Model Checking with Automatic Guidance Samik Basu1 and Diptikalyan Saha2 1
Department of Computer Science, Iowa State University, Ames, IA 50014 E-mail:
[email protected] 2 Department of Computer Science State University of New York at Stony Brook, Stony Brook, NY 11794 E-mail:
[email protected]
Abstract. Model checking involves exploring state-space of system model and automatically proving or disproving the correct functionality of the system. Verification of all properties may not require exploration of the state-space in its entirety. However, traditional model checkers are not equipped with enough knowledge of the system apriori to make smart decisions so as to explore only those portions of state-space that contribute to the result. In this paper, we present a technique to provide such guidance to the model checker so that it can perform state-space exploration more intelligently. We incorporated our technique in XMC model checker, a tool for verifying process expressions in CCS against properties expressed by modal mu-calculus formulas. We demonstrate the applicability of our guidance mechanism by verifying several example protocols from XMC test-suite.
1 Introduction Model Checking [CES86,QS82] is widely used to automatically validate or invalidate the functional correctness of software [HD01,BR03,BLA03] and hardware [BCL+ 94] systems. The properties of systems are typically represented in terms of temporal logic, e.g., CTL, LTL, mu-calculus while the systems, themselves, are modeled using labeled transition systems or Kripke structure. Finally, model checking amounts to searching (explicitly or symbolically) the state-space of the system model and inferring whether or not the temporal logic formula is satisfied. Driving Problem. In certain cases, entire state-space exploration is not required to prove or disprove satisfiability of properties. In such cases, the efficiency of the model checker is hampered due to high turn-around time if it blindly searches large portion of the system model that does not contribute to the result. For example, for proving reachability property, the model checker is required to just identify one path (preferably the shortest) in the model that satisfies the property. However, it is difficult to provide necessary information to the model checker apriori such that it only searches the path that will satisfy the given reachability property. In this context, we present a heuristic to provide guidance to the model checker so that it can automatically order or rank the transitions in the model to be explored. The central theme of ranking is that transitions higher in the rank are more likely to be a
part of satisfiable path of a reachability property than those with lower rank. Typically, at each state in the model, the model checker may non-deterministically select any of the out-going transitions for satisfiability of a property. In our strategy, the model checker explores the path starting with a transition with higher rank before deciding to explore along the lower rank transitions. The consequences of such ordered exploration of transitions are (a) the model checker can prove the reachability property in less time and (b) the path justifying the result is most likely to be shorter and will facilitate easy understanding of the result. Two important issues need to be addressed in order to deploy the above technique into practice. First, the decision of giving priority to one transition over another at a non-deterministic point should be local, i.e., transition ranking should not require exploring the entire global state-space; any global decision procedure will make the model checker inefficient as most of the effort may be devoted to eliminating incorrect decisions. Second, rank of a transition should depend on the property to be verified as different parts of the same model might be responsible for satisfying different properties. We focus in the paper on guided model checking of labeled transition system against mu-calculus formula. For this purpose, we use logic-based model checking tool XMC [RRR+ 97], a highly optimized local and on-the-fly model checker for value-passing process calculus [Mil89] and the alternation-free modal mu-calculus [Koz83]. A systemmodel in XMC is represented using synchronous1 composition of sub-system models denoted by value-passing CCS. The CCS specification is then translated into transition relation. Our technique relies on understanding the structure of the mu-calculus formula in terms of modal obligations and rank the transitions based on this structure. Consider the formula denoting the existence of action lock in a model: µX.tt ∨ X: a least fixed point mu-calculus formula defined over the variable X. Here, denotes existence of any modal action. As per our technique, the transitions in the sub-systems are ranked according to their distance from the one which is labeled by action lock; shorter the distance higher is the rank. In the event a sub-system is incapable of performing action lock all its transitions are ranked equally. Finally, while model checking the global system, global transitions are explored as per their ranks where the rank of a global transition is obtained from the ranks of those subsystem-transitions that make up the global transition under consideration. In the current case, the global transitions that move the sub-systems towards action lock will be explored before other transitions. The proposed technique for exploring transitions based on their ranks is referred to as Property-dependent guidance (ProDG). We incorporated this strategy in XMC and present in this paper our experience in using automatic guidance in model checking reachability properties. The results show that guidance significantly improves the efficiency of the model checker. The rest of the paper is organized as follows: Section 2 presents the related work followed by overview of XMC model checker in Section 3. In Section 4, we present our technique for providing property-dependent guidance to XMC model checker. Section 5 presents the evaluation of our guidance mechanism via a number of case studies taken 1
Sub-systems communicate via actions over the same channel.
2
from XMC test suite. Finally, in Section 6 we summarize the contribution of the paper and discuss the future avenues of research.
