
1
Extraction of Verification Models via Guided Abstraction
  • Benjamin Gorry1
  • (beng_at_macs.hw.ac.uk)
  • Dependable Systems Group
  • School of Mathematical & Computer Sciences
  • Heriot-Watt University
  • Edinburgh

1 Sponsored by an ICASE Studentship from the EPSRC and QinetiQ
2
Background
  • Model Checking not enough?
  • SPIN
  • FeaVer
  • Example
  • Applications
  • Other Tools
  • Conclusions
  • Questions?

3
Model Checking not enough?
  • Problems
  • Insufficient abstractions
  • Too fine
  • Too coarse
  • Wrong items
  • State space explosion
  • Personal style
  • Harry Potter syndrome
  • Are there any solutions to this?

4
Model Checking not enough?
  • If model checking contains so many potential
    pitfalls why stick with it?
  • Powerful (simulation/verification)
  • Cost (financially and temporally)
  • Testing / theorem proving
  • Relatively new discipline
  • Growing community
  • Can be used in conjunction with other more
    established techniques

5
SPIN
  • We all know about SPIN
  • Version from 2nd January 2004
  • Embedded ANSI-C code
  • Changes in algorithms
  • Verification of actual system code
  • Provide facilities for post-hoc verification
  • Provision for new guided abstraction tool

6
FeaVer
  • Feature Verification
  • Developed at Bell Labs by Gerard Holzmann and
    Margaret Smith
  • Unrecognisable code?
  • c_code, c_expr, ...
  • Concurrency?
  • Test harness allows Promela test programs to be
    constructed
  • Statements written in ANSI-C can be mapped to
    acceptable Promela statements
  • Models verified for correctness using SPIN

7
FeaVer
  • How it works (diagram): ANSI-C Code + Mapping Table + Test Harness
    are fed to modex, which produces the Promela Model
8
Example - code
  • Alternating bit protocol

    typedef struct Msg {
        short seq;          /* sequence number */
        char *cont;         /* message contents */
    } Msg;

    void
    abp_sender(Msg in)
    {   Msg out;
        if (in.seq == out.seq)
        {   get_data(out.cont);       /* get new data to send */
            out.seq = 1 - out.seq;    /* flip sequence number */
        }
        send(out);                    /* send message */
    }

9
Example - code

    int expect = 0;

    void
    abp_receiver(Msg in)
    {   Msg out;
        out.seq = in.seq;             /* or use expect? */
        out.cont = (char *) 0;
        send(out);                    /* always acknowledge */
        if (in.seq == expect)
        {   put_data(in.cont);        /* accept data recvd */
            expect = 1 - expect;      /* flip sequence number */
        }
    }

10
Example test harness

    %F abp2.c
    %X -L abp_sender -n abp_sender
    %X -L abp_receiver -n abp_receiver
    %L
    Import _all_ _all_
    %L abp_sender
    get_data(...    hide
    send(out)       c_code { Pabp_sender->s = Pabp_sender->out.seq; }; qr!s
    %L abp_receiver
    put_data(...    hide
    send(out)       c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s
    %D
    typedef struct Msg {
        short seq;
        char *cont;
    } Msg;

11
Example test harness

    active proctype abp_sender()
    {   bit s;
        do
        :: qs?s; c_code { Pabp_sender->in.seq = Pabp_sender->s; };
           #include "_modex_abp_sender.spn"
        od
    }
    active proctype abp_receiver()
    {   bit s;
        if      /* start sender */
        :: qs!1
        :: qs!0
        fi;
        do
        :: qr?s; c_code { Pabp_receiver->in.seq = Pabp_receiver->s; };
           #include "_modex_abp_receiver.spn"
        od
    }

12
What is generated?

    int expect = 0;
    int __w64;
    int __builtin_va_list;
    c_state "Msg out" "Local abp_receiver"
    c_state "Msg in" "Local abp_receiver"
    c_state "Msg out" "Local abp_sender"
    c_state "Msg in" "Local abp_sender"
    c_decl {
    typedef struct Msg {
        short seq;
        char *cont;
    } Msg;
    }
    chan qs = [0] of { bit };
    chan qr = [0] of { bit };
    active proctype abp_sender()
    {   bit s;
        do
        :: qs?s; c_code { Pabp_sender->in.seq = Pabp_sender->s; };
           if

13
What is generated?

    active proctype abp_receiver()
    {   bit s;
        if
        :: qs!1
        :: qs!0
        fi;
        do
        :: qr?s; c_code { Pabp_receiver->in.seq = Pabp_receiver->s; };
           c_code { Pabp_receiver->out.seq = Pabp_receiver->in.seq; };
           c_code { Pabp_receiver->out.cont = (char *) 0; };
           c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s;
           if
           :: c_expr { (Pabp_receiver->in.seq == now.expect) };
              c_code { now.expect = (1 - now.expect); };
           :: else
           fi
        od
    }
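The mapping step that turns the harness table (slide 10) into the generated receiver body (slide 13), as an added toy reconstruction, not modex's own code (modex has a real C front end): each C statement is looked up in the table and hidden or replaced, and anything unmapped is wrapped in c_code with locals renamed through P<proc>-> and globals through now. The tuple representation of the C body and the identifier-rename rule are assumptions made for this illustration.

```python
import re

# Identifier not followed by "(" (function-call names are left alone).
IDENT = re.compile(r"\b[A-Za-z_]\w*\b(?!\s*\()")

def rename(expr, func, locals_, globals_):
    # Locals are reached through the process struct, globals through the state vector.
    def sub(m):
        n = m.group(0)
        return f"P{func}->{n}" if n in locals_ else f"now.{n}" if n in globals_ else n
    return IDENT.sub(sub, expr)

def lookup(stmt, table):
    # "name(..." entries match any call of name; other entries must match exactly.
    for pat, action in table.items():
        if (pat.endswith("...") and stmt.startswith(pat[:-3])) or stmt == pat:
            return action
    return None

def extract(func, body, table, locals_, globals_, indent="\t"):
    # body: list of ("stmt", text) or ("if", cond, [then_nodes]) (assumed toy form).
    lines = []
    for node in body:
        if node[0] == "stmt":
            action = lookup(node[1], table)
            if action == "hide":          # irrelevant to the property: dropped
                continue
            if action is None:            # default: keep the C statement as embedded code
                action = "c_code { %s; };" % rename(node[1], func, locals_, globals_)
            lines.append(indent + action)
        else:                             # an if: the condition becomes a c_expr guard
            _, cond, then = node
            lines += [indent + "if",
                      indent + ":: c_expr { (%s) };" % rename(cond, func, locals_, globals_)]
            lines += extract(func, then, table, locals_, globals_, indent + "   ")
            lines += [indent + ":: else", indent + "fi;"]
    return lines

# Constructed input: the abp_receiver body and its %L mapping table from the slides.
ABP_RECEIVER = [("stmt", "out.seq = in.seq"),
                ("stmt", "out.cont = (char *) 0"),
                ("stmt", "send(out)"),
                ("if", "in.seq == expect",
                 [("stmt", "put_data(in.cont)"), ("stmt", "expect = 1 - expect")])]
TABLE = {"put_data(...": "hide",
         "send(out)": "c_code { Pabp_receiver->s = Pabp_receiver->out.seq; }; qs!s;"}

def receiver_model():
    return extract("abp_receiver", ABP_RECEIVER, TABLE, {"in", "out", "s"}, {"expect"})
```

Printing "\n".join(receiver_model()) gives the do-loop body of the generated abp_receiver proctype, with put_data gone and expect promoted to now.expect.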

14
From generated model
  • Sorry, I wanted to provide a decent example
  • We can view the relationships between ANSI-C, the
    FeaVer test harness, and Promela (the gap is not
    large)
  • We have a Promela model ready for verification
  • Assertions
  • LTL
  • We have a re-usable test harness (long term
    savings in cost)
  • We have removed many of the problems discussed
    earlier

15
Applications
  • FeaVer used at Bell Labs between 1998 and 2000 to
    exhaustively verify the call-processing software
    of Lucent's PathStar access server
  • Telephone call processing code for one of
    Lucent's switches, the PathStar access server,
    was checked against a database of formally
    specified logical correctness requirements using
    standard model checking techniques (using SPIN)

16
Other Tools
  • Bandera: used on the NASA Pathfinder project
    (recipient of NASA's 2003 TGIR Award for
    Engineering Innovation), Java code
  • SLAM project from Microsoft Research (C programs)
  • Canvas project (component verification) from IBM
    and the University of Tel-Aviv

17
Conclusions
  • A new technique
  • A lot of responsibility removed from the modeller
  • Savings both financially and temporally
  • A new generation of tools to shape a new
    generation of modellers?
  • Watch this space!