Formal Methods: foundations and Applications, 12 conf., SBMF2009

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany

5902

Marcel Vinícius Medeiros Oliveira Jim Woodcock (Eds.)

Formal Methods: Foundations and Applications 12th Brazilian Symposium on Formal Methods, SBMF 2009 Gramado, Brazil, August 19-21, 2009 Revised Selected Papers

13

Volume Editors Marcel Vinícius Medeiros Oliveira Universidade Federal do Rio Grande do Norte Departamento de Informática e Matemática Aplicada Campus Universitário, Lagoa Nova, 59078-900 Natal, RN, Brazil E-mail: [email protected] Jim Woodcock University of York Department of Computer Science Heslington, York YO1 7BZ, UK E-mail: [email protected]

Library of Congress Control Number: 2009938928 CR Subject Classification (1998): D.2.4, D.2, F.3, D.3, D.1, K.6, F.4 LNCS Sublibrary: SL 2 – Programming and Software Engineering ISSN ISBN-10 ISBN-13

0302-9743 3-642-10451-7 Springer Berlin Heidelberg New York 978-3-642-10451-0 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12793839 06/3180 543210

Preface

This volume contains the papers presented at SBMF 2009: the Brazilian Symposium on Formal Methods, held during August 19–21, 2009 in Gramado, Rio Grande do Sul, Brazil. The SBMF programme included three invited talks given by Leonardo de Moura (Microsoft Research), Sebastian Uchitel (University of Buenos Aires and Imperial College London), and Daniel Kr¨ oning (University of Oxford). The symposium was accompanied by two short courses: – Introduction to Software Testing, given by M´ arcio Eduardo Delamaro (University of S˜ ao Paulo) – Formal Models for Automatic Test Case Generation, given by Patr´ıcia Machado and Wilkerson Andrade (Federal University of Campina Grande) This year, the SBMF symposium had a special section on the Grand Challenge in Verified Software, inspired by recent advances in theory and tool support. Work on the grand challenge started with the creation of a Verified Software Repository with two principal aims: – To collect a set of verified software components – To conduct a series of industrial-scale verification experiments with theoretical significance and impact on tool-support This special session on the grand challenge was dedicated to two pilot projects currently underway: – The Flash File Store. The challenge is to verify the correctness of a faulttolerant, POSIX-compliant file store implemented on flash memory. Verification issues include dependability guarantees as well as software correctness. Levels of abstraction include requirements specification, software design, executable code, device drivers, and flash translation layers. The challenge was inspired by the requirements for forthcoming NASA space missions. – FreeRTOS. The challenge is to verify the correctness of an open source realtime mini-kernel. FreeRTOS is designed for real-time performance with limited resources, and is accessible, efficient, and popular: it runs on 17 different architectures and is very widely used in many applications. There are over 5,000 downloads per month from SourceForge, making it the repository’s 250th most downloaded code (out of 170,000 codes). FreeRTOS presents a significant verification challenge, in spite of it containing less than 2,500 lines of pointer-rich code. Attendance at the session gave speakers and participants an opportunity to discuss the state of the art in software verification and to discuss open problems in need of solutions. In particular, it helped to contribute to an open agenda of

VI

Preface

research actions for the grand challenge. The papers in the session are of interest to theoreticians, tool builders, tool users, and industrial practitioners. SBMF was co-located with SAST 2009, the Brazilian Workshop on Systematic and Automated Software Testing. There was a joint technical session on formal aspects of testing, and a joint panel on Academic and Industrial Research Directions in Software Verification. SBMF was organized by the Instituto de Inform´ atica at the Federal University of Rio Grande do Sul (UFRGS) under the auspices of the Brazilian Computer Society (SBC). It was sponsored by the following organizations: – – – – – – –

CNPq, the Brazilian Scientific and Technological Research Council CAPES, the Brazilian Higher Education Funding Council Banrisul, the Rio Grande do Sul state bank The Governor of the State of Rio Grande do Sul Microsoft Research The Federal University of Rio Grande do Norte (UFRN) The University of York

The deliberations of the Programme Committee and the preparation of these proceedings were handled by EasyChair, which made our lives much easier. September 2009