2 Related Work Several techniques have been proposed and developed in different application domains for guiding the search procedure of model checkers. These techniques rely either on the nature of the property to be verified or the structure of the model being analyzed or both. [LCL87] presents best-first exploration for verification of safety properties of protocols. Specifically, the work shows that verification of deadlock and channel overflow properties using best-first analysis is about 30 times faster than that using traditional depth-first search mechanism. Yang and Dill in [YD98] discusses a number of techniques aiming to reduce the state-space explored for finding errors in the models. The first technique, target enlargement, involves increasing the boundary of error states. [YD98] also proposes the application of tracks to identify an approximate pre-image of error states representing assertion violations. The second heuristic depends on finding the Hamming distance from the error states and directs the search towards the states with smaller Hamming distance. This technique is further exploited in [RE99]. Finally, the last technique uses explicit hints from the designer to help guide the search procedure. This is later explored by Bloem et. al. in [BRS00] where intense symbolic computations are avoided by such hints. Bloem et. al. also classify heuristics for guided model checking as property-dependent or system-dependent. System-dependent heuristics apply only to symbolic model checking algorithms. Other kinds of heuristics, such as structural dependent [GV02] and specification-dependent [PH03] heuristics have also been proposed. Edelkamp et. al. [ELL01a,ELL01b] have developed a property-dependent heuristics for explicit state model checker Spin. Their heuristic never overestimates the cost of reaching an error and relies on specific limitations of queue behavior in SPIN to generate better estimates. Best-first search mechanism is used with the proposed heuristic to explore fewer states. The same authors also combined partial order reduction in directed model checking in [LEL02]. [ELL04] presents the class of A* directed search algorithms and developed heuristics coupled with bitstate compression techniques for the search of safety property violations. [ELL04] also presents an improvement of nested DFS algorithm and showed how it can be used with A* algorithm to improve the search for liveness property. Groce and Visser in [GV02] proposes efficient search-heuristics to the verification of Java programs by exploiting the structure of the state space being explored. The structural-dependent technique effectively uses code-coverage techniques to detect errors efficiently. [GV02] suggests a further classification of property dependent heuristics into property-specific heuristics that rely on features of a particular property e.g. queue sizes or blocking statements for deadlock, distance in control or data flow to false valuations of assertions. 3
In [TAC+ 04], a heuristics function is considered similar to our ordering mechanism. The evaluation function f(n) measures the distance to a goal node based on a heuristic function h(n) which gives estimated shortest distance from the given node n to a goal node. Nodes are explored according to their f-values using a priority queue. In the domain of verification of timed automata, [BFHL01] presents an algorithm for efficiently computing the minimum cost of reachability analysis. The model considered is referred to as uniformly priced timed automata. [BFHL01] also proposes a number of techniques inspired by branch-and-bound algorithms which can be used for limiting search space for finding near-optimal solutions. In this paper, we present heuristic for providing automatic guidance to a local, onthe-fly, explicit-state model checker XMC. The heuristic, ProDG, is property dependent as it relies on the structure of the mu-calculus formulas used as property specifiers.
3 Background: Model Checking in XMC XMC [RRR+ 97] is a XSB-Prolog [XSB03] based model checker for value-passing process calculus [Mil89] and the alternation-free modal mu-calculus [Koz83]. In XMC, modal mu-calculus properties are represented in equational form using the following syntax. F --> tt | ff | F /\ F | F \/ F | fDiam(A, F) | fBox(A, F) | fDiam(-A, F) | fBox(-A, F) | X E --> X += F | X -= F
In the above, X belongs to the set of formula or fixed point variables (Prolog atoms), A is the set of actions; tt and ff are propositional constants true and false respectively. The fDiam(A, F) and fBox(A, F) are dual modal operators where the former states after any actions in A formula expression F holds while the latter states after all actions in A formula F holds. Each formula variable X appears in the lhs of at most one formula equation E of the form X+=F or X-=F where the former represents least fixed point equation and the latter represents greatest fixed point equation. For example the following mu-calculus equation, over least fixed point variable deadlock, models a path leading to a state with no outgoing transitions. freedom property: deadlock += fBox(-[], ff) \/ fDiam(-[], deadlock).
