Space-Reduction Strategies for Model Checking Dynamic Software Robby1 Matthew B. Dwyer1 John Hatcliff1 Radu Iosif2 Support ARO CIP/SW URI award DAAD190110564 DARPA/AFRL project AFRL-F33615-00-C-3044 NSF SEL Program under Award CCR-0306607 1 Kansas State University 2 Verimag
Bogor (http://bogor.projects.cis.ksu.edu) Summer 2003 Release An extensible and highly-modular (explicit state) model checking framework [Robby-al FSE’03] rich & extensible modeling language modular design with open API to ease customization Targeted for checking dynamic systems by specializations at several different abstraction levels checking Java programs in the Bandera project (http://bandera.projects.cis.ksu.edu) Symmetry reductions & collapse compression [this talk] PO reductions using dynamic escape analysis and locking discipline [Dwyer-al:TR-1] checking designs of avionic (Boeing) systems in the Cadena project (http://cadena.projects.cis.ksu.edu) Abstraction of CORBA event channel and customized scheduler & search [Hatcliff-al:FMCO’02] Quasi-cyclic search (parallel) [Dwyer-al:EMSOFT’03]
Bogor
Dynamic Software Dynamic software written in modern programming languages such as Java features automatic memory management for objects allocations and de-allocations concurrency constructs etc. These features introduce more complexity for model checking heap threads
Issues in Model Checking Dynamic Software How to linearize states? How to manage states? <010101101011…> heap seen set threads
Related Work Symmetry for Scalar Sets [Ip-al’96] Heap Symmetry [Lerda-al’01, Iosif’01/’02] Thread Symmetry [Bosnacki-al’00/’02] Collapse Compression [Holzmann’97, Lerda-al’01]
Contribution Combine the best methods from all the previous (related) work Extend the heuristics for thread symmetry reduction by using threads observables can also be applied for symmetry in abstract data types Efficient collapse compression by considering objects and threads ordering from symmetry reductions
Issues in Model Checking Dynamic Software — Linearizing States How to linearize states? How to manage states? <010101101011…> heap threads seen set
Linearizing Heap Usually using store-based representation there are still explicit locations of objects in the memory objects at locations unreachable from the state root node are garbage However locations of objects are irrelevant to most properties (that we are interested) object identities are usually used for equality comparison garbage objects are definitely irrelevant cannot be observed, thus, can’t affect program execution garbages are irrelevant to the properties being checked This object may be located at memory cell 0x34AB4 This object may be located at memory cell 0x34FFF mostly interested only to distinguish objects heap
Heap Symmetry [Iosif’01/’02] Observationally Equivalent Finding a canonical heap representation permuting objects location removing garbage objects Using topological sort on objects canonical for deterministic heap structure heap heap =
Linearizing Thread Set Threads are active objects garbage collected only if they died different states may have different set of threads Similar to object locations the actual thread identifiers/descriptors are irrelevant we still want to be able to distinguish threads
Thread Symmetry [Bosnacki-al’00/02] = Observationally Equivalent Similar to heap symmetry permute thread identities only preserve threads that are still alive However, in contrast to heap structure there are no topology for threads (set) [Bosnacki-al’00/02] proposed a heuristic: sorting threads by their program counters (PC)
Dining Philosophers Example if not taken, get left fork state after phil#1 took its left fork fork#1 fork#3 fork#2 phil#1 phil#2 phil#3 left right if not taken, get right fork 1 put back right fork put back left fork
Dining Philosophers Example — PC Thread+Heap Symmetry [Iosif’02] Thus, they can be ordered (ascending) as follows: phil#2, phil#3, phil#1 phil#3, phil#2, phil#1 phil#1’s PC > phil#2’s PC fork#1 phil#1’s PC > phil#3’s PC left right phil#1 1 phil#3 phil#1’s PC = phil#3’s PC right left fork#3 fork#2 left right phil#2
Dining Philosophers Example — PC Thread+Heap Symmetry [Iosif’02] fork#1 fork#1 left right left right phil#1 1 phil#3 phil#1 1 phil#3 right left right left fork#3 fork#2 fork#3 fork#2 not observationally equivalent! fork#2 is not held, but fork#1 is left right left right phil#2 phil#2 phil#2, phil#3, phil#1 phil#3, phil#2, phil#1 fork#3, fork#2, fork#1 fork#2, fork#1, fork#3