Marcel Vin´ıcius Medeiros Oliveira James Charles Paul Woodcock

Conference Organization

Programme Chairs Marcel Oliveira and Jim Woodcock

Programme Committee Aline Andrade David Aspinall Luis Barbosa Roberto Bigonha Michael Butler Andrew Butterfield Ana Cavalcanti Andrea Corradini Jim Davies David D´eharbe Ewen Denney Clare Dixon Adolfo Duran Jorge Figueiredo Leo Freitas Rohit Gheyi Rolf Hennicker Juliano Iyoda Moonzoo Kim

Steering Committee Ana C. V. de Melo (USP) Jim Woodcock (University of York) Leila Ribeiro (UFRGS) Marcel Oliveira (UFRN) Patr´ıcia Machado (UFCG)

Organizing Committee ´ Alvaro Freitas Moreira (Chair; UFRGS) Cl´audio Fuzitaki (UFRGS)

Luis Lamb Gerald L¨ uttgen Patr´ıcia Machado Ana Melo Anamaria Moreira ´ Alvaro Moreira Arnaldo Moura Alexandre Mota David Naumann Daltro Nunes Jos´e Nuno Oliveira Alberto Pardo Alexandre Petrenko Leila Ribeiro Augusto Sampaio Leila Silva Adenilso Sim˜ao Willem Visser Heike Wehrheim

VIII

Organization

Fabiane Cristine Dillenburg (UFRGS) Germano Caumo (UFRGS) Luciana Foss (UFRGS) Lucio Mauro Duarte (UFRGS) Olinto E. David de Oliveira (UFRGS)

Table of Contents

Speeding Up Simulation of SystemC Using Model Checking . . . . . . . . . . . Nicolas Blanc and Daniel Kroening Partial Behaviour Modelling: Foundations for Incremental and Iterative Model-Based Software Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sebastian Uchitel

1

17

Satisfiability Modulo Theories: An Appetizer . . . . . . . . . . . . . . . . . . . . . . . . Leonardo de Moura and Nikolaj Bjørner

23

Interruption Testing of Reactive Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wilkerson L. Andrade and Patr´ıcia D.L. Machado

37

Test Case Generation of Embedded Real-Time Systems with Interruptions for FreeRTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wilkerson L. Andrade, Patr´ıcia D.L. Machado, Everton L.G. Alves, and Diego R. Almeida

54

Concurrent Models of Flash Memory Device Behaviour . . . . . . . . . . . . . . ´ Cath´ Andrew Butterfield and Art O ain

70

Corecursive Algebras: A Study of General Structured Corecursion . . . . . . Venanzio Capretta, Tarmo Uustalu, and Varmo Vene

84

Formalizing FreeRTOS: First Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . David D´eharbe, Stephenson Galv˜ ao, and Anamaria Martins Moreira

101

A Mechanized Strategy for Safe Abstraction of CSP Specifications . . . . . Adriana Damasceno, Adalberto Farias, and Alexandre Mota

118

Applying Event and Machine Decomposition to a Flash-Based Filestore in Event-B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kriangsak Damchoom and Michael Butler

134

An Integrated Formal Methods Tool-Chain and Its Application to Verifying a File System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Miguel Alexandre Ferreira and Jos´e Nuno Oliveira

153

Towards Safe Design of Synchronous Bus Protocols in Event-B . . . . . . . . Ricardo Bedin Fran¸ca, Leandro Buss Becker, Jean-Paul Bodeveix, Jean-Marie Farines, and Mamoun Filali

170

Mechanising Data-Types for Kernel Design in Z . . . . . . . . . . . . . . . . . . . . . . Leo Freitas

186

X

Table of Contents

A Complete Set of Object Modeling Laws for Alloy . . . . . . . . . . . . . . . . . . Rohit Gheyi, Tiago Massoni, Paulo Borba, and Augusto Sampaio

204

Undecidability Results for Distributed Probabilistic Systems . . . . . . . . . . Sergio Giro

220

Formalisation and Analysis of Objects as CSP Processes . . . . . . . . . . . . . . Renata Kaufman, Augusto Sampaio, and Alexandre Mota

236

Concolic Testing of the Multi-sector Read Operation for Flash Memory File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Moonzoo Kim and Yunho Kim