We use ’[]’ to denote an empty set. In the formula, the modal action set ’-[]’ represents the negation of empty set, i.e., denotes the set of all actions. System models in XMC are represented using XL specification language, an expressive extension of value-passing CCS. We give here a brief overview of syntax and semantics of process algebra CCS. For details refer to [Mil89]. P → 0 | A | a.P | P + P | P ′ |′ P | P\L | P[f ] def
A = P In the above, 0 denotes a deadlocked process. A ranges over process names or agents, a is a member of action set Act = L∪L∪τ , where τ denotes internal action and L is a set of actions such that a ∈ L ⇔ a ∈ L. L ranges over the powerset of L and f : L → L. 4
a
a
p → p′
a.p → p
a
A → p′ a
a
a
q → q′
p → p′ q → q ′
a
p | q → p | q′
a
a
def
A = p
τ
p | q → p′ | q ′
q → q′
p → p′ a
p + q → p′
a
p + q → q′
b
a
p | q → p′ | q a
a
p → p′
a
p → p′
f (a) = b
p[f ] → p′ [f ]
p → p′ a
p\L → p′ \L
a 6∈ L
Fig. 1. Operational Semantics of CCS
The operators ’.’, ’+’, ’|’, and ’\’ and ’[.]’ denote prefix, choice, parallel composition, restriction and relabeling operators respectively. A CCS process specification consists def
of a set of process definitions each of the form A = P where P ∈ P. Each agent used in P appears on the left-hand side of a process definition. The operational semantics of CCS expression is given in terms of labeled transition system (S, →) where the states in S represent CCS process expressions and the transition relation →⊆ S × Act × S [Mil89]. XMC translates the process definitions into Prolog transition rules following this structural operational semantics of CCS (Figure 1). For example the following encodes the operational semantics of CCS process expression P + P . transition(choice(S1, S2), A, T) :transition(S1, A, T); transition(S2, A, T). choice(S1, S2) corresponds to S1+S2 process expression and ‘;’ in the rhs of the
‘:-’ denotes disjunction (of prolog sub-goals). The encoding of transition rules in XSB Prolog facilitates on-the-fly construction of transition relations of the global model from transitions of the sub-systems. Given the transitions, the semantics of modal mucalculus formula is encoded directly as logic program as follows: :- table models/2. models(S, models(S, models(S, models(S, models(S,
tt). F1 \/ F2) F1 /\ F2) fDiam(A, F)) fBox(A, F))
::::-
models(S, fDiam(-A, F)):models(S, fBox(-A, F)) :-
models(S, F1); models(S, F2). models(S, F1), models(S, F2). trans_in(S, A, T), models(T, F). findall(T, trans_in(S, A1, T), Ts), all_models(Ts, F). trans_not_in(S, A, T), models(T, F). findall(T, trans_not_in(S, A1, T), Ts), all_models(Ts, F). X += XDef, models(S, XDef). X -= XDef, negate(XDef, NXDef), sk_not(models(S, XDef).
models(S, X) models(S, X)
::-
trans_in(S, A, T) trans_not_in(S, A, T)
:- transition(S, A1, T), member(A1, A). :- transition(S, A1, T), not member(A1, A).
5
Observe that, for formula expression fBox(A, F), findall/3 is used to aggregate (Ts) the destination states reachable from the source S and all models/2 returns true if Ts is empty or every element in Ts satisfies the formula expression F. Also note that the evaluation of models(S,X) where X is a greatest fixed point formula variable proceeds by negation (negate) of the definition XDef followed by the negation (sk not) of the evaluation of models(S, NXDef). This is because XSB with tabling naturally results in least model solutions to prolog programs. Another important consequence of tabling the models/2 predicate is that redundant sub-computations can be avoided by storing and retrieving prior evaluations from the table. On-the-fly construction of the transition system coupled with goal-directed evaluation of tabled logic program, makes XMC a local model checker where the state-space generation and exploration is driven by the evaluation of models predicate.
4 ProDG: Property-Dependent Guidance for Model Checking In this section, we discuss the technique for providing guidance to XMC model checker using the structure of mu-calculus formula to be verified. A state S can satisfy the modal obligation in a formula fDiam(A, F) in multiple ways: along any outgoing transitions from S which are labeled by actions in A. The model checker XMC decides to give equal priority to all these transitions and explores them one after the other without any specific order. However, all these transitions may not lead to a path where F is satisfiable. Furthermore, different transitions may lead to satisfying paths with different lengths. An alternative, specifically for satisfying formulas with diamond or existential modality, will be to make the model checker explore the transitions in a specific order such that transitions that are likely to satisfy the modal actions are selected or traversed before the others. In short, the transitions are ranked and the model checker explores them as per their ranks. Rank of a transition is related to its minimum distance from another transition that can satisfy modal obligations in the formula; smaller the distance higher is the rank. For example for a diamond-modality formula expression fDiam(A, tt), transitions labeled by actions belonging to A have the highest rank and for i < j, transitions i-steps away from highest rank transitions are at higher rank than those that are j-steps away from the same. However, in order to rank the transitions in such a fashion, it is required to explore the entire global state space before model checking. This defeats to purpose of making model checking process efficient, local and/or on-the-fly. As such, we present here a heuristic which can identify approximate ranking of global transitions by examining the transition-ranks of sub-systems. The technique is light-weight, incurs allowable amount of overhead and provides significant improvement in model checking process. 4.1 Ranking Sub-System Transitions Action-sets appearing as modal obligations in the mu-calculus formula refer only to the visible actions2 of the sub-systems. Our technique examines transitions in each sub2
Visible actions are the ones observable outside the system.
