



Carnegie Mellon  
Software Engineering Institute

---

Pittsburgh, PA 15213-3890

# The ComFoRT Reasoning Framework

Sagar Chaki  
James Ivers  
Natasha Sharygina  
Kurt Wallnau

© 2005 by Carnegie Mellon University

# Predictable Assembly from Certifiable Components

Enable the development of software systems from software components where:

- critical runtime attributes e.g., performance and safety, are reliably predicted (**predictable assembly**)
- properties of software components needed for prediction are trusted (**certifiable components**)

# PACC Component Technology Idiom



The Construction and Composition Language (CCL) formalizes this idiom

# PACC Reasoning Frameworks



# ComFoRT Reasoning Framework

- Contains a software model checker **Copper**:
  - provides **new model checking techniques** developed for verification of component software
  - builds on academic tool **MAGIC**
- Analysis models are **automatically** extracted from programs
- **Claims** and verification **results** (counterexamples) are mapped to programs

# Verification Domain

High-level designs (CCL programs) and C programs

- Sequential and concurrent

Communication via **shared actions**

- **Synchronous** communication
- **Asynchronous** execution

# Copper Capabilities

## State/Event-based Verification

- leverages distinction between *data* and *communication actions*

## Compositional Deadlock Detection

- automated deadlock detection that ensures *sound abstractions* and acts as a space reduction procedure

## Verification of Evolving Systems

- automated component *substitutability checks*

# ComFoRT Underlying Framework



# ComFoRT Underlying Framework





## State/Event-based Model Checking (IFM04)

### Labeled Kripke Structures

- Every state is labeled with a set of atomic propositions,  $P$ , true in the state
- Every LKS comes with an alphabet of actions,  $\Sigma$



### State/Event LTL and State/Event AW formalisms

Efficient model checking algorithms for SE-LTL and SE-AW employing the compositional abstraction-refinement framework

# State/Event-based Model Checking

## Labeled Kripke Structures

- Every state is labeled with a set of atomic propositions,  $P$ , true in the state
- Every LKS comes with an alphabet of actions,  $\Sigma$



## State/Event LTL and State/Event AW formalisms

**State/Event-based Software Model Checking**, In  
Proceedings of IFM *Integrated Formal Methods 2004*  
Conference, by Sagar Chaki, Edmund Clarke, Joel  
Ouaknine, Natasha Sharygina and Nishant Sinha.

# Surge Protector : State/Event



Changes of current beyond threshold are disallowed

**G ((c2 → m=2) & (c1 → (m=1 ∨ m=2)))**

# Surge Protector : State Only



**G** (((c=0 V c=2) & X (c=1)) → (m=1 V m=2)) &

**G** (((c=0 V c=1) & X (c=2)) → m=2)

# Deadlock Detection (MEMOCODE'04)

Deadlocks are not preserved by abstraction

- Abstraction refinement does not work



Copper:  $\text{Deadlock} = \text{AbsRef}(s) = \Sigma$

to preserve deadlock the *abstract model* over-approximates not just what *concrete program* can do but also what it **refuses**

# Compositional Deadlock Detection

Deadlock is inherently **non-compositional**

- Can't say anything by looking at components individually

*Copper:*  $\text{AbsRef}(A_1, A_2) = \text{AbsRef}(A_1) \cup \text{AbsRef}(A_2)$

**Abstract deadlock** - reachable state  $s$  such that  $\text{AbsRef}(s) = \Sigma$

*Copper:* No **abstract deadlock** in abstract models      No  
deadlock in concrete models

**Automated, compositional and iterative deadlock detection**, In Proceedings of the Conference on Formal Methods for Codesign (MEMOCODE) 2004, by Sagar Chaki, Edmund Clarke, Joel Ouaknine and Natasha Sharygina

# Component Substitutability Check



Containment check (Local correctness)

Are **all local** old services (properties) of the verified component contained in the upgraded component?

# Component Substitutability Check



# Substitutability Check Approach

- Procedure for checking *simultaneous upgrades* of *multiple components* (FM'04)
  - Abstraction (under- and over- approximations) for the component containment check
  - Compositional reasoning + learning regular sets for automated compatibility check
- Procedure for checking *individual component upgrades* (SAVCBS'04)
  - Algorithms based on learning regular sets technique for the component containment and compatibility tests

# Substitutability Check Approach

- Procedure for checking *simultaneous upgrades of multiple components*
  - Abstraction (under- and over- approximations) for the component containment check
  - Compositional reasoning + learning regular sets for automated compatibility check

**Dynamic Component Substitutability Analysis**, In Proceedings of FM 2005 *Formal Methods Conference*, by Sagar Chaki, Ed Clarke, Natasha Sharygina and Nishant Sinha.