251

Low-Level Code Verification Based on CSP Models . . . . . . . . . . . . . . . . . . . Moritz Kleine and Steffen Helke

266

Formal Modelling of a Microcontroller Instruction Set in B . . . . . . . . . . . . Val´erio Medeiros Jr. and David D´eharbe

282

Defining Behaviours by Quasi-finality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Elisabete Freire and Lu´ıs Monteiro

290

Verifying Compiled File System Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jan Tobias M¨ uhlberg and Gerald L¨ uttgen

306

Reasoning about General Quantum Programs over Mixed States . . . . . . . Juliana Kaizer Vizzotto, Giovani Rubert Librelotto, and Amr Sabry

321

A Simple and General Theoretical Account for Abstract Types . . . . . . . . Hongwei Xi

336

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

351

Speeding Up Simulation of SystemC Using Model Checking Nicolas Blanc1 and Daniel Kroening2 1

2

ETH Zurich, Switzerland Oxford University, Computing Laboratory, UK

Abstract. SystemC is a system-level modeling language that offers a wide range of features to describe concurrent systems. The SystemC standard permits simulators to implement a deterministic thread scheduling policy, which often hides concurrency-related design flaws. We present a novel compiler for SystemC that integrates a formal race analysis based on Model Checking techniques. The key insight to make the formal analysis scalable is to apply the Model Checker only to small partitions of the model. Our compiler produces a simulator that uses the race analysis information at runtime to perform partial-order reduction, thereby eliminating context switches that do not affect the result of the simulation. Experimental results show simulation speedups of one order of magnitude and better.

1

Introduction

Time-to-market requirements have rushed the Electronic Design Automation (EDA) industry towards design paradigms that require a very high level of abstraction. This high level of abstraction can shorten the design time by enabling the creation of fast executable verification models. This way, bugs in the design can be discovered early in the design process. As part of this paradigm, an abundance of C-like system design languages has emerged. A key feature is joint modeling of both the hardware and software component of a system using a language that is well-known to engineers. A promising candidate for an industry standard is SystemC. SystemC offers a wide range of language features such as hierarchical design by means of a hierarchy of modules, arbitrary-width bit-vector types, and concurrency with related synchronization mechanisms. SystemC permits different levels of abstraction, from a very high-level specification with big-step transactions down to the gate level. The execution model of SystemC is driven by events, which start or resume processes. In addition to communication via shared variables, processes can exchange information through predefined communication channels such as signals and FIFOs. 

This paper is an extended version of a conference paper that appeared at ICCAD 2008 [1]. This research is supported by ETH research grant TH-21/05-1 and by the Semiconductor Research Corporation (SRC) under contract no. 2006-TJ-1539.

M.V.M. Oliveira and J. Woodcock (Eds.): SBMF 2009, LNCS 5902, pp. 1–16, 2009. c Springer-Verlag Berlin Heidelberg 2009 

2

N. Blanc and D. Kroening

Technically, SystemC programs rely on a C++ template library. SystemC modules are therefore plain C++ classes, which are compiled and then linked to a runtime scheduler. This provides a simple yet efficient way to simulate the behavior of the system. Methods of a module may be designated as threads or processes. Interleaving between those threads is performed at pre-determined program locations, e.g., at the end of a thread or when the wait() method is called. When multiple threads are ready for execution, the ordering of the threads is nondeterministic. Nevertheless, the SystemC standard allows simulators to adopt a deterministic scheduling policy. Consequently, simulators can avoid problematic schedules, which often prevents the discovery of concurrencyrelated design flaws. When describing synchronous circuits at the register transfer level, system designers can prevent races by restricting inter-process communication to deterministic communication channels such as sc signals. However, the elimination of races from the high-level model is often not desirable: In practice, system designers often use constructs that yield races in order to model nondeterministic choices implicit in the design. In particular, models containing standard transaction-level modeling (TLM) interfaces are frequently subject to race phenomena. TLM designs usually consist of agents sharing communication resources and competing for access to them. An example is a FIFO with two clock domains: the races model the different orderings of the clock events that can arise. Contribution. Due to the combinatorial explosion of process interleavings, testing methods for concurrent software alone are unlikely to detect bugs that depend on subtle interleavings. Therefore, we propose to employ formal methods to statically pre-compute thread-dependency relations and predicates that predict race conditions, and to use this information subsequently during the simulation run to prune the exploration of concurrent behaviors. There are two possible ways of exploiting the information: 1. In general, proving or refuting process independence requires precise static analysis. From a designer perspective, the statically computed dependency relations between the threads provide key insights into potential races. 2. The statically computed race conditions improve the performance of partial order reduction, which results in a greatly reduced number of interleavings. The remaining interleavings can then be explored exhaustively, which is a valuable validation aid. We have implemented this technique in Scoot [2], a novel research compiler for SystemC. The static computation of the race conditions relies on a Model Checker. The technique we propose is independent of the specific formal engine. We have performed our experiments using SatAbs [3], a SAT-based Model Checker implementing predicate abstraction, and CBMC, a SAT-based bounded Model Checker. Our experimental results indicate that strong race conditions can be computed statically at reasonable cost, and result in a simulation speedup of a factor of ten or better.