6
system and identifies the ones whose action-label appears in the modal-action set of the formula defined over a fixed point variable X. In the process, each transition t is assigned a rank label, denoted by RtX . We will omit the sub- and super-scripts, t and X respectively, whenever their references are evident from the context. Positive and Negative Modal Actions. We will classify the modal obligations that explicitly refers to a set of actions. In other words, we will not consider modal obligations over any actions: ‘-[]’. A set of positive modal actions is the set of actions whose presence is required for the satisfiability of a formula expression (e.g. A in fDiam(A, F)). On the other hand, the set of negative modal actions refers to the set whose absence in the model is required for the satisfiability of a formula (e.g. A in fDiam(-A, F)). The Seed Transitions. If the action labeling a transition appears in a positive modal obligation, the transition is labeled R = 0. We refer to these transitions as +seed transitions. On the other hand, if the action is a part of negative modal obligation, the R label of transition is set to infinity. For practical purpose, infinite value is considered to be a pre-specified integer N which is equal to twice the max number of transitions in any sub-system. We will call these transitions -seed transitions. Backward Exploration from Seeds. In the next step, backward breadth-first traversal is performed from the seed transitions. First, if a transition n depth away from the +seed transitions, its rank is assigned to n. Proceeding further, R of the transitions n depth away from the -seed transitions are annotated with R = N -n, if its rank is not already assigned to a value less than N -n. In other words, transitions, that can reach both the +seed and -seed transitions, retain the rank-label they obtained from their distance from the +seed. The Intermediates. Finally, transitions that do not reach any seed transitions are provided R = M which is the maximum number of transitions in any sub-system. We refer to these transitions as intermediates as they may effect the satisfiability of formula expressions in both positive or negative fashion. Non-overlapping Range for R. Note that the selection of 0 (rank of +seed), N (rank of -seed) and M (rank for intermediates) ensures that rank of intermediates always falls between ranks of transitions that can reach +seed and ranks of transitions leading to -seed; the reason being a transition can be at most M − 1 steps away from any seed transitions where M is the maximum number of transitions in any sub-system. In short, the maximum value assigned to R of a transition that can reach the +seed transition can be M − 1 and the minimum value for R of a transition that leads to -seed is N − (M − 1) = M + 1. Example. Consider the example in Figure 2. The system sys, a simple multi-threaded protocol, is defined by the parallel composition of two thread (th) processes and an object ob process. A thread sends req and waits for reply from the object. If the reply is of the form ack, denoting the thread has successfully gained exclusive access of object, the thread performs an observable action IN and proceeds to release the lock 7
th = req.th1 th1 = ack.th2 + nack.th th2 = IN.rel.OUT.th
ob = req.ack.ob1 ob1 = rel.ob + req.ob2 ob2 = nack.ob1 T1
OUT (3,12) S 1
req (6,6)
nack (3,3)
req (2,2)
nack (6,6)
S2 S5
T2 ack (6,6)
ack (1,1)
T3
S3 rel (4,4)
rel (6,6)
IN (0,0)
req (6,6) T4
S4
(a)
(b)
Fig. 2. CCS Definition and LTS for (a) Thread, (b) Object
(rel). Otherwise, the thread goes back to its initial state and tries to lock the object again. A lock-releasing thread makes an observable OUT action and returns to its initial state. The property to be verified for this system is defined by the following least fixed point mu-calculus equations. x += fDiam([IN], y) \/ fDiam(-[], x). y += fDiam([IN], tt) \/ fDiam(-[OUT], y).
