Tools for Formal ModelingAnd Verification:

MOCHA, HeRMes, CHARON

Rajeev Alur Systems Design Research LabUniversity of Pennsylvaniawww.cis.upenn.edu/~alur/

Is Formal Verification Relevant toDeveloping Reliable Software?

Challenges:

Model checking does not scale!

There is a gap between model and code

Model

Code

Model-Based DesignRefinement

Code generation

Model ExtractionAbstraction

Promise of Model-Based Design

Standard engineering practice in control applications

Growing acceptance of modeling tools such as RationalRose, Simulink

But no formal semantics / analysis

Ad-hoc features

Increasingly powerful verification tools Formal modeling by itself is useful for

modularity, reusability, rapid prototyping

Talk Outline

MOCHA: Exploiting architectural hierarchy for modular model checking

HeRMes

CHARON

MOCHA Team

U PennRajeev AlurMinsu KangBow-yaw Wang

SUNY Stony BrookRadu Grosu

UC BerkeleyLuca de AlfaroTom HenzingerChristoph KirschFreddy Mang

Overview of MOCHA

GoalsExploit design structure for scalable model checkingCoherent integration of techniques

Key features Compositional modeling language: Reactive ModulesRefinement checking by assume-guarantee rulesGame-theoretic requirements of open systems: ATL

Hierarchical compression of internal transitions

Why Modular Reasoning?

Behavior of a component can be computed from behaviors of its parts

Components can be analyzed in isolation

Assume-guarantee rules -> Scalable analysisMocha Theme: Modular model checking!

Refinement CheckingProblem

Given modules Imp and Spec, check if every behavior of Imp is allowed by Spec: Imp < Spec

Why relevant ? Writing Spec as another module may be easier than

listing all temporal logic formulas of interestPromotes hierarchical design by successive

refinements

ExamplesCache-coherent memory < Abstract serial memoryPipelined implementation < ISA spec

Network protocol code < RFC spec

Refinement Verification

Goal: Given two models Imp and Spec, verify that Imp refines Spec

Methodology:Step 1: Using compositional rules, generate

simpler subgoals Step 2: For each subgoal I < S, introduce a

witness module W, and reduce the check to reachability analysis of I || W

Step 3: Apply an efficient reachability check

Point-to-Point Protocol

Popular networking protocol for establishing connections remotely

Goal: To verify the actual implementation

Specification: RFC 1661 (standard) Specified in tabular format

Implementation: ppp version 2.4.0 available in various Linux distributions C code

PPP Verification

Focus on option negotiation aspect of protocol

Manually constructed module I from C-code

Manually translated RFC spec to module S

Goal: To verify I < S Result: Discovered an inconsistency in

the code wrt specification

Assume Guarantee Reasoning

GOAL:

I0 I1 < S0 S1

LINK

REDUCES TO

I0 S1 < S0

LINK

Basis: formal compositional semantics of Reactive Modules

Classical Temporal Requirements

Safety propertiesMutual exclusion

Deadlock freedom

Liveness properties Every request is followed by response

Every reachable state has a path to reset state

Classical Temporal logic Linear-time (LTL) vs Branching-time (CTL)

Sample formulas:[] (pc1=cs -> pc2!=cs)

[] (req -> <> response)

Alternating Temporal Logic

Suitable for requirements of open systemsexplicit distinction between choices of system vs env

Sample game: system and env take turns

EF p AG p <sys> F p

Alternating Temporal Logic

In Mocha, multiple players that execute concurrently

Sample property <A,B> G pcan agents A and B collaborate to maintain invariant p?

existential over choices of A & B, universal over others

Can specify games and controllability

Recent application: Security protocols

More expressive than CTL

model checking via symbolic fixpoint computation

Talk Outline

MOCHA

HeRMes: Exploiting behavior hierarchy for formal verification

CHARON

Hermes Team

Rajeev AlurRadu GrosuMichael

McDougallJames Yang

Hierarchical State MachinesFormalism Introduced: 1987 by David Harel as Statecharts, Related notations: RSML, Modecharts, Roomcharts, Key component in OO Methods: UML, ROOM, OMT, etc.Software ILogix, ObjecTime, Rational, etc.

Application Area Automotive industry, avionics, etc.

Motivation for our work Statecharts semantics unclear Analysis cannot exploit hierarchical structure

Research Summary

Complexity bounds for model checking Analysis possible without flattening

Succinctness of hierarchical constructs Provably exponential

Formal compositional semantics Assume-guarantee proof calculus for

modes Hermes tool for Model checking

Reachability Analysis

What is the cost of concurrency and hierarchy ?