**Verification of Evolving Software**, In Proceedings of SAVCBS 2004 by Sagar Chaki, Natasha Sharygina and Nishant Sinha

PECT - critical\_section.ccl - SEPECT IDE

File Edit Navigate Search Project Tools Window Help

Navigator

- Design
- ComFoRT
- ComposedIPC
  - Claim1-annotated.txt
  - composed.spec
  - critical\_section.ccl**
  - critical\_section.pp
  - critical\_section.spec
  - environment.pp
  - environment.spec
  - ipc\_queue.cpp
  - ipc\_queue.ccl
  - ipc\_queue.spec
  - ipc\_queue.xml
  - read\_msg\_queue.ccl
  - read\_msg\_queue.pp
  - read\_msg\_queue.spec
  - write\_msg\_queue.ccl
  - write\_msg\_queue.pp
  - write\_msg\_queue.spec
- CriticalSection
- SSL
- GeneratedCode
- .project
- Interactive
- ComFoRT
- Design

ipc\_queue.ccl critical\_section.ccl read\_msg\_queue.ccl write\_msg\_queue.ccl composed.spec

```
int numWaiting = 0;
int waiting1 = 0;
int type1 = 0;
int waiting2 = 0;
int type2 = 0;
int random = 0;
int error = 0;
int caller = 0;

sink mutex EnterCriticalSection_read (consume int caller);
sink mutex LeaveCriticalSection_read (consume int caller);
sink mutex EnterCriticalSection_write (consume int caller);
sink mutex LeaveCriticalSection_write (consume int caller);

threaded react CS (EnterCriticalSection_read, LeaveCriticalSection_read, EnterCriticalSection_write, LeaveCriticalSection_write)
    start -> one {}
    one -> two (trigger ^EnterCriticalSection_read(caller))
    two -> one {}
    one -> three (trigger ^LeaveCriticalSection_read(caller))
    three -> one {}
    one -> four (trigger ^EnterCriticalSection_write(caller))
    four -> one {}
    one -> five (trigger ^LeaveCriticalSection_write(caller))
    five -> one {}

    state two { entry{
```

Problems Properties Console

ComFoRT

Verification complete.

Claim Claim28 does not hold. See targets\_C1\_Claim28.txt for the counterexample.

Demo/Design/ComposedIPC/critical\_section.ccl

start PECT - critical\_section.ccl Microsoft PowerPoint ... 4:43 AM

PECT - critical\_section.ccl - SEPECT IDE

File Edit Navigate Search Project Tools Window Help

Navigator

ipc\_queue.ccl critical\_section.ccl read\_msg\_queue.ccl write\_msg\_queue.ccl composed.spec

```
int numWaiting = 0;
int waiting1 = 0;
int type1 = 0;
int waiting2 = 0;
int type2 = 0;
int random = 0;
int error = 0;
int caller = 0;

sink mutex EnterCriticalSection_read (consume int caller);
sink mutex LeaveCriticalSection_read (consume int caller);
sink mutex EnterCriticalSection_write (consume int caller);
sink mutex LeaveCriticalSection_write (consume int caller);

threaded react CS (EnterCriticalSection_read, LeaveCriticalSection_read, EnterCriticalSection_write, LeaveCriticalSection_write)
    start -> one {}
    one -> two (trigger ^EnterCriticalSection_read(caller))
    two -> one {}
    one -> three (trigger ^LeaveCriticalSection_read(caller))
    three -> one {}
    one -> four (trigger ^EnterCriticalSection_write(caller))
    four -> one {}
    one -> five (trigger ^LeaveCriticalSection_write(caller))
    five -> one {}
```

Properties

Analyze Using > Performance RF

Interpretation > ComFoRT

Console

ComFoRT

Verification complete.

Claim Claim28 does not hold. See targets\_C1\_Claim28.txt for the counterexample.

Demo/Design/ComposedIPC/critical\_section.ccl

start PECT - critical\_section.ccl Microsoft PowerPoint ... 4:44 AM



PECT - Claim1-annotated.txt - SEI PECT IDE

File Edit Navigate Search Project Tools Window Help

Navigator

ipc\_queue.ccl critical\_section.ccl read\_msg\_queue.ccl write\_msg\_queue... composed.spec Claim1-annotated...

```
##### P6:::STUTTER #####
P6:::temp_var_110 = do_environment ( & P6:::x , & P6:::y , & P6:::z ) : STUTTER
#####
P6:::temp_var_110 = do_environment ( & P6:::x , & P6:::y , & P6:::z ) : STUTTER
#####
P6:::temp_var_110 = do_environment ( & P6:::x , & P6:::y , & P6:::z )
***** end local CE dag #6 *****
CE dag projections analysed ...
<<< END CHECKPOINT >>>

<<< CHECKPOINT : Projection of CE on fourth component >>>
***** start local CE dag #3 *****
P3:::curState = 145
#####
(P3:::curState = [ $0 == 145 ]) #####
P3:::critical_section_owner = 0
#####
(P3:::critical_section_owner = [ $0 == 0 ]) #####
P3:::critical_section_ownerType = 0
#####
(P3:::critical_section_ownerType = [ $0 == 0 ]) #####
P3:::critical_section_timesEntered = 0
#####
(P3:::critical_section_timesEntered = [ $0 == 0 ]) #####
P3:::critical_section_numWaiting = 0
#####
(P3:::critical_section_numWaiting = [ $0 == 0 ]) #####
P3:::critical_section_waiting1 = 0
#####
(P3:::critical_section_waiting1 = [ $0 == 0 ]) #####
P3:::critical_section_type1 = 0
#####
(P3:::critical_section_type1 = [ $0 == 0 ]) #####
```

Problems Properties Console

ComFoRT

Pre-processing complete.

