DEGREE PROJECT IN TECHNOLOGY, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2020 Extracting scalable program models for TLA model checking THEO PURANEN ÅHFELDT ANDERS ÅGREN THUNÉ KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Extracting scalable program models for TLA model checking THEO PURANEN ÅHFELDT ANDERS ÅGREN THUNÉ Bachelor in Computer Science Date: June 5, 2020 Supervisor: Dilian Gurov Examiner: Pawel Herman School of Electrical Engineering and Computer Science Swedish title: Extrahering av skalbara programmodeller för TLA-modellprövning iii Abstract Program verification has long been of interest to researchers and practition- ers for its role in asserting reliability in critical systems. Many such systems feature reactive behavior, where temporal properties are of interest. Conse- quently, a number of systems and program verification tools for dealing with temporal logic have been developed. One such is TLA, whose main purpose is to verify temporal properties of systems using model checking. A TLA model is determined by a logical formula that describes all possible behaviors of a system. TLA is primarily used to verify abstract system designs, as it is considered ill-suited for implementation code in real programming languages. This thesis investigates how TLA models can be extracted from real code, in order to verify temporal properties of the code. The main problem is get- ting the model size to scale well with the size of the code, while still being representative. The paper presents a general method for achieving this, which utilizes deductive verification to abstract away unnecessary implementation details from the model. Specifically, blocks which can be considered atomic are identified in the original code and replaced with Hoare-style assertions rep- resenting only the data transformation performed in the block. The result can then be translated to a more compact TLA model. The assertions, known as block contracts, are verified separately using deductive verification, ensuring the model remains representative. We successfully instantiate the method on a simple C program, using the tool Frama-C to perform deductive verification on blocks of code and translat- ing the result to a TLA model in several steps. The PlusCal algorithm language is used as an intermediary to simplify the translation, and block contracts are successfully translated to TLA using a simple encoding. The results show promise, but there is future work to be done. iv Sammanfattning Programverifiering har länge varit av intresse för att kunna försäkra sig om tillförlitligheten hos kritiska system. Många sådana system uppvisar ett reak- tivt beteende, där temporala egenskaper är av intresse. Som följd har ett antal system och programverifieringsverktyg för hantering av temporallogik utveck- lats. Ett sådant är TLA, vars huvudsakliga syfte är att verifiera egenskaper hos abstrakta algoritmer med hjälp av modellprövning. En TLA-modell bestäms av en logisk formel som beskriver alla möjliga beteenden av ett visst system. TLA anses mindre lämpligt för riktig implementationskod och används främst för att verifiera egenskaper hos abstrakta systemmodeller. Denna uppsats undersöker hur TLA-modeller kan extraheras från verklig kod för att verifiera kodens temporala egenskaper. Det huvudsakliga proble- met är att även för större program kunna skapa en modell av hanterbar storlek som ändå är representativ. Vi presenterar en allmän metod för att uppnå det- ta som använder deduktiv verifiering för att abstrahera onödiga implemente- ringsdetaljer från modellen. Kodblock som kan betraktas som atomiska i den ursprungliga koden identifieras och ersätts med blockkontrakt som represente- rar datatransformationen som utförs i blocket. Resultatet kan sedan översättas till en mera kompakt TLA-modell. Kontrakten verifieras separat med deduktiv verifiering, vilket säkerställer att modellen behålls representativ. Vi instantierar med framgång metoden på ett enkelt C-program. Verkty- get Frama-C används för att utföra deduktiv verifiering på kodblock och flera steg genomförs för att översätta resultatet till en TLA-modell. Algoritmspråket PlusCal används som ett mellansteg för att förenkla översättningen, och block- kontrakt översätts till TLA med en enkel kodning. Resultaten är lovande, men det finns flera punkter som kräver ytterligare arbete. Contents 1 Introduction 1 1.1 Research Problem . .2 1.2 Thesis Organization . .2 2 Background 3 2.1 Deductive Verification . .3 2.1.1 Hoare Logic . .3 2.1.2 Frama-C . .5 2.2 Model Checking . .6 2.3 The Temporal Logic of Actions . .6 2.4 TLA+ ..............................9 2.4.1 PlusCal . 10 2.5 Combining Approaches . 11 3 Method 14 3.1 Problem Statement . 14 3.2 Approach . 15 3.2.1 General Approach . 15 3.2.2 Instantiation . 15 3.2.3 Motivation . 16 4 Results 18 4.1 A Server Example . 18 4.2 A Truck Example . 22 5 Discussion 24 5.1 Related Work . 25 6 Conclusion 27 v vi CONTENTS Bibliography 28 Acknowledgment 30 A TLA+ Specifications 31 A.1 The Server Example . 31 A.2 The Truck Example . 