FSM : NLogSpace

Concurrent : PSPACEHierarchical: PTIME

Concurrent Hierarchical: EXPSPACE

Well structured: PSPACE

CTL is PSPACE !

The HeRMes Language

Hierarchical Reactive Machines– Graphical language– Processes run concurrently– Communication using shared variables

HRM Modes– Similar to finite state machines– Input, output and local variables– May contain sub-modes– May be re-used in many locations

Language Structure

Points:

Transitions:Guard: x & y

Action: y:=false

Modes: Mode M1

Submode M2

Reads: xWrites: yLocal: z

Exploiting Hierarchy in Enumerative Search

Local variables do not need to be stored when out of scope

Hierarchy gives efficient ways of storing state information

If a mode is used in two places it only needs to be searched once

Mode’s behavior only depends on readable variables - can ignore irrelevant variables

Exploiting Hierarchy in Symbolic Search

Transition relation is indexed by control points• generalization of conjunctively partitioned

bdds, Transition type exploited

• for early quantification in the symbolic search,

Reached state space indexed by control points• pool of variables is not global,

Mode definitions are shared among instances.

v2

inc

skpv3

w1

incskp

z

id

c

incskpskp

inc

v3

w0

inc

skp

w1

z

The Reached Set

R(c,z,w1,v3,hw1,hz)

R(c,z,w1,v3)

R(c,z,w1,v3,hw1)

R(c,z)

R(c,z,w1)

The reached set is indexed by control points:

• Each reached control point has an associated multi valued binary decision diagram (mdd),

• The set of variables of an mdd depends on the scope of the control point.

Talk Outline

MOCHA

HeRMes

CHARON: Hierarchical Hybrid Systems

CHARON Team

Rajeev Alur (CIS)Vijay Kumar (MEAM)Insup Lee (CIS)George Pappas (EE)Harvey Rubin (Med)

Calin BeltaThao DangJoel EspositoRafael FieroRadu Grosu

(StonyBrook)Yerang HurFranjo IvancicPradyumna MisraOleg Sokolsky

What are Hybrid Systems?

State machines

offon

+ Dynamical systems

dx=kxx<70

dx=-k’xx>60

x>68

x<63

Charon

Charon is a high-level modeling language and design environment reflecting state-of-the-art in formal as well as object oriented methods

Autonomous cooperating robots

Goal: Modular design, reusability, formal analysis

Research Summary

Language designFormal semantics

Compositional refinement calculus

Analysis toolsModular simulation

Accurate event detection

Model checking by predicate abstraction

Distributed simulation

Testing …..

Language Summary

Individual components described as agentsComposition, instantiation, and hiding

Individual behaviors described as modesEncapsulation, instantiation, and scoping

Support for concurrencyShared variables as well as message passing

Support for discrete and continuous behavior

Differential as well as algebraic constraints

Discrete transitions can call Java routines

Compositional Semantics

Mode should have a precise interface spec• Control interface: entry/exit points

• Data interface: shared (read/write, discrete/analog vars)

• Behaviors: traces over observables

Which properties are preserved?

Can we restrict reasoning to modified parts of design?

Modular Simulation

x.

y.

z. 1. Hierarchical modes can be

integrated at different time scales 2. Submodes viewed as black-boxes 3. Initial experimental results

encouraging

, x, inv1

,x,y,inv2

Goal: To speed up simulation by exploitingThe modular structure of specification

CHARON Applications

Multiagent robotics (DARPA MARS program)Collision avoidance, coordination, modular design

Automotive control (DARPA Mobies program)Verification/hierarchical design for Powertrain

Biological systems: Protein regulatory networksModeling/simulation of luminiscence in Vibrio Fisheri

Graphics: animation

Multiactor physics-based modeling and simulation

Vision-Based Control: Mode Switching

Motion Controller

Modes in Vision Based Control

Frame Grabber Actuators

AvoidObstacle

CollisionRecovery

EdgeDetector

CollisionDetector

Color BlobFinder

Robot PositionEstimator

TargetDetector

Range Mapper

Wall-Following

Control

Conclusions

Formal modeling and verification tools aimed at exploiting modularity and hierarchy, and automating compositional reasoning

Ongoing basic research

Discrete abstractions of hybrid systems

Compositionality for control systems

Better heuristics for exploiting hierarchy

Promising Opportunities

Collaborations

Bandera-style abstractions for hybrid systems

Reachability tools for hybrid systems

Integrating requirement languages (beyond temporal logics)

Case study: Programmable interface allowing formal/verified top-down design for an embedded device (e.g. a microwave oven)