The first equation states that eventually after IN action in a path, formula y is satisfiable. The second equation states that IN action is present eventually in a path where there is no OUT action. The given formula represents the case where there is a path with two IN actions with no intermediate OUT action – the absence of mutually exclusive access of object by the threads. We proceed by annotating the LTS of each sub-system (thread and object) with R values. Note that as there are two formula variables, x and y, the transitions will have two annotations (Rtx , Rty ), one each for the two formula variables. First consider the LTS for the thread in Figure 2(a). The positive modal action in formula equation for x is IN. The transition from s3 to s4 is, therefore, a +seed with IN
Rsx3 → s4 = 0. All other transitions are marked with the corresponding Rx value by backward breadth-first traversal from s3 . Note that due to absence of explicit negative modal action, there is no -seed transition corresponding to x. In the next step, the equation corresponding to formula y is considered. It has the positive modal action IN and negative modal action OUT. Accordingly, the transitions IN
IN
OUT
OUT
s3 → s4 = 0) and -seed (Rsy5 → s1 s3 → s4 and s5 → s1 are marked as +seed (Ry = 12) transitions respectively. First, all the transitions leading to +seed are assigned a Ry values and finally the transitions reaching the -seed are considered. Recall that, the transitions that reach both the +seed and -seed transitions, retain their rank obtained
8
sys = (th |th |ob) \{req,rel,ack,nack}
τ
S1S1 (req) T1
OUT
OUT
τ S3 S2 S2S1(ack) S3S1 T3 (req) T4 T2 τ
OUT S5S4 T3
IN OUT (rel)τ
τ(nack)
S4 S2 S4S1 τ T4 T3 (req)
IN
S5S1 S5S3 (rel) τ τ T1 OUT (ack) T3 S5S2 τ (req) S S 5 1 T2 T1
Fig. 3. CCS Definition and LTS for sys
rel
from their distance from +seed. As a result, Rsy4 → s5 is equal to 4 (four steps away from the +seed) and not 11 (one step away from -seed). The LTS for the object process does not have any observable action and as such the Rx and Ry are both assigned to 6 (R value for intermediates). 4.2 From Ranking Sub-System to Global Ranking Once all the transitions in the sub-systems’ LTSs are assigned R values for each formula, model checking proceeds by exploring global transitions in the order of their ranks. We define the pattern of transition relations in the global system followed by the technique for assigning ranks to global transitions. a
Definition 1. Transition in a global system is denoted by (s1 , s2 , . . . , sn ) → (t1 , t2 . . . , tn ) where si and ti are states in the LTS of i-th sub-system and a
1. si → ti is a transition in the i-th sub-system and ∀k 6= i.sk = tk (autonomous move) or b
b
2. si → ti , sj → tj are transitions in the i-th and j-th sub-system, a = τ and ∀k 6= i, j.sk = tk (synchronized move). Definition 2. The R label of a global transition is either 1. equal to the R label of the sub-system transition responsible for the autonomous move or 2. equal to the minimum R value of the transitions of the sub-system participating in a synchronous move. Note that the rank of a global transition (Definition 2) is computed without exploring the global state-space. Equipped with the knowledge of global transition ranks for each formula variable, we encode the predicates dtrans in/4 and dtrans not in/4 as follows: 9
dtrans_in(X, S, A, T)
:-
dtrans_not_in(X, S, A, T)
:-
order((transition(R1, X, S, A1, T1), member(A1, A)), T). order((transition(R1, X, S, A1, T1), not member(A1, A)), T).
In the above, transition(R1, X, S, A1, T1) represents a global transition relation from state S to T1 with R = R1 in the context of the formula variable X. Given a query with specific values for source state s, action set aSet and formula variable x, dtrans in(x, s, aSet, T) returns the destinations of transitions from s with actions in aSet in ascending order R computed for the formula variable x. Accordingly, we re-encode the semantics of mu-calculus formula to reflect the changes in the transition relation of the system. This is represented by dmodels(S, F, Y) predicate which returns true if the global state S satisfies the formula expression F which is a part of the formula equation corresponding to formula variable Y. :- table dmodels/3. dmodels(S, dmodels(S, dmodels(S, dmodels(S,
tt, Y). F1 \/ F2, Y) :F1 /\ F2, Y) :fDiam(A, F1), Y) :-
dmodels(S, F1, Y); dmodels(S, F2, Y). dmodels(S, F1, Y), dmodels(S, F2, Y). dtrans_in(Y, S, A, T), dmodels(T, F1, Y).
dmodels(S, fBox(A, F1), Y) :findall(T, dtrans_in(Y, S, A1, T), Ts), all_dmodels(Ts, F1, Y). dmodels(S, fDiam(-A, F1), Y):dtrans_not_in(Y, S, A, T), dmodels(T, F1, Y). dmodels(S, fBox(-A, F1), Y) :findall(T, dtrans_not_in(Y, S, A1, T), Ts), all_dmodels(Ts, F1, Y). dmodels(S, X, Y) :- X += XDef, dmodels(S, XDef, X). dmodels(S, X, Y) :- X += XDef, negate(XDef, NXDef), sk_not(dmodels(S, NXDef, X).
