Lucas Cordeiro [email protected]

Date post: 23-Feb-2016
Transcript

Slide 1

Lucas Cordeiro, [email protected]

Model Checking Embedded Systems

IAS Seminar

Slide 2

Career Summary

- BSc in Electrical Engineering, MSc/PhD in Computer Science
- research interests: algorithms, software engineering, formal verification, and embedded systems
- 39 reviewed publications, including 6 journal papers and 33 workshop/conference contributions
- distinguished paper awards at SAC'08 and ICSE'11, and two bronze medals at TACAS'12 and TACAS'13
- developer of the XMPM, STB225, and ESBMC tools
- research collaborations with Southampton and Stellenbosch
- research funding from Samsung, Nokia, and the Royal Society
- research team leader (one PhD, four MSc, and two BSc students)
- acting course leader of Electrical Engineering

Slide 3

Embedded systems are ubiquitous, but their verification becomes more difficult.

- an embedded system is part of a well-specified larger system (intelligent product)
  - automobiles, airplanes, communication systems, consumer electronics, medical systems
- embedded systems provide a number of distinctive characteristics
  - usually implemented in DSP, FPGA and C (mass production)
  - functionality determined by software in read-only memory
  - multi-core processors with scalable shared memory
  - limited amount of energy

Slide 4

Verification Methodologies for Embedded Systems

- verification of embedded systems raises additional challenges
  - handle concurrent software
  - meet time and energy constraints
  - legacy designs (usually written in low-level languages)
  - improve coverage and reduce verification time

Slide 5

Verification Challenges

[Figure: the specification and the embedded software are checked against a microprocessor model; test vectors are generated with constraints, e.g. assert data(x>0)[1..7]]

Slide 6

Bounded Model Checking (BMC)

Basic idea: check the negation of a given property up to a given depth

- transition system M unrolled k times
  - for programs: loops, arrays, ...
- translated into a verification condition that is satisfiable iff the property has a counterexample of max. depth k
- has been applied successfully to verify (embedded) software

[Figure: M0 → M1 → M2 → ... → Mk-1 → Mk over steps 0, 1, 2, ..., k-1, k; labels: counterexample trace, transition system, property, bound]

Slide 7

BMC of Multi-threaded Software

- concurrency bugs are tricky to reproduce because they usually occur under specific thread interleavings
- most common errors: 67% related to atomicity and order violations, 30% related to deadlock [Lu et al. 08]
- number of executions: O(n^s)
- hypothesis: SAT/SMT solvers produce unsatisfiable cores that allow removing possible undesired models of the system
- concurrency bugs are shallow [Qadeer & Rehof 05]

[Figure: Thread T1 executes a1, a2 and Thread T2 executes b1, b2; each context switch opens a new branch of the interleaving tree]

Slide 8

BMC of SystemC/C++

- SystemC consists of a set of C++ classes that simulates concurrent processes using plain C++
  - object-oriented design and template classes
- the standard C++ library complicates the VCs unnecessarily
- hypothesis: abstract representation of the standard C++ libraries to conservatively approximate their semantics

[Figure: Standard Libraries of C++ → Operational Model; C++ Programs → g++ compiler → executable file; C++ Programs and Operational Model → ESBMC++ → verification result]

Excerpt of the libstdc++ implementation of vector::_M_fill_insert shown on the slide (the slide cuts it off; the braces are closed here to keep the excerpt well-formed):

    template <typename _Tp, typename _Alloc>
    void vector<_Tp, _Alloc>::_M_fill_insert(iterator __position, size_type __n, const _Tp& __x)
    {
      if (__n != 0) {
        if (size_type(_M_end_of_storage - _M_finish) >= __n) {
          _Tp __x_copy = __x;
          const size_type __elems_after = _M_finish - __position;
          iterator __old_finish = _M_finish;
          if (__elems_after > __n) {
            uninitialized_copy(_M_finish - __n, _M_finish, _M_finish);
            _M_finish += __n;
            copy_backward(__position, __old_finish - __n, __old_finish);
            fill(__position, __position + __n, __x_copy);
          }
          // ... remainder of the function not shown on the slide
        }
      }
    }

Slide 9

BMC of Discrete-Time Systems

- discrete-time systems consist of a mathematical operator that maps one signal into another signal: Y(n) = T[x(n)]
- fixed-point implementation leads to errors due to the finite word-length
  - overflow and wrap-around: for a fixed-point format with k integer bits and l fractional bits, MAX = 2^(k-1) - 2^(-l) and MIN = -2^(k-1)
  - limit cycle
  - time constraint
- hypothesis: a discrete-time system realization has a rigid structure
  - simplify the models according to the property to be verified

[Figure: X(n) → T[.] → Y(n) = T[x(n)]]
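The finite word-length effects of slide 9 worked through in Python, as an added example that is not part of the presentation: the class name and the Q(k,l) layout (k integer bits including the sign, l fractional bits) are assumptions; it computes the MAX/MIN bounds from the slide and shows an overflowing addition wrapping around.

```python
# Added example (not from the slides): a fixed-point format with k integer
# bits (sign included) and l fractional bits, giving the MAX/MIN bounds from
# slide 9 and a model of what an overflow does when the register wraps
# around instead of saturating.
from fractions import Fraction


class FixedPoint:
    """Two's-complement fixed-point format with k integer and l fractional bits."""

    def __init__(self, k, l):
        self.k, self.l = k, l
        self.width = k + l                      # total register width in bits
        self.raw_max = 2 ** (self.width - 1) - 1
        self.raw_min = -(2 ** (self.width - 1))

    # Slide 9: MAX = 2^(k-1) - 2^(-l) and MIN = -2^(k-1), as exact rationals
    def max_value(self):
        return Fraction(2) ** (self.k - 1) - Fraction(1, 2 ** self.l)

    def min_value(self):
        return -(Fraction(2) ** (self.k - 1))

    def to_real(self, raw):
        """Interpret a raw register value as the real number it encodes."""
        return Fraction(raw, 2 ** self.l)

    def wrap(self, raw):
        """Reduce an out-of-range result the way a (k+l)-bit register does."""
        half = 2 ** (self.width - 1)
        return (raw + half) % (2 * half) - half

    def add(self, x, y):
        """Add two raw operands; return (wrapped result, overflow flag)."""
        exact = x + y
        overflow = exact > self.raw_max or exact < self.raw_min
        return self.wrap(exact), overflow


def first_overflow(fmt, samples):
    """Bounded search over operand pairs: the first pair that overflows, or None."""
    for x in samples:
        for y in samples:
            if fmt.add(x, y)[1]:
                return (x, y)
    return None
```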

Slides 10-11

Software BMC using ESBMC

- program modelled as state transition system
  - state: program counter and program variables
  - derived from control-flow graph
  - checked safety properties give extra nodes
- program unfolded up to given bounds
  - loop iterations
  - context switches
- unfolded program optimized to reduce blow-up (crucial)
  - constant propagation
  - forward substitutions
- front-end converts the unrolled and optimized program into SSA
- extraction of constraints C and properties P
  - specific to the selected SMT solver, uses theories
- satisfiability check of C together with the negation of P

Running example (i and x are deliberately left uninitialized, so they are nondeterministic):

    #include <assert.h>

    int main() {
      int a[2], i, x;
      if (x == 0) a[i] = 0;
      else a[i + 2] = 1;      /* out of bounds for any i >= 0 */
      assert(a[i + 1] == 1);
    }

SSA form of the running example:

    g1 = x1 == 0
    a1 = a0 WITH [i0 := 0]
    a2 = a0
    a3 = a2 WITH [2 + i0 := 1]
    a4 = g1 ? a1 : a3
    t1 = a4[1 + i0] == 1
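The SSA form of slides 10-11 as a brute-force bounded check, an added example rather than ESBMC's own code: the function names, the modelled bounds checks on the two-element array and the small domains searched are assumptions.

```python
# Added example (not from the slides): the SSA form of the running example on
# slides 10-11, written as Python constraints and checked by brute force over a
# small domain, i.e. a search for a model of "C and not P". Arrays are dicts so
# that "a WITH [i := v]" is a functional store, as in the SMT array theory.
import itertools


def store(arr, idx, val):
    """a WITH [idx := val]: return an updated copy, the original is untouched."""
    new = dict(arr)
    new[idx] = val
    return new


def ssa_constraints(x1, i0, a0):
    """Constraints C: the SSA assignments; returns g1 and the final array a4."""
    g1 = (x1 == 0)
    a1 = store(a0, i0, 0)            # a1 = a0 WITH [i0 := 0]
    a2 = a0                          # a2 = a0
    a3 = store(a2, 2 + i0, 1)        # a3 = a2 WITH [2 + i0 := 1]
    a4 = a1 if g1 else a3            # a4 = g1 ? a1 : a3
    return g1, a4


def properties(g1, i0, a4):
    """Properties P: the user assertion t1 plus the bounds checks that the
    checked safety properties add for the two-element array a (modelled here)."""
    t1 = a4.get(1 + i0, 0) == 1      # t1 = a4[1 + i0] == 1 (unwritten cells read 0)
    written = i0 if g1 else 2 + i0   # index stored on the branch taken
    in_bounds = 0 <= written < 2 and 0 <= 1 + i0 < 2
    return t1, in_bounds


def bmc(indices=range(-2, 4), values=(0, 1)):
    """Enumerate x, i and the nondeterministic initial array a0 over a small
    domain; return the first assignment violating P, or None if none exists."""
    keys = list(indices)
    for x1 in values:
        for i0 in indices:
            for vals in itertools.product(values, repeat=len(keys)):
                a0 = dict(zip(keys, vals))
                g1, a4 = ssa_constraints(x1, i0, a0)
                t1, in_bounds = properties(g1, i0, a4)
                if not (t1 and in_bounds):
                    return {"x": x1, "i": i0, "a0": a0,
                            "assert_holds": t1, "in_bounds": in_bounds}
    return None
```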

Slide 12

Context-Bounded Model Checking in ESBMC

Idea: iteratively generate all possible interleavings and call the BMC procedure on each interleaving

- combines
  - symbolic model checking: on each individual interleaving
  - explicit state model checking: explore all interleavings
- bound the number of context switches allowed among threads

Slides 13-18

Lazy Exploration of the Reachability Tree

The slides build up a reachability tree whose nodes are tuples ⟨active thread, context bound, global and local variables⟩; node 0 is the initial state:

    0: ⟨tmain,     0, val1=0, val2=0, m1=0, m2=0⟩
    1: ⟨ttwoStage, 1, val1=0, val2=0, m1=1, m2=0⟩
    2: ⟨ttwoStage, 2, val1=1, val2=0, m1=1, m2=0⟩
    3: ⟨treader,   2, val1=0, val2=0, m1=1, m2=0⟩
    4: ⟨treader,   1, val1=0, val2=0, m1=1, m2=0⟩
    5: ⟨ttwoStage, 2, val1=0, val2=0, m1=1, m2=0⟩
    6: ⟨treader,   2, val1=0, val2=0, m1=1, m2=0⟩

- nodes are expanded by syntax-directed expansion rules; the edges CS1 and CS2 mark the first and second context switch
- when an interleaving is completed, single-threaded BMC is called on it
- blocked execution paths are eliminated: symbolic execution can statically determine that a path is blocked (encoded in the instrumented mutex operations)
- the exploration then backtracks to the last unexpanded node and continues

Slide 19

Achievements

- proposed the first SMT-based context-BMC for full C
  - verifies single- and multi-threaded software (ASE'09, distinguished paper award at ICSE'11, TSE'12)
  - discrete-time systems (SBrT'13) and C++ (ECBS'13)
  - combines plain BMC with k-induction (TACAS'13, SBESC'13)
- found undiscovered bugs related to arithmetic overflow, buffer overflow, and invalid pointers in standard benchmarks, confirmed by the benchmark creators (NOKIA, NEC, NXP)
- most prominent BMC tool (two bronze medals in the overall ranking at TACAS'12 and TACAS'13)
- users of our ESBMC model checker: Airbus, Fraunhofer-Institut (Germany), LIAFA laboratory (France), University of Tokyo (Japan), Nokia Institute of Technology (Brazil)

Slide 20

Fault Localization (Joint Work with IAS)

- manual localization and correction takes significant time
- debugging consists of failure detection, fault localization, and fault correction
- apply automated fault localization to embedded software

Slide 21

Fault Localization: Running Example

    c = a + b;
    d = a b;          /* the operator between a and b was lost in the transcript */
    if (a % 2 == 0) {
      int e;
      a = e;          /* e is read uninitialized */
    }
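Going back to the context-bounded lazy exploration of slides 12 to 18 (and the interleaving blow-up of slide 7), here is an added example that is not the slides' or ESBMC's code: the two thread programs, the mutex model, the checked property and the function names are all constructed for it.

```python
# Added example (not the slides' code): lazy depth-first exploration of the
# reachability tree under a context-switch bound, as on slides 12-18; the two
# thread programs, the mutex model and the checked property are constructed.
THREADS = {
    "ttwoStage": [("lock", "m1"), ("set", "val1", 1), ("unlock", "m1"),
                  ("lock", "m2"), ("set", "val2", 2), ("unlock", "m2")],
    "treader": [("lock", "m1"), ("read", "val1"), ("unlock", "m1"),
                ("lock", "m2"), ("read", "val2"), ("unlock", "m2")]}

def step(state, tid):
    """Run the next statement of thread tid; None if the path is blocked."""
    pcs, glob, loc = state
    kind, name, *val = THREADS[tid][pcs[tid]]
    glob, loc = dict(glob), {t: dict(v) for t, v in loc.items()}
    if kind == "lock" and glob[name]:
        return None                       # mutex already held: eliminate path
    if kind in ("lock", "unlock"):
        glob[name] = int(kind == "lock")
    elif kind == "set":
        glob[name] = val[0]
    else:                                 # "read": copy a global into a local
        loc[tid][name] = glob[name]
    return {**pcs, tid: pcs[tid] + 1}, glob, loc

def single_threaded_bmc(state):
    """Stand-in for per-interleaving BMC: reader must not see val2 set while val1 is 0."""
    r = state[2]["treader"]
    return not (r.get("val2", 0) == 2 and r.get("val1", 0) == 0)

def explore(bound):
    """DFS with at most `bound` context switches: (completed, blocked, violations)."""
    init = ({t: 0 for t in THREADS}, {"val1": 0, "val2": 0, "m1": 0, "m2": 0},
            {t: {} for t in THREADS})
    done = blocked = bad = 0
    stack = [(init, None, 0)]             # (state, active thread, switches)
    while stack:
        state, active, cs = stack.pop()
        runnable = [t for t in THREADS if state[0][t] < len(THREADS[t])]
        if not runnable:                  # interleaving completed: call BMC
            done, bad = done + 1, bad + (not single_threaded_bmc(state))
            continue
        for t in runnable:
            n_cs = cs + (active is not None and t != active)
            if n_cs <= bound:             # otherwise: beyond the context bound
                nxt = step(state, t)
                if nxt is None:
                    blocked += 1          # statically blocked path, eliminated
                else:
                    stack.append((nxt, t, n_cs))
    return done, blocked, bad
```

With bound 1 only the two sequential interleavings complete and the property holds; bound 2 admits the interleaving in which the reader observes val1 before and val2 after the writer ran, which violates it.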

Slide 22

Future Work

- verify SystemC within the context of C++
  - operational model to allow functional verification
  - analyze the proof of unsatisfiability to remove behaviour that is not relevant to check a given property
- design and verify discrete-time systems
- fault localization
  - extend the range of properties
- prove the correctness and timeliness of systems via mathematical induction
  - heap-manipulating programs
- integrate methods to localize faults in industrial automation systems

[Figure: timeline along the x-axis (Time) with the phase labels Specify, Localize, Debug, Design, Correct, Detect, in the order they were extracted]

