# Verification and Abstraction (VA 2015) Giorgio Delzanno DIBRIS, Università di Genova ## What is Computer Aided Verification? Automated verification method aimed at finding bugs in hardware design and software ### What is Computer Aided Verification? - Automated verification method aimed at finding bugs in hardware design and software - The basic idea is to exhaustively search for bugs ### What is Computer Aided Verification? - Automated verification method aimed at finding bugs in hardware design and software - The basic idea is to exhaustively search for bugs - Particularly useful for verification of concurrent and reactive systems ## What to verify? We have to specify the behavior of the system we are considering ## What to verify? - We have to specify the behavior of the system we are considering - and the corresponding safety requirements (e.g. nothing bad happens when the program runs) Let us consider a multitasking computation where several processes operate on shared data A race condition occurs when the result of the computation depends on the order of execution Let us consider a multitasking computation where several processes operate on shared data - A race condition occurs when the result of the computation depends on the order of execution - They occur frequently in multitasking application (e.g. OS Kernel, multithreaded programs) Let us consider a multitasking computation where several processes operate on shared data - A race condition occurs when the result of the computation depends on the order of execution - They occur frequently in multitasking application (e.g. OS Kernel, multithreaded programs) - They are dangerous: we must ensure consistency of shared data Let us consider a multitasking computation where several processes operate on shared data - A race condition occurs when the result of the computation depends on the order of execution - They occur frequently in multitasking application (e.g. OS Kernel, multithreaded programs) - They are dangerous: we must ensure consistency of shared data - They are difficult to find and to reproduce: a different execution → a possible different instruction order → a possible different output ## Back to ... What to verify? Absence of race conditions in all possible executions of a concurrent system ## Back to ... What to verify? - Absence of race conditions in all possible executions of a concurrent system - It is a classical problem! ## Back to ... What to verify? - Absence of race conditions in all possible executions of a concurrent system - It is a classical problem! (Critical section problem, semaphores, etc). ### Example: Critical Section Problem • N processes compete to use shared resources ### Example: Critical Section Problem - *N* processes compete to use shared resources - Each process has a critical section in its code in which the shared resource is used ### Example: Critical Section Problem - N processes compete to use shared resources - Each process has a critical section in its code in which the shared resource is used - Property to verify = mutual exclusion, i.e., in each execution at most one process is in the critical section 1. Mutual Exclusion: at most two processes in critical section - 1. Mutual Exclusion: at most two processes in critical section - 2. Progress: no deadlock - 1. Mutual Exclusion: at most two processes in critical section - 2. Progress: no deadlock - 3. Bounded Waiting: no starvation - 1. Mutual Exclusion: at most two processes in critical section - 2. Progress: no deadlock - 3. Bounded Waiting: no starvation - 4. Typical assumption Fairness: enabled instructions are eventually executed ### Example: Lamport's Bakery Algorithm ``` begin integer j; L1: choosing[i] := 1; number[i] := 1 + maximum (number[1], ..., number[N]); choosing[i] := 0; for j = 1 step 1 until N do begin L2: if choosing[j] \neq 0 then goto L2; L3: if number[j] \neq 0 and (number[j], j) < (number[i], i) then goto L3; end: critical section; number[i] := 0; noncritical section; goto L1; end ``` #### **Automated Verification** Automated verification methods like model checking can be applied to verify finite-state models of concurrent systems #### **Automated Verification** - Automated verification methods like model checking can be applied to verify finite-state models of concurrent systems - To obtain a finite-state model: fix the number of processes, bound the domain of variable, use abstractions • Input: - Input: - system requirements given in form of a finite-state model M - Input: - system requirements given in form of a finite-state model M - a property $\varphi$ (called specification) that the final system is expected to satisfy. - Input: - system requirements given in form of a finite-state model M - a property $\varphi$ (called specification) that the final system is expected to satisfy. - Output: yes if M satisfies $\varphi$ , otherwise a counterexample - Input: - system requirements given in form of a finite-state model M - a property $\varphi$ (called specification) that the final system is expected to satisfy. - Output: yes if M satisfies $\varphi$ , otherwise a counterexample - The counterexample details why the model doesn't satisfy the specification. The model represents all possible (abstract) behaviors of our design - The model represents all possible (abstract) behaviors of our design - It can be given as a transition system: - The model represents all possible (abstract) behaviors of our design - It can be given as a transition system: - A finite collection of states S - The model represents all possible (abstract) behaviors of our design - It can be given as a transition system: - A finite collection of states S - A transition relation $T \subseteq S \times S$ s.t. T(s, s') represents a transition from state s to state s' ### Example ``` \begin{array}{lll} \mbox{Bool $wantP$, $wantQ$=} \mbox{false}; \\ \mbox{Proc P$=$} & \mbox{Proc Q$=$} \\ \mbox{1: Loop } \{ & \mbox{1: Loop } \{ \\ \mbox{2: $wait(!wantQ)$;} & \mbox{2: $wait(!wantP)$;} \\ \mbox{3: $wantP$ := true$;} & \mbox{3: $wantQ$ := true$;} \\ \mbox{4: Critical section$;} & \mbox{4: Critical section$;} \\ \mbox{5: $wantP$ := false$;} & \mbox{5: $wantQ$ := false$;} \\ \mbox{States} & = \{\langle 1, 1, false, false \rangle, \langle 2, 1, false, false \rangle, \ldots \} \\ \end{array} ``` #### Transition Relation ### **Property** • Specifications can be given in different formats: ### **Property** - Specifications can be given in different formats: - assertions, ### Property - Specifications can be given in different formats: - assertions, - graphs (automata) that specify good behaviors, ### Property - Specifications can be given in different formats: - assertions. - graphs (automata) that specify good behaviors, - logic formulas with navigation operators (temporal operators) # **Property** - Specifications can be given in different formats: - assertions, - graphs (automata) that specify good behaviors, - logic formulas with navigation operators (temporal operators) - ... - In our example an assertion defined on a new variable critical == 1 ## Models with Infinite State-Space? - Extended Finite-State Machines - Data: Unbounded local and global variables - Stack: Recursive Boolean programs - Channels: (Unreliable) Communication systems - . . . ## Models with Infinite State-Space? - Extended Finite-State Machines - Data: Unbounded local and global variables - Stack: Recursive Boolean programs - Channels: (Unreliable) Communication systems - . . . - Parameterized Systems - Parameters in the transitions - Families of systems ### Models with Infinite State-Space? - Extended Finite-State Machines - Data: Unbounded local and global variables - Stack: Recursive Boolean programs - Channels: (Unreliable) Communication systems - . . . - Parameterized Systems - Parameters in the transitions - Families of systems - Computability issues: What can be verified? ### Parameterized Verification Model: a concurrent system with an arbitrary (finite) number of components #### Parameterized Verification - Model: a concurrent system with an arbitrary (finite) number of components - Classes of topologies: Unordered, Linearly ordered, Tree-shaped, Graph-based #### Parameterized Verification - Model: a concurrent system with an arbitrary (finite) number of components - Classes of topologies: Unordered, Linearly ordered, Tree-shaped, Graph-based - Goal: Verify a Property for any number of processes (any topology in a given class) • Deductive Methods: Invariants and Theorem Proving - Deductive Methods: Invariants and Theorem Proving - Abstractions: Reductions to Finite-state Systems - Deductive Methods: Invariants and Theorem Proving - Abstractions: Reductions to Finite-state Systems - Regular Model Checking: Automata-based Representation of Sets of Configurations - Deductive Methods: Invariants and Theorem Proving - Abstractions: Reductions to Finite-state Systems - Regular Model Checking: Automata-based Representation of Sets of Configurations - Constraint-based Model Checking: Constraints as Representation of Sets of Configurations # Example: Lamport's Bakery Algorithm for N-processes ``` begin integer j; L1: choosing[i] := 1: number[i] := 1 + maximum (number[1], ..., number[N]); choosing[i] := 0: for j = 1 step 1 until N do begin L2: if choosing |i| \neq 0 then goto L2: L3: if number[j] \neq 0 and (number[j], j) < (number[i], j) i) then goto L3: end: critical section; number[i] := 0; noncritical section: goto L1; end ``` Verify mutual exclusion for any number of processes! #### Plan of the Lessons - Verification of Finite-state Systems and Abstractions - Verification of Infinite-state Systems and Abstractions - Parameterized Verification and Abstractions