Property-dependent guidance. An important aspect of our technique is that the statespace exploration depends solely on the formula to be satisfied. For example, in the above, dmodels(S, X, Y), where X and Y are formula variables, does not depend on ranking of transitions in terms of Y (the formula variable whose definition has X nested in it) but depends on ranking obtained in the context of formula variable X. The above encoding ensures that the model checker always tries to explore the state-space with the goal of satisfying the modal obligations of the formula expression under consideration. Example. Going back to the multi-threaded protocol example, Figure 3 presents the partial view of global transition system of sys. Each state in the global system is represented by the tuple (P,Q,R), where P and Q are states of the thread process and R is the state in the object process. Transitions are labeled by observable actions IN and OUT and internal actions τ . In the latter case, for easy readability, we also show the action (enclosed in ’()’) synchronization over which caused the τ action. 10
The query issued to the model checker is dmodels((S1 ,S1 ,T1 ), x, ), i.e., whether the start state of sys satisfies the formula represented by x. Accordingly, the model checker proceeds to satisfy the diamond modal action IN. As such, from (S3 , S1 , T3 ) the model checker explores the transition to (S4 , S1 , T3 ) via IN action before exploring the transition to (S4 , S2 , T4 ) as the former transition has precedence over the latter as IN
τ
(S ,S ,T ) → (S ,S ,T )
(S ,S ,T )→(S ,S ,T )
4 1 3 3 2 4 per their ranks (Rx 3 1 3 = 0 and Rx 3 1 3 = 2). Proceeding further from the state (S3 , S1 , T3 ), the model checker now explores transitions on the basis of the assigned ranks in the context of the formula definition of y. As such, it explores the transitions that are likely to be part of a path which eventually has an IN transition with no preceding OUT actions. At each branch points (e.g. (S5 , S1 , T1 ), (S5 , S2 , T2 ),(S5 , S3 , T3 )) the model checker explores the transitions that brings it closer to satisfying the property expressed by y. Figure 3 presents the path explored by our model checker with bold directed transitions.
5 Case Study We demonstrate the effectiveness of guided model checking by comparing the verification result of XMC and ProDG model checker. Table 1 summarizes the verification results for three protocols from XMC test-suite. For each model and its corresponding property, the table shows the number of transitions visited with the time taken by the XMC and ProDG model checker. Alternation Bit Protocol. Alternation bit protocol is a simple data-link layer protocol where a sender transmits messages with a one-bit sequence (0 or 1) number. A message with a specific sequence bit is continually retransmitted till an acknowledgement of receipt from the receiver is obtained. The protocol is modeled using XL, the specification language for XMC. Here we consider a buggy version of the model where the sender transmits new message without checking whether the acknowledgement it received corresponds to the previous message. We verified the following property: drop_packet += fDiam([sendnew], lost) \/ fDiam([], drop_packet). lost += fDiam([sendnew], tt) \/ fDiam(-[recv], lost).
In the above, sendnew and recv are observable actions of the sender and the receiver respectively. The sender transmits a new message followed by sendnew action while the receiver, after receiving a message it was waiting for, performs recv action. The mu-calculus property expressed by drop packet states that two new messages are sent (sendnew) with no intermediate action recv, i.e., a message is lost without being received. Table 1 shows that ProDG model checker performs considerably better than XMC in terms of the number of transitions considered for proving the satisfiability of drop packet property. Needham-Schroeder Protocol. Needham-Schroeder public key protocol is meant for establishing mutual authentication between two users (initiator and responder) and ensuring a secure communication channel. The model for this protocol in XMC includes 11
Transitions Visited XMC ProDG drop packet 104 29 A LTERNATING B IT P ROTOCOL Property
Time (sec) XMC Ranking ProDG 0.01 0.04 0.01
attack 8 5 0.01 N EEDHAM S CHROEDER P ROTOCOL
0.11
0.01
nomutex(1) 344 344 0.02 1.21 nomutex(2) 38662 344 1.48 1.20 nomutex(3) 51524 344 2.26 1.20 M ETA - LOCK WITH 2 THREADS AND 3 OBJECTS
0.08 0.08 0.08
nomutex(1) 345 345 0.02 1.38 nomutex(2) 1596231 345 130.26 1.41 nomutex(3) 1342857 345 118.21 1.40 M ETA - LOCK WITH 3 THREADS AND 3 OBJECTS
0.10 0.10 0.10
Table 1. Verification Results (all results are taken in 3GHz P-4 processor with 2GB memory running RedHat 9.0)
a model of an intruder. The intruder process intercepts messages exchanged by the two users with the main aim of the impersonating as a normal user and set up fake session with the other. The property of interest is expressed in mu-calculus as follows: attack += fDiam([commit_AI], attack1) \/ fDiam(-[], attack). attack1 += fDiam([commit_BA], tt) \/ fDiam(-[commit_IA, commit_BA], attack1).