k-Bounded Thread Symmetry (k-BOTS) phil#2 1 phil#1 fork#1 fork#3 left right fork#2 Given two threads, decide ordering by the observables from each thread: stack heights program counters at each stack frame primitive local values at each stack frame recursively compare reachable non-primitive values user can tweak the recursive depth k for trade off between space and time phil#2 is ordered before phil#1 Stack heights are equal, but PCs are not phil#3 phil#2 fork#3 fork#2 left right fork#1 Stack heights and PCs are equal phil#2 is ordered before phil#3 Left forks are equal Right forks are not equal
Dining Philosopher Example — k-BOTS+Heap Symmetry fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3 Only one ordering Threads ordering phil#2, phil#3, phil#1 Heap objects ordering fork#3, fork#2, fork#1
Issues in Model Checking Dynamic Software — Managing States How to linearize states? How to manage states? <010101101011…> heap threads seen set
Managing State Storage Many state bit-vectors contain similar sub-bit-vectors only small number of changes for each transition Thus, this opens an opportunity for compression building dictionary of bit-vector state parts However, it is unclear which state parts we should use for the dictionary <010101101011…> similar bit pattern <010111101010…>
Collapse Compression [Lerda-al’01] Bit-vector pools for fields data (static and dynamic) monitor data method stack frames other thread information (thread status) We follow a similar categorization, but we take advantage of the orderings generated by the symmetry reductions fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3
Collapse Compression — Dining Philosopher Example Empty bit-vector since there are no global variables Since this is the first bit-vector, start with 1 fork#3 is not held Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 fork#1 <true> 3 Heap <Fork,2, Fork,2, Fork,3> 4 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <2,3> 7 phil#3 <loc0,7> 8 p#1 store <3,1> 9 phil#1 <loc1,9> 10 Thread Set <6,8,10> 11 State <1,4,11> 12 This is the second bit-vector fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3 This bit-vector has been seen before fork#2 is not held The heap consists of the sequence of heap object types and heap object ids (n) The object is ordered by the heap symmetry ordering Phil#2’s left fork is the first object in the heap, and its right fork is the second object in the heap Phil#2’s stack frames The state consists of the bit-vector id of the global values, the heap, and the thread set The thread set consists of the bit-vector id of the threads phil#2, phil#3, phil#1 fork#3, fork#2, fork#1
Collapse Compression — Dining Philosopher Example Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 fork#1 <true> 3 Heap <Fork,2, Fork,2, Fork,3> 4 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <2,3> 7 phil#3 <loc0,7> 8 p#1 store <3,1> 9 phil#1 <loc1,9> 10 Thread Set <6,8,10> 11 State <1,4,11> 12 Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 <true> 3 fork#1 Heap <Fork,2, Fork,3, Fork,3> 13 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <3,2> 14 phil#3 <loc0,14> 15 p#1 store <2,3> 7 phil#1 <loc2,7> 16 Thread Set <6,15,16> 17 State <1,13,17> 18 State after Phil#1 took its left fork State after Phil#1 took its left and right forks
Preliminary Results (k-BOTS+Collapse) Dining Philosophers For 10 dining philosophers 4x faster, 25% memory consumption (no compression, no thread symmetry) 2x faster, 36% less memory consumption (collapse compression, PC thread symmetry) Bounded Buffer For small number of threads (3 and 4) 9% less memory and time consumption (collapse compression, PC thread symmetry) Ordered-List For 3 updater threads: 0.02% memory reduction For 4 updater threads: 2.5% memory reduction All examples Collapse compression is faster and it gives more reductions than GZIP compression
Applications for Bogor Type Extensions Bogor allows introductions of new abstract data types (ADTs) as first class construct of the BIR modeling language Many ADTs such as Set or Table have symmetric properties The treatment that we use for threads (k-BOTS) can be used for such ADTs
Conclusion and Future Work We have proposed extensions of two existing framework tunable heuristics for combination of thread and heap symmetry using information from symmetry reductions for collapse compression More empirical study, including symmetry for ADTs Extends the symmetry reductions to handle more state configurations, for example: lock wait set set of sets of …