Speeding Up Simulation of SystemC Using Model Checking

3

Related Work Concurrent threads with nondeterministic interleaving semantics may give rise to races. A data race is a special kind of race that occurs in a multi-threaded application when several processes enter a critical section simultaneously [4]. Flanagan and Freud use a formal type system to detect race-condition patterns in Java [5]. Eraser is a dynamic data-race detector for concurrent applications [6]. It uses binary rewriting techniques to monitor shared variables and to find failures of the locking discipline at runtime. Other tools, such as RacerX [7] and Chord [8], rely on classic pointer-analysis techniques to statically detect data races. Data races can also occur in SystemC if processes call synchronization routines while holding shared resources. Model Checkers are frequently applied to the verification of concurrent applications, and SystemC programs are an instance; see [9] for a survey on software Model Checking. Vardi identifies formal verification of SystemC models as a research challenge [10]. Prior applications of formal analysis to SystemC or similar languages are indeed limited. We therefore briefly survey recent advances in the application of such tools to system-level software. DDVerify is a tool for the verification of Linux device drivers [11]. It places the modules into a concurrent environment and relies on SatAbs for the verification. KISS is a tool for the static analysis of multi-threaded programs written in C [12]. It reduces the verification of a concurrent application to the verification of a sequential program with only one stack by bounding the number of context switches. The reduction never produces false alarms, but is only complete up to a specific number of context switches. KISS uses Slam [13], a Model Checker based on Predicate Abstraction [14,15], to verify the sequential model. Verisoft is a popular tool for the systematic exploration of the state space of concurrent applications [16] and could, in principle, be adapted to SystemC. The execution of processes is synchronized at visible operations, which are system calls monitored by the environment. Verisoft systematically explores the schedules of the processes without storing information about the visited states. Such a method is, therefore, referred to as a state-less search. Verisoft ’s support for partial-order reduction relies exclusively on dynamic information to achieve the reduction. In a recent paper, Sen et al. propose a modified SystemC-Scheduler that aims to detect design flaws that depend on specific schedules [17]. The scheduler relies on dynamic information only, i.e., the information has to be computed during simulation, which incurs an additional run-time overhead. In contrast, Scoot statically computes the conditions that guarantee independence of the transitions. The analysis is very precise, as it is based on a Model Checker, and Scoot is therefore able to detect opportunities for partial-order reduction with little overhead during simulation. Flanagan and Godefroid describe a state-less search technique with support for partial-order reduction [18]. Their method runs a program up to completion, recording information about inter-process communication. Subsequently, the trace is analyzed to detect alternative transitions that might lead to different behaviors. Alternative schedules are built using happens-before information,

4

N. Blanc and D. Kroening

which defines a partial-order relation on all events of all processes in the system [19]. The procedure explores alternative schedules until all relevant traces are discovered. Helmstetter et al. present a partial-order reduction technique for SystemC [20]. Their approach relies on dynamic information and is similar to Flanagan and Godefroid’s technique [18]. Their simulator starts with a random execution, and observes visible operations to detect dependency between the processes and to fork the execution. Our technique performs a powerful analysis statically that is able to discover partial-order reduction opportunities not detectable using only dynamic information. Kundu et al. propose to compute read/write dependencies between SystemC processes using a path-sensitive static analysis [21]. At runtime, their simulator starts with a random execution and detects dependent transitions using static information. The novelty of our approach is to combine conventional static analysis with Model Checking to compute sufficient conditions over the global variables of the SystemC model that guarantee commutativity of the processes. Wang et al. introduce the notion of guarded independence for pairs of transitions [22]. Their idea is to compute a condition (or guard) that holds in the states where two specific transitions are independent. Our contribution in this context is to compute these conditions for SystemC using a Model Checker.