In the above, commit AI is the observable action performed by the initiator when it establishes secure connection with the intruder while commit BA and commit IA are observables representing secure connection between the responder and initiator and intruder and initiator respectively. As in ABP, we see, in Table 1, that ProDG model checker explores lesser number (though to a much smaller extent) of transitions for proving the verification result. Java Meta-Lock. The Java Meta-lock is a highly optimized distributed algorithm to ensure mutually exclusive access of objects by Java threads [ADG+ 99]. In [BSW00], we reported our experience in modeling the algorithm and verifying it using XMC by varying the number of the threads and objects that constitute the system. The model of the algorithm involves synchronization between threads and objects via request and reply to and from objects. It also involves synchronous communication between threads – a thread, releasing exclusive access rights of an object, hands over the concerned object-lock to the thread trying to access the same object. In meta-lock, the state of an object can be either Busy, signifying that a thread has requested for the access right to the object or Not-Busy, signifying that the object is not being accessed by any threads. Each object has a field, referred to as multi-use word, 12
which records its state and in case of Busy state also keeps track of the identifier of the thread that is responsible for the object-state. The central requirement for the correct functionality of the algorithm is atomicity of a swap operation that reads the multi-use word of the object and updates it to record the thread identifier and Busy state of the object (For details refer to [BSW00]). We used the meta-lock model in XMC and injected faults in the protocol by breaking the atomic swap operation (referred to as sanity checks in [BSW00]). As a result, two or more threads may read the object state being Not-Busy simultaneously. This introduces non-mutual exclusive access of objects by threads. The property we verified is encoded in mu-calculus as follows: nomutex(I) += fDiam([gotmetalock(I)], f(I)) \/ fDiam(-[], nomutex(I)). f(I) += fDiam([gotmetalock(I)], tt) \/ fDiam(-[releasemetalock(I)], f(I)).
In the above, gotmetalock(I) and releasemetalock(I) are visible actions representing the cases when a thread successfully locks and releases the object I. The formula definition for nomutex(I)) models a path where the object I is accessed by two threads simultaneously (mutually exclusive access is violated). The buggy-version of meta-lock with 2 threads and 3 objects, and with 3 threads and 3 objects is verified against nomutex(I) by varying the value of I from 1 to 3. The results in Table 1 show that for checking mutual exclusion property for the same system, XMC takes more time and explores more transitions as the object identifier index in the formula is increased. The reason for such phenomenon is attributed to the presence of non-deterministic choice points. In the algorithm, the thread process selects non-deterministically one of the objects it is going to lock, e.g., if there are 3 objects, each thread can select any one of the 3 objects. In short, if the property to be verified is nomutex(2), XMC model checker may not immediately search the portion of the model where two threads in the system selects object 2. On the other hand, by our guidance mechanism, for the property nomutex(2), the model checker first explores the transitions corresponding to the case where threads select object 2 to lock. As such, guided-XMC can find the path that satisfies the reachability property in less time and by exploring significantly lesser number of transitions. Guidance in model checking makes the time and space requirement of the search procedure independent of the object identifier used in the property specification. It is worth mentioning that in the event a reachability property is not satisfied by a system, both XMC and guided-XMC will explore the exactly the same number of transitions – the entire state-space of the system.
6 Discussion We presented an effective heuristic for providing automatic guidance to mu-calculus model checkers. The central tenet of our technique is that exploration of model checker can be adequately guided, specifically for reachability properties, by providing an ordering among the transitions. The ordering of a transition is based on its minimum 13
distance from the transitions labeled by actions present in the modalities of the formula to be satisfied. We incorporated our technique in XMC model checker, a logic-based model checking tool for process algebra CCS and modal mu-calculus. We show the efficacy of our technique by verifying several protocols from XMC test-suite. The ranking mechanism, however, relies on explicit presence of actions in the modal operators. In the event, the property does not depend on any specific action, our technique fails to order the transitions. An example of such a formula commonly used is: deadlock += fBox(-[], ff) \/ fDiam(-[], deadlock).
The above formula states that there exists a path which eventually ends in a state with no out-going transition. Ordering transitions in such a situation will require finding the pattern of actions required for satisfiability of the formula and assigning rank labels to transitions on the basis of their distance from such patterns. Finally, the guidance, being a local heuristic, does not ensure that the model checker always explores the shortest path for the satisfiability of a reachability property. For example, consider a property expressed as two mu-calculus equations over two formula variables x and y, where y is nested in the formula definition for x. The model checker first explores the shortest path satisfying the modal obligation leading to y in x’s definition and from thereon identifies the shortest path for satisfying the definition of y. However, the local shortest paths from the outer-most formula may not constitute a global shortest path. We will pursue an alternative strategy to engineer the model checker and perform backward reachability. This will find the shortest paths from inner-most formulas which will in turn result in the exploration of shortest global path.
