![Page 1: Systemacallyexploring controlprograms(LectureI)+ · Buggy+control+programs+wreakhavoc+ “Ihad&arule&thatwould&turn&on&the&heat,&disarm&the& alarm,&turn&on&some&lights,&etc.&at8am&…..&](https://reader034.vdocuments.mx/reader034/viewer/2022050208/5f5ae0c9da58dc08e00b35c2/html5/thumbnails/1.jpg)
Systematically exploring control programs (Lecture I)
Ratul Mahajan, Microsoft Research
Joint work with Jason Croft, Matt Caesar, and Madan Musuvathi
Control programs are everywhere
From the smallest of networks to the largest
The nature of control programs
Collection of rules with triggers and actions

Home automation example:

```text
motionPorch.Detected:
    if (Now - tLastMotion < 1s && lightLevel < 20)
        porchLight.Set(On)
    tLastMotion = Now
@6:00:00 PM: porchLight.Set(On)
@6:00:00 AM: porchLight.Set(Off)
```

Network controller example:

```text
packetIn:
    entry = new Entry(inPkt.src, inPkt.dst)
    if (!cache.Contains(entry))
        cache.Insert(entry, Now)
CleanupTimer:
    foreach entry in cache
        if (Now - cache[entry] > 5s)   // evict entries older than 5s
            cache.Remove(entry)
```
Buggy control programs wreak havoc
One nice morning in the summer

“I had a rule that would turn on the heat, disarm the alarm, turn on some lights, etc. at 8am ….. I came home from vacation to find a warm, inviting, insecure, well lit house that had been that way for a week…… That’s just one example, but the point is that it has taken me literally YEARS of these types of mistakes to iron out all the kinks.”
Control programs are hard to reason about

```text
motionPorch.Detected:
    if (Now - timeLastMotion < 1 sec && lightMeter.Level < 20)
        porchLight.Set(On);
    timeLastMotion = Now;
porchLight.StateChange:
    if (porchLight.State == On)
        timerPorchLight.Reset(5 mins);
timerPorchLight.Fired:
    if (Now.Hour > 6AM && Now.Hour < 6PM)
        porchLight.Set(Off);
```

Three sources of difficulty:
• Dependence on time
• Rule interaction
• Large input space

Example timeline (figure): 9:00 PM physical actuation, 9:04 PM motion, 9:05 PM lights off
Desirable properties for bug finders
• Sound
• Complete
• Fast
Two bug finding methods
• Testing
• Model checking
Two threads in model checking
• Check models
• Check code
Model checking code
FSM is the most popular abstraction
– Decide what are “states” and “transitions”

(Figure: example FSM with states S0 to S4 and transitions labelled T1 and T2)
Example

```text
motionPorch:   porchLight.Set(On)
               timer.Start(5 mins)
porchLight.On: timer.Start(5 mins)
timer.Fired:   porchLight.Set(Off)
```

State graph over [PorchLight, Timer] (figure): the reachable states are [Off, Off], [On, On] and [Off, On]; Motion and LightOn lead to [On, On], LightOff from [On, On] leads to [Off, On], and Timer fires from the states where the timer is On
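An explicit-state exploration of this example, added here as an illustration (it is not DeLorean's code): the four rules become event handlers over the abstract state (porchLight, timer), a breadth-first search enumerates the reachable states and transitions, and a safety invariant is checked on every state. The invariant ("the light is never on without the timer running") and the variant with the porchLight.On rule removed are assumptions made for the demonstration.

```python
"""Explicit-state model checking of the porch-light example.

Added illustration for this slide, not DeLorean's code.  The rules become
event handlers over the abstract state (porchLight, timer); breadth-first
search enumerates reachable states and transitions and checks a safety
invariant on each state.  The invariant and the "rule missing" variant are
assumptions made for the demonstration."""
from collections import deque

OFF, ON = "Off", "On"


def porch_rules(with_light_on_rule=True):
    """Event -> handler(light, timer) -> next state, or None if the event
    cannot occur in that state (the timer only fires while it is running)."""
    def motion(light, timer):        # motionPorch: porchLight.Set(On); timer.Start
        return (ON, ON)

    def light_on(light, timer):      # physical switch; porchLight.On rule starts the timer
        return (ON, ON if with_light_on_rule else timer)

    def light_off(light, timer):     # physical switch; no rule reacts
        return (OFF, timer)

    def timer_fired(light, timer):   # timer.Fired: porchLight.Set(Off)
        return (OFF, OFF) if timer == ON else None

    return {"Motion": motion, "LightOn": light_on,
            "LightOff": light_off, "Timer": timer_fired}


def explore(rules, invariant, initial=(OFF, OFF)):
    """BFS over the state graph.  Returns (reachable states, transitions,
    counterexample trace to the first invariant violation or None)."""
    parent = {initial: None}         # state -> (predecessor, event)
    queue = deque([initial])
    edges = []
    while queue:
        state = queue.popleft()
        if not invariant(*state):
            return set(parent), edges, trace_to(parent, state)
        for event, handler in rules.items():
            nxt = handler(*state)
            if nxt is None:
                continue
            edges.append((state, event, nxt))
            if nxt not in parent:
                parent[nxt] = (state, event)
                queue.append(nxt)
    return set(parent), edges, None


def trace_to(parent, state):
    """Rebuild the event sequence from the initial state to `state`."""
    path = []
    while parent[state] is not None:
        prev, event = parent[state]
        path.append((prev, event, state))
        state = prev
    return list(reversed(path))


def light_implies_timer(light, timer):
    """Assumed safety invariant: the light is never on without the timer running."""
    return not (light == ON and timer == OFF)


if __name__ == "__main__":
    states, edges, cex = explore(porch_rules(), light_implies_timer)
    print(len(states), "states,", len(edges), "transitions, violation:", cex)
    states, edges, cex = explore(porch_rules(with_light_on_rule=False), light_implies_timer)
    print("without the porchLight.On rule, violation:", cex)
```

With all four rules the search finds exactly the three states of the slide's graph and no violation; dropping the porchLight.On rule makes the search return the one-event trace LightOn that leaves the light on with no timer running, which is the kind of counterexample a model checker reports.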
Exploring input space

```text
motionPorch:   if (lightLevel < 20) porchLight.Set(On)
               timer.Start(10 mins)
porchLight.On: timer.Start(5 mins)
timer.Fired:   porchLight.Set(Off)
```

To explore comprehensively, must consider all possible values of input parameters

(Figure: from [Off, Off], the Motion event is tried with LtLvl = 0, 1, …, 99 over the state [PorchLight, Timer]; values 0 to 19 lead to [On, On], values 20 to 99 leave the state at [Off, Off])
Symbolic execution

```text
if (x < 2)
    if (y > 5) p = 1;
    else       p = 2;
else
    if (y > 10) p = 3;
    else        p = 4;
```

Start with symbolic inputs $(x, y, p) = (\sigma_x, \sigma_y, \sigma_p)$ and fork at every branch, collecting the path condition:

$\sigma_x < 2 \wedge \sigma_y > 5 \Rightarrow \sigma_p = 1$

$\sigma_x < 2 \wedge \sigma_y \le 5 \Rightarrow \sigma_p = 2$

$\sigma_x \ge 2 \wedge \sigma_y > 10 \Rightarrow \sigma_p = 3$

$\sigma_x \ge 2 \wedge \sigma_y \le 10 \Rightarrow \sigma_p = 4$
Finding equivalent inputs using symbolic execution

```text
motionPorch:   if (lightMeter.Level < 20) porchLight.Set(On)
               timer.Start(5 mins)
porchLight.On: timer.Start(5 mins)
timer.Fired:   porchLight.Set(Off)
```

1. Symbolically execute each trigger
2. Find input ranges that lead to the same state

Path conditions per trigger (figure): motionPorch forks on LtLvl < 20 and LtLvl ≥ 20; porchLight.On and timer.Fired do not depend on the input (LtLvl = ∗)

A program whose trigger stores the input value (figure):

```text
motionPorch:   x = lightMeter.Level
porchLight.On: timer.Start(5 mins)
timer.Fired:   porchLight.Set(Off)
```

Here every value LtLvl = 0, …, 99 leads to a distinct state, so no two inputs are equivalent
Efficiently exploring the input space

```text
motionPorch:   if (lightMeter.Level < 20) porchLight.Set(On)
               timer.Start(5 mins)
porchLight.On: timer.Start(5 mins)
timer.Fired:   porchLight.Set(Off)
```

Equivalence classes for the motion trigger: LtLvl < 20 and LtLvl ≥ 20

Pick random values in the equivalence classes (figure): from [Off, Off], Motion with LtLvl = 10 leads to [On, On], Motion with LtLvl = 20 leaves the state at [Off, Off]
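The following miniature symbolic executor is an added example (not DeLorean's code) covering the symbolic execution slide and the equivalence-class slides above: programs are small trees of If and Assign nodes whose conditions compare one symbolic input with an integer constant, every branch forks and accumulates a path condition, and the path conditions are turned into integer input ranges from which one random representative per class is drawn. The x/y program and the motionPorch trigger are the slides' own; the AST node names, the 0..99 domain for lightLevel and the random seed are assumptions.

```python
"""A miniature symbolic executor for the trigger bodies on these slides.

Added illustration, not DeLorean's code.  Programs are small ASTs of If and
Assign nodes; every condition compares one symbolic input with an integer
constant, which is all the slide examples need.  The porch program and the
lightLevel domain 0..99 are taken from the slides; names are assumptions."""
import random
from dataclasses import dataclass
from typing import Any, List


@dataclass(frozen=True)
class Cmp:
    """Condition `var OP const` with OP in <, <=, >, >=."""
    var: str
    op: str
    const: int

    def negate(self):
        return Cmp(self.var, {"<": ">=", ">=": "<", ">": "<=", "<=": ">"}[self.op], self.const)

    def __str__(self):
        return f"{self.var} {self.op} {self.const}"


@dataclass
class Assign:
    var: str
    value: Any


@dataclass
class If:
    cond: Cmp
    then: List[Any]
    orelse: List[Any]


def sym_exec(stmts, path=(), env=None):
    """Fork at every If; return [(path condition, final variable state)] per path."""
    env = dict(env or {})
    for i, s in enumerate(stmts):
        if isinstance(s, Assign):
            env[s.var] = s.value
        else:                                  # If: explore both branches
            rest = stmts[i + 1:]
            return (sym_exec(s.then + rest, path + (s.cond,), env)
                    + sym_exec(s.orelse + rest, path + (s.cond.negate(),), env))
    return [(path, env)]


def input_range(path, var, lo, hi):
    """Tighten the integer interval [lo, hi] of `var` by the path condition;
    None if the path is infeasible for that input."""
    for c in path:
        if c.var != var:
            continue
        if c.op == "<":
            hi = min(hi, c.const - 1)
        elif c.op == "<=":
            hi = min(hi, c.const)
        elif c.op == ">":
            lo = max(lo, c.const + 1)
        else:
            lo = max(lo, c.const)
    return (lo, hi) if lo <= hi else None


def equivalence_classes(stmts, var, lo, hi):
    """Input ranges of `var` that lead to the same resulting state."""
    classes = []
    for path, env in sym_exec(stmts):
        rng = input_range(path, var, lo, hi)
        if rng is not None:
            classes.append((rng, env))
    return classes


def pick_representatives(classes, seed=0):
    """One random concrete value per equivalence class (what the explorer feeds in)."""
    rng = random.Random(seed)
    return [rng.randint(lo, hi) for (lo, hi), _ in classes]


# The x/y program from the symbolic execution slide.
XY_PROGRAM = [If(Cmp("x", "<", 2),
                 [If(Cmp("y", ">", 5), [Assign("p", 1)], [Assign("p", 2)])],
                 [If(Cmp("y", ">", 10), [Assign("p", 3)], [Assign("p", 4)])])]

# motionPorch trigger: if (lightLevel < 20) porchLight.Set(On); timer.Start(...)
MOTION_TRIGGER = [Assign("porchLight", "Off"), Assign("timer", "Off"),
                  If(Cmp("lightLevel", "<", 20),
                     [Assign("porchLight", "On"), Assign("timer", "On")], [])]

if __name__ == "__main__":
    for path, env in sym_exec(XY_PROGRAM):
        print(" and ".join(map(str, path)), "=>", env)
    classes = equivalence_classes(MOTION_TRIGGER, "lightLevel", 0, 99)
    print(classes, pick_representatives(classes))
```

Running it yields the four path conditions of the symbolic execution slide and, for the motion trigger, the two classes [0, 19] and [20, 99]: two concrete Motion events are enough to cover everything the hundred-value input space can do to the state.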
Use symbolic execution alone?

(Figure: a sequence Trigger0, Trigger1, Trigger2 explored symbolically, path by path, versus the same triggers explored concretely, state by state)
• Symbolic: path-based
• Concrete: state-based
Exploring temporal behavior: soundness

```text
motionPorch:    porchLight.Set(On)
                timerDim.Start(5 mins)
                timerOff.Start(10 mins)
porchLight.On:  timerDim.Start(5 mins)
                timerOff.Start(10 mins)
timerDim.Fired: porchLight.Set(Dim)
timerOff.Fired: porchLight.Set(Off)
                if timerDim.On() Abort();
```

State graph over [PorchLight, TimerDim, TimerOff] (figure): Motion and LightOn take [Off, Off, Off] to [On, On, On]; from there TimerDim leads to [Dim, Off, On], TimerOff leads to [Off, On, Off], and LightOff leads to [Off, On, On]. An untimed exploration fires TimerOff before TimerDim and so reaches [Off, On, Off] and the Abort, an ordering that real time never produces because both timers are started together and timerDim expires first
Exploring temporal behavior: completeness

```text
motionPorch:   if (Now - tLastMotion < 60)
                   porchLight.Set(On)
                   timer.Start(600)
               tLastMotion = Now
porchLight.On: timer.Start(600)
timer.Fired:   porchLight.Set(Off)
```

To explore comprehensively, must fire all possible events at all possible times
```text
Trigger0: tTrigger1 = Now
          tTrigger2 = Now
          trigger1Seen = false
Trigger1: if (Now - tTrigger1 < 5)
              trigger1Seen = true
          tTrigger1 = Now
Trigger2: if (trigger1Seen)
              if (Now - tTrigger2 < 2)
                  DoSomething()
              else
                  DoSomethingElse()
```

State [trigger1Seen, tTrigger1, tTrigger2] after Trigger0 at time T (figure): [false, T, T]; Trigger1 at Now = T+3 gives [true, T+3, T], after which Trigger2 runs DoSomething() or DoSomethingElse() depending on Now - T; Trigger1 at Now = T+6 instead gives [false, T+6, T]
The same program with Trigger1 at a different time (figure): from [false, T, T], Trigger1 at Now = T+1 gives [true, T+1, T], while Trigger1 at Now = T+6 gives [false, T+6, T]; whether Trigger2 then runs DoSomething() or DoSomethingElse() depends on when it fires relative to T
The tyranny of “all possible times”
• Speed
• Completeness
Timed automata
FSM (states, transitions) + the following:
• Finite number of real-valued clocks (VCs)
• All VCs progress at the same rate, except that one or more VCs may reset on a transition
• VC constraints gate transitions
Timed automaton for the Trigger0/1/2 program above (notation: Event (clock guard) [clocks reset] {action}); states are [trigger1Seen] ∈ {[false], [true]}, clocks x1 = Now - tTrigger1 and x2 = Now - tTrigger2

From [false]:
• Trigger0 () [x1, x2] → [false]
• Trigger1 (x1 < 5) [x1] → [true]
• Trigger1 (x1 >= 5) [x1] → [false]
• Trigger2 () [] → [false]

From [true]:
• Trigger0 () [x1, x2] → [false]
• Trigger1 (x1 < 5) [x1] → [true]
• Trigger1 (x1 >= 5) [x1] → [true]
• Trigger2 (x2 < 2) [] {DoSomething} → [true]
• Trigger2 (x2 >= 2) [] {DoSomethingElse} → [true]
Properties of timed automata
If VC constraints are such that:
• No arithmetic operation involving two VCs
• No multiplication operation involving a VC
• No irrational constants in constraints
then time can be partitioned into equivalence regions

Examples of constraints that violate these rules: $x + y < z$, $2x < 3$, $x < \sqrt{2}$, $x < y + 2$

Example: states [s0], [s1] with transitions t1 (x < 2) [x] and t2 (y < 1) [y]; the largest constants are 2 for x and 1 for y

(Figure: the (x, y) plane with x on the horizontal axis 0..2 and y on the vertical axis 0..1, partitioned into 28 regions)
• Corner points (6)
• Line segments (14)
• Spaces (8)
(Figure: region grid for the Trigger0/1/2 program above, with clock x1 on the horizontal axis 0..5 and clock x2 on the vertical axis 0..2)
Why regions are fine-grained

Example: states [s0], [s1] with transitions t1 (x < 2) [x] and t2 (y < 1) [y]

(Figure: the same region grid, x on the horizontal axis 0..2 and y on the vertical axis 0..1, with representative points (0.5, 0.5), (1.5, 0.5), (1.5, 1.5) and (2.5, 1.5))

Adding a state [s2] with transition t3 (x < 2, y > 1) shows why the fine partition is needed: the constraint y > 1 separates points such as (1.5, 0.5) and (1.5, 1.5) that the original two guards did not distinguish
Region construction
If integer constants and simple constraints (e.g., $x < c$):

Straight lines: $\forall x: \{\, x = c \mid c = 0, 1, \ldots, c_x \,\}$

Diagonal lines: $\forall x, y: \{\, \mathrm{fract}(x) = \mathrm{fract}(y) \mid x < c_x,\ y < c_y \,\}$

(Figure: the grid for x1 on the horizontal axis 0..5 and x2 on the vertical axis 0..2 with the diagonal lines drawn in; one of the regions is labelled x2 < x1 + 2)
Why this construction works

Constraints for the Trigger0/1/2 example:
1. X1 < 5
2. X2 < 2
3. X1 < 5 && X2 > 2

(Figure: the region grid for x1 in 0..5 and x2 in 0..2 with sample points; every point inside one region satisfies the same set of constraints)
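The region construction of the last few slides, carried out in code as an added example (not DeLorean's code): each clock contributes its integer points, its open unit intervals and its "beyond the largest constant" ray, and pairs of fractional clocks are split by the ordering of their fractional parts (the diagonal lines). The example reproduces the slide's count of 28 regions (6 corner points, 14 line segments, 8 spaces) for the x < 2, y < 1 automaton, enumerates the regions of the Trigger0/1/2 example, and evaluates the guards X1 < 5 and X2 < 2 at a representative point of every region, which is the "clock personality" used later for successor prediction. The clock names, the representative-point rule and the guard lambdas are assumptions of this example.

```python
"""Region construction for timed automata, as on these slides.

Added worked example, not DeLorean's code.  Each clock x has a largest
constant c_x taken from the guards.  A region records, per clock, whether
x > c_x, otherwise its integer part and whether its fraction is zero, plus
the ordering of the non-zero fractions of the bounded clocks (the diagonal
lines).  Clock names and the guard lambdas below are assumptions."""
from itertools import product


def one_clock_regions(c):
    """1-D regions for largest constant c: ('int', i) is x == i,
    ('frac', i) is i < x < i+1, ('inf',) is x > c."""
    regs = []
    for i in range(c + 1):
        regs.append(("int", i))
        if i < c:
            regs.append(("frac", i))
    regs.append(("inf",))
    return regs


def ordered_partitions(items):
    """All weak orderings of `items`, each as a list of blocks (equal fractions
    share a block; earlier blocks have smaller fractions)."""
    items = list(items)
    if not items:
        return [[]]
    n, result = len(items), []
    for mask in range(1, 1 << n):               # non-empty subset = first block
        first = [items[k] for k in range(n) if mask >> k & 1]
        rest = [items[k] for k in range(n) if not mask >> k & 1]
        result.extend([first] + tail for tail in ordered_partitions(rest))
    return result


def regions(max_consts):
    """Enumerate all regions; each is (per_clock dict, blocks of fractional clocks)."""
    names = list(max_consts)
    out = []
    for combo in product(*(one_clock_regions(max_consts[n]) for n in names)):
        per_clock = dict(zip(names, combo))
        fractional = [n for n in names if per_clock[n][0] == "frac"]
        for blocks in ordered_partitions(fractional):
            out.append((per_clock, blocks))
    return out


def representative(region, max_consts):
    """One concrete clock valuation inside the region."""
    per_clock, blocks = region
    point = {}
    for name, r in per_clock.items():
        if r[0] == "inf":
            point[name] = max_consts[name] + 0.5
        elif r[0] == "int":
            point[name] = float(r[1])
        else:                                   # fraction ordered by block index
            k = next(j for j, b in enumerate(blocks) if name in b)
            point[name] = r[1] + (k + 1) / (len(blocks) + 1)
    return point


def dimension(region):
    """0 = corner point, 1 = line segment, 2 = open area (for two clocks)."""
    per_clock, blocks = region
    return len(blocks) + sum(1 for r in per_clock.values() if r[0] == "inf")


def classify(max_consts):
    """Number of regions of each dimension, as counted on the slide."""
    counts = {}
    for reg in regions(max_consts):
        d = dimension(reg)
        counts[d] = counts.get(d, 0) + 1
    return counts


def personalities(max_consts, guards):
    """Distinct guard evaluations over all regions ("clock personalities")."""
    seen = set()
    for reg in regions(max_consts):
        p = representative(reg, max_consts)
        seen.add(tuple(g(p) for g in guards))
    return seen


if __name__ == "__main__":
    print(classify({"x": 2, "y": 1}))           # slide: 6 corners, 14 segments, 8 spaces
    print(len(regions({"x1": 5, "x2": 2})), "regions for the Trigger example")
    print(personalities({"x1": 5, "x2": 2}, [lambda p: p["x1"] < 5, lambda p: p["x2"] < 2]))
```

The Trigger0/1/2 example has 92 regions but only four distinct personalities for its two guards, which is the gap that the successor-prediction optimization in Lecture II exploits.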
Exploring a TA

Timed automaton (Event (guard) [reset] {action}):
From [false]: Trigger0 () [x1, x2]; Trigger1 (x1 < 5) [x1] → [true]; Trigger1 (x1 >= 5) [x1]; Trigger2 () []
From [true]: Trigger0 () [x1, x2] → [false]; Trigger1 (x1 >= 5) [x1]; Trigger1 (x1 < 5) [x1]; Trigger2 (x2 < 2) [] {DoSomething}; Trigger2 (x2 >= 2) [] {DoSomethingElse}

Exploration from the initial region state (figure): [false] x1 = 0, x2 = 0 has self-loops on Trigger0 and Trigger2, Trigger1 leads to [true] x1 = 0, x2 = 0, and δ (time elapse) leads to [false] x1 = 0.5, x2 = 0.5. From [true] x1 = 0, x2 = 0: Trigger2 {DoSomething}, δ leads to [true] x1 = 0.5, x2 = 0.5, Trigger0 leads back to [false]. From [false] x1 = 0.5, x2 = 0.5: Trigger1 leads to [true] x1 = 0, x2 = 0.5, δ leads to [false] x1 = 1, x2 = 1
Systematically exploring control programs (Lecture II)
Ratul Mahajan, Microsoft Research
Joint work with Jason Croft, Matt Caesar, and Madan Musuvathi
Recap: The nature of control programs
Collection of rules with triggers and actions (the home automation and network controller examples from Lecture I)
Recap: Timed automata
FSM (states, transitions) + the following:
• Finite number of real-valued clocks (VCs)
• All VCs progress at the same rate, except that one or more VCs may reset on a transition
• VC constraints gate transitions
Recap: Properties of timed automata
If VC constraints involve no arithmetic operation between two VCs, no multiplication of a VC and no irrational constants, time can be partitioned into equivalence regions (the x < 2, y < 1 example has 28 regions: 6 corner points, 14 line segments, 8 spaces)
Recap: Region construction
With integer constants and simple constraints (e.g., $x < c$): straight lines $x = c$ for $c = 0, 1, \ldots, c_x$ and diagonal lines $\mathrm{fract}(x) = \mathrm{fract}(y)$ for $x < c_x$, $y < c_y$
Recap: Exploring a TA (the Trigger0/1/2 timed automaton and its region-state exploration from Lecture I)
Exploring control programs with TAs
1. Mapping time-related activity to VCs
2. Model devices
3. Construct time regions
4. Compute equivalence classes for inputs
5. Explore states
Mapping to VCs (1/4): Delay measurers

Original:

```text
Trigger1: ...
          tLast = Now
          ...
Trigger2: ...
          if (Now - tLast < 60)
          ...
```

With a VC:

```text
Trigger1: ...
          VC_tLast = 0
          ...
Trigger2: ...
          if (VC_tLast < 60)
          ...
```
Mapping to VCs (2/4): Periodic timers

Original:

```text
timer1.Period = 600
timer1.Event += Timer1Fired
...
Timer1Fired: ...
```

With a VC (the handler runs whenever the VC reaches the period, then resets it):

```text
VC_timer1 = 0
...
VC_timer1 == 600: ...
                  VC_timer1 = 0
```
Mapping to VCs (3/4): Delayed actions

Original:

```text
Trigger1: ... timer1.Start(600) ...
timer1.Fired: ...
```

With a VC:

```text
Trigger1: ... VC_timer1 = 0 ...
VC_timer1 == 600: ...
```
Mapping to VCs (4/4): Sleep calls

Original:

```text
Trigger: ...
         Sleep(10)
         ...
```

With a VC:

```text
Trigger: ...            // pre-sleep actions
         VC_sleeper = 0
VC_sleeper == 10: ...   // post-sleep actions
```
Reducing the number of VCs: Combining periodic timers

Original:

```text
timer1.Period = 600
timer1.Event += Timer1Fired
timer2.Period = 800
timer2.Event += Timer2Fired
...
Timer1Fired: ...
Timer2Fired: ...
```

With one shared VC:

```text
VC_timer = 0
...
VC_timer == 600: ...
VC_timer == 800: ...
                 VC_timer = 0
```
Reducing the number of VCs: Combining sleep calls

Original:

```text
Trigger: Act1()
         Sleep(5)
         Act2()
         Sleep(10)
         Act3()
```

With one VC for the whole sequence (the second wake-up is at the cumulative offset 5 + 10 = 15):

```text
Trigger: Act1()
         VC_sleeper = 0
         sleep_counter = 1;
VC_sleeper == 5:  Act2()
VC_sleeper == 15: Act3()
```
Modeling devices
Model a device using one or more key-value pairs
– Motion sensor: single key with binary value
– Dimmer: single key with values in range [0..99]
– Thermostat: multiple keys
Keys can be notifying or non-notifying
– Triggers are used for notifying keys
Queries for values are treated as program inputs
Limitations of device modeling
• Values can change arbitrarily
• Key-value pairs of a device are independent
• Different devices are independent
Constructing time regions
1. Extract VC constraints using symbolic execution
2. Construct time regions using the constraints
(Example: the Trigger0/1/2 program from Lecture I, whose constraints are Now - tTrigger1 < 5 and Now - tTrigger2 < 2)
Exploration using TA
Region state = variable values + VC region + ready timers

```text
1.  exploredStates = {}
2.  unexploredStates = { S_initial }
3.  while (unexploredStates ≠ ∅)
4.      S_i = PickNext(unexploredStates)
5.      foreach event in Events ∪ S_i.ReadyTimers
6.          foreach input in Inputs
7.              S_o = Compute(S_i, event, input)
8.              if (S_o ∉ exploredStates) unexploredStates.Add(S_o)
9.      if (S_i.ReadyTimers = ∅)
10.         S_o = AdvanceRegion(S_i)   // also marks ReadyTimers
11.         if (S_o ∉ exploredStates) unexploredStates.Add(S_o)
12.     exploredStates.Add(S_i)
```
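An added implementation of this exploration loop for the Trigger0/1/2 program from the "Exploring a TA" slide (it is this page's editorial example, not DeLorean's code): a region state is (trigger1Seen, clock region), Compute applies Trigger0/1/2 with their guards and clock resets, and AdvanceRegion is the δ step that moves to the next region in time. The program has neither timers nor inputs, so the ready-timer and input loops are omitted. The region encoding, the Alur-Dill time-successor rule and the clock names x1 = Now - tTrigger1, x2 = Now - tTrigger2 with largest constants 5 and 2 are assumptions of the example.

```python
"""Region-state exploration of the Trigger0/1/2 program, following the
Exploration-using-TA pseudocode on this slide.

Added example, not DeLorean's code.  A region state is (trigger1Seen,
clock region); the program has no timers, so the ready-timer part is
omitted.  Clock x1 stands for Now - tTrigger1 and x2 for Now - tTrigger2;
their largest constants 5 and 2 come from the guards.  The region encoding
and the Alur-Dill time-successor rule are this example's assumptions."""
from collections import deque

MAXC = {"x1": 5, "x2": 2}

# A region is (per_clock, blocks).  per_clock is a tuple of (clock, r) with
# r = ("int", i) for x == i, ("frac", i) for i < x < i+1, ("inf",) for x > c.
# blocks orders the fractional clocks by increasing fractional part.
INITIAL_REGION = ((("x1", ("int", 0)), ("x2", ("int", 0))), ())


def reset(region, clocks):
    """Transition resets: the named clocks return to 0."""
    per, blocks = region
    per = tuple((c, ("int", 0) if c in clocks else r) for c, r in per)
    blocks = tuple(b for b in (fs - frozenset(clocks) for fs in blocks) if b)
    return per, blocks


def delay(region):
    """Immediate time successor: clocks with zero fraction start growing first
    (smallest fraction, or beyond the constant if already at it); otherwise the
    block with the largest fraction reaches the next integer."""
    per, blocks = region
    zero = [c for c, r in per if r[0] == "int"]
    if zero:
        new, fresh = [], set()
        for c, r in per:
            if r[0] != "int":
                new.append((c, r))
            elif r[1] < MAXC[c]:
                new.append((c, ("frac", r[1])))
                fresh.add(c)
            else:
                new.append((c, ("inf",)))
        return tuple(new), ((frozenset(fresh),) if fresh else ()) + blocks
    if blocks:
        top = blocks[-1]
        return tuple((c, ("int", r[1] + 1) if c in top else r) for c, r in per), blocks[:-1]
    return region                               # every clock beyond its constant


def less(region, clock, k):
    """Truth of `clock < k` throughout the region (k an integer constant)."""
    r = dict(region[0])[clock]
    return r[0] != "inf" and r[1] < k


def step(state, event):
    """Apply one event (or Delay) to (trigger1Seen, region); returns (next state, action)."""
    seen, region = state
    if event == "Trigger0":
        return (False, reset(region, {"x1", "x2"})), None
    if event == "Trigger1":
        if less(region, "x1", 5):
            seen = True
        return (seen, reset(region, {"x1"})), None
    if event == "Trigger2":
        if not seen:
            return state, None
        return state, ("DoSomething" if less(region, "x2", 2) else "DoSomethingElse")
    return (seen, delay(region)), None          # "Delay": advance to the next region


def explore():
    """Breadth-first exploration; returns (explored region states, actions seen)."""
    initial = (False, INITIAL_REGION)
    explored, actions = {initial}, set()
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for event in ("Trigger0", "Trigger1", "Trigger2", "Delay"):
            nxt, action = step(s, event)
            if action:
                actions.add(action)
            if nxt not in explored:
                explored.add(nxt)
                queue.append(nxt)
    return explored, actions


if __name__ == "__main__":
    explored, actions = explore()
    print(len(explored), "region states explored; actions:", sorted(actions))
```

Because regions are finite, the loop terminates after at most 2 × 92 region states, yet it still reaches both DoSomething and DoSomethingElse, which the "all possible times" enumeration of Lecture I could only approximate.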
Optimization: Predicting successor states
Observation: multiple region states can have identical response to a trigger

```text
Trigger1: if (x1 < 5)
              trigger1Seen = true
          x1 = 0
Trigger2: if (trigger1Seen)
              if (x2 < 2)
                  DoSomething()
              else
                  DoSomethingElse()
```

(Figure: region grid with tTrigger1 on the horizontal axis 0..5 and tTrigger2 on the vertical axis 0..2, with two region states marked that respond identically)
Optimization: Predicting successor states
Observation: multiple region states can have identical response to a trigger
Clock personality: the region’s evaluation of the clock constraints

(Figure: two region states $S_1$ and $S_2$ with the same variable values and ready timers but different regions of the same personality; the successors of $S_1$ are computed, the successors of $S_2$ are predicted from them)
Optimization: Independent control loops
Observation: control programs tend to have multiple, independent control loops
1. Determine independent sets of variables
2. Explore independent sets independently
DeLorean
Inputs: control program, safety invariants
Front end → program with virtualized devices
Program analyzer → clock constraints, input space classes, control loops
Explorer → region states, paths
Demo
Evaluation on ten real home automation programs
Example bugs
P9-1: Lights turned on even in the absence of motion
– Bug in conditional clause: used OR instead of AND
P9-2: Lights turned off between sunset and 2AM
– Interaction between rules that turned lights on and off
P10-1: Dimmer wouldn’t turn on despite motion
– No rule to cover a small time window
P10-2: One device in a group behaved differently
– Missing reference to the device in one of the rules
Performance of exploration
Time to “fast forward” the home by one hour
Benefit of successor prediction
Successor prediction yields a significant advantage
Comparison with untimed model checking
Untimed model checking reaches many invalid states
Comparison with randomized testing
Random testing misses many valid states
Exploring OpenFlow programs

| Program | #devs | SLoC | #VCs | GCD |
| --- | --- | --- | --- | --- |
| MAC-Learning Switch (PySwitch) | 2 hosts, 2 sw, 1 ctrl | 128 | >= 6 | 1 |
| Web Server Load Balancer | 3 hosts, 1 sw, 1 ctrl | 1307 | >= 4 | 1 |
| Energy-Efficient Traffic Engineering | 3 hosts, 3 sw, 1 ctrl | 342 | >= 8 | 2 |
Additional challenges in OF programs
• Dynamically created VCs
• Variable number of VCs along different paths

```text
packetIn: timer = new Timer(5s)
          Insert(timer, inPkt.src, inPkt.dst)
```
Open problems
• Handling communicating control programs
• Exploring all possible topologies
Summary
Control programs are tricky to debug
– Interaction between rules
– Large space of inputs
– Intimate dependence on time
These challenges can be tackled using
– Systematic exploration (model checking)
– Symbolic execution to find equivalent input classes
– Timed automata based exploration (equivalent times)