Starting verification as background task...

Writable Insert 2945 : 19 Verifying Claim1

start PECT - Claim1-annotated... Choose ComFoRT claims Choose ComFoRT claims Choose ComFoRT claims Microsoft PowerPoint ... 4:50 AM



PECT - Claim1-annotated.txt - SEIPECT IDE

File Edit Navigate Search Project Tools Window Help

Navigator

ipc\_queue.ccl critical\_section.ccl read\_msg\_queue.ccl write\_msg\_queue... composed.spec Claim1-annotated...

<<< CHECKPOINT : valid CE found >>>  
CE dag projections analysed ...  
conformance relation does not exist !!  
abstraction abs1 is invalid ...  
<<< END CHECKPOINT >>>  
  
<<< CHECKPOINT : various statistics >>>  
total global time = 1584534.2 milliseconds  
total cpu time = 1414160.0 milliseconds  
total input processing time = 542.7 milliseconds  
total Buchi automaton construction time = 0.0 milliseconds  
total implementation machine extraction time = 223985.4 milliseconds  
total verification time = 1238970.9 milliseconds  
total proof generation time = 0.0 milliseconds  
total abstraction refinement time = 121032.3 milliseconds  
total CE generation time = 12.6 milliseconds  
total CE verification time = 2587.9 milliseconds  
total predicate abstraction refinement time = 118444.3 milliseconds  
total LTS abstraction refinement time = 0.0 milliseconds  
total number of eliminating combinations = 0  
max number of eliminating combinations for a CE = 0  
max size of eliminating combination = 0  
max size of tried combination = 0  
number of iterations = 4  
number of predicate iterations = 4  
number of lts iterations = 0  
number of seed branches : 5  
specification details : 3 states 2 transitions  
number of implementation states : 106422142422400

Problems Properties Console

ComFoRT

Writable Insert 12140 : 1 Verifying Claim1

start PECT - Claim1-annotated... Choose ComFoRT claims Choose ComFoRT claims Choose ComFoRT claims Microsoft PowerPoint ... 4:56 AM

# Applications

## IPC Module

- Deployed by a world leader in robotics
- Discovered **synchronization bug** under which senders would receive the wrong answer to their requests
- Problem had remained undetected for seven years prior to independent discovery by business unit

## Case Study: Micro-C OS

- Real-time OS for **embedded** applications
  - 6000+ LOC, widely used
- Verified **locking discipline**
- Found **four bugs**
  - Missing **unlock** and **return**
  - Three already reported



# Ongoing and Future Work

- Use a SAT solver for computing abstraction
  - Semantics of bit-wise operators is taken into account
- Use of pattern languages for specifying properties
- Integrated Abstraction and Compositional reasoning
- Component certification

# ComFoRT Resources

## ComFoRT tools

- <http://www.sei.cmu.edu/pacc/comfort.html>

## Ongoing industrial & academic **collaborations**

- Prof. Edmund Clarke and his model checking group, Prof. Peter Lee at CMU
- Prof. Dr. Daniel Kroening from ETH Zurich
- Industrial corporate research centers developing embedded controllers

## Conference and Journal **publications**

## References

**Overview of ComFoRT: A Model Checking Reasoning Framework**, CMU/SEI Tech. Report SEI-2004-TN-018 by James Ivers and Natasha Sharygina

**State/Event-based Software Model Checking**, In Proceedings of IFM *Integrated Formal Methods 2004 International Conference*, by Sagar Chaki, Edmund Clarke, Joel Ouaknine, Natasha Sharygina and Nishant Sinha.

**Automated, compositional and iterative deadlock detection**, In Proceedings of the Second ACM-IEEE *International Conference on Formal Methods for Codesign (MEMOCODE) 2004* , by Sagar Chaki, Edmund Clarke, Joel Ouaknine and Natasha Sharygina

**Dynamic Component Substitutability Analysis**, In Proceedings of FM 2005 *Formal Methods Conference*, by Sagar Chaki, Ed Clarke, Natasha Sharygina and Nishant Sinha.

## References

**Verification of Evolving Software**, In Proceedings of SAVCBS 2004 by Sagar Chaki, Natasha Sharygina and Nishant Sinha

**Snapshot of CCL: A Language for Predictable Assembly**, In CMU/SEI TR-2002-TR-031, by James Ivers and Kurt Wallnau

**A Technology for Predictable Assembly from Certifiable Components (PACC)**, In CMU/SEI-TR-2003-TR-009, by Kurt Wallnau

**SAT-based predicate abstraction for ANSI-C**, In *Formal Methods System Design* Journal, Vol. 25(2), 2004, by Daniel Kroening, Ed Clarke, Natasha Sharygina and Karen Yorav.