atomic void reset() begin reset_cmd: r := 1; end
__atomic bool<2> status() begin return s,r; end
__atomic bool<3> rd_reg() begin return c2,c1,c0; end

// HW instrumentation function
void HWInstr() begin while(*) do HWModel(); od end

// Asynchronous HW model
__atomic void HWModel()
begin
  if(r) then reset_act: c2,c1,c0,r,s := 0,0,0,0,1;
  elseif(s) then inc_reg();
  fi
end

__atomic void inc_reg()
begin
  if(!c0) then c0 := 1;
  elseif(!c1) then c1,c0 := 1,0;
  elseif(!c2) then c2,c1,c0 := 1,0,0;
  fi
end

With reduction

LTL formula: G (sw_reset -> (F reset_act))

The slide annotates the example's transitions with the three reduction sets: SensitiveSet, VisibleSet, LoopSet (slide figure).


Evaluation

Designed a BPDS template to generate BPDS models with different complexities

Verified eleven LTL formulae

Observations
◦ 80% average reduction in time usage
◦ 35% average reduction in memory usage
◦ One space-out (memory exhaustion) without reduction

The reduction is effective since HW and SW transitions are mostly asynchronous


Conclusion

We have presented
◦ A model checking algorithm for BPDS
◦ A static partial order reduction algorithm for BPDS

Take away with you …
◦ The model checking algorithm can be implemented based on existing liveness verification engines of pushdown systems
◦ The reduction algorithm has a broader application, e.g., co-simulation

Future work
◦ Realize the liveness checking on BPDS specified in the C language
◦ Co-simulation that utilizes our reduction algorithm

References

Murphy, B., Garzia, M.R.: Software reliability engineering for mass market products. Available in: http://www.softwaretechnews.com (2004)
Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating systems errors. In: Proc. of SOSP (2001)
Swift, M.M.: Improving the Reliability of Commodity Operating Systems. PhD thesis (2005)
Sinha, A.: Windows driver quality signature. Available in: http://www.microsoft.com (2005)
Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis (2002)
Li, J., Xie, F., Ball, T., Levin, V., McGarvey, C.: An Automata-Theoretic Approach to Hardware/Software Co-verification. In: Proc. of FASE (2010)
Li, J., Xie, F., Ball, T., Levin, V.: Efficient Reachability Analysis of Büchi Pushdown Systems for Hardware/Software Co-verification. In: Proc. of CAV (2010)
Kuznetsov, V., Chipounov, V., Candea, G.: Testing closed-source binary device drivers with DDT. In: Proc. of USENIX ATC (2010)