References [ADG+ 99] O. Agesen, D. Detlefs, A. Garthwaite, R. Knippel, Y. S. Ramakrishna, and D. White. An efficient meta-lock for ubiquitous synchronization. In Proceedings of ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages and Applications, 1999. [BCL+ 94] J. Burch, E. M. Clarke, D. Long, K. McMillan, and D. Dill. Symblic model checking for sequential circuit verification. IEEE Transaction on Computer Aided Design of Integrated Circuits and Systems, 13(4):401–424, April 1994. [BFHL01] G. Behrmann, A. Fehnker, T. Hune, and K. Larsen. Efficient guiding towards costoptimality in UPPAAL. Lecture Notes in Computer Science, 2031:174+, 2001. [BLA03] BLAST. Berkeley lazy abstraction software verification tool, 2003. http://www-cad.eecs.berkeley.edu/∼rupak/blast/. [BR03] T. Ball and S.K. Rajamani. Slam, 2003. http://research.microsoft.com/slam. [BRS00] R. Bloem, K. Ravi, and F. Somenzi. Symbolic guided search for ctl model checking. In Proceedings of the 37th conference on Design automation, pages 29–34. ACM Press, 2000. [BSW00] S. Basu, S.A . Smolka, and O. R. Ward. Model checking the java meta-locking algorithm. In Proceedings of Engineering of Computer-Based Systems, 2000. [CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2), 1986.
14
[ELL01a] S. Edelkamp, A. L. Lafuente, and S. Leue. Directed explicit model checking with hsf-spin. In Proceedings of the 8th international SPIN workshop on Model checking of software, pages 57–79. Springer-Verlag New York, Inc., 2001. [ELL01b] S. Edelkamp, A. L. Lafuente, and S. Leue. Trail-directed model checking. In Scott D. Stoller and Willem Visser, editors, Electronic Notes in Theoretical Computer Science, volume 55. Elsevier, 2001. [ELL04] S. Edelkamp, S. Leue, and A. L. Lafuente. Directed explicit-state model checking in the validation of communication protocols. International Journal on Software Tools and Technology Transfer, 5(2):247–267, 2004. [GV02] A. Groce and W. Visser. Model checking java programs using structural heuristics. In Proceedings of the 2002 ACM SIGSOFT international symposium on Software testing and analysis, pages 12–21. ACM Press, 2002. [HD01] J. Hatcliff and M. Dwyer. Using the bandera tool set to model-check properties of concurrent Java software. LNCS, 2154:39–??, 2001. [Koz83] D. Kozen. Results on the propositional µ-calculus. Theoretical Computer Science, 27:333–354, 1983. [LCL87] F. J. Lin, P. M. Chu, and M. T. Liu. Protocol verification using reachability analysis: the state space explosion problem and relief strategies. SIGCOMM Comput. Commun. Rev., 17(5):126–135, 1987. [LEL02] A. L. Lafuente, S. Edelkamp, and S. Leue. Partial order reduction in directed model checking. In Proceedings of the 9th International SPIN Workshop on Model Checking of Software, pages 112–127. Springer-Verlag, 2002. [Mil89] R. Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989. [PH03] Tuomo Pyh¨al¨a and Keijo Heljanko. Specification coverage aided test selection. In Proceeding of the 3rd International Conference on Application of Concurrency to System Design (ACSD’2003), pages 187–195. IEEE Computer Society, June 2003. [QS82] J. P. Queille and J. Sifakis. Specification and verification of concurrent systems in Cesar. In Proceedings of International Symposium on Programming, 1982. [RE99] F. Reffel and S. Edelkamp. Error detection with directed symbolic model checking. In Proceedings of the Wold Congress on Formal Methods in the Development of Computing Systems-Volume I, pages 195–211. Springer-Verlag, 1999. [RRR+ 97] Y. S. Ramakrishna, C. R. Ramakrishnan, I. V. Ramakrishnan, S. A. Smolka, T. W. Swift, and D. S. Warren. Efficient model checking using tabled resolution. In Proceedings of International Conference on Computer-Aided Verification (CAV’97). Springer-Verlag, July 1997. [TAC+ 04] J. Tan, G. S. Avrunin, L. A. Clarke, S. Zilberstein, and S. Leue. Heuristic-guided counterexample search in flavers. In Proceedings of Foundations of Software Engineering (FSE) 2004, 2004. [XSB03] XSB. The XSB logic programming system v2.6, 2003. Available from http://xsb.sourceforge.net. [YD98] C. H. Yang and D. L. Dill. Validation with guided search of the state space. In Proceedings of the 35th annual conference on Design automation, pages 599–604, 1998.
15