2

Partial-Order Reduction for SystemC

In this section, we provide a brief introduction to the concurrency model of SystemC and describe the challenges of applying partial-order reduction in the context of SystemC. 2.1

An Overview of the Concurrency Model of SystemC

The dominating concurrency model for software permits asynchronous interleavings between threads, that is, running processes are preempted. SystemC is different as it is mainly designed for modeling synchronous systems. Its scheduler has a co-operative multitasking semantics, meaning that the execution of processes is serialized by explicit calls to a wait() method, and that threads are not preempted. The SystemC scheduler tracks simulation time and delta cycles. The simulation time is a positive integer value (the clock). Delta cycles are used to stabilize the state of the system. A delta cycle consists of three phases: evaluate, update, and notify. 1. The evaluation phase selects a process from the set of runnable processes and triggers or resumes its execution. The process runs immediately up to the point where it returns or invokes the wait function. The evaluation phase is iterated until the set of runnable processes is empty. The SystemC standard allows simulators to choose any runnable process, as long as the policy is consistent between runs.

Speeding Up Simulation of SystemC Using Model Checking

5

Program 1. A SystemC module with a race condition SC MODULE(m) { s c c l o c k c l k ; int p ressu re ; void guard ( ) { i f ( p r e s s u r e == PMAX) p r e s s u r e = PMAX−1; } void i n c r e m e n t ( ) { p r e s s u r e ++; }

};

SC CTOR(m) { SC METHOD( guard ) ; s e n s i t i v e (tl.tLunSelected.readPageComplete -> T_RPP_COMPLETE(tbStatusOut, tbChgCol,tCopyback,tLunSelected,tLastCmd,T_RPP_ReadParams, tbStatus78hReq,cmd,false,isWriteProtected,dataBit,addrReceived, lun0ready,lun1ready,intCounter,addr3Block,addr2Page,addr1ColH, addr0ColL) [] ht_ioCmd.cmd70h -> T_RS_EXECUTE(tbStatusOut,tbChgCol,tCopyback, tLunSelected,tLastCmd,T_RPP_ReadParams,tbStatus78hReq,cmd,false, isWriteProtected,dataBit,addrReceived,lun0ready,lun1ready, intCounter,addr3Block,addr2Page,addr1ColH,addr0ColL) [] (tbStatusOut==true) & (ht_read -> T_IDLE_RD_STATUS(tbStatusOut,tbChgCol,tCopyback, tLunSelected,tLastCmd,T_RPP_ReadParams,tbStatus78hReq,cmd,false, isWriteProtected,dataBit,addrReceived,lun0ready,lun1ready, intCounter,addr3Block,addr2Page,addr1ColH,addr0ColL)))

Fig. 2. CSP encoding

After some initial experimentation with small handcrafted examples, it became very clear that some form of automation was going to be needed if the CSP encoding was going to be completed in a timely fashion. The solution adopted was to use State Chart XML (SCXML), a “state-chart” dialect of XML [BAA+ 09] for initial data entry. This was chosen because SCXML provided a textual way to describe states, state-variables, and variable updates at a level very close to that used in the ONFi descriptions. Given an SCXML encoding, this could then be translated into the machine-readable form of CSP using XSL Transformations (XSLT) [W3C99]. The ready availability of parsers and tools to manipulate XML made this an easier prospect than trying to develop our own data-entry language with tool support. The SCXML code to describe the T_RPP_ReadParam state is shown in Fig.3. The key feature to note is that the data-entry requirements are limited to the information that appears explicitly in the ONFi behaviour tables. <state id=T_RPP_ReadParams> <event name=tl.tLunSelected.setSR6!0"/>