33 Chapter 1 Introduction Digital systems are growing more and more complex, and we often depend on these systems being reliable. This is especially true in critical systems like self-driving cars, where an error could lead to lives being lost. Program verifi- cation is the study of making sure programs, such as these, work in the intended manner. This is usually done by first specifying exactly what the intended be- havior of the program is, and then formally verifying that the program adheres to the specification using logic. Typically, there are two primary aspects of program behavior that are verified in this way: how a program transforms data and how the program state changes over time. The difference between the two may seem insignificant, but when larger programs involving concurrency are considered, they become more pronounced. Sequential procedures that only transform data, without other side effects, can be described with a Hoare-style assertion, which is simply a relation be- tween the state before the procedure and the state after (Hoare 1969). This relation can then be verified using a set of rules, a process called deductive ver- ification. However, for many concurrent systems it is also of interest to verify temporal properties, such as safety properties (asserting bad things never hap- pen) and liveness properties (asserting good things eventually happen) (Lam- port 1994). Verifying such properties requires reasoning about time, using temporal logic. One framework for modelling programs in temporal logic is TLA, the Tem- poral Logic of Actions (Lamport 1994), where programs are represented by logical formulas. PlusCal is a language that allows smaller concurrent pro- grams to be automatically translated to TLA, after which they can be checked by existing TLA verification tools (Lamport 2009). However, this does not scale for large concurrent applications: Lamport states that PlusCal would be 1 2 CHAPTER 1. INTRODUCTION unlikely to work well for algorithms of over one or two thousand lines. In- stead, TLA typically works on a higher level of abstraction, containing as few unessential implementation details as possible. 1.1 Research Problem In order to verify large programs using TLA, it is only feasible to verify the abstract algorithm, which might hide faults in the implementation. The pur- pose of this thesis is to present an approach that could be used to verify such large programs without ignoring implementation details, by combining TLA with deductive verification using Hoare-style assertions. This aims to provide a clear connection between the abstract TLA model and the concrete imple- mentation, in a way that is not possible using only TLA. While the approach should be applicable to any program, in this thesis, the scope is limited to simple, sequential C programs. 1.2 Thesis Organization First, Chapter 2 explains the concepts of deductive verification, model check- ing and the temporal logic TLA, and their relationship. It also describes exist- ing tools for automatic verification in these logics that makes them practical. Chapter 3 then restates the problem addressed by the thesis and presents the ap- proach proposed for solving it. The abstract approach proposed is described in detail, and a workflow for implementing it on C programs using specific tools is proposed. Chapter 4 implements the proposed workflow for a repre- sentative example program. Chapter 5 discusses the strengths and weaknesses of the proposed approach, and relates this to other work and suggestions for future work. Finally, Chapter 6 presents the conclusion of the thesis. Chapter 2 Background When verifying correctness properties of systems, two principal approaches are algorithmic verification and deductive verification. Deductive verification relies on using a set of rules to formulate proofs about the system. Algorithmic verification, or model checking, is based on constructing a model of the system to be verified, which can then be used to (computationally) check properties of interest. This has the advantage of requiring less input from the programmer at the cost of generality and computational efficiency (Pnueli and Shahar 1996). This chapter describes deductive verification and model checking to the reader and then proceeds to introduce the main background matter, TLA. It also touches upon the tools that are used when working with program verifi- cation. 2.1 Deductive Verification This section gives an overview of Hoare logic (Hoare 1969), a formal sys- tem for deductive verification, and Frama-C (Kirchner et al. 2015), a tool for automating deductive verification proofs. 2.1.1 Hoare Logic When it comes to procedures that can be fully specified by how they transform data, in the form of a relation between the state of the involved variables before and after the execution of the procedure, Hoare logic is sufficient for verifica- tion. In Hoare logic one specifies a program, or part of a program (referred to as a block) in terms of an assertion. An assertion is a triple fPgφfQg where P and Q are predicates, and φ is